Slideshows by User: hashdays (SlideShare feed, Wed, 25 Jun 2014 01:52:06 GMT)

Ange Albertini and Gynvael Coldwind: Schizophrenic Files - A file that thinks it's many
/slideshow/schizophrens/36276833
As file format specs leave room for interpretation and are sometimes misunderstood or ignored by programmers, some well-formed files may be interpreted inconsistently by different tools and libraries. As a result, this can be (ab)used for simple jokes, anti-forensics, or to bypass sanitizers, which might lead to data exfiltration.

Ange Albertini: Reverse engineer, author of Corkami.
Gynvael Coldwind: His main areas of interest are low-level security (kernel, OS, client), web security and reverse engineering. Captain of the Dragon Sector CTF team :) Currently working as an Information Security Engineer at Google.

Posted Wed, 25 Jun 2014 01:52:06 GMT by hashdays (Area41)

Jurriaan Bremer and Marion Marschalek: Curing A 15 Year Old Disease
/slideshow/curing15yr/36276723
Visual Basic P-code executables have been a pain for a digital eternity, and even up until today reverse engineers have not come up with a helpful painkiller. So 15 years after the era of VB6 we present a tool that fully subverts the VB6 virtual machine, thus intercepting and instrumenting the VB P-code in real time. Through dynamic analysis we show that our tool aims at intercepting relevant information at runtime, such as plaintext strings in memory and which APIs were called. Even more, with our tool an analyst could instrument the execution of byte code on-the-fly, allowing modification of the virtual machine state during execution. With this fancy gadget it is possible to ease an analyst's life significantly. Having described all ins and outs of our tool, we will demonstrate various possible use cases, concluding our talk with the profit gained for researchers, what we got from it, and possible future use cases.

Jurriaan is a freelance security researcher and software developer from the Netherlands interested in the fields of reverse engineering, malware analysis, mobile security, and the development of software to aid in security analysis. Jurriaan occasionally plays so-called Capture The Flag games as a member of Eindbazen CTF Team, he's a member of The Honeynet Project, and he's also one of the Core Developers of Cuckoo Sandbox.
Marion Marschalek is a malware researcher at Cyphort Inc. based in Santa Clara. Marion is working as a malware analyst and in incident response, but has also done research in the area of automated malware analysis and vulnerability search. Besides that she teaches basics of malware analysis at the University of Applied Sciences St. Pölten. Marion has spoken at international hacker conferences such as Defcon Las Vegas and POC Seoul. In March 2013 she won the Female Reverse Engineering Challenge 2013, organized by RE professional Halvar Flake.

Posted Wed, 25 Jun 2014 01:48:26 GMT by hashdays (Area41)

Marc Ruef: Adventures in a Decade of Tracking and Consolidating Security Vulnerabilities
/slideshow/marc-ruef/36276563
The talk discusses the approach, possibilities and difficulties that a vulnerability database maintainer is handling. It will offer real-world insight into almost 15 years of vulnerability database management and a database that covers more than 12.000 entries today. The task didn't get any easier as more and more vulnerabilities get published with increasing complexity, but much less information is provided in most original advisories. Correlating this data and compiling the best for the users is a complex task that requires solid processing and a deep understanding of the technical background.

Marc Ruef is co-founder and member of the board at scip AG in Zürich (http://www.scip.ch). The Swiss company provides consulting services covering security testing and forensic analysis, primarily in the financial sphere. He has written several books, of which "Die Kunst des Penetration Testing" (The Art of Penetration Testing) is the most well-known (http://www.computec.ch/mruef/?s=dkdpt). He launched and joined several projects, discussing and improving the broad field of information technology. One of these projects is scip VulDB, a free vulnerability database which has been covering more than 12.000 entries since 2003.

