These videos are now available on Google Video.

For presentation materials please see the Packet Storm Mirror


Day 1

1.) KEYNOTE 1: Schneier on Security

Speaker: Bruce Schneier


Always interesting and entertaining, Bruce Schneier will talk about current topics in security, economics, and society.


2.) Security Engineering in Windows Vista
Speaker: Ian Hellen and Vishal Kumar


This paper will present a technical overview of the security engineering process behind Windows Vista. Windows Vista is the first end-to-end major OS release in the Trustworthy Computing era from Microsoft. Come see how we’ve listened to feedback from the security community and how we’ve changed the way we engineer our products as a result. The talk covers how the Vista engineering process differs from Windows XP, details from the largest commercial pentest in the world, and a sneak peek at some of the new mitigations in Vista that combat memory overwrite vulnerabilities. It includes behind-the-scenes details you will only hear from Microsoft!


3.) Playing with Botnets for fun and profit
Speaker: Thorsten Holz


Botnets are still a huge threat within the Internet. These networks of compromised machines can be used to carry out DDoS attacks, send spam, or serve other nefarious purposes. Since the time between a security advisory, the first proof-of-concept exploit, and automated utilization with the help of bots becomes shorter and shorter, this threat will presumably grow.


In this presentation, we will briefly present the background of bots & botnets, especially focusing on the latest trends. The main part will deal with some ways to play with a botnet: using nepenthes, we are able to automatically collect new malware. With the help of a sandbox, this malware can be quickly analyzed, focusing on extracting all important information about the botnet from the binary. This information can then be used to impersonate a legitimate bot and to join the botnet. Now the fun begins, since we are part of the botnet and can observe everything that is happening. There are other ways to play with a botnet, some of which are more grey than others. In the presentation, we will introduce these ways to give the audience some food for thought to develop their own techniques. Furthermore, we present in detail the results we have obtained during our work in the last months. Besides rather offensive results, we will also give some best practice recommendations to mitigate the risk posed by botnets.


4.) Taming Bugs: The Art and Science of Writing Secure Code

Speaker: Paul Boehm

Writing secure code isn’t just about avoiding bugs. If you give a thousand programmers the same task and the same tools, chances are a lot of the resulting programs will break on the same input. Programming is as much about people as it is about code and techniques. This talk will look deeper, beyond the common bug classes, and provide explanations for why programmers are prone to making certain mistakes. New strategies for taming common bug sources will be presented. Among these are TypedStrings for dealing with injection bugs (XSS, SQL, etc.) and Path Normalization to deal with path traversal.


5.) Application Intrusion Prevention Systems: A new approach to protecting your data

Speaker: Fabrice Marie

Intrusion detection systems have existed for the last 20 years, and trends have shifted from using HIDS to using NIDS. Unfortunately Host Intrusion Detection Systems can only see symptoms of intrusions on a single host or set of hosts if distributed, and Network Intrusion Detection Systems can only see symptoms of intrusions on network segments. Intrusion Prevention Systems are inline IDSes that attempt to prevent an attack IF and only IF it was detected in the first place.


Unfortunately today’s attacks target web applications and there is very little a NIDS or HIDS would catch of these, because they examine lower level protocols and symptoms. Among others, we will examine what would and what would not get caught with today’s IPSes. Moving forward, this presentation will propose a new approach to protecting your data from attackers: Application Intrusion Prevention Systems.


We will introduce important new concepts of Network-based Application Intrusion Prevention Systems (NAIPS) and Application-based Application Intrusion Prevention Systems (AAIPS), counterparts and complements respectively of HIPS and NIPS. We will look at existing technologies that can be used towards our goal, and put forward a few concrete and effective methods that could be used to perform application intrusion prevention. Finally, we will look at the advantages and limitations of each method.


6.) Attacking the IPV6 Protocol Suite
Speaker: Van Hauser


IPv6 is arriving slowly in Europe, but it is an important topic in Japan and South Korea, as IPv4 addresses are scarce. IPv6 will change the issues of security and hacking to a large degree. This speech will give a short introduction on the protocol differences, then show the vulnerabilities in the protocols and finally present the THC-IPV6 Attack Toolkit, which includes the tools for all vulnerabilities shown, as well as a very easy-to-use packet crafting library.


7.) Writing Metasploit Plugins - From Vulnerability to Exploit

Speaker: Saumil Shah

This talk shall focus on exploit development from vulnerabilities. We have seen many postings on security forums which vaguely describe a vulnerability, or sometimes provide a “proof-of-concept” exploit. The Metasploit Framework is a powerful tool to assist in the process of vulnerability testing and exploit development. The framework can also be used as an engine to run exploits, with different payloads and post-exploitation mechanisms.


In this talk, we shall look at how we can construct exploits from published vulnerabilities, using facilities provided by the Metasploit Framework. A Unix and a Windows vulnerability example shall be covered. Next we shall demonstrate how to write this exploit as a Metasploit plug-in, so that it can be integrated into the Metasploit Framework. Participants shall get insights into discovery and verification of vulnerabilities, finding the entry points, gaining control of program flow, choices of shellcode and finally writing a working exploit for the vulnerability. Participants shall also get an overview of Metasploit’s internal modules and how to integrate custom exploits with the Metasploit Framework.


8.) X.805 Standard

Speaker: Ching Tim Meng


Network security should be designed around a strong and flexible security framework, coupled with appropriate security tools, standardized protocols and security infrastructure. Naturally, in a multivendor environment, no end-to-end security solution can be achieved without standards. The Bell Labs Security Model, which has been adopted by the International Telecommunication Union (ITU) as ITU-T X.805, uniquely identifies 72 key security areas that are evaluated by Lucent Worldwide Services security consultants to assess, plan and implement security solutions appropriate for the organisation’s business. The security framework was adopted by ISO on 1 February 2006 as part 2 of the International Standard ISO/IEC 18028. This presentation shall explore how this standard can help organisations secure their networks more effectively with a proven methodology.


9.) The world through the eyes of a signature developer
Speaker: Jonathan Limbo


As part of the Signature Development Team at Cisco Systems, Jonathan Limbo will present a ground-zero perspective, through the eyes of a signature developer, on exploit trends, attack vectors and evolving obfuscation techniques. He will also cover the challenges of network detection and the next step in mitigating these evolving threats.


10.) Client Honeypots - It’s Not Only The Network
Speaker: Michael Davis


The Client Honeypot is a new implementation of the classic honeypot concept. Honeypots create an environment that is unknown and monitored; therefore, all data entering the environment is suspect, as the environment should not receive any data. Honeypots have generally been targeted at researching and analyzing network and operating system level attacks. However, new attacks, such as phishing, have exploited vulnerabilities within client applications such as web browsers in order to increase propagation, perform identity theft, fraud, or general mayhem.


Client honeypots are being developed to meet the needs of the research community. The community needs a set of tools to help analyze what sources of information are disseminating these threats, what the threats do, and ultimately devise ways to protect users from these threats. The initial implementation of the client honeypot focuses on providing data for use in analysis, not on automated analysis of the data.


A Client Honeypot is a collection of applications that collectively help researchers and end users determine where threats are coming from, by actively searching or scraping the Internet, what those threats exploit to install themselves on the target system, and what information the malware collects. Information such as what files, registry keys, or sockets are accessed or created, in addition to lower level information such as what sites the malware communicates with and how the malware functions can also be obtained.


11.) Triple Play; Triple Threat? — IPTV Security

Speaker: Yen-Ming Chen


The Triple-play strategy (Data, Voice and Video) is set to enable Telecoms to increase their Average Revenue per Unit (ARPU) and revolutionize current home entertainment. IPTV-generated revenue is expected to have 102% CAGR from 2004 to 2010. While security issues in the Data and Voice parts of the Triple-Play strategy have been examined in detail, not much has been done in the IPTV field. In this presentation, we will look at IPTV’s advantages in business, its architecture, threats and some of the vulnerabilities that have been seen in the field. The IPTV architecture comprises the Content Source, Head-End, Delivery and Management network and Consumer Home network. Current security threats (malicious attackers, worms or disasters) could stop Telecoms from making a profit or even cause them to lose money. The presentation will present some real-life weaknesses and vulnerabilities and provide countermeasures for Telecoms.


12.) Firefox Security

Speaker: Window Snyder


Window Snyder will be presenting a look at the new security features in the next release of Mozilla’s Firefox web browser. In addition, Ms. Snyder will also be bringing down the latest release candidate for distribution to the conference attendees!


13.) Pentesting Java/J2EE - Discovering Remote Holes

Speaker: Marc Schoenefeld


Java/J2EE is a widely used industry standard for business applications. Although it was designed with security in mind, flaws in the J2EE framework implementation may lead to holes in the J2EE protection model. This is especially a problem when remote attackers are allowed to influence control flow on the server. This talk addresses the root causes of this problem, such as flaws in the underlying JRE. Demonstrating these bugs aims to educate system and application developers in coding their own classes, and thereby to produce less vulnerable J2EE servers and applications in the future.


14.) Visualising Source Code for Auditing

Speaker: Lisa Thalheim


Auditing large amounts of source code can be a challenging task. With ever-growing software, hardly anyone has the time (aka money) and patience to read each and every single line of code there is. Thus, a crucial point is to get an overview of the code, to identify potentially interesting areas of code, to understand how different parts of the code interrelate, and sometimes even to reverse engineer the architecture implicitly contained in the source code, since the documentation for the particular code is often either outdated or nonexistent. This pinpointing of interesting areas within the code is especially important and useful when professionally auditing for security-relevant bugs in given code. The purpose of this talk is to show how information visualization techniques as well as techniques from compiler design can be used to help an auditor understand large amounts of source code more quickly and more thoroughly, and thereby become a more efficient auditor. I will also show the latest development of Charles, a tool I develop to implement and assess the various source visualization ideas.


Day 2

1.) KEYNOTE 2: What application security tools vendors don’t want you to know and holes they will never find!

Speaker: Mark Curphey & John Viega


Software and application security is a hard nut to crack. Traditional network and operating system assessment and protection tools can be taught to look for repeatable conditions with reasonable results. However (and despite heavy marketing suggesting otherwise), application protection and assessment tools suffer from a significantly different order of problem. In this talk John Viega and Mark Curphey will systematically discuss and demonstrate the limitations of automated protection and assessment tools using live working examples. The talk will focus on code review tools, web application scanners and web application firewalls.


2.) Scapy and IPv6 networking

Speaker: Phil Biondi and Arnaud Ebalard


We will quickly present Scapy, a packet manipulation program. We will show how it can help you in domains like network discovery, network probing, fuzzing, unit testing, etc. We will then cover the IPv6 support, extending Scapy’s injection, probing and testing capabilities to IPv6 networks. The status of specific available features will be detailed (tunneling/Teredo support, ND support, available extension headers and other IPv6-related protocols).


3.) Finding Secrets in ISAPI

Speaker: Nish Bhalla


Developers programming in C/C++ hide secrets in code. Assumptions are made that no one can read the content of a binary. This talk will give a brief introduction on how to start performing binary analysis, how to circumvent some basic debugger checks and how to find secrets hidden in code. The example code that is demonstrated is an ISAPI, which will be decompiled and demonstrated to help find the secret, as well as looking at writing an exploit. The talk will be mostly demonstration based and will require some basic understanding of programming concepts.


4.) Pen Testing Windows Vista BitLocker Drive Encryption from the Inside

Speaker: Douglas Maciver


This insider’s candid perspective on the threat analysis and penetration of BitLocker Drive Encryption will be a forthright review of its threats, vulnerabilities, and their mitigations — significant since the talk is in advance of the product’s release date. The presentation will bring together known device attacks such as DMA exploits with “not-widely-discussed” platform vulnerabilities to show how they affect BitLocker Drive Encryption and device security in general. The presentation will also include the penetration team’s best crack-finding practices, the BitLocker team’s use of Microsoft’s Security Development Lifecycle, threat-modeling, threat-storming, queer views, and other practical tips. Along with DMA exploits, some of the other BitLocker and device attacks to be discussed are: PIN-hammering, key-wear analysis, ciphertext manipulation, physical memory attacks, Trusted Computing Base subversion, LPC bus attacks, and others.


Other threat analysis and penetration insights from the team will include: the poison of conventional wisdom, avoiding paranoia-induced burnout, pros and cons of external security review, security code review best practices, how to avoid analysis paralysis, leveraging dream states, adversary modeling, forensics, and cryptographic validation. The presenter is a member of the penetration team. This presentation will not be a marketing or sales presentation. It will contain a (very) brief overview of BitLocker Drive Encryption, limited to its security elements. For general BitLocker information, please go to


5.) A New Approach to Cybercrime: The Hacker’s Profiling Project (HPP)

Speaker: Raoul Chiesa


The talk will detail the results learned from the first two years of activity of the HPP research study, developed by Raoul Chiesa, an independent security researcher, and Dr. Stefania Ducci, a researcher in criminology at UNICRI (United Nations Interregional Crime and Justice Research Institute). The research project includes the dissemination of questionnaires, the installation of targeted Honeynet systems and the cross-linked analysis of computer intrusions and IT attacks.


Participants will discover how many myths surrounding hackers and the so-called “security underground world” have often been misunderstood, painting this world as a “dark environment” and diverting attention from the really important psychological and technical issues of a reality in continuous evolution. This is a very special happening for Malaysia, since Dr. Ducci and Mr. Chiesa will introduce for the first time, both in Asia and worldwide, the complete results of their research activities, after partial presentations in France (EUROSEC 2006) and Switzerland (Ticino Communications Forum 2006).


6.) The Biggest Brother

Speaker: Roberto Preatoni & Fabio Ghioni


Roberto Preatoni, with Fabio Ghioni, will present an overview of current developments in matters of digital and non-digital freedom. This paper will deal with how PSYOPs (Psychological Operations) are nowadays fully backed up by technological means, how western governments are abusing them and how western democracies are suffering from it: from the dream of a technology meant to ease lives to the nightmare of technologies used to enchain their users, from RFID-equipped passports to laser printer tracebacks. The question remains: can the hacker movement take a stand and fight against this? Is the hacker community as credible and reliable as it is pictured by the current media coverage?


7.) Towards an Invisible Honeypot Monitoring System

Speaker: Nguyen Anh Quynh


A honeypot is a decoy system to trap attackers, and the data capture tool is one of the core components of the honeypot architecture. The most vital requirement of this component is that it must function as stealthily as possible, so the intruder is not aware of its presence. Currently Sebek is the most sophisticated tool for this purpose. Unfortunately, Sebek is rather easy to detect, even with unprivileged access rights. This talk discusses the drawbacks of Sebek, then proposes an architecture and implementation of a tool named Xebek. Based on Xen Virtual Machine technology, Xebek aims to address the most outstanding problems of Sebek. While Xebek provides similar features to Sebek, our tool is far more “invisible” and harder to uncover. The experimental results also demonstrate that Xebek is more flexible, while its reliability and efficiency are significantly improved over its counterpart.


8.) Hacking a Bird in The Sky: Hijacking VSAT Connections

Speaker: Jim Geovedi & Raditya Iryandi


Since the mid 1950s, satellite communication systems have made enormous advances in capability and performance. Internet access over satellite, digital content distribution, wide area network (WAN) connectivity, video teleconferencing, distance learning, and telephony services sent over satellites have become integral to our society. Unfortunately, security has not kept pace, and current systems are vulnerable to a variety of attacks. This presentation will discuss satellite technologies for providing broadband data communications using Very Small Aperture Terminal (VSAT) network systems, how they work, and what is and is not possible for determined opponents to achieve.


9.) Smashing the Stack for Profit - Period

Speaker: Rohyt Belani


Attacks that I have responded to in the recent past have rarely been conducted for fun. The monetary motivation of the hackers is obvious. In this presentation I will discuss real-world attacks that entailed a deadly combination of financial fraud and computer crime. The case studies will discuss how the white-collar criminals (financial wizards) operate in tandem with computer hackers to rake in the moolah! The focus of the presentation will be on the techniques used by the hackers to obtain the information necessary to successfully execute such attacks.


10.) Using Neural Networks and Statistical Machinery to improve remote OS Detection

Speaker: Carlos Sarraute & Javier Buroni


The problem of remote Operating System (OS) Detection is a crucial step of the penetration test process, since the attacker needs to know the OS of the target host in order to choose the exploits that he will use. The first fingerprinting implementations were based on the analysis of differences between TCP/IP stack implementations. The next generation focused the analysis on application layer data such as the DCE RPC endpoint information. Even though more information was analyzed, some variation of the “best fit” algorithm was still used to interpret this new information, which does not work in non-standard situations and is unable to extract the key elements which uniquely identify an operating system.


Our new approach involves an analysis of the composition of the information collected during the OS identification process to identify key elements and their relations. We will present an analysis, based on Neural Networks and statistical tools, of the tests used as stimulus to find out which are the most significant with respect to OS detection, and show how these tests can be expanded and optimized.


We will also present two working OS detection modules: one which uses DCE-RPC endpoints to distinguish Windows versions, and another which uses Nmap signatures to distinguish Windows, Linux, Solaris and BSD systems. We will explain the inner workings of the neural networks and the fine tuning of their parameters; and show successful results.


11.) MOSREF: Using Cryptography and Injectable Virtual Machines in Security

Speaker: Wes Brown


Mosquito is a secure remote execution framework, available under the LGPL, that combines high-grade cryptography and a small, efficient virtual machine on both ends to ensure that intellectual property is protected. It also presents a dynamic environment on a target host that can be reprogrammed on the fly over a secure communications channel to fit the current situation.


The virtual machine was written from scratch for this purpose, with a built-in cryptography library, and was optimized for size with an eye towards being able to inject it. The virtual machine’s native programming environment is a Scheme-derived Lisp-family language, with an optimizing bytecode compiler. It is also cross-platform, using ANSI C and GCC, and currently runs on OpenBSD, Darwin, Linux, and Win32. Compiled bytecode is portable between these platforms, much like Pascal’s P-code.


The comprehensive talk will cover the framework and methodologies that went into creating a secure remote execution environment. The algorithms used to secure communication channels will be discussed. The virtual machine and language themselves will be covered in some detail along with examples. Additionally, there will be a demonstration of writing an exploit in this framework, and using it to inject a virtual machine on a remote host.


12.) Hacking Trust

Speaker: Anthony Zboralski & Dave McKay


A presentation dealing with the power of social engineering.


13.) Yet Another Web Application Testing Toolkit (YAWATT)

Speaker: Fyodor Yarochkin & Meder Kydyraliev


Fyodor and Meder will present the results of their research in the area of automated web application security testing. YAWATT was created because the existing automated web application security testing approaches are extremely limited, and practically unable to identify application security problems beyond typical coding errors (e.g. SQL injection, XSS and CRLF injection bugs). The purpose of YAWATT is to provide security analysts with a flexible, modular framework based on a meta-language that is used to describe web application testing scenarios, and it aims to assist in the discovery of both coding errors and application “logic” vulnerabilities. Due to the modular design, application testers are provided with granular control over the whole testing process, and the ability to modify the execution scenario, submit additional application data and/or re-execute the testing process using new “knowledge” obtained during the previous execution.


14.) VoIPhreaking: SIPhallis Unveiled

Speaker: The Grugq


The continued explosive growth of VoIP technology deployment has not been matched by security assessment technology. This talk will present a suite of new tools for VoIP security analysis: the VoIPy toolkit. With the release of the VoIPy toolkit, and in particular SIPhallis, a major barrier to comprehensive, effective VoIP penetration testing has been removed. Examining vulnerabilities within the VoIP protocol suite, as well as common deployment problems that get exploited, this presentation will demonstrate the VoIPy tool suite as a framework for exploiting these vulnerabilities — ranging from free phone calls to spoofing caller-id. This presentation will focus on the new SIPhallis VoIP-centric penetration tool, designed specifically to foster new and innovative VoIP security attacks. The talk will examine core VoIP vulnerabilities, and how SIPhallis can be used as the primary security assessment tool for a VoIP penetration test.


15.) Subverting Vista Kernel For Fun And Profit

Speaker: Joanna Rutkowska


The presentation will first present how to generically (i.e. not relying on any implementation bug) insert arbitrary code into the latest Vista Beta 2 kernel (x64 edition), thus effectively bypassing the (in)famous Vista policy of allowing only digitally signed code to be loaded into the kernel. The presented attack does not require a system reboot. Next, the new technology for creating stealth malware, code-named Blue Pill, will be presented. Blue Pill utilizes the latest virtualization technology from AMD - Pacifica - to achieve unprecedented stealth. The ultimate goal is to demonstrate that it is possible (or soon will be) to create undetectable malware which is not based on a concept but, similarly to modern cryptography, on the strength of the ‘algorithm’.