Andrea Allievi - Understanding and defeating Windows 8.1 Patch Protections: it’s all about gong fu! (part 2)

Andrea Allievi is an Italian computer security researcher with over 6 years' experience. He graduated in 2010 from the University of Milano Bicocca with a Bachelor's degree in Computer Science. For his thesis, he developed a Master Boot Record (MBR) bootkit written entirely in 64-bit code and capable of defeating some Windows 7 protections. He is also the original designer of the first UEFI bootkit. Andrea specializes in operating system internals, from kernel-level code all the way to user-land code.



He has carried out a great deal of security-related research, ranging from all kinds of malware (especially kernel-mode rootkits) to the analysis of specific operating system security features (such as Windows 8 AppContainers).



Andrea works as a Security Researcher in the Talos Security Research and Intelligence Group at Cisco Systems Inc.







Jean-Philippe Aumasson - Cryptographic Backdooring

We describe the different classes of cryptographic backdoors, which depend on where sabotage occurs in the cryptographic supply-chain. We characterize and categorize backdoors, in terms of discoverability, detectability, and exploitability, and propose semi-formal definitions in order to encourage a more rigorous study of malicious cryptography.



Several examples are discussed, from straightforward coding backdoors to Dual_EC or the recently sabotaged SHA-1 instances.



Jean-Philippe (JP) Aumasson is Principal Cryptographer at Kudelski Security, in Switzerland. He is known for designing the cryptographic functions BLAKE, BLAKE2, SipHash, and NORX. He has spoken at conferences such as Black Hat and CCC, and initiated the Crypto Coding Standard and the Password Hashing Competition projects. He is a member of the technical advisory board of the Open Crypto Audit Project. JP tweets as @veorq.





Andrea Barisani - Forging the USB armory

Inverse Path recently introduced the USB armory project, an open source hardware design implementing a flash-drive-sized computer for security applications. The USB armory is a compact, USB-powered device that provides a platform for developing and running a variety of applications.



The security features of the USB armory System on a Chip (SoC), combined with the openness of the board design, empower developers and users with a fully customizable USB trusted device for open and innovative personal security applications.



The presentation will cover the journey we have taken to develop the USB armory board from scratch, explaining the lessons learned and its prospective applications.



Andrea Barisani is an internationally known security researcher. Since owning his first Commodore-64 he has never stopped studying new technologies, developing unconventional attack vectors and exploring what makes things tick...and break.



His experience focuses on large-scale infrastructure administration and defense, forensic analysis, penetration testing and software development, with more than 13 years of professional experience in security consulting.



As an active member of the international Open Source and security community, he has contributed to several projects, books and open standards. He is now the founder and coordinator of the oCERT effort, the Open Source Computer Security Incident Response Team.



He has been a speaker and trainer at BlackHat, CanSecWest, DEFCON, Hack In The Box, PacSec conferences among many others, speaking about TEMPEST attacks, SatNav hacking, 0-days, OS hardening and many other topics.





Anthony Zboralski - No Such Security

Anthony Zboralski is a computer hacker who has worked as a security expert for nearly 20 years. He has experience performing penetration tests, security assessments and related services for industries ranging from manufacturing through telecommunications and banking to government. Some of his activity as a teen was recorded by security expert and technologist Bruce Schneier: “In 1994, a French hacker named Anthony Zboralski called the FBI office in Washington, pretending to be an FBI representative working at the U.S. embassy in Paris. He persuaded the person at the other end of the phone to explain how to connect to the FBI’s phone conferencing system.”



Since then Zboralski has turned his attention to information security. He has assisted numerous governments and dozens of Fortune 500 companies in testing the security of their systems and highlighting their vulnerabilities. He is now founder and CEO of Belua, an experimental search engine dubbed “the anti-google project”.





Nicolas Collignon - Google Apps Engine security

Based on feedback from multiple penetration tests and code reviews, this talk answers practical questions about GAE: how secure is the Google GAE infrastructure? How does Google protect your applications? How can a GAE application hosted in Google datacenters affect the security of your internal network?



