DAY 1 /// Wednesday 21 /// Room 'A' Auditorium

  1. 11:00 - 13:00

    Registration

  2. 13:00 - 13:15

    Introduction and Welcome

  3. 13:15 - 13:50

    hackers, privacy, makers: Politics

    Gerardo 'gera' Richarte, Core Security Technologies.

    We like mastering technology, and we like the taste of power that comes with it. Speaking the language of the microprocessors that are already embedded everywhere, until, as futo used to say, a refrigerator bluescreens. But technology having invaded everything, and everything now being connected, is not free. My 19-year-old cousin is doing an internship at Movistar and can see where any phone is located, in real time. Is it true? It doesn't matter: it is possible. Our technological actions have an almost direct effect on everything, and we can't play dumb; we have to become aware, and act. Keep learning and helping others learn, because starting from zero, with so much to master, gets harder every day. And if we don't master technology, it simply masters us. In the talk: more reflections, some questions, and some ideas for things to do. We'll see what comes of it; we'll see whether we take responsibility for what falls to us, or let it pass.

  4. 14:15 - 16:15

    Workshops

    See full list

  5. 16:15 - 16:45 --- COFFEE BREAK

  6. 16:45 - 18:45

    Workshops

    See full list

DAY 2 /// Thursday 22 /// Room 'A' Auditorium

  1. 8:00 - 8:45

    Registration

  2. 8:45 - 9:00

    ekoparty Round Two

  3. 09:00 - 09:50

    Squeezing the web: obtaining data drop by drop to own any Argentinian

    César Cerrudo

    César Cerrudo, CTO at IOActive Labs.

    Nowadays any Internet user is registered on a dozen websites, and with the constant computerization of more and more services, the number of sites we register on grows every day. We all know that many sites don't have good security, but we sometimes overlook that small oversights on those sites reveal data about us drop by drop. These pieces of data may seem unimportant, but combining data extracted from different sites makes it possible to extract even more data from other sites and turn it into valuable information, to then carry out targeted attacks against people. This presentation is not about how to exploit common vulnerabilities in websites, nor about how to get information from social networks, but about how to abuse mechanisms used for user authentication that allow the extraction of minimal (sometimes a lot of) data, to then use it with good or bad intentions. It is an entertaining presentation with many practical examples that may scare more than a few, and which I hope serves to open our eyes and make us take more precautions, whether as users or as those in charge of developing or securing websites.

  4. 09:55 - 10:45

    Setting The Evil Bit: Malicious Traffic Hiding In Plain Sight

    Alex Kirk, Sourcefire Vulnerability Research Team.

    Building on the research I presented at You Sh0t the Sheriff in May, this presentation will explore ways to detect traffic generated by malware-infected hosts in a broad, generic fashion - instead of looking for traits specific to a given piece or family of malware. Specifically, my talk will explore:

    * HTTP protocol breakage - much of the HTTP traffic generated by compromised hosts ignores or violates key parts of the RFCs, breaking the protocol in ways worse than even Internet Explorer 6.
    * Legal WTFs - other times, malware generates traffic that is technically legal per the RFCs, but simply makes no sense in the real world. This includes items such as POSTs to image URIs, blatantly malicious User-Agent strings (i.e. "GBot/2.3"), mismatches between declared Content-Types and actual data returned, etc.
    * Spam blasts - after realizing that the hosts in my malware zoo have been blacklisted at all the major mail providers, I've set up an outbound mail honeypot to make sure all of that traffic is captured as well. Techniques for detection ranging from simple flow analysis on port 25 to inspection of SMTP headers and bodies will be based on this new data.
    * General "Ha Ha" - malware does ridiculous things all the time, and the presentation will be full of the funniest and most ludicrous examples I can find from my malware zoo.

  5. 10:45 - 11:25

    The Benefits of Making a Good Impression

    Deviant Ollam, Board of Directors of the US division of TOOOL.