Posted Wed, 25 Jun 2014 01:44:02 GMT by hashdays (Area41)

Rob "Mubix" Fuller: Attacker Ghost Stories
/slideshow/attacker-ghost-stories-v8/36276483
This talk was originally titled "I'm tired of defenders crying", but I thought better of it. This talk is about the tidbits that I've seen piecemeal across the multitude of businesses, big and small, that were innovative and highly effective, yet free or mostly free, and stopped me dead in my tracks. I go over a number of free, or nearly free, methods, tactics, and software setups that will cut down intrusions significantly and that you can deploy, or start deploying, the hour after the talk is done.

Mubix is a Senior Red Teamer. His professional experience starts from his time on active duty as a United States Marine. He has worked with devices and software that run the gamut in the security realm. He has a few certifications, but the titles that he holds above the rest are FATHER, HUSBAND and United States Marine.

Posted Wed, 25 Jun 2014 01:41:28 GMT by hashdays (Area41)

Halvar Flake: Why Johnny can't tell if he is compromised
/slideshow/why-johnny-cant-tell-if-he-is-compromised/36276323
Halvar Flake - Keynote to Area41 2014

Posted Wed, 25 Jun 2014 01:35:34 GMT by hashdays (Area41)

hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy
/slideshow/hashdays-2011-tobias-ospelt-reversing-android-apps-hacking-and-cracking-android-apps-is-easy/10218270
This talk shows the possibilities of reversing Android applications. After an introduction about Android issues in the past, Tobias Ospelt explains how he managed to download several thousand Android applications from the Google Market, and which security issues are present in various apps. Apps can be decompiled, altered and recompiled, which means that for most apps it is very easy to steal code or to include malware. Some of the apps use obfuscation to disguise the code, but encryption keys, for example, can still easily be extracted. Small game developers, as well as big companies, are not aware of the risk that their code can be decompiled to Java and disassembled to smali code. This is how a lot of protection mechanisms can be circumvented, such as licensing (cracking a game) or corporate solutions (enforcing policies on the mobile). The talk shows how easily anybody can reverse Android apps and how encryption keys can be extracted, even when the code is obfuscated. The material is a nice follow-up to the Android talk of Jesse Burns from last year at #days, although this talk is more focused on the apps and shows some more hacks/code/encryption/obfuscation/reversing.

Bio: Tobias Ospelt is working as a security expert and tester for Dreamlab Technologies AG in Bern. He is mainly involved in web application and mobile security penetration tests. Tobias Ospelt joined Dreamlab after achieving his Master's degree focusing on IT security, and after having worked as a Research Assistant at the Zurich University of Applied Sciences.

Posted Fri, 18 Nov 2011 07:45:19 GMT by hashdays (Area41)

hashdays 2011: Mikko Hypponen - Keynote
/slideshow/hashdays-2011-mikko-hypponen-keynote/10218252
Posted Fri, 18 Nov 2011 07:44:16 GMT by hashdays (Area41)

hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attacks - Lessons from Stuxnet
/slideshow/hashdays-2011-felix-fx-lindner-targeted-industrial-control-system-attacks-lessons-from-stuxnet/10218238
The talk will show you the technical details of Stuxnet in their full glory and make you appreciate this work of engineering more. Based on a code-level analysis of the Stuxnet PLC payload, the presentation will explain techniques therein that can be used for industrial espionage and sabotage by copycat attackers against competitors' production facilities. Currently recommended defenses, their shortcomings and alternative approaches will also be discussed.

Bio: Felix 'FX' Lindner is founder and technical lead of the Recurity Labs GmbH consulting and research team. He is also the leader of the Phenoelit group and loves to hack pretty much everything with a CPU and some communication, preferably networked. He looks back at 15+ years of (legal) hacking with only a couple of Cisco IOS and SAP remote exploits, tools for hacking HP printers and protocol attacks lining the road.

