List of Talks

Keynote - Human After All

To properly understand malware, it is crucial to understand the motivations and tactics of malware creators and operators. In this presentation, we describe current trends in malware. We approach the matter from two different angles: statistics and case studies.

We will show up-to-date statistics on malware as observed by an antivirus company with millions of customers. These statistics include the evolution of sample submissions, malware types, and detection types.

We will also go into deeper technical detail for specific cases. These case studies help understand the global situation with real-world examples. Our case studies include analysis of the following malware families: Win32/Kelihos, Win32/OnlineGames.OUM, Win32/SpyEye, and Win32/LockScreen. In addition to describing the malware families, we also elaborate on the techniques we used to analyse these threats. Our analysis shows that some of these families target specific regions or avoid others; we will show the geographic distribution for these cases.

Bio: Pierre-Marc Bureau

Pierre-Marc Bureau is a senior malware researcher at the antivirus company ESET. In this position, he is responsible for investigating trends in malware and finding effective techniques to counter these threats. Prior to joining ESET, he worked for a network security company as a senior security analyst. He finished his master's degree in computer engineering at Ecole Polytechnique of Montreal in 2006; his studies focused mainly on the performance evaluation of malware. He has presented at various international conferences including Recon, Infosec, and Virus Bulletin. His main interests lie in reverse engineering, application and network security.


Security problems in operational navy systems: an industrial point of view

Most navy systems (on a battleship or in a navy base operational centre) integrate civilian hardware/software technologies (Windows PCs, Linux PCs, IP networks, IP phones, Wi-Fi, web servers, SQL ...) and as a consequence also integrate their vulnerabilities. With the increasing risk level, and because these systems handle military devices (radar, electronic warfare systems, weapons, missiles, drones ...), the consequences of a compromise could be very dangerous for both the combat system (e.g. illicit weapon usage) and the ship management system (e.g. corruption of the motor and navigation management systems). The specificities of a battleship at sea increase the complexity of the problem (updating antivirus signature databases, security management, SIEM ...).

Another point is the difficulty the industry has in protecting critical software against reverse engineering, particularly for export under TOT (transfer of technology) requirements.

Bio: Patrick Hebrard

Patrick Hebrard holds a PhD in Mathematics with a Computer Science specialisation from the University of Paris VI (Pierre et Marie Curie). For the last 20 years Patrick has worked as a security expert on defence projects in various companies. He was notably a network security project leader in the field of firewalls, IPsec, ITSEC and Common Criteria (CC) at the Thales group. He was also responsible for the information system security of several navy projects and a speaker at many universities on computer and network security. He is the author of many technical papers in various national and international congresses. He is now head of the Information System Security department of DCNS, a leader in navy systems.

Bio: Laurent Comte

Laurent Comte is a security architect for the DCNS group. He has over 15 years of information security experience. He is security manager for the Whole Warship Information System development and is leading a Common Criteria certification of one of the largest information systems ever certified. Prior to DCNS, he worked for the Thales group as a security software developer and manager. He has also participated in the International Working Group on the Secure Communications Interoperability Protocol. Laurent is a Certified Information Systems Security Professional (CISSP) and an ISO 27005 Risk Manager.

"Steal Everything, Kill Everyone, Cause Total Financial Ruin." (Or how I walked in & misbehaved)

This is not a presentation where I talk about how I would get in or the things I might be able to do. This is a talk where I am already in and I show you pictures from actual engagements that I have been on. They say one picture is worth a thousand words; I show you how one picture cost a company a million dollars and maybe even a few lives. In a community where we focus so much on the offensive, I also make sure that with every attack I highlight, I spend an equal amount of time discussing what would have stopped me. We need to know the problems, but we need more talks providing solutions, and that is what I hope people will get from mine. I show the dangers of social engineering and how even an employee with no SE experience can be an eBay James Bond and then cause total financial ruin to a company. These security threats are real. So are these stories!

Bio: Jayson E. Street

Jayson E. Street is an author of the book "Dissecting the hack: The F0rb1dd3n Network" from Syngress, and the creator of the community site http://dissectingthehack.com

He has also spoken at DEFCON, BRUCON, UCON and at several other 'CONs & colleges on a variety of Information Security subjects.

His life story can be found on Google under "Jayson E. Street".

He is a highly carbonated speaker who has partaken of Pizza from Beijing to Brazil. He does not expect anybody to still be reading this far but if they are please note he was chosen as one of Time's persons of the year for 2006.

Fruit: Why You So Low?

New Zealand exports a lot of things: milk products, tasty tasty lamb, and the eponymous kiwi fruit. The primary import is tourists, and not just any tourists, even hackers. But who writes the travel guides for hackers? Where's the Lonely Planet guide to AS24226? NZ isn't blessed with five different CERTs like Australia, so the Kiwi way is to just do it yer damn self. This talk follows the journey from scanning one box to scanning entire countries; from grepping your results to building enterprise message buses to shunt data into your oh-so-webscale NoSQL warehouse.

Is network reconnaissance passé in 2011 AD, or a multi-million-dollar part of the coming cybergeddonpocalypse? Join kiwi unix hippy Metlstorm as he discusses the practicality, implementation and effect of data-mining country-scale network targeting databases, in NZ and beyond.

Bio: Metlstorm

Metlstorm is a beardy unix hacker from Wellington, New Zealand. Having wandered through ISP network engineering, security product dev, some antics with firewire, and a stint in the lower python mines at Immunity Inc., Metl now doffs his white hat with the good roaches at Brett Moore's Insomnia Security, popping alert("omgxss") shellz and polishing the same burnished SSLv2 finding to a gleaming gloss for every report. Metl likes otters, beer and python, and dislikes security product vendors that don't test their festering crapware before they ship it to the desperate, blind, mewling PCI-teat-fed kittens they dub customers. After dark, Metlstorm runs Kiwicon, cusses vendors on weekly infosec podcast Risky Business, and plays grym and frostbitten black metal, alone.

Project Ubertooth: Building a Better Bluetooth Adapter

The off-the-shelf Bluetooth adapters didn't do what I wanted, so I built my own. This is the story of how someone with very little knowledge of electronics embarked on a project to build a 2.4 GHz wireless development platform and ultimately succeeded in creating a low cost device that can be used for Bluetooth sniffing and more. Find out how to build your own Ubertooth One, how to use it for Bluetooth experimentation and other things, and catch a glimpse of an exciting future of wireless security research enabled by open source hardware.

Bio: Michael Ossmann

Michael Ossmann is a wireless security researcher who has been obsessed with Bluetooth for the past three years. He founded Great Scott Gadgets in an effort to put exciting, new tools into the hands of innovative people.

Chip & PIN is definitely broken

The EMV global standard for electronic payments is widely used for interoperation between chip-equipped credit/debit cards, point-of-sale (POS) devices and ATMs.

Following the trail of the serious vulnerabilities published by Murdoch and Drimer's team at Cambridge University regarding the use of stolen cards, we explore the feasibility of skimming and cloning in the context of POS usage.

We will analyse in detail EMV flaws in PIN protection and illustrate skimming prototypes that can be covertly used to harvest credit card information as well as PINs, regardless of the type/configuration of the card.

As usual, cool gear and videos will be featured to make the most of the presentation.

Bio: Andrea Barisani

Andrea Barisani is an internationally known security researcher. Since owning his first Commodore-64 he has never stopped studying new technologies, developing unconventional attack vectors and exploring what makes things tick...and break.

His experience focuses on large-scale infrastructure administration and defence, forensic analysis, penetration testing and software development, with more than 10 years of professional experience in security consulting.

As an active member of the international Open Source and security community he has contributed to several projects, books and open standards. He is now the founder and coordinator of the oCERT effort, the Open Source Computer Security Incident Response Team.

He has been a speaker and trainer at BlackHat, CanSecWest, DEFCON, Hack In The Box, PacSec conferences among many others, speaking about TEMPEST attacks, SatNav hacking, 0-days, OS hardening and many other topics.

Bio: Daniele Bianco

Daniele Bianco began his professional career during his early years at university as a system administrator and IT consultant for several scientific organisations. His interest in centralised management and software integration in Open Source environments has focused his work on the design and development of suitable R&D infrastructure. One of his hobbies has always been playing with hardware and electronic devices.

He is currently the resident Hardware Hacker for the international consultancy Inverse Path, where his research focuses on embedded systems security, electronic device protection and tamper-proofing techniques. He has presented at many IT security events and his work has been quoted by numerous popular media.

Milking the Internet: case studies of emerging cybercrime threats

This presentation will cover emerging Internet threats and explore the financial motives and mechanisms behind modern cybercrime. The content consists of a set of incident case studies ranging from ISP and telecom compromises to banking networks and web hosting companies compromised at enormous scale. We'll discuss the techniques used by attackers to compromise large numbers of systems and domains, and the tools and toolkits we have developed to monitor, investigate and analyse malicious activity. We will also examine the hidden part of the iceberg to understand the motives behind such activities. Expect highly technical case studies mixed with lightweight analysis data. On the tools side, we'll discuss a previously unreleased set of tools that we used to investigate HTTP traffic hijacking attacks and man-in-the-middle system compromises, and the framework we use for large-scale data mining.

Bio: Fyodor Yarochkin

Fyodor Yarochkin (TSTF, o0o.nu) is a security analyst at Armorize. He is a happy programmer and AI hobbyist in his free time.

Extending Scapy by a GSM Air Interface and Validating the implementation Using Classical and Novel Attacks

This presentation describes the enhancement of scapy, the powerful interactive packet manipulation program, with layer 3 of the Global System for Mobile Communications (GSM) protocol.

Layer 3 of the GSM protocol is part of the Um interface, the air interface connecting mobile devices to the operator's network. In addition to demonstrating the addon, we will introduce new attacks on the GSM baseband targeting the logic of the baseband state machine.

Thus far, attacks on GSM were mainly directed at vulnerable code running directly on the phone. Recently a totally new attack vector was successfully used to exploit mobile stations over the air: attacks on the baseband stack. Security researchers working on GSM baseband security lack open-source tools to analyse the security of the baseband stack. This presentation introduces a scapy addon allowing users to create GSM layer 3 packets using simple Python syntax. Furthermore, it continues the effort of security researchers to test the security of the baseband stack, which has until now been neglected. This is done by using and enhancing already existing open-source tools.

In addition, possible scenarios of novel attacks on the GSM baseband stack are discussed, and attacks and tests on the logic of the GSM state machine are demonstrated using our newly created addon. One of our results is that classical attacks found in the literature have been successfully rebuilt using our tool. Furthermore, possibly vulnerable parts of the GSM state machine are explored and discussed. To the best of the author's knowledge there is no prior work presenting a tool that allows building the whole layer 3 of the GSM specification on the command line, nor any work presenting attacks on the state machine of the GSM baseband stack. In a nutshell, one focus is to introduce the new part of scapy, and another is put on classical as well as novel attacks.

Bio: Laurent Weber

Abusing the Windows WiFi native API to create a Covert Channel

Communications over wireless channels have been perfected in recent years, mainly improving performance and speed. Security in this field has been a concern since the first 802.11 draft, evolving through the addition of security features based on different cryptosystems. In this paper we focus on the construction of a covert channel, exploitable in any system, between any endpoint and a specially crafted endpoint. The channel can be started even while an active connection is established between a computer and a wireless access point, using a single network device. This functionality allows an attacker who has compromised a wireless-enabled endpoint to extract available information and avoid detection. We will describe the design behind the channel structure and a fully functional implementation.

Bio: Ezequiel Gutesman

Ezequiel is a researcher at Corelabs, the research team at Core Security Technologies. His research focuses on web application security and privacy, dynamic taint analysis, wireless security and, recently, cloud security. He also teaches programming to high school students.

Bio: Andres Blanco

Andrés is a developer on the Core Impact team, the flagship automated penetration testing tool from Core Security Technologies. He is in charge of the wireless features in Impact. His research is mainly focused on wireless technologies and web application security and privacy.

Locating a GSM phone in a given area without user consent.

Is it possible to locate a GSM phone in a given area without alerting its user and without any help from the provider? This paper presents preliminary results from a technique to achieve this goal. It is based on the idea of tracing RF patterns (using a highly directional antenna) that the "victim" phone is forced to transmit under the attacker's command. A hands-on demonstration and discussion during the conference will help elaborate the idea.

Bio: Iosif Androulidakis

Dr. Iosif Androulidakis has authored more than 25 papers and presented more than 50 talks and lectures on ICT security issues in international conferences and seminars in 16 countries. His research interests focus on security in PBXs (private telephony exchanges) as well as in mobile phones and embedded systems. Recent collaborations include an array of public organizations and private companies, the Media and security consulting firms. Holding two patents, he is a member of IEEE (Technical Committee on Security & Privacy) and ACM (Special Interest Group on Security Audit & Control) as well as a certified ISO9001 and ISO27001 systems auditor and consultant.

On the Secure Software Development in Early Stages within UML Profiles

Security deals with the non-functional properties (NFPs) of confidentiality, authorisation, authentication, availability and integrity. Unfortunately, security modelling and analysis in UML (the de facto standard modelling language) has normally been neglected or relegated to the final stage of the software life-cycle. This fix-it-later approach can be expensive, since it requires a system redesign and thus reimplementation if a problem arises. In this paper, the Security Analysis and Modelling (SecAM) profile is recalled. The SecAM profile provides a single modelling framework, easy to use and integrated with the dependability (DAM) profile and the performance framework (MARTE profile), which enables analysis of the system through specific formal techniques for security and dependability. By using this powerful framework, potential performance or security problems can be detected in early stages of the software life-cycle (or system design), saving the cost of discovering them in later stages.

Bio: Ricardo J. Rodríguez

Linux thread injection - The jugaad way

Windows malware conveniently uses the CreateRemoteThread() API to delegate critical tasks to other processes. Until now, however, there has been no API on Linux to perform such an operation. This paper talks about my research on creating an API similar to CreateRemoteThread() on *nix OSes. The aim of the research is to show how a simple debugging facility in *nix OSes can be exploited by malware to hide itself and delegate (inject) the critical (malicious) operation into an innocent process. The proof-of-concept toolkit, code-named "Jugaad", currently works on Linux; it allocates space inside a process and injects and executes an arbitrary payload as a thread in that process. It uses the ptrace() functionality to manipulate other processes on the system. ptrace() is an API generally used by debuggers to manipulate (debug) a program. By using the same functionality to inject and manipulate the flow of execution of a program, Jugaad is able to inject the payload as a thread. Jugaad does an in-memory thread injection and hence is stealthy. It does, however, allocate memory in the process using the mmap2 system call, which only shows up as allocated memory in the maps file but does not reveal anything about the injection, as opposed to shared object injection, which reveals the name of the shared object in the process maps file. The payload to be executed runs inside the thread and is independent of the toolkit: you choose your payload, Jugaad injects it. Finally, the talk will conclude with options for protecting against any such attacks.

Bio: Aseem Jakhar
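The abstract notes the one trace an mmap-based injection leaves: an anonymous region in the target's /proc/<pid>/maps. The following is an added example (not Jugaad's code, and not a tool from the talk) that parses maps output and lists executable mappings with no backing file, which is the check a defender would run against a suspect process. The maps lines are constructed for the example; the field layout is the kernel's documented one.

```python
"""Flag anonymous executable mappings in /proc/<pid>/maps.

Added example, not part of the Jugaad toolkit. An in-memory injection
shows up only as an anonymous region in the maps file, so the check
below lists exactly those: executable mappings that have no backing
file. The sample input is constructed, not captured from a real host.
"""
import re
from dataclasses import dataclass

# /proc/<pid>/maps line layout: start-end perms offset dev inode [pathname]
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)"
    r"(?:\s+(?P<path>.*))?$"
)

@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    inode: int
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start

def parse_maps(text: str) -> list:
    """Parse the text of a /proc/<pid>/maps file into Mapping records."""
    mappings = []
    for line in text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if not m:
            continue  # tolerate blank or malformed lines
        mappings.append(Mapping(
            start=int(m["start"], 16), end=int(m["end"], 16),
            perms=m["perms"], inode=int(m["inode"]),
            path=(m["path"] or "").strip(),
        ))
    return mappings

def suspicious_mappings(mappings: list) -> list:
    """Return executable mappings that are not backed by a file.

    Kernel-provided pseudo-regions ([vdso], [vsyscall], [vectors]) are
    skipped. Anything else anonymous (inode 0, no path) with the x bit
    set is reported. Caveat: JIT runtimes legitimately create such
    regions, so treat a hit as a lead to inspect, not a verdict.
    """
    kernel_regions = {"[vdso]", "[vsyscall]", "[vectors]"}
    hits = []
    for mp in mappings:
        if "x" not in mp.perms:
            continue
        if mp.inode != 0 or (mp.path and not mp.path.startswith("[")):
            continue  # file-backed executable segment (the binary, libc, ...)
        if mp.path in kernel_regions:
            continue
        hits.append(mp)
    return hits

# Constructed sample: an ordinary process plus one anonymous rwx page,
# the shape an mmap'ed payload region would take.
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1310722 /usr/bin/victim
00651000-00652000 r--p 00051000 08:01 1310722 /usr/bin/victim
00652000-00653000 rw-p 00052000 08:01 1310722 /usr/bin/victim
01e4a000-01e6b000 rw-p 00000000 00:00 0 [heap]
7f3c4a000000-7f3c4a001000 rwxp 00000000 00:00 0
7f3c4a1c0000-7f3c4a37b000 r-xp 00000000 08:01 655361 /lib/x86_64-linux-gnu/libc-2.13.so
7fff2b4c6000-7fff2b4e7000 rw-p 00000000 00:00 0 [stack]
7fff2b5ff000-7fff2b600000 r-xp 00000000 00:00 0 [vdso]
"""

def scan_text(text: str) -> list:
    """Parse then filter; returns (start, end, perms) tuples for the hits."""
    return [(h.start, h.end, h.perms) for h in suspicious_mappings(parse_maps(text))]

if __name__ == "__main__":
    for start, end, perms in scan_text(SAMPLE_MAPS):
        print(f"anonymous executable mapping {start:#x}-{end:#x} {perms}")
```

On a live system the same function is fed `open(f"/proc/{pid}/maps").read()`; the only hit in the constructed sample is the rwxp page with inode 0 and no path.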

SniffJoke project

A sniffer or a NIDS works by passively collecting Internet traffic. This traffic is grabbed as a series of packets, and these packets are reassembled into sessions by the "reassembly engine". The reassembly engine is the target of the SniffJoke project: by injecting packets inside a live session, SJ does not damage the session, but leads the reassembly engine to make ambiguous choices. The bug exploited is not implementation dependent; instead it is network and protocol dependent. Our problem is finding a security laboratory able to provide us with this kind of technology: we're looking for NIDS and sniffers to test in a real network environment. The SniffJoke project, near its 0.5 release, is now splitting into two parts: SniffJoke (an extremely configurable modular mangler) and Janus, portable software able to divert kernel sessions to userspace or to a remote box.

Our goal for 0.5 is to have SniffJoke running under Windows/Mac OS X/Linux and Janus diverting sockets handled by your default gateway (e.g. OpenWrt, La Fonera) or by your local box (Mac OS X, Linux, BSD).

From the research point of view, since 1998, when the paper by Ptacek, T. and Newsham, T., "Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection", was released, NIDS and sniffers have been known to be fallible. Researchers developed "active mapping" in the NIDS engine, aiming to better understand how to handle an ambiguous packet. Active mapping SHOULD work in a NIDS (some kinds of information will not be mapped so easily, especially in high-performance environments), but nevertheless it is not possible to use active mapping in large-scale sniffing. At the moment, national security sometimes relies on this technology; therefore it is a scientific issue to demonstrate that no security can be obtained by passive traffic analysis.

Bio: Claudio Agosti

Claudio Agosti (I, in this section) is currently working on some projects involving steganography, anonymity, deep-level networking, VoIP and mobile network security and online human rights protection. Mix well, put a sprinkle of anti-forensics, serve cold. The worst issue with those really cool projects is that no one is financing me, thus sometimes I need to work. Jobs actually include development and a few security issues to manage. Dreams? A world where everyone has N pseudonyms, certified by a web-of-trust security model. I'm not "security certified" except as a lifeguard, I'm bored by penetration testing, and my future is painted with JavaScript. Keywords: vecna, s0ftpj, sniffjoke, globaleaks, winston smith project, elettra.
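The ambiguity SniffJoke targets, and the insertion attack from the Ptacek and Newsham paper, can be shown in a few lines. The following is an added example (illustrative code, not SniffJoke's or Janus's): a TCP stream is modelled as segments with a sequence number, a payload and a flag saying whether the endpoint would accept it; it is then reassembled under two simple overlap policies. The policy names and the segments are constructed for the example, and the two policies are not a claim about any particular OS.

```python
"""Reassembly ambiguity of the kind SniffJoke exploits (added example).

Illustrative code, not SniffJoke's. A stream is a list of segments in
arrival order. A passive sniffer that either resolves overlaps with a
different policy than the endpoint, or accepts a segment the endpoint
rejects (insertion: bad checksum, bad TTL), recovers a different byte
stream than the host does. The segments below are constructed.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    seq: int            # relative sequence number of first payload byte
    data: bytes
    valid: bool = True  # False models a segment the host discards but a
                        # sniffer that does not verify may accept

def reassemble(segments, policy="first", drop_invalid=False) -> bytes:
    """Reassemble overlapping segments into a contiguous byte string.

    policy="first": bytes already received are kept (old data wins).
    policy="last":  a later segment overwrites earlier bytes (new wins).
    drop_invalid:   discard segments with valid=False, as an endpoint does.
    """
    buf = {}
    for seg in segments:
        if drop_invalid and not seg.valid:
            continue
        for i, b in enumerate(seg.data):
            pos = seg.seq + i
            if policy == "first" and pos in buf:
                continue
            buf[pos] = b
    if not buf:
        return b""
    # Holes (never-received positions) are filled with NUL for display.
    return bytes(buf.get(p, 0) for p in range(min(buf), max(buf) + 1))

# Constructed stream: the genuine request "GET /index.html", with an
# injected segment carrying a bad checksum that overlaps the same range
# with different bytes, arriving before the genuine segment.
STREAM = [
    Segment(0, b"GET "),
    Segment(4, b"/hackme.htm", valid=False),  # inserted by the mangler
    Segment(4, b"/index.html"),               # genuine data
]

def endpoint_view() -> bytes:
    """What the host sees: the invalid segment is dropped, no ambiguity."""
    return reassemble(STREAM, policy="first", drop_invalid=True)

def sniffer_views() -> dict:
    """What a sniffer that accepts everything sees, under each policy."""
    return {p: reassemble(STREAM, policy=p) for p in ("first", "last")}

if __name__ == "__main__":
    print("endpoint:", endpoint_view())
    for policy, view in sniffer_views().items():
        print(f"sniffer ({policy}):", view)
```

The endpoint always sees `GET /index.html`; a sniffer that keeps the first bytes it saw reports `GET /hackme.htm`, so a signature written against either string fires wrongly. Active mapping, as the abstract says, is the NIDS-side attempt to learn which policy and which validity checks each host applies.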

Lockpicking Talk

Lockpicking has become very popular since information can be easily shared on the Internet and tools can be easily bought. Although lockpicking has a steep learning curve, once mastered, almost any lock that is not a high-security lock can be opened with a little determination. In the 'lockpicking 101' talk, we will look at why exactly lockpicking is possible in the first place, and how to do it. The focus will be on standard locks, but different types of locks will also be discussed, such as wafer locks, safe locks, lever locks and more. Apart from using standard pick tools, there is also key duplication, impressioning, bumping and the use of pick guns. These will be explained as well. After the talk, you will understand how lockpicking works and be able to open a simple lock. You will also see why manufacturers do not strive to make the lock as secure as possible.

Bio: Walter Belgers

Walter Belgers is a partner at Madison Gurkha, a Dutch security company. Apart from leading a team of penetration testers, he still conducts security audits. He likes to give training courses and lectures, including at conferences. Apart from his work, Walter has hobbies such as drifting, sailing and lockpicking. In 2006, he founded a chapter of TOOOL, the Open Organisation of Lockpickers, in Eindhoven, the Netherlands. For the last five years he has won the Dutch club competition.

How Visualization makes it possible

Handling huge amounts of data is difficult. Organisations have been deploying firewalls, SIEMs and log management systems, and still attacks occur and find their way into their networks. The events being handled are stored in databases, dealt with through a dashboard, etc. All of these cut off direct access to the data for the analyst. Visualisation, when done properly, can not only make you understand the whole picture, but also make you find clues faster than any sort of pattern matching against known attacks. This talk will give examples of how visualisation has been used successfully by several banks and governmental institutions to quickly find targeted attacks.

Bio: Sebastien Tricaud

Sebastien Tricaud is the founder of Picviz Labs. He has more than 15 years of experience implementing various intrusion detection and prevention systems and currently serves as the Honeynet Project Chief Technology Officer. He has lectured at conferences such as EICAR, CanSecWest and USENIX, is a visionary in computer security, and does not talk on subjects covered by many. He currently works on how to effectively find attacks in huge amounts of data.

OAuth and OpenID - Securing the Insecure

There are a number of open protocols and standards designed to deliver mechanisms for enabling the identity attributes of users to be shared between different web sites. Technologies such as OAuth and OpenID are being adopted by small and large organisations to share or consume user resources across the web.

This session is a technical study of some of these emerging user-centric identity technologies and, more importantly, their key security implications. We will present scenarios of how insecure implementations of these protocols can be abused maliciously. We examine the characteristics of some of these attack vectors, with real-world examples, and focus on secure application implementation and countermeasures against possible attacks.

Outline:

The talk starts with a swift introduction to OAuth and OpenID with a series of light and fast rotating slides. Next, we will quickly set the foundation for the upcoming attack vectors and countermeasures.

The majority of the presentation will be spent on attacks and remediation tips and techniques. We will cover real-world examples of insecure implementations by presenting code snippets and design flaws. Furthermore, we will discuss tactical and practical solutions in relation to:

+ Confidentiality and server trust issues.
+ Insecure storage of credentials in web and mobile applications.
+ Flawed session management weaknesses.
+ Other attack vectors to be revealed at a later date.

Bio: Khash Kiani
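One session management weakness in OAuth clients is accepting an authorization-code callback that the user's browser never asked for, so that a victim can be logged into an attacker-controlled provider account (login CSRF). Which examples the talk itself covers is not stated in the outline above; the following is an added example, not the speaker's code, showing the weak handler beside the hardened one that binds the request to the session with the RFC 6749 `state` parameter. The endpoint URLs, the dict used as a session store and the client id are assumptions for illustration.

```python
"""Binding an OAuth 2.0 authorization request to the user's session.

Added example, not from the talk. The weak client takes whatever code
arrives on the redirect URI. The hardened client mints an unguessable
`state` per flow, stores it in the session, and accepts the callback
only if the state matches (constant-time compare, single use).
URLs, client id and the session store are assumed for illustration.
"""
import secrets
import hmac
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://idp.example/oauth/authorize"   # assumed
REDIRECT_URI = "https://client.example/cb"             # assumed

def build_authorize_url(session: dict, client_id: str) -> str:
    """Start the flow: mint a state, bind it to this session, redirect."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": REDIRECT_URI, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)

def _callback_params(url: str) -> dict:
    """First value of each query parameter on the callback URL."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def handle_callback_insecure(session: dict, callback_url: str):
    """Weak client: any code is accepted. An attacker who makes the
    victim's browser load this URL with the attacker's own code logs the
    victim into the attacker's account at the provider."""
    return _callback_params(callback_url).get("code")

def handle_callback_secure(session: dict, callback_url: str):
    """Hardened client: the code is used only if the state matches the
    value this session minted. The stored state is consumed on first use
    so a replayed callback is rejected too."""
    params = _callback_params(callback_url)
    expected = session.pop("oauth_state", None)
    got = params.get("state", "")
    if not expected or not hmac.compare_digest(expected.encode(), got.encode()):
        return None
    return params.get("code")

def demo() -> dict:
    """Victim session that never started a flow receives a forged
    callback; a legitimate session receives a genuine one, then a replay."""
    victim_session = {}
    forged = REDIRECT_URI + "?" + urlencode({"code": "attacker-code", "state": "guess"})
    legit_session = {}
    url = build_authorize_url(legit_session, "client-123")
    state = _callback_params(url)["state"]
    genuine = REDIRECT_URI + "?" + urlencode({"code": "real-code", "state": state})
    return {
        "insecure_accepts_forged": handle_callback_insecure(victim_session, forged),
        "secure_rejects_forged": handle_callback_secure(victim_session, forged),
        "secure_accepts_genuine": handle_callback_secure(legit_session, genuine),
        "secure_rejects_replay": handle_callback_secure(legit_session, genuine),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The state check addresses only the binding between browser session and authorization request; it does not replace validating the redirect URI at the provider or protecting the client secret, which are separate items in the outline above.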

Khash Kiani is a principal security consultant and researcher with over 13 years of experience in building and securing software applications for large defense, insurance, retail, technology, and health care organizations. He specializes in application security integration, penetration testing, and social-engineering assessments. Khash currently holds the GIAC GWAPT, GCIH, and GSNA certifications, has published papers and articles on various application security concerns and spoken at Blackhat US. He can be reached at khash@thinksec.com

Weaponizing the Smartphone: Deploying the Perfect WMD

The acceptance and integration of mobile phones, specifically smartphones, into our everyday lives has allowed these devices to penetrate deep into secure areas. The ability to have your phone with you at any moment of the day feeds our needs for social media, email, business, and pleasure. This ability and access has allowed smartphones to be bred into devices that rival other penetration testing hardware/software combinations.

I have developed and created an OS platform package that gives penetration testers and security professionals the ability to test both physical security and technical security without being constrained by computers, cords, or the image of suspicious behaviour. The WMD platform package is based on Windows Mobile 6.5 smartphones and is executed similarly to a virtual machine. The WMD package is preloaded with many of the same applications and testing tools that are included with BackTrack 4 (www.backtrack-linux.org); there is no affiliation between the two projects, only the similar desire to create a single source of the latest tools, applications, and techniques used by today's security professionals, integrating today's latest technologies.

"Weaponizing The Smartphone: Deploying The Perfect WMD" will show the audience how to create a deployable package on a MicroSD card for use on the HTC Rhodium (AT&T Tilt2) or a similar Windows Mobile 6.5 smartphone. Then, using a test wireless AP, a Windows Server 2003 VM, and the loaded WMD smartphone, the audience will be presented with a live demonstration of some of the tools, including Nmap, Metasploit, and the Social-Engineer Toolkit, to exploit the Windows Server 2003 VM and gain administrative access.

The fundamental security flaw of accepting technology as performing only what it was "made" for, without the expectation of manipulation, presented by "Weaponizing The Smartphone: Deploying The Perfect WMD" will help security professionals protect their environments while stimulating "out-of-the-box" thinking.

Bio: Kizz Myanthia

Kizz joined Rapid7 in 2011 as a Penetration Tester. Kizz is an Information Security Specialist whose qualifications include an in-depth understanding of security principles and practices; C|EH and MCSE+Security designations; and detailed knowledge of security tools, technologies and development. He has 10 years of security experience in the creation and deployment of solutions protecting networks, systems and information assets for diverse companies and organisations, with nearly 13 years overall in the industry. He has extensive experience in PCI and other compliance processes, along with specialising in penetration testing techniques, social engineering, and mobile device security policies and procedures. Kizz has spoken at NotACon, Secure360, a number of SecurityBSides, SecTor, and Hacker Halted.


Critical infrastructure, a weapon of mass destruction?

PLC, DCS, OPC, SCADA, Modbus, Stuxnet: we all hear these terms quite often nowadays. But what are they? Why did Stuxnet target a PLC, and why is it so "critical"? How can an attack on a PLC affect our daily business or our home computers? And how are all the critical infrastructures interconnected: telecoms, electricity, gas, water, banks, transportation?

This is not just another critical infrastructures presentation. It will take the global-picture approach and show you why you should be worried. We will also emphasise the local context (Luxembourg, France and Belgium) and try to answer this question: does the fact that Luxembourg is nuclear-free mean there is no risk...?

Bio: Francois Gaspard

Francois Gaspard has more than 10 years of experience in information security. After having spent the last four years in Metlstorm's "kiwiland", he is now back in Europe. He is passionate about information warfare, critical infrastructures, extreme hacking and innovative information retrieval techniques. He is an international speaker and writer, and now teams up with Fred Raynal to research different ways of thinking in information security.

Bio: Fred Raynal

Fred Raynal, PhD, founder of the French conference SSTIC and the magazine MISC, also created and led an R&D team for the last 5 years. He enjoys both technical hacking and information warfare, and finding ways to combine the two in order to find different (and hopefully better) ways to do information security.

Results of a Security Assessment of the Internet Protocol version 6 (IPv6)

The IPv6 protocol suite was designed to accommodate the present and future growth of the Internet by providing a much larger address space than its IPv4 counterpart, and is expected to be the successor of the original IPv4 protocol suite. It has already been deployed in a number of production environments, and many organisations have already scheduled or planned its deployment in the next few years.

There are a number of factors that make the IPv6 protocol suite interesting from a security standpoint. Firstly, being a new technology, technical personnel have much less familiarity with the IPv6 protocols than with their IPv4 counterparts, and thus it is more likely that the security implications of the protocols will be overlooked when they are deployed. Secondly, IPv6 implementations are much less mature than their IPv4 counterparts, and thus it is very likely that a number of vulnerabilities will be discovered in them before their robustness can be compared to that of the existing IPv4 implementations. Thirdly, there is much less implementation experience with the IPv6 protocols than with their IPv4 counterparts, and "best current practices" for their implementation are not available. Fourthly, security products such as firewalls and NIDSs (Network Intrusion Detection Systems) usually have less support for the IPv6 protocols than for their IPv4 counterparts.

While a number of papers have been published on the security aspects of the IPv6 protocol suite, they usually provide a general discussion of the security implications of IPv6, but do not delve into much detail regarding the security implications of each of the mechanisms, header fields, and options of all the involved protocols. During the last few years, the UK CPNI (Centre for the Protection of National Infrastructure) carried out a comprehensive security assessment of the Internet Protocol version 6 (IPv6) and related technologies (such as transition/co-existence mechanisms).

The result of the aforementioned project is a series of documents that provide advice both to programmers implementing the IPv6 protocol suite and to network engineers and security administrators deploying or operating the protocols. Fernando Gont will discuss the results of the project, highlighting the most important aspects of IPv6 security, providing advice on how to deploy the IPv6 protocols securely, and explaining a number of vulnerabilities that were found in IPv6 implementations (together with possible strategies to mitigate them). Additionally, he will briefly demonstrate the use of some attack/assessment tools developed as part of this project (as yet unreleased) to exploit a number of vulnerabilities found in popular IPv6 implementations.


Bio: Fernando Gont

Fernando Gont specializes in the field of communications protocols security, working for private and governmental organizations both in Argentina and overseas. Gont has worked on a number of projects for the UK National Infrastructure Security Co-ordination Centre (NISCC) and the UK Centre for the Protection of National Infrastructure (CPNI) in the field of communications protocols security. As part of his work for these organizations, he has written a series of documents with recommendations for network engineers and implementers of the TCP/IP protocol suite. Gont is currently working on the security assessment of communications protocols on behalf of the United Kingdom's Centre for the Protection of National Infrastructure. Additionally, he is a member of the Centro de Estudios de Informatica (CEDI) at Universidad Tecnológica Nacional/Facultad Regional Haedo (UTN/FRH) of Argentina, where he works in the field of Internet engineering. As part of his work, he is active in several working groups of the Internet Engineering Task Force (IETF), and has published a number of IETF Internet-Drafts and RFCs (Request For Comments). Gont has also recently joined the Transport Directorate of the IETF. Gont has been a speaker at a number of conferences and technical meetings about information security, operating systems, and Internet engineering, including: CanSecWest 2005, BSDCan 2005, BSDCan 2009, Midnight Sun Vulnerability and Security Workshop/Retreat 2005, FIRST Technical Colloquium 2005, Kernel Conference Australia 2009, DEEPSEC 2009, HACK.LU 09, IETF 64, IETF 67, IETF 73, IETF 76, LACNIC X,

The ArDrone corruption

The goal of the demonstration is to corrupt both the communication channel between the UAV and its pilot and the embedded system. This demonstration uses the ArDrone, a commercial quadcopter built and developed by the French company Parrot in 2010. The demonstration is in four parts:

  1. The first one shows the vulnerability of the network flows and allows the video stream to be recovered.
  2. The second is the corruption of the navigation system and the illegitimate takeover of control of the drone.
  3. The next one is the attack on the embedded system and the replacement of the video stream using rootkit methods.
  4. The last one is a DoS attack and the shutdown of the UAV in flight.

Bio: Eddy Deligne

Eddy Deligne is a PhD student at DCNS (SSI department), the Operational Cryptology and Virology laboratory at ESIEA, and Polytechnique Paris. His PhD thesis deals with the theoretical and practical aspects of security and stealth with a hypervisor. He is co-directed by Eric Filiol (ESIEA) and Patrick Hebrard (DCNS). He also works on the Perseus project.

Bio: Olivier Ferrand

Olivier Ferrand is a PhD student at DCNS (SSI department), the Network and Information Systems Security Group at SUPELEC, and the University of Rennes I. His PhD thesis is co-directed by Patrick Hebrard (DCNS), Eric Filiol (ESIEA) and Ludovic Me (SUPELEC).

Rootkits and Trojans on Your SAP Landscape

SAP systems are the heart of many enterprises. Most critical business functions run on SAP applications, and the complexity of these systems makes it very difficult to protect them against attackers. Default setups, forgotten or unimplemented security configurations, weak password management, and change processes that apply to one 'unimportant' system can result in complete compromise of the SAP landscape. The legal consequences, lost or damaged business, and reputational damage can be disastrous depending on the type of attack. While companies invest a lot to secure SAP systems at the business process level, for example by designing authorization concepts, implementing separation of duties, or using GRC (Governance, Risk and Compliance) tools, security at the technical level mostly lacks attention. In this paper, I present several attack paths exploiting configuration weaknesses at the technical level, which lead from single systems to whole SAP landscapes and finally to the whole enterprise network. By demonstrating creative exploit variants of configuration weaknesses, I motivate the necessity of safeguarding an SAP system at the technical level.

Bio: Ertunga Arsal

Scaling up DoS: taking out your mobile phone, bank and internetz

Bio: Philippe Langlois

Founder of P1 Security and Senior Researcher for the Telecom Security Task Force. Philippe Langlois has proven expertise in network security. He founded and led technical teams in several security companies (Qualys, WaveSecurity, INTRINsec) as well as security research teams (Solsoft, TSTF). He founded Qualys and led the world-leading vulnerability assessment service. He founded a pioneering network security company, Intrinsec, in 1995 in France, as well as Worldnet, France's first public Internet service provider, in 1993. Philippe was also lead designer for Payline, one of the first e-commerce payment gateways. He has written and translated security books, including some of the earliest references in the field of computer security, and has been giving speeches on network security since 1995 (Interop, BlackHat, HITB Dubai, Hack.lu). Now, with P1 Security, Philippe provides the first Core Network Telecom Signaling security scanner, which helps telecom companies, operators and governments analyze where and how their critical telecom network infrastructure can be attacked. He can be reached through his website at: http://www.p1security.com

The travelling hacksmith

Bio: Saumil Shah