BruCON 0x05 has ended
This schedule is subject to change, check back regularly.
Registration starts at 8:30!
The workshop rooms at the Novotel are a 5-minute walk from the main venue.
Workshop seats are limited to 30 persons in the rooms Orval, Chimay & La Trappe. Seats are allocated on a first come, first served basis, so please be there on time.

Monday, September 23
 

9:00am CEST

Offensive Techniques by Russ Gideon (day 1/3)
details on http://2013.brucon.org/index.php/Training_Offensive

Speakers
Russ Gideon

Russ Gideon has many years of experience in information security fulfilling many diverse roles from being a core component of an Incident Response operation to managing an effective Red Team. Russ excels both at malware reverse engineering, which enables him to deeply understand... Read More →


Monday September 23, 2013 9:00am - 5:00pm CEST
Sint-Lucas (Monasterium) Oude Houtlei 56, Ghent

9:00am CEST

Pentesting Smart Grid and SCADA with SamuraiSTFU by Justin Searle (day 1/3)
see http://2013.brucon.org/index.php/Pentesting_Smart_Grid_and_SCADA_with_SamuraiSTFU

Speakers

Monday September 23, 2013 9:00am - 5:00pm CEST
Sint-Marcus (Monasterium) Oude Houtlei 56, Ghent
 
Tuesday, September 24
 

9:00am CEST

Hacking PDF by Didier Stevens (day 1/2)
see http://2013.brucon.org/index.php/Training_PDF

Speakers
Didier Stevens

Didier Stevens (Microsoft MVP Consumer Security, CISSP, GSSP-C, MCSD .NET, MCSE/Security, MCITP Windows Server 2008, RHCT, CCNP Security, OSWP) is an IT Security Consultant currently working at a large Belgian financial corporation. In 2012, Didier founded his own company Didier... Read More →


Tuesday September 24, 2013 9:00am - 5:00pm CEST
Huiskapel (Monasterium) Oude Houtlei 56, Ghent

9:00am CEST

Lessons in Mobile Penetration Testing by Zach Lanier (day 1/2)
see http://2013.brucon.org/index.php/Training_Mobile

Speakers

Tuesday September 24, 2013 9:00am - 5:00pm CEST
Sanctus Augustinus (Monasterium) Oude Houtlei 56, Ghent

9:00am CEST

Offensive Techniques by Russ Gideon (day 2/3)
details on http://2013.brucon.org/index.php/Training_Offensive

Speakers
Russ Gideon

Russ Gideon has many years of experience in information security fulfilling many diverse roles from being a core component of an Incident Response operation to managing an effective Red Team. Russ excels both at malware reverse engineering, which enables him to deeply understand... Read More →


Tuesday September 24, 2013 9:00am - 5:00pm CEST
Sint-Lucas (Monasterium) Oude Houtlei 56, Ghent

9:00am CEST

Pentesting Smart Grid and SCADA with SamuraiSTFU by Justin Searle (day 2/3)
see http://2013.brucon.org/index.php/Pentesting_Smart_Grid_and_SCADA_with_SamuraiSTFU

Speakers

Tuesday September 24, 2013 9:00am - 5:00pm CEST
Sint-Marcus (Monasterium) Oude Houtlei 56, Ghent

9:00am CEST

Practical Malware Analysis: Rapid Introduction by Michael Sikorski (day 1/2)
see http://2013.brucon.org/index.php/Training_Malware

Speakers
Michael Sikorski

Michael Sikorski is a well-known expert in malware analysis. He is a Technical Director at Mandiant and a member of the Mandiant Labs (M-Labs) leadership team. He leads the M-Labs malware analysis team through reverse engineering malware as a primary analyst and manages the overall... Read More →


Tuesday September 24, 2013 9:00am - 5:00pm CEST
Sanctus Erasmus (Monasterium) Oude Houtlei 56, Ghent

9:00am CEST

The Art of Exploiting Injection Flaws by Sumit Siddharth (day 1/2)
see http://2013.brucon.org/index.php/Training_Injection

Speakers

Tuesday September 24, 2013 9:00am - 5:00pm CEST
Sanctus Ireneus (Monasterium) Oude Houtlei 56, Ghent
 
Wednesday, September 25
 

9:00am CEST

Hacking PDF by Didier Stevens (day 2/2)
see http://2013.brucon.org/index.php/Training_PDF

Speakers
Didier Stevens

Didier Stevens (Microsoft MVP Consumer Security, CISSP, GSSP-C, MCSD .NET, MCSE/Security, MCITP Windows Server 2008, RHCT, CCNP Security, OSWP) is an IT Security Consultant currently working at a large Belgian financial corporation. In 2012, Didier founded his own company Didier... Read More →


Wednesday September 25, 2013 9:00am - 5:00pm CEST
Huiskapel (Monasterium) Oude Houtlei 56, Ghent

9:00am CEST

Lessons in Mobile Penetration Testing by Zach Lanier (day 2/2)
see http://2013.brucon.org/index.php/Training_Mobile

Speakers

Wednesday September 25, 2013 9:00am - 5:00pm CEST
Sanctus Augustinus (Monasterium) Oude Houtlei 56, Ghent

9:00am CEST

Offensive Techniques by Russ Gideon (day 3/3)
details on http://2013.brucon.org/index.php/Training_Offensive

Speakers
Russ Gideon

Russ Gideon has many years of experience in information security fulfilling many diverse roles from being a core component of an Incident Response operation to managing an effective Red Team. Russ excels both at malware reverse engineering, which enables him to deeply understand... Read More →


Wednesday September 25, 2013 9:00am - 5:00pm CEST
Sint-Lucas (Monasterium) Oude Houtlei 56, Ghent

9:00am CEST

Pentesting Smart Grid and SCADA with SamuraiSTFU by Justin Searle (day 3/3)
see http://2013.brucon.org/index.php/Pentesting_Smart_Grid_and_SCADA_with_SamuraiSTFU

Speakers

Wednesday September 25, 2013 9:00am - 5:00pm CEST
Sint-Marcus (Monasterium) Oude Houtlei 56, Ghent

9:00am CEST

Practical Malware Analysis: Rapid Introduction by Michael Sikorski (day 2/2)
see http://2013.brucon.org/index.php/Training_Malware

Speakers
Michael Sikorski

Michael Sikorski is a well-known expert in malware analysis. He is a Technical Director at Mandiant and a member of the Mandiant Labs (M-Labs) leadership team. He leads the M-Labs malware analysis team through reverse engineering malware as a primary analyst and manages the overall... Read More →


Wednesday September 25, 2013 9:00am - 5:00pm CEST
Sanctus Erasmus (Monasterium) Oude Houtlei 56, Ghent

9:00am CEST

The Art of Exploiting Injection Flaws by Sumit Siddharth (day 2/2)
see http://2013.brucon.org/index.php/Training_Injection

Speakers

Wednesday September 25, 2013 9:00am - 5:00pm CEST
Sanctus Ireneus (Monasterium) Oude Houtlei 56, Ghent
 
Thursday, September 26
 

8:30am CEST

Registration
Thursday September 26, 2013 8:30am - 10:00am CEST
0 Lounge - Other Aula Ghent

9:00am CEST

Breakfast
Thursday September 26, 2013 9:00am - 9:50am CEST
0 Lounge - Other Aula Ghent

9:50am CEST

BruCON Opening (Seba, Wim)
Thursday September 26, 2013 9:50am - 10:00am CEST
1 Westvleteren Aula Ghent

10:00am CEST

Keynote (Amelia Andersdotter)
Speakers
Amelia Andersdotter

Amelia is a member of the European Parliament, representing the Swedish Pirate Party. In that beastly building she works for internet freedom, free access to culture and knowledge and for an open and democratic information society. Her work is in the area of industrial policy, technology... Read More →


Thursday September 26, 2013 10:00am - 11:00am CEST
1 Westvleteren Aula Ghent


11:00am CEST

HTTP Time Bandit (Vaagn Toukharian)

As web applications become richer and provide a higher level of user experience, they run increasingly large amounts of code on both the server and the client side. A few of the pages on the web server may be the performance bottlenecks. Identifying those pages gives both the application owner and an attacker a chance to be more efficient, in performance tuning or in attack.

We will discuss a method of identifying this weakness of a web application by performing a series of regular requests to it. With some refinement and normalization of the gathered data, and further testing based on the result, it is possible to pinpoint the single most resource-consuming (CPU or DB) page of the application. Armed with that information it is possible to perform more efficient DoS/DDoS attacks with very simple tools.

The presentation will be accompanied by a few demos of the tool testing and attacking various targets. The tool will be published for interested researchers to play with.
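As an added illustration of the timing-and-normalization idea (my own code, not the HTTP Time Bandit tool, which is not on this page): each page's timings are reduced to a median, normalized against a cheap static resource so that the network latency shared by every request cancels out, and ranked. The sample paths and timings are constructed, and the median/MAD normalization and the instability threshold are my assumptions about what such a tool does.

```python
"""Rank pages of a web application by server-side cost from repeated
request timings. Added example; the normalization is an assumption."""
import statistics
import time
import urllib.request
from typing import Dict, List, Optional, Tuple

# Constructed sample: response times in seconds for five repeated GETs per
# page. These numbers are invented for the example, not real measurements.
SAMPLES: Dict[str, List[float]] = {
    "/static/logo.png": [0.021, 0.019, 0.023, 0.020, 0.022],
    "/":                [0.085, 0.091, 0.080, 0.088, 0.090],
    "/search?q=a":      [0.640, 0.710, 0.655, 0.690, 0.672],
    "/report/export":   [1.900, 2.100, 1.950, 2.300, 2.050],
    "/login":           [0.110, 0.095, 0.700, 0.105, 0.100],  # one network hiccup
}


def robust_cost(samples: List[float]) -> Tuple[float, float]:
    """Median and median absolute deviation: one slow outlier (a retransmit,
    a GC pause) moves neither, unlike the mean and standard deviation."""
    med = statistics.median(samples)
    mad = statistics.median(abs(s - med) for s in samples)
    return med, mad


def rank_pages(samples: Dict[str, List[float]],
               baseline: str = "/static/logo.png") -> List[Tuple[str, float, float]]:
    """Return (path, normalized_cost, instability) sorted by cost, highest first.

    normalized_cost is the page's median divided by the median of a cheap
    static resource, so round-trip time and TLS overhead shared by every
    request cancel out and what remains is server-side work.
    instability is MAD/median; a high value means the timings are noisy and
    the page needs more samples before the number can be trusted."""
    base_med, _ = robust_cost(samples[baseline])
    rows = []
    for path, times in samples.items():
        if path == baseline:
            continue
        med, mad = robust_cost(times)
        rows.append((path, med / base_med, mad / med))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


def most_expensive(samples: Dict[str, List[float]],
                   baseline: str = "/static/logo.png",
                   max_instability: float = 0.25) -> Optional[str]:
    """The single most resource-consuming page whose timings are consistent
    enough to act on; anything noisier should be re-measured first."""
    for path, _cost, instability in rank_pages(samples, baseline):
        if instability <= max_instability:
            return path
    return None


def time_requests(base_url: str, paths: List[str], rounds: int = 5,
                  timeout: float = 10.0) -> Dict[str, List[float]]:
    """Collect real timings: 'rounds' sequential GETs per path, interleaved so
    that a load spike on the server hits every page equally. Needs network
    and is not used by the offline demonstration below."""
    out: Dict[str, List[float]] = {p: [] for p in paths}
    for _ in range(rounds):
        for p in paths:
            t0 = time.perf_counter()
            with urllib.request.urlopen(base_url + p, timeout=timeout) as resp:
                resp.read()
            out[p].append(time.perf_counter() - t0)
    return out


if __name__ == "__main__":
    for path, cost, instab in rank_pages(SAMPLES):
        print(f"{path:20s} cost x{cost:6.1f}  instability {instab:.2f}")
    print("most expensive:", most_expensive(SAMPLES))
```

Note the outlier in `/login`: a mean-based ranking would inflate it, the median does not. Measuring a system you do not own with `time_requests` is a load test and needs the owner's authorization.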

Speakers
Vaagn Toukharian

Vaagn Toukharian is Principal Engineer for Qualys's Web Application Scanner. He has been involved in the security industry since 1999. His experience includes work on Certification Authority systems, encryption devices, large CAD systems and web scanners. Outside of work his interests include photography... Read More →


Thursday September 26, 2013 11:00am - 12:00pm CEST
1 Westvleteren Aula Ghent

12:00pm CEST

Taking the BDSM out of PCI-DSS through open source solutions (Erin Jacobs, Zack Fasel)

At some point as information security practitioners, we all face those god-awful three letters. PCI. Yes. It sucks, it's not cheap, and yes, it's not "real security". But if you or your client is handling cardholder information, you must SUBMIT! Err… comply… with over 200 requirements. But how does a technically-minded and security-driven badass meet the letter and intent of PCI without pulling their hair out, spending thousands on vendor solutions that don't provide holistic security, upsetting management, or just "checking the box" and moving on?

Zack and Erin will explore their tried and tested open source solutions, implemented by organizations from the small/mid-sized to some of the largest providers in the world, to address the requirements of PCI DSS while substantially improving security. This isn't your grandpa's high-level theoretical overview, but a deep technical dive with specific configuration guidelines you can implement tomorrow.

You too can better devote resources to skilled talent over ineffective or exorbitantly priced products, so let's start fixing things.

Speakers
Zack "Unce Untz Wub" Fasel

Zack “Unce Untz Wub” Fasel is a seasoned Penetration Tester and Security Consultant with diverse experience serving clients ranging in Fortune 100s, Enterprises, and SMBs in varying industries.
Erin "SecBarbie" Jacobs

Erin “SecBarbie” Jacobs plays the role of information security executive, IT HCIC, security consultant, social soirée extraordinaire, as well as PCI-QSA on several TV shows (mostly on CCTV in her house).


Thursday September 26, 2013 12:00pm - 1:00pm CEST
1 Westvleteren Aula Ghent

1:00pm CEST

Lunch
Thursday September 26, 2013 1:00pm - 2:00pm CEST
0 Lounge - Other Aula Ghent

2:00pm CEST

CobraDroid (Jake Valletta)

“What does this application do?” is a question that analysts often ask themselves when performing an application assessment or analyzing mobile malware. CobraDroid was designed to answer this question. CobraDroid is a full-featured Android sandbox that includes the ability to modify device and radio identifiers, proxy network traffic with SSL validation bypass, and perform per-application method hooking, alerting and packet capturing (and more!).

This talk discusses how CobraDroid can be used for Android malware analysis and application assessments. It will include a discussion of the techniques used to assess applications and a demonstration of the tool.

Speakers
Jake Valletta

Jake Valletta is a consultant at Mandiant in their New York office. His areas of interest include mobile security, application security, penetration testing, and incident response. Mr. Valletta is a leader in the mobile security space at Mandiant. His responsibilities at Mandiant... Read More →


Thursday September 26, 2013 2:00pm - 3:00pm CEST
1 Westvleteren Aula Ghent

2:00pm CEST

Analyzing internet Attacks with Honeypots (Ioannis Koniaris)
In the field of computer security, honeypots are systems aimed at deceiving malicious users or software that launch attacks against the servers and network infrastructure of organizations. They can be deployed as protection mechanisms for an organization's real systems, or as research units to study and analyze the methods employed by human hackers or malware.

In this workshop we will outline the operation of two research honeypots through manual deployment and testing in real time. One honeypot will take the role of a trap for attackers who target the SSH service in order to gain illegal server access. The other will take the role of a malware collector, as usually deployed by malware analysts and anti-virus companies to gather and securely store malicious binary samples. We will also talk about post-capture activities and further analysis techniques. Furthermore, two visualization tools will be presented for the aforementioned systems, plus a honeypot bundle Linux distribution that contains pre-configured versions of the above tools and many more related utilities, which can make the deployment of honeypots in small or large networks an easy task.

Speakers
Ioannis Koniaris

Ioannis is a CS graduate and IT security researcher. He is currently working in the field of DevOps and Software Engineering for a software development company, while he has also worked as an assistant in the Network Operations Center of AUTH while studying for his BSc from said university... Read More →


Thursday September 26, 2013 2:00pm - 4:00pm CEST
5 La Trappe Novotel Ghent

2:00pm CEST

Crypto by Example (Christopher Lytle)

Cryptography is awesome, but modern cryptography has a seriously high barrier to entry that prevents a lot of people from getting into its technical side. Fortunately, many important lessons, attacks, and concepts can be demonstrated using classic pre-digital ciphers. Over the course of this four-hour workshop attendees will:

    * Learn the technical basics of cryptography.

    * Implement classic ciphers by hand.

    * Learn about weaknesses in these ciphers and how to leverage these weaknesses to crack said ciphers.

    * Get examples (in Python) from my Open Source framework to automate standard cryptographic functions, including attacks and analysis.

    * Learn the history and stories surrounding my chosen ciphers.

    * Learn a methodology so that when given an unknown ciphertext, they will be able to diagnose the cipher used and implement an attack.


Ultimately I'm aiming to have the workshop be 50% technical instruction, 40% hands-on work with guidance, and 10% historical narratives.
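Added example of the diagnosis methodology the last bullet describes (my own code, not the speaker's framework, which is not on this page): the index of coincidence decides whether a ciphertext is monoalphabetic or polyalphabetic, a chi-squared test against English letter frequencies breaks each Caesar shift, and the two combine into a Vigenère attack. The plaintext, the key and the 0.06 decision threshold are constructed for the example.

```python
"""Diagnose a classical cipher from its ciphertext, then attack it.
Added example; all code here is illustrative and my own."""
from collections import Counter
import string

ALPHA = string.ascii_uppercase
# Relative frequency (percent) of A..Z in English text, the model we test against.
ENGLISH = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03,
           2.41, 6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15,
           1.97, 0.07]
MONOALPHABETIC_IOC = 0.06   # English text scores about 0.066, random letters 1/26 = 0.038


def clean(text: str) -> str:
    return "".join(c for c in text.upper() if c in ALPHA)


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Vigenere encryption; a one-letter key is a Caesar cipher."""
    text, key = clean(text), clean(key)
    sign = -1 if decrypt else 1
    return "".join(ALPHA[(ALPHA.index(c) + sign * ALPHA.index(key[i % len(key)])) % 26]
                   for i, c in enumerate(text))


def index_of_coincidence(text: str) -> float:
    """Probability that two letters drawn from the text are equal. A simple
    substitution preserves English's ~0.066; a repeating key flattens it."""
    n = len(text)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(text).values()) / (n * (n - 1))


def chi_squared(text: str) -> float:
    """Distance between the letter counts and what English would produce; lower is better."""
    n = len(text)
    counts = Counter(text)
    total = 0.0
    for i, ch in enumerate(ALPHA):
        expected = n * ENGLISH[i] / 100
        total += (counts[ch] - expected) ** 2 / expected
    return total


def break_caesar(text: str) -> int:
    """Try all 26 shifts and keep the one whose plaintext looks most like English."""
    return min(range(26), key=lambda k: chi_squared(vigenere(text, ALPHA[k], decrypt=True)))


def guess_key_length(text: str, max_len: int = 20) -> int:
    """Smallest period whose columns (every L-th letter) each look monoalphabetic."""
    for length in range(1, max_len + 1):
        cols = [text[i::length] for i in range(length)]
        if sum(index_of_coincidence(c) for c in cols) / length > MONOALPHABETIC_IOC:
            return length
    return max_len


def diagnose(ciphertext: str):
    """Returns (kind, key, plaintext) with kind 'caesar' or 'vigenere'."""
    text = clean(ciphertext)
    if index_of_coincidence(text) > MONOALPHABETIC_IOC:
        key = ALPHA[break_caesar(text)]
        return "caesar", key, vigenere(text, key, decrypt=True)
    length = guess_key_length(text)
    # Each column was shifted by one key letter, so it is a Caesar cipher of its own.
    key = "".join(ALPHA[break_caesar(text[i::length])] for i in range(length))
    return "vigenere", key, vigenere(text, key, decrypt=True)


# Constructed plaintext for the demonstration (written for this example).
PLAINTEXT = (
    "Cryptography is awesome but modern cryptography has a seriously high barrier "
    "to entry that prevents a lot of people from getting into its technical side. "
    "Fortunately many important lessons attacks and concepts can be demonstrated "
    "using classic pre digital ciphers. The index of coincidence tells a "
    "monoalphabetic substitution apart from a polyalphabetic one because a simple "
    "shift preserves the uneven letter frequencies of English while a repeating "
    "key flattens them towards random. Once the key length is known each column of "
    "the ciphertext is just a Caesar cipher and a chi squared test against the "
    "expected English frequencies recovers every shift in turn. The same "
    "methodology applies to an unknown ciphertext found in the wild: measure first, "
    "decide what kind of cipher you are facing, and only then implement the attack."
)

if __name__ == "__main__":
    kind, key, _ = diagnose(vigenere(PLAINTEXT, "GHENT"))
    print(kind, key)
```

The diagnosis step is the part worth internalizing: measure before attacking. On a short ciphertext (a few dozen letters) the index of coincidence is too noisy for the fixed threshold, and the attack degrades to trying key lengths by hand.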

Speakers
Christopher Lytle

Chris is a Senior Security Consultant at VerSprite. This one time, he hacked a computer. His likes include tacos, bad cryptography, and strange hardware.


Thursday September 26, 2013 2:00pm - 4:00pm CEST
4 Chimay Novotel Ghent

2:00pm CEST

Cuckoo (The Cuckoo Team)

Cuckoo Sandbox is an open source system for automating the dynamic analysis of malware. It allows you to run and monitor any suspicious file inside an isolated environment and collect indicators and evidence of its behavior.

Cuckoo is growing into an established but complex piece of software, and there are many features, improvements and fixes that are yet to be developed.

At BruCON core developers, contributors and users will be able to sit down to discuss, hack, break (and possibly build) Cuckoo Sandbox and wonder about the future of fighting malware.

This workshop is sponsored by Splunk


Speakers
Jurriaan Bremer

Jurriaan is a freelance security researcher from the Netherlands interested in the fields of reverse engineering, malware analysis, mobile security, and the development of software to aid in security analysis. In his spare time he works as one of the Core Developers of Cuckoo Sandbox... Read More →
Claudio Guarnieri

Claudio is a Security Researcher at Rapid7. His research work covers malware, botnets, privacy and surveillance issues. He's a core member of The Shadowserver Foundation and The Honeynet Project, he leads the development of Cuckoo Sandbox and created and maintains Malwr.com.
Mark Schloesser

Mark Schloesser is a security researcher at Rapid7, analyzing threats and developing countermeasures to help defenders understand and protect against the risks they face. He is also deeply involved developing open-source software as part of the Honeynet Project and other communities... Read More →
Alessandro "jekil" Tanasi

Alessandro is a security researcher and software engineer from Italy, interested in hacking methodologies and instruments, with focus on vulnerability assessment, digital forensics, malware analysis and security tools development. He is one of the Core Developers of Cuckoo Sandb... Read More →


Thursday September 26, 2013 2:00pm - 4:00pm CEST
2 Westmalle Aula Ghent

2:00pm CEST

KUDO : Post Mortem Forensic Analysis with FLOSS Tools 2.0 (Sandro Melo)

Computers are increasingly used for illicit activities, so responding to security incidents calls for computer forensics best practices even when no formal criminal investigation takes place. This workshop is about post-mortem forensics of media, especially hard disks. Several tests and evaluations can be done at each layer of abstraction in order to recover data of sufficient quality to identify evidence. That evidence can be a block of data or even a file related to the security incident under investigation, which from then on is treated as an artifact. Performing a forensic analysis demands both a methodology and appropriate tools. The Five Layer Analysis Methodology proposes a treatment at each layer of abstraction, allowing the identification of every piece of data that may be relevant to the analysis of the incident. To meet the need for appropriate tools, FOSS tools are an interesting alternative: the number of projects developed by that community for computer forensics is significant, and their quality is sufficient to carry out the entire computer forensic process.

Who should attend:

  • Law enforcement officers, federal agents, or detectives who want to master computer forensics and expand their investigative skillset to include data breach investigations, intrusion cases, and tech-savvy cases

  • Incident response team members who are responding to complex security incidents/intrusions and need to utilize computer forensics to help solve their cases

  • Computer Forensic professionals who want to solidify and expand their understanding of file system forensic and incident response related topics

  • Information security professionals with some background in hacker exploits, penetration testing, and incident response

  • Information security managers who would like to master digital forensics in order to understand information security implications and potential litigation related issues or manage investigative teams

  • Anyone with a firm technical background who might be asked to investigate a data breach incident or an intrusion case, or who investigates individuals that are considered technically savvy
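Added example of one concrete technique at the data layer of such an analysis, file carving by signature, which recovers files (deleted ones included) from raw blocks without any help from the file system. It is my own code, not one of the FOSS tools the workshop covers. The header and footer bytes are the real magic values of JPEG, PNG and PDF; the disk image and the artifacts inside it are constructed inline.

```python
"""Carve files out of a raw disk image by header/footer signature and record
each artifact with its offset and hash. Added example; the image is constructed."""
import hashlib
import os
from typing import Dict, List

# type -> (header, footer, maximum size to carve when no footer is found)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 5 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 5 * 1024 * 1024),
    "pdf": (b"%PDF-", b"%%EOF", 20 * 1024 * 1024),
}


def carve(image: bytes, signatures=SIGNATURES) -> List[Dict]:
    """Scan the whole image (unallocated space included, so deleted files are
    found too) for every header; cut at the first footer after it, or take
    max_size bytes and flag the artifact as incomplete."""
    found = []
    for kind, (header, footer, max_size) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            window = image[pos:pos + max_size]
            end = window.find(footer, len(header))
            complete = end != -1
            data = window[:end + len(footer)] if complete else window
            found.append({
                "type": kind, "offset": pos, "size": len(data),
                "complete": complete,
                "sha256": hashlib.sha256(data).hexdigest(),
                "data": data,
            })
            # Resume just past this header: an embedded file (an EXIF thumbnail
            # inside a JPEG) is then carved as an artifact of its own.
            pos = image.find(header, pos + len(header))
    found.sort(key=lambda f: f["offset"])
    return found


def write_artifacts(found: List[Dict], outdir: str) -> List[str]:
    """Write each artifact as <offset>.<type> plus a manifest of hashes, so the
    path from image offset to extracted file can be verified later."""
    os.makedirs(outdir, exist_ok=True)
    names = []
    with open(os.path.join(outdir, "manifest.sha256"), "w") as manifest:
        for f in found:
            name = f"{f['offset']:012d}.{f['type']}"
            with open(os.path.join(outdir, name), "wb") as fh:
                fh.write(f["data"])
            note = "" if f["complete"] else "  (truncated)"
            manifest.write(f"{f['sha256']}  {name}{note}\n")
            names.append(name)
    return names


# Constructed disk image: a complete JPEG, a complete PNG and a PDF whose
# trailer was overwritten, separated by unallocated (zero / 0xff) space.
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 40 + b"\xff\xd9"
FAKE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
            + b"\x00\x00\x00\x00IEND\xaeB`\x82")
FAKE_PDF_TRUNCATED = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
IMAGE = (b"\x00" * 512 + FAKE_JPEG + b"\xff" * 300 + FAKE_PNG
         + b"\x00" * 1000 + FAKE_PDF_TRUNCATED + b"\x00" * 64)

if __name__ == "__main__":
    for f in carve(IMAGE):
        print(f"{f['type']} @ {f['offset']:#x} {f['size']} bytes "
              f"complete={f['complete']} sha256={f['sha256'][:12]}")
```

Two known limitations are worth keeping in mind when reading the output: a PDF with incremental updates contains several `%%EOF` markers and the first one cuts the file short, and a fragmented file is not recovered in one piece by any header/footer carver, which is why the hash manifest records what was actually extracted rather than what was presumed present.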

Speakers
Sandro Melo

About Sandro Melo, aka CARIOCA: Currently I work at Bandtec College, and also with advanced training, pentesting, response to security incidents and computer forensics, and I am a student/candidate in the doctoral program in TIDD/PUC-SP. I was born in the beautiful city of Rio de Janeiro, Brazil... Read More →


Thursday September 26, 2013 2:00pm - 4:00pm CEST
3 Orval Novotel Ghent

3:00pm CEST

Realtime analysis and visualization of internet status (Tiago Balgan Henriques, Tiago Martins, João Gouveia)

Nowadays nearly every day we see a new botnet going up and another one being brought down. Looking at this, the presenters of this talk decided they needed a way to constantly know and visualize the status of different botnets. Then we decided to go one step further and not only understand how they were growing or shrinking, but also capture patterns between the different machines that have been compromised and multiple properties of different botnets:

  • Which port(s) does a certain botnet use?
  • Which type of protocol?
  • What type of machine is it?
  • Is it a personal machine or a gateway with multiple machines behind it?
  • Is that machine affected by one or more botnets?

After we achieved this, we decided to create a fast and useful way to use this data, so we created what we call The Cyberfeed and Project Hyperion, of which we will also do live demos.

On the Cyberfeed side you can access all of our data of all types, from sinkholes to port scans and even honeypots, and run different types of queries, so that you access only the data you need and want; combined, this can provide useful information that can even be used in defense.

Hyperion is where our visual modules live: you can easily get geospatial visualizations of different botnets and search for information from our port scans.

Speakers
João Gouveia

João Gouveia, CTO and co-founder of AnubisNetworks, has specialized in the IT security field for over 13 years, with deep knowledge across the broad spectrum of the IT security landscape. He is focused on understanding current and future threats and aligning technology strategy to come up with... Read More →
Tiago Balgan Henriques

Tiago 'Balgan' Henriques is currently Security Lead at Centralway, located in Zurich. At university he did some part-time lecturing on a range of topics, from computer security to networking and cryptography. His main interests are: cryptography, pentesting, information... Read More →
Tiago Martins

Tiago Martins got his MSc in Computer Engineering at University of Lisbon in 2010 and has been working in Research and Development since 2009. Currently he’s working at AnubisNetworks where his main area of focus is Security Information and Event Management. His work involves the... Read More →


Thursday September 26, 2013 3:00pm - 4:00pm CEST
1 Westvleteren Aula Ghent

4:00pm CEST

Coffee
Thursday September 26, 2013 4:00pm - 4:30pm CEST
0 Lounge - Other Aula Ghent

4:30pm CEST

Lightning Talks
Thursday September 26, 2013 4:30pm - 5:30pm CEST
1 Westvleteren Aula Ghent

4:30pm CEST

Advanced Excel Hacking (Didier Stevens)

This is a workshop on hacking Excel on Windows without exploits.

Visual Basic for Applications (VBA) is a powerful programming language, more powerful than VBScript, because it has access to the Windows API. What I teach in this workshop is applicable to all applications with VBA support (Word, PowerPoint, AutoCAD, ...), but I chose Excel because of its prevalence and its tabular GUI, which is particularly suited for inputting and outputting data.

I illustrate 2 major hacking techniques on Excel: pure VBA, and VBA mixed with special shellcode and DLLs.

The advantage of hacking without exploits is that it will always work, regardless of the patch level. As long as Excel and macros are allowed to run, arbitrary code can be executed.

These techniques are interesting to hackers and pentesters, because they allow one to execute arbitrary code in a restricted environment, without creating new processes or writing DLLs to disk. Even in a whitelisted environment, where EXEs and DLLs have to be whitelisted, these techniques work as long as Excel is allowed to run and macros are not disabled.

For the pure VBA technique, I show examples of:

  • a Windows task manager that can kill, pause and resume Windows processes, as well as inject shellcode into these processes. This spreadsheet is also useful to clean infected PCs where malware prevents Task Manager from running.

  • network utilities: ping, resolve, ...

  • installed programs list

For the mixed VBA technique, I show examples of:

  • a spreadsheet with embedded cmd.exe and regedit.exe. These two programs are taken from ReactOS (the open source project aiming to build a Windows XP binary-compatible OS), transformed into DLLs, and then injected into Excel's memory from memory with specially designed shellcode. This spreadsheet allows one to run an undetectable command line interpreter and registry editor in environments where such tools are restricted. This is not only usable on corporate PCs or kiosks, but (for example) also on infected PCs where malware prevents cmd.exe and regedit.exe from running.

  • a spreadsheet with the opensource code of putty.exe transformed into a DLL.

  • a spreadsheet with a port forwarder, allowing the restricted machine to be used as a proxy.

  • ...

I will not only explain these techniques and demo these spreadsheets, but I will also explain and release the tools I designed to create these spreadsheets.

Attendees have to bring a Windows machine (physical or virtual) with Microsoft Excel (2003, 2007, 2010 or 2013, 32-bit or 64-bit). 32-bit Excel is preferred, as some examples only work on 32-bit (at the time of writing, ReactOS is 32-bit only).

A Python interpreter is also needed for attendees that want to use my tools to transform a DLL into VBA code.

Speakers
Didier Stevens

Didier Stevens (Microsoft MVP Consumer Security, CISSP, GSSP-C, MCSD .NET, MCSE/Security, MCITP Windows Server 2008, RHCT, CCNP Security, OSWP) is an IT Security Consultant currently working at a large Belgian financial corporation. In 2012, Didier founded his own company Didier... Read More →


Thursday September 26, 2013 4:30pm - 6:30pm CEST
2 Westmalle Aula Ghent

4:30pm CEST

Analyzing internet Attacks with Honeypots (Ioannis Koniaris)
In the field of computer security, honeypots are systems aimed at deceiving malicious users or software that launch attacks against the servers and network infrastructure of organizations. They can be deployed as protection mechanisms for an organization's real systems, or as research units to study and analyze the methods employed by human hackers or malware.

In this workshop we will outline the operation of two research honeypots through manual deployment and testing in real time. One honeypot will take the role of a trap for attackers who target the SSH service in order to gain illegal server access. The other will take the role of a malware collector, as usually deployed by malware analysts and anti-virus companies to gather and securely store malicious binary samples. We will also talk about post-capture activities and further analysis techniques. Furthermore, two visualization tools will be presented for the aforementioned systems, plus a honeypot bundle Linux distribution that contains pre-configured versions of the above tools and many more related utilities, which can make the deployment of honeypots in small or large networks an easy task.

Speakers
Ioannis Koniaris

Ioannis is a CS graduate and IT security researcher. He is currently working in the field of DevOps and Software Engineering for a software development company, while he has also worked as an assistant in the Network Operations Center of AUTH while studying for his BSc from said university... Read More →


Thursday September 26, 2013 4:30pm - 6:30pm CEST
5 La Trappe Novotel Ghent

4:30pm CEST

Automating RE with Python (Carlos G. Prado)

All tasks involved in binary analysis can be automated. Sometimes it's a matter of convenience and sometimes there is just no other way to do it…

From static reversing with IDA Pro to debugging with Immunity Debugger (or even without a debugger!), every task can be carried out with better performance and, more importantly, fewer headaches by using a bit of Python.

In this 4h hands-on workshop you will learn how to work more efficiently and unleash the full power of several reversing tools you may already know to some extent.

Directed to

  • Advanced beginners in the field of binary reverse engineering who have had their first contact with the tools of the trade (IDA Pro, OllyDbg, Immunity Debugger, etc.) and want to go to the next level by automating tasks and writing small scripts or plugins

To take away

  • First immersion in the area of reversing automation.

  • How to use Python to automate some tedious tasks

  • Lots of scripts and plugins to take home and play!

  • Geeky fun!

Requirements

  • Some knowledge in binary reversing on Windows

  • Basic x86 assembly knowledge would be very helpful

  • First exposure to tools like IDA Pro or a debugger (Olly is cool, Immunity Debugger would be better)

  • Basic knowledge of the Python language

  • A certain "nerdiness".

Speakers
Carlos G. Prado

I'm a particle physicist recycled into the IT security field. Originally from Spain but living in Germany, I'm frequently tortured by the rainy, cold weather and therefore forced to wear funny hats and drink traditional warming beverages. My main interests are reverse engineering... Read More →


Thursday September 26, 2013 4:30pm - 6:30pm CEST
3 Orval Novotel Ghent

4:30pm CEST

DJ Workshop
will be in the DJ Workshop area (see venue plan)


Thursday September 26, 2013 4:30pm - 6:30pm CEST
0 Lounge - Other Aula Ghent

4:30pm CEST

Foundational Packetry: Using the internet on god mode (@undeadsecurity, @blackswanburst)

So you're a network wizard, and all your packets are urgent. You nmap, and wireshark, and you're good at it. At parties people ask to see your packet tricks, and challenge you to duels.

This is a workshop/challenge born over a beer wager between two such gentlemen of networks. Chaps with finely groomed facial hair and an understanding of Braess' paradox applied to routing tables.

And what better place to settle that challenge over beer, than Brucon?

The challenge was simple, yet worthy:
Can you associate with wireless, get an IP address, set your DNS server, resolve a URL, and do an HTTP request using only SCAPY? In other words, BE THE OS at the network layer.

They didn't do it because it was cool, and they didn't do it because it was sexy (cause let's face it, it's neither). They did it to re-learn the foundations of networking and packetry. They did it to embrace the task that gives birth to deep understanding. They did it because they admire the people of the IETF who bootstrapped the internet primarily by writing and responding to text files.

Now you too, can quote RFCs. You too, can improve your SCAPY skills in a single day. You too, can make obscure packet jokes.

More importantly, this workshop will test you on things you *think* you know. The gentlemen in question thought they were pen-test badasses, until they humbled themselves on the foundations of networking.

Are you ready to school these two legendary gentlemen on what they think they already know?

This will be half workshop, half personal challenge. The two hosts were born out of the hacker spaces, where everyone is a teacher and everyone is a student. This is simply a continuation of that ethos.

Requirements:
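Added example of the "resolve a name" step of the challenge done at the wire-format level, with neither Scapy nor the OS resolver involved (my own code, not the hosts' challenge material): it builds a DNS query by hand per RFC 1035 and parses a reply, including the name-compression pointers that trip up most hand-written parsers. The reply bytes are constructed inline; the 192.0.2.x addresses are documentation addresses, and `resolve()` needs a real server to return anything.

```python
"""Build and parse DNS messages by hand (RFC 1035 wire format).
Added example; the sample response below is constructed, not captured."""
import random
import socket
import struct
from typing import List, Optional, Tuple

TYPE_A, CLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00' (RFC 1035 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: Optional[int] = None, qtype: int = TYPE_A) -> bytes:
    """12-byte header (RFC 1035 4.1.1) with RD=1, then one question."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def decode_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name. Returns (name, offset just after the
    name as it appears at 'offset'). A pointer (top two bits 11, RFC 1035
    4.1.4) may only point backwards, which also rules out pointer loops."""
    labels: List[str] = []
    end = None                       # where the caller continues reading
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            if pointer >= offset:
                raise ValueError("forward or self-referencing compression pointer")
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg: bytes, expected_txid: Optional[int] = None) -> List[Tuple[str, int, str]]:
    """Return [(name, ttl, ipv4)] for the A records in the answer section."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")      # stale or spoofed reply
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qdcount):                               # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return answers


def resolve(name: str, server: str = "192.0.2.53", timeout: float = 3.0):
    """Send the query over UDP/53 and parse the reply. Needs network; the
    server address is a placeholder, replace it with your resolver."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        reply, _ = s.recvfrom(4096)
    return parse_response(reply, txid)


# Constructed reply: same question, one A record whose owner name is the
# pointer 0xC00C back to offset 12, where the question name sits.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("www.example.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(build_query("www.example.com", 0x1234).hex())
    print(parse_response(SAMPLE_RESPONSE, 0x1234))
```

Two things this makes visible that a library hides: the transaction ID is the only thing tying a UDP reply to the query, so checking it (and ideally the source port) is what stops a trivially spoofed answer from being accepted, and a reply with the TC bit set (0x0200) is truncated and should be retried over TCP rather than parsed as complete.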


Speakers
Eireann Leverett (@blackswanburst)

Eireann Leverett hates writing bios in the third person. He once placed second in an Eireann Leverett impersonation contest. He likes teaching the basics, and learning the obscure. He is sometimes jealous of his own beard for being more famous than he is.
Matt Erasmus (@undeadsecurity)

Matt isn't very good at writing bios. He works outside of information security but dabbles in packets, malware and other such shenanigans when the urge strikes him. Mostly during winter, when it's colder than a penguin's nipple outside.


Thursday September 26, 2013 4:30pm - 6:30pm CEST
4 Chimay Novotel Ghent

5:30pm CEST

.NET: The Framework, the Myth, the Legend (Aloria)

.NET has been around forever, yet the amount of tutorials and documentation covering its analysis is rather diffuse. It's time to give it the beatdown it deserves.

This talk will cover the current state of the art in .NET reversing, from the PE format of .NET assemblies, through various types of obfuscation, to reversing tools and techniques. Finally, we'll demo how to modify the behavior of an obfuscated .NET binary by injecting new code.

Speakers
Aloria

Aloria began her interest in Microsoft programming languages when she wrote her first QBasic app at the tender age of eight. Since then, she has gone on to work on application security teams for a variety of organizations, including start-ups, military, and finance. She presently...


Thursday September 26, 2013 5:30pm - 6:30pm CEST
1 Westvleteren Aula Ghent

6:30pm CEST

Dinner
Thursday September 26, 2013 6:30pm - 7:30pm CEST
0 Lounge - Other Aula Ghent

7:30pm CEST

Keynote: Back in Black (David Mortman)
As an industry, information technology as a whole is not doing a great job when it comes to security. In many ways, we are much better than we were ten years ago, but we still have a long way to go. If we're going to catch up or even keep up with the miscreants, we need to get back to the basics and do things better.

Speakers
David Mortman

David Mortman has been doing Information Security for well over 15 years and is currently the Chief Security Architect for Dell/Enstratius and a Contributing Analyst at Securosis. Most recently, he was the Director of Security and Operations at C3. Previously, David was the CISO at...


Thursday September 26, 2013 7:30pm - 8:30pm CEST
1 Westvleteren Aula Ghent

9:30pm CEST

BruCON Party
Will be at Cirq Central, Hoogpoort 32, Ghent. Line-up to follow.

Thursday September 26, 2013 9:30pm - Friday September 27, 2013 12:00am CEST
0 Lounge - Other Aula Ghent
 
Friday, September 27
 

9:00am CEST

Breakfast
Friday September 27, 2013 9:00am - 10:00am CEST
0 Lounge - Other Aula Ghent

10:00am CEST

Keynote (Dan Guido)
Speakers
Dan Guido

Dan Guido leads the strategic vision for Trail of Bits products and services and manages its day-to-day operations. His most recent research applied intelligence-driven defense to mass malware and demonstrated that, contrary to popular belief, only a very small number of vulnerabilities...


Friday September 27, 2013 10:00am - 11:00am CEST
1 Westvleteren Aula Ghent

11:00am CEST

Paint by Numbers vs. Monet (Russ Gideon)

Penetration testing came about because of real-world attacks. The industry quickly realized that we need to behave like the attackers to learn how to defend against them, and thus the penetration testing industry was born. Back then the approach to attacks was very paint-by-numbers: if an exploit was found it was released in raw form, possibly (probably) perfected by others, and released again. Our methodologies and detections for defending against these attacks were derived from this type of approach, and so they too became very paint-by-numbers! The initial training on this concept was derived from real-world attacks, and we have evolved that training, but a few years ago we stopped closely mimicking the real attackers. Why did we do this? Not because as an industry we didn't want to advance it, but because it became very difficult to. Why so difficult? Because the times have changed, and people are no longer giving things out like they used to. Attackers don't take that approach. They find a vulnerability or exploit and treat it as something special: they understand it, they research all aspects of it, and then they weaponize it. This approach takes time and money, and it produces a Monet. Yes, there are plenty of lookalike Monet paintings, but none have the brush-stroke characteristics that true Monet paintings do. Our current approach to detecting and resembling real attacks is still very paint-by-numbers. Our commercial off-the-shelf tools are great tools, and can help something look like a Monet, but when you look at the brush strokes you can see it is a paint-by-numbers.

We will be reviewing some Tactics, Techniques, and Procedures (TTP) scenarios from real-world attacks and showing the not-so-common differences between true attacker TTPs and current penetration testing methodologies, TTPs, and tools. This talk will focus on the binary aspects of these scenarios to show significant differences and some similarities of current attack patterns. This presentation is designed to show viewers the very low-level details that we are overlooking in how to replicate true malicious attackers. The common trend of using off-the-shelf tools to conduct penetration tests has replaced a significant amount of tool writing; this has helped and will help the industry, but it has come at an expense as well.

Speakers
Russ Gideon

Russ Gideon has many years of experience in information security fulfilling many diverse roles from being a core component of an Incident Response operation to managing an effective Red Team. Russ excels both at malware reverse engineering, which enables him to deeply understand...


Friday September 27, 2013 11:00am - 12:00pm CEST
1 Westvleteren Aula Ghent

12:00pm CEST

Lunch
Friday September 27, 2013 12:00pm - 1:00pm CEST
0 Lounge - Other Aula Ghent

12:00pm CEST

Lightning Talks
Friday September 27, 2013 12:00pm - 1:00pm CEST
1 Westvleteren Aula Ghent

1:00pm CEST

DevOps/Security Panel (Kris Buytaert, Patrick Debois, David Mortman, Alex Hutton)
Security/Ops Memeage: Fitting DevOps, Lean, Risk, Metrics and ITIL/Six Sigma Together. We've assembled an all-star team of experts in DevOps, Lean, Risk and Metrics to tell you how they can be used (and abused) for the sake of security. You'll learn how they are not at odds with each other but in fact are greater than the sum of their parts. You'll be entertained and also well fed, as the panel will bring pastries for audience questions.

Speakers
Kris Buytaert

Kris Buytaert is a long-time Linux and Open Source Consultant. He's one of the instigators of the devops movement, currently working for Inuits. He frequently speaks at, or organizes, different international conferences and has written about the same subjects in different Books...
Patrick Debois

In order to understand current IT organizations, Patrick has taken a habit of changing both his consultancy role and the domain which he works in: sometimes as a developer, manager, sysadmin, tester and even as the customer. During 15 years of consultancy, there is one thing that...
David Mortman

David Mortman has been doing Information Security for well over 15 years and is currently the Chief Security Architect for Dell/Enstratius and a Contributing Analyst at Securosis. Most recently, he was the Director of Security and Operations at C3. Previously, David was the CISO at...


Friday September 27, 2013 1:00pm - 2:00pm CEST
1 Westvleteren Aula Ghent

1:00pm CEST

Automating RE with Python (Carlos G. Prado)

All tasks involved in binary analysis can be automated. Sometimes it’s a matter of convenience and sometimes there is just not another way to do it…

From static reversing with IDA Pro to debugging with Immunity Debugger (or even without a debugger!), every task can be carried out with better performance and, more importantly, fewer headaches, by using a bit of Python.

In this four-hour, hands-on workshop you will learn how to work more efficiently and unleash the full power of several reversing tools you may already know to some extent.

Directed to

  • Advanced beginners in the field of binary reverse engineering who had their first contact with the tools of the trade (IDA Pro, OllyDbg, Immunity Debugger, etc.) and want to go to the next level by automating tasks and writing small scripts or plugins

To take away

  • First immersion in the area of reversing automation.

  • How to use Python to automate some tedious tasks

  • Lots of scripts and plugins to take home and play!

  • Geeky fun!

Requirements

  • Some knowledge in binary reversing on Windows

  • Basic x86 assembly knowledge would be very helpful

  • First exposure to tools like IDA Pro or a debugger (Olly is cool, Immunity Debugger would be better)

  • Basic knowledge of the Python language

  • A certain "nerdiness".

Speakers
Carlos G. Prado

I'm a particle physicist recycled into the IT security field. Originally from Spain but living in Germany, I'm frequently tortured by the rainy, cold weather and therefore forced to wear funny hats and drink traditional warming beverages. My main interests are reverse engineering...


Friday September 27, 2013 1:00pm - 3:00pm CEST
3 Orval Novotel Ghent

1:00pm CEST

Crypto by Example (Christopher Lytle)

Cryptography is awesome, but modern cryptography has a seriously high barrier to entry that prevents a lot of people from getting into its technical side. Fortunately, many important lessons, attacks, and concepts can be demonstrated using classic pre-digital ciphers. Over the course of this four-hour workshop attendees will:

    * Learn the technical basics of cryptography.

    * Implement classic ciphers by hand.

    * Learn about weaknesses in these ciphers and how to leverage these weaknesses to crack said ciphers.

    * Get examples (in Python) from my Open Source framework to automate standard cryptographic functions, including attacks and analysis.

    * Learn the history and stories surrounding my chosen ciphers.

    * Learn a methodology so that when given an unknown ciphertext, they will be able to diagnose the cipher used and implement an attack.


Ultimately I'm aiming to have the workshop be 50% technical instruction, 40% hands-on work with guidance, and 10% historical narratives.

Speakers
Christopher Lytle

Chris is a Senior Security Consultant at VerSprite. This one time, he hacked a computer. His likes include tacos, bad cryptography, and strange hardware.


Friday September 27, 2013 1:00pm - 3:00pm CEST
5 La Trappe Novotel Ghent

1:00pm CEST

Cuckoo (The Cuckoo Team)

Cuckoo Sandbox is an open source system for automating the dynamic analysis of malware. It allows you to run and monitor any suspicious file inside an isolated environment and collect indicators and evidence of its behavior.

Cuckoo is growing into an established but complex piece of software, and there are many features, improvements and fixes that are yet to be developed.

At Brucon core developers, contributors and users will be able to sit down to discuss, hack, break (and possibly build) Cuckoo Sandbox and wonder about the future of fighting malware.

This workshop is sponsored by Splunk


Speakers
Jurriaan Bremer

Jurriaan is a freelance security researcher from the Netherlands interested in the fields of reverse engineering, malware analysis, mobile security, and the development of software to aid in security analysis. In his spare time he works as one of the Core Developers of Cuckoo Sandbox...
Claudio Guarnieri

Claudio is a Security Researcher at Rapid7. His research work covers malware, botnets, privacy and surveillance issues. He's a core member of The Shadowserver Foundation and The Honeynet Project, he leads the development of Cuckoo Sandbox and created and maintains Malwr.com.
Mark Schloesser

Mark Schloesser is a security researcher at Rapid7, analyzing threats and developing countermeasures to help defenders understand and protect against the risks they face. He is also deeply involved in developing open-source software as part of the Honeynet Project and other communities...
Alessandro "jekil" Tanasi

Alessandro is a security researcher and software engineer from Italy, interested in hacking methodologies and instruments, with focus on vulnerability assessment, digital forensics, malware analysis and security tools development. He is one of the Core Developers of Cuckoo Sandb...


Friday September 27, 2013 1:00pm - 3:00pm CEST
2 Westmalle Aula Ghent

1:00pm CEST

Winter Cluster : Build a malware agglomerator (Michael Sikorski, Willi Ballenthin)

Millions of new malware samples are identified each week, but most are simply variants of well-known families. Finding a means to automatically group these families enables researchers to focus their time on the truly interesting samples. Machine learning clustering algorithms are perfect for this task. WINTER CLUSTER is a four hour, hands-on workshop that introduces machine learning and malware analysis. Students will build a foundation on these topics and create an interactive malware clustering tool from scratch. After the conference, attendees can immediately integrate “the Agglomerator” into their real-world or R&D environments.

The first hour of the workshop provides the students with a taste of machine learning. WINTER CLUSTER covers both classification and clustering algorithms, but focuses on the intuition behind each approach. In the first lab session, students work with an industrial-grade machine learning toolkit to rapidly triage a large dataset and identify threats.

The second hour of the workshop has students dive into malware analysis. WINTER CLUSTER presents common techniques for static and dynamic analysis. Throughout this session, the authors place an emphasis on identifying features appropriate for machine learning algorithms. In this session, students dissect real malware and manually identify similarities among the samples.

After a break, the third and fourth hours of the workshop take the newly formed expertise and apply it to the problem: "How can we handle a firehose of malware?" Students build an automated malware clustering tool that discovers relationships among samples. As they identify and extract robust features, the tool agglomerates binaries into families. WINTER CLUSTER concludes by exploring how attendees can implement a similar system in their research or professional environment.

Attendees of the workshop are encouraged to bring a laptop with VMware in order to participate in the labs. The speakers will provide a virtual machine with all required software and frameworks.

Speakers
Willi Ballenthin

Willi Ballenthin is a Consultant with Mandiant who can usually be found responding to breaches. Although he has experience in a variety of forensic settings, Willi enjoys reconstructing intrusions from initial exploit to long-term persistence. At Mandiant, Willi identifies vectors...
Michael Sikorski

Michael Sikorski is a well-known expert in malware analysis. He is a Technical Director at Mandiant and a member of the Mandiant Labs (M-Labs) leadership team. He leads the M-Labs malware analysis team through reverse engineering malware as a primary analyst and manages the overall...


Friday September 27, 2013 1:00pm - 3:00pm CEST
4 Chimay Novotel Ghent

2:00pm CEST

Data-plane networking (Robert Graham)

High-speed network design separates components into a "fast-path" and a "slow-path". An example might be "software defined networks", where software controls how a switch forwards network traffic. One set of terminology calls these the "data-plane" and the "control-plane".

This is a great metaphor for cybersecurity. The "data-plane" is exposed to hackers, and must withstand constant hacker attack while keeping up with link speed traffic. The "control-plane" is hidden from hacker attack, using firewalls or non-routable IP addresses.

My DNS server is a "data-plane" DNS. It's based upon an in-memory table that is lost on a power outage; it doesn't store information in a SQL server with transaction logging. Because of this, it can be 10x or even 100x as fast. This is a great attribute for the "data-plane", but a horrible attribute for the "control-plane".

Its role is to be a "slave" to a "hidden master" server running software like BIND10. The design proposed by this talk is that all DNS should consist of slave DNS servers exposed to the Internet, and that all primary master servers should be hidden from the Internet.

From a DNS point of view, I'll show how UPDATE, NOTIFY, and AXFR/IXFR mechanisms work to maintain this structure.

This idea isn't necessarily new, it's just that it hasn't been formalized. People already use caching front-ends for hidden webservers, or separate 10.x.x.x private networks for controlling their public infrastructure routers. The purpose of this talk is to provide a more formal, rigorous discussion of this idea. For example, I'll demonstrate how the custom TCP/IP stack in my DNS server that bypasses the operating-system stack serves this "data plane" purpose.

Speakers
Robert Graham

In 1998, I created one of the first personal firewalls (BlackICE Defender) and the first IPS (BlackICE Guard). In 2007, I released the first sidejacking tool "Hamster". For the past 15 years I've been a frequent speaker at conferences. My blog is at http://blog.erratasec.com, my...


Friday September 27, 2013 2:00pm - 3:00pm CEST
1 Westvleteren Aula Ghent

3:00pm CEST

Coffee
Friday September 27, 2013 3:00pm - 3:30pm CEST
0 Lounge - Other Aula Ghent

3:30pm CEST

Building Custom Android Malware for Penetration Testing (Stephan Chenette)
In this presentation Stephan will discuss some recent research that emerged when he was asked to build malicious applications that bypassed custom security controls. He will walk through some of the basics of reversing malicious apps for Android as well as common Android malware techniques and methodologies. From the analysis of in-the-wild Android malware, he will discuss techniques and functionality to include when penetration testing against 3rd-party Android security controls.

Speakers
Stephan Chenette

Stephan Chenette is the Director of Research and Development at IOActive where he conducts ongoing research to support internal and external security initiatives within the IOActive research team. Stephan has been involved in security research for the last 10 years and has presented...


Friday September 27, 2013 3:30pm - 4:30pm CEST
1 Westvleteren Aula Ghent

3:30pm CEST

5by5 Presentations
See speaker's details for a description of the presented 5by5 projects.

Speakers
Abraham Aranguren

CEO, 7ASecurity
After 13 years in itsec and 20 in IT, Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Former senior penetration tester / team lead at Cure53 (cure53.de) and Version 1...
Assem Chelli

Assem got his State Engineer degree in 2010 at the National Higher School of Computer Science Algiers (ESI) and worked for 2 years in the same institution as a Computing Engineer. Assem is currently a Master Student at the same university. Assem contributed for years to many Open...
Guido Witmond

Guido loves tinkering with toys. At a young age he took things apart to see how they worked. Later he also learned how to put them back together in working order. These days he applies that curiosity to internet security. He took apart the PKI-security tools and put them back in a...
Robin Wood

Robin has over six years' experience in computer security and over fifteen in software development. He has run security audits for many large banks, trading firms and various other international organizations. Robin is an active member of the computer security community, regularly...


Friday September 27, 2013 3:30pm - 4:30pm CEST
2 Westmalle Aula Ghent

3:30pm CEST

Automating RE with Python (Carlos G. Prado)

All tasks involved in binary analysis can be automated. Sometimes it’s a matter of convenience and sometimes there is just not another way to do it…

From static reversing with IDA Pro to debugging with Immunity Debugger (or even without a debugger!), every task can be carried out with better performance and, more importantly, fewer headaches, by using a bit of Python.

In this four-hour, hands-on workshop you will learn how to work more efficiently and unleash the full power of several reversing tools you may already know to some extent.

Directed to

  • Advanced beginners in the field of binary reverse engineering who had their first contact with the tools of the trade (IDA Pro, OllyDbg, Immunity Debugger, etc.) and want to go to the next level by automating tasks and writing small scripts or plugins

To take away

  • First immersion in the area of reversing automation.

  • How to use Python to automate some tedious tasks

  • Lots of scripts and plugins to take home and play!

  • Geeky fun!

Requirements

  • Some knowledge in binary reversing on Windows

  • Basic x86 assembly knowledge would be very helpful

  • First exposure to tools like IDA Pro or a debugger (Olly is cool, Immunity Debugger would be better)

  • Basic knowledge of the Python language

  • A certain "nerdiness".

Speakers
Carlos G. Prado

I'm a particle physicist recycled into the IT security field. Originally from Spain but living in Germany, I'm frequently tortured by the rainy, cold weather and therefore forced to wear funny hats and drink traditional warming beverages. My main interests are reverse engineering...


Friday September 27, 2013 3:30pm - 5:30pm CEST
3 Orval Novotel Ghent

3:30pm CEST

DJ Workshop
Check out the DJ Workshop area (see venue plan). Our house DJs will take the time to teach you everything from scratching to dropping the bass. Based on their combined experience of bringing huge crowds to ecstatic heights, they will make you familiar with the science behind DJ'ing and provide you a hands-on workshop that will leave your brain entranced and your eardrums buzzing.


Friday September 27, 2013 3:30pm - 5:30pm CEST
0 Lounge - Other Aula Ghent

3:30pm CEST

Foundational Packetry: Using the internet on god mode (@undeadsecurity, @blackswanburst)

So you're a network wizard, and all your packets are urgent. You nmap, and wireshark, and you're good at it. At parties people ask to see your packet tricks, and challenge you to duels.

This is a workshop/challenge born over a beer wager between two such gentlemen of networks: chaps with finely groomed facial hair and an understanding of Braess' paradox applied to routing tables.

And what better place to settle that challenge over beer, than Brucon?

The challenge was simple, yet worthy:
Can you associate with wireless, get an IP address, set your DNS server, resolve a URL, and do an HTTP request using only SCAPY? In other words, BE THE OS at the network layer.

They didn't do it because it was cool, and they didn't do it because it was sexy (cause let's face it, it's neither). They did it to re-learn the foundations of networking and packetry. They did it to embrace the task that gives birth to deep understanding. They did it because they admire the people of the IETF who bootstrapped the internet primarily by writing and responding to text files.

Now you too, can quote RFCs. You too, can improve your SCAPY skills in a single day. You too, can make obscure packet jokes.

More importantly, this workshop will test you on things you *think* you know. The gentlemen in question thought they were pen-test badasses, until they humbled themselves on the foundations of networking.

Are you ready to school these two legendary gentlemen on what they think they already know?

This will be half workshop, half personal challenge. The two hosts were born out of the hacker spaces, where everyone is a teacher and everyone is a student. This is simply a continuation of that ethos.

Requirements:


Speakers
Eireann Leverett (@blackswanburst)

Eireann Leverett hates writing bios in the third person. He once placed second in an Eireann Leverett impersonation contest. He likes teaching the basics, and learning the obscure. He is sometimes jealous of his own beard for being more famous than he is.
Matt Erasmus (@undeadsecurity)

Matt isn't very good at writing bios. He works outside of information security but dabbles in packets, malware and other such shenanigans when the urge strikes him. Mostly during winter, when it's colder than a penguin's nipple outside.


Friday September 27, 2013 3:30pm - 5:30pm CEST
5 La Trappe Novotel Ghent

3:30pm CEST

Winter Cluster : Build a malware agglomerator (Michael Sikorski, Willi Ballenthin)

Millions of new malware samples are identified each week, but most are simply variants of well-known families. Finding a means to automatically group these families enables researchers to focus their time on the truly interesting samples. Machine learning clustering algorithms are perfect for this task. WINTER CLUSTER is a four hour, hands-on workshop that introduces machine learning and malware analysis. Students will build a foundation on these topics and create an interactive malware clustering tool from scratch. After the conference, attendees can immediately integrate “the Agglomerator” into their real-world or R&D environments.

The first hour of the workshop provides the students with a taste of machine learning. WINTER CLUSTER covers both classification and clustering algorithms, but focuses on the intuition behind each approach. In the first lab session, students work with an industrial-grade machine learning toolkit to rapidly triage a large dataset and identify threats.

The second hour of the workshop has students dive into malware analysis. WINTER CLUSTER presents common techniques for static and dynamic analysis. Throughout this session, the authors place an emphasis on identifying features appropriate for machine learning algorithms. In this session, students dissect real malware and manually identify similarities among the samples.

After a break, the third and fourth hours of the workshop take the newly formed expertise and apply it to the problem: "How can we handle a firehose of malware?" Students build an automated malware clustering tool that discovers relationships among samples. As they identify and extract robust features, the tool agglomerates binaries into families. WINTER CLUSTER concludes by exploring how attendees can implement a similar system in their research or professional environment.

Attendees of the workshop are encouraged to bring a laptop with VMware in order to participate in the labs. The speakers will provide a virtual machine with all required software and frameworks.

Speakers
Willi Ballenthin

Willi Ballenthin is a Consultant with Mandiant who can usually be found responding to breaches. Although he has experience in a variety of forensic settings, Willi enjoys reconstructing intrusions from initial exploit to long-term persistence. At Mandiant, Willi identifies vectors...
Michael Sikorski

Michael Sikorski is a well-known expert in malware analysis. He is a Technical Director at Mandiant and a member of the Mandiant Labs (M-Labs) leadership team. He leads the M-Labs malware analysis team through reverse engineering malware as a primary analyst and manages the overall...


Friday September 27, 2013 3:30pm - 5:30pm CEST
4 Chimay Novotel Ghent

4:30pm CEST

Geolocation of GSM Mobile devices, even if they do not want to be found. (David Perez, Jose Pico)

Geolocation of mobile devices (MS) by the network has always been considered of interest, for example, to locate people in distress calling an emergency number, and so the GSM standard provides different location services (LCS), some network-based, and some MS-based or MS-assisted.

OK, but what if a third party, without access to the network, was interested in knowing the exact position of a particular MS? Could he or she locate it?

In this presentation we will show that this is indeed possible, even if the MS does not want to be found, meaning that the device has all its location services deactivated. We will demonstrate a system we designed and built for this purpose, that can be operated in any standard vehicle, and which can pinpoint the exact location of any target MS in a radius of approximately 2 kilometers around the vehicle.

Yet, the main focus of the presentation will not so much be the system itself as it will be the process we followed for its design and implementation. We will describe in detail the many technical difficulties that we encountered along the way and how we tackled them.

We believe this can be useful for people embarking on similar research projects.

Obviously, a system like this cannot be demonstrated live in the room (it would be quite illegal), but we will show videos of the different consoles of the system, operating in different environments.

Speakers
David Perez

David Perez is founder and security analyst with Taddong. David has more than 10 years of experience in delivering advanced security services to clients in all market sectors, conducting security research projects and teaching courses on security. He is the author of various technical...
Jose Pico

Jose Pico is founder and security analyst with Taddong. He has 14 years of experience working for multinational companies, where he touched almost every aspect of IT technologies. In the last few years he has focused on the security field, and in 2010 he co-founded Taddong, where...


Friday September 27, 2013 4:30pm - 5:30pm CEST
1 Westvleteren Aula Ghent

4:30pm CEST

ACDC information sharing workshop (Ulrich Seldeslachts)
ACDC information sharing workshop, introducing STIX and the centralized clearinghouse, and introducing the Belgian support centre.

Join the ACDC information sharing workshop Friday September 27th noon. Learn why information sharing is important, what its business and security benefits are, and how it can be done. Vulnerabilities and threats can be discovered in your network with a series of tools and technologies, with more and less experienced persons knowing what to look for. But do you always know what it means? Can you differentiate the major threats from merely suspicious behaviour?

Information Sharing members receive trusted and timely expert information that increases sector-wide knowledge of physical and cyber security threats. Based on level of service, Information Sharing members take advantage of a host of important benefits, including early notification of security threats and attacks, anonymous information sharing across the financial services industry, regularly scheduled member meetings, and conference calls. When attacks occur, early warning and expert advice can mean the difference between business continuity and widespread business catastrophe. Members of the Information Services information sharing and analysis networks can receive timely notification and authoritative information specifically designed to help protect critical systems and assets from physical and cyber security threats.

In this workshop, the purpose is to better understand the requirements and needs of the parties interested in information sharing, and to help define the joint level of detail and the tools required for information sharing. We will provide guidance on the outputs generated by, and the inputs to, the clearinghouse system. The team will also introduce some of the activities of the Belgian support centre.


Friday September 27, 2013 4:30pm - 5:30pm CEST
2 Westmalle Aula Ghent

5:30pm CEST

Closing (Seba, Wim)
Friday September 27, 2013 5:30pm - 5:40pm CEST
1 Westvleteren Aula Ghent