44CON LONDON 2015 has ended

Track 1 Talks
Wednesday, September 9


44CON LONDON 2015 Community Evening Opening
44CON LONDON 2015 Opens with the Community Evening. Free to attend (registration required) we have talks and a film!

adrian

Event Director, Cortex Insight, Sense/Net, alien8 Security

Wednesday September 9, 2015 18:30 - 18:44
Track 1


Stegosploit - Drive-by Browser Exploits using only Images
"A good exploit is one that is delivered with style".

Stegosploit creates a new way to encode "drive-by" browser exploits and deliver them through image files. These payloads are undetectable using current means. This paper discusses two broad underlying techniques used for image-based exploit delivery: steganography and polyglots. Drive-by browser exploits are steganographically encoded into JPG and PNG images. The resultant image file is fused with HTML and JavaScript decoder code, turning it into an HTML+Image polyglot. The polyglot looks and feels like an image, but is decoded and triggered in a victim's browser when loaded.

Saumil Shah

Saumil Shah is the founder and CEO of Net-Square, providing cutting edge information security services to clients around the globe. Saumil is an internationally recognized speaker and instructor, having regularly presented at conferences like 44CON, Blackhat, RSA, CanSecWest...

Wednesday September 9, 2015 18:45 - 19:44
Track 1


Get in the Ring0 - Understanding Windows drivers
Separate your IRPs from your IRQLs, people, it's time to learn about Windows drivers. Turns out they're not magic. Who knew?

Graham Sutherland

Penetration Tester, Portcullis Computer Security
Graham Sutherland is a penetration tester working for Portcullis Computer Security in London. Before making the career move to security, he spent several years paying his dues as a developer. He is primarily self-taught and spent the best part of a decade doing independent security...

Wednesday September 9, 2015 19:45 - 20:44
Track 1
Thursday, September 10


44CON LONDON 2015 Opening
adrian

Event Director, Cortex Insight, Sense/Net, alien8 Security

Thursday September 10, 2015 09:15 - 09:29
Track 1


Smart Muttering; a story and toolset for smart meter platform
The use of smart meters and their associated technologies is becoming more widespread as utility providers struggle to deal with ever growing demand and scarcer resources. The European Union has deployed over 46 million smart meters to date, with an additional 119 million smart meters intended to be deployed in member countries by 2019. Likewise, in the United States of America, there are indications that the number of smart meters deployed had topped the 50 million mark in mid-July 2014.

Previous work has shown security and privacy concerns with smart metering specifically, with researchers at IOActive even developing a "Smart Grid Worm". However, this work has done little to open either smart meter research to a wider audience, or provide tools for approaching new platforms and devices.

To address this, we developed a pluggable framework and an easy-to-build, low-cost hardware platform for embedded device protocol analysis and manipulation, both of which will be released under an open-source license during the talk.

Whilst smart devices have been developed for managing resources, their functionality has also been found to be applicable to other spheres, resulting in technologies (based on, or similar to, smart technologies) often being found in other applications. Some smart device platforms are also used in process management applications, and even transport management systems. The resources governed by these systems are regarded as critical infrastructure by most governments. Disruption of these systems could result in significant damage to national infrastructure, or even political instability in a region targeted by attackers. In addition to smart networks, the advent of the so-called "Internet of Things" has added a plethora of new devices to home networks. These technologies are thus responsible for securing access to both nation-state and residential resources, making research in this area an important concern.

Given the present and growing criticality of these devices, we embarked on a lengthy assessment of the popular LonMark platform as implemented in the Echelon Series 5000-based devices with the aim of discovering platform-wide vulnerabilities that could be used to attack devices or their backend management platforms.

However, few to no tools exist for assessing devices that make use of obscure networks or protocols. Currently, attacking smart meters, interconnected hardware and associated applications is not as simple as firing up a web proxy and intercepting traffic, as is the case with web applications, something this talk hopes to change. In most cases, the devices communicate over mediums researchers may not be familiar with and may use custom protocols, resulting in difficulties obtaining access to network communication streams.

To counter these obstacles, I will present various mechanisms for assessing the security of obscure networks, protocols and devices. This will be performed using off-the-shelf hardware and a custom framework for conducting this type of work.

This toolset, the result of thousands of hours worth of research, will provide functionality for conducting traditional sniffing, replay and fuzzing attacks against devices making use of wired connections. Using this framework, the analyst will practically demonstrate attacks against the smart devices used during the course of this research.

