From Hack.lu 2009
List of the Talks that will be held at hack.lu 2009
Keynote: Politically motivated Denial of Service attacks
The rapid growth of the Internet has been mirrored by a growing number of packet flooding attacks around the world coupled to political motivations. Estonia, Georgia, CNN, the Ukraine, and many other targets have been seen in this sphere in the past few years, and have been going on for nearly a decade. This talk explores the world of DDoS attacks and their growing role as an online political weapon. It also covers how Arbor Networks measured the Estonia and Georgia attacks, how other attacks are measured, and what these attacks mean for the Internet at large.
Bio of Dr. Jose Nazario
Dr. Jose Nazario is Manager of Security Research at Arbor Networks. In this capacity, he is responsible for analyzing burgeoning Internet security threats, reverse engineering malicious code, software development, and developing security mechanisms that are then distributed to Arbor's Peakflow platforms via the Active Threat Feed (ATF) threat detection service. Dr. Nazario's research interests include large-scale Internet trends such as reachability and topology measurement, Internet-scale events such as DDoS attacks, botnets and worms, source code analysis tools, and data mining. He is the author of the books "Defense and Detection Strategies against Internet Worms" and "Secure Architectures with OpenBSD." He earned a Ph.D. in biochemistry from Case Western Reserve University in 2002. Prior to joining Arbor Networks, he was an independent security consultant. Dr. Nazario regularly speaks at conferences worldwide, with past presentations at CanSecWest, PacSec, Blackhat, and NANOG. He also maintains WormBlog.com, a site devoted to studying worm detection and defense research.
New advances in Office Malware analysis
Today's malware spreads mainly by exploiting browser bugs or 3rd party plugins like Flash, PDF and so forth. Furthermore, mails with malicious attachments are being spread into people's inboxes. These attachments are usually PDFs or MS Office documents. While there are a bunch of PDF analysis tools available today, there are none for the MS Office formats like PowerPoint, Excel or Word. This talk will cover current ways of analyzing such documents and will introduce a new forensic tool suite called OfficeMalScanner. We will discuss all the technical approaches of this tool, and I will show a practical session as well, to demonstrate its usage in detail.
Bio of Frank Boldewin
Frank Boldewin is a reverse engineer from Germany with long experience in security & malware research. By day he works as a security analyst for a large German datacenter in the finance field. His private interests are mainly focused on malware analysis, and he loves everything that belongs to assembly, anti-/debugging and system programming. On his site, www.reconstructer.org, he frequently posts papers, video tutorials and tools regarding this research field.
It is 2009 and the underground cyber economy is flourishing. Spam has become a lucrative business, writing exploits fetches real money, financial fraud is on the rise and the worms are loose. Although this is nothing compared to the financial blunders that led to the current recession, it is interesting to know how all the pieces fit together. We've known about classic web hacking, exploiting binaries, shellcode, abusing protocols and tricking users.
This talk explores how each vulnerability plays a key part in making the larger system come together - attack patterns of tomorrow, the objectives, motives and where all the pieces of the puzzle fit together. How do individual SQL Injection, Browser exploits, PDF bugs, XSS, etc fit together? What have we learned from the past, and what are the core design issues in HTTP, HTML, Browsers and application programming that make for mass ownership opportunities? In our quest for mashups and Web 2.0, have we compromised on fundamental security principles?
Last year, I talked about some of the core problems that plagued browsers. This year, the talk goes beyond just browsers and looks at examples of mass ownage, new infection vectors, advanced client-side exploitation, malicious payloads, browser infection with toolbars and more. Everything is assembled before your very eyes! And as a bonus, I will demonstrate some of my own attempts at defeating Web Application Firewalls and Browser Firewalls (yes, there is such a creature called a Browser Firewall).
