Security OPUS
Information Security Conference
October 2-5


Presentations for 2007
Keynote speaker - Richard Thieme
Identity and Disinformation: Playing Chess in Multiple Dimensions

Let's not kid ourselves: security in the 21st century is about the management of perception, the juggling of useful illusions, and the supervision of multiple identities while they go about their business. The only question confronting masters of information security is, how much red pill can you swallow?

Philosophical questions are irrelevant only if you don't want to examine the essence of information security. Those who do are willing to open a door leading into a hall of mirrors, free spirits willing to dance with the devil ...

And as the devil said (in Woody Allen's Deconstructing Harry), "Sometimes you're up and sometimes you're down. In the end, the house always wins. It doesn't mean you didn't have fun."

This presentation is about having fun while you secure illusory boundaries so others can play the game, too ...

Richard Thieme is an author and professional speaker focused on the deeper implications of technology, religion, and science for twenty-first century life. He has spoken for Def Con for ten years and Black Hat for eight, as well as for venues ranging from ShmooCon, Pump Con and ToorCon to InfraGard and AUSCERT to the Pentagon, the FBI, Los Alamos National Laboratory and the US Department of the Treasury. He has consulted for Network Flight Recorder, Neohapsis, Psynapse/Center for the Advancement of Intelligent Systems, OmniTech, and SPC (System Planning Corporation). His internet columns, "Islands in the Clickstream," are widely read and were published by Syngress Publishing in June 2004. Since then he has published fourteen short stories, including "The Geometry of Near," a hacker tale published by Phrack and included in the anthology CyberTales: Live Wire. A short story collection, More Than a Dream: Stories of Flesh and the Spirit, is coming soon, and he is writing a novel, The Necessity for Invention, which includes the adventures of Don Coyote and Pancho Sanchez, two suitably wily hackers.

Tom Stracener - "Advanced Cross-Site Scripting Scenarios, Filter Evasion and Browser Exploits"

In a subject matter so heavily trafficked by security vendors and researchers, the most often overlooked topic is the potential impact of cross-site scripting in a real world setting. Cross-Site Scripting in web applications is nothing new but, despite being a very well known vulnerability, the deep internals of cross-site scripting, as an attack, are still regarded as fundamentally mysterious. In this presentation, Tom Stracener, senior vulnerability research analyst for Cenzic, will cover the latest Cross-Site Scripting techniques and discuss specific examples of how attackers can bypass application input validation filters using various mutation-based injection strategies. The presentation will also provide insight into how Cross-Site Scripting attacks can be leveraged within the context of an intruder's overall plan to penetrate a web application, how such attacks can be deployed and used, and attack combinations. In doing so, he will cover a number of other major variations of Cross-Site Scripting attacks, from basic cookie theft to using redirects to exploit browser flaws, to content-spoofing type Cross-Site Scripting attacks that trick the user into undermining their own security. The goal of this talk is to give a practical tour de force of the script hacker's arsenal.

Tom Stracener was one of the founding members of nCircle Network Security. While at nCircle he served as the head of vulnerability research from 1999 to 2001, developing one of the industry's first quantitative vulnerability scoring systems, and co-inventing several patented technologies. Mr. Stracener is an experienced security consultant, penetration tester and vulnerability researcher. One of his patents, "Interoperability of vulnerability and intrusion detection systems," was granted by the USPTO in October 2005. Tom is the senior security analyst for Cenzic's CIA Labs.

Luis Miras and Matt Hargett - "Automated Exploit Detection in Binaries: Finding exploitable vulnerabilities in binaries"

Learning to evaluate code analysis products by understanding how they do and don't work, with a live demo and focus on the free/open source code analysis tools bugreport and findbugs. Presented by long-time, independent code analysis developers and practitioners who have released several advisories on real-world exploitable vulnerabilities over the last 10 years.

Luis Miras is the lead vulnerability researcher at Intrusion Inc. He has done work for leading consulting firms, as well as security software vendors. He has spoken at CCC Congress, REcon, Toorcon, Defcon, and BlackHat trainings. In the past he has worked in digital design and embedded programming.

Matt Hargett has over 8 years of experience in various aspects of network and application security, from finding exploitable bugs in low-level protocol stacks and web applications to developing critically lauded products. He is now working to educate security researchers and practitioners on applying public research and information toward building and evaluating static analysis tools and products. He actively contributes to many open source projects and is co-authoring Pragmatic Unit Testing in C#, 2nd edition, for the Pragmatic Bookshelf.

