DNS Problems and Solutions

Spammers can't use dotted quads or any other literal IP address, because SpamAssassin won't let it through: it looks too much like spam. So, spammers need cheap and plentiful -- dare we say 'too cheap to meter'? -- domain names. The DNS industry is only too happy to provide these domain names, cheaply and at massive scale. The end result is that 90% of all domain names are crap, with more on the way. DNS registrars and registries sometimes cooperate with law enforcement and commercial takedown efforts, since this results in domains that die sooner, thus creating demand for more domains sooner. Spammers and other abusers of the Internet commons sometimes try to keep their domains alive a little longer by changing name server addresses, or changing name server names, many times per day. All of this action and counteraction leaves tracks, and around those tracks, security-minded network and server operators can build interesting defenses, including DNS RPZ, a firewall that works on DNS names, DNS responses, and DNS metadata; and NOD, a feed of Newly Observed Domains that can be used for brand enforcement, as well as an RPZ that can direct a DNS firewall to treat infant domain names unfairly. Dr. Paul Vixie, long-time maintainer of BIND and now CEO of Farsight Security, will explain and demonstrate.


Dr. Paul Vixie is the CEO of Farsight Security. He previously served as President, Chairman and Founder of Internet Systems Consortium (ISC), as President of MAPS, PAIX and MIBH, as CTO of Abovenet/MFN, and on the board of several for-profit and non-profit companies. He served on the ARIN Board of Trustees from 2005 to 2013, and as Chairman in 2008 and 2009. Vixie is a founding member of ICANN Root Server System Advisory Committee (RSSAC) and ICANN Security and Stability Advisory Committee (SSAC).

Vixie has been contributing to Internet protocols and UNIX systems as a protocol designer and software architect since 1980. He is considered the primary author and technical architect of BIND 8, and he hired many of the people who wrote BIND 9 and the people now working on BIND 10. He has authored or co-authored a dozen or so RFCs, mostly on DNS and related topics, and is a co-author of Sendmail: Theory and Practice (Digital Press, 1994). He earned his Ph.D. from Keio University for work related to the Internet Domain Name System (DNS and DNSSEC).



Design, Implementation and Bypass of the Chain-of-trust Model of iOS

The closed software ecosystem of iOS heavily relies on the rigorous security mechanisms of iOS. This talk will analyze the design, implementation, and evolution of the security mechanisms in iOS along the timeline from device boot and kernel initialization to the creation and execution of a userland process; review the key steps in previous jailbreak tools for breaking the chain-of-trust model of iOS; share the critical techniques exploited by Pangu 7 and Pangu 8; and analyze and forecast potential attack surfaces for future jailbreaks. We will also analyze a code signing bypass vulnerability that enables untethered jailbreak against iOS 8.2, and explain how it was stealthily fixed by Apple in iOS 8.3.


The Pangu Team is a team of senior security researchers focusing on iOS security. The Pangu Team successively released untethered jailbreak tools for iOS 7.1.x and iOS 8.0-8.1 in 2014, becoming the first team in China to independently develop untethered jailbreaks and the first team in the world to jailbreak iOS 8.

Andy Davis


Broadcasting Your Attack: Security Testing DAB Radio In Cars

Digital Audio Broadcasting (DAB) radio receivers can be found in many new cars and are in most cases integrated into an IVI (In-Vehicle Infotainment) system, which is connected to other vehicle modules via the CAN bus. Therefore, any vulnerabilities discovered in the DAB radio stack code could potentially result in an attacker exploiting the IVI system and pivoting their attacks toward more cyber-physical modules such as those concerned with steering or braking. This talk will discuss the complex protocol capabilities of DAB and DAB+ and describe the potential areas where security vulnerabilities in different implementations may exist. I will discuss the use of Software Defined Radio in conjunction with open source DAB transmission software to develop our security testing tool (DABble). Finally I will talk about some of our findings, the implications of exploiting DAB-based vulnerabilities via a broadcast radio medium and what this could mean for the automotive world.


Andy has worked in the Information Security industry for over 20 years, performing a range of security functions throughout his career. Prior to joining NCC Group, Andy held the positions of Head of Security Research at KPMG, UK and Chief Research Officer at IRM Plc. Before working in the private sector he worked for ten years performing various roles in Government. Recently, Andy has been leading security research projects into technologies such as embedded systems and hardware interface technologies and developing new techniques for software vulnerability discovery.




Sit back and listen to the fascinating journey of this year’s VENOM vulnerability discovery. Learn how hypervisors work and where researchers should look for critical vulnerabilities. Find out how the VENOM vulnerability was found and why it went unnoticed for so many years. Watch a live demo of a VENOM exploit that escapes the guest VM and executes arbitrary code in the host’s hypervisor process. Hear all about the challenges of a coordinated vendor disclosure process. And take in the lessons we learned from the media exposure VENOM received.