Bio of Saumil Shah
Saumil continues to lead the efforts in security research at Net-Square. Saumil has had more than ten years of experience with system administration, network architecture, integrating heterogeneous platforms, and information security, and has performed numerous ethical hacking exercises for many significant companies in the IT area. Saumil has been a regular speaker and trainer at conferences such as Blackhat, RSA, Hack-in-the-Box, IT Underground, CanSecWest, EUSecWest, Hack.LU, etc.
Previously, Saumil held the position of Director of Indian operations at Foundstone Inc. and a senior consultant with Ernst & Young. Saumil has also worked at the Indian Institute of Management, Ahmedabad, as a research assistant.
Saumil graduated from Purdue University with a master's degree in computer science and a strong research background in operating systems, networking, information security, and cryptography. He got his undergraduate degree in computer engineering from Gujarat University, India. Saumil has authored "Web Hacking: Attacks and Defense" (Addison Wesley, 2002) and "The Anti-Virus Book" (Tata McGraw-Hill, 1996).
Papers published:
- Facts and findings from the Honeynet project
- Architectural vulnerabilities in Java application servers
- One-way Web Hacking
- HTTP Fingerprinting and advanced assessment techniques
- Defeating automated web assessment
- Spyware and adware, the quest for the consumer desktop
- Web 2.0 Application Security
Sniff Keystrokes With Lasers/Voltmeters - Side Channel Attacks
TEMPEST attacks, exploiting electromagnetic emissions in order to gather data, are often mentioned by the security community, movies and wanna-be spies (or NSA employees, we guess...).
While some expensive attacks, especially the ones against CRT/LCD monitors, have been fully researched and described, some others remain relatively unknown and haven't been fully (publicly) researched.
Following the overwhelming success of the SatNav Traffic Channel hijacking talk we continue with the tradition of presenting cool and cheap hardware hacking projects.
We will explore two unconventional approaches for remotely sniffing keystrokes on laptops and desktop computers using mechanical energy emissions and powerline leakage. The only thing you need for successful attacks are either the electrical grid or a distant line of sight, no expensive piece of equipment is required.
We will show in detail the two attacks and all the necessary instructions for setting up the equipment. As usual cool gear and videos are going to be featured in order to maximize the presentation.
Bio of Daniele Bianco and Andrea Barisani
Andrea Barisani is a security researcher and consultant. His professional career began 8 years ago, but it all really started when a Commodore-64 first arrived in his home when he was 10. Now, 17 years later, Andrea is having fun with large-scale IDS/Firewall deployment and administration, forensic analysis, vulnerability assessment, penetration testing, security training and his Open Source projects. He eventually found that system and security administration are the only effective way to express his need for paranoia.
Being an active member of the international Open Source and security community, he's maintainer/author of the tenshi and ftester projects as well as the founder and project coordinator of the oCERT effort, the Open Source Computer Emergency Response Team.
He has been involved in the Gentoo project, being a member of the Gentoo Security and Infrastructure Teams, and the Open Source Security Testing Methodology Manual, becoming an ISECOM Core Team member. Outside the community he has been a security consultant for Italian firms and he's now the co-founder and Chief Security Engineer of Inverse Path Ltd.
He has been a speaker and trainer at PacSec, CanSecWest, BlackHat and DefCon conferences among many others, speaking about SatNav hacking, 0-days, LDAP and other pretty things.
Daniele Bianco is a system administrator and IT consultant. He began his professional career as a system administrator during his early years at university. His interest for centralized management and software integration in Open Source environments has focused his work on design and development of suitable R&D infrastructure.
For the time being Daniele is working as a consultant for Italian astrophysics research institutes, involving support for the design, development and the administration of IT infrastructure.
One of his hobbies has always been playing with hardware, and recently he has been focusing his attention on in-car wireless and navigation systems. He's the resident Hardware Hacker for international consultancy Inverse Path Ltd.
Daniele holds a Bachelor's degree in physics from University of Trieste.