    Lockpicking is a terrific skill to have, and it can allow you to open doors, cabinets, and chains with relative ease and speed. However, there is no getting around the fact that to pick a lock open you need to crouch down next to it with very conspicuous-looking tools... and you have to do this /every time/ you want to open the lock. What if I told you there was an attack that you could perform ONE TIME against a lock and then own it forever? And what if this attack was relatively innocent looking when you stood near the door or padlock in question? Welcome to the world of impressioning... with the right tools and a bit of time, you can turn a blank key into a totally working key for just about any lock in common use today. Pin tumbler locks, wafer locks, even many styles of rotating disc locks and more can be attacked in a way that is hard to notice and which results in amazing access if successful. This talk will show you how it is done and give you some useful tips and tricks if you plan to try it out later on.

  6. 11:25 - 11:55 --- COFFEE BREAK

  7. 12:00 - 12:50

    Attacking the Webkit Heap

    Agustín Gianni

    Agustín Gianni, Immunity.

    WebKit provides the backbone for an increasing number of Web Browsers, including Safari, Chrome and the Android browser. Within these browsers we see it coupled with the TCMalloc allocator to manage dynamic memory allocation. This common combination means that understanding of WebKit heap manipulation techniques and TCMalloc heap management algorithms and structures is very useful for reliable exploit development. In this talk we will explain the TCMalloc allocator from the point of view of heap manipulation and exploitation. We will discuss techniques for crafting its internal layout accurately through WebKit's Javascript engine with the aim of setting up the heap for exploitation. Due to the similarities across browsers this information is quite portable and will give base primitives for exploit development. As is often the case with custom heap allocators, TCMalloc has far weaker (or entirely absent) protections than those offered by the core Windows, Linux or OS X allocators. Finally, in an illustration of exploit dev necromancy we will plunder TCMalloc and resurrect some of your favourite exploitation strategies from allocators-past.

  8. 12:50 - 13:40

    Our Crown Jewels Online: Attacks on SAP Web Applications

    Mariano Nuñez Di Croce

    Mariano Nuñez Di Croce, CEO at Onapsis.

    "SAP platforms are only accessible internally". You may have heard that several times. While that was true in many organizations more than a decade ago, the current situation is completely different: driven by modern business requirements, SAP systems are getting more and more connected to the Internet. This scenario drastically increases the universe of possible attackers, as remote malicious parties can try to compromise the organization's SAP platform in order to perform espionage, sabotage and fraud attacks. SAP provides different Web interfaces, such as the Enterprise Portal, the Internet Communication Manager (ICM) and the Internet Transaction Server (ITS). These components feature their own security models and technical infrastructures, which may be prone to specific security vulnerabilities. If exploited, your business crown jewels can end up in the hands of cyber criminals. This talk will explain how remote attackers may compromise the security of different SAP Web components and what you can do to avoid it. In particular, an authentication-bypass vulnerability affecting "hardened" SAP Enterprise Portal implementations will be detailed. You will understand the real business implications of the exploitation of these technical weaknesses. We will present several LIVE demos, from remote command execution shells through Web interfaces up to unauthorized access to sensitive business information such as credit card transactions and financial data.

  9. 13:40 - 14:40 --- LUNCH BREAK

  10. 14:40-15:00

    Forensic Analysis on iOS Devices

    Jaime Restrepo

    Jaime Restrepo, Comunidad DragonJAR.

    This highly practical talk is aimed at forensic analysts, companies and users who want to understand the personal information stored on the iPhone/iPad/iPod Touch (iOS devices) and how to recover it. In this talk we will reveal the enormous amount of personal information stored on Apple devices and the techniques/software for recovering this information.

  11. 15:00 - 15:50

    Leveraging MSRs for Fun and for Profit

    Ryan MacArthur

    Ryan MacArthur, iSIGHT Partners.

    I will introduce the audience to MSRs, how they have been abused in the past, and what role they play today. Then I will get into leveraging MSRs to do our bidding, including the following:

    1) A small amount of assembly to detect ALL virtualization/emulation environments
    2) How to implement a stealthy and low-latency execution tracer (win32)

    I will demo the use of these live, successfully tracing PEs that employ anti-tracing techniques.

  12. 15:50 - 16:10

    Virtual Cash, Show Me The Money: Debugging Facebook Flash Games and Getting Some Real Bucks

    Marcos Nieto

    Marcos Nieto, Independent researcher.

