Topic Abstract Minimize
The Social Solution To Social Engineering
Randy Abrams

Social engineering is older than the Trojan horse. Social education has been part of civilization from when humans formed tribes. As technologies emerge,
society integrates appropriate social education to ensure survival. The Internet introduced a technology so quickly that society could not effectively respond to rapid criminal adoption the technology for nefarious use. The Internet has taken social engineering attacks from a relatively rare criminal activity to an epidemic.

Until education to harden society against social engineering attacks is a part of our social education, technology will be ill-equipped to make a significant dent in this type of crime. Computer security education must become a part of our social education, but there are unique ways the different aspects of the subject must be addressed in order to effectively educate non-technical members of society. This presentation will explore the sociological changes and approaches to effective computer security education.

Malware retooled: Moving away from purpose built platforms to general tools to target specific industries
Omar Aldahir

Crimeware authors are leveraging the release of source to further develop their already sophisticated and well developed threats as well as add modularity and functionality to their software. In addition the release of Zeus and TDL3 source adds to the wealth of information already available further lowering the entry barrier for developers and price point for would be criminals looking to enter the malware market space. Zeus, SpyEye, (and others like them) are tools that are built specifically to target the financial industry, whereas Sunspot is a general purpose tool that modifies specifically to target banks. This is significant because tools and techniques that are built to detect the former do not work with the latter.

Tracking these trends can be accomplished by leveraging classification and clustering models that are built on Behavioral analysis tools.

Achieve Significant Cost Savings Using Anti-Malware Automation Tools
Darin Andersen

The security industry now offers from multiple sources automated approaches to high-volume malware analysis that offer the potential for dramatic improvements in ROI. Years of testing in analysis labs has resulted in sandbox based behavioral systems, generic detections, reputation technologies and other methods to effectively and quickly automate response to new threats arriving daily. Response times can drop from days to hours to minutes as analysts effectively address attacks in a day zero context, rather than days, weeks or months.

PHP : Lesser Known Exploits
Sean Arries                  

In this presentation we will discuss some lesser know PHP exploit classes and look at real world examples of the bugs, Also we will be discussing lesser known PHP backdoor's for Remote Code Execution. What we need to know to gain access and maintain access to a PHP web application.

Cyber Espionage - Running The Table With The Cyber Intelligence Cycle
Jeffrey Bardin

Cyber criminals and nation-states have adopted traditional physical intelligence techniques for the cyber world. This session will examine various CYBINT and OSINT methods used. It will cover information mining of social networking sites and demonstrate some of the tools in use to gathering information on targets of opportunity.
We'll examine offensive cyber operations as a method of defense.

How To Gain Access To Laptops And Virtual Machines Through The Physical Memory
Csaba Barta

The presenter will show how it is possible to gain access to laptops or virtual machines only by writing into their physical memory. The first part of the presentation will include a demo during which the presenter will modify the memory image of a suspended virtual machine with full disk encryption in order to gain high privileged access to it. During the second part the audience will see the tool developed by the presenter (based on the work of Adam Boileau) in action. The presenter will show how it is possible to gain access to a laptop running Microsoft Windows 7 or Ubuntu Linux by accessing the content physical memory. The tool presented can be used against the most recent Windows and Linux versions.

Spy Jackers - Countering Persistent Threats
Sean Bodmer

This lecture builds on a series of threats and countermeasures used to attribute specific occured events to the individual or group. In this lecture Intelligence Analysis, Cyber-Counterintelligence, and Operational implantations will be covered specifically, how to objectively analyze the details of an intrusion in order to generate highly accurate assessments (profiles) of your adversary which can help IT Security Professionals and/or authorities with attribution and/or apprehension of the criminal.
The ability to maintain access and collect information on a target with advanced or persistence access to your enterprise is the bread-and-butter of premier intelligence agencies around the world.

Pulp Google Hacking – The Next Generation Search Engine Hacking Arsenal
Francis Brown

Last year’s Lord of the Bing presentation stabbed Google Hacking in the heart with a syringe full of adrenaline and injected life back into a dying art form.  New attack tools and modern defensive techniques redefined the way people thought about Google Hacking. Among these were the first ever Bing Hacking tool and the Google/Bing Hacking Alert RSS feeds, which have grown to become the world’s single largest repository of live vulnerabilities on the web.  And it was only the beginning…

This year, we once again tear down the basic assumptions about what Google/Bing Hacking is and the extent to which it can be exploited to target organizations and even governments.  In our secret underground laboratory, we’ve been busy creating an entirely new arsenal of Diggity Hacking tools that we’ll be unveiling and releasing for free.

Turbo Unpacking : A Journey Into Malicious Packers
Nicolas Brulez

Malicious software has been using polymorphic packers for a long time in order to evade detection and delay analysis.

In this session the audience will be introduced to the variety of techniques used to create such obfuscation tools, which include (but are not limited to) polymorphic layers, anti-emulation, anti-debugging and anti-dumping.

Since a lot of these obfuscation tools share the same execution logic, it is possible to come up with ways to efficiently unpack and automate unpacking for a majority of malicious packers.

Real examples will be dissected step by step during the session with live a demonstration of manually unpacking samples.

Deploying Solid Defense Strategies
Kevin Cardwell

In this presentation Kevin will discuss the importance for developing robust ingress and egress filtering to mitigate the threat of sophisticated malware. He will discuss the steps you need to take to defend from the majority of the known attacks. he will show the need and importance for analyzing your systems live memory. The talk will conclude with the importance of adding hardware based protection to your defenses.

Cut The Crap - Let's have A Phishing/ Trojan Attack
Dave Chronister

In this session, Dave Chronister will demonstrate one of his favorite attacks to perform during Social Engineering Audits. In 45 minutes, Dave will show you how to create an attack that consists of a Trojan, Phishing Website, and Phishing Emails; from reconnaissance to successful exploitation. No Power Point slides or Recordings,
this will be %100 live. Programming Experience not needed. At the end of this session every attendee will be able to successfully create this attack and modify it to their own needs. With a success rate of over 90% you will see why Dave and the Hacker’s at Parameter call this attack “Old Faithful”.

TCP Stack Exhaustion and Staying Power
Anna Claiborne

DoS or DDoS is very small acronym used to describe a wide range of attack vectors and methodologies.  Some of the most effective, most difficult to mitigate, and least understood DDoS attacks are executed with a minimal amount bandwidth and resources, and can take down targets many times the size of the attacker.  This presentation will focus on the attacks that target the Operating System TCP/IP stack to exploit vulnerabilities inherent to TCP, and cover defense strategies against this style of attack.

APTs: Misunderstood and Overhyped - What We Should Do to Protect Ourselves
Wolfgang Kandek

We've been recently inundated with news reports alerting us of security compromises at well known global companies and government agencies. The threats of cyber war have also been raised and the term, "Advanced Persistent Threats (APTs)" has been coined, giving the impression that most organizations are not equipped to deal with such sophisticated threats. This keynote exposes the reality behind the causes of these threats, highlights the basic precautions we must all advocate, and makes the case for a new security model that will provide a secure foundation to build upon.

Jack Of All Formats
Daniel Crowley


File formats are not always rigidly defined, and determining how to process files is not always an easy task. Certain files can be valid examples of multiple formats simultaneously, and files with multiple extensions may not be handled as expected in certain circumstances. Learn how these multiple-format and multiple-extension files can be used to bypass filters, hide malware, and trick anti-virus systems.

Follow My Botnet On Twitter
Christopher Elisan

We often hear in the news and in security circles of how highly sophisticated the technologies used by existing botnets are. These technologies ranges from the malware kits that are used to create the bot agents to the protection mechanism employed by cybercriminals to protect their command and control infrastructure. But not all, successful botnets rely on these technologies, some rely on the simplest but hard to mitigate common technologies that we use everyday on the web such as social networking.

To prove the concept, I will discuss and demonstrate how a common PDF file is exploited to serve as a delivery mechanism for malware and once infection is successful how twitter and other free online services are used as the malware's command and control.

Six Key Application Security Metrics– Appsec Risk Management In 2012
Arian Evans

Analysts are calling 2011 The Year of The Hack. And the majority of 2011's Hacks are Web Application Exploits.

This presentation covers real-world key performance indicators (KPIs) necessary to create and sustain a successful, trustworthy, and scalable application security program in the enterprise - to help you ensure you are not the next company covered by the news for months after being hacked dozens of times.
This presentation will overview:
  • 2011 threat landscape from public forensic data
  • 2011 vulnerability landscape and stats
  • 2011 attacker profiles (from supporting stats)
  • Challenges with existing standards, programs, and metrics
  • Keep it simple approach to quantitative and qualitative metrics
Six Appsec KPIs broken down into Risk Measurement and Program Quality categories

This presentation concludes with actionable items you can implement to secure your SDLC and production web application presence.

4 Years and 4 Thousand Websites: What Have We Learned about Hacking Websites?
Jeremiah Grossman

Citigroup, Sony, PBS, Sega, Nintendo, Gawker, AT&T, the CIA, the US Senate, NASA, Nasdaq, the NYSE, Zynga, and thousands of others have something in common – all have had websites compromised in the last year. No company or industry is immune. It doesn't matter if a business is in financial services, retail, education, gaming, social networking, government, telecom, media or travel. Daily headlines tell the stories of millions of lost credit-card numbers, millions of personal information records exposed, and gigabytes worth of intellectual property stolen. The net result – corporate losses in the hundreds of millions, sharp stock price declines, lawsuits, fines and costly downtime. All signs point to a worsening problem, but the big question is, "what can be done about it?"

Over the last 10 years WhiteHat Security has performed vulnerability assessments for hundreds of organizations on over 4,000 of the Internet's most important websites -- identifying the very same issues the bad guys routinely exploit. There is a tremendous amount to be learned from this volume of data. For example, by comparing the characteristic of highly secure websites versus the highly vulnerable we can identify the business practices that work best. Fundamentally the answer to the software security question can be found through metrics. By carefully tracking and analyzing metrics, very particular key performance indicators (KPIs), an organization can determine where resources would be best invested.

Retrieving Internet Chat History With The Same Ease As A Squirrel Crack Nuts
Yuri Gubanov

Instant Messengers became an important means of communication. Millions of people, regardless of their age, nationality, gender and computer skills,
are using them every day. That’s why more and more evidence can now be found in histories of a suspect’s chats, like Skype, Facebook, ICQ or Yahoo Messenger etc.