Some Tricks For Defeating SSL In Practice
This talk will cover some past and present vulnerabilities in SSL/TLS implementations as well as some problems with the way that SSL/TLS is deployed on the web. It will also demonstrate some tools that can be used to exploit these vulnerabilities, which ultimately prove deadly in practice.
Bio Moxie Marlinspike
Moxie Marlinspike is a fellow at the Institute For Disruptive Studies, a radical think tank for hackers and co-conspirators who seek to operate outside of both the professional sphere as well as academia.
PDF- Penetration Document Format
This presentation will mainly focus on 2 aspects of the malicious PDF problem.
1) Analyzing malicious PDF documents. Disassembling malicious PDF documents with standard PDF tools has an inherent risk: the tools could contain the same vulnerabilities that the very PDF document we are analyzing exploits in Adobe Acrobat, thus exposing the virus lab to an infection risk. That's why special tools (PDFiD and pdf-parser) were developed to mitigate this risk. Live demos will illustrate these tools.
2) How to protect PCs against infection by malicious PDF documents. Although opening a malicious PDF document with a vulnerable PDF reader is the main avenue of infection, there are also avenues that require less user interaction. The protection techniques presented have the added bonus that they not only protect against malicious PDF documents, but against other types of malicious office documents too.
And finally, to revive an old security conference custom, a PDF vulnerability will be disclosed which affects not only PDF documents, but other types of documents too...
Bio Didier Stevens
Didier Stevens is an IT Security professional specializing in application security and malware. Inspired by Eric Filiol, Didier has researched the PDF language and revealed obscure PDF-language and PDF-reader features that malware authors use in their exploits. Didier works for Contraste Europe NV. All his software tools are open source.
Fuzzgrind: An automatic fuzzing tool
Fuzzing is a testing technique that provides invalid, unexpected, or random data to the inputs of a program. Despite being extremely powerful, fuzzing has many drawbacks, the most important one being the time required to develop fuzzers. In the case of model-description-based fuzzing, writing the model is a never-ending process: protocol specifications must be analysed, or reversed if unavailable, etc. Moreover, different fuzzers must be developed for each new target.
Fuzzgrind is a fully automatic fuzzing tool, generating test files with the purpose of discovering new execution paths likely to trigger bugs, and potentially vulnerabilities. Fuzzgrind is based on the concept of symbolic execution. Thus, the tool starts from a file considered valid by the software under test, and analyses the execution path to extract any constraints tied to branch instructions followed by this software. By resolving constraints one by one, Fuzzgrind will alter the valid file to explore possible new branches of the software under test, in order to discover new vulnerabilities.
Fuzzgrind is based on two free software programs: Valgrind, a dynamic binary instrumentation framework; and STP, a fast constraint solver. A plug-in has been developed for Valgrind which tracks path conditions tied to the input file while the tested software is being executed. STP solves each encountered constraint to generate new test files that will explore new execution paths on future executions. This technique seems particularly effective, especially since it is sufficient to provide a valid file and the target software, and let Fuzzgrind begin to search for bugs automatically. Some vulnerabilities have been discovered or rediscovered in small Unix tools and libraries.
Bio Gabriel Campana
Gabriel Campana is a security researcher working at Sogeti ESEC R&D labs. His research interests are mainly focused on vulnerability research, exploitation methods, and Linux kernel security. Lately he has been working on automated vulnerability research, especially fuzzing. In his spare time, he plays with embedded network devices.
