Lectures

The content brought forth...

Listed below are the lectures selected for presentation with full information.

Keynote

Hacking has been characterized as fast, loose, and ad-hoc. Academia has been characterized as slow, deliberate and iterative. We wanted to train and mentor students from a bunch of different backgrounds, so we took the best processes from the academic approach, and the best people from the hacker community, and combined them into one program. In this talk, I'll discuss the program's environment, processes, and results, at the NYU-Poly ISIS Lab.

Lectures

9600 8N1, Root Shell Drive, Serial City, USA

This presentation dives into the crazy world of serial port converters, remote access devices, and terminal servers, demonstrating simple methods for accessing thousands of servers, routers, and point-of-sale systems using Metasploit. There will be a focus on Digi International bugs, along with much more.

All the network is a stage, and the APKs merely players: Scripting Android Applications

This will be a walkthrough presentation on dynamic exploration of Android apps using JRuby. We'll give a brief overview of the entire process, beginning with tools to disassemble the package, followed by a crash course in understanding smali disassembly and modifying and rebuilding APKs. We'll then move into a tutorial on running code from a targeted Android package within a JRuby session, demonstrating a popular app being scripted, recovering private keys and bypassing custom cryptographic routines to create and control thousands of fake social accounts.

We'll conclude with a discussion on what this allows us to do, such as access to APIs restricted to official mobile-only use, discovery and reuse of functionality, and aid in black-box dynamic reverse engineering.

ASERT's DDoS Malware Corral, Volume 1

In the never-ending search for new DDoS malware families, ASERT's malware corral processed over 2 million samples in 2012. In this talk we will share some details on a handful of lesser known bots that we analyzed this past year. We will cover what the bot does to an infected host, its command and control (C&C) communications, and, of course, what the DDoS attack traffic looks like. While names like HOIC, Dirt Jumper, and Brobot are familiar in the infosec media, we will cover new ones such as Cynic, SATBOT, and TarriedRat.

Anatomy of a Chinese Infiltration into a Research EDU

In 2009 I was asked to assist in the investigation of an intrusion at an unnamed educational institution due to alarming outbound network behavior. This presentation will detail what the investigation uncovered including discussion of attacker tools and techniques as well as a blow-by-blow chronological account of what we believe happened. Although some of the facts are somewhat comical, the presentation will delve into some of the challenges facing edu network defenders and their administrators.

Cracking Corporate Passwords - Why Your Password Policy Sucks

In the past, Rick has talked about public password leaks of Internet-facing applications/websites. These are a treasure trove of knowledge for password crackers about password selection in non-corporate environments.

And then, LinkedIn hashes got leaked (6 months after being hacked no less!). This was one of the first large lists of passwords chosen specifically by users who are "more likely" to choose passwords that would meet password complexity rules. But are they better passwords?

But the information gained from the LinkedIn passwords was nothing new to professional penetration testers. Inside corporate networks, there are complexity rules that users have to meet when choosing passwords, and there is password rotation as well. It is common knowledge that these policies make the passwords "stronger" - but is that a correct statement? (Hint: It's not.)

Join Rick, and let's laugh at what people are doing when they think no one is looking. Guess what? Spring2013 is a crappy password. And you know what? Three months ago, Winter2012 wasn't a great password either.

We need to change our ideas about password policy. It is making our networks LESS secure. And you need to do something about it.
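The point the abstract makes can be shown in a few lines. The following is an added illustration, not the speaker's material: it applies a constructed Active Directory style complexity rule (assumed here as minimum length 8 and at least three of four character classes) to the passwords named above, then plays the cracker's side with a season+year candidate list against unsalted SHA-1 hashes, which is how the LinkedIn hashes were stored. The "leaked" hashes are generated in the script itself.

```python
"""Added illustration for the password-policy talk above; not the speaker's code.

Assumes an Active Directory style complexity rule (constructed: minimum length 8,
at least three of four character classes) and models the cracker's side with a
season+year candidate list against unsalted SHA-1 hashes.
"""
import hashlib
import itertools
import re
import string

MIN_LENGTH = 8      # assumed policy setting
MIN_CLASSES = 3     # assumed: "3 of 4" character classes, as in AD complexity
SEASONS = ("spring", "summer", "fall", "autumn", "winter")


def character_classes(password):
    """Count which of the four classes (lower, upper, digit, symbol) appear."""
    checks = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(checks)


def meets_complexity_policy(password):
    """The check a domain-controller style complexity rule would apply."""
    return len(password) >= MIN_LENGTH and character_classes(password) >= MIN_CLASSES


# Season followed by a four-digit year, optionally one trailing symbol.
SEASON_YEAR = re.compile(
    r"^(spring|summer|fall|autumn|winter)(19|20)\d{2}[!@#$%^&*.]?$", re.IGNORECASE
)


def looks_like_season_year(password):
    """A pattern check that the complexity rule lacks entirely."""
    return SEASON_YEAR.match(password) is not None


def season_year_wordlist(years=range(1990, 2031), suffixes=("", "!")):
    """Every season+year combination in three capitalisations: a cracker's first pass."""
    words = []
    for season, year, suffix in itertools.product(SEASONS, years, suffixes):
        for variant in (season, season.capitalize(), season.upper()):
            words.append(f"{variant}{year}{suffix}")
    return words


def sha1_hex(plaintext):
    return hashlib.sha1(plaintext.encode()).hexdigest()


def crack_unsalted_sha1(leaked_hashes, candidates):
    """Hash each candidate once and match; unsalted hashes mean one table serves every user."""
    table = {sha1_hex(c): c for c in candidates}
    return {h: table[h] for h in leaked_hashes if h in table}


# Constructed sample "leak": hashes generated right here, not real LinkedIn data.
LEAKED = [sha1_hex(p) for p in ("Spring2013", "Winter2012", "correct horse battery staple")]

if __name__ == "__main__":
    for pw in ("Spring2013", "Winter2012", "spring2013", "correct horse battery staple"):
        print(f"{pw!r:32} complexity={meets_complexity_policy(pw)!s:5} "
              f"season+year={looks_like_season_year(pw)}")
    wordlist = season_year_wordlist()
    recovered = crack_unsalted_sha1(LEAKED, wordlist)
    print(f"{len(wordlist)} candidates recovered {len(recovered)} of {len(LEAKED)} hashes:",
          sorted(recovered.values()))
```

Both Spring2013 and Winter2012 pass the complexity rule, while a long lowercase passphrase fails it; the 1230-entry season+year list recovers both compliant passwords and nothing else. That is the gap the talk is about: complexity and rotation rules shape passwords into patterns a cracker enumerates first.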

Defending the City Within the City

There aren't many information security jobs where you're charged with protecting a police department, electric utility, nuclear reactor, health care facility, and a rail gun. The University of Texas is its own city within Austin. But, at an EDU you can't just throw up a firewall and call it a day; a certain amount of openness must be maintained for academic freedom and research. In addition, there are some weird devices to secure on a university campus you'll find in few other places. Some of the things the UT Information Security Office has assessed over the years include an MRI machine, a giant glowing globe, manhole covers, SCADA systems, and a Godzillatron. The ISO will discuss, in panel format, the challenges of securing a university environment. Come with questions.

Destructive D-Trace - With Great Power Comes Great Responsibility

DTrace, an instrumentation framework present on Mac OS X, Solaris and TrustedBSD, has long been a tool for system administrators and developers alike to investigate and debug their applications and platform. However, it can also be utilized by an attacker as a means of cloaking their presence on the system. This talk will discuss the implementation of a fully functional rootkit via DTrace probes. It will also look at ways of making detection of the rootkit

Dissecting Socioware - A Study of Online Social Network Malware

Online Social Networks (OSNs) have revolutionized the internet and social interactions by giving birth to e-societies. Being chain networks, OSNs expose a wide attack surface for attackers to trigger infections, affecting a large set of users. This talk sheds light on the model of Socioware, a term coined to represent social malware. The model of analysis used in this talk covers different sets of malware classes and attack techniques that are used by attackers to infect OSNs.

During the analysis of Socioware, this talk unveils the use of spreaders, classes of malware that are used to inject malicious messages into communication software, and loaders, features in a bot that recursively load malicious programs and plugins onto the infected machine, and how they are used in Socioware. This talk goes over several demonstrations and real-world examples that cover how OSNs such as Facebook are hijacked and infected. Finally, the talk will conclude with effective defense tactics that OSNs can implement to reduce Socioware. We will discuss reverse-engineered code snippets of different bots to back up our concepts on Socioware.

Ghetto VR: steps involved in vulnerability research

Everybody has heard of a zero-day exploit, but an extremely small number of people in the security industry have actually found one. This presentation hopes to show future vulnerability researchers the steps necessary to find zero-day exploits, with simple examples in Python that can be the basis of their future tool suites. Equally, it should show software developers that they need to have an equally rigorous testing plan so that their software isn't the low-hanging fruit hackers can target. This presentation will, when possible, point the audience to useful resources. All examples are provided in Python. During each step of the vulnerability research cycle, helpful tips are provided.

Range Fees and Zero Days: Cyber "Hackerspaces"

Ever wanted to develop exploits targeting vital critical infrastructure, such as power grids, gas pipelines, hospitals, nuclear facilities and dams, but found buying the items required to develop these sorts of attacks on eBay difficult? What about writing self-propagating code or developing your own command-and-control infrastructure for a bot army, but didn't want to pull the trigger on a potentially career-limiting act? Or do you have proclivities to defend against these types of real-world attacks, but find canonical DARPA datasets boring and out of date, and willing participants in control of modern networks difficult to find? This talk aims to bridge this gap. The first half of this talk discusses what a Cyber Range is, how it is constructed and what the goals of such a project are. The second half discusses how this idea of a "cyber hackerspace" could be leveraged by the security research industry.

Taint Nobody Got Time for Crash Analysis

The last decade has seen a large focus on vulnerability discovery automation with various methods of fuzzing and input generation, however little has been said about crash analysis or triage. This talk will discuss a powerful toolchain for crash analysis that incorporates the best available approaches for automated reasoning about memory access violation exceptions and overcomes limitations in currently available tools such as !exploitable and crashwrangler.

In particular, we will discuss four key areas: forward taint analysis to track areas of memory that are influenced by user-controlled data, backward taint analysis to isolate input bytes that lead to the crashing state, control flow analysis to infer which conditionals are part of the logic leading to a crashing state, and finally forward symbolic execution to determine if the input can be modified to reach an alternate state giving more control over the execution of the program. In other words, our system will isolate the input bytes causing the crash and try to determine if your ReadAV can actually be turned into a WriteAV or code execution.

This toolchain is designed to plug into a standard fuzzing system to help complete the automation loop for vulnerability discovery and triage. We also include a GUI component for utilizing the data within IDA Pro. This project will be freely available to the public sometime in 2013. The core concepts can also be adapted for use in malware analysis and vulnerability discovery.
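To make the first of the four areas concrete, here is an added toy example of forward taint tracking; it is not the speakers' toolchain and uses a constructed register machine rather than x86 traces. Each register carries the set of input byte offsets that influenced it, arithmetic unions those sets, and a dereference of an unmapped address records the access violation together with the taint on the faulting address. The target program (a table lookup indexed by an unchecked 16-bit field), the mapped range, and both inputs are constructed here.

```python
"""Toy forward taint tracker in the spirit of the crash-triage talk above.

Added example, not the speakers' toolchain. The register machine, the
table-lookup program it runs, the mapped range and both inputs are constructed
here so the whole thing runs offline; real tools do this over x86 traces.
"""

TABLE_BASE = 0x1000
TABLE_MAPPED = range(TABLE_BASE, TABLE_BASE + 0x100)   # assumed mapped region


class TaintMachine:
    """Registers hold (value, taint): taint is the frozenset of input byte
    offsets that influenced the value. Constants are untainted, arithmetic
    unions taints, and a load from an unmapped address records a ReadAV
    along with the taint on the address."""

    def __init__(self, input_bytes):
        self.input = input_bytes
        self.regs = {}
        self.crash = None

    def load_input(self, reg, offset, width):
        # Attacker bytes enter here: value from the input, taint = the offsets read.
        chunk = self.input[offset:offset + width]
        value = int.from_bytes(chunk, "little")
        self.regs[reg] = (value, frozenset(range(offset, offset + width)))

    def mov_imm(self, reg, value):
        self.regs[reg] = (value & 0xFFFFFFFF, frozenset())

    def add(self, dst, src):
        v1, t1 = self.regs[dst]
        v2, t2 = self.regs[src]
        self.regs[dst] = ((v1 + v2) & 0xFFFFFFFF, t1 | t2)

    def shl(self, dst, bits):
        v, t = self.regs[dst]
        self.regs[dst] = ((v << bits) & 0xFFFFFFFF, t)

    def load(self, dst, addr_reg, mapped):
        addr, taint = self.regs[addr_reg]
        if addr not in mapped:
            # Read access violation: for triage, what matters is whether the
            # faulting address was attacker-influenced, and through which bytes.
            self.crash = ("ReadAV", addr, taint)
            return False
        self.regs[dst] = (0, frozenset())   # table contents are not attacker data here
        return True


def run_table_lookup(input_bytes):
    """Constructed target: 4-byte magic, then a 16-bit index that selects a
    dword from a fixed table with no bounds check."""
    m = TaintMachine(input_bytes)
    m.load_input("ecx", 4, 2)        # index from header bytes 4..5
    m.shl("ecx", 2)                  # index * sizeof(dword)
    m.mov_imm("ebx", TABLE_BASE)
    m.add("ebx", "ecx")              # ebx = table + index*4, tainted by bytes 4 and 5
    m.load("eax", "ebx", TABLE_MAPPED)
    return m.crash


def triage(input_bytes):
    """None for a clean run, else (kind, faulting address, sorted input offsets
    that influence that address)."""
    crash = run_table_lookup(input_bytes)
    if crash is None:
        return None
    kind, addr, taint = crash
    return kind, addr, sorted(taint)


# Constructed inputs: identical except for the index field.
GOOD_INPUT = b"RECD" + (3).to_bytes(2, "little") + b"\x00\x00payload"
BAD_INPUT = b"RECD" + (0x7FFF).to_bytes(2, "little") + b"\x00\x00payload"

if __name__ == "__main__":
    print("good:", triage(GOOD_INPUT))
    print("bad: ", triage(BAD_INPUT))
```

For the bad input the tracker reports a ReadAV at 0x20ffc whose address depends only on input offsets 4 and 5; the magic and trailing payload bytes drop out, which is the "isolate the input bytes" result the abstract describes. Knowing the faulting address is tainted and the access is a read is also the starting point for the later question of whether constraining those bytes can reach a write or a controlled jump instead.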

The 24 Hour Pentest

If a penetration tester had 24 hours to assess an organization, what would he do? This talk will discuss conducting a 24 hour penetration test that far exceeds what most companies provide via automating the process with web-apps and common sense. It challenges the status quo penetration test that is being offered as a service. The truth is, many companies throw money away and receive no value. It's time to change the game.

The State of Cyber Intelligence: Crossing the Bridge while Building It

Trying to shed your reactive tendencies and figure out what is needed to get ahead of the cyber threat? Tired of struggling to get actionable information at the level you need (UNCLASSIFIED) in time to act? The Software Engineering Institute's Innovation Center at Carnegie Mellon University presents its findings of a year-long study into the state of the practice of cyber intelligence. The study surveyed the cyber intelligence processes, tools, training, and technologies across the federal government and multiple sectors of industry, such as energy, retail, education, financial, and health care. This information indicated that organizations excel at performing cyber intelligence by effectively balancing the need to protect the network perimeter with the need to look beyond it for strategic insights. We will discuss the best practices that led to these organizations' success and how to tailor them to address challenges organizations currently face. This presentation does not simply admire the problem, but shares actions being done today that can help you get a step ahead of cyber threats.