Here are a number of updates on the upcoming TROOPERS13.
The preliminary agenda for this year’s TelcoSecDay can be found here.
Here’s the (again: preliminary) agenda of the IPv6 Security Summit.
Last but not least, we’ve included another four talks in the main conference:
Sergey Bratus & Travis Goodspeed: You wouldn’t share a syringe. Would you share a USB port?
Synopsis: Previous work has shown that a USB port left unattended may be subject to pwnage via insertion of a device that types into your command shell (e.g. here). Impressive attack payloads have been delivered over USB to jailbreak PS3 and a “smart TV”. Not surprisingly, USB stacks started incorporating defenses such as device registration, USB firewalls, and other protective kits. But do these protective measures go far enough to let you safely plug in a strange thumb drive into your laptop’s USB port?
We demonstrate that the scope of the OS code manipulation feasible through a USB port is much broader than could be expected. USB stack abuse is not limited to emulating HID keyboards or a few exotic devices — it is a clear and present danger throughout the USB software stack and can reach into any part of the operating system kernel and driver code. We show a simple development environment that is capable of emulating any USB device to engage whatever software on the host computer is meant to interact with such devices — and break any and all of the assumptions made by such software, leading to pwnage. In a nutshell, sharing a USB port belongs in the past — just as the era of downloading arbitrary executables and other Internet “free love”.
Lee (beist) SeungJin: Smart TV Security.
Synopsis: Smart TV sold over 80,000,000 around the world in 2012. The next generation “smart” platform is becoming more and more popular. On the other hand, we hardly see security research on Smart TV. This presentation will talk about what we’ve found and figured out on the platform.
You can picture that Smart TV has almost all attack vectors that PC and Smart Phones have. Also, Smart TV has its own attack vectors such as remote controller. We’ll talk about attack points of Smart TV platform and discover security bugs we found.
Moreover, what attackers can do on a hacked Smart TV. For example, fancy Smart TVs have many hardware modules like Camera or Mic, which means bad guys could watch you in a way that users never notice. Even more, they could possibly keep the Smart TV working 24/7 even though users turn off their TV, which means #1984 could be done.
In addition, we’ll point out a difference of viewpoint of leaked information type among PC, Smart Phone and Smart TV. Lastly, we’ll give a demo of capturing photos taken live and sending them to an attacker’s server at this talk.
Bio: Beist has been a member of the IT security field since 2000. His first company was Cyber Research based in Seoul, South Korea and focused on pen-testing. He then got a Computer Engineering B.A. degree from Sejong University.
He has won more than 10 global CTF hacking contests in his country as well as passed DefCon quals 5 times. He has sold his research to major security companies like iDefense and ZDI (Recon ZDI contest).
He has run numerous security conferences and hacking contests in Korea. Hunting bugs and exploiting them are his main interest. He does consulting for big companies in Korea and is now a graduate student at CIST IAS LAB, Korea University.
Martin Eiszner: (In)Security Appliances
Synopsis: It is no novelty that software vendors produce insecure software. Numerous security advisories posted each day illustrate this fact. But for security software this picture is different. Their purpose is to protect our network, they offer secure access to our network, they protect us from virus threats, they protect our emails, they protect our information, and they protect our crown jewels. With security software, it is different, they are built securely, and they are free of vulnerabilities… That’s what you thought!
Let us take you on a journey into the mists of security appliances. Follow us while we unveil the mystery and demonstrate how security appliances suddenly become the weakest link of your defense, how we abuse security appliances to gain access to your network, to your data and your crown jewels. We turn security appliances to insecurity appliances.
During this journey, we will disclose world-shattering vulnerabilities in security appliances of well-known vendors.
Bio: Martin Eiszner has been CTO for SEC Consult for the last 10 years. He has been working as a professional security consultant for the last 18 years. Starting with reversing copy protections of software distributed through so-called floppy disks in the 80s, he soon became interested in application and web application security, ending up as a key contributor for the 1st OWASP Guide in 1996. He is interested in various topics regarding technical information security such as reversing firmware for mobile and embedded devices, but also in some non-technical topics such as vulnerability markets and the role of software vendors in the security game.
Dmitry Sklyarov: Flash Storage Forensics
Synopsis: Lots of modern devices use flash memory as primary storage, and some of those devices (e.g. smartphones) often hold private data. There are common ways to protect stored data (with encryption). But are there easy ways to properly dispose of sensitive information?
Bio: Dmitry Sklyarov is a Lead Analyst at Positive Technologies and a lecturer at Moscow State Technical University. He did research on the security of eBooks and on the authentication of digital photos. Recent research projects involved mobile phone and smartphone forensics.
Well, I’m obviously biased ;-), but methinks it’s going to be an exciting week in March…
A very good weekend to everybody