Perseus: A Coding Theory-based Firefox Plug-in to Counter Botnet Activity
Most of the activity of botnets is based on listening to and analysing the HTTP stream to retrieve and collect sensitive data (email addresses, login/password, credit card numbers ...). This is possible because the HTTP protocol does not protect the contents of transmitted packets. The use of encryption, besides the fact that it would lead to severe constraints (encryption time, key management ...), poses problems in legal terms, especially for transnational flows with respect to the different national regulations. How can one protect against this flow being listened to by botnets while still allowing the action of States in the field of the surveillance of communications? The project we are developing aims to provide an operational response to this problem. The solution is materialized in the form of a Firefox plug-in, developed under the triple GPL / LGPL / MPL licence and meeting the specifications of Mozilla development, allowing for possible incorporation into the code of Firefox. The principle put into practice has been validated mathematically between 1997 and 2007 in two theses of the Ecole Polytechnique (E. Filiol's thesis in 2001; J. Barbier's thesis in 2007). The idea is to encode the data exchanged (packet payloads) with punctured convolutional codes (used in telecommunications for their very high encoding speed). After encoding and before transmission, the flow is artificially noised according to a noise parameter P, defined before the transmission. Alice wants to communicate with Bob. As a first step, the parameters of the encoder are generated randomly (polynomials and constraint length, rate, puncturing matrix, noise setting ...) and a short HTTPS session allows them to be communicated to Bob (this amounts to less than 256 bytes). The HTTP stream is then encoded using this encoder, and Bob decodes it via the Viterbi algorithm.
On the botnet agent side, analysis of the HTTP stream must pass through a systematic preliminary phase of decoding, but since the encoder is changed for each transmission, the botnet client must first rebuild the unknown encoder, which is computationally infeasible without heavy resources which, moreover, would betray the presence of the botnet client on the infected host. The time required for that reconstruction becomes prohibitive. In addition, only a non-punctured equivalent encoder can be recovered (established theoretical results which have been experimentally validated). While reconstruction is infeasible in practice for a typical botnet client, it is still easily possible for a State service with classical computing power. The various implementations show that this encoding / decoding layer is transparent to the user and does not degrade performance.
Bio Eric Filiol, Eddy Deligne
Eric Filiol is the head of the Operational Cryptology and Virology laboratory at ESIEA, a French engineering school in Computer Science, Electronics and Control Science. He has spent 21 years in the French Army, mainly as an ICT security expert (cryptanalysis, computer virology). He holds an Engineer diploma in Cryptology, a PhD in applied mathematics and computer science and a Habilitation Thesis in Computer Science. His main research interests are symmetric cryptosystem analysis (especially from a combinatorial point of view), computer virology (theoretical and experimental study of new forms of malware and anti-malware technologies), and computer warfare techniques. He is also the Scientific Director of the European Institute for Computer Antivirus Research (EICAR) in Germany and the Editor-in-chief of the Journal in Computer Virology. He likes playing bass guitar (jazz), running (marathon and half marathon) and good wine/food.
Eddy Deligne is a PhD student at the Operational Cryptology and Virology at ESIEA. He recently obtained his MSc in computer security. His PhD thesis deals with the theoretical and practical aspects of active auditing and pentesting.
Keynote: Analyzing Word and Excel Encryption
Microsoft Word and Excel applications use RC4 encryption with a 128-bit secret key for confidentiality purposes (up to Office 2003, or equivalently up to version 11). RC4 encryption is considered strongly secure, and the user's confidence relies on this alleged security. Unfortunately, the RC4-based encryption implemented in Word and Excel (up to Office 2003) is very weak. Starting from a previous theoretical attack published in 2005, we present in our paper an operational cryptanalysis of this encryption by combining pure cryptanalytic techniques and forensic techniques. With a probability of success greater than 90%, we are able to recover the complete plaintext for both Word and Excel. The time complexity of the attack is linear in the size of the Word or Excel document. From a practical point of view, it is therefore possible to bypass RC4 encryption in this context within a few minutes of computing time.
Exploiting Delphi/Object Pascal
This presentation is about exploiting applications written in the Delphi language. The whole research behind it just started out as a fun little project, since I wanted to know what was possible and what wasn't. I did some googling around, but couldn't really find any decent answer anywhere, so I ended up investigating myself. I'll present a comparison with the C (and some C++) programming languages, show how Delphi is vulnerable to overflows (stack, heap) and give examples, show some interesting language issues (int rules, corner cases in API usage, ...), say a thing or two about code auditing of Delphi code, and cover some possible mitigations in the Delphi compiler.
