ISSW 2016

We cannot understand where we are going unless we know where we are and how we got here, this applies to road trips as well as careers and technologies.

This talk will begin with a look back at some of the people and ideas which helped to found the practice of information security to build an understanding of our past. From history to the present, the focus will then shift to a discussion of the state of information (in)security and also look at the evolving hacker culture, and close by venturing into a conversation about the future of InfoSec and hacking.

Knowing how to perform basic monitoring and analysis can go a long way in helping infosec analysts do some foundation analysis to either crush the mundane or recognize when it's time to pass the more serious attacks on to the the big boys. This presentation covers environment options for making your network monitor-able, three quick steps to triage and analyze alerts, and integrated distros that allows almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well... maybe not a "ninja" per se but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of network monitoring and analysis.

As technology matures we are seeing a trend of products that are now “smart.” The problem is that once we discover how these devices are programmed we can see the flaws but unfortunately the hardware aspect scares some people away. This talk is to show people how easy it really is to get into embedded device hacking while also expanding their knowledge outside of the x86/x86_64 space. By the end of this talk the audience will be encouraged to go out and start their journey into the embedded device world while having the tools that they need without the need of spending money unless absolutely necessary. This talk will also cover the reasoning behind purchasing products such as a logic analyzer and the bricks walls I personally went through to justify the needs.

Every day, security professionals encounter a common problem: after bringing a student or colleague up to speed on security basics, it feels like nothing stuck. Why does this happen? And how can we change up the ways we educate security to encourage better outcomes for the average user? This talk will help IT and security professionals find common ground with non-technical users. In addition to sharing people-friendly metaphors, it will give attendees a solid set of communication strategies and approaches to educate the average user about the mindset behind security to develop secure behaviors. And yes–spoiler alert–there will definitely be some Lord of the Rings involved!

This talk covers the very basics of how SQL injections work and how to exploit advanced vulnerabilities, and is divided into two parts. The first half goes over the minimum to know about SQL injections and the various techniques available to hackers to exploit them. Once they are covered and demonstrated, advanced techniques on real world applications will be demoed in the latter half. Lot’s of demos.

Android is currently the most popular operating system worldwide. Such popularity garnered increased attention from malicious actors and security researchers alike. The potential impact of widespread exploitation of over one and half billion devices is truly daunting. Several vulnerabilities in Android's Stagefright multimedia library were proven to be usable to realize this potential.

This presentation looks back at the author's time spent researching and attacking Android devices via Stagefright vulnerabilities. It covers various technical facts and interesting tidbits gleaned throughout the exploit development process. Apart from a walkthrough of two exploits, this presentation also discusses Android OS internals and summarizes the body of research published on the topic by the larger security community.

After attending this presentation, you will better understand how vulnerabilities in Android can be exploited. Joshua will show you what has been done to improve the overall security of the Android operating system and what challenges lie ahead.

We’ve taken a novel approach to automating the determination of a phisher’s geographic location. With the help of Markov chains, we craft honeypot responses to phishers’ emails in an attempt to beat them at their own game. We’ll examine the underlying concepts, implementation of the system, and reveal some of the results from our ongoing experiment.

As part of reversing win32k.sys to understand the User-Mode Callback mechanism, I found several kernel information leaks. As it turns out, there were several situations where the kernel was readily returning kernel pointers to user land. This talk will be a brief introduction into how user-mode callbacks operate, a description of the information leaks vulnerability and how prevalent they are, and then a detailed description of how to take advantage of CVE-2015-0094.

There is an undeniable intersection between computer security researchers' efforts to identify and disclose security vulnerabilities and federal law enforcement's efforts to counter emerging cyber threats and prevent cybercrime. Both engage in activities intended to eliminate cyber threats and to help secure information systems and the personal, financial, and otherwise sensitive data stored on those systems. But for some researchers, there is an abiding concern that the intersection between their work and federal law enforcement's will become a collision that may subject them to investigation or prosecution.

This talk will delve into how federal law enforcement uses Computer Fraud and Abuse Act (CFAA), provide some suggestions to computer security researchers intended to make encounters with law enforcement less likely, and discuss how some recently enacted laws -- and proposed amendments to existing laws -- benefit research. Its goal is to encourage and promote legitimate computer security research.

Using computer vision techniques (CVT) it may be possible to determine how related different binary format files (executables, binary Office formats, etc) are to others of the same format. I wish to present a set of functions, code, and sample corpus which demonstrates comparisons using CVT.

Source code auditing is a common bug finding method for both offensive and defensive security practitioners. In the security consulting game, coming up to speed quickly on a large, unfamiliar code base is paramount to successful source audits. Tracking source code coverage - which source files and functions have been audited, which still need attention, and which should be avoided - is a useful way to track source audits. This can scale out to assist teams of people in collaboration.

This talk presents a number of source auditing methods and tools. Standard techniques such as bug-clairvoyance, plaintext note taking, `grep strcpy`, and pen-to-paper will be covered. Additional tips and techniques Todd has learned along life’s journey will also be shared. He will cover more formal methods involving C language parsers, relational and graph databases, and other tools of his own divination. Finally, the talk shall present a suite of tools and techniques to apply deeper analysis to function execution, data handling, attack surface identification, and security boundary mapping.

Wait, those LibreSSL​ guys are still around? Does it work on anything other than OpenBSD yet? What's the point, everyone just uses OpenSSL anyway, right? In this talk, I'll discuss how the LibreSSL came about, how the portable version was developed, road-bumps along the way, technical and practical differences between OpenSSL forks, things that make LibreSSL special. I'll also shed some light on how things work behind the scenes in the LibreSSL development community, what it's like to be an OpenBSD committer, and how you can help.

The gap between academic development of cryptanalysis techniques and their practical application is wide. The application security community was in awe in 2010 when Duong and Rizzo were able to apply Vaudenay's 2002 padding oracle attack technique to not one but three major frameworks, ASP.NET, Ruby on Rails, and Java Server Faces. There are various tools being developed for certain applications of these attacks, but they tend to implement at most a handful of different attacks. One of the difficulties is that flawed cryptography can exist in lots of different kinds of technologies; cryptography can exist in pretty much any place normal data can! As a result, performing practical cryptographic attacks often requires writing your own custom tool. This can be beyond the scope of a pen test due to time restrictions. It may also be beyond the skill of a tester to implement a given attack.

Enter Cryptanalib: A library implementing various crypto attacks to make writing crypto attack tools easier! But how do you use it if you can't write code?

Enter FeatherDuster: A modular, wizard-like interface to make using cryptanalib as simple as possible, sometimes even requiring the user to write no code whatsoever!

This talk will discuss some common cryptographic mistakes and show how to use cryptanalib and featherduster to exploit them.