The talk will show you the techical details of Stuxnet in their full glory and make you appreciate this work of engineering more. Based on a code-level analysis of the Stuxnet PLC payload, the presentation will explain techniques therein that can be used for industrial espionage and sabotage by copycat attackers against competitor's production facilities. Currently recommended defenses, their shortcomings and alternative approaches will also be discussed. Bio: Felix 'FX' Lindner is founder and technical lead of the Recurity Labs GmbH consulting and research team. He is also the leader of the Phenoelit group and loves to hack pretty much everything with a CPU and some communication, preferably networked. He looks back at 15+ years of (legal) hacking with only a couple Cisco IOS and SAP remote exploits, tools for hacking HP printers and protocol attacks lining the road.]]>
Fri, 18 Nov 2011 07:43:04 GMT
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attacks - Lessons from Stuxnet from Area41
hashdays 2011: Sniping Slowloris - Taking out DDoS attackers with minimal harm to your users /slideshow/hashdays-2011-sniping-slowloris-taking-out-ddos-attackers-with-minimal-harm-to-your-users/10218226
Request delaying attacks like Slowloris or RUDY made it clear that killing a web server via HTTP is trivial. No, it is not trivial. It's even easier than that. One netbook, probably a smartphone, is enough to consume all the threads a big-iron server has to offer. In this age of super-smart AJAX services with fat backend application servers exposed on the internet, this is bad news. When the Anonymous network attacked, VISA, Mastercard and Swiss Post got a bloody nose out of it. This talk will teach you some basics and then fairly advanced defense methods. This is a hands-on guide to configuring the standard defense techniques on Apache, including ModSecurity recipes. Furthermore, a custom script will be presented that helps you monitor your server's incoming connections and throw out the attackers. Some of the information is useful for other server types as well. Along the line you will also pick up useful information on the defense of medieval castles, but that is not the main focus of the talk. Really.
Bio: Christian Folini studied history and computer science at the Universities of Fribourg, Switzerland, and Bern. His postgraduate studies took him to Bielefeld and Berlin. Christian Folini holds a PhD in Medieval History and has ten years of experience with Unix and web servers in particular. Christian Folini works as a security consultant and web server engineer for netnea.com, a contracting company based in Berne, Switzerland. His customers include Swiss Post, the Federal Office of Information Technology (BIT), IBM, Novartis, Cornerbank and Swiss TV. He has several years of experience with ModSecurity installations and developed REMO, a graphical rule editor for ModSecurity. He gave ModSecurity classes at OWASP conferences and contributed to the latest editions of the Center for Internet Security (CIS) Apache Benchmark. Recently, he started to write a series of tutorials on secure enterprise-level Apache deployments with a purely open source approach. These tutorials are all in German. See http://www.netnea.com. Christian Folini started to do research on request delaying or Slowloris-type DoS/DDoS in 2006, but never published his findings beyond the Apache/ModSecurity mailing lists until Slowloris was released by RSnake in June 2009. Christian Folini's analysis of Slowloris appeared in Linux Weekly News the day his first son was born (and I tell you, finishing the article in time was a tough race). http://lwn.net/Articles/338407/
Fri, 18 Nov 2011 07:42:18 GMT
hashdays 2011: Sniping Slowloris - Taking out DDoS attackers with minimal harm to your users from Area41
hashdays 2011: Christian Bockermann - Protecting Databases with Trees /slideshow/hashdays-2011-christian-bockermann-protecting-databases-with-trees/10218211
Though publicly known for a long time, SQL injection attacks do not yet seem to have reached their peak; the LulzSec activities in mid-2011 showed the overall presence of applications vulnerable to SQL attacks. Organizations like OWASP and MITRE rank SQL injections as the most dangerous threats to our (web) infrastructures, and even SQL injections in SMS text messages have been reported. Vendors of Web Application Firewalls spend enormous efforts to create patterns to detect SQL injections at the application protocol layer, but attackers spend even more effort finding evasions of these patterns using various encodings or polymorphic substitutions within SQL. In this talk we will have a look at SQL injections from the syntax-level perspective of the SQL language. We exploit the parser component of the database system to produce a syntax tree of the command that has been passed to the database by the web frontend. The resulting tree provides a representation of the command that can be compared to a set of known commands expected to be used by the deployed web application.
