DEFCON 17 [Video and Slides] Speeches from the Hacker Convention.


Episodes

Pedro hkm Joaquin - Attacks Against 2wire Residential Gateway Routers - Video and Slides
19.11.2009
Attacks Against 2wire Residential Gateways

Pedro "hkm" Joaquin

Some time ago there was a vulnerability in 2wire residential routers that allowed DNS poisoning via Cross-Site Request Forgery; this was widely exploited in Mexico, where this router is most commonly used.

The patch actually contained an Authentication Bypass vulnerability that made things worse, and now, after the patch got patched, there are still many public unpatched vulnerabilities that plague this device.

Pedro "hkm" Joaquin was born on Cozumel island in the Caribbean; he is currently an independent security researcher living in Mexico City. Pedro used to be a forensic investigator, malware analyst and antimalware software vendor for banks in Mexico.

8 years ago Pedro created a community called "Mexican Underground Community" (underground.org.mx), which focuses on hacking and phreaking. They are the largest hacking community in Mexico and have held many public and private meetings all over Mexico, including some 2600 ones.

Over the past years Pedro has been researching residential routers and has found several critical bugs in many of them, primarily focusing on the most popular and commonly used routers in Mexico, the 2wire residential gateway.
Brandon Dixon - Attacking SMS its no longer your BFF - Video and Slides
19.11.2009
Attacking SMS. It's No Longer Your BFF

Brandon Dixon, Information Systems Security Engineer at G2, Inc.

It's the year 2009 and spam mail is still taking up a huge percentage of all email sent every day over the Internet. Could you imagine that same messaging spam making a detour through your favorite cellular provider gateway and right to your SMS inbox? Mobile spam has not reached the same popularity as email spam, but what if it was as easy as submitting a form to spam thousands of people?

Research was done on several messaging services and implementations to identify vulnerabilities to exploit. The end result of the research was that the idea of mobile spam was easily a reality using Jabber/XMPP and some techniques already put in place by multiple vendors. This talk will conclude with a proof-of-concept web application demo that demonstrates the techniques and issues mentioned, as well as thoughts for solving the next generation of spam. Expect to walk away with a new look on mobile spam and the damage that could be done just by pressing submit.

Brandon Dixon is an Information Systems Security Engineer for G2, Inc. He has experience leading research into web services security, XML firewall configuration, and access control models in a service oriented architecture. Brandon has discovered numerous unpublished exploits based on vulnerabilities found in commercial products, web applications and messaging technologies. Additionally, Brandon actively participates in security research both on his own and with groups around the world, primarily with the focus of web application and core device vulnerability testing/discovery.
Adam Savage - Failure - Video
19.11.2009
Failure

Adam Savage Co-Host, MythBusters


A meditation on how I've screwed things up, lost friends and clients, and learned about myself in the process.



Adam Savage has spent his life gathering skills that allow him to take what's in his brain, and make it real. He's built everything from ancient Buddhas to futuristic weapons, from spaceships to dancing vegetables, from fine art sculptures to animated chocolate -- and just about anything else you can think of.



The son of a filmmaker/painter and a psychotherapist, Adam has been making his own toys since he was allowed to hold scissors. Having held positions as a projectionist, animator, graphic designer, carpenter, interior and stage designer, toy designer, welder, scenic painter, he’s worked with every material and process he could get his hands on -- metal, paper, glass, plastic, rubber, foam, plaster, pneumatics, hydraulics, animatronics, neon, glassblowing, moldmaking and injection molding to name just a few.



Since 1993, Adam has concentrated on the special effects industry, honing his skills through more than 100 television commercials and a dozen feature films, including Star Wars Episode I: The Phantom Menace and Episode II: Attack of the Clones, Galaxy Quest, Terminator 3, A.I. and the Matrix sequels. He's also designed props and sets for Coca-Cola, Hershey's, Lexus and a host of New York and San Francisco theater companies.



Not only has he worked and consulted in the research and development division for toy companies and made several short films, but Adam has also acted in several films and commercials -- including a Charmin ad, in which he played Mr. Whipple’s stock boy, and a Billy Joel music video, "Second Wind", in which he drowns.


Today, in addition to co-hosting Discovery Channel's MYTHBUSTERS, Adam teaches advanced model making, most recently in the industrial design department at the San Francisco Academy of Art. Somehow he also finds time to devote to his own art -- his sculptures have been showcased in over 40 shows in San Francisco, New York and Charleston, West Virginia.



Look for Adam on Twitter at http://twitter.com/donttrythis.
Dmitri Alperovitch and Panel - Preparing for Cyber War Strategy and Force Posture in the Information Centric World - Video
08.10.2009
Preparing for Cyber War: Strategy and Force Posture in the Information-Centric World

Dmitri Alperovitch, VP Threat Research, McAfee; Marcus Sachs, Director, SANS Internet Storm Center; Phyllis Schneck, VP Threat Intelligence, McAfee; Ed Skoudis, Founder & Senior Security Consultant, InGuardians

Cyber warfare is the new hot topic of debate in political and military circles in Washington. This panel of cyber policy experts will explore the definition and reality of a cyber warfare threat, focusing on offensive capabilities and military doctrines of our potential nation-state adversaries, debate the deterrence strategies, and operational and legal frameworks guiding the use of defensive and offensive capabilities of the United States. Finally, the panel will discuss the range of options available to US policy makers for preparing for and responding to a cyber attack on this country.

Dmitri Alperovitch is VP of Threat Research at McAfee. He leads the company’s research in Internet threat intelligence analysis, focusing on mail, web, malware and other network threats. Mr. Alperovitch is a leading inventor of numerous patent-pending technologies, including the company’s industry-leading in-the-cloud reputation service, TrustedSource. With more than 10 years of experience in the field of information security, he has accomplished extensive research in the areas of reputation systems, spam detection, public-key and identity-based cryptography, as well as network intrusion detection and prevention. Mr. Alperovitch has significant experience working as a subject-matter expert with all levels of U.S. and International law enforcement on analysis, investigations and profiling of transnational organized criminal activities. In addition, he is a recognized authority on online organized criminal activity and cyber security, and has been quoted in numerous articles, including those by Associated Press, Business Week, New York Times, Los Angeles Times, USA Today, and Washington Post. He has been a featured speaker and panelist at numerous law-enforcement, industry and academic security conferences. Mr. Alperovitch holds a Master of Science in Information Security and a Bachelor of Computer Science from Georgia Institute of Technology.

Since 2003, Marcus Sachs has served as the director of the SANS Internet Storm Center, an all-volunteer Internet early warning service sponsored by the SANS Institute in Bethesda, Maryland. The organization traces its roots back to the Y2K era, when a group of Internet security professionals began exchanging technical information via shared databases. Sachs retired from the U.S. Army in 2001 following a 20-year career as an engineer and systems automation officer, and was subsequently appointed by the President to serve in the White House Office of Cyberspace Security. Since leaving public service in 2003 he has continued to work closely with government and business stakeholders in task forces, working groups, committees, and trade associations as a cyber security expert supporting the National Security and Emergency Preparedness community in Washington, D.C. He is a member of the CSIS Commission on Cyber Security for the 44th Presidency and serves on the executive committees of both the Information Technology and the Communications Sector Coordinating Councils. He holds degrees in Civil Engineering, Science and Technology Commercialization, and Computer Science, and is currently pursuing a Ph.D. in Public Policy.

Dr. Phyllis Schneck is Vice President and Director of Threat Intelligence for the Americas for McAfee, Inc. In this role, she is responsible for design and applications of McAfee’s threat intelligence, strategic thought leadership around technology and policy in cyber security, and leading McAfee initiatives in critical infrastructure protection and cross-sector cyber security. For more than 14 years, Dr. Schneck has had a distinguished presence in the security and infrastructure protection community, most recently as a Commissioner and a working group Co-Chair on public/private partnership for the CSIS Commission to Advise the 44th President on Cyber Security. Dr. Schneck served for eight years as a chairman of the National Board of Directors of the FBI’s InfraGard program and founding president of InfraGard Atlanta, growing the InfraGard program from 2000 to over 30,000 members nationwide. Named one of Information Security Magazine’s Top 25 Women Leaders in Information Security, Dr. Schneck briefed the Japanese Government on information sharing and infrastructure protection, and was the moderator of the White House Town Hall Meeting in Atlanta for the National Strategy to Secure Cyberspace in June of 2002. She holds three patents in high-performance and adaptive information security, and has six research publications in the areas of information security, real-time systems, telecom and software engineering. Dr. Schneck received her Ph.D. in Computer Science from Georgia Tech, and pioneered the field of information security and security-based high-performance computing at Georgia Tech. She maintains a seat on the Advisory Board of the Johns Hopkins University Department of Computer Science, served on the Steering Committee for the Sam Nunn Information Security Forum as well as a term on the Georgia Tech Advisory Board, and co-founded the Georgia Tech Information Security Center and the Georgia Electronic Commerce Association’s Working Group on Information Security.

Ed Skoudis is a co-founder and Senior Security Analyst with InGuardians, a Washington DC based information security consulting firm. Ed teaches SANS Security 504, "Hacker Techniques, Exploits and Incident Handling," and 517, "Cutting Edge Hacking Techniques," on a regular basis. Ed's expertise includes hacker attacks and defenses, the information security industry, and computer privacy issues. He has performed numerous security assessments, provided detailed expert witness services in cases involving major credit card theft, and responded to computer attacks for clients in the financial, high technology, healthcare, and other industries. Ed conducted a demonstration of hacker techniques against financial institutions for the United States Senate and is a frequent speaker on issues associated with hacker tools and defenses. He has published several articles on these topics, as well as the books Counter Hack Reloaded and Malware: Fighting Malicious Code. Ed was also awarded 2004, 2005, and 2006 Microsoft MVP awards for Windows Server Security, and is an alumnus of the Honeynet Project. Previous to InGuardians, Ed served as a security consultant with International Network Services (INS), Predictive Systems, Global Integrity, SAIC, and Bell Communications Research (Bellcore).
Digividual - Sharepoint 2007 Knowledge Network Exposed - Video and Slides
08.10.2009
Sharepoint 2007 Knowledge Network Exposed

Digividual

Microsoft released a free add-on to Microsoft Sharepoint Server 2007 called the Knowledge Network. At the time it seemed like an entry in the Total Information Awareness initiative, though it was never called that in any official form. This talk will dissect the features offered by the Knowledge Network and offer speculations as to what Microsoft might have running already.

Digividual has 15 years of experience developing software on a variety of platforms and frameworks. Lately he has been busy trying to build castles in clouds.

About this podcast

Past speeches and talks from DEF CON hacking conferences in an iTunes-friendly M4v format. The DEFCON series of hacking conferences was started in 1993 to focus on both the technical and social trends in hacking, and has grown to be a world-known event. Video, audio and supporting materials from past conferences will be posted here, starting with the newest and working our way back to the oldest, with new content added as available!