Lockdown 2009

Presentations

Lockdown Welcome (Ron Kraemer)

PowerPoint Slides

Shadowserver (Richard Perlotto)

The Shadowserver Foundation is a Non-Profit Organization that gathers and disseminates information on malicious activity and behavior to appropriate parties and network owners. This presentation will be about the processes and methodology of what Shadowserver is and how they gather and process the information. We will also review several of the summarizations and results that we have brought together.

Defenders of the Cyber World (James Foster)

To the cyber terrorists that aim to damage the United States of America, you know who you are, united we stand. We, the people, will develop wicked security tools, build rock solid software security products and continue to drive innovation while in great recession. We will laugh, not cry. Come and join us…you will learn, not buy. Some technical stuff, not boring. International cyber attack techniques will be covered without hesitation. Cyber defense tools and strategies will be discussed with financial limitation... in mind. Again more technical stuff, not mind-numbing. And oh, by the way… I’ll show you how to h*ck the web, worldwide, via a tool that will be available for download after the session (for educational and ethical purposes only of course). See you at Lockdown 2009! - James C. Foster (www.Ciphent.com)

Application Security: For Hackers and Developers (Jared DeMott)

There are four technical skills required by security researchers, software quality assurance engineers, or developers concerned about security: source code auditing, fuzzing, reverse engineering, and exploitation. C/C++ code has been plagued by security errors resulting from memory corruption for a long time. Problematic code is discussed and searched for. Web auditing is covered using WebGoat. Fuzzing is a topic that book author DeMott knows well. Mutation file fuzzing and framework definition construction (Sulley and Peach) are just some of the dynamic testing topics. When it comes to reversing C/C++ (Java and others are briefly discussed), IDA Pro is the tool of choice. Usage of this tool is covered. Bug categories and exploitation technique discussions are the final component. We'll consider exploiting BSD local programs to Vista browsers using the very latest techniques.

PowerPoint Slides

Blinded by Flash: Widespread Security Risks Flash Developers Don't See (Prajakta Jagdale)

In a rush to adopt the dazzling Flash technology, website developers tend to use quick and dirty hacks to get their applications to work and in the process sidestep any security features provided by the technology. What are these security measures? Why are these measures ignored and in what manner? What security threats arise from such a disregard of the security model? And how many Flash applications in the wild are vulnerable to such threats? What are the means to hide malicious code within Flash applications? All these questions will be answered in this presentation with the help of Flash applications encountered in the wild. These applications are examples of insecure development practices and they demonstrate the ease with which the Flash security model can be compromised. And as an answer to the all-important question of how to analyze Flash applications to find vulnerabilities, I will demonstrate a tool designed to perform Security Analysis of Flash applications. The tool decompiles SWF files and detects and reports vulnerabilities in Flash applications and can be used against all Flash versions.

PowerPoint Slides

Finding IRC-like Meshes Sans Layer 7 Payloads (Akshay Dua)

In recent years, the Internet has seen a new kind of threat - the botnet - a network of compromised machines (bots) participating in malicious activities like Distributed Denial of Service (DDoS) attacks, email spam and identity theft. These compromised machines are usually controlled remotely by a bot commander via the Internet Relay Chat (IRC) protocol.

As a result, there has been recent interest in detecting IRC-based botnets. Most existing solutions use packet inspection techniques to detect botnets. However, the drawbacks are that previously unknown botnets and those that use encrypted communications will escape detection. We therefore present a method to identify IRC-based botnets without using any application layer information.

PDF

Ten Things Your Web Developers are Still Doing Wrong (Frank Kim)

Increasingly, computer attackers are exploiting flaws in web applications, exposing enterprises to significant threats, including Personally Identifiable Information breaches and uploads of malware onto vulnerable corporate websites for distribution to customer browsers. Many of these web application vulnerabilities are a direct result of improper input validation and output encoding, which leads to numerous kinds of attacks, including Cross-Site Scripting (XSS), SQL Injection, command injection, and others. This session describes some of the best defenses against such attacks, which every web application developer should master.

PowerPoint Slides

IPv6 Vulnerabilities (Joe Klein)

During the early stages of new technology implementation there exists a period of time when there is little critical review of the potential security risks. Historically, this period has given adversaries a method of obtaining access to sensitive data, be it WIFI, USB keys, Web 2.0 and now IPv6. Many organizations implement these flashy new technologies with no processes for evaluating the risk or awareness of security controls which support secure implementation – and then it is too late.

This presentation is meant to fill that gap, providing a wake-up call to the dangers of not securely implementing IPv6. This presentation specifically addresses the most common case, which is "accidental implementation". Topics in this presentation include:

  • Why IPv6 is inevitable
  • Who should care
  • IPv6 as a defensive/offensive tool kit
  • Security challenges, attack surfaces and targets
  • History and analysis of published IPv6 vulnerabilities
  • Why our security tools are broken
  • Three attacks on "accidentally implemented" IPv6 devices
  • Recommendation on mitigation

Be warned, this is not the typical IPv6 presentation and will not include basics found in the Requests for Comment, in books or in classes. Instead, this is an analysis of what can go wrong if IPv6 is not implemented securely on your networks.

PDF

Format String Vulnerability 101 (Deral Heiland)

A comprehensive presentation on format string vulnerabilities within the Windows Intel Architecture environment. This presentation will take the audience from the basics of discovering format string vulnerabilities, through to the development and execution of exploit code. Using various debugging tools and exploit methods, we will show how format strings can be leveraged to trigger various exceptions and gain control of the flow of execution within a vulnerable application. This presentation will include multiple live demonstrations.

PowerPoint Slides

Secure Application Coding Guidelines (Dave Russell)

This presentation will discuss the design of application security guidelines, and how UW-Madison is hoping to employ them to provide a foundation for secure coding practices. We will talk about how the best practices were developed, their significance in the software development lifecycle, and how they can be realistically applied. To spice things up a bit, a few examples of why secure coding practices are important will be included, illustrating some of the more interesting secure coding mistakes that Dave has seen over the years.

PowerPoint Slides

Security Tools - Hands On (BadgIRT Volunteers; David DeCoster, James Leinweber, Steve Barnet and Jeff Savoy)

**Important Note**

This is a hands-on session and will require the participants to bring a laptop. At minimum, the laptop will need 512 MB RAM, 15G of free hard drive space and be capable of running a current version of VMware. Participants can obtain the software from here.

This is a double session hosted by the BadgIRT Volunteers that will provide an introduction to some widely used security tools. Each tool will be reviewed and the participants will be given time to work through exercises. The planned tools include A) using Unix security controls with IPv6, B) ModSecurity, C) Microsoft Security Configuration Wizard and D) URL Scan.

URLSCAN PowerPoint Slides

URLSCAN Exercise - Microsoft Word

Security Configuration Wizard PowerPoint Slides

IPv6 R&D at the WSLH PowerPoint Slides

IPv6 Tools - Microsoft Word

Lockdown Hands on ModSecurity Exercises - Microsoft Word

VirtualBox PowerPoint Slides

Rendezvous-based Network Traffic Analysis (David Plonka)

The ability to classify and understand Internet traffic and host behavior has important implications in network operations and security. This talk will introduce a novel method for analysis based on "rendezvous", i.e., the method by which hosts present themselves to each other so that they can determine remote IP addresses of servers and peers with which they might subsequently communicate. Analysis utilizing the Domain Name System (DNS), the most widely used rendezvous service, will show how rendezvous-based methods offer significant improvements over prior techniques.

PDF