These noted security experts will discuss current IT security issues and provide an insight into strategy and security concepts during two conference days.

How NOT to Construct a Hardware Security System: The Microsoft Xbox – Michael Steil
With the Xbox, Microsoft rushed into the home entertainment market in 2001, by basically selling an Intel Celeron 733 MHz PC in a smaller case. Its security system was supposed to lock out copied games as well as non-licensed ("homebrew") software, but apparently time constraints and the lack of skill of the engineers led to a security system with plenty of vulnerabilities. In this talk, Michael Steil explains the (reconstructed) development of the Xbox security system, Microsoft's mistakes, hackers' attacks, and the lessons learnt.

About the Right and Wrong Way to Use Biometrics – Mikko Kiviharju
Biometrics, such as voice- and fingerprints, is an area with both unrealistic expectations and undermined technology. Biometric data are harder to lose than passwords, but they are also harder to change and pose some security risks that keys and passwords do not. On the other hand, the use of biometrics is conventionally seen only as an easy way to replace keys and passwords, when in the end they are ideally suited for security architectures considerably lighter than the usual PKI.
This presentation charts some of the pitfalls that usually arise when biometrics are treated like passwords or normal keys. The talk will also show how recent innovations in biometrics and good old crypto can help implement simpler security practices and break old barriers - must PKI have all those CAs like VeriSign, and are stolen fingerprints really irreplaceable?

RFID Malware Demystified – Melanie Rieback
Radio Frequency Identification (RFID) malware, first introduced in my paper 'Is Your Cat Infected with a Computer Virus?', has raised a great deal of controversy since it was first presented at the IEEE PerCom conference on March 15, 2006. The subject received an avalanche of (often overzealous) press coverage, which triggered a flurry of both positive and negative reactions from the RFID industry and consumers. This presentation will serve as a forum to explain RFID malware, from a hacker's perspective. I will start by explaining the fundamental concepts behind RFID malware, and then offer some qualifications and clarifications, separating out the facts vs. the myth regarding the real-world implications.

Things VoIP somebody did wrong so you don't have to – Hendrik Scholz
VoIP providers have their infrastructure in place and end user devices have been flooding the market for several years now. Yet SIP standardization and development is in full swing. There has been lots of discussion and uproar about SIP security and problems.
The talk tries to define the current status based on issues and fixes which came to light by running a large scale SIP installation and research into various areas. Problems include information leaks, device specific implementation bugs and generic security problems. Many vendors push a myth named Session Border Controllers. SBCs supposedly fix all problems but we are not there yet.

The Art of Deception: Are YOU In Danger of Being ‘Conned’? – Kevin Mitnick
While relatively unknown to the general public, the term “social engineering” is widely used within the computer security community to describe the techniques hackers use to deceive a trusted computer user within a company into revealing sensitive information, or trick an unsuspecting mark into performing actions that create a security hole.
Mitnick illustrates why a misplaced reliance on security technologies alone, such as firewalls, authentication devices, encryption, and intrusion detection systems, is virtually ineffective against a motivated attacker using these techniques.
Although there are no reported statistics on the number of successful social engineering attacks, these age-old techniques have been and continue to be extremely effective against unsuspecting targets, and pose the least risk and cost to your adversary.
In the corporate environment, a large number of unsuspecting victims never realize they have been manipulated. Will your employees be the next? Through concrete examples, Mitnick shares what your business can do to develop a creative and engaging security program that heightens awareness, motivates employees to change their attitudes, influences them to think defensively, and encourages the adoption of good security habits.

More Than a Microsoft World – Marc Maiffret
While Microsoft has long been the primary target for criminals looking to exploit system vulnerabilities, now other applications such as Systems Management, QuickTime, iTunes and even security applications from companies like Symantec and McAfee are being used as a means of entry into the network.
eEye's research team has identified these exploits as part of a growing trend of attacks that target consumer-oriented applications rather than the operating system itself, as well as bypass network-level security technologies traditionally used by organizations, including IDS gateways or gateway-based anti-virus systems. Now, applications like QuickTime or iTunes can represent a threat to the network's integrity.
The reason is simple: since Microsoft has been the dominant OS with the largest installed base, hackers naturally targeted it. However, as Microsoft has steadily improved its approach to security, criminals are looking to other "low hanging fruit." And they've had 5 whole years to practice against Microsoft, which means many applications are more vulnerable than ever.
This presentation will use real world examples to demonstrate how hackers are using their 5 years of practice against Microsoft to target every other application connected to your network.

Botnet Monitoring - Learning More About Botnets – Thorsten Holz
With the help of tools like nepenthes or different honeypot solutions, we are able to automatically collect autonomously spreading malware. With the help of an automated analysis process, we can also learn more about each binary without any human interaction. Thus we are able to automatically collect information about botnets, e.g. where they are located, which nicknames they use, and which passwords are involved. Now the fun part begins: we can track the botnet and learn more about it! In the first part of the talk, we will briefly introduce nepenthes and different ways to collect malware. In addition, we briefly talk about malware analysis with the help of CWSandbox. The main part of the talk focusses on "botspy", a tool for automated tracking of botnets. We introduce the tool in detail and talk about the lessons learned with it based on real-world examples. The talk concludes with an overview of "Rishi", a tool to detect infected machines in a network. Moreover, we introduce several other ways to detect compromised machines and how to protect against the threat behind botnets.