Previously, we have demonstrated vulnerabilities in Z-Wave home automation and security devices at BlackHat [1], as well as building proxy frameworks for obscure protocols such as SAP DIAG that led to a significant opening up of the protocol for further research [2]. This work, while on a different platform, is thus a natural extension of past expertise and interests.

Ian de Villiers

Ian de Villiers is a security analyst and researcher at SensePost. Coming from a development background, his areas of expertise are in application and web application assessments. Ian has spent considerable time researching application frameworks, and has published a number of...

Thursday September 10, 2015 09:30 - 10:29
Track 1


Is there an EFI monster inside your apple?
A few weeks ago I publicly disclosed an Apple EFI firmware zero day.
It was a very powerful bug allowing direct access to the EFI firmware from the operating system. EFI rootkits are some of the most powerful and most interesting rootkits. Because they work at a very low level, they can play a lot of tricks to hide themselves from forensics and persist for a long time.

EFI monsters are a bit like jaguars: stealthy and rarely seen by humans. This doesn't mean they do not exist. EFI monsters are most certainly part of spy agencies' rootkit catalogs.
Very few tools exist to chase them.

This talk is about introducing you to the EFI world so you can also start to chase these monsters. The EFI world might look scary, but it's a bit easier than you think and a lot of fun.

Reference blogpost:

Plus content about EFI layout, where to look for rootkits and so on.
Essentially an introduction to EFI and how to find potential rootkits there.


Pedro Vilaça

A leading expert in the field of not being an expert, plays with computers for more than 30 years, holds a degree in Economics and an MBA, writes a somewhat famous OS X related blog, breaks copy protections for fun and profit, annoys HackingTeam, trolls Apple’s product security policy...

Thursday September 10, 2015 11:00 - 11:59
Track 1


DDoS mitigation EPIC FAIL collection
I have been researching DDoS attacks and mitigation techniques for the past three years and have worked with industry leaders on testing their systems, providing them with cutting edge, and even never-seen-before, attacks.
I was amazed (actually still am) to find out that those big corporations, investing so much work into their defense architecture, came to FAIL, and sometimes the sole reason for a successful attack was a mitigation configuration or architecture FAIL.
My research is done by utilizing smart grids of computers, mimicking vast botnets from all over the world, writing and perfecting scripted attacks, and even involving social engineering attempts within those attacks (for mitigation that involves manual intervention).
The presentation will showcase 10 such FAILs, detailed technically with a step-by-step follow-along of the attack strategy and of how its mitigation failed, and of course a recommended setup for a proper mitigation technique that will not suffer such direct damage as presented.

Moshe Zioni

Moshe (dalmoz) has been researching security since he was 14, and realized at about the age of 20 that there is a market for hackers, now called Pentesters, and that people will actually pay you for your "service". Nowadays consulting to industry leaders, banks, software vendors...

Thursday September 10, 2015 13:30 - 14:29
Track 1


reverse reverse engineering
Note: This talk will not be recorded.
Richo will walk attendees through the basic architecture of a traditional AOT compiler and runtime loader, and describe the parallels between this and the operation of a modern bytecode VM (python, ruby, etc). With this newfound knowledge, we'll tackle implementing a tool to reverse engineer a sample of obfuscated ruby. However, instead of analyzing the bytecode directly, we will implement a malicious, but otherwise fully functional, VM and use that to explore the various anti-analysis tricks deployed.

By the end of the talk, you will have extended insight into the conceptual inner workings of a compiler, and feel equipped to implement substitutes for the interesting parts of a traditional compilation/loader pipeline to trick opaque objects into telling you how they work, instead of the other way around. While the demos will focus on ruby, the techniques demonstrated are equally applicable to python, etc.

richö butts

Security Engineer, Stripe
richö spends most of his time flying parachutes and flinging himself off things. But he also hacks computers and hangs out with nerds.

Thursday September 10, 2015 14:30 - 15:29
Track 1


Inside Terracotta VPN
Virtual Private Networks (VPNs) are very popular. They are part and parcel of almost every enterprise network, especially those with remote employees. Aside from VPNs for enterprises, there are many reputable commercial VPN services that offer low cost, reliable service to individual users. These users employ VPNs for reasons that might include connection security, protection of private data, online gaming acceleration, and bypassing service provider restrictions. VPNs are also popular with cyber criminals, as they are one way the latter can obscure their true source location. When a commercial VPN service provider uses resources such as servers and copious bandwidth stolen or repurposed from unsuspecting victims for purposes of profit, the offering clearly crosses into the criminal domain. In this report, FirstWatch exposes one such operator doing business under multiple VPN brand names out of the People’s Republic of China (PRC). At last count, the Terracotta VPN node ecosystem consisted of more than 1500 systems around the globe. Every Windows server running as a Terracotta VPN node that FirstWatch was able to verify was hacked.