There are a lot of problems with messenger investigation and a number of solutions to overcome these problems. The session is devoted to such solutions as real-time and post-factum investigation, including network traffic analysis, existing history files parsing, carving unallocated space or corrupted files and Live RAM investigation.
On this session it will be shown, which methods are available for forensic or security investigator to analyze chats, how a criminal may prevent this and how to overcome such steps.

Building Your Own Virtual Attack Lab Or My Laptop Is My Datacenter
Edward Haletkey

When testing attacks it is very important to build an attack lab that is secure and convenient. This presentation will walk you through building a virtual attack lab with as many targets as necessary as well as review the hardware requirements. An example lab will be demonstrated on a laptop. Safe, Secure, Private.

The Law Of Carrying And Capturing Packets
Marcia Hoffman & Kevin Bankston


Do you want to have an open WiFi network, but worry that you'll get sued for someone else's downloads? Have you thought about running a Tor exit relay,
but wonder whether the cops will end up raiding your house? If so, this presentation is for you. We'll discuss the legal issues raised by relaying other people's Internet traffic, as well as practical steps that you can take to minimize the likelihood that law enforcement or litigants will mistake you for the origin of questionable content.
We'll also talk about the legalities of sniffing unencrypted plaintext traveling over a wireless network or exiting from a Tor relay.

Pentesting People : Social Engineering Integration
Ryan O’ Horo

The security regimen most companies follow rarely includes the most critical element of any infrastructure – its people. The numbers don’t lie,
targeted social engineering attacks are extremely effective and simple steps can be taken to immediately and consistently reduce the threat. In this presentation,
Ryan O’Horo will take the audience into the psychology of a social engineering attack and the unfortunate truth of how unprepared businesses can be against them.
Critically, strategies for running social engineering test cases as part of regular security audits and educating end-users in resisting social engineering attacks will help integrate social engineering with organizations and shrink attack surfaces.

Is Your Security Strategy Working? PROVE It!
Andrew Jaquith/ Tom Rabaut/ Joe Gottlieb

All security professionals eventually end up answering two questions:  Is our organization secure? And Is our security department doing its job? These two questions beg for some clear, measurable metrics that are analogous to sales figures or network uptime numbers. But how do you measure prevention of data leaks and breaches?

In this unique panel, four of the industry’s top names in security metrics come together to discuss methods and tools for benchmarking security posture – and security success. Each of the panelists will give specific examples of metrics that can be used to measure the organization’s current security status and prove to top management that the security organization is doing its job. Attendees will leave the session with some specific benchmarks and tools they can use in their own organizations to measure security success.

The goal of this session is to give the audience some “ammunition” when dealing with upper level management and others who want measurable statistics to show security posture, achievement, or status.  While every organization is different, the panelists will help the audience to provide some common benchmark data, and how to instrument their security systems to provide top-level information that can be used to deliver security metrics.

Hacking Google ChromeOS
Matt Johansen

Google recently announced Chrome OS powered computers, called Chromebooks, which change the entire user-experience by taking place exclusively in a Web browser (Google Chrome). From a security perspective this means that all website and Web browser attack techniques, such as Cross-Site Scripting and Cross-Site Request Forgery, have the potential of circumventing Chrome OS's security protections and exposing all the users data.

Two members of the WhiteHat Security's Threat Research Center, Matt Johansen and Kyle Osborn, have hacked away on Google's Cr-48 prototype laptops.
They discovered a slew of serious and fundamental security design flaws that with no more than a single mouse-click may victimize users by:

Exposing of all user email, contacts, and saved documents.
Scan their intranet and reveal active host IP addresses.
Spoof Google Voice messages
Taking over their Google account by stealing session cookies, and in some case do the same on other visited domains.

Insight Into Russian Black Market
Alan Kakareka


Presentation gives insight into Russian black market pricing and revolves around available "products", means of payment, how these "products" ended up for sale,
what the prices are for custom malware, thousands of credentials, and most importantly how not to end up for sale yourselves.

Collecting Shellz By The C-Side
Rob Kraus & Jose Hernandez


Want to infiltrate corporations like Google, RSA, and Adobe? Yes? Then Client- Side(C-Side) Attacks are the attacks for you. The presentation provides an overview of APT attacks, attack methods and defensive strategies that you can employ. Recent media coverage of high profile corporate breaches has made the term “Advance Persistent Threats” (APT) a buzzword in the security industry. APT attacks rely on many attack vectors; C-Side attacks are often used to bypass network defenses.

C-Side attacks have been around for a long time, but have gained popularity in recent years due to increased perimeter security. C-Side’s are different than traditional network attacks in many aspects, but the most notable difference is the use of social engineering to facilitate attacks. We share our experiences testing corporate networks with these types of attacks and demonstrate common attack scenarios. We also present defensive considerations to reduce the likelihood of a successful C-Side attack.

Have We Lost The War on Security?
George Kurtz

The explosive growth of Internet and IP-enabled devices is reshaping communication, collaboration and commerce opportunities for individuals and organizations around the world. At the same time, miscreants are abusing the Internet’s open and any-to-any communication architecture for malicious purposes, leaving many users at risk and the future of a secure Internet as an aspiration rather than a reality. The current cybersecurity model is reactive, disconnected and unable to keep pace with the seismic explosion in malware. Providing protection to a heterogeneous world of connected devices requires a new approach to security. McAfee CTO George Kurtz will show that incremental improvements can’t bridge the opportunity gap and explain the required paradigm shift of driving security down the stack.