    Nowadays, social networks get their peak visitors into a somewhat complex gaming hierarchy, where they get involved in playing with or against their friends, but in these games there's always a constant: to succeed faster, to better improve the gaming experience, to acquire the latest items, whether to outrun, outstand or outwit other players, and to get a high position in the coop, many on-line gaming companies have created virtual cash to purchase premium items and services otherwise unachievable. This simple procedure not only covers how to get our hands on that precious virtual cash without directly spending any real cash, but also how to stock it and even act as unofficial resellers, should it become a prosperous dark venture. The approach of my presentation aims towards demonstrating, with very simple steps and tools, how to trick an on-line game server into delivering some cash, masked under achievements during game-play which everyone would fairly get; this particular scenario cuts that time window, boosting it by storming a set of genuinely recorded sessions back to the server in a large number of iterations for each created phantom account. For each clone that has been tested with this procedure, the amount of generated virtual cash could be worth 50 US Dollars, once drained from there to a central account. On a daily basis, two clones can be set up and drained from a fairly low-profile connection, since this can be performed from a 32KBps upload link with no problems, without triggering any alarm either. So, there are these power boosts that can be acquired with money via PayPal, etc. That cyber cash acquisition is also achieved by genuine hard work, which in this case means supervised drones storming the servers, mocking real players, to get the virtual game money transferred and redeemed, no different from a normal product sold by the company that creates it, since what is resold, for a lower price, is actually a product acquired legitimately from them.

  13. 16:10 - 17:00

    Deep Boot

    Nicolás Economou

    Nicolás Economou, CORE Security Technologies.

    This presentation will introduce a relatively generic, recently developed technique for controlling the boot of any operating system running on x86/x64, taking control of the CPU from the first instruction executed by the BIOS BOOT mechanism through the complete boot of the OS, and ending with taking control of its kernel. Similar techniques can be found in rootkits and in the first version of Computrace. A SIMULATION of a REAL attack will be carried out, "rootkitting" a Windows machine live (possibly with an AV running) to achieve persistence, and then demonstrating how the same "rootkit", using this technique (Deep Boot), regains control of the OS from boot.

  14. 17:00 - 17:30 --- COFFEE BREAK

  15. 17:30 - 18:20

    Snakes on a Payload: Bundling Python with your shellcode

    Thai Duong

    Pedro Varangot, Core Security Technologies.
    Fernando Russ, Core Security Technologies.

    Traditionally we understand 'binary exploitation' as the discipline of turning a vulnerability into the ability to run nearly arbitrary code on the victim's CPU. If we consider this "stage 1", one can then think of different ways of moving on to a "stage 2", meaning being able to use the services the operating system provides to any process, such as memory management, sockets, the file system, etc. The limitations of the current stage 2 technologies in commercial products are very well described by Dino Dai Zovi in a WOOT 2007 paper, which as a solution proposes a sketch of a stage 2 that then bootstraps a VM. Motivated by this, and given the limitations of these current techniques when developing post-exploitation tools, we started investigating the problems and possibilities of developing a payload that bootstraps a VM. In this talk we will describe the difficulties of developing this payload using a VM that runs a subset of Python, and the way we solved them. We will also release, under an open source license, the toolchain needed to build a payload using this technique, and demonstrate how we used it to build the payload for a prototypical vulnerability.

  16. 18:20 - 18:40

    (Pr0n=>CTC) => (P=NP)

    Ariel Futoransky

    Ariel Futoransky, co-founder of Core Security Technologies.

    In "Feeling the future", a controversial article in the Journal of Personality and Social Psychology, several very simple experiments are formally described that would allow an elementary form of precognition. All that is apparently needed is several people, computers and some erotic photos!? What would the implications be if these results were confirmed? In this talk we will show how different variants of these experiments could be used to build attacks against cryptographic primitives, using RSA as an example, and we will invite the audience to take part in a live attack attempt.

  17. 18:40 - 19:30

    SCADA Trojans: Attacking the grid

    Rubén Santamarta

    Rubén Santamarta, Independent consultant.

    How, when, where, why and who can attack industrial control systems, specifically those managing energy, are some of the questions that will drive the talk. It will review the theoretical attacks, adding new vectors and more practical attack methods. The talk will have substantial practical content, exposing 0days in SCADA software and hardware. Finally, an attack aimed at "switching off" a country will be modelled.

  18. 19:30 - 24:00

    GetTogether by Onapsis

    GetTogether ekoparty

    After the conference, we'll get together at a pub to share a few beers.
    The first round is on the house!

DAY 3 /// Friday 23 /// Room 'A' Auditorium

  1. 8:00 - 8:45

    Registration

  2. 8:45 - 9:00

    ekoparty Final Round

  3. 09:00 - 09:50

    Reversing the State: gastopublicobahiense.org

    Manuel Aristaran

    Manuel Aristaran, Independent researcher.

    Computers are getting political. The flood of information available these days has made people aware that their governments are not releasing the enormous quantity of data they generate. When they do, it's usually through poorly made websites or in formats that don't allow for automated processing. The Open Data movement is now demanding that governments release their information in standard and open formats. We will present the case of gastopublicobahiense.org, a site that put the public procurement information published by the government of Bahía Blanca (Argentina) in a new light.

  4. 09:55 - 10:45

    Cloud and Control: Factoring and Cracking

    Tom Ritter

    Tom Ritter, Gotham Digital Science.

    Other people have presented on operating 'in the cloud': running jobs on a few nodes in EC2. This talk is about how to control 2000 instances as easily as 2 using BOINC, the open source software behind SETI@Home, ClimatePrediction.net, and other volunteer distributed computing projects. Setup and administration of BOINC is shown with the context of examples: factoring RSA keys and cracking passwords. A new approach to hands-off password cracking was developed and benchmarked against Korelogic’s Defcon 2010 Crack Me If You Can contest, using three different password crackers across seven hash formats. Private keys for 512 bit SSL Certificates are recovered in under two days using open source software; and analysis is shown on the necessity of 'good' polynomial selection and oversieving.

  5. 10:45 - 11:25

    Design and implementation of a voice encryption system for telephone network

    Fabián Valero Duque

    Fabián Valero Duque, Security consultant and researcher.

    A real-time voice encryption system has been developed that works over fixed-line telephony, combining two types of cipher. The first type, a public-key protocol called RABIN (an asymmetric encryption algorithm based on the problem of computing square roots modulo a composite number), is used to exchange the private keys, and the second is based on a private-key protocol called TEA (Tiny Encryption Algorithm, a small cipher), additionally performing a masking procedure on the encrypted keys of the private-key algorithm. XTEA_E (TEAX_E) is a contribution delivered in the project, based on the XTEA (TEAX) algorithm (a tiny encryption algorithm). The system allows a telephone conversation in which the encrypted voice is transmitted digitally via modem between the users, without compromising the intelligibility of the message.

  6. 11:25 - 11:55 --- COFFEE BREAK

  7. 12:00 - 12:50

    Virtualised USB Fuzzing using QEMU and Scapy

    Tobias Mueller

    Tobias Mueller, Chaos Computer Club.

    The talk will be about virtualised USB fuzzing using QEMU and Scapy. It will be shown how QEMU can be modified so that it allows attaching a virtual USB device which is backed by an external process. This makes it possible to implement USB behaviour easily and cheaply, and thus to test USB stacks, USB drivers and the applications on top of them.

  8. 12:50 - 13:40

    Bosses love Excel, Hackers too.

    Chema Alonso

    Chema Alonso, informatica64.

    Remote applications published by companies are all around us in the cloud. In this talk we are going to add ICA and Terminal Server apps to the fingerprinting process, automating data analysis using FOCA. This will allow an attacker to fingerprint internal software and internal networks, and to combine that info in PTR scanning, evilgrade attacks and command execution through Excel files. In the end, we are going to play with a tricky feature in the security policies for remote Excel that will allow hackers to bypass macro restrictions.

  9. 13:40 - 14:40 --- LUNCH BREAK

  10. 14:40 - 15:30

    iOS Code Injection and Function Hooking

    Michael Price

    Michael Price, McAfee Labs.

    This presentation covers techniques that can be used for injecting dynamic libraries into binaries on disk, or into running processes (local or remote), as well as for hooking standard functions, shared library calls (symbol stubs or lazy pointer table entries) and Objective-C method calls. In the presentation, these techniques are combined to hook the SSL functions used by the Game Center support included with iOS, for the purpose of obtaining access to otherwise encrypted network traffic. A description of how the Game Center client support handles communication with the backend will be covered. Also, some coverage of ARM assembly is given, including hooking techniques for functions compiled to ARM and THUMB.