Bio: Starting with Linux/network security in 1996, Christian Bockermann has been working in computer security for over 10 years. While working as a Java web-application developer for several years he started concentrating on web security as his primary subject. Since he graduated with an MSc in computer science with an emphasis on anomaly detection in web applications, he has been working on his Ph.D., combining methods of machine learning and artificial intelligence in web-application firewalls and system monitoring. A proposal for his intelligent web-application firewall project was elected among the top-10 projects of the 2nd German IT-Security Award. Alongside this Ph.D. research, Christian works as a freelancer in web-security consulting, mostly focused on Apache and ModSecurity. He is also the author of several Java tools supplementary to ModSecurity, the most prominent being the AuditConsole log-management server for ModSecurity.
Fri, 18 Nov 2011 07:41:01 GMT
hashdays 2011: Christian Bockermann - Protecting Databases with Trees from Area41
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opcodes (and PE files too...) /slideshow/hashdays-2011-ange-albertini-such-a-weird-processor-messing-with-x86-opcodes-and-pe-files-too/10218166
Whether it's for malware analysis, vulnerability research or emulation, having a correct disassembly of a binary is the essential thing you need when you analyze code. Unfortunately, many people are not aware that there are a lot of opcodes that are rarely used in normal files but valid for execution, and also that several common opcodes have rarely seen behaviours, which could lead to wrong conclusions after an improper analysis. For this research, I decided to go back to the basics and study assembly from scratch, covering all opcodes, whether they're obsolete or brand new, common or undocumented. This helped me to find bugs in all the disassemblers I tried, including the most famous ones. This presentation introduces the funniest aspects of the x86 CPUs that I discovered in the process, including unexpected or rarely known opcodes and undocumented behavior of common opcodes. The talk will also cover opcodes that are used in armored code (malware/commercial protectors) that are likely to break tools (disassemblers, analyzers, emulators, tracers, ...), and introduce some useful tools and documents that were created in the process of the research.
Bio: Ange Albertini has been a reverse-engineering and assembly language enthusiast for around 20 years, and a malware analyst for 6 years. He has a technical blog, where he shares experimental source files and some infographics that are useful in his daily work.
Fri, 18 Nov 2011 07:37:36 GMT
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opcodes (and PE files too...) from Area41
hashdays 2011: Jean-Philippe Aumasson - Cryptanalysis vs. Reality /hashdays/hashdays-2011-jeanphilippe-aumasson-cryptanalysis-vs-reality
Cryptanalysts publish a tremendous number of research articles presenting attacks on ciphers, hash functions, or authentication protocols. However, not all academic attacks pose a threat to the real-world applications where the attacked crypto is deployed. In this talk, we'll explain why attacks are not always attacks by going through technical subtleties of state-of-the-art cryptanalysis research, which we'll illustrate with concrete field examples. The topics discussed include related-key attacks, the real security of AES, as well as the role of the human factor.
Bio: Jean-Philippe Aumasson is a cryptographer at Nagravision SA, a world leader in digital security and conditional access systems. He received a PhD from EPFL in 2009 and authored more than 20 research papers in the field of cryptanalysis. He was co-awarded prizes for his cryptanalysis results, and is the co-inventor of new attacks such as cube testers, zero-sum attacks, tuple attacks, and banana attacks. He is the principal designer of the hash function BLAKE, one of the 5 finalists in NIST's SHA-3 competition.
Fri, 18 Nov 2011 07:36:36 GMT /hashdays/hashdays-2011-jeanphilippe-aumasson-cryptanalysis-vs-reality hashdays 2011: Jean-Philippe Aumasson - Cryptanalysis vs. Reality
hashdays 2011: Jean-Philippe Aumasson - Cryptanalysis vs. Reality from Area41