The Emerging Standard for Preserving Electronic Data on Social Networks and the Cloud.
Erik Laykin

In this session noted computer forensic expert and cyber investigations pioneer Erik Laykin will review the emerging standard of care and current best practices for the preservation, monitoring and collection of electronic data on Social Networks and the Cloud. Topics will include a review of contemporary risks, tools, standards and case studies and will provide guidance on establishing your own corporate cloud based “Evidence Center”.

New Cyber Warfare Targets: SCADA Systems
Robert M. Lee

As the destructive capabilities of cyber weapons expand so does the threat to SCADA systems.  SCADA systems offer a unique weakness and ideal target in cyber warfare for nation-states, terrorist organizations, and hackers alike.  When the Stuxnet worm first became public it changed the perception of cyberspace for people all around the world to include those interested in conducting cyber warfare.  It showed now more than ever that activities in cyberspace could be as lethal as a military strike while embarrassing corporations, countries, and influencing relationships between nation-states.  As cyber warfare continues to evolve so must our SCADA and critical infrastructure cyber defenses.  
This presentation will discuss SCADA systems as cyber warfare targets and what the effects of a such an attack can truly accomplish.  The perspective of the discussion is one from an Air Force Cyberspace Officer and goes not only into technical level discussion but more importantly brings together socio-political issues involving the future of cyber warfare.

A Report From The Front Lines Of Malware Analysis
Chad Loeven


In the eternal battle of white hats vs blackhats in cyberspace, the blackhats always have first-mover advantage. Further, they only have to succeed only once in owning their target, whereas the defenders must detect, block and remediate every attack to be successful. How do we as a security community overcome the inherent advantage the blackhats enjoy in their strength in numbers?
In this talk we cover the current state of analysis technology and future directions security researchers are taking to level the playing field

APT in the enterprise - Finding an evil in a haystack
Pascal Longpre

Advanced malware like TDL4 or attacks using the Metasploit framework are designed to live in memory and to leave little or no traces on disk. Detecting and investigating  these attacks on a large number of computers is often perceived as close to impossible with current technologies.

In this talk, we will demonstrate an automated detection approach developed as a request by different government organizations. It involves the combination of cutting-edge technologies such as advanced rootkit detection, automated live memory analysis, process tracking and anomaly detection with other more traditional approaches like reputation validation, antivirus signatures and environment correlation.

Control System Cybersecurity Training Kit Live Demonstration
Matthew E Luallen


This session will detail the development process undertaken to build a control system cybersecurity training kit for use in commercial training and academia. 
The kit steps the students through understanding critical infrastructure, control systems cyber architecture, ladder logic, actual attacks and mitigating controls against embedded devices (eg. PLC), the communications channel and the operator's console.  Live demonstrations will be performed showing how easy it is to misrepresent data in control system environments and a first time ever example of a physical-cyber attack against an operator console.  

Do They Deliver : Practical Security And Load Testing Of The Cloud
Matthias Luft


The r evolution of cloud based computing is often used to illustrate a possible paradigm shift in computing. The centralized processing and storing of data allows the development of new architectural approaches as well as completely new usage experiences. The implementation of these architectural models is a critical requirement to profit from a shift in computing to this new model. To provide a toolset for measuring potential profits for performing this shift, we want to introduce "skyscraper":
It is a framework für load testing cloud based applications including a specially developed demo application for major cloud platforms. Using skyscraper,

the results of several load tests are illustrated to show possibilities and caveats of the scalability of cloud based infrastructures. The evaluations were performed against the platforms of several major cloud service providers hosting the demo application of skyscraper. This demo application is utilizing all possibilities to improve scalability and security of cloudified applications, so a guide to the security and scalability features and limitations of cloud platforms is presented in addition.

The Myth Of The Advanced Persistent Threat
Dave Marcus

The past year may go down in computer history as “The Year of the APT.” What is an advanced persistent threat? With targeted attacks such as Operation Aurora and Stuxnet becoming more and more prevalent we have seen a significant change in attack sophistication. Many would claim that there are more advanced attack techniques than ever before, better reconnaissance tactics, ever stealthier malware, and more determined adversaries that are possibly state sponsored. But is this really the case? Are attacks becoming more sophisticated, or is the security industry and its varied technologies just not keeping pace?

This session will explore and detail high-profile attacks like Operation Aurora, Stuxnet, and Night Dragon and examine whether these are advanced attacks or whether security technologies are just not up to the task.

SSL And The Future Of Authenticity
Moxie Marlinspike

In the early 90's, at the dawn of the World Wide Web, some engineers at Netscape developed a protocol for making secure HTTP requests, and what they came up with was called SSL. Given the relatively scarce body of knowledge concerning secure protocols at the time, as well the intense pressure that everyone at Netscape was working under, their efforts can only be seen as incredibly heroic. But while it's amazing that SSL has endured for as long as it has, some parts of it -- particularly those concerning Certificate Authorities -- have always caused some friction, and have more recently started to cause real problems.

This talk will provide an in-depth examination of the current problems with authenticity in SSL, discuss some of the recent high-profile SSL infrastructure attacks in detail, and cover some strategies to definitively fix the disintegrating trust relationships at the core of this fundamental protocol.

