As part of our commitment to the information security community, SANS participates in a select number of industry events by providing speakers for short presentations as well as teaching pre-conference courses. Below is a list of courses and presentations available. If you would like to have SANS participate in your industry event, please contact us and include a detailed description of the event including demographics, number of expected attendees, topics being discussed, dates/location, and specify if you would like training or a presentation.
As much as we would like to, SANS will not be able to participate in all events requested. Please send your request as early in the planning process as possible. Events submitted less than 90 days before the start date will not be considered.
Presentations
The Bad Guys Are Winning: So Now What?
Author Ed Skoudis
With the continual release of zero-day exploits, ever-larger-scale botnets, and rampant spyware, attackers have compromised tens of millions of machines connected to the Internet. With clever attackers mixing social engineering, physical attacks, and phishing into their bag of tricks, their rate of successful penetration is both astounding and depressing. A central thesis of this talk is that a sufficiently determined (but not necessarily well-funded) attacker can compromise almost any organization with an Internet connection. The discussion will first analyze why this is so. We'll then look at the implications of such an environment for enterprises. How should information security priorities shift in light of this evolving threatscape and attack surface? What are the implications for system administrators, incident response teams, and even penetration testers? We'll also briefly look beyond the enterprise, and consider the military and national security issues associated with emerging threats and attacks.
Future Trends in Network Security
Author Eric Cole, Ph.D.
Malicious code and other attacks are increasing in intensity and the damage that they cause. With little time to react, organizations have to become more proactive in their security stance. Reactive security will no longer work. Therefore, organizations need to better understand what the future trends, risks, and threats are so that they can be better prepared to make their organizations as secure as possible. Dr. Cole's in-depth, cross-industry experience allows him to give relevant examples in every instance. This presentation covers security issues that are relevant to IT managers and administrators alike.
Geekonomics
Author David Rice
The security market is broken. Current statistics on cyber crime and cyber espionage tell an appalling tale of failure across the board, from government to private sector. Never before have we had so many tools and practices in cyber security and yet seen such insufficient results. When good, competent people appear to fail regularly, we know from epidemiology that "the people" are likely not the problem; the system is. This talk argues from first principles of economics and social psychology why the current approach to cyber security needs to change and how to change it.
Incorporating Advanced MitM Attacks in Your Penetration Testing Regimen
Author Bryce Galbraith
"All your layer are belong to us!"
What else can be done when traditional attack vectors like remote exploits and weak passwords fail? Start the report? No way! MitM attacks can open up systems that might otherwise be impregnable: systems with strong passwords, that are fully patched, that are protected by ACLs and employ other best practices. Inconceivable, right!? This presentation will cover how you can crack these tough nuts on your next penetration test by influencing layers 2-7 of the OSI Model. Bryce will discuss the tools and techniques needed to launch a wide variety of MitM-based attacks that leverage common scenarios found in most organizations today.
- Credential sniffing
- VoIP interception
- Command injection to bypass strong authentication (e.g. one-time passwords, DNA samples? Doesn't matter).
- Crypto attacks on SSL, SSH and even intercepting keystrokes from RDP sessions.
- Downgrade attacks on common authentication protocols (e.g. Windows network authentication)
- Web traffic manipulation and malicious code injection from trusted sites
- Side-channel attacks on web applications
- Strategic DoS attacks (e.g. syslog suppression, AAA bypass)
- Advanced wireless network attacks including a unique, completely mobile, wireless attack rig complete with Internet access!
Even if you don't plan to incorporate these attacks into your own testing regime, you need to be aware of what attackers can do to you while you are using the Net for fun and profit!
Social Zombies: Your Friends Want to Eat your Brains
Author Kevin Johnson
Kevin Johnson explores the various concerns related to malware delivery through social network sites. Ignoring the FUD and confusion being sowed today, this presentation will examine the risks and then present tools that can be used to exploit these issues.
This presentation begins by discussing how social networks work and the various privacy and security concerns that are caused by the trust mass that is social networks. We use this privacy confusion to exploit members and their companies during our penetration tests.
The presentation then discusses typical botnets and bot programs. Both the delivery of this malware through social networks and the use of these social networks as command and control channels will be examined.
Kevin will next explore the use of browser-based bots and their delivery through custom social network applications and content. This research expands upon previous work by researchers such as Wade Alcorn and GNUCitizen and takes it into new C&C directions.
Finally, the information available through the social network APIs is explored using the bot delivery applications. This allows for complete coverage of the targets and their information.
Software Security Street Fighting Style
Author Johannes Ullrich
It is tough to be a developer. As a developer, you have countless opportunities to make mistakes. You mess up once, and you lose. On the other hand, the attacker has to find only a single vulnerability to get fame and fortune. The only way to beat the attacker is simple and repeatable defensive techniques that work every time. Similar to a street fight, the Kung Fu of the attacker will not matter if you can land a quick kick to the groin or pull a gun. This talk will demonstrate some of these techniques as they apply to defensive coding for web applications. We will discuss why your Kung Fu will not matter and where Sun Tzu went wrong.
State of the Hack
Author Rob Lee
This "straight from the battlefield" presentation will provide case studies that describe in detail the most recent computer security incidents Mandiant has responded to on behalf of organizations. Three or four anonymous in-depth case studies will cover recent complex hacks against commercial, government, and financial organizations. The talk will go into how the intruders are gaining access, what they are doing, and the malware used in the attacks.
What's New for Security in Windows 7 and Server 2008-R2?
Author Jason Fossen
The Vista nightmare is finally over, but what's new for security in Windows 7 and Server 2008-R2 then? The aim of this talk is to give you a bird's eye view of the Win7 security enhancements to help you decide whether to upgrade or to grit your teeth and stick with XP for another ten years. Topics include BitLocker To Go for flash drives, AppLocker program whitelisting, IPSec DirectAccess, BranchCache, PowerShell 2.0, booting from VHD files, IE8 SmartScreen Filter, hyper-detailed logging, and the hated User Account Control prompt. Bring your questions and get it straight without the anti-Microsoft FUD or the pro-Microsoft propaganda!
Need a Speaker?
If you don't see a presentation that will fit your event, please send a speaker request to onsite@sans.org. Make sure to include the topics, date, location and event details.