This talk is not about theory or trolling on “is-cloud-good-or-wrong”, but will present real-world attacks, including arbitrary code execution to escape the Python sandbox in the Google datacenters and exploration of the GAE platform outside of the Python sandbox.



Nicolas Collignon has been auditing and pentesting information systems for more than 9 years. He’s the author of several publications such as “Playing with Windows /dev/(k)mem”, “Tunneling TCP over RDP: rdp2tcp”, “Shell over DTMF”, “VMware and virtualization security” and “JSF ViewStates upside-down”. He is currently leading the penetration testing team at Synacktiv. For the last 2 years, he has spent a considerable amount of time hacking the Android operating system and Google services.





Benjamin Delpy - Mimikatz

Benjamin Delpy is a security researcher known as 'gentilkiwi'. He has presented at Black Hat, Defcon, PHDays, BlueHat, and more. A security enthusiast, he publishes tools and articles to discuss product weaknesses and to prove some of his ideas. Mimikatz was his first software to reach an international audience. It is now recognized as a Windows security audit tool - http://blog.gentilkiwi.com/mimikatz





Sebastien Dudek - HomePlugAV PLC: practical attacks and...

Domestic Power-line Communication (PLC) devices are used to extend a LAN, much as WiFi does, but over the power lines. Even if PLC has had a bad reputation because of a few aspects in the past (poor security, poor speed, instability caused by interference, ...), this technology has grown up and now offers a better, more stable connection, with an encrypted conversation between two PLC devices. Someone who wants to extend their private network easily without additional wires, or without spending a 'fortune' on wireless repeaters, will use PLCs. Moreover, Internet Service Providers in France usually provide a HomePlugAV adapter embedded in the power supply of their routers and set-top boxes. As HomePlugAV is implemented on a lot of devices, we were interested in studying its security and its weaknesses.



In this talk, we will see how PLC works, with a detailed network analysis. Then we will look at a few practical attacks to penetrate and backdoor a private LAN.



Sébastien Dudek is a security researcher at Sogeti ESEC R&D labs. His main fields of interest are radio communication technologies (GSM, GPRS, RFID, Wi-Fi, POCSAG, DECT...), but also other areas like software, web, and network security.



He has been a speaker at Hack.lu 2012, where he talked about GSM protocol stack fuzzing and his fuzzing environment. Interested in application security, particularly on Linux, he has also contributed an article to the French magazine MISC (issue 62) on current Linux mitigations and possible ways to bypass them.





Georgi Geshev - Your Q is my Q

Message Queueing concepts are well established in enterprise environments, which are already known to be fairly insecure. Now that the Internet of Things is gaining momentum, MQ is also the lightweight mechanism of choice for communicating with your fridge and toaster. We discovered a series of vulnerabilities in several widely adopted MQ implementations that would allow an adversary to cause mass disruption in your corporate network, or maybe pull the shadow file off your neighbours' microwave. General MQ concepts will be briefly introduced to the audience, followed by a short attack surface walk-through and a quick review of the common vulnerabilities and typical misconfigurations, and ways to identify and leverage them for fun or profit.



Georgi is a security researcher for MWR InfoSecurity in the UK. Prior to moving to the UK, he worked in Australia, where he was mostly drinking golden ales and fighting with kangaroos. He was at some point in his life involved with a couple of local chapters of OWASP. His main areas of interest include bug hunting, reverse engineering and cryptography.





Ezequiel Gutesman - Blended Web and Database Attacks on Real-time, In-Memory Platforms

It is well known that there is a race going on in the "Big Data" arena (take a drink for even thinking about the "Internet of Things"). One of the stronger competitors in the "Big Data" market is Real-Time, In-Memory Platforms. An interesting thing about this kind of platform, and the one we will talk about specifically, is that it blends everything together to increase performance. The database tables, webserver engine, webserver code, authorization, analytics engine, libraries, etc. are all optimized to, if possible, never touch the disk.