No Death By Powerpoint - Just Live Hacking
Joseph McCray

In this presentation Joe McCray will demo several attacks with each one having to bypass Anti-Virus/IDS/IPS/WAF and other defensive mechanisms. There will be no powerpoint slides, just hack, after hack, after hack, after hack. Watch Joe demo live attacks against all of your favorite Operating Systems, and Applications. You won’t want to miss this!

PCI Compliance In The Cloud : Why Or Why Not?
Martin McKeay & Mike Dahn

Your management fears the auditors more than the hackers.  So why is it they're looking at moving cardholder data so quickly? Because 'cloud computing' is the new marketing buzzword that promises to do everything you ever wanted. So why shouldn't you be moving your credit card processing to the Cloud?  Because being PCI compliant in the Cloud requires significant thought and planning! And making a mistake could cost you a pretty penny.  Mike Dahn and Martin McKeay will explore the topic at length.

Root Cause Of Cybercrime, Cyberwar And Malware Exploitation : CVEs
Gary Miliefsky

HOW TO FIND AND FIX CVEs and BE MORE PROACTIVE
In this session you will gain insider information about the root cause of exploitation. You will learn about Common Vulnerabilities and Exposures (CVEs) and how hackers, viruses, worms, spyware, botnets, rootkits, Trojans, cybercriminals and cyberterrorists use CVEs to exploit networks. Over 95% of successful attacks are exploits of these CVEs.

Hands on 'live' CVE analysis, exploitation and remediation using the latest tools such as OpenVAS and OVAL plus some cutting edge HIPS technology to buy you time to fix your holes so they don't get exploited.

Battery Firmware Hacking
Dr. Charlie Miller

Ever wonder how your laptop battery knows when to stop charging when it is plugged into the wall, but the computer is powered off? Modern computers are no longer just composed of a single processor. Computers possess many other embedded microprocessors. Researchers are only recently considering the security implications of multiple processors, multiple pieces of embedded memory, etc. This paper takes an in depth look at a common embedded controller used in Lithium Ion and Lithium Polymer batteries, in particular, this controller is used in a large number of MacBook, MacBook Pro, and MacBook Air laptop computers.

In this talk, I will demonstrate how the embedded controller works. I will reverse engineer the firmware and the firmware flashing process for a particular smart battery controller. In particular, I will show how to completely reprogram the smart battery by modifying the firmware on it. Also, I will show how to disable the firmware checksum so you can make changes. I present a simple API that can be used to read values from the smart battery as well as reprogram the firmware. Being able to control the working smart battery and smart battery host may be enough to cause safety issues.

SCADA Dismal Or Bang-Bang SCADA
Yaniv Miron


Water, Oil, Nuclear, Electric, The air you breathe, wouldn’t it be fun to hack into it? In this presentation I will show you the ease of hacking into the systems that runs our lives (SCADA - Supervisory Control And Data Acquisition), how weak are their protocols and how lame they are deployed. If you wanna play with the big boys systems - be in this SCADA hacking talk. (A new tool will be reveled in the talk).

Secrets to Hacking: The Challenges, Risks and Rewards
Haja Mohideen

This session will expose the underground secrets to recents hacks and will cover in-depth analysis of how the attackers managed to steal information from multi-national companies.

Solid State Drives And How They Work For Forensics And Data Recovery
Scott Moulton


I will display how SSD Drives, NAND and Flash memory works and the effect it has on the data from a recovery and a forensic perspective. My content is ANIMATED in 3D. This is about four years of research about how these devices work and what is currently possible in the Data Recovery and Forensic world and what will change with forensics and data recovery jobs in the future.

Collecting Eyeballs : Measuring And Analyzing Malicious Activity On Twitter And Facebook
Daniel Peck

The popularity and open API of social media make an attractive medium for attackers. In this talk, we discuss the scale and history of malicious activity on Twitter and Facebook. Based on a comprehensive research study, we demonstrate how attackers respond rapidly to the large increases of users driven by celebrity attention,
as well as review attacks across trending topics, URL shorteners and more.

PenTesting the Cloud
Tim Pierson

This talk will look at some of the major cloud infrastructures and providers and what it takes to perform a pen test on your own infrastructure in a shared or multi-tenant environment this would include perhaps yours or a shared application in that same multi-tenant or shared environment. Even between the top tier providers there are major differences in what can be offered as far as cloud security goes and what is allowed to be tested.  Mostly it is limited for fear of brining the rest of the shared infrastructure down.  Some cloud providers provide more of a proper methodology than others.  Some of them have an approval process where yet still some of them just leave it up to you. Other providers offer a full suite of services to test their apps along with yours.  Is this what you really want?  Is this sufficient for compliance?  How can you architect your own security in the cloud and access data in the cloud and moreover pen test it to the satisfaction of the compliance agencies and upper management and financial backers.  What other technologies are available to help you secure your data in and out of the cloud and how can they be tested?

New SCADA Attacks – APT, Night Dragon, And Stuxnet-Everybody Is Kung Fu Fighting
Jonathan Pollet


The recent increase in coordinated covert cyber incidents targeting global oil, energy, and petrochemical companies, termed “Night Dragon” and the Stuxnet malware are examples of APT attacks targeting SCADA systems and critical infrastructure. Our security teams have been involved on the ground level responding to several Night Dragon and APT incidents, and developed an educational presentation about what was found, the methodology of the attackers, and some useful tips for asset owners to consider in preventing this type of an attack from exploiting their own systems.

A Crushing Blow At The Heart Of SAP JZEE Engine
Alexander Polyakov

Nowadays SAP NetWeaver platform is the most widespread platform for developing enterprise business applications. It’s becoming popular security topic but still not covered well.

This talk will be focused on one of the black holes called SAP J2EE engine. Some of the critical SAP products like SAP Portal, SAP Mobile, SAP XI and many other's lay on J2EE engine which is apart from ABAP engine is less discussed but also critical.

I will explain architecture of SAP’s J2EE engine and give a complete tour into its internals. After that I will show a number of previously unknown architecture and program vulnerabilities from auth bypasses, smbrelays, internal scans, xml/soap attacks to insecure encryption algorithms and cross-system vulnerabilities in J2EE platform.

Finally it will be presented chained attack which use multiple logic vulnerabilities and give a full control on SAP’s J2EE Engine. A free tool will be presented to automatically scan custom applications against this attack.

PCI Data Security Standard (DSS) Update
Hemma Prafullchandra

DSS 2.0 explicitly clarifies that system components in cardholder data environments can be virtual or physical. This standard was released in October 2010.
In June 2011 the PCI Security Standards Council released an Information Supplement providing additional guidance on use of virtualization in the payment chain.
This session will discuss the key elements of DSS 2.0 and the virtualization information supplement.

SCADA And PLC Vulnerabilities In Correctional Facilities
Tiffany Rad & Teague Newman & John Strauchs

On Christmas Eve, a call was made from a prison warden: all of the cells on death row popped open. Many prisons and jails use SCADA systems with PLCs to open and close doors. Not sure why or if it would happen, the warden called physical security design engineer, John Strauchs, to investigate. As a result of their Stuxnet research, Rad and Newman have discovered significant vulnerabilities in PLCs used in correctional facilities by being able to remotely flip the switches to “open” or “locked closed” on cell doors and gates. Using original and publically available exploits along with evaluating vulnerabilities in electronic and physical security designs, this talk will evaluate and demo SCADA systems and PLC vulnerabilities in correctional and government secured facilities while recommending solutions.

Cloud Service Provider Security Update
Robert Rounsavall

This talk will look at some of the major cloud infrastructure as a service (IaaS) providers and what their current security offerings consist of.  Even between the top tier providers there are major differences in what can be offered as far as cloud security goes.  Some of them talk about having secure cloud offerings even though there are no security services available just because they passed some sort of audit.  Other providers offer a full suite of services.  How can you architect your own security in the cloud and access data in the cloud?  What other technologies are available to help you secure your data in and out of the cloud?  Some of these tools and architectures will be demoed during the talk.

SCADA Security : Why Is It So Hard?
Amol Sarwate

This talk will help those implementing security measures for SCADA systems. It will present the technical challenges faced by organizations that have SCADA or control systems installations, provide examples of security controls for SCADA systems, and offer an open-source tool to help identify and inventory SCADA systems.

It will begin by introducing SCADA systems under the hood and will go into depth about SCADA protocols like MODBUS and DNP3 at the packet level.
The second half of the talk will focus on real world examples of successful and not-so-successful implementations of security controls with SCADA systems.
This will include examples of what some large organizations have done, and a discussion about why SCADA security cannot be deciphered just by tools or technical solution.
The presentation will conclude with the release of an open-source tool to identify and inventory SCADA systems using the protocols discussed in this presentation.

Mobile App Moolah : Profit Taking With Mobile Malware
Jimmy Shah

Smartphones are a hot new market for software developers. Millions of potential customers, and a large percentage willing to part with a small sum of money for your latest creation. Even a moderately successful app can help fill your pockets. It's hard to ignore for legitimate developers. It's even harder to ignore for criminals.

Things have changed from the old days of malware creation. It's no longer just about proving yourself or testing a new platform by writing proof-of-concepts(PoCs),
porting old malware, and learning the idiosyncrasies of the development tools. Now it's about evading detection and taking a profit. Where there's money,
crime usually follows.

The presentation is not about attribution, naming names or pointing out the parties responsible. It's about the underlying technology and the methods used, including:
  • how actual examples in the wild function
  • detection/analysis evasion techniques
  • geographical trends in profit-taking malware

Achieving Database Security And Compliance In The Cloud
Josh Shaul

In their research document “The Cloud Wars: $100+ billion at Stake,”[i] Merrill Lynch has predicted the cloud computing market will reach $160 billion in revenue by this year. Some say that the unprecedented hype surrounding this new paradigm stems from the disruptive departure cloud computing represents from traditional computing and operational processes. Cloud computing offers important on-demand computing benefits including pay-as-you-go and self-service where capacity is elastic and applications are deployed without regard to underlying architecture.

The evolution of software to a service (SaaS) delivery model frees users from the limitations of traditional infrastructure such as scalability, performance bottlenecks, and capacity. But these are the business implications of the cloud paradigm. Data breaches and audit failures can occur just as easily within the cloud as within traditional computing infrastructures. Cloud computing neither increases nor decreases the database security, risk, and compliance challenge, but it does require that existing processes and procedures are adaptable, able to scale, and become elastic along with the infrastructure.

During this presentation, an overview of how to achieve database security and compliance in the cloud will be discussed. Cloud computing neither increases nor decreases threats to critical data assets and cloud computing still requires a robust program of database SRC based on best practices. Regardless of delegated responsibilities, service level agreements, and service provider commitments, the ultimate responsibility for database security, risk management, and compliance in the cloud remains with the application, or data owners. We will discuss measures to ensure security is properly executed and managed, control over data access is in place, regulatory compliance is minded, and expectations are appropriately set.

The new Frontier for Zeus & SpyEye
Ryan Sherstobitoff

Credit unions, community and regional banks have come under the recent focus of Zeus and SpyEye gangs. These malware families are no longer targeting the Bank of America’s of the world; instead there is a dramatic shift in the type of targets fraudsters are going after.

Today many Zeus and SpyEye variations are deployed by fraudsters that target community style banks; this means the really small banks serving rural areas such as Star City Arkansas are showing up frequently in the log files of C&C servers across the globe. Therefore, during our research we have uncovered evidence from a number of “in the wild” samples of Zeus and SpyEye, that these families target even the most obscure financial institutions such as the Star City Bank located in rural Star City, AR – normally you would not find custom triggers for a bank such as Star City like you would for Wellsfargo, rather it will be attacked generically through a platform services provider.

Attacking And Mitigating Unbound Media
Brad Smith


This session will discussion and demonstrate the threat of unbound media (media not guided by wire such as: Satellite transmission, Radio, WiFi, Bluetooth, Infrared). Everybody is now unbound and few are securing this multifaceted threat.  This session will help you understand the treats by demonstrating the for you and then helping you understand how to stop them.

Not some talking head session, you can play along with the demonstrations, so you’ll fully understand the treat and the remediation.  The usually quizzes, prizes and “play along hacks” are there in this informative session that covers one of your higher vector threats: Unbound Media.  Seeing is truly Believing!

During this session you’ll be able to: State definition of unbound media, List good and nefarious uses of unbound media, Watch / “Play along” demonstrations on common attacks for Satellites, Wifi, RFID and Bluetooth, Define controls and methods of remediation for these specific unbound media that Ethical Hackers might employ, Discussion on securing all unbound media and Restate where additional help may be located.

NOTE: to play along hacks with the WiFi, RFID and Bluetooth demonstration please bring your laptop with WiFi, RFID and Bluetooth and security assessment tools such as Backtrack 5.

Hunting Web Malware
Aditya K. Sood


The talk sheds light on the new trends of web based malware. Technology and insecurity goes hand in hand. With the advent of new attacks and techniques,
the distribution of malware through web has been increased tremendously.

Blackberry WatchDog – Because You Need Prevention
Radu Stanescu
 
The  IT Security industry now offers several DLP solutions for the data stored on the company network, that leaks through USB devices, emails or printers.
Blackberry WatchDog monitors your employees Blackberry devices activities – like calls, SMS, BBM, PIN, Address Book – and allows you to generate reports and send you alerts on specific subjects.
Blackberry WatchDog is a powerful guardian for your information leaks and helps you learn more about your company.

Application Whitelisting : The Good, The Bad, And The Ugly
Harry Sverdlove


In today’s IT security world, the exponential growth in malware and the increasing significance of highly targeted attacks are causing major concern for companies of all sizes across all industries. The level of technological strength needed to repair damage caused by a cyber attack is not something that many companies are capable of projecting. For the past 20 years, the security industry has been developing a method of securing a company through the blacklisting of certain signatures and addresses to protect organizations from falling victim to malicious software.

Risk Assessment Based On Vulnerability Analysis
Ari Takanen


The complexity of modern day networks is overwhelming for people conducting security assessment in especially in the area of telecommunications. In an ideal world,
all available interfaces would be tested, but in reality, budgets, deployment schedules and the availability of tools often impose limitations on what is feasible.
In order to perform security testing efficiently yet thoroughly and reliably, it is necessary to analyze the network and prioritize the test targets. That way, the critical interfaces are properly tested and the resources are not wasted on testing issues that are trivial in the particular system under test. We combine the Unknown Vulnerability Management Lifecycle model, with other novel technologies such as Attack Vector and Attack Surface Analysis, and vulnerability metrics such as Common Vulnerability Scoring System (CVSS) to create a simple process for analyzing the network, prioritizing the threats and planning the security testing accordingly.

Everything You Need To Know About Wireless Security
Domonkos P. Tomcsanyi


In the past years several wireless protocols were broken by hackers and researchers. In this presentation I would like to walk with my audience through the various attacks in theory and in practice. While doing this we will try to answer some of the main questions related to wireless security (why is it so popular to break a radio network nowadays?) and talk about the steps needed to make a wireless system secure.

Software (In)security - Defending against evil software
Shakeel Tufail

Software exploits are constantly increasing and becoming more effective at subverting applications. Software is more commonplace than ever before in our history. It resides in our computers, tablets, smartphones, machinery, transportation, business operations, cars, etc. Hackers know the value of your software and data assets & it’s a matter of time until they attack you!

Secure software is improving but severely lacking in most applications. The future of computer security requires that we secure our software. The network firewalls, routers, and IDS’ can't protect us anymore. We need to build security into our applications.

We will speak about the challenges of securing software as well as secure architecture concepts and best practices for securing the software development life cycle. You’ll see actual case studies and maybe a surprise or two…

Next Generation Cloud API's : Security Embedded
Richard Tychansky


Shown through a number of case studies will be how ineffective security controls are being implemented by Cloud developers in Software as a Service (SaaS) offerings.
A sample of Cloud providers is illustrated and their API’s examined for how security control mechanisms are allowed to be implemented. Game changing SaaS vulnerabilities will be presented as well as a process for detection, examining their impact, and prevention in the next generation of Cloud API’s.

SCADA hacking: the proliferation of weapons for the next world war
Shaun Waterman / Jonathan Pollet / Prof Tiffany Rad / Matthew Luallen

Stuxnet was a sophisticated creation, and probably designed by a well-resourced team including some level of expertize or at least familiarity with SCADA/ICS systems. But now that Stuxnet has got the attention of the global computer security community, ingenious hackers -- some with no background at all in ICS/SCADA -- have been able to devise effective attacks against SCADA systems. At the moment, these attacks look crude compared to Stuxnet and the vendor maintains that they would merely put the machinery safely into stop mode.

But even being able to shut down an industrial plant would be an enormous propaganda victory for a hactivist group like Anonymous, or any would-be successor. And extortion using the threat of attacks against SCADA systems is already a reality, according to some reports.

In short, what nation-states can do today, criminal enterprises and skilled hactivists can likely do tomorrow, and even script kiddies may even be able to join in next week.  

What are the implications of the growing availability in open source literature of techniques for attacking SCADA systems? What measures can owner operators take to protect themselves? How are effective are the government's attempts to build partnerships with the SCADA/ICS community?

As far as speakers go, would it be worth trying to get anyone from the government along? I am talking to Marty Edwards' people about an open day they organizing at the end of the month down at Idaho National Labs and i could raise the possibility of him taking part in the session during those conversations if you thought it appropriate.

Transparent Smartphone Spying
Georgia Weidman

Your whole life is on your smartphone, from your work related emails, to where you've been, to your clandestine communication with your secret lover. This talk discusses new research in stealing data off smartphones transparently. This proof of concept works over cellular communication at the base smartphone operating system to avoid detection. Communications are parsed, logged, and even forwarded to an attacker before the owner of the phone even has access to them. This talk will also discuss stealing information stored in apps, in email, etc. from underneath the application layer and again forwarding this data to an attacker. Live demos on multiple smartphone platforms will be shown, and proof of concept code will be released.

Cloudy With A Chance Of Hack
John Weinschenk


Cloud computing is a cost effective and efficient way for enterprises to automate their processes. However organizations need to be aware of the pitfalls of the many cloud-computing solutions out there - one of the main ones being security. Companies should ask the solution provider the security measures used in developing the application and get an independent verification to make sure there are no gaping holes. With over 75% of attacks occurring through the Web, any attack through these applications can lead to leakage of confidential information and embarrassment. This session will highlight the security considerations an organization needs to take into account when adopting cloud computing capabilities.

And You Will Know Us By The Trail Of Our Logs: Malware research and analysis using log data
Zachary Wolff

In this talk we will take a proactive approach to malware research and analysis by looking at specific samples and the log trails they leave behind.  In certain cases the exploits that malware utilize will  generate an identifiable log trail, in others it will be the malware’s unique behavioral logs that clues us in .  We will examine some of the more relevant log sources to be looking at and also some ways to proactively capture relevant logs.

Visualizing the Advanced Persistent Threats - Know the Enemy, Know Yourself
Benson Wu


The presentation begins with significant APT attacks and guide the audiences in understanding how "advanced" and "persistent" are played in APT warfare. Unfortunately, even a single access to a malicious document enables the attacker to download a multitude of malware binaries. Frequently, this malware allows the adversary to gain full control of the compromised systems leading to further penetrations, even endangering their own customers. We have identified the main-stream attack vector for APT is through social engineered emails with attachment that can bypass most anti-virus detection. Then we characterize the nature of this significant-yet-mysterious threat by analyzing collected APT activities, mapping them to APT victims, and categorizing quite a few major APT taskforcces. By visualizing APT, one can better understand the APT plan in advance, and prepare countermeasures for it.

Apple iOS 4 Security Evaluation
Dino Dai Zovi

As the popular smartphone platforms have increased in popularity with consumers, many enterprises and businesses are considering broadening their support beyond their traditionally support platforms. These new smartphone platforms such as iOS and Android, however, come with a lack of detailed understanding of their security features and shortcomings. This presentation is the result of an extended assessment of the security mechanisms and features of Apple's iOS with an emphasis on the concerns of an enterprise considering a deployment of iOS-based devices or allowing employees to store sensitive business data on their personal devices.

iOS 4 implements several key security mechanisms: Mandatory Code Signing, Code Signing Enforcement, Sandboxing, Data Protection, and (as of iOS 4.3) Address Space Layout Randomization. Each of these mechanisms' precise operation was investigated in detail through static and dynamic binary analysis, as well as their strengths and any identified weaknesses.

We examine and document the risks of a lost device or a remote iOS compromise through a malicious web page or e-mail. Finally, based on the strengths and weaknesses identified, concrete recommendations will be made on what compensating measures an organization can and should take when deploying iOS-based devices for business use.

spacer
dummy