A BIG THANK YOU to our sponsors, speakers, media and of course the HITB .MY and .NL volunteers for their help in putting together a kick ass conf! All presentation materials can be downloaded from:

http://conference.hackinthebox.org/hitbsecconf2011ams/materials

Official conference photos will be available at http://photos.hackinthebox.org in about 2 weeks’ time. Don’t forget to follow @hitbsecconf on Twitter! This blog posting will also be updated with links to post conference media coverage as and when they get published. If we’ve missed a news article or blog posting, please send us an email.


Post Conference Coverage (Mainstream Media)

International Business Times: Cookiejacking: Glitch in Internet Explorer leaks user info, says researcher
http://www.ibtimes.com/articles/153799/20110528/microsoft-cookiejacking-rosario-valotta-facebook-twitter-iframe-windows-google-amsterdam-ie.htm

MyCE: IE “cookiejacking” security hole discovered, affecting all versions
http://www.myce.com/news/ie-cookiejacking-security-hole-discovered-affecting-all-versions-45798/

InfoBAE: Facebook pagará por detectar sus errores
http://america.infobae.com/notas/26281-Facebook-pagara-por-detectar-sus-errores

Playground (Russia): Найдена новая уязвимость всех версий Internet Explorer
http://www.playground.ru/blogs/other/21032/

Overclockers.RU (Russia): Ошибка в браузере Internet Explorer облегчает похищение сессионных куки
http://www.overclockers.ru/softnews/41984/Oshibka_v_brauzere_Internet_Explorer_oblegchaet_pohischenie_sessionnyh_kuki.html

Security.NL (Netherlands): IE-gebruikers kwetsbaar voor cookie-kapers
http://www.security.nl/artikel/37230/1/IE-gebruikers_kwetsbaar_voor_cookie-kapers.html

Terra: Investigadores dicen haber detectado fallas de seguridad en tarjetas bancarias
http://economia.terra.com.co/noticias/noticia.aspx?idNoticia=201105202202_BBM_79722007

Computer World: Microsoft downplays IE ‘cookiejacking’ bug
http://www.computerworld.com/s/article/9217116/Microsoft_downplays_IE_cookiejacking_bug

Net1news: IE: trovata falla in tutti gli Internet Explorer
http://www.net1news.org/ie-trovata-falla-in-tutti-gli-internet-explorer.html

HW Files (Italy): Vulnerabilità cookiejacking in Internet Explorer, risponde Microsoft
http://www.hwfiles.it/news/vulnerabilita-cookiejacking-in-internet-explorer-risponde-microsoft_37013.html

eWeek Europe: Internet Explorer Flaw Allows For Cookie Theft
http://www.eweekeurope.co.uk/news/internet-explorer-flaw-allows-for-cookie-theft-30438

Security.NL (Netherlands): Porno-knop beschermt IE tegen cookiemonsters
http://www.security.nl/artikel/37264/1/Porno-knop_beschermt_IE_tegen_cookiemonsters.html

eWeek: IE Flaw Lets Attackers Steal Cookies, Access User Accounts
http://www.eweek.com/c/a/Security/IE-Flaw-Lets-Attackers-Steal-Cookies-Access-User-Accounts-402503/

Network World: IE Flaw Could Allow Hackers Access to your Facebook, Gmail, Twitter Accounts
http://www.networkworld.com/community/node/74259

Web News (Italy): Microsoft prepara la patch per il cookiejacking
http://www.webnews.it/notizie/microsoft-prepara-la-patch-per-il-cookiejacking/

IT Home (Taiwan): 研究人員揭露IE含有cookie綁架漏洞
http://www.ithome.com.tw/itadm/article.php?c=67874

Information Week: iOS 4 Hardware Encryption Cracked By Forensics Firm
http://www.informationweek.com/news/229700041

PC Magazin (Germany): IE-Lücke ermöglicht Cookie-Klau
http://www.pc-magazin.de/news/ie-luecke-ermoeglicht-cookie-klau-1142308.html

The Register: Unpatched IE bug exposes sensitive Facebook creds
http://www.theregister.co.uk/2011/05/25/microsoft_internet_explorer_cookiejacking/

Rosbalt.RU (Russian): Итальянец создал новую программу для кражи цифрового удостоверения
http://www.rosbalt.ru/style/2011/05/28/853207.html

