Cupfighter.net

By Christiaan Beek

From isfullofcrap Flickr photo stream. Creative Commons License

BlackhatEU : Virtual Forensics
By Christiaan Beek

What are the challenges when you have to do forensics on a virtual environment?
•    What are the tools available?
•    Are the tools forensically sound?
•    Where is the data?
•    Who owns the data?
•    What forensic techniques do we use?
•    How to acquire data from the cloud?

Citrix is a nightmare for forensics investigators. There is no personal hard disk to investigate, only a personal profile which does not have very much data in it.
Read more…

By David Lindsay & Eduardo Vela Nava

The talk is about abusing the anti-XSS filters built into IE8 to always be able to perform XSS.

Microsoft decided to implement anti-XSS measures in IE because XSS is so common. On the other hand the wanted to be careful not to break the web and to keep things performant and the solution itself had to be secure.

So how do these filters work?
•    Examine all outbound requests for XSS patterns using heuristics filters.
•    If something matches the filter a dynamic signature is generated
•    If the signature matches then the response is neutered.
Read more…

By Christian Papathanasiou

Christian demoed two tools called JBoss-autopwn and Tomcat-autopwn.

For both tools he demonstrated that exploitation is possible both on Windows and Linux systems. It is also very likely that his tool also works on Solaris.
Read more…

By Andre Adelsbach

Image from christianmeichtry's Flickr photostream. Creative Commons license

The talk starts with explaining the properties of Satellite ISPs. Due to the nature of satellite communication, high latency, high downstream bandwidth, the ISPs often use performance enhancing proxies. Often the satellite ISPs use asymmetric links, using a local uplink in combination with the satellite downlink, but symmetric communication, where the uplink also is sent via the satellite is possible too.

The performance enhancing proxy on the local machine has to breaks some of the basic TCP/IP properties to enhance performance, in this also breaking some of the basic security measures.

Read more…

By Enno Rey & Daniel Mende
erey@ernw.de
dmende@ernw.de

When implementing Cisco Wireless network infrastructure Enno and Daniel got the impression that, security wise, these systems smell.

First part of the presentation focuses on what a typical implementation looks like.

There are three generations:
1.    Structured Wireless-Aware Networks (SWAN)
2.    Based on managed APs and LWAPP (After acquiring Airport)
3.    Cisco Unified Wireless Network

The talk focuses on generation one and three.
Read more…

By James Arlen (@myrcurial, james.arlen@pushthestack.com)

James talk is not about SCADA, it about talking about SCADA.

The security industry has discovered that SCADA systems are in fact information system and all of a sudden security professionals are talking about how they can fix the SCADA security issues.

One of the biggest pieces of FUD that is out there is: if you own the computer you own the system? This is not the case, most of the time when SCADA systems fail, the processes they control stop.

Yes, SCADA systems use control processes by using standard protocols, like modbus tcp, but that doesn’t mean that you understand what energizing coil 13 does to the actual process. If you can break the computer system, it doesn’t men you can break the process.

There are more controls in place in a manufacturing process, e.g. the safety systems that are their to prevent catastrophic from happening or the quality control systems that prevent that dodgy products get out. The most important control in place is that manufacturing is still mostly run by humans who will notice that stuff is about to go wrong.

One of the facts about big infrastructures (electrical nets and manufacturing processes) is that the people who run them count on stuff breaking down. Most of the time you don’t even notice that a major failure in these systems has occurred.

It’s not all negative…
We can understand SCADA systems and we can indeed help. In industrial systems Availability is the key element of the triad, not Integrity or Availability.

If you are going to get involved, be a student, before you become the teacher. Buy some people a cup of coffee and be prepared to put you ego behind you. Understand that these people have being doing this work for a long time and are indeed you parents age, that makes you the kid.

James shared, not for disclosure, a number of examples of IT Security bad practices that where found in the real world and make most IT Security wince and giggle at the same time. Words like rsh, solitaire and non-upgradable NT 4.0 where mentioned.

What will save us, Super Ninja’s, l337 super heros or just “Not Sucking”.

As IT Security people we need to open up, understand this stuff and make small progress that will have a big effect.

By Stephan Chenette (schenette@websense.com)

This talk is accompanied with the release of Fireshark, a Firefox plugin. It can be downloaded here: fireshark.org

Compromised legitimate websites have increased 225% in the last 12 months.

Stephan wrote the Fireshark too to address the problem of analyzing malware serving legitimate site. He found that to date there was no tools that are available today gave him the information that he needed.

Most malware landing pages use exploit kits that will try to use about 25 exploits. These kids are highly obfuscated. Most analysis tools are well known by the bad guys and are thus protected against de-obfuscation.

What is Fireshark?
Read more…

By Roelof Temmingh

Maltego 3.0 will be a major upgrade. The first upgrade that shows is in terms of the visual representation. The Windows based GUI no longer looks like a port from a Unix application to Windows, but has a far more Windows look and feel to it and supports dynamic graphing. The user interface is now fully interactive in all views.

Enhancements include:
•    Dynamic graphs
•    Manual object linking
•    Infinite transfors (e.g. to follow tweets as they occur)

But is not just user interface changes, Maltego v3 will also handle so called “Dead End Entities” entities that currently don’t have transforms.
Read more…

By Felix FX Lindner (Twitter: @41414141, fx@recurity-lab.com)

Image from http://de.wikipedia.org/wiki/Blitzableiter

Felix’s talk is about defending against Flash based web application exploits

This talk is about a tool he developed called “Blitzableiter” (Lightning rod) can be found at http://blitzableiter.recurity.com/. Felix is very much looking for feedback.

Felix has been playing offense for quite some time, but is now playing defense, which he said turns out to be harder then offense.

The motivation for Felix’ work comes form the German government agency BSI who found out that Adobe Flash is way behind the security curve in comparison to other technology.
Read more…

By Max Kelly – CSO of Facebook

Max Keller moved from running a forensics lab to being the Chief Security Officer of Facebook.

Hit ticket slide is “Security – The facebook way”

Axiom 10: “That feature can be used in a way that you didn’t tink of. Try and find out what it is.”

This rule came into existence when they set up their new service friend finder. Which allows you to upload your address list and check if people where on facebook. It turned out that this service was using a lot of CPU because spammers used the service to validate the existence of email addresses to make their spam lists more valuable.
Read more…