Rick Wesson - "Botnets and the Global Infection Rate"

Detecting global abuse patterns with realtime black lists, spamtraps and honey pots. Understanding what your network is doing to the rest of the community is difficult; we discuss how to use our tools to understand how your network is abusing other networks, and show graphs and stats of trends globally and within the US.

Rick Wesson, CEO of Support Intelligence, LLC, is also the CEO of Alice's Registry, which he founded in 1999 to fund open-source software development. Rick has built the technology back-ends for many ICANN accredited registrars in the past ten years. Rick has served as the Vice Chair and CTO of ICANN's Registrars' Constituency and has also served as a member of ICANN's Security and Stability Committee.

Alice's Registry was the first (and only) registrar to deploy into the .ORG DNSSEC testbed, allowing the first and only production DNSSEC registrar environment.

Rick also served as the Vice-President of the Board of Directors for the Santa Cruz Community Credit Union, the nation's second largest Community Development Credit Union, where he sat on the Credit and Finance Committees.

Mr. Wesson believes strongly in community development and financial literacy, for both physical communities and ethereal, internet-based communities.

Nish Bhalla and Sahba Kazerooni - "Exploiting and Defending Web Services"

Security has become the limiting reagent in the broad adoption of web services. As a result, much emphasis has been placed on the development of various high-level security standards and protocols, but in most cases the simplest attacks, those at the application level, have been neglected.

Nish Bhalla and Sahba Kazerooni of Security Compass will explore, at a low level, the vulnerabilities inherent to web services from an attacker's point of view. The talk covers the dependency of web services on XML and the various forms of XML-based attacks, including exploiting parsers and validators, and finally provides recommendations and countermeasures.

This talk is intended for developers and web application architects. It drills down to the details of web services implementation, while maintaining a focus on good versus bad architectural design.

Sahba Kazerooni is a Security Consultant with a strong background in J2EE software architecture and development, bringing to Security Compass a unique blend of development and security knowledge. Sahba has recently been engaged in threat modeling and web application source code review, as well as research on SOA security. He also plays a critical role in developing the curriculum for, and delivering, Security Compass training services.

Prior to joining Security Compass, Sahba held the position of Technical Consultant at Workbrain Inc., where he was involved in the end-to-end implementation of a web-based workforce management solution. He has worked with, and built strong relationships with, many Fortune 500 organizations in various sectors, from retail to airline and transportation. His experience at Workbrain has equipped Sahba with advanced knowledge of the Software Development Life Cycle (SDLC) as well as the intricacies of the Java programming language.

Sahba has a BSc in Computer Science with a Software Engineering specialization from the University of Western Ontario.

Justin Troutman - "Mackerel: An IND-CCA2 and INT-CTXT Cryptovirus"

Mackerel is a family of symmetric cryptovirus constructions that allows up to IND-CCA2 and INT-CTXT security; they're based around the AES in CTR mode (IND-CPA) for preserving confidentiality and CMAC-AES (SUF-CMA) for preserving integrity. The optimal configuration (IND-CCA2 and INT-CTXT), "King Mackerel," employs two 256-bit symmetric keys, for encryption and authentication in the Encrypt-then-Authenticate (EtA) composition, and claims a 128-bit security level. All functions operate in the Troutman mode of information extortion (TIE), a slight variation of Young and Yung's information extortion attack [1]. While Mackerel requires its own set of intrinsic analyses, it takes advantage of the analytical scrutiny of the AES; as such, the security of Mackerel reduces to that of the AES. Mackerel is based on original research conducted by Troutman in [2]. Mackerel is in the final stages of preliminary cryptanalysis, the results of which will support Mackerel in a standalone paper, set to appear in Spring '07, along with a complementary protocol for ensuring fairness via game theory.

Advantages over Young and Yung's attack:

The original information extortion attack in [1] relies on asymmetric cryptography (i.e., RSA) and an RNG to produce symmetric keys for encryption once the cryptovirus has reached the host. Because of this, the adversary has no a priori knowledge of the keys, and requires that the cryptovirus encrypt them with RSA before instructing the victim to send them; this preserves the confidentiality of the symmetric keys, which the adversary uses as leverage in the attack. The RNG proves to be the bottleneck of that attack; in Mackerel, the two symmetric keys for encryption and authentication are generated beforehand, thus removing the necessity for an RNG. In turn, this also removes the necessity for RSA, since the adversary now has a priori knowledge of the keys. By removing the RNG alone, the attack's speed is doubled. Although the keys now exist in plaintext form within the cryptovirus, the idea is that methodologies exist (i.e., malware) for getting the cryptovirus to the host fast enough for the cryptovirus to execute. Preliminary tests have largely supported this notion.

