  1. Win32 local exploits through the 'shatter attack' method - Brett Moore
  2. The Art of Defiling: Defeating Forensic Analysis on Unix File Systems - the grugq
  3. Bluetooth Security: Toothless? - Ollie Whitehouse
  4. Security Impacts of Modern Web Development Technologies - David Jorm
  5. Win32 One-Way Shellcode - SK
  6. A Security Microcosm - Attacking/Defending Shiva, A Linux Executable Encryptor - Shaun Clowes
  7. ELF: A fairy tale for viruses - Daniel Hodson
  8. High Tech Crime Investigations in Australia - Brian Diplock
  9. Reverse Engineering for Malware Analysis - Peter Taylor
  10. Advances in real-time network vulnerability analysis - David Meltzer
  11. Reversing and Exploiting Win32 Binaries - Jaguar
  12. Stopping Stack Smashing Attacks - Paul Ducklin
  13. Logging, Logic Bombs and Litigants: IT Security Law for non-lawyers - Andre Stein
  14. Social Engineering - The gentle art of having the good guys help you commit evil - Daniel Lewkovitz
  15. RUXCON Panel Discussion

Presentation Details

Details of the presentations at RUXCON 2004 are available below. Presentation material (slides, etc.) is available in the Archive section of the site.

Win32 local exploits through the 'shatter attack' method - Brett Moore

The Windows GDI interface uses messages to pass input and events to windows. As there is currently no way of determining who the sender of a message was, it is possible for a low-privileged application to interact with a process of higher privilege through these messages.

This presentation will cover in detail some of the flaws exposed through this information sharing method, and demonstrate how it can be exploited to conduct privilege escalation attacks.

Bio:
Brett Moore leads the security research and network intrusion teams at security-assessment.com. He has been credited with the discovery of multiple security vulnerabilities in both private and public software vendors' products including Microsoft web products.

Last year Brett released a paper titled 'Shattering By Example'; this presentation will cover details of that paper and the research he has done since then.

The Art of Defiling: Defeating Forensic Analysis on Unix File Systems - the grugq

The rise in prominence of incident response and digital forensic analysis has prompted a reaction from the underground community. Increasingly, attacks against forensic tools and methodologies are being used in the wild to hamper investigations. This talk will familiarize the audience with Unix file system structures, examine the forensic tools commonly used, and explore the theories behind file system anti-forensic attacks. In addition, several implementations of new anti-forensic techniques will be released during the talk.

Anti-forensics has cost the speaker one job. This material has never been presented in the North American continent because anti-forensics scares the feds. Find out why.

Bio:
The grugq has been researching anti-forensics for almost 5 years. Grugq has worked to secure the networks and hosts of global corporations, and he's also worked for security consulting companies. His work as a security consultant was cut short by the publication of an article on anti-forensics. Currently, he slaves for a start-up, designing and writing IPS software.

Grugq has presented to the UK's largest forensic practitioner group, where he scared the police. In his spare time, grugq likes to drink and rant.

Bluetooth Security: Toothless? - Ollie Whitehouse

The paper titled 'Bluetooth Security: Toothless?' will move on from the WarNibbling whitepaper released by @stake last year. The paper will discuss some of the advances which have been made by @stake, as well as reviewing the issues which @stake have encountered when dealing with vendors.

Bio:
Ollie Whitehouse is a Director of Security Architecture for Atstake Limited in the United Kingdom and Australia. Within @stake Ollie heads up its Wireless Center of Excellence. The remit of the CoE is anything to do with wireless; this includes PDAs, Bluetooth, WiFi, cellular and other RF technologies, and the applications that use or run over these technologies.

Security Impacts of Modern Web Development Technologies - David Jorm

David will discuss modern web development techniques, tools and technologies, and the security impacts these have on the web applications built using them. He will cover how the next generation of web applications is being built using libraries and platforms which abstract away the underlying mechanisms at play, leaving developers ignorant of security concerns which should be evident. This will be illustrated by walking through the RAD development of a real ASP.NET web application. Security concerns will be revealed at each step of the development, followed by an explanation of how these concerns were (or should be) mitigated and a sample exploitation.

Bio:
David Jorm has been a professional web applications developer for the last 5 years, working on various commercial and government projects. His specific interest is in web applications security. He has written about PHP for the PHP project and various commercial publications. He currently works writing ASP.NET web applications for a sinister corporation and is studying computer science and environmental science.

Win32 One-Way Shellcode - SK

The presentation will describe the inner workings of reusable Win32 shellcode. It will start with an explanation of fundamental techniques for making shellcode relocatable and service-pack independent. It will also cover the processes involved in constructing and testing shellcode, which most buffer overflow tutorials leave out. A few simple but handy tools will be introduced along the way. Then the limitations of existing shellcode will be discussed, leading to the development of one-way shellcode that overcomes those limitations. The talk will also describe a technique to upload or download a file from the command line. Throughout the presentation, various real exploits using different shellcode will be demonstrated.

Bio:
S.K. Chong is Co-Founder and Security Consultant for SCAN Associates, a Malaysian-based consulting and security services company. SK has written several white papers documenting his research on SQL injection, buffer overflows and shellcode development. He also enjoys playing Capture the Flag games and has previously won some gadgets at HackInTheBox2002 (Malaysia) and BlackhatAsia2003 (Singapore).

A Security Microcosm - Attacking/Defending Shiva, A Linux Executable Encryptor - Shaun Clowes

Shiva is an ELF encryption tool written by Neel Mehta and Shaun Clowes. Its purpose is to "encrypt" (or obfuscate) generic ELF executables (Linux programs) to make them more difficult to reverse engineer or modify. While executable encryptors have existed for a long time on Windows, they are an immature technology on Unix platforms. Shiva is an attempt to advance the field, and an interesting experiment in the dynamics of security.

This speech will describe Shiva, what it is and how it works. It will also cover the security implications of technologies like Shiva, both positive (i.e. assisting defenders) and negative (i.e. assisting attackers).

Shiva has had three public releases at this stage, the most recent at Black Hat Asia 2003. Since its initial release in November 2002 we are aware of at least three successful generic attacks against it. In this way Shiva is a microcosm of security technologies in general: it is a protection technology like any other (e.g. a firewall), but it works in the most exposed of all environments (an uncontrolled machine) and on a small scale. Thus Shiva is much simpler to attack, and much harder to defend, than many other technologies. Effectively it is a standard security arms race, but one that escalates much more rapidly. Shiva's attack/defence timeline and history is interesting from this (and a technical) perspective, so the speech will also cover this evolution.

Bio:
Shaun Clowes is a techie with an interest in practically anything that is close to the operating-system metal, including security. Shaun has spoken widely on security issues and written down a thought or two along the way. He has never spoken at a conference with its own YoYo comp before, though.

ELF: A fairy tale for viruses - Daniel Hodson

This presentation looks at the way the ELF format can be manipulated to host foreign code, more specifically code that has virus attributes such as polymorphism and metamorphism. Necessary ELF structures such as the ELF header, program header, and section header are discussed, as well as infection techniques such as page padding infection, PLT redirection, and runtime injection.

From this we will look at the way anti-virus companies combat viruses using static and algorithmic signatures, and the reasons why such techniques were developed.

Bio:
Daniel Hodson is a young TAFE student and computer enthusiast, currently studying a Diploma in Information Technology (Network Engineering). Thus far he has graduated with a Certificate II in Information Technology and a Certificate II in Interactive Multimedia, hopefully obtaining his MCP by the end of July this year.

Daniel has been interested in computers for 4 years. Over this period, he has done research in the field of computer security, specifically in exploit development and programming (security applications). Daniel recently won best security writer of the month for infosecwriters.com (January 2004) and held online lectures to encourage active participation among fellow peers in computer security.

High Tech Crime Investigations in Australia - Brian Diplock

Talk description is not available.

Bio:
Brian Diplock is currently Team Leader, Investigations, of the Australian High Tech Crime Centre's ICT Enabled Crime Team. Brian has been a member of the AFP for 13 years, and during this time he has worked in a variety of areas including General Duties Policing, Communications, Bomb Squad, and National Investigations. Brian has been involved in high tech crime investigation since 2001 and during that time has focused on matters such as computer intrusion, denial of service attacks and malicious code.

Brian holds a Bachelor of Technology from the University of Central Queensland, along with a Masters of Science (Information Technology) and a Masters in Electrical Engineering Science, both from the University of New South Wales.

Reverse Engineering for Malware Analysis - Peter Taylor

When it comes to decompiling and understanding a piece of malicious software such as a virus, worm or Trojan, time is generally of the essence. The aim of malware analysis is to rapidly isolate, identify, and document the major functional blocks so that detection identities and descriptions can be made available before the malware reaches epidemic proportions.

Because of this time constraint, typical reverse-engineering techniques need to be adapted to zero in on those fragments of code which are deemed "malicious", without detailed analysis of supporting functions.

These adapted techniques are described and demonstrated by analysing a selected malicious binary.

Bio:
Peter has been coding in assembler and reverse-engineering software for about ten years, at first as a hobby and more recently as a career. He has recently made the move from low-level driver development to join a team of virus analysts at a leading anti-virus company. There he puts his reverse engineering knowledge to use dissecting malicious samples and helping develop tools and techniques for such analysis.

Advances in real-time network vulnerability analysis - David Meltzer

Network intrusion detection has always provided real-time 24x7 monitoring to discover malicious activity crossing a network. In contrast, the tools available to detect dangerous changes to the network and its assets themselves, namely the introduction of new vulnerabilities, have offered only a periodic, resource-intensive auditing process. This technology gap leaves networks vulnerable for minutes, hours, days, or weeks waiting to be exploited, while the first warning most people get is when the break-in happens.

This presentation will discuss the recent advances made in providing real-time network vulnerability analysis. It will survey the new tools released over the last year that contribute towards this goal, and discuss a taxonomy of the approaches that have previously been and are currently being explored to provide this information, along with the relative strengths and shortcomings of each.

Having provided background on the various approaches and the current state of the art, the presentation will then present a unique approach to real-time vulnerability analysis that advances the art by combining the ideas of traditional vulnerability auditing tools with more recent techniques in passive vulnerability monitoring, to provide the most comprehensive real-time vulnerability analysis capability to date. These new advances will be demonstrated at the presentation on simulated networks.

Bio:
David Meltzer is founder and CTO of Intrusec, Inc., a network security software company founded in early 2002. He has over a decade of network security research and software development experience, and is a respected vulnerability researcher credited with the discovery of numerous vulnerabilities. David was a founder of Internet Security Systems' X-Force security research group, and was an original author and lead developer of ISS' RealSecure network intrusion detection system, as well as author of a host-based IDS and a major contributor to host and network vulnerability analysis products. While obtaining his B.S. in Computer Science from Carnegie Mellon University, David also held such positions as Editor of Phrack and organizer of SummerCon. This will be Dave's first time in Australia!

Reversing and Exploiting Win32 Binaries - Jaguar

This presentation will cover a few unique Win32 exploitation examples. In-depth exploitation methods for a popular cross-platform network-services package will be presented, and significant differences between this and generic Win32 exploits will be discussed.

Bio:
Jaguar works as a security research engineer at British Telecom. He audits source code for potential vulnerabilities and has also been involved in reverse engineering commercial closed-source applications. Jaguar is also a member of the Debian Linux security audit project, which proactively audits packages in the Debian Linux distribution to spot security flaws.

Stopping Stack Smashing Attacks - Paul Ducklin

This paper reviews a range of techniques we can use to write safer code, and to run it more safely, in order to reduce our vulnerability to stack-smashing attacks, which sadly remain as effective today (e.g. Blaster, Sasser) as they were 15 years ago (e.g. the Morris Worm).

Bio:
Paul Ducklin
Head of Technology, Asia Pacific
Sophos Pty Ltd, Sydney

Paul Ducklin is a long-standing member of the anti-virus community, initially at the Council for Scientific Research (CSIR) in South Africa and, since 1995, at Sophos in the UK and in Australia. Paul is a computer scientist (or, more accurately, has a piece of stiff paper which makes that claim on his behalf) and heads up Sophos's technical teams in Sydney. But he once spent time pretending to work in marketing following a mix-up over desks.

His main interests outside anti-virus and anti-spam research include driving around in cars which other people think are rubbish, and going on and on about how much better FreeBSD is than Linux.

Paul has a Swimming Proficiency Badge (25 yards).

Logging, Logic Bombs and Litigants: IT Security Law for non-lawyers - Andre Stein

Topics covered:

Bio:
Andre Stein is a Sydney-based lawyer specialising in IT and Telecommunications Security Law. He has served as a Security Policy Adviser to the former Australian Federal Communications Minister, Richard Alston. Prior to this, Andre was a Visiting Fellow at the Heritage Foundation, a Washington DC think-tank. Andre's articles have appeared in a number of publications including the Australian Financial Review and The Australian newspapers. He is the co-editor of the Australian Chapter of "World Online Business Law" (Oceana Publications, New York) and authored the section on Australian Computer and Data Security Law.

Social Engineering - The gentle art of having the good guys help you commit evil - Daniel Lewkovitz

Social engineering is an area of security that is all too frequently tossed into the 'too hard' basket. Security engineers argue there's not a lot that can be done to prevent the psychological manipulation of their staff, so they concentrate instead on patching servers and buying new firewalls, while their information assets literally walk out the door. This threat is one which cannot be ignored.

This presentation will illustrate effective real-world countermeasures to social-engineering-based attacks, including a practical demonstration of such an attack via telephone and a discussion of how it could be prevented.

Bio:
Coming originally from a background in physical protection and threat analysis, with technical savvy, Daniel Lewkovitz spends his time closing holes in both the online world and the real one. He has performed end-to-end security reviews and consultancy engagements for security-conscious organisations in the private, public, health, financial and government sectors. These have variously included banks, major utilities, critical infrastructure and law-enforcement agencies.

Daniel is licensed to perform certification audits against AS/NZS 7799 (Information Security Management) and is a licensed NSW Security Industry Operative and Qualified Security Trainer. Daniel has authored several papers and articles, which have been published in industry journals, and occasionally edits an Infosec column in Security Oz Magazine, where he punctuates reviews of batons, firearms and crowd-control technology with commentary on technical security matters.

He holds a Master's Degree in Information Technology and Communication from the University of Wollongong, is an Associate of the Australian Computer Society and a Certified Information Systems Security Professional (CISSP).

RUXCON Panel Discussion

Information on the RUXCON Panel is available in the Social Activities section of the website.