Talks « Security BSides Rochester – April 6th 2013

Talks

I’m Good Enough, I’m Smart Enough and Doggone It, CFP Reviewers and Audiences CAN Love Me!
James Arlen

  • You are a great person – a unique and special snowflake – you have brilliant ideas.
  • You are completely ineffective at getting those ideas out of your head and to an audience.
  • You’ve submitted multiple CFP responses and are not (or rarely) accepted.
  • You have used more than 4 fonts in a PowerPoint deck or a font size less than 24pts.
  • You have ever read your talk from speaker’s notes (or worse, read aloud only the words on the screen).

Join this *highly interactive* workshop-style talk during which there will be some instruction and a whole lot of guided visualizations with the aim of getting from *Idea* to *Delivery* – CFP Responses to doing the research to building the talk and making the impact you want.

Stop producing presentations that look like crap and fail to get your point across. NOTE: There will be a beta-release of a tool at this talk – not a ‘sploits make me leet’ tool, but a tool that will make you not look like crap as often.

 


 

Building the Perfect Backdoor
Tyler Wrightson

In this talk Tyler discusses how to build the most perfect backdoor, covering elements and techniques that you probably haven’t considered before and which might surprise you. This will not be a rehash of previously covered rootkit techniques; however, rootkit functionality will be covered. You’ll learn the best ways to deploy and manage your backdoor as well as the best functionality to include.

Tyler will release source code and examples of most of the techniques described.

 


 

Attacking NFC Mobile Wallets: Why I’d Rather Swipe Your Credit Card
Max Sobell

This talk covers the attack surface of NFC Mobile Wallets (including Google Wallet) and details attacks to date. As more and more Mobile Wallet rollouts are deployed, it is important to understand Wallets’ inherent strengths and limitations. This talk details communication with the Secure Element, the EMV payment standard, and Android, iOS, and BlackBerry NFC APIs.

 


 

Simplifying Secure Code Reviews
Sherif Koussa

Secure code review is one of the best ways to uncover vulnerabilities and reduce the risk of online web applications being breached. However, secure code review has always been challenged as being skill- and tool-intensive. But what if this could be simplified so developers on your team could perform it? What if this could be achieved with minimal impact on deadlines? This presentation will delve into the science and process behind secure code review and will continue to discuss a simplified approach to secure code review: a simplified process to follow, free tools to use and some of the pitfalls to avoid.

 


 

Controlling a Smartphone from an Architectural Vantage Point
Kirk Swidowski

This talk introduces VERTIGO: a modular custom thin-microvisor for the ARM architecture. It is installed through an Operating System (OS) specific loader that dynamically suspends execution, decouples the OS from its underlying hardware and hoists it into a state analogous to a virtual machine. VERTIGO is considered a virtualization technology but is unique as it does not require any source code modifications of the underlying OS to maintain control and synchronization, unlike OKL4 and CODEZERO. The microvisor targets the Cortex-A8 and -A9 series SoCs and has been tested with the Apple iPhone 4 (iOS 5.1.1) and Samsung Galaxy SIII (Android 4.0.4).

The VERTIGO microvisor represents a unique capability that showcases what is possible at the architectural level. While its primary purpose is to aid in reverse engineering and other security-related research tasks, the techniques could be misused to assist with nefarious activities. The benefits of exposing this capability will hopefully be twofold. First, advance the state of the art in tools available when performing reverse engineering and other security-related research tasks. Second, allow mitigation technologies to be designed and developed to prevent malicious software from leveraging the same techniques.

 


 

Mobile Phone Hacking (+/- 5 years)
Corey Benninger

A look at tricks and techniques used for mobile device and application assessments over the past five years (from dumb phones to smart phones) and some wild speculation on where things are headed in the mobile security consulting space. From seem editing Razr phones to rooting Androids. From DUN tethering setups to secure element shims. A talk about what trends we’re likely to see repeated and tips for assessing mobile devices not yet developed.

 


 

Custom Power Pwn
James Edge

The people over at Pwnie Express are coming out with a neat device called the Power Pwn. This device follows up on the Pwn Plug and the PwnPhone. With my experience as a penetration tester and junior hardware hacker I’ve been working on my own “pwn” hardware.

I combined the PCEngines Alix 6f2, an APC BE650R Battery Backup Power Strip, and a battery Power Pack for a Custom Power Pwn. I integrated the Alix connectors for the serial, ethernet, and external antenna connectors with the existing APC coax, rj45, and rj50 ports.

This talk is a show and tell on what I did and how anyone who is a fan of hardware hacking can do this themselves.

 


 

iOS App Hooking – Bypassing lockscreens, jailbreak detection, and breaking stuff
Sid Adukia