Bio Ilja van Sprundel
When E.T. comes into Windows Mobile 6...
Mobile devices are omnipresent in our lives in various forms: GPS, mobile phones, PDAs, etc. The Smartphone is the convergence of most of them. There are many embedded operating systems on the mobile market. Windows Mobile, developed by Microsoft, is quite a popular one. Consequently, it appears essential to analyse how Microsoft's mobile operating system works to understand risks and threats, and to anticipate methods that could be used to attack a device and keep a door open for the attacker without the user knowing it.
Mechanisms for the Desktop version of Windows that may compromise the system or install backdoors are publicly available and have been well known for several years. The embedded O.S. seems very similar on the surface, since most APIs that exist in Windows Desktop versions are also present in Microsoft's embedded system. This makes it easier to adapt software from the Desktop world. However, the layers underneath are very different. This may be the main reason why attackers have not yet moved to the embedded world. The hardware architecture underneath is ARM, which is RISC-based (Reduced Instruction Set Computer), as opposed to the x86 used on PCs. The constraints of the embedded world have made memory management work very differently internally than in the PC world. System calls are also implemented in a different manner.
In order to understand the risks, several points should be analysed. The different services on a Smartphone need to be well understood (Phone, SMS, GPS, SD-card, etc). The network environment must be considered closely in order to list all the possible attack vectors (phone, Bluetooth, WLAN, ActiveSync, etc). The system's internal mechanisms will be explained. This will allow us to understand how the system may be compromised (keylogger, SMS interception, rootkits, ransomware, etc). The security mechanisms implemented by Microsoft will be analysed with respect to the risks.
In addition, more and more antivirus companies propose solutions to protect devices, so it is only logical to want to know what they really protect against. We will give details on the stealth mechanisms, remote control capabilities, ways to make the rootkit persistent, and services that a malicious hacker could use on Windows Mobile devices. This talk will focus on the services that an attacker could potentially control for malicious purposes and the different rootkit methods that may be used to hide these actions from the phone's user.
Bio Cedric Halbronn
Cedric Halbronn is a security researcher working at Sogeti ESEC R&D lab. He has a background in telecom engineering and security. Nowadays, his research is mainly focused on smartphone security and the services offered by the network operators - more generally on mobile security.
malicious PDF origamis strike back
Most people believe the PDF file format is safe because it looks like a static image. Lately, PDF readers like Acrobat or Foxit have been targeted by severe flaws allowing a remote attacker to execute arbitrary code on the remote system. However, PDF readers are not only prone to code-based attacks. The PDF language itself may lead to insecurity. In our previous research, we explained how to build a virus in a PDF document, or how to manage a targeted attack, mainly based on native features of the PDF language. The first part of the talk will summarize these results in order to keep in mind how dynamic a PDF file can be. Then, we will show how complex Acrobat Reader is, detailing some of its internal mechanisms and their weaknesses. Next, we will deal with "PDF forensics": what to do when receiving a weird PDF file, and how to extract pieces of information. Last, we will show 2 new attacks leading to credential leaks.
Bio Guillaume Delugré, Fred Raynal, Damien Aumaitre
Frédéric Raynal is head of the Software Security Research and Development team at Sogeti. He is also the Chief Editor of the first French magazine dealing with computer and information security (MISC). He was previously co-head of a similar team at the Common Research Center (CRC) of EADS and head of the Organisation Committee of SSTIC. He worked on information hiding and cryptography to defend his PhD. Now, he deals with (in)secure programming, security of operating systems, information warfare.
Guillaume Delugré is a French student in computer engineering. He is mostly interested in reverse engineering, malware analysis, vulnerability research, and anything related with IT security.
Damien Aumaitre has been working at the Software Security Research and Development team at Sogeti for 3 years. He has been working on low-level PCI and FireWire, and Windows kernel internals.