Surprisingly, this causes a perspective shift for the web and database application threat landscape and how security professionals should address it.



Ezequiel Gutesman is Director of Research at Onapsis. He has led security research projects for the last 10 years giving talks and presentations in international security conferences such as Black Hat, Hack.Lu and Ekoparty. Ezequiel is responsible for Onapsis innovation in cutting-edge ERP security assessment techniques and defensive technologies.





Peter Hlavaty - Attack on the Core

Kernel vulnerabilities were commonly used to obtain admin privileges, and the main rule was to stay in the kernel for as short a time as possible! But nowadays, even when you get admin / root, current operating systems are sometimes too restrictive. That has made kernel exploitation a nice vector for installing into kernel mode!



In this talk we will examine the steps from CPL3 to CPL0, including some nice tricks, and we end up developing kernel-mode drivers.



Peter (@zer0mem) is a security researcher at KEEN Team (@K33nTeam) and his primary focus is kernel exploitation. Peter has 4+ years’ experience in IT security across different areas such as malware research, developing anti-APT solutions, and Windows kernel development & research.





Alex Ionescu - "SURPRISE TALK"

Alex Ionescu is the Chief Architect at CrowdStrike, Inc. Alex is a world-class security architect and consultant, an expert in low-level system software, kernel development, security training, and reverse engineering. He is coauthor of the last two editions of the Windows Internals series, along with Mark Russinovich and David Solomon. His work has led to the fixing of many critical kernel vulnerabilities, as well as of a few dozen non-security bugs.



Previously, Alex was the lead kernel developer for ReactOS, an open source Windows clone written from scratch, for which he wrote most of the Windows NT–based subsystems. During his studies in Computer Science, Alex worked at Apple on the iOS kernel, boot loader, and drivers on the original core platform team behind the iPhone, iPad and AppleTV.





Richard Johnson - Fuzzing and Patch Analysis: SAGEly Advice

Last year, in “Taint Nobody Got Time for Crash Analysis”, we presented implementations of analyses performed on taint traces, including a tool to help determine the input leading to a crash and an exploitability evaluation tool based on symbolic execution. This year we will expand on these topics with a study of our efforts towards improving the effectiveness of binary differential analysis (bindiff) and replicating Microsoft Research’s work on the “Scalable, Automated, Guided Execution” (SAGE) fuzzer.



Richard Johnson is a computer security specialist in the area of software vulnerability analysis. Richard currently fills the role of Manager of Vulnerability Development, in charge of vulnerability discovery, triage, and mitigation research within Cisco Sourcefire VRT, offering 12 years of expertise and leadership in the software security industry. Current responsibilities include research on exploitation technologies and automation of the vulnerability triage and discovery process. Previous areas of security research and tool development include program execution tracing, taint analysis, fuzzing strategies, memory management hardening, compiler mitigations, disassembler and debugger design, and software visualization. Richard has released public code for binary integrity monitoring, program debugging, and reverse engineering, and has presented annually at top-tier industry conferences worldwide for over a decade. Richard is also a co-founder of the Uninformed Journal.





Renaud Lifchitz - Quantum computing in practice

There are a lot of fantasies and myths about quantum computers. Do they exist? What are they useful for? Dive into quantum computing and learn how to develop your own quantum algorithms and run them. Discover how cryptography will be affected, and how it will change, in the near future.



Renaud Lifchitz is a French senior IT security consultant. He has a solid penetration testing, training and research background. His main interests are protocol security (authentication, cryptography, protocol security, information leakage, zero-knowledge proof, RFID security) and number theory (integer factorization and primality tests).



He currently works mostly on wireless protocol security and has been a speaker at the following international conferences: CCC 2010 (Germany), Hackito Ergo Sum 2010 & 2012 & 2014 (France), DeepSec 2012 (Austria), Shakacon 2012 (USA), 8dot8 2013 (Chile).





