We’re very happy to announce the third round of Troopers 2013 talks today (first round here, second here).
So much quality stuff… it seems to get (ever) better every year ;-).
Here we go:
==================
Michael Ossmann & Dominic Spill: Introducing Daisho – monitoring multiple communication technologies at the physical layer.
Synopsis: Most communications media can be monitored and debugged at various levels of the stack, but we believe that it is most important to examine them at the physical layer. From there, the security of every level can be investigated and tested. The task of monitoring physical layer communications has become increasingly difficult as we try to squeeze more and more bandwidth out of our links. A passive tapping circuit can be used to monitor a 100BASE-TX connections, but no such circuit exists for 1000BASE-T networks.
Our solution to this problem is Project Daisho; an open source hardware and software project to build a device that can monitor high speed communication links and pass all of the data back to a host system for analysis. Daisho will include a modular, high bandwidth design that can be extended to monitor future technologies. The project will also produce the first open source USB 3.0 FPGA core, bringing high speed data transfer to any projects that build on the open platform.
As a proof of concept at this early stage, we will demonstrate monitoring of a low bandwidth RS-232 connection using our first round of hardware and discuss the challenges involved with the high speed targets such as 1000BASE-T and USB 3.0 that we will take on later this year.
Bios: Michael Ossmann is known for his experience with radio communications technology and open source hardware design, having produced both the Ubertooth and HackRF as well as regularly teaching workshops on software defined radio. He has spoken about his work with software defined radio and Bluetooth at Troopers, Black Hat, DEF CON, ToorCon, ShmooCon and more.
Dominic Spill has been building a Bluetooth packet sniffer since 2007; last year he took over as lead developer for the Ubertooth and has recently begun working with Michael on Daisho. He has previously presented his Bluetooth work at DEF CON, ShmooCon, USENIX WOOT, and Kiwicon.
Both speakers have a passion for building open source tools to allow curious people to examine the technologies and protocols that we use to communicate.
===
Adem Sen: Understanding & Mitigating Large Scale DoS Attacks.
Synopsis: In 2012, quite a few organizations have been exposed to large scale denial-of-service attacks. Still in some places there’s a lack of understanding and preparedness/response capabilities.
This talk will provide a classification of common DoS attacks and the methods & tools used by the attackers. Furthermore different mitigation approaches will be discussed, together with their advantages/disadvantages and scenarios where they can (or can not) be applied. The speaker can & will provide first hand experience from being in charge to counter an attack of multi-gigabit scale and from several other case studies.
Bio: Adem is a security expert with German Railways (DB Systel) where he is responsible for the corporate network’s and telecommunication’s security.
He has been designing and implementing network security mechanisms for many large scale environments for over 10 years, covering high secure networks and high secure VoIP environments. He is specialized on network defense techniques and has vast experience in analysis and mitigation of DDoS attacks.
===
Chris Nickerson: Guerillas in the Wires.
Synopsis: From 6000 BCE to today we have been schooled in war. Human kind has endured endless attacks, leveraging every tool as a weapon and every weapon as a tool. Throughout this 8000+ year history there have been superpowers which dominated the battlefield and conquered those with far less resources than they possessed. BUT….. Every one of the conquering was eventually beaten. Even the most impressive of military forces have been completely dismantled through the use of tactics and sheer will. In 1809 these tactics were given a name “Guerrilla Warfare”. Juan Martin Diez, with only a few thousand men/woman, used these tactics to beat the invading forces of Napoleon time after time. No matter how many resources, soldiers, and tactics the French threw at the problem… the Guerrillero never gave in.
This talk will look at an 8000yr old problem through a historical lens and attempt to provide insight on WHERE WE ARE TODAY and WHERE TO GO FROM HERE. In order to do this, we must discuss if your inflated security budget, mass of troops and BLOCKS of defensive measure make you a Superpower or just another sitting duck?
Bio: Chris is a security guy. He has a bunch of certifications (CISSP,CISA,ISO…etc) and a whole lot of experience to put into slide decks to make you say “wow…. he MUST know what he is talking about!” He likes to ask questions, play different roles, stand on the desk, and rant about his passions.
Chris likes to get to the point and do work! He’s worked at Fortune 100 companies and ran a few InfoSec businesses of his own. He is the co-host of the Exotic liability Podcast, the author of the upcoming “RED TEAM TESTING” book published by Elsevier/Syngress and a founding member of BSIDES Conference.
===
David Weinstein: Corporate Espionage via Mobile Compromise: A Technical Deep Dive.
Synopsis: Corporate scale cyber espionage is a threat to keeping a leg up on the competition. Mobile phones are increasingly targeted by attackers and can be a powerful tool to gain entry to a company and exfiltrate intellectual property. We will examine how the ability of the mobile device to operate on either side of corporate boundaries exposes the company to risk. This talk will be particularly technical in describing the implementation of a reprogrammable USB device built upon the Linux gadget framework on Android used to penetrate traditional corporate defenses. We will also demonstrate an Android RAT specifically designed to aware of its surroundings, capable of recording sensitive audio, video, bluetooth, and wireless connections, while silently waiting to be plugged into a corporate laptop/desktop. Then the fun begins!
Bio: David is a young software engineer and mobile security researcher. His cutting-edge work in Android and embedded systems has contributed to multiple patent-pending designs, and has recently provided expert consulting to DARPA and other government projects on mobile security. David has written papers on thin-client computing, innovated in the area of cryptographic systems for USB peripherals, and re-envisioned the defensive possibilities of mobile phone chargers.
Selected Publications:
SeRPEnT: Secure Remote Peripheral Encryption Tunnel, MITRE technical report.
A Security Hygienic Smart Charger for Mobile Devices, IEEE Mobile Security Technologies (MoST 2012), San Francisco, CA.
BEYOND THIN CLIENTS: LIMITING CYBERSECURITY VULNERABILITIES.
===
Dominick Baier: OAuth2 – Ready or not (here I come).
Synopsis: After a 3-year long struggle, the IETF finally released the OAuth2 specifications (RFC 6749 & 6750). While all the big players (like Google, Microsoft and Facebook) are already using it, more and more people want to follow. But there is big confusion about what OAuth2 really is, what its uses cases are and which problems it can actually solve. At the same time, also the security experts out there don’t really agree if OAuth2 is a complete failure, or not – or something in between. Dominick walks you through OAuth2, its use cases, dark corners and pitfalls.
Bio: Dominick works as an associate consultant for the Germany-based company thinktecture. His main area of focus is identity management & access control in particular. He helps customers around the world implementing claims-based identity, single sign-on, authorisation and federation in their web applications, services and APIs. Dominick is an international conference speaker and the author of ‘Developing more-secure ASP.NET Application’ and co-author of the Microsoft Patterns & Practices ‘Guide to Claims-based Identity and Access Control’.
You can find Dominick’s blog at http://www.leastprivilege.com and his various open source projects (which include the very popular security token service called thinktecture IdentityServer) at http://thinktecture.github.com.
==================
More talks to follow soon… so stay tuned 😉
See you @Troopers, have a great day everybody and don’t forget to follow us on Twitter.