[1] A. Young, M. Yung, "Cryptovirology: Extortion-Based Security Threats and Countermeasures," IEEE Symposium on Security & Privacy, pages 129-141, May 6-8, 1996.

[2] J. Troutman, "Examining Misimplemented RSA and Strengthened Authentication for Variations of the Cryptovirological Information Extortion Attack," Duke University (TIP), July 24th, 2006.

Justin Troutman is an independent contract cryptographer and cryptanalyst, based in the Charlotte metropolitan area of North Carolina's southern Piedmont region, who specializes in the structural design semantics of cryptographic primitives and their mathematical cryptanalysis, on which he has authored publications and lectured abroad. His prominent areas of interest are the design strategies, and cryptanalysis, of block ciphers (wide-trail designs in particular), MAC functions, and cryptovirological protocols and their game theoretical implications, using both symmetric and asymmetric primitives as components.

On a contract basis, his array of engagements includes consulting, conceptualizing, constructing, and cryptanalyzing tactful cryptographic protocols and their respective algorithmic components, as well as authoring publications on cryptanalysis and conservative policies for implementing cryptography - all of this being housed under his cryptography consulting firm, Extorque. Among his contributions are original works in cryptovirology, as well as the first guest lectures on cryptovirology at Duke University, for their TIP program, which introduces prospective college students to the realm of cryptography and cryptovirology.

Stefano Zanero - "Of IDS evaluation, and why you should handle it with care"

What do we, as customers or researchers, need to know about testing methodologies for IDSs? Are the currently "standard" industry test methodologies standard enough? And, more to the point - do they actually MEAN anything? How can we make sense (or disperse the FUD) in the cloud of statistics that vendors regularly use for concealing their flaws? And should you be tasked to design an evaluation testbed for intrusion detectors in your environment, how should you deal with the various performance indexes of IDSs?

Stefano Zanero received a Ph.D. degree in Computer Engineering from the Politecnico di Milano technical university, where he is currently a post-doctoral researcher. His current research interests include the development of Intrusion Detection Systems based on unsupervised learning algorithms, the security of web applications, and computer virology.

He has been a speaker at international scientific and technical conferences, and he is the author and co-author of books and articles published in international, peer-reviewed journals and conferences. He is a member of the board of the "Journal in Computer Virology", and acts as a reviewer for "ACM Computing Reviews" and "IEEE Security&Privacy", as well as various leading international conferences.

He is a member of the IEEE (Institute of Electrical and Electronics Engineers) and the ACM (Association for Computing Machinery), and a founding member of the Italian Chapter of ISSA (Information Systems Security Association). He has also been a columnist for Computer World Italy, and was awarded a journalism award in 2003. Since 2004 he has been a partner and CTO of Secure Network, a firm specializing in information security training and consulting, based in Milan.

Window Snyder - "Security Development in an Open Source World"

Window Snyder is Chief Security Something-or-Other at Mozilla Corporation.

Prior to joining Mozilla, Ms. Snyder was a principal, founder, and core team member at Matasano, a security services and product company based in New York City, and a senior security strategist at Microsoft in the Security Engineering and Communications organization. At Microsoft she managed the relationships between security consulting companies and the Microsoft product teams, and the outreach strategy for security vendors and security researchers. Previously she was responsible for security sign-off for Windows XP SP2 and Windows Server 2003.

Ms. Snyder was Director of Security Architecture at @stake. She developed application security analysis methodologies and led the Application Security Center of Excellence. She was a software engineer for 5 years focused primarily on security applications, most recently at Axent Technologies, now Symantec.

Ms. Snyder is co-author of Threat Modeling, a manual for security architecture analysis in software.

Shawn Merdinger - "VoIP Security Tools and Attacks"

Along with the emergence of all kinds of VoIP have arrived new risks and threats to this promising, cost-cutting technology. However, as VoIP protocols, services and devices enter the scene, what are we security professionals to do? Why, analyze, test and break them, of course!

This presentation covers several classes of new VoIP security tools and attacks available to security practitioners and administrators. It includes brief guided tours of tool usage along with practical methods and strategies to get the most out of using current VoIP tools, and some non-VoIP tools, in assessing VoIP devices' security posture and resistance to attack.

If you are interested in scanning, sniffing, eavesdropping on calls, 0wning VoIP phones and making PBXs cry - this is a session for you!

Shawn Merdinger is an independent security researcher and consultant based in Austin, Texas, USA. In former corporate lives he's worked with Cisco Systems' STAT and TippingPoint's Digital Vaccine teams. His interest in VoIP security has led to multiple CVE vulnerabilities, talks at several international security conferences, and involvement as a Technical Advisor to the Voice Over IP Security Association (VOIPSA).

Kartik Trivedi - "Web 2.0 Security"

Kartik Trivedi, a recognized software security expert, is the director of application security at Accuvant. Accuvant is a leading national security consulting organization that designs and executes strategies to address its clients' complex information security challenges. Kartik's role is to build and create a world class strategic software security practice.

Kartik has more than a decade of experience working in the software and security industry. Prior to joining Accuvant, Kartik was a managing consultant and lead instructor at Foundstone, a division of McAfee, Inc. He was the service line owner of the web application security and code review practices. Under his leadership, the services became profitable and grew to generate more than 30% of Foundstone's professional services' annual revenue. He has performed security roadmap planning, risk assessment, threat analysis, application assessments, code reviews, network penetration tests, secure SDLC and wireless reviews for a large number of Fortune 500 clients. Kartik instructed the Ultimate Hacking and secure software development classes. He was the recipient of the McAfee President's Club award in 2005 for exceptional performance.

Prior to Foundstone, Kartik worked as a software development engineer with Concept Solutions. He was responsible for performing requirements analysis and building dynamic customized portals. Major achievements include implementing complex search algorithms, e-shopping cart software and live chat applications. Before Concept Solutions, Kartik was a web developer with Larsen and Toubro Limited, where he implemented purchase order module software for ERP solutions.

Kartik is an acclaimed expert, thought leader, and renowned speaker on application and software security. He has been interviewed and quoted in security journals like Security News, Computer Tech Update, Tech World and Security Planet. Kartik is the author of popular security tools like SiteDigger, a Google hacking tool, and WSDigger, a web services testing framework. The tools have been featured in Forbes, Security Focus and more than 200 other security publications. Over the course of his career, Kartik has contributed to and reviewed many technical books, including Hacking Exposed, Exploiting Software, Hacker Code, and How to Break Web Security. He is a sought-after speaker and has made presentations at several security conferences, such as RSA, Security Leadership Conference, INFOSEC, APPSEC, ISACA, ISSA, and TOORCON.

Kartik is involved in several open source software projects. He chairs the OWASP Los Angeles chapter (an open source project to develop secure web application standards) and is a contributing member to VOIPSA (Voice over IP Security Alliance), MONO (open source implementation of .NET in UNIX) and SECCODE (open source repository of secure code) projects. Kartik is a Certified Information Security Manager (CISM), Certified Information Security Auditor (CISA), and Certified Information Systems Security Professional (CISSP). He has an MS and a BS in computer science.

Cedric Blancher - "Wireless Security Myth Busting"

This talk aims at pointing out and correcting myths around wireless security, like WEP keys being cracked within seconds, WPA being a weak security protocol, IPSEC being the only hope, 802.1x being flawed, etc. It thus will cover both security and weaknesses on ten points, each introduced by questioning the audience (quiz-style).

Points to be discussed:
  • WPA weaknesses
  • WEP cracking within seconds (frag. attack)
  • IPSEC vs. WPA2
  • Wi-Fi + 802.1x security
  • WPA/WPA2 auth. being non-mutual
  • WEP being OK for small, low-traffic networks
  • Drivers flaws being overrated and not exploitable
  • Hotspots providers bringing some security
  • Easy setups being kiddies measures
  • Wi-Fi being a cost effective alternative to wire

Cedric Blancher has spent the last 5 years working in the network security field, performing audits and penetration tests. He now runs the Computer Security team at EADS' research center, Innovation Works, and focuses on networking and wireless link security. He is an active member of the Rstack team and the French Honeynet Project, with studies on honeynet containment, honeypot farms and network traffic analysis.

He's been delivering technical talks worldwide (Cansecwest, Recon, Ruxcon, Pacsec, Bellua, etc.), and has published research papers, magazine articles (MISC) and trainings (Cansecwest, Pacsec, Syscan) on network and wireless security. He also authored Wifitap, an 802.11 communication tool based on traffic injection. Website: