2005 Presentations

  1. Breaking Mac OSX - Ilja Van Sprundel & Neil Archibald
  2. Binary protection schemes - Andrew Griffiths
  3. Using OWASP Guide 2.0 for Deep Penetration Testing - Andrew van der Stock
  4. Black Box Web Application Penetration Testing - David Jorm
  5. Long Filename, Long Parameter, Malformed Data. Another Day, Another Vulnerability. Same Bug, Different App. - Brett Moore
  6. Computer Forensics: Practice and Procedure - Adam Daniel
  7. Poker Paranoia - Sean Burford
  8. Moving towards the Artificial Hacker - Ashley Fox
  9. Attack automation - Roelof Temmingh
  10. Electronic Evidence - a Law Enforcement Perspective - Jason Beckett
  11. Beyond NX: An attackers guide to anti-exploitation technology for Windows - Ben Nagy
  12. Crypto Rodeo - Amy Beth Corman
  13. Trust Transience: Post Intrusion SSH Hijacking - Metlstorm
  14. To be announced - Mark Dowd
  15. Attacking WiFi with traffic injection - Cedric "Sid" Blancher
  16. Securing Modern Web Applications - Nik Cubrilovic
  17. Malware Analysis - Nicolas Brulez
  18. Deaf, Dumb and Mute: Defeating Network Intrusion Detection Systems (NIDS) - Christian Heinrich


Presentation Details

This is the finalised list of presentations for RUXCON 2005

Breaking Mac OSX - Ilja Van Sprundel & Neil Archibald

This talk begins with an introduction to the PPC architecture. It then launches into various exploitation techniques in kernel and user space, showing examples (with source code for each). These range from stack and heap exploits to format string bugs and kernel races. The talk expects the audience to have a fairly good understanding of the C programming language, along with basic operating system and kernel knowledge.

Bio:

Neil Archibald is a security professional from Sydney Australia. He has a strong interest in programming and security research. Neil is employed by Suresec LTD as a Senior Security Researcher. He has coauthored two books published by Syngress - "Aggressive Network Self Defense" and "Nessus, Snort & Ethereal Power Tools".

Ilja van Sprundel is an employee of Suresec Ltd. and has a passion for somewhat offensive computer security. Among other things he has previously implemented a secure credit card transaction solution. Ilja also attended the RWTH-Aachen summer school of applied I.T. security, where he learned a great deal about offensive and defensive security mechanisms. He is also the winner of the 21c3 stacksmashing contest and a member of the Netric security research group.


Binary protection schemes - Andrew Griffiths

The presentation will cover various issues regarding:

This presentation will mainly focus on the Linux operating system, however, the ideas presented are applicable for other operating systems as well. The presentation is aimed to give a general high level overview with some examples to demonstrate the case in point.


Bio:
Andrew Griffiths (aka andrewg) has presented at RUXCON 2003 about Format string and Heap exploits. Additionally, he has been a staff member since the start of RUXCON. In his spare time he runs / codes levels for various PullThePlug resources such as vortex.labs.pulltheplug.org and catalyst.labs.pulltheplug.org.


Using OWASP Guide 2.0 for Deep Penetration Testing - Andrew van der Stock
Many pen testers rely heavily on automated tools as their only method of finding flaws. With over 200 controls, OWASP Guide 2.0 significantly raises the bar for penetration testing. Andrew looks at how to use the OWASP Guide 2.0 for deep penetration testing, including "new" techniques such as modern injection attacks, CSRF and session fixation attacks.

Bio:
Andrew van der Stock, one of Australia's leading webappsec researchers, is among the many contributors to the Open Web Application Security Project (OWASP), and is currently leading the OWASP Guide project. The Guide 2.0 will be released at BlackHat 2005 in Las Vegas, where Andrew is announcing the first new version of the Guide in three years.

Andrew has presented at many conferences, including BlackHat USA, linux.conf.au, SAGE-AU, and AusCERT. He helps with the OWASP Melbourne chapter, started the OWASP Sydney chapter (need fresh victims^W organizers), is the moderator of webappsec@securityfocus.com, and looks after UltimaBB, a secure forum as well as the system administration of Aussieveedubbers, one of Australia's largest and busiest forums with over 3000 members. Andrew is an ex-President of SAGE-AU, the System Administrator's Guild of Australia.

In his copious spare time, he spends time with his cats, cars and food, not necessarily in that order.


Black box web application penetration testing - David Jorm
David will present a sample web application written in C#/ASP.NET, then methodically pen test it for common holes using black box methods, without access to the source code or the server running the application. As bugs are uncovered the various ways an attacker may exploit them will be explored, so as to move beyond the academic exercise of finding a vulnerability and consider the potential impacts it could have. The sample app and its bugs will be of a simple nature, so this presentation should be quite accessible to everyone with a working knowledge of web technologies.

Bio:
David Jorm has been a professional web applications developer for the last 6 years, working on various commercial and government projects. His specific interest is in web applications security. He has worked with a wide range of tools and platforms handling support, systems administration, development, systems analysis, project management and security. He is currently the software architect for a federal government department and is studying environmental science and computer science.


Long filename, long parameter, malformed data. Another day, another vulnerability. Same Bug, Different App. - Brett Moore
During this presentation Brett will discuss some trends with vulnerabilities that researchers should realise in the relationships between reported vulnerabilities that could be used to help speed up the discovery of new vulnerabilities.

He will discuss testing methods, some important things to remember when testing, and some weaknesses with testing methods.

The presentation will include the methodology used that led to the discovery of vulnerabilities such as fp30reg.dll overflow, nsiislog.dll overflow, excel.exe file overflow, hyperTerminal file and parameter vulnerability, secureCRT parameter vulnerability and the winamp long filename overflow.

Bio:
Brett Moore leads the security research and network intrusion teams at security-assessment.com. He has been credited with the discovery of multiple security vulnerabilities in both private and public software vendors' products including Microsoft web products. Brett has conducted research and published whitepapers and other documents about previously unpublished vulnerabilities and exploitation methods.


Computer Forensics: Practice and Procedure - Adam Daniel
Computer evidence is extremely volatile and the simplest of errors can contaminate findings and render important evidence inadmissible. This talk is an in-depth look into modern computer forensics and the various procedures and techniques used as well as covering some of the pitfalls that can arise when presenting computer evidence in a court of law.

Bio:
Adam has over 12 years of experience in the IT industry, specialising in data conversion, data recovery and reconstruction, and computer forensics. He has worked on and given evidence for cases at all levels of both State and Federal courts, as well as providing technical expertise for several major investigations for organisations such as the ACCC.


Poker Paranoia - Sean Burford
If I were to write a movie, it would be about online poker. Online poker has all of the necessary components: cheating, billions of dollars, the potential for organised crime, a technological race and honour amongst thieves.

The famous mathematician John von Neumann was interested in the mathematics of poker play, mentioning it in his studies of game theory. Some of his work has been used to develop computer algorithms for computer poker play.

Others argue that computers will never be as good as people at playing poker, due to the subtleties of the interactions between players. Poker is not a simple game of logic, but a complex conversation between the players.

This talk explores the concepts of computer poker play and computer assisted poker cheating. The theory of computer poker play, along with the technological race between those who would cheat at online poker and those who want to guarantee a fair game is covered.

Bio:
Sean Burford has worn many hats: C/C++ developer, systems administrator and occasional security advisor. He loves to mix and match tools from these disciplines to create better ways to understand software, bugs and all.

Holding a Bachelor of Computer and Information Science from the University of South Australia, Sean has continued his education, gaining certifications in Linux Administration (LPI) and Solaris 9 Systems Administration (SCSA), and is a Sun Certified Network Administrator.


Moving towards the artificial hacker - Ashley Fox
Artificial Intelligence and the associated machine learning techniques have been discussed in the literature for over 50 years. AI research involves producing software and machines to perform human tasks that require some degree of exhibited rational "intelligent" behaviour.

This talk will focus on some varying artificial intelligence concepts and their applications within the modern security professional's arsenal, past, present and perhaps future. This talk will also address the implications of AI enabled malicious code that we may see in the future.

Bio:
Ashley Fox is currently studying as a 3rd year Computing student in Victoria, Australia. He has a strong interest in computer science and security research. Ashley has been involved in RUXCON since its first year in 2003. Any donations made during his talk will go to renting space on Andrew Griffiths' lounge room floor for the duration of the conference.


Attack automation - Roelof Temmingh
How far can automation be taken? How much intelligence can be embodied in code? How generic can automated IT security assessment tools really be? This presentation will attempt to show which areas of attacks lend themselves to automation and which aspects should best be left for manual human inspection and analysis.

SensePost will give the audience a glimpse of BiDiBLAH, an attempt to automate a focused yet comprehensive assessment. The tool provides automation for:


Bio:
Roelof Temmingh heads up SensePost's innovation centre and is a founding member of the company. He has presented at various international conferences including RSA, FIRST, BlackHat and Defcon, and has contributed to several books, including How to Own a Continent, Aggressive Network Self-Defense, Special Ops and Nessus Network Auditing. He is the author of Wikto, BiDiBLAH and Crowbar. Roelof enjoys drinking tea and smoking Camels.


Electronic Evidence - a Law Enforcement Perspective - Jason Beckett
The field of electronic evidence, or forensic computing, is growing at an exponential rate, and there has been no regulation of the industry. This talk will look at some of the issues facing forensic examiners now and in the future. The presentation will look at areas such as tool validation, industry accreditation and the need for such requirements, through examples and case studies.

Bio:
Jason Beckett is the Director of Electronic Evidence for the New South Wales Police. He spent 14 years as a Police Officer in the areas of Intelligence, forensic science (Forensic Document Examination) and Electronic Evidence. In 2002 he left the Police to take up a position as director of forensics for a multinational accounting firm, before being lured back to the NSW Police as Director of Electronic Evidence, where he established Australia's largest and most advanced forensic computing facility.

Jason has been involved in forensic computing for more than a decade and has trained nationally and internationally in data analysis, reverse engineering, data recovery, computer forensics and incident response, including training from a number of US law enforcement agencies with three letters and other US and Canadian government agencies. He has developed extensive training courses in electronic evidence, data recovery, and reverse engineering. He has also developed numerous software tools to automate many of these processes.


Beyond NX: An attackers guide to anti-exploitation technology for Windows - Ben Nagy
In an effort to complicate the exploitation of memory corruption vulnerabilities, Microsoft have introduced several new technologies in Windows XP SP2 and Windows 2003. Support for NX (No eXecute) memory is the most often discussed, but is also the least used because of the hardware support required. However, new technology has also been added to protect the stack and the heap, to improve exception handling, and to complicate exploitation by removing or randomising some interesting pointers at fixed memory addresses.

Although groundbreaking research work exists on attacking the individual technologies, such as SafeSEH, /GS stack protection, heap cookies and NX itself, it is very difficult to obtain a unified view of how the technologies work together against real world attacks. If you're comfortable with stacks and heaps and have a passing familiarity with x86 assembler and CPU architecture, then join us as we attempt to clarify the operation of all the new protection features, alone and in combination, and then see what attacks remain viable.


Bio:
Ben Nagy was born in Australia but has spent the last several years working with eEye Digital Security in Switzerland and Thailand. With a strong background in most areas of network security and several sets of pretty letters, he has been particularly interested in firewalls, crypto, and software vulnerability research. Ben loves rambling on about security and has presented at several conferences in Europe and Asia, as well as hosting eEye's monthly Vulnerability Expert Forum.


Crypto Rodeo - Amy Beth Corman
This talk is a round-up of some interesting current events in the field of cryptography. It covers four topics which may impact non-cryptographers:

Bio:
Amy Corman is a PhD candidate at the University of Melbourne working on cryptographic network protocols. She was previously a security systems administrator for 4 years and has a Masters of Information Security from RMIT.

She is also one of the primary organisers of SecureCon, a free computer security conference held in Melbourne each February.


Trust Transience: Post Intrusion SSH Hijacking - Metlstorm
Trust Transience: Post Intrusion SSH Hijacking explores the issues of transient trust relationships between hosts, and how to exploit them. Applying techniques from anti-forensics, Linux VXers, and some good-ole-fashioned blackhat creativity, a concrete example is presented in the form of a post-intrusion transparent SSH connection hijacker. The presentation covers the theory, a real world demonstration, the implementation of the SSH Hijacker with special reference to defeating forensic analysis, and everything you'll need to go home and hijack yourself some action.

Bio:
Metlstorm is a deathmetal-listening Linux hippy from New Zealand. When not furiously playing air-guitar, he works for Linux integrator and managed security vendor Asterisk in Auckland, New Zealand. Previous work has placed him in ISP security, network engineering, Linux systems programming, corporate whore security consultancy and a brief stint at the helm of a mighty installation of Solaris tar. Amongst his preoccupations at the moment are the New Zealand Supercomputer Centre, wardriving GPS visualisation software that works in the southern hemisphere, and spreading Debian and Python bigotry. Oh, and Metl's band 'Orafist' needs a drummer - must have own kit and transport to New Zealand.


To be announced - Mark Dowd
Presentation description not available.

Bio:
Mark Dowd has been part of the ISS X-Force research and development team for the past 5 years. In that time he has uncovered a number of vulnerabilities in major widely-used software applications. Some examples include buffer overflows in Sendmail, OpenSSH, Internet Explorer, and Windows Encryption software (a PCT protocol in the MS SSL implementation).

Prior to working at ISS, Mark was consulting and performing penetration tests for an Australian company, where he was able to develop his skills, and also uncovered a number of software vulnerabilities in several UNIX-based operating systems, including remote vulnerabilities (and proof of concept exploit code) in Linux, Solaris, *BSD, Tru64 and IRIX.

Currently, he is co-authoring a book related to software analysis and finding security vulnerabilities.


Attacking WiFi with traffic injection - Cedric "Sid" Blancher
The initial security scheme of WiFi networks is affected by numerous well known flaws. However, studies show that more than two thirds of WiFi deployments are not protected properly. Among all the reasons that could explain this statistic is the fact that attacks relying on raw 802.11 traffic injection are still widely considered theoretical by both users and vendors. As will be shown, traffic injection can dramatically boost the usual attacks against wireless networks (DoS, rogue APs, WEP cracking). More interestingly, it can also lead to effective low level attacks against open and WEP environments. Attacks on commercial hotspot captive portals will be discussed as an example. This talk aims to demonstrate the impact of traffic injection on WiFi security and to show that open and WEP networks do not provide valuable security, as opposed to the latest security recommendations (WPA/WPA2).

Bio:
Cedric has spent the last 4 years working in the network and Unix systems security field, performing audits and penetration tests. In 2004, he joined the EADS Corporate Research Center in France to carry out R&D in the network security field, including wireless links. He is an active member of the Rstack team and the French Honeynet Project, with studies on honeynet containment, honeypot farms and network traffic analysis. He has also delivered technical presentations (Eurosec, SSTIC, CanSecWest, Recon, Syscan, etc.) and articles (MISC, SSTIC, etc.) about network security. Cedric's website: http://sid.rstack.org/


Securing Modern Web Applications - Nik Cubrilovic
Web applications have moved on from the old post-form, new-page model to new-age applications that make heavy use of technologies such as XML, browser-based requests and JavaScript. Examples of such applications are Google's Gmail and Flickr.com. This presentation will be a short intro to the latest web technology topics, and will then go into detail to describe attack methods against new-age web applications and how to defend against them. The presentation will stress the importance of all developers having knowledge of secure development techniques, to prevent their web applications from being compromised. The aim of the presentation is to prepare the unwary coder or application designer before they leap into the new technologies available. As part of the presentation, new attacks against PHP web application back-ends will be covered, and a secure development model for PHP applications will be discussed. The presentation assumes some knowledge of HTML, HTTP, PHP (or any other web development language) and JavaScript.

Bio:
Nik Cubrilovic is the founder of Solutionstap Pty Ltd, a web development and consulting company with a global client base operating out of Wollongong, Australia. Nik has been developing web and desktop applications for almost 10 years and has a keen interest in security. Over the years Nik has uncovered a number of security vulnerabilities in Windows NT, IIS server, PHP, many other platforms and many web applications, including some belonging to Australia's largest institutions. Many of his exploits reached the media but were carried out anonymously using an online handle. Nik went on to make a living as a security consultant and developer prior to founding Solutionstap in 2003.


Malware Analysis - Nicolas Brulez
Coming soon

Bio:
Coming soon


Deaf, Dumb and Mute: Defeating Network Intrusion Detection Systems (NIDS) - Christian Heinrich
The "ideal" NIDS provides a unique forensic capability to wired and wireless networks.

However, its actual implementation provides an intruder with the opportunity to discover, evade, confuse and disable the NIDS in order to reduce its overall function for incident response.

Christian Heinrich will present several new attacks, with a number of supporting "real world" case studies, using an unpublished API to identify, confuse and disable a NIDS and to evade detection over a TCP/IP network.


Bio:
Christian Heinrich is Principal of Secure Agility. As a network security specialist, his initial experience with NIDS consisted of applying filters to TCPDump prior to the release of Shadow from the US Naval Surface Warfare Center. He has since evaluated, operated and managed the majority of NIDS implementations, including Snort, ISS RealSecure, Dragon, Cisco IDS and Network Flight Recorder (NFR).

Christian Heinrich has participated in a senior technical capacity for a large number of network security projects for News Corporation, Australian Security Intelligence Organisation (ASIO), Australian Federal Police (AFP) and Defence Signals Directorate (DSD).

Christian Heinrich has many network security qualifications, including Checkpoint Certified Security Engineer (CCSE), Cyberguard Firewall Security Administrator (CSFA), Lucent Security Professional, Sophos PureMessage for UNIX and SANS Firewalls, Perimeter Protection, and VPNs.

Christian Heinrich is the "Organizer" for the recently announced Australian and New Zealand Snort User Groups.

Christian Heinrich participated in the Technical Q&A of "SecCon 98" as an invited expert of the chair.