IpMorph: Unification of OS fingerprinting defeating
There currently exist tons of IP stack fingerprinting tools that allow one to identify the remote OS of potential targets with relative ease. In this talk, we will show that confusing or fooling remote OS FingerPrinting (OSFP) tools is possible in a universal way. To demonstrate, we created IpMorph, which is a userland TCP/IP stack in charge of monitoring sessions and modifying packets on the fly to fool remote fingerprinting tools. We will detail its behaviour and algorithms against tools such as Nmap, Ring and SinFP. It's capable of fooling the active as well as the passive mode of OSFP tools. Our goal is to unify all the different signature formats inside a single database of "personalities". The configuration of IpMorph (its attributes as well as its algorithms) is done according to those personalities. We will present the concepts and architecture behind IpMorph, and detail some of the technical challenges encountered: the difficulty of reversing certain signature information or of respecting some temporal constraints, all the while trying to guarantee transparency and discretion. We think this material is innovative, as no one has tried to determine what really defines a TCP/IP stack, which is what we're trying to do by unifying all signatures into personalities. Our work has already allowed us to find a bug in Nmap, raised issues with the relevance of some tests in SinFP, and allowed us to better understand what makes a TCP/IP stack unique, and what constitutes efficient OSFP techniques.
Bio Guillaume Prigent, Florian Vichot
Guillaume Prigent is a computer security research engineer, and has worked in the field of security simulation for the last 10 years. He began as a research engineer in 1999 at CERV, the European Centre for Virtual Reality in Brest, where he developed the concepts of hybrid simulation for the DGA/Celar. He now is the R&D CTO of his own company, Diateam, founded in 2002, where he works on the open source Hynesim project. He also gives talks and classes in many engineering schools of the Brest region (ENIB, ENSIETA, ESM Saint-Cyr).
Florian Vichot graduated from ENIB in 2008, and is now a Diateam employee and the lead developer on the Hynesim project (http://www.hynesim.org).
Peeking into Pandora's Bochs - instrumenting a full system emulator to analyse malicious software
Today, malicious software (malware) poses a major threat to computer systems. Oftentimes, malware is runtime-packed (or -encrypted) to evade signature-based malware detectors and to make the actual malicious code inaccessible to static analysis methods. It is also common for the runtime unpacking (or decryptor) stubs to employ anti-debugging techniques to prevent dynamic analysis and manual unpacking by human analysts. Pandora's Bochs was originally developed as a tool to unpack runtime-packed binaries. The open source PC emulator Bochs's instrumentation facilities were extended with a Python interface and a set of Python routines was created to monitor an unmodified Windows XP guest system. It can identify and instrument individual processes, trace memory writes and branches, and dump process memory when a modified memory region is executed. This method works well against common runtime-packers. As Pandora's Bochs does not rely on debugging facilities provided by the guest system, it is largely unaffected by common anti-debugging techniques. Since its inception as an automated unpacker, Pandora's Bochs was extended to also monitor calls to the Windows API and their arguments. The presentation will focus on the technical aspects of Pandora's Bochs. It will give a brief overview of typical runtime packer or executable protector behaviour, about Bochs's instrumentation facilities and the Python interface that was created. It will detail the techniques used to obtain information about guest operating system and process states, how processes are monitored and unpacked, and how API call tracing is implemented. Like Bochs, Pandora's Bochs is open source software.
Bio Lutz Böhne
Lutz Böhne studied Computer Science at RWTH Aachen University where he graduated in 2008. He is currently working as a penetration tester for RedTeam Pentesting GmbH. RedTeam Pentesting is a company specialised in penetration tests. Members of RedTeam Pentesting have spoken on various security conferences on different topics, including hack.lu 2006, 2007 and 2008. More information about RedTeam Pentesting can be found at http://www.redteam-pentesting.de.