The operators behind Terracotta VPN continue their broad campaign to compromise multiple victim organizations around the world. Meanwhile, advanced threat actors such as Shell_Crew (Google RSA Shell_Crew for details) use Terracotta VPN to anonymize their activity while they hack the crap out of governments and commercial entities around the world. While RSA has yet to release the paper to the public, an earlier version of Inside Terracotta VPN was presented to Microsoft’s invitation-only Digital Crimes Consortium (DCC 2105) conference in Miami. This presenter will share with the 44CON London audience otherwise non-public information previously restricted to law enforcement on how this was discovered, and other stuff not appearing in the paper to be released by RSA (this summer).

Kent Backman

Kent is a threat intelligence analyst with FirstWatch, the threat intelligence group behind RSA's threat intelligence-driven products including RSA Security Analytics, formerly Netwitness. FirstWatch typically tracks things with no name. Within the small FirstWatch group, Kent's...

Thursday September 10, 2015 16:00 - 16:59
Track 1


Barbarians At The Gate(way): An Examination Of The Attacker's Tool Box
This talk will examine the tools, methods and data behind the DDoS attacks that are prevalent in the news headlines. Using information collected, the presentation will demonstrate what the attackers are using to cause their mischief and mayhem, and examine the timeline and progression of attackers as they move from the historical page defacers to the motivated DDoS attacker.

We will look at the motivations and rationale that they have, and try to share some understanding of what patterns the audience should be aware of for their own protection.

Dave Lewis

Akamai Technologies
Dave has almost two decades of industry experience. He has extensive experience in IT operations and management. Currently, Dave is a Global Security Advocate for Akamai Technologies. He is the founder of the security site Liquidmatrix Security Digest and co-host of the Liquidmatrix...

Thursday September 10, 2015 17:00 - 17:59
Track 1


Exploiting 64-bit IE on Windows 8.1 - The Pwn2Own Case Study
Instead of 32-bit IE, this year's Pwn2Own competition selected 64-bit Internet Explorer as the target for the first time.
64-bit IE brings new challenges to exploit writers; for example, a simple heap spraying technique will not work in a 64-bit process.
And in order to win the game, we also needed to bypass the Control Flow Guard (CFG) mitigation on Windows 8.1 as well as the Enhanced Protected Mode (EPM) sandbox of IE.

In this presentation, we will disclose the details of the 2 vulnerabilities we used to take down 64-bit IE in Pwn2Own 2015 for the first time.
We will go through the PoC exploit to demonstrate the techniques we used to build a working 64-bit IE exploit.
We will show how we achieved ASLR and CFG bypass and remote code execution in 64-bit IE with a single uninitialized memory bug.
We will also discuss the bug we used to bypass IE's EPM sandbox to achieve elevation of privilege.

Yuki Chen

Yuki Chen is a core member of the 360Vulcan Team from the 360 Safeguard offensive and defensive research group. In March this year, 360Vulcan Team successfully exploited 64-bit Internet Explorer with EPM enabled at Pwn2Own 2015 in Vancouver. Yuki Chen has 6+ years’ experience in security...

Thursday September 10, 2015 19:35 - 20:29
Track 1


Playing with Fire: Attacking the FireEye MPS
Note: This talk will not be recorded.
This talk will give an overview of a number of vulnerabilities in FireEye's Malware Protection System (MPS) that were recently discovered (and which have been patched in the interim). These range from command injections in the management web interface, through local privilege escalation vulnerabilities, to exploits that allow a full compromise of the system by simply sending a malicious file over the network and exploiting bugs in the analysis process.
We will discuss the inherent attack exposure of certain types of network security controls, together with architectural recommendations on how those could be addressed.

Felix Wilhelm

Felix is a security researcher working for ERNW GmbH. His main interests are application security, reverse engineering and virtualization security. Felix has disclosed critical vulnerabilities in popular software such as Hyper-V, Xen, Typo3 or IBM GPFS and has presented his work...

Thursday September 10, 2015 20:30 - 21:29
Track 1
Friday, September 11


Software Defined Networking (SDN) Security
SDN is rapidly moving from R&D to production deployment, with some frightening security implications. This presentation will provide an overview of emerging SDN technologies, the attack surfaces they expose, and the kinds of vulnerabilities that have already been discovered in popular SDN controllers. A live demo of several exploits will show the potential security implications of deploying SDN in production today. Finally we will look at some efforts currently underway to improve the security of SDN controllers.

