A mind blowing presentation about the underlying theory and science behind language/software design with respect to security.
Recently, my news feed has been full of news about the newly launched search engine: YaCy. It is not just "another" search engine as it introduces the concept of Peer to peer decentralized and distributed search where search is no longer under the hand of one big corporate entity or a few data centers as it is traditionally the case with the current search engines such as google for example.
Currently, the project is very basic with a very primary UI but demonstrates a lot of good features. You - The user - can have complete control over the crawled pages and a the portion of the search index you contribute to during the whole search process. You totally have compete unrestricted access to an administrative interface through which you can also get full statistics, issue crawling jobs, black list certain domains and a whole lot more!
This idea in my opinion, the THE idea we have been inspecting for quite a few years now. It will completely revolutionize and change search as we know it and will ring the privacy bells at every search company out there. Complete private and unrestricted search. Your activity or search history is no longer monitored and hindered by corporate greed and goals. Your data and search process is completely untraceable, anonymous and most importantly, you will no longer have to worry over privacy issues since there is no such thing as server client or centralized communication. Peer to peer is the way to go!
Below is the demo of the YaCi project. Enjoy and start using it now if you are convinced. Welcome to the "Tor" of searching.
Speaker: Dan Rosenberg
Originally considered to be the stuff of myth, remote kernel exploits allow attackers to bypass all operating system protection mechanisms and gain instant root access to remote systems. While reviewing prior work in remote kernel exploitation, this talk will go over some of the challenges and limitations associated with developing remote kernel exploits.
We will discuss in detail the development of an exploit for a remotely triggerable vulnerability in the Linux kernel's implementation of the ROSE amateur radio protocol. In doing so, a number of new kernel exploitation techniques will be demonstrated. In addition, this talk will present a working example of the installation of a remote kernel backdoor. We will conclude with a demonstration of this exploit against a live system and a discussion of future work in kernel exploitation and mitigation.
Speaker: David Litchfield
David Litchfield is recognized as one of the world's leading authorities on database security. He is the author of Oracle Forensics, the Oracle Hacker's Handbook, the Database Hacker's Handbook and SQL Server Security and is the co-author of the Shellcoder's Handbook. He is a regular speaker at a number of computer security conferences and has delivered lectures to the National Security Agency, the UK's Security Service, GCHQ and the Bundesamt f¸r Sicherheit in der Informationstechnik in Germany.
Speaker: Jason Ostrom Sipera VIPER Lab
This presentation is about the security of VoIP deployed in hotel guest rooms. What it is, why it benefits administrators and users, and how easily it can be broken. The hospitality industry is widely deploying VoIP. Since 2008, we've seen an increase of these rollouts along with Admin awareness of applying the required security controls in order to mitigate this potential backdoor into a company's mission critical data and systems — their Crown Jewels. The method is simple: through VoIP, a malicious hotel guest may gain access into corporate data resources such as a company's sensitive financial or HR systems. This talk will present updated research with a new case study: A Hotel VoIP infrastructure that had security applied. We will explore the missing pieces. How has this risk changed for permitting a hotel guest unauthorized network access, and who should be concerned? An old VLAN attack will be re-visited, with a new twist: how the VLAN attack applies to recent production VoIP infrastructure deployments, and how it can be combined with a new physical method. A new version of the free VoIP Hopper security tool will be demonstrated live, showcasing this new feature. In addition, we will investigate an alternative to CDP for device discovery and inventory control: LLDP-MED (Link Layer Device Discovery - Media Endpoint Discovery). A case study penetration test of a client infrastructure that used LLDP-MED follows , with a comparison to CDP. VoIP Hopper will demonstrate the first security assessment tool features for this advancing protocol. Mitigation recommendations will follow.
Watch this fantastic demo at defcon this year demonstrating an epic hack to link kinect and the metasploit hacking framework in order to hack with style. Yeah, like in the movies. Make a gesture and a command gets executed. How Epic is that? =D. Enough talking, but imagine if hacking is as eye candy as in surfing virtual 3D environments and spatial data structures? Like in the movie: Hackers 1995 ? <3
Denial-of-service (DoS) attacks are very common. They are used for extortion, political protest, revenge, or just LULz. Most of them use old, inefficient methods like UDP Floods, which require thousands of attackers to bring down a Web server. The newer Layer 7 attacks like Slowloris and Rudy are more powerful, and can stop a Web server from a single attacker with incomplete Http requests. The newest and most powerful attack uses IPv6 multicasts, and can bring down all the Windows machines on an entire network from a single attacker.
I will explain and demonstrate these tools: Low Orbit Ion Cannon, OWASP Http DoS Tool, and flood_router6 from the thc-ipv6 attack suite. This deadly IPv6 Router Advertisement Flood attack is a zero-day attack--Microsoft has known about it since June 2010 but has not patched it yet (as of May 4, 2011).
Audience Participation: Bring a device to test for vulnerability to the Router Advertisement Flood! Some cell phones and game consoles have been reported to be vulnerable--let's find out! If your device crashes, please come to the Q&A room so we can video-record it and arrange disclosure to the vendor.