Challenge of Windows physical memory acquisition and exploitation
In 2008, companies' and governments' interest in Microsoft Windows physical memory grew significantly. Acquisition was one of these challenges. The author will present a free and open-source tool he created, called win32dd, to acquire Windows physical memory in various formats. Moreover, he will show how interoperability between existing formats can help incident response engineers and investigators improve their results in the information extraction process through existing free tools like the Microsoft Windows Debugger.
Bio Matt Suiche
Matthieu Suiche is a security researcher working at the Nederlands Forensisch Instituut. Matthieu is mainly known for his work on reverse code engineering and volatile memory forensics. He has been a speaker at various security conferences such as PacSec, BH USA and law enforcement meetings like the EUROPOL High Tech Crime Meeting or ENFSI. His previous work includes Windows hibernation file documentation. He is reachable through his website at http://www.msuiche.net
HostileWRT: Fully-Automated Wireless Security Audit Platform on Embedded Hardware
Computer and network security professionals are confronted on a daily basis with the issues of testing the reality of perceived problems and suggesting fixes with high applicability potential. Such issues are particularly difficult in wireless environments, since the measures are not of a binary nature but depend on the capacity to effectively detect WiFi networks, access points and other radio equipment. There is always the chance of missing a radio equipment or not having good and accurate measurements. We propose in this paper to automate several critical parts of the wireless network security audit using pervasive and inexpensive platforms, and thus to free more time to focus on the applicability of the fix, and even the verification of the application of the fix. HostileWRT aims at automating scanning and cracking in wireless environments and improving results using different behaviours depending on the goal of the auditor. By using a hostile approach, we want to prove that it's not possible to fully audit a wireless environment without taking into account the several different kinds of vulnerabilities that affect both the infrastructure and the end-users.
Bio Philippe Langlois, Eugene Parkinson
Founder of P1 Security and Senior Security Consultant for Telecom Security Task Force. Philippe Langlois has proven expertise in network security. He founded and led technical teams in several security companies (Qualys, WaveSecurity, INTRINsec) as well as security research teams (Solsoft, TSTF). He founded Qualys and led the world-leading vulnerability assessment service. He founded a pioneering network security company Intrinsec in 1995 in France, as well as Worldnet, France's first public Internet service provider, in 1993. Philippe was also lead designer for Payline, one of the first e-commerce payment gateways. He has written and translated security books, including some of the earliest references in the field of computer security, and has been giving speeches on network security since 1995 (RSA, COMDEX, Interop, HITB Dubai, Hack.lu). You can reach him through his website at: http://www.p1security.com
Implementation of K-ary Viruses in Python
Since the works of Fred Cohen and Leonard Adleman, which describe the viral payload (offensive routine) as not being one of a virus's defining features, the world of computer virology has evolved. Viruses are seen as evil by scientists and non-scientists alike, and this is why viruses have created a new aggressive and deceptive market, with a common word: money. Outside of this system, vxers have written beautiful programs which, once formalized, become even more interesting to study. In this paper, I wanted to come back to basic computer virology, with a virus that has a real ability to spread and that generates a new virus which is different each time, but with new mechanisms. Using Linux to build a virus isn't harebrained: any system may be contaminated, and Linux supplies interesting qualities that make propagation easier. Furthermore, using a scripting language such as Python can expand the possibilities of interaction with the various components of the system and its vicinity. k-ary codes are an idea of Eric Filiol, and are a new kind of virus. In this paper we have implemented a real one, which will be explained and detailed.
Bio Anthony Desnos
Anthony Desnos is currently a research engineer at ESIEA (SI&S team) in Paris, France. His research focuses on computer virology/security, and more particularly on new generations of stealth codes. He is involved in a number of open source security projects, including Sanson The Headman, Draugr and ERESI.
Some insights about the recent TCP DoS (Denial of Service) vulnerabilities
During the last four years, the United Kingdom's Centre for the Protection of National Infrastructure (CPNI) embarked on a project to perform a thorough security assessment of the TCP and IP protocols. The project did not limit itself to an analysis of the relevant IETF (Internet Engineering Task Force) specifications, but also included an analysis of common implementation strategies found in popular TCP and IP implementations. As strange as it may sound, this was the first thorough security assessment of the TCP and IP protocols and their common implementation strategies, and the first attempt to take much of the work and wisdom of the security community to the IETF and the vendor community.
During this period of time, a number of vulnerabilities in the TCP protocol were independently reported to some vendors and CSIRTs. During the cooperation process with the affected parties, Fernando Gont had a key role in providing advice to vendors on these vulnerabilities and the possible mitigation strategies.
Recently, these security issues were finally disclosed by some CSIRTs and some major vendors. However, the security bulletins did not provide much detail about the nature of the vulnerabilities or the possible mitigation strategies. As a result, the information that is currently available about these issues has mostly been "guesswork" by some security researchers, and due to the lack of "official" details about these issues it has been difficult to separate "fudge" from fact.
Fernando Gont will provide details about the nature of the aforementioned vulnerabilities, and will provide some insights about the possible mitigation strategies.
Bio Fernando Gont
Fernando Gont specializes in the field of communications protocol security, and has worked for both private and governmental organizations, both in Argentina and overseas.
Gont has worked on a number of projects for the UK National Infrastructure Security Coordination Centre (NISCC) and the UK Centre for the Protection of National Infrastructure (CPNI) in the field of communications protocols security. As part of his work for these organizations, he has written a series of documents with recommendations for network engineers and implementers of the TCP and the IP protocols.
He is currently working on the security assessment of communications protocols on behalf of the United Kingdom's Centre for the Protection of National Infrastructure. Additionally, he is a member of the Centro de Estudios de Informatica (CEDI) at Universidad Tecnológica Nacional/Facultad Regional Haedo (UTN/FRH) of Argentina, where he works in the field of Internet engineering. As part of his work in the field of Internet engineering, he is active in several working groups of the Internet Engineering Task Force (IETF), and has published a number of IETF Internet-Drafts and IETF RFCs.
Gont has been a speaker at a number of conferences and technical meetings about information security, operating systems, and Internet engineering, including: CanSecWest 2005, BSDCan 2005, BSDCan 2009, Midnight Sun Vulnerability and Security Workshop/Retreat 2005, FIRST Technical Colloquium 2005, JCC 2007, IETF 64, IETF 67, IETF 73, LACNIC X, LACNIC XI, LACNIC XII, and Kernel Conference Australia 2009.
Playing in a satellite environment 1.2
This presentation is a warning call to those responsible for the companies that use or provide data connections (especially the Internet) via satellite, proving some of the attacks that are possible in this environment. The presentation outline is:
- Insecurity in Satellite communications
- Malicious Active Attacks
- Getting an anonymous connection
- Conclusions
The attendees will learn how insecure satellite connections are and why they need a more secure platform for this environment, or how we must use secured protocols if we have hired this technology. Also, they will learn how these attacks can be made, including how to get an anonymous satellite connection. Previous satellite presentations exist, but they focused only on capturing feeds and a bit on sniffing data, treating this as a passive vulnerability.
Bio Christian Martorella
Christian Martorella has been working in the field of information security for the last 10 years, starting his career at the Argentina IRS as a security consultant; he is now leading a Security Services team at S21sec in Spain, where he performs penetration tests, web application assessments, security audits and forensic analysis for a wide range of industries including financial services, telecommunications, utilities and government. He is cofounder and an active member of the Edge-Security team, where security tools and research are released. He has been a speaker at What The Hack!, NoConName, FIST Conferences, OWASP Summit 2008 and OWASP Spain IV.
Christian has contributed open source assessment tools such as OWASP WebSlayer and Metagoofil. He likes everything related to Information Gathering and Penetration Testing. He currently holds the President position on the FIST Conferences board, and in the past taught Ethical Hacking at the Security Master of La Salle University. He is an advisor to the Source Conference Barcelona.