XAKEP (Russia): Microsoft: cookiejacking нас не волнует
http://www.xakep.ru/post/55821/

SYS-CON MEDIA: SSL : Implementation Gone Wrong
http://www.sys-con.com/node/1847737


The Guardian (UK): Hacking conference sees ‘enemies’ break boundaries
http://www.guardian.co.uk/technology/blog/2011/may/23/hack-in-the-box-security-conference

Softpedia News: Exclusive Interview: Facebook Chief Security Officer, Joe Sullivan
http://news.softpedia.com/news/Softpedia-Exclusive-Interview-Facebook-Chief-Security-Officer-Joe-Sullivan-201935.shtml

Terra: Investigadores dicen haber detectado fallas de seguridad en tarjetas bancarias
http://economia.terra.com.ve/noticias/noticia.aspx?idNoticia=201105202202_BBM_79722007

El Nuevo Dia: Tarjetas con fallas de seguridad
http://www.elnuevodia.com/tarjetasconfallasdeseguridad-971686.html

PC-Facile: Facebook prepara i soldi per le segnalazioni di vulnerabilità
http://www.pc-facile.com/news/facebook_soldi_segnalazioni_vulnerabilita/69554.htm

Softpedia News: Facebook to Offer Rewards for Security Vulnerabilities
http://news.softpedia.com/news/Facebook-Prepares-to-Launch-Bug-Bounty-Program-201405.shtml

BBC Mundo: Investigadores dicen haber detectado fallas de seguridad en tarjetas bancarias
http://www.bbc.co.uk/mundo/ultimas_noticias/2011/05/110520_ultnot_tecnologia_tarjetas_sao.shtml

NRC Handelsblad: Zelf laptop- en telefoondieven vangen met Prey
http://weblogs.nrc.nl/hebben/2011/05/17/zelf-laptop-en-telefoondieven-vangen-met-prey/

NOS News (Radio): ‘Hacker is ontzettend vasthoudend’
http://nos.nl/audio/242046-hackers-is-ontzettend-vasthoudend.html

Tweakers.net: Nieuwe creditcard-beveiliging is te omzeilen
http://tweakers.net/nieuws/74574/nieuwe-creditcard-beveiliging-is-te-omzeilen.html

Security.NL: “Hacker kan hardware permanent saboteren”
http://www.security.nl/artikel/37173/1/%22Hacker_kan_hardware_permanent_saboteren%22.html

Tweakers.net: Onderzoeker waarschuwt voor gevaarlijke SAP-configuraties
http://tweakers.net/nieuws/74562/onderzoeker-waarschuwt-voor-gevaarlijke-sap-configuraties.html

Security.NL: Facebook: Verbod anoniem account is innovatie
http://www.security.nl/artikel/37154/1/Facebook%3A_Verbod_anoniem_account_is_innovatie.html

CHIP Online (CZ): Facebook bude hackery odměňovat
http://www.chip.cz/clanky/bezpecnost/2011/05/facebook-bude-hackery-odmenovat

Post Conference Coverage (Blogs)

SYS-CON Media: SSL : Implementation Gone Wrong
http://www.sys-con.com/node/1847737

Acros Security: The Anatomy of COM Server-Based Binary Planting Exploits
http://blog.acrossecurity.com/2011/05/anatomy-of-com-server-based-binary.html

SecureList: Hack in The Box Security Conference 2011 Amsterdam / NL
http://www.securelist.com/en/blog/208188077/Hack_in_The_Box_Security_Conference_2011_Amsterdam_NL

/dev/random: HITB2011Ams Wrap-up Day #1
http://blog.rootshell.be/2011/05/19/hitb2011ams-wrap-up-day-1/

/dev/random: HITB2011Ams Wrap-up Day #2
http://blog.rootshell.be/2011/05/20/hitb2011ams-wrap-up-day-2/

CupFighter: HitB2011AMS: Credit Card Skimming and PIN Harvesting in an EMV World
http://www.cupfighter.net/index.php/2011/05/hitb2011ams-emv/

CupFighter: HitB2011AMS: iPhone Data Protection in-Depth
http://www.cupfighter.net/index.php/2011/05/hitb2011ams-iphone/

CupFighter: HitB2011AMS: Let me Stuxnet You
http://www.cupfighter.net/index.php/2011/05/hitb2011ams-pdos/

CupFighter: HitB2011AMS: A Real-Life Study of What Really Breaks SSL
http://www.cupfighter.net/index.php/2011/05/hitb2011ams-what-breaks-ssl/

CupFighter: HitB2011AMS: WebShells: A Framework for Penetration Testing
http://www.cupfighter.net/index.php/2011/05/hitb2011ams-webshells/

CupFighter: HitB2011AMS: A Million Little Tracking Devices
http://www.cupfighter.net/index.php/2011/05/hitb2011ams-100000-tracking-devices/

CupFighter: HitB2011AMS: Beyond Botnets – Dissecting the Ecosystem
http://www.cupfighter.net/index.php/2011/05/hitb2001ams-beyond-botnets/


The finalized conference agenda is now available for download:

http://conference.hackinthebox.org/hitbsecconf2011ams/hitb2011ams-agenda.pdf

There’s still about 3 weeks +/- to register for your conference seats and if you haven’t already done so, then we strongly encourage you to register now (unless the idea of standing for 2 days listening to talks sounds appealing)! Places for the training courses on the 17th and 18th of May are also selling out fast. See you guys next month!

Below are the winners from the first and second round of Capture the Flag Pre Qualifications. Congratulations to those who cracked our challenge; we look forward to seeing all of you for the on-site game in Amsterdam on the 19th and the 20th of May. If you have any questions or comments, please email hitbctf-ams@hackinthebox.org.

Round Two CTF Pre-Qual Binary Reversing Top 5

1. Team CoP
2. dxp
3. Gijs
4. Alexandru M.
5. Mihaela P.

Round Two CTF Pre-Qual Web Challenge

1. Alexandru M.
2. Mihaela P.

Round Two CTF Pre-Qual Binary & Web Challenge

1. Alexandru M.
2. Mihaela P.

Round One CTF Pre-Qual Binary Reversing Top 4

1. Team Consortium of Pwners
2. Worawita
3. Xelenonz
4. ius

Round One CTF Pre-Qual Web Challenge Top 10

1. Can4opan4o
2. karniv0re
3. anant
4. testdata
5. aczid
6. brainsmoke
7. stef
8. dorucriv
9. vvdveen
10. jongyii

As part of Google’s ongoing commitment to encouraging women to excel in computing and technology, Google is pleased to announce the HITB2011 Conference Grant. This grant is set up to enable more female computer scientists to attend and participate in HITB2011AMS. The grant includes a pass to the conference on 19th and 20th of May (accommodation not included) & travel expenses up to EUR500! We encourage all female hackers and computer scientists to apply.

To be eligible for a conference grant, candidates must:

• Be a female working in or studying Computer Science
• Maintain a strong academic background with demonstrated leadership ability
• Be able to attend the 2 full days of the main conference

How To Apply

To apply, send an e-mail before 20th April 2011 to europe-events@google.com with the subject “HITB 2011 Conference Grant” and the following details:

1.) Your full name and email address
2.) Current address, contact phone number and copy of photo ID
3.) Your CV
4.) A 1-page statement (no more than 600 words) about why you wish to attend HITB2011AMS and why attending is important to your research and/or future career

Winners and claim process

The winners will be notified via e-mail by April 27 2011. If you are a successful applicant, you will be sent your free ticket and a payment form to expense your travel costs to be completed and submitted after the event.

Below is the second round of speakers who have been confirmed for HITBSecConf2011 – Amsterdam. The draft conference agenda has also been published:

Draft Conference Agenda

Additional Conference Speakers

1.) Andreas Wiegenstein (Team Lead, CodeProfiler Research Labs, Virtual Forge)
2.) Andrew Gavin (Creator, OpenDLP)
3.) Aditya K. Sood (Founder, SecNiche)
4.) Claudio Criscione (CTO, Secure Network)
5.) Guillaume Delugré (Sogeti / ESEC)
6.) Itzik Kotler (CTO, Security Art)
7.) Ivan Ristić (Qualys SSL Labs)
8.) Jean-Baptiste Bédrune (Sogeti / ESEC)
9.) Jean Sigwald (Sogeti / ESEC)
10.) Jim Geovedi (Independent Researcher)
11.) Laurent Oudot (Founder, TEHTRI Security)
12.) Mariano Nuñez Di Croce (Director of R&D, Onapsis)
13.) Shreeraj Shah (Founder, BlueInfy)

DAY 1 CLOSING – OpenLeaks Exclusive by Daniel Domscheit-Berg

19th & 20th May – Quad Track Security Conference

Below is the first round of speakers who have been confirmed for HITBSecConf2011 – Amsterdam. Stay tuned for more speakers to be announced this week and the draft conference agenda which will be released on Friday, 11th March 2011.

Conference Speakers (alphabetical order)

1.) Asia Slowinska (Independent Security Researcher, Vrije Universiteit)
2.) Daniel Mende (ERNW)
3.) Didier Stevens (Security Consultant, Contraste Europe NV)
4.) Don A. Bailey (Security Consultant, iSEC Partners)
5.) Elena Kropochkina (Devoteam Security)
6.) Enno Rey (ERNW)
7.) Itzhak ‘Zuk’ Avraham (Founder, Zimperium)
8.) Joffrey Czarny (Devoteam Security)
9.) Mitja Kolsek (CTO, ACROS Security)
10.) Rosario Valotta (Tentacolo Viola)
11.) Stefan Esser (Head of R&D, SektionEins GmbH)
12.) Thomas Caplin (Sogeti / ESEC)
13.) Travis Goodspeed (GoodFET Project)

Individuals and teams wanting to participate in the Capture The Flag – World Domination competition at #HITB2011AMS will need to go through a pre-qualification round (held online) over the weekend of the 19th and 20th March. This pre-qual game will also give participants an insight into what to expect come game day.

The game will last for 24 hours from March 19th to March 20th and you must successfully complete at least one puzzle in order to compete at the CTF at HITB Amsterdam. Each round will start 0900 US Eastern Standard Time. Each player will be presented with two puzzles to solve. You will have 24 hours to complete the puzzle and submit your answer via email. The puzzle site details will be emailed to you at the start of the round.

For further details and to register, please see: http://hitb.eventbrite.com/

The pre conference PDF flyer which includes all the event details and highlights is now available for download:

HITB Pre Conference Flyer (A4)



Welcome to the official homepage of HITBSecConf2011 – Amsterdam – the second annual HITBSecConf in Europe! At our first ever .EU event in 2010 we brought a brand new quad track format conference and this year we’re about to bring a new feature first introduced at HITB2010KUL – the keynote panel discussion. For HITB2011AMS the discussion will focus on The Economics of Vulnerabilities and features keynote panelists from Google, Adobe, McAfee, TippingPoint and Mozilla!

HITBSecConf2011 – Amsterdam will also feature a brand new Capture The Flag – World Domination run by the HITB.nl CTF Crew, an expanded Hackerspaces Village (with participation from .NL and .EU based hackerspaces), a lock picking village set up and run by members from TOOOL.nl and of course the HITBSIGINT sessions – 15 minute talks held during the coffee and lunch breaks with a focus on highlighting up and coming research and researchers.

There are only 500 seats available for HITB2011AMS and we encourage you to register early! Students and members of the various participating hackerspaces get to attend the conference on the 19th and 20th of May at only EUR 250!

About HITBSecConf

The main aim of the HITBSecConf conference series is to create a truly technical and deep knowledge event in order to allow you to learn first hand about the security threats you face in today’s super connected world. The HITBSecConf platform is used to enable the dissemination, discussion and sharing of critical network security information. Presented by respected members of both the mainstream network security arena as well as the underground or black hat community, our events routinely highlight new and ground-breaking attack and defense methods that have not been seen or discussed in public before. Our conferences are held annually in Dubai (UAE), Kuala Lumpur (Malaysia) and now Amsterdam in The Netherlands!


Venue: The Grand Krasnapolsky
Dam 9, 1012 JS Amsterdam,
The Netherlands

Technical Training – DAY 1 and DAY 2
Date: 17th and 18th May 2011
Time: 0900 – 1700

TECH TRAINING 1 – Hunting Web Attackers
TECH TRAINING 2 – The Exploit Laboratory 5.0
TECH TRAINING 3 – Windows Physical Memory Acquisition & Analysis
TECH TRAINING 4 – Web Hacking 2.0: Attacks, Penetration and Exploits

Conference DAY 1 and DAY 2
Date: 19th and 20th May 2011
Time: 0900 – 1700

Quad Track Security Conference
HITB Labs
HITB SIGINT
Capture The Flag – World Domination
Lock Picking Village by TOOOL.nl
Hackerspaces Village