PRESