All videos have been encoded in QuickTime. Please use QuickTime Player or VLC for playback. If you have trouble playing these files, please ensure you have the latest 3ivx codec.


HITBSecConf2007 - Malaysia - Day 1.torrent


1.) Keynote Address 1: Honeynet Project: Latest Research
Lance Spitzner, Founder, Honeynet Project


In this presentation we cover two of the Honeynet Project’s current research programs, fast-flux and GDH. In fast-flux, we will learn how the criminal community is leveraging a sophisticated architecture to make it much more difficult to identify and shut them down. In GDH (Global Distributed Honeynet) we will learn one of the ways the Honeynet Project is making it easier to capture data at a global level.
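The fast-flux architecture the abstract refers to is observable from the outside: a flux domain hands out a short-TTL set of addresses that changes from one lookup to the next and is spread over many autonomous systems. The following is an added example, not Honeynet Project code, of the classic heuristic built on those three features. The address-to-ASN map, the lookups and the domain names are constructed for the example; a real run would resolve the name once per TTL interval and map addresses to ASNs from BGP or whois data.

```python
"""Heuristic fast-flux detector over repeated DNS lookups (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Lookup:
    ttl: int              # TTL in seconds carried on the A records
    addresses: List[str]  # A records returned by this one lookup


# Hypothetical address -> ASN map (documentation prefixes, private ASNs).
ASN_OF: Dict[str, int] = {
    "192.0.2.10": 64496, "192.0.2.11": 64496, "192.0.2.12": 64497,
    "198.51.100.20": 64498, "198.51.100.21": 64499, "198.51.100.22": 64499,
    "203.0.113.30": 64500, "203.0.113.31": 64501, "203.0.113.32": 64502,
    "198.51.100.5": 64510, "198.51.100.6": 64510,
}

# Constructed: a flux domain rotating three addresses per answer, TTL 180 s.
FLUX_LOOKUPS = [
    Lookup(180, ["192.0.2.10", "198.51.100.20", "203.0.113.30"]),
    Lookup(180, ["192.0.2.11", "198.51.100.21", "203.0.113.31"]),
    Lookup(180, ["192.0.2.12", "198.51.100.22", "203.0.113.32"]),
]
# Constructed: an ordinary site with a stable pair of addresses, TTL 1 h.
STABLE_LOOKUPS = [Lookup(3600, ["198.51.100.5", "198.51.100.6"])] * 3


def flux_metrics(lookups: List[Lookup]) -> Dict[str, float]:
    """Collect the per-domain features the heuristic scores."""
    if not lookups:
        raise ValueError("need at least one lookup")
    all_ips: Set[str] = set()
    for lk in lookups:
        all_ips.update(lk.addresses)
    per_answer = sum(len(lk.addresses) for lk in lookups) / len(lookups)
    asns = {ASN_OF.get(ip, -1) for ip in all_ips}
    return {
        "distinct_ips": len(all_ips),
        "distinct_asns": len(asns),
        "min_ttl": min(lk.ttl for lk in lookups),
        # total addresses seen relative to what one answer carries;
        # 1.0 means the address set never changed between lookups
        "fluxiness": len(all_ips) / per_answer if per_answer else 0.0,
    }


def is_fast_flux(lookups: List[Lookup], max_ttl: int = 300,
                 min_asns: int = 3, min_fluxiness: float = 1.5) -> bool:
    """Thresholds are illustrative; tune them against your own resolver data."""
    m = flux_metrics(lookups)
    return (m["min_ttl"] <= max_ttl and m["distinct_asns"] >= min_asns
            and m["fluxiness"] >= min_fluxiness)


if __name__ == "__main__":
    for name, lks in (("flux.example", FLUX_LOOKUPS),
                      ("stable.example", STABLE_LOOKUPS)):
        verdict = "fast-flux" if is_fast_flux(lks) else "normal"
        print(name, flux_metrics(lks), verdict)
```

A TTL-only rule flags every CDN-hosted site, which is why the ASN spread and the change in the address set between lookups carry most of the weight here; a CDN answer also rotates, but within a handful of networks.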


2.) Keynote Address 2: Online Crime and Crime Online
Mikko Hypponen, Chief Research Officer, F-Secure Corp.


Who’s really behind the network attacks? Who’s launching the phishing scams? Who runs the botnets? How do they hide their malware? Where are they reselling the stolen bank accounts and credit card numbers? How do they move their money around? How do they recruit their money mules? What do these guys look like and how does all this really work? Is this the perfect crime?


3.) State of Security
Andrew Cushman (Senior Director, Microsoft Security Response and Community, Microsoft Corp)


Andrew Cushman – Sr. Director of the Microsoft Security Response Center shares the MSRC’s historical perspective on the security ecosystem and discusses Microsoft’s current approach to security. This will be a 10-year retrospective on the creation and evolution of the MSRC and Microsoft’s security strategy. Along the way Mr. Cushman will discuss seminal events and give a glimpse into the future.


4.) Injecting RDS-TMC Traffic Information Signals - How to Freak Out Your Sat Nav System
Andrea Barisani (Chief Security Engineer, Inverse Path Ltd) and Daniele Bianco (Hardware Hacker, Inverse Path Ltd)

RDS-TMC is a standard based on RDS (Radio Data System) for carrying traffic information for satellite navigation systems over FM radio. All modern in-car satellite navigation systems sold in Europe use RDS-TMC to receive broadcasts containing up-to-date information about traffic conditions such as queues and accidents, and provide suggested detours in case they affect the plotted course.

In this presentation, the audience will be introduced to RDS/RDS-TMC concepts and protocols. In addition, we will show how you can decode/encode such messages using a standard PC and cheap home-made electronics with the intent of injecting information in the broadcast RDS-TMC stream to manipulate the information displayed by the satellite navigator.

We’ll discover the obscure (but scary!) messages that can be broadcast (and that are not usually seen in legitimate RDS-TMC traffic), the limits of standard SatNav systems when flooded with unusual messages, and the role that RDS-TMC injection / jamming can play in social engineering attempts (hitmen in the audience will love this!). To round off the presentation we’ll also demo the injection… hopefully at low power so that we won’t piss off local radio broadcasters.
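The encode/decode step the abstract mentions comes down to the RDS block format, so here is an added example (not Inverse Path’s code) of it in Python. Each RDS block is 16 information bits followed by a 10-bit checkword: the CRC remainder of the data under the RDS generator polynomial, XORed with an offset word that marks the block position (A, B, C, C', D). A decoder recovers the position from the syndrome and drops corrupted blocks, which is also why a receiver cannot tell a legitimately coded block from an injected one. A single-group TMC user message travels in group type 8A: block 2 carries the group header plus the T/F/DP bits, block 3 the diversion, direction, extent and 11-bit event code, block 4 the 16-bit location code. The polynomial, offset words and bit layout are the standards’ (EN 50067 and ISO 14819-1); the PI code, event and location numbers in the demo are arbitrary constructed values.

```python
"""RDS block coding and an RDS-TMC (ALERT-C) 8A group, encode and decode."""
from typing import Dict, List, Optional, Tuple

RDS_POLY = 0x5B9   # x^10 + x^8 + x^7 + x^5 + x^4 + x^3 + 1
OFFSET_WORDS: Dict[str, int] = {
    "A": 0x0FC, "B": 0x198, "C": 0x168, "C'": 0x350, "D": 0x1B4}
OFFSET_NAMES = {word: name for name, word in OFFSET_WORDS.items()}


def rds_crc10(info: int) -> int:
    """Remainder of info(x) * x^10 modulo the generator polynomial."""
    reg = (info & 0xFFFF) << 10
    for bit in range(25, 9, -1):          # long division, MSB first
        if reg & (1 << bit):
            reg ^= RDS_POLY << (bit - 10)
    return reg & 0x3FF


def encode_block(info: int, offset: str) -> int:
    """26-bit block: 16 information bits, then checkword XOR offset word."""
    return ((info & 0xFFFF) << 10) | (rds_crc10(info) ^ OFFSET_WORDS[offset])


def decode_block(block: int) -> Optional[Tuple[int, str]]:
    """Return (info, block position) if the checkword verifies, else None."""
    info = (block >> 10) & 0xFFFF
    syndrome = (block & 0x3FF) ^ rds_crc10(info)
    name = OFFSET_NAMES.get(syndrome)
    return None if name is None else (info, name)


def build_tmc_group(pi: int, event: int, location: int, extent: int = 0,
                    direction: int = 0, diversion: int = 0, dp: int = 0,
                    tp: int = 1, pty: int = 0) -> List[int]:
    """Single-group ALERT-C user message as four encoded blocks (8A)."""
    if not (0 <= event < 2048 and 0 <= location < 65536 and 0 <= extent < 8):
        raise ValueError("field out of range")
    block2 = ((8 << 12)                     # group type 8
              | (0 << 11)                   # B0 = 0 -> version A
              | ((tp & 1) << 10) | ((pty & 0x1F) << 5)
              | (0 << 4)                    # T = 0: user message, not tuning
              | (1 << 3)                    # F = 1: single-group message
              | (dp & 7))                   # duration / persistence
    block3 = (((diversion & 1) << 15) | ((direction & 1) << 14)
              | ((extent & 7) << 11) | (event & 0x7FF))
    return [encode_block(pi, "A"), encode_block(block2, "B"),
            encode_block(block3, "C"), encode_block(location, "D")]


def parse_tmc_group(blocks: List[int]) -> Optional[dict]:
    """Decode four blocks; None unless they form a valid single-group 8A."""
    decoded = [decode_block(b) for b in blocks]
    if any(d is None for d in decoded):
        return None
    if [d[1] for d in decoded] != ["A", "B", "C", "D"]:
        return None
    pi, b2, b3, location = (d[0] for d in decoded)
    if (b2 >> 12) != 8 or (b2 >> 11) & 1 or (b2 >> 4) & 1 or not (b2 >> 3) & 1:
        return None   # not an 8A single-group user message
    return {"pi": pi, "dp": b2 & 7, "event": b3 & 0x7FF,
            "extent": (b3 >> 11) & 7, "direction": (b3 >> 14) & 1,
            "diversion": (b3 >> 15) & 1, "location": location}


if __name__ == "__main__":
    # constructed values: PI 0x1234, event 401, location 20000, 2 segments
    group = build_tmc_group(pi=0x1234, event=401, location=20000,
                            extent=2, direction=1)
    print([f"{b:026b}" for b in group])
    print(parse_tmc_group(group))
```

Nothing here touches RF; the example stops at the bit level so that the protocol can be studied without a transmitter. Note that event and location numbers only mean something against the ALERT-C event list and the country’s location table, which is what a navigator looks them up in.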

5.) Hacking SCADA – How to 0wn Critical National Infrastructure
Raoul Chiesa (Board of Directors member, ISECOM Group and TSTF) and Alessio L.R. Pennasilico aka Mayhem (Security Evangelist, Alba S.T. s.r.l.)


This talk will introduce the audience to SCADA environments and their totally different security approaches, outlining the key differences from typical IT security best practices. We will analyze many real-world case studies related to industry, energy and other fields. We will describe the most common security mistakes and some of the dire consequences of such mistakes in a production environment. In addition, attendees will be shown a video of real SCADA machines reacting to these attacks in the most “interesting” of ways!


6.) Exploiting the Intranet With a Webpage - Is JavaScript the New Shellcode?
Martin Johns (University of Hamburg, Faculty of Informatics)


Web browsers are installed on virtually every contemporary desktop computer, only a few companies deny their employees web access over HTTP, and the evolution of active technologies like JavaScript, Java or Flash has slowly but steadily transformed the web browser into a rich application platform. For these reasons, the browser was recently (re)discovered as a convenient tool to smuggle malicious code past the company firewall. While earlier related attacks required a security vulnerability in the browser’s code or libraries, the attacks covered in this talk simply employ the legitimate means provided by today’s browser technology.


7.) Meta Anti Forensics: The HASH Hacking Harness
The Grugq (Independent Network Security Specialist)

For the last decade buffer overflows and memory corruption exploits have been the main focus of hacking tool development. The actual hacking environment has received little attention. Indeed, most hackers still hack directly within a vanilla shell, using their tools straight off the command line. No public tools have emerged to change the methodologies of the command line hacker.

This talk presents a new penetration testing assistance tool to bridge the gap between vanilla command line hacking and graphical exploit environments such as Impact and CANVAS. At its simplest this new tool provides programmatic control over normal shell interactions. Utilising this powerful building block, based on Python and incorporating Expect-like functionality, this tool enables numerous new capabilities for today’s systems security analyst.
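To make the “programmatic control over normal shell interactions” concrete, here is an added example, not the grugq’s HASH code, of that building block in Python: one long-lived /bin/sh driven from a script, each command’s output delimited by a random sentinel so the caller gets the output and exit status back as values and can pattern-match on them Expect-style. It assumes a POSIX sh is available at /bin/sh.

```python
"""Programmatic control of a shell session with Expect-style matching."""
import binascii
import os
import re
import subprocess
from typing import Optional, Tuple


class ShellSession:
    def __init__(self, shell: str = "/bin/sh") -> None:
        self.proc = subprocess.Popen(
            [shell], stdin=subprocess.PIPE, stdout=subprocess.PIPE,
            stderr=subprocess.STDOUT, text=True, bufsize=1)
        # random marker so that command output cannot forge the delimiter
        self.sentinel = "__HASH_" + binascii.hexlify(os.urandom(8)).decode() + "__"

    def run(self, cmd: str) -> Tuple[str, int]:
        """Run one command line; return (combined stdout+stderr, exit status)."""
        assert self.proc.stdin is not None and self.proc.stdout is not None
        # the sentinel line is printed only after cmd finishes, with its $?
        self.proc.stdin.write(f"{cmd}\nprintf '%s %s\\n' {self.sentinel} $?\n")
        self.proc.stdin.flush()
        chunks = []
        while True:
            line = self.proc.stdout.readline()
            if not line:
                # a syntax error makes a non-interactive sh exit; surface it
                raise RuntimeError("shell exited unexpectedly")
            idx = line.find(self.sentinel)
            if idx < 0:
                chunks.append(line)
                continue
            chunks.append(line[:idx])        # output that had no trailing newline
            status = int(line[idx + len(self.sentinel):].split()[0])
            return "".join(chunks), status

    def expect(self, cmd: str, pattern: str) -> Optional[str]:
        """Run cmd and return the first capture group of pattern, or None."""
        out, _ = self.run(cmd)
        m = re.search(pattern, out, re.MULTILINE)
        return m.group(1) if m else None

    def close(self) -> None:
        try:
            assert self.proc.stdin is not None
            self.proc.stdin.write("exit\n")
            self.proc.stdin.flush()
        except (BrokenPipeError, ValueError, OSError):
            pass
        self.proc.wait(timeout=5)


if __name__ == "__main__":
    sh = ShellSession()
    print(sh.run("id"))
    # Expect-like extraction: pull the kernel release out of uname's output
    print(sh.expect("uname -sr", r"^\S+ (\S+)"))
    sh.close()
```

Because the session persists, state such as the working directory and exported variables survives between calls, which is the property a harness needs once a shell has been obtained on a target; pipes rather than a pty keep the example portable, at the cost of not driving programs that insist on a terminal.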

8.) Security: Past, Present and Future
Deviant Ollam, Eric Michaud & Q (Members of TOOOL USA) and Marc Weber Tobias (Investigative Attorney and Security Specialist)


A special 2 hour back-to-back presentation dealing with physical security bypass methods and high security locks.


9.) WabiSabiLabi - The Exploit Marketplace
Roberto Preatoni (Director of Strategy, WabiSabiLabi & Founder, Zone-H Defacement Mirror)


Three days after its launch, the WabiSabiLabi project attracted the world’s attention. For good and for bad, the press covered the project in all its aspects, generating an endless round of comment threads on specialized forums. The project got the attention of the financial press, hitting the Economist and Forbes. The speech will let you hear directly from WABISABILABI!


10.) Advanced Web Application and Database Threat Analysis with MatriXay
Frank Yuan Fan (Founder and Chief Technology Officer, DBAPPSecurity)

Web application vulnerabilities and threats were rated the #1 issue in 2006. While you are looking at defence strategy, it is worth looking at a few real cases of how a site gets hacked and owned while remaining almost unnoticed.

In this presentation Frank will analyse the top three Web threats, including SQL injection and cross-site scripting, as well as the recent and dangerous ANI vulnerability used in combination with Web application threats. Frank will also show how quickly a site can be hacked using MatriXay, its architecture, and the security threats to the backend database.

11.) 360° Anomaly Based Intrusion Detection
Dr. Stefano Zanero (Politecnico di Milano T.U.)


In this talk, after briefly reviewing why we should build a good anomaly-based intrusion detection system, we will present two IDS prototypes developed at the Politecnico di Milano for network- and host-based intrusion detection through unsupervised algorithms. We will then use them as a case study for presenting the difficulties in integrating anomaly-based IDS systems (as if integrating the usual misuse-based IDS systems was not complex enough…). We will then present our ideas, based on fuzzy aggregation and causality analysis, for extracting meaningful attack scenarios from alert streams, building the core of the first 360° anomaly-based IDS.


12.) Insider Threat Visualization
Raffael Marty (Manager, Strategic Application Solutions @ ArcSight Inc.)

Insider Threat has become an increasingly discussed topic in the past months. Information leaks, sabotage, and fraud have been reported all over big organizations. One way to address the insider problem is to analyze log files and find suspicious behavior before it results in direct or indirect financial loss for a company.

Signs of suspicious behavior or users lend themselves very well to visualization techniques. Visualization of data has proven to be the approach generating the best return on investment when it comes to complex data analysis problems. This talk takes a step-by-step approach to analyzing signs of insider threat. I will use open source tools to process the information and generate visual representations. Among them is a tool called AfterGlow, which was written by the submitter. It is a very simple tool to visualize preprocessed information. The analysis I will go through will show how early warning signs of insider activity manifest in log files, making it possible to prevent further damage and assess the impact of the activities. Information leaks and sabotage activity can be visualized in the same ways using mainly line graphs and treemaps.

The goal of the talk is to leave the audience with the knowledge and tools to do visual log analysis on their own data. The main tool used for the talk is AfterGlow, which in its current version supports a diverse set of operations to ease the analysis of log data.
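The preprocessing step the abstract describes, turning log lines into something AfterGlow can draw, is where most of the work is. Below is an added example, not from the talk and not part of AfterGlow, that parses file-server access records into AfterGlow’s comma-separated source,event,target rows (here user,action,file) and, on the same records, flags the one early-warning sign that is easiest to score numerically: a user touching far more distinct files than their peers. The log format, host name fs01 and user names are constructed for the example.

```python
"""File-server access logs to AfterGlow input, plus a bulk-reader flag."""
import re
from collections import defaultdict
from statistics import median
from typing import Dict, List

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) access user=(?P<user>\S+) "
    r"action=(?P<action>\S+) file=(?P<file>\S+)$")

# Constructed sample: two users with routine access, one pulling a whole share.
SAMPLE_LOG = [
    "2007-09-03T09:12:01 fs01 access user=alice action=read file=/shares/finance/q3.xls",
    "2007-09-03T09:40:17 fs01 access user=alice action=read file=/shares/finance/budget.doc",
    "2007-09-03T10:02:44 fs01 access user=bob action=read file=/shares/eng/spec.pdf",
    "2007-09-03T10:05:09 fs01 access user=bob action=write file=/shares/eng/spec.pdf",
] + [
    f"2007-09-03T22:{i:02d}:00 fs01 access user=carol action=read "
    f"file=/shares/finance/cust{i:02d}.xls"
    for i in range(12)
]


def parse_line(line: str) -> Dict[str, str]:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsed line: {line!r}")
    return m.groupdict()


def to_afterglow(records: List[Dict[str, str]]) -> List[str]:
    """Three-column AfterGlow rows: source,event,target = user,action,file."""
    return [f"{r['user']},{r['action']},{r['file']}" for r in records]


def distinct_files_per_user(records: List[Dict[str, str]]) -> Dict[str, int]:
    seen = defaultdict(set)
    for r in records:
        seen[r["user"]].add(r["file"])
    return {user: len(files) for user, files in seen.items()}


def flag_bulk_readers(records: List[Dict[str, str]],
                      factor: float = 3.0) -> List[str]:
    """Users touching more than `factor` times the median distinct-file count."""
    counts = distinct_files_per_user(records)
    if not counts:
        return []
    threshold = factor * median(counts.values())
    return sorted(user for user, n in counts.items() if n > threshold)


if __name__ == "__main__":
    recs = [parse_line(line) for line in SAMPLE_LOG]
    # write this to a file and feed it to afterglow.pl, then to graphviz
    print("\n".join(to_afterglow(recs)))
    print("bulk readers:", flag_bulk_readers(recs))
```

The median-based threshold is deliberately crude: with a few users a single heavy but legitimate job will cross it, so in practice the baseline is per role and per time window, and the graph is what tells an analyst whether the spike is one share being copied wholesale (a star of files around one user) or normal breadth of work.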


HITBSecConf2007 - Malaysia - Day 2.torrent

1) Keynote Address 3: The Rise and Fall of Information Security in the Western World
Mark ‘Phiber Optik’ Abene, Former Member of LOD/MOD

I’ve had the unequaled pleasure of witnessing the birth of two great movements: the hacker underground and the computer security industry. Join me in not just a speech, but a verbal odyssey back to the beginnings of each of these all-important cultural developments; how, directly and indirectly, these two movements have fed off the other in a manner sometimes helpful and sometimes adversarial.

In the form of firsthand anecdotes, I’ll tell of my earliest recollections of getting online and innocently discovering the so-called counter-culture of hacking in the early 80’s, and how I became intertwined with its evolution into a full-blown cultural movement. Likewise, I’ll describe my brushes with the earliest attempts to establish a dialogue between the international security researchers just starting to gain prominence in the late 80’s and early 90’s, and how my compelling motivation to speak out in public forums, at great personal risk, would ultimately contribute to my entanglements with the U.S. government in no small way.

In my transition to security professional, you’ll hear about how I helped to bring the notion of tiger teams and penetration studies into common practice, and how I continue to champion the misunderstood young people who possess these uncanny skills as being one of our greatest wasted resources in an age of abject insecurity. Together, we’ll question, after such promising beginnings, has the security industry collapsed upon itself, de-evolving into a mockery? Has the more recent trend of exploitation and harsh punishment had a chilling effect on real research and the true spirit of discovery and exploration?

2) Keynote Address 4: The Evolution of Hacking
Emmanuel Goldstein, Founder, 2600 Magazine

There have always been hackers. People who challenge the rules, think outside the box, and pool their knowledge and resources have been responsible for all sorts of inventions and discoveries over the centuries. With computers, phones, and the rise of the technocratic state, their importance and visibility have multiplied dramatically. But with that visibility has come fear from those who don’t understand.

In a post-9/11 world, hackers have become almost as much of a “threat” as terrorists. Laws that have been hastily passed in countries all over the world demonize acts of exploration as if they were the real threats to society. The result of this sort of suppression will be a culture of fear and suspicion where technological progress slows to a crawl. Emmanuel Goldstein has witnessed the growth of the hacker world over the past few decades. Something that for him started as fun and games has turned into a global phenomenon with very serious implications.

3) Tools and Strategies for Securing a Large Development Project
Window Snyder (Chief Security Something or Other, Mozilla Corporation)

Developing secure software is difficult. There is more information available on application security now than ever before. But how much of this information has been successfully used on a large scale, widely deployed, complex software project? What really works? Mozilla is making the process of securing a large software project transparent. Window Snyder will discuss the methods Mozilla uses to secure Firefox and share tools created by Mozilla. Developers can use these methods and tools to secure applications in their own environment. Ms. Snyder will also talk about the new security features coming in Firefox 3.

4) Hacking the Bluetooth Stack for Fun, Fame and Profit
Dino Covotsos (Managing Director, Telespace Systems)

Enhancements in cellular technology and mobile computing in recent years have led to the availability of affordable and powerful mobile devices. Where before cellular phones were relegated only to the business class and other members of the upper echelon of society, today they are deemed a necessity and have become so cheap in comparison to phones of years past that almost anybody can own one.

One of these enhancements is definitely the Bluetooth specification, which allows for the creation of short range wireless personal area networks. In recent years however, it has come to light that various flaws exist in certain Bluetooth implementations. Our paper aims at demystifying these vulnerabilities. Amongst other things it will include the procedures involved in bluesnarfing, the potential hazards of bluejacking as well as the backdooring of mobile devices. We will also be demonstrating the tools and techniques used in accomplishing the above listed attacks.

5) Protocol Fuzzing
Luiz Eduardo (Senior Systems & Security Engineer, Mu Security)

This presentation will cover what there is to know about protocol fuzzing: the fuzzing basics, what is fuzzable and what is not, and why fuzzing became such a big thing in the past few years; from “insane” fuzzing to how the new tools (commercial and free) found better ways to fuzz. The usual challenges will be covered, along with predictions on what the future holds for this technology.
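The difference between “insane” fuzzing and what the newer tools do is structure: random bit flips mostly produce inputs a parser rejects at the first header, while mutations that understand the message’s length fields and field boundaries reach deeper code. The following added example (not Mu Security’s tooling) shows both over a small length-prefixed TLV protocol, with a harness that separates input the target correctly rejects from input that makes it fail in an unexpected way. The TLV layout (1-byte type, 2-byte big-endian length, value), the sample message and the target parser are constructed for the example.

```python
"""Mutation-based fuzzing of a length-prefixed TLV protocol."""
import random
import struct
from typing import Callable, Dict, List, Tuple

Field = Tuple[int, bytes]


def build_tlv(fields: List[Field]) -> bytes:
    return b"".join(struct.pack(">BH", t, len(v)) + v for t, v in fields)


def parse_tlv(data: bytes) -> List[Field]:
    """Target under test; rejects malformed input with ValueError."""
    fields, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 3:
            raise ValueError("truncated header")
        t, length = struct.unpack(">BH", data[pos:pos + 3])
        pos += 3
        if length > len(data) - pos:
            raise ValueError("length exceeds buffer")
        fields.append((t, data[pos:pos + length]))
        pos += length
    return fields


SAMPLE = build_tlv([(0x01, b"user"), (0x02, b"pass!")])

# Boundary values that fit the 16-bit length field.
INTERESTING_LENGTHS = [0, 1, 0x7F, 0x80, 0xFF, 0x7FFF, 0x8000, 0xFFFF]


def dumb_mutations(msg: bytes, count: int, seed: int = 1) -> List[bytes]:
    """Flip one random bit per case; the message structure is ignored."""
    rng = random.Random(seed)
    cases = []
    for _ in range(count):
        buf = bytearray(msg)
        bit = rng.randrange(len(buf) * 8)
        buf[bit // 8] ^= 1 << (bit % 8)
        cases.append(bytes(buf))
    return cases


def smart_mutations(msg: bytes) -> List[bytes]:
    """Per field: lie in the length header, overlong value, duplicate, drop."""
    fields = parse_tlv(msg)
    cases = []
    for i, (t, v) in enumerate(fields):
        before, after = fields[:i], fields[i + 1:]
        for bad_len in INTERESTING_LENGTHS:
            lying = struct.pack(">BH", t, bad_len) + v   # header lies, value kept
            cases.append(build_tlv(before) + lying + build_tlv(after))
        cases.append(build_tlv(before + [(t, v * 50)] + after))     # overlong, consistent
        cases.append(build_tlv(before + [(t, v), (t, v)] + after))  # duplicated field
        cases.append(build_tlv(before + after))                     # field dropped
    return cases


def run_campaign(target: Callable[[bytes], object],
                 cases: List[bytes]) -> Dict[str, int]:
    """Tally outcomes; anything but a result or a ValueError is a finding."""
    tally = {"accepted": 0, "rejected": 0, "crashed": 0}
    for case in cases:
        try:
            target(case)
            tally["accepted"] += 1
        except ValueError:
            tally["rejected"] += 1
        except Exception:          # wrong exception type: the parser has a bug
            tally["crashed"] += 1
    return tally


if __name__ == "__main__":
    print("dumb :", run_campaign(parse_tlv, dumb_mutations(SAMPLE, 200)))
    print("smart:", run_campaign(parse_tlv, smart_mutations(SAMPLE)))
```

Against a native implementation the harness would watch the process for signals rather than Python exceptions, and the “accepted” bucket is the interesting one to instrument for coverage: the duplicated and dropped fields are well-formed by the wire rules yet violate assumptions the code above the parser may hold.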

6) Hacking Biometric Systems
Starbug (Independent Security Researcher)

Today biometric systems are becoming mainstream. They can be found everywhere - in mobile phones, computers, ATMs even in passports. Apart from facial recognition systems and barely used systems like iris and vein scanners, fingerprint readers are built into most biometric products. Contrary to the assurance of the manufacturers, nearly every system is still very easy to hack.

In this talk I want to show the different techniques of hacking biometric systems, from the attack on the communications (with an ARM-driven replay attacking device) and the stored reference data to the direct hack of the sensor itself. Making a dummy fingerprint from a picture of a fingerprint stored on a passport, for example, is the masterpiece of hacking biometric systems, because you always have access to the sensor and it’s very hard to find proper countermeasures.

7) Hacking Hardened and Secured Oracle Servers
Alexander Kornbrust (Founder, Red Database Security GmbH)

Most papers and documents concerning hacking Oracle databases are designed to break into unhardened, unpatched Oracle databases. That’s easy… This presentation will show different possibilities to break into already hardened and patched Oracle databases using the latest Oracle security features like Database Vault, Transparent Data Encryption, Virtual Private Database…. We will talk about:

* Privilege escalation / Data theft using the following privileges
— select any table
— execute any procedure
— create view
— create procedure

* Disable SQL Tracing
* Disable DDL-Trigger
* Bypass Logon-Trigger
* Remove Traces from various places (log-files, audit-tables, …)
* IDS Evasion
* Get Oracle Passwords (not only from Hashes)

8) Enterprise Hacking: Who Needs Exploit Codes?
Fetri Miftach (Principal Consultant, PT Bellua Asia Pacific) and Jim Geovedi (Security Consultant, PT Bellua Asia Pacific)

Traditional business drivers (time to market, cost basis etc) are still the dominant factors when formulating technology strategy. Security issues, although recognised as being of primary concern, are usually left behind to catch up. In an era where turnkey solutions, outsourcing, enterprise application integration across traditional boundaries are becoming the norm, this approach is causing more of a headache in the long run than the perceived (short-term) economic gains.

Highlighting lessons learned during several assignments, we found that the roles played by third parties and the lack of visibility of extended business processes (and related technology infrastructure) are becoming the main challenge for an enterprise’s information security team. In several cases, access to sensitive systems was engineered through the simple use of guile and cunning, identifying weak links introduced by the complexity of third-party relationships and the many inter-connections between business entities. And in a significant number of these cases, exploit codes were not even deployed.

Several ideas on how to mitigate these situations will be offered for further discussion.

9) An End-to-End Analysis of Securing Networked CCTV Systems
Sarb Sembhi (Chief Technology Officer, Securityw0rk5)

This session will look at every component of a wireless camera and a PTZ (pan, tilt, zoom) camera on a networked CCTV system from end to end. This includes all hardware (including middleware as well as the chips), software and protocols that can be considered components of the overall system. The talk will identify similarities and differences with components used in other embedded devices and their existing vulnerabilities in some part of the end-to-end CCTV system. The talk will give sample setups that are recommended by various manufacturers, and those that are used in practice, identifying weak points. It will also cover some of the human aspects of the systems, and where manufacturers of hardware and software are taking law enforcement with their technology, showing why this technology is one of the most exciting to be converged and what the scary bits are that this may lead us into. Finally, the talk will look at securing some of the vulnerabilities that exist.

10) Slipping Past The Firewall
Billy K. Rios (Senior Researcher, VeriSign) and Nathan McFeters (Senior Security Advisor, Ernst & Young Advanced Security Center)

Using a lethal combination of various client side attacks we’ll smash the same origin policy, punch our way through your firewall, and dropkick an Oracle database on your internal network (and we’re NOT talking about SQL Injection!). Although the sophistication of client side attacks has dramatically increased over the last few years, many in the security community continue to dismiss the true dangers of these attacks. These non-believers feel that client side attacks are simply limited to HTTP based attacks or phishing attacks against careless individuals. This talk will demonstrate some techniques used by attackers to establish a staging point on your internal network. This staging point will be used to conduct NON-HTTP based attacks against various services on YOUR internal network.
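Both this talk and Martin Johns’ talk on day 1 rest on the same precondition: the victim’s browser acts as a relay, sending requests to hosts behind the firewall on behalf of a page from the public web. The added example below (not from either talk) shows two cheap checks an intranet HTTP service can make on its own side. A request the browser was steered to under some name other than the service’s own, or by raw address, arrives with a Host header the service does not recognise, so an allow-list on Host refuses it; and a state-changing request that carries a foreign Origin is refused outright. One caveat: the Origin header postdates these 2007 talks and is missing from older browsers, so its absence is “unknown”, not “safe”, and the Host check is the part that applies to any client. The host names and the WSGI demo app are hypothetical.

```python
"""Host and Origin checks for an intranet HTTP service, as WSGI middleware."""
from typing import Callable, Iterable, List, Tuple

ALLOWED_HOSTS = {"wiki.corp.example", "wiki.corp.example:8080"}
ALLOWED_ORIGINS = {"http://wiki.corp.example", "http://wiki.corp.example:8080"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def check_request(environ: dict) -> Tuple[bool, str]:
    """Return (allowed, reason) for a WSGI environ."""
    host = environ.get("HTTP_HOST", "").lower()
    if host not in ALLOWED_HOSTS:
        # covers requests by raw IP and requests relayed under another name
        return False, f"unexpected Host header {host!r}"
    method = environ.get("REQUEST_METHOD", "GET").upper()
    origin = environ.get("HTTP_ORIGIN")
    if (method not in SAFE_METHODS and origin is not None
            and origin.lower() not in ALLOWED_ORIGINS):
        return False, f"cross-origin {method} from {origin!r}"
    return True, "ok"


class HostOriginGuard:
    """Answer 403 before the wrapped application sees a bad request."""

    def __init__(self, app: Callable) -> None:
        self.app = app

    def __call__(self, environ: dict, start_response: Callable) -> Iterable[bytes]:
        ok, reason = check_request(environ)
        if not ok:
            body = reason.encode()
            start_response("403 Forbidden", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def demo_app(environ: dict, start_response: Callable) -> Iterable[bytes]:
    """Stand-in for the intranet service being protected."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"intranet wiki\n"]


def call(app: Callable, environ: dict) -> Tuple[str, bytes]:
    """Invoke a WSGI app without a server; return (status line, body)."""
    status: List[str] = []
    body = b"".join(app(environ, lambda st, hdrs, exc_info=None: status.append(st)))
    return status[0], body


if __name__ == "__main__":
    guarded = HostOriginGuard(demo_app)
    print(call(guarded, {"HTTP_HOST": "wiki.corp.example", "REQUEST_METHOD": "GET"}))
    print(call(guarded, {"HTTP_HOST": "10.0.0.5", "REQUEST_METHOD": "GET"}))
    print(call(guarded, {"HTTP_HOST": "wiki.corp.example", "REQUEST_METHOD": "POST",
                         "HTTP_ORIGIN": "http://attacker.example"}))
```

These checks do nothing for the non-HTTP services the abstract promises to reach; for those the mitigation is on the browser side (blocking outbound connections to restricted ports) and on the service side (not trusting the source address alone), which is exactly the gap the talk is pointing at.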

11) Attack Surface of Modern Applications
Felix ‘fx’ Lindner (Founder, Recurity Labs GmbH)

Applications and frameworks mature over time. We have seen the end of the format string era. We see the end of the buffer overflow era coming. This rather high level talk wants to direct your attention to the distribution of the types of vulnerabilities over time and where things are heading. It attempts to review the defences that developed over the last 10 years and compares them to the few usable vulnerability data sources we have. Although no hex codes are shown, the talk might just be interesting.

12) Googling for Malware and Bugs
Dr. Jose Nazario (Senior Security Engineer, Arbor Networks)

Google’s tremendous database has facilitated a number of queries that before we could only dream of. The back-end analysis tools, exposed through search facilities and operators, solve a number of technical hurdles and leave only your imagination as a limiting factor. While other talks have focused on finding out about people and hidden secrets using Google, this talk will focus instead on using Google Code Search to perform large-scale static code analysis to find security-related bugs, and on how to use the standard Google search facility to find malware and suspicious executables. We’ll explore what this means, discuss tools to facilitate this approach, and show you how to go forth and discover the Internet’s underbelly.
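Google Code Search took regular expressions as queries, and the same queries that surface candidate bugs at web scale work locally over a checked-out tree. The following is an added example, not Arbor Networks’ tooling, of that style of analysis: three starting-point patterns (unbounded string copies, shell invocation, and printf-family calls whose format argument is a bare variable) applied line by line to C source. Every hit is a lead rather than a bug; reachability and attacker control still have to be confirmed by reading the code. The C snippet and the file name greet.c are constructed for the example.

```python
"""Regex "code search" queries for security-relevant patterns in C source."""
import os
import re
from typing import List, Tuple

QUERIES = {
    "unbounded copy": re.compile(r"\b(?:strcpy|strcat|gets|sprintf)\s*\("),
    "shell command": re.compile(r"\b(?:system|popen)\s*\("),
    # printf(var) / fprintf(stream, var) / syslog(prio, var): the format is
    # an identifier and the last argument. A variable format followed by
    # further arguments is not caught by this query.
    "format string": re.compile(
        r"\b(?:printf\s*\(\s*|(?:fprintf|syslog)\s*\(\s*\w+\s*,\s*)"
        r"[A-Za-z_]\w*\s*\)"),
}

# Constructed sample with two dangerous calls, one clean printf and snprintf.
SAMPLE_C = r"""#include <stdio.h>
#include <string.h>
#include <stdlib.h>

void greet(const char *name) {
    char buf[64];
    strcpy(buf, name);
    printf(buf);
    printf("hello %s\n", buf);
}

int run(const char *arg) {
    char cmd[128];
    snprintf(cmd, sizeof cmd, "ls %s", arg);
    return system(cmd);
}
"""

Finding = Tuple[str, int, str, str]   # file, line number, query, source line


def scan(source: str, filename: str) -> List[Finding]:
    """Apply every query to every line; one finding per (line, query) hit."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern in QUERIES.items():
            if pattern.search(line):
                findings.append((filename, lineno, name, line.strip()))
    return findings


def scan_tree(root: str, suffixes: Tuple[str, ...] = (".c", ".h")) -> List[Finding]:
    """Walk a source tree on disk and scan every C file in it."""
    out: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith(suffixes):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    out.extend(scan(fh.read(), path))
    return out


if __name__ == "__main__":
    for path, lineno, query, text in scan(SAMPLE_C, "greet.c"):
        print(f"{path}:{lineno}: [{query}] {text}")
```

The word boundary in each pattern is what keeps `snprintf` and `fgets` out of the results; dropping it is the most common way such queries turn into noise at scale.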

13) The Computer Forensics Challenge and Anti-Forensics Techniques
Domingo Montanaro (Information Security Specialist and Computer Forensics Expert) and
Rodrigo Rubira Branco (IBM, Brazil)

The presentation will cover the main area of interests inside the Computer Forensics Challenge:

- Data Recovery (Several Levels)
- Analyzer’s correct methodology: How to differentiate between a Computer Forensics Expert and a tool operator
- Incident Handling and Response using the most accurate tools - How to not damage evidence

And also of Anti-Forensics stuff:

- Manipulating the forensic analysis through the many methods of subverting the system
- Data Hiding (Encryption, Steganography, FileSystem internals and others): How an attacker can hide data using hacking techniques
- What to trust and what to not trust in evidence collection: hashes, memory dumps, etc.

14) Hacking Ajax and Web Services – Next Generation Web Attacks on the Rise
Shreeraj Shah (Director, BlueInfy)

WEB 2.0 technologies for the Web application layer are still evolving. This framework consists of Web services, AJAX and SOAP/XML and while still evolving has thrown up new attack vectors. To combat the attacks one needs to understand the new methodology, tools and strategies. This presentation reveals emerging security threats, some of which will be demonstrated.

The logical evolution of Web applications has reached a new level with the introduction of WEB 2.0. WEB 2.0 is the combination of new technologies like Web services, AJAX and SOAP. It is important to understand this framework and its fundamentals before looking at security threats. Ajax is becoming an integral part of these new applications and its serialization aspect opens up new ways of hacking browser-side applications, which can lead to XSS and XSRF.

XML-based attack vectors, LDAP/SQL injection, SOAP messaging attacks, AJAX and Web profiling will be covered along with demonstration examples. Web services are the backbone of WEB 2.0 and it is important to understand their security threats.