Rob Rachwald - The Nitty Gritty of Sandbox Evasion

With organizations facing a deluge of cyber-attacks, virtual-machine sandboxing has become a popular tool for quickly examining legions of files for suspicious activity. These sandboxes provide isolated, virtual environments that monitor the actual behavior of files as they execute. In theory, this setup enables security professionals to spot malicious code that evades traditional signature-based defenses.



But sandboxes are only as good as the analysis that surrounds them. By themselves, sandboxes can only monitor and report file activity, not analyze it. And unfortunately for organizations that rely on them, the file-based sandboxes used by many vendors are proving oblivious to the latest malware. Attackers are using a variety of techniques to slip under the radar of these sandboxes, leaving systems just as vulnerable as they were before.



Rob Rachwald has worked in security for more than 15 years. At Intel, Rob worked on securing their supply chain management system. Additionally, Rob managed product marketing at code review companies Fortify and Coverity. Before joining FireEye, Rob was at Imperva for four years as the senior director of security strategy and oversaw Imperva's thought leadership initiatives.





Braden Thomas - Exploitation of a hardened MSP430-based device

This presentation walks through the reverse-engineering and exploitation of a hardened embedded device and provides certain techniques you can use to exploit similar devices. As MSP430 devices become more common, it is slowly becoming the norm to encounter devices in production with blown JTAG fuses. Previously, this was a significant hurdle. In 2008, Goodspeed described several attacks against the MSP's BSL (bootstrap loader). This presentation will review those attacks and describe the challenges facing a researcher attempting to perform them. It will demonstrate how to reliably perform successful firmware extraction on an MSP430 with a blown JTAG fuse. Additionally, the presentation will cover what you might see while reverse-engineering MSP430 firmware. Finally, it will describe a software-only attack that uses a feature of the BSL to extract sensitive data from RAM.



Braden is currently a senior research scientist at Accuvant, focusing on embedded research in the AMI and medical device industries. Prior to Accuvant, he worked as a Product Security Engineer at Apple for 6 years.



At Apple, Braden focused on drastically increasing the internal fuzzing throughput and coverage, as well as performing proactive security reviews for many high-profile features.





Guillaume Valadon, Nicolas Vivet - Detecting BGP hijacks in 2014

The main goal of this talk is to raise awareness of routing security issues by providing a tutorial on the BGP routing protocol and on the detection of specific routing events called IP prefix hijacks. We hope that the security community attending NSC will find interest in network-related issues. In a nutshell, such events happen when two network operators announce overlapping IP prefixes using BGP. As a consequence, IP packets could be delivered to either of these two operators; the final destination mainly depends on the home network of the sender. Overlapping announcements can disturb the whole Internet, as observed in 2008 when YouTube traffic was partially redirected to Pakistan Telecom.



However, duplicated and overlapping announcements may also be legitimate, for instance when an operator wishes to distribute its DNS servers using anycast to filter out DDoS attacks, or needs to assign IPv4 resources to its clients. As a consequence, detecting and classifying hijacks is a challenging task, not only because the dataset is large (around 500 Gb per year), but also because of engineering and commercial practices.



We have been monitoring events that affect French network operators since 2011. This talk will present the issues that must be addressed when trying to detect hijacks on the Internet, and will focus on France as well as Europe to provide examples.



The outline of the talk will be the following:

1. how does BGP work?
2. what are hijacks?
3. engineering Best Current Practices defined by the networking community that could block them
4. offline detection: challenges & results
5. online detection & active measurements: challenges & results.



Guillaume is an Internet professional who works for ANSSI and holds a PhD in networking. He likes looking at data and crafting packets. In his spare time, he maintains Scapy and tries to learn reversing stuff. Also, he still remembers what AT+MS=V34 means.



Nicolas is a network security engineer at ANSSI, the French Network and Information Security Agency. He spends his days developing elegant solutions to Internet-scale problems. He also works on the security of a wide range of network-related devices.





Damien Cauquil - Hardware Workshop - Fun with RF remotes