Jason Geffner is a world-renowned industry thought-leader in the fields of computer security and reverse engineering. He has been interviewed by Forbes, Fortune, CBS, AP, CSO Magazine, c|net, PCWorld, Dark Reading, and Threatpost, and has been featured on Slashdot, The Register, SC Magazine, ZDNet and Computerworld. Geffner holds several patents, is the discoverer of VENOM, and the inventor of Tortilla. He has been invited to present numerous times at Black Hat, RSA Conference, CanSecWest, OWASP, REcon, ISOI, Lockdown, and other industry conferences, in addition to delivering training to the United States Air Force, Japan’s National Police Agency, and private industry.



Relaying EMV Contactless Transactions With Off-The-Shelf Android Devices

We present the first vulnerabilities in EMV Contactless that do not use legacy modes and that are applicable to all EMV Contactless cards and terminals worldwide. In particular, we show that a relay attack can be performed with very limited resources and widely available off-the-shelf hardware. Our proof-of-concept relay attack proves that a criminal can pay at a Point-of-Sale terminal, using the payment card inside a victim's wallet, while the victim is arbitrarily far away from the terminal. Using EMV- and Android-specific optimizations, we show the world's first relayed transaction that is faster than a transaction performed directly with the same card. Due to this technological advancement, the most obvious countermeasure against relay attacks, timing restriction, will not be effective at all.

As the climax of the presentation, we will give a live demonstration of our relay attack performed with a real point-of-sale terminal and a real bank card.

Our findings have significant implications for the acceptance of contactless transactions by the public. Indeed, contactless transactions will not be widely accepted by customers if they are not confident about the security of contactless cards, and contactless technology in general, and banks in particular, can suffer significant reputational damage.


Jordi van den Breekel is an IT security consultant at KPMG the Netherlands. He provides his clients with advice on many aspects of IT security, performs penetration tests and IT security audits. During his Master’s research on EMV Contactless and his work for KPMG, he became an expert in the fields of the EMV standard and NFC technology. In 2014, Jordi graduated Cum Laude from the University of Technology Eindhoven with a Master of Science degree in Information Security Technology.




No Magic Here: Challenges and Opportunities in the Emerging Field of Security Data Science

As enterprise networks and consumer devices generate an ever-larger deluge of security-relevant data, data science (machine learning, data visualization, and scalable storage technologies) has become necessary if we are to succeed in both stopping advanced attackers and gaining intelligence about their tactics. Unfortunately, there is still a gap between the security and data science communities: security professionals often have limited knowledge of data science, and security data scientists often come from non-security backgrounds and may not understand why security data science is different from the solutions taught in traditional machine learning and visualization programs. In my talk, I will bridge this gap, discussing the challenges and opportunities posed by applying data science to security, demonstrating exciting results achieved by my research group in the last few years, and empowering attendees to begin to apply security data science in new and powerful ways.

The first part of the talk will provide a non-mathematical overview of security data science, introducing state-of-the-art data visualization and the big three machine learning tasks (classification, clustering and regression). For each of the topics, I will give examples of how my colleagues and I have successfully applied the topic to problems like attack detection, threat intelligence, malware analysis and scalable malware analytics. The second part of the talk will cover both major security-specific data science challenges and solutions to these challenges. The third part of my talk will address security data visualization, discussing my group's ongoing and past log visualization, malware analysis visualization, and threat intelligence visualization work. My goal is that attendees leave the talk excited about the possibilities of applying data science to their own security-related work, newly aware of the pitfalls of this area, and more knowledgeable about solutions to these pitfalls.


Joshua Saxe directs Invincea Labs' data science research group, whose focus is researching and developing breakthrough security data science technologies. Highlights of his work at Invincea have included leading the development of a system that automatically discovers and visualizes malware genealogical relationships, and leading the development of novel data science approaches for detecting, analyzing and visualizing both malware and malicious network behavior. Prior to starting at Invincea, Josh served as lead research engineer at Applied Minds, an inter-disciplinary technology think-tank, where he led a two-year research project focused on applying machine learning and data visualization to the problem of modeling enterprises' cybersecurity vulnerabilities.



Attacks on Telecom Operators and Mobile Subscribers Using SS7

Lately, phone communication records can be found on the Internet and even be heard on TV. It is obvious that such records were obtained without the knowledge of the subscribers. We will consider the range of possibilities open to an intruder who has accessed the holy of holies of telecom companies — SS7. The talk will address attacks aimed at: disclosure of a subscriber's sensitive data, including his or her location; changing enabled services; call forwarding; and unauthorized intrusion into a voice communication channel. Information about the signaling messages that can be used to perform these attacks is publicly available. The research also covers types of proactive protection against such attacks and methods of investigating incidents related to vulnerabilities in a signaling network.


Dmitry Kurbatov graduated from Moscow State Institute of Radio Engineering, Electronics and Automation with a degree in Information Security of Telecommunication Systems. He has 7 years of experience in information security of corporate networks, business applications, and telecommunication equipment. An expert at the Positive Research Center, he participated in organizing all Positive Hack Days forums. Dmitry has published many articles on information security.