ToorCon 15 Reception

Our reception tonight is at the pool deck on the 3rd Floor. Follow the signs for the Ivory Room. Saturday and Sunday’s events will be on the Second Floor. You’ll need to use the elevators to get up. We’ll see you all soon!

Let the Hackers Learn

Schools don’t teach hacking, and the internet hides it both for profit and out of fear of punishment. This makes learning in a legal way very difficult, so we developed a site where anyone can create any security-related challenge they want. This talk is about how we keep our server safe and secure while letting our users make any mistake they want, so they can teach the world about all the web-based exploits.

John Irwin
I love to break things and love to learn. I graduated from the University of Washington with a bachelor’s in Informatics. I have experience working in IT, and am currently employed at Security Innovation as a Security Engineer.

Adventures with weird machines thirty years after “Reflections on Trusting Trust”

It’s been thirty years since Ken Thompson’s famous “Reflections on Trusting Trust” (well, 29, but what’s an off-by-one?). Back then, few hackers expected to actually encounter a planted bug, and now we speculate what commonly used software might not have them. But, if we somehow managed to eliminate all bugs, could we then trust software? We believe that the answer is “not really”: bugs are a part of the problem but by far not all of it.

Any complex enough input is indistinguishable from bytecode for a “weird” virtual machine hiding in the parser. Unless we radically redesign data formats, telling what data could do when fed to software is much harder than it needs to be. For code, of course, it’s known to be undecidable, but it may surprise you how many “tables” are as good as code: for example, so are ELF relocations + dynamic symbols, and so are IDT+GDT+TSS for an ia32 processor (no instructions needed for a Turing-complete computation). This talk will summarize two years of our explorations with @BxSays and @JulianBangert of such “weird machine” programming environments, and what these weird machines mean for “Trusting Trust” beyond bugs.

Sergey Bratus
Sergey Bratus believes that hacking has become a distinct computing research and engineering discipline: while academia focuses on abstractions, models, and frameworks, hackers expose “weird machines” inside actual systems, and show how much unexpected computation power they are capable of. On his day job as a Research Assistant Professor at Dartmouth College, he is extremely fortunate to work with brilliant students who hack ELF, DWARF, 802.11, 802.15.4, and many other nice things.

Static Malware Analysis with PyTriage

Malware analysis is a long process. It’s also not a very well known process among most IT professionals. In some corporate environments a dedicated malware analyst might not be available. In that case, one of the available IT staff might need to perform some preliminary analysis on the binary. That is the reason PyTriage exists.

This tool provides a simple-to-use interface for performing preliminary static analysis of a binary. One of its features is generating hashes in a variety of standards. Currently it supports MD5, SHA1 and ssdeep, but more can be added quite easily. It also supports file type recognition with the “file magic” technique, so one can be sure of the type of the file before starting detailed analysis. PyTriage also has some PE dissection capabilities. It splits the PE into its sections and then displays the section information along with each section’s hash and size. One can also peek into the imported DLLs as well as the exported functions, which will hint at the possible usage of the binary. It can also generate signatures in two different formats: one for the open-source malware analysis tool YARA and the other for the popular antivirus ClamAV. PyTriage also has support for submitting the file via the VirusTotal API. This allows you to look up whether the file has been detected previously by antivirus providers. There is also a report generation feature that allows you to generate a concise report.

All of this is available through an easy-to-use GUI, so that newcomers to malware analysis find the tool easy to work with. The presentation will also take a look at how one can write plugins for the tool, so as to contribute and make it a better tool.

Yashin Mehaboobe
Yashin is a security researcher with the Cyber Security and Privacy Foundation. His areas of interest in this field span hardware security, social engineering, network security, malware analysis and reverse engineering. He discovered a denial of service vulnerability in Android that he reported to Google and presented at Defcon Kerala. His work includes creating a static file-based web application fingerprinting script for nmap, an automated malware detection system for the Raspberry Pi, a network proxy in Python and a malware analysis framework in Python. He was the winner of the Defkthon CTF held at Defcon Kerala. He has also presented at Defcon Bangalore and c0c0n 2013.

Abusing Google Apps: Google is my Command and Control Center

This talk is about abusing Google Apps to implement various attacks that range from Hostless Phishing to setting up a Botnet’s Command & Control Center. In this talk I will demonstrate the implementation of Hostless Phishing, the rebirth of age-old e-mail bombing, and finally a cross-platform (Windows, Linux, Mac) bot in Python that uses Google Apps as its C&C. The Bot and C&C communication is done via Layer 7. The Botnet’s commands and responses are encrypted with Google’s own SSL connection.

This talk will give the audience an idea of how innocent Google services can be abused by an attacker.

xboz
Ajin Abraham is an Information Security Researcher. He is the creator of OWASP Xenotix XSS Exploit Framework. He is a strong supporter of Free & Open Information Security Education. He runs a successful DEFCON Chapter at Kerala.

His areas of interest include web app & stand-alone app security and coding tools. He has been invited to speak at multiple security conferences such as DEFCON Bangalore, ClubHack, nullcon Goa, OWASP AppSec AsiaPac 2013, BlackHat Europe 2013, Hackmiami 2013, Confidence 2013, BlackHat US 2013 and G0S 2013.