David Jorm

David has been involved in the security industry for the last 15 years. During this time he has found high-impact and novel flaws in dozens of major Java components. He has worked for Red Hat's security team, led a Chinese startup that failed miserably, wrote the core aviation...

Friday September 11, 2015 09:30 - 10:29
Track 1


Going AUTH the Rails on a Crazy Train
Rails has a strong foundation in convention over configuration. In this regard, Rails handles a lot of security-related conventions for developers, keeping them safe from vulnerabilities such as SQL injection, XSS, and CSRF out of the box. However, authentication and authorization logic is largely left up to the developer. It is here that the abilities of the framework hit the end of the track and it’s up to the developers to keep themselves safe. In this talk, we take a look at patterns that we’ve seen across some of the largest Rails applications on the internet and cover common pitfalls that you as a security researcher and/or developer can watch out for. We will also be discussing and releasing a new dynamic analysis tool for Rails applications to help pentesters navigate through authentication and authorization solutions in Rails.


Jeff Jarmoc

Jeff is a Senior Application Security Consultant at NCC Group who has contributed code to the Brakeman Rails Security Scanning tool. He’s perhaps best known in the Rails community for his whitepaper The Anatomy of a Rails Vulnerability, in which he deeply explored remote code execution...

Tomek Rabczak

Tomek is an Application Security Consultant at NCC Group with experience in secure web application development, security tool research and development, code review, and penetration testing. Over the past 2 years, he has looked at and assessed the security of some of the largest...

Friday September 11, 2015 11:30 - 12:29
Track 1


Windows 10: 2 Steps Forward, 1 Step Back
Windows 10 is shaping up to be one of the most secure consumer operating systems yet; it includes many new security features baked in, such as Control Flow Guard and Credentials Isolation. But new features have a habit of coming with additional bugs, which only serve to reduce the security of the system at the same time.

This presentation will describe a few of the new security features introduced into Windows 10 as well as some of the vulnerabilities I’ve discovered which demonstrate that secure engineering is still very difficult in practice.

James Forshaw

James is a security researcher in Google’s Project Zero. He has been involved with computer hardware and software security for over 10 years, looking at a range of different platforms and applications. With a great interest in logical vulnerabilities he’s been listed as the #1...

Friday September 11, 2015 14:00 - 14:59
Track 1


Responsible disclosure: who cares?
Both OJ and Dan have been conducting security assessments for years. Occasionally a discovery is made which warrants discreetly contacting the vendor in question to let them know several thousand (or million) of their devices have a major vulnerability. Sometimes the vendor takes notice and subsequently takes action; however, sadly, on most occasions they either feign effort, completely ignore the researcher, or openly say 'go away'. These are a couple of stories of how responsible disclosure was attempted, but the company in question couldn't be troubled to help themselves.

Dan will articulate the story of events surrounding the recent goatse-ing of a sign in Atlanta, Georgia. LED billboards are apparently just like every other "IoT" style device: completely open, completely public, you just have to know where to look. A little shodanning and one can find any number of colorful things on the internet. Dan will tell the story about his attempts to notify this sign company shortly before they got goatse'd, their interactions before and after, and the demeanor in which one can conduct oneself when going about turning a security disclosure into a conference talk. We will check live on stage to see how many of these things still exist, as well.

OJ will tell a horrible tale of his first ever disclosure experience, one that involved a very large vendor of consumer storage products. The story consists of initial vulnerability discovery, analysis, and exploitation, and then leads into what seemed like an endless back-and-forth with the vendor over a series of months. There were lows, and there were highs. The former outnumbered the latter. There was much derp! All will be shared in its lulzy glory, in gory detail, up to and including a discussion with the vendor's CSO. The story will end with an opinion. A strong one. OJ will also be trawling shodan to show how many boxes are still vuln. He will be going through the exploit step by step and explaining how things were discovered.

OJ Reeves

Founder, Beyond Binary
OJ Reeves is an Australian security professional who specialises in attack simulation. When not breaking networks and software he is actively contributing to the Metasploit framework, with a particular focus on Meterpreter.
Dan Tentler

Dan Tentler is a Co-Founder of Carbon Dynamics, specializing in Attack Simulation. He currently manages the Attack Simulation division of the organization. He shouts on the internet, quite a lot, occasionally talks to the news. Angry old man of the internet.

Friday September 11, 2015 15:00 - 15:59
Track 1


44CON LONDON 2015 Closing
The closing 30 minutes: giveaways and fun!

Friday September 11, 2015 16:00 - 16:30
Track 1