  11. 15:30 - 15:50

    Experiments using IDA Pro as a data store

    Aaron Portnoy

    Aaron Portnoy, HP TippingPoint DVLabs.

    This talk will cover the TippingPoint security research team's experiments using IDA Pro to mirror a datasource. The ability to harvest attributes and metadata from a binary can allow a reverser to extend their arsenal of approaches to solving their problems. By combining the information available statically with supplemental data collected from a debugger, a reverser can paint a more complete picture of the target application. Additionally, the ability to modify attributes and subsequently query them via a friendly interface can aid in collaborative reversing. This lightning talk aims to demonstrate what other tasks can be accomplished when building functionality on top of a few simple primitives.

  12. 15:50 - 16:40

    Defeating x64: Modern Trends of Kernel-Mode Rootkits

    Eugene Rodionov

    Aleksandr Matrosov

    The 64-bit versions of Microsoft Windows were considered resistant to kernel-mode rootkits thanks to the code integrity checks performed by the system. However, today there are examples of malware that employ methods to bypass the security mechanisms implemented. This presentation focuses on the security problems of the x64 architecture, specifically on the kernel-mode code signing policies and on the techniques modern malware uses to bypass them. The kernel-mode address space penetration techniques used by modern in-the-wild rootkits are analysed:

    - Win64/Olmarik (TDL4)
    - Win64/TrojanDownloader.Necurs (rootkit dropper)
    - NSIS/TrojanClicker.Agent.BJ (rootkit dropper)

    Special attention is paid to the Win64/Olmarik (TDL4) bootkit as the most prominent example of a kernel-mode rootkit targeting 64-bit Windows systems. We will detail the notable features of TDL4 compared to its predecessor (TDL3/TDL3+): the evolution of the rootkit's user-mode and kernel-mode components, the techniques used to bypass HIPS, the hidden file system and its bootkit functionality. Finally, possible approaches to cleaning an infected machine are described, and a free forensic tool for dumping TDL hidden file systems is presented.

  13. 16:40 - 17:10 --- COFFEE BREAK

  14. 17:10 - 17:50

    Open Source Satellite Initiative

    Hojun Song

    Hojun Song, Independent researcher.

    Hojun Song talks about the Open Source Satellite Initiative. OSSI promotes private space programs by providing DIY tutorials on building a small satellite. After four years of research and one year of experience as a satellite engineer, Song Hojun has found that it is possible to launch and operate a personal satellite at a fairly reasonable price, and he is now waiting for his satellite to be launched in May 2012. In the end, he also talks about how he has been exploring ways to integrate the concept of a personal satellite project into cultural contexts and into his artistic practice.

  15. 17:50 - 18:30

    The Baseband Playground

    Luis Miras

    Luis Miras, Independent consultant.

    Baseband processors control access to the radio hardware on cell phones. There has been published security research and there have been presentations on remotely attacking baseband processors. This talk will take a different approach and focus on code injection into the baseband from the application processor. This is the same method that many unlocks (ultrasn0w) use to bypass carrier restrictions. Interestingly, these unlocks (exploits) can also be used to load your own code onto the baseband. This enables the patching of existing GSM code and other phone functionality :) This talk will cover baseband architecture, setting up a development environment, injecting custom code into the baseband using a variety of exploits, and interesting areas for modification. The case study for the talk will be an iPhone baseband running the Nucleus RTOS, but the concepts will be applicable to other basebands and OSes.

  16. 18:30 - 19:20

    BEAST: Surprising crypto attack against HTTPS

    Juliano Rizzo

    Juliano Rizzo, Independent researcher.

    We present a new fast block-wise chosen-plaintext attack against SSL/TLS. We also describe one application of the attack that allows an adversary to efficiently decrypt and obtain authentication tokens and cookies from HTTPS requests. Our exploit abuses a vulnerability present in the SSL/TLS implementation of major Web browsers at the time of writing.

  17. 19:00 - 24:00

    Aftercon Party / Closing Party

    Closing Party