Hacking and Reverse Engineering Industrial Control Systems with DOSBox

The reality of finding MS-DOS, Windows 3.1, 95, 98, NT, 2000, etc. as the controlling operating system on many industrial and SCADA control systems is all too common. To most, these systems have become a lost art that confounds those who are tasked with supporting them, unless the machine or system is under a service agreement. Having systems with these operating systems is a huge threat to your infrastructure. This presentation will provide solutions for enumerating and dealing with legacy platforms, including discovery, reverse engineering, emulation, and thoughts on new technology.

•∞d4rkm4tter∞•
d4rkm4tter has a degree in Computer Science with an emphasis on computer security. He has 9 years of industry experience, ranging from running Internet companies (ISP and SaaS), consulting for government agencies, and designing/implementing SCADA/Industrial Control systems for transit and commercial use, to now working with Sylarus Technologies, where he is primarily focused on improving antiquated hardware and software as well as protecting intellectual property and the manufacturing machines. He is a passionate hacker who is focused on innovation.

Are you a Janitor or a Cleaner?

Every day, corporations are faced with the increasing likelihood of attack. They spend millions on security software/tools/training/hardware, only to neuter it at the behest of other “business” units. The idea is that losing one customer because of a false positive is enough justification to put the entire customer base at risk. This talk will debunk that myth, as well as show what makes our attackers so nimble (they don’t have to play by the rules). On the flip side: how are you handling the breach? What are you doing with your attack data? Are you just mopping up the mess, or are you armed with the tools to thoroughly “clean” your enemy? This talk is a double shot of real-life experiences handling an active attack and cleaning up after a breach. It is a primer on new approaches to antiquated techniques and will ultimately shine some light on what makes the attacker so nimble, and on ways to up your incident response game. Are you a janitor? Or are you a cleaner?

John “geekspeed” Stauffacher
John Stauffacher (@g33kspeed) is a Senior Security Consultant with the Accuvant Labs Technology Services team where he performs perimeter, network and application security defense projects for clients. As part of the Technology Services team, John’s core function is to provide expert level consultation to clients as well as deliver training and knowledge enrichment. John has held high level technical certifications with major security vendors and is considered an expert in the field of perimeter security. John has also been a lead contributor to open source security projects, as well as an active speaker at conferences and author of a number of titles on the topic of network and perimeter security. John has carried an active CISSP certification since 2004.

Matthew “mattrix” Hoy
Matthew Hoy (@mattrix_) is a Senior Security Consultant with the Accuvant Labs Technology Services team. Matthew has worked in the Information Security world for over 15 years in various Information Security roles, from Security Analyst, Architect, Incident Response and Consultant to Management. Matt currently holds CISSP and SANS GCIH certifications. Matt has recently presented at Seattle Toorcon.

Most attendees would probably recognize mattrix better in a staff shirt of some kind, either for Toorcon or as a Red Shirt Goon at Defcon.

Matthew’s hobbies include off-roading, shooting sports, fishing, hunting and technology, when he has time.

Mask Your Checksums – The Gorry Details

When publicly submitting packet data, it is common wisdom to mask things such as your IP addresses. It is also advised that you mask your checksums; why? This talk attempts to beat this dead horse to the ground, with demonstrations and an open-source tool release.

Eric (XlogicX) Davisson
Eric has degrees ranging across fields like criminal justice, engineering, and business (from Associate’s to Master’s). He has a security analyst day job and owns the phx2600.org domain. Eric is interested in obscure languages like whitespace, brainf**k, and non-x86 assembly. He’s presented at Hackers on Planet Earth 9 (Explosive Steganography), CactusCon (Doing it Wrong with Scalpel), and BSidesPHX. He is currently doing dumb stuff with TCP/IP.

Death by Numbers: Scalable Mobile Malware Heuristics

In today’s world of smartphone ubiquity, mobile malware is an increasingly prevalent (and difficult to mitigate) threat. One problem area for contemporary malware analysts is determining which apps legitimately need the permissions they request, and which have nefarious motivations. This presentation introduces a novel approach to mobile malware analysis at scale: human sentiment analysis. Leveraging online crowdsourcing platforms, analysts can programmatically determine which apps “feel” most suspicious, a huge time saver in a field with millions of apps to assess.

David Shaw
David Shaw has extensive experience in many aspects of information security. After working in the trenches of perimeter analysis, David joined an External Threat Assessment Team as a Security Researcher, working closely with large financial institutions to mitigate external risk and combat phishing attacks. David is currently the Senior Director of Engineering at Redspin, specializing in External and Application security assessments and managing a team of highly skilled engineers.

Applications of Artificial Intelligence in Ad-Hoc Static Code Analysis

During a recent engagement, I was faced with *reviewing* 2.6 million lines of C#/ASP.NET code. After several hours of line-by-line, file-by-file review, I decided to write a script to look for problems. It became apparent that the script needed a little more intelligence, so I found myself applying methods from AI to tracing through source code. The end result is a static code analysis tool, aptly named scat, that does a parallel analysis of C# using state space search algorithms.

Also, I like cats :)

Ashaman
I work as a Sr. Security Engineer at Security Innovation, based out of Seattle. I have a Masters in Software Engineering and an undergrad in computer science. Before joining SI, I worked at Microsoft, Disney, Harris, and Symantec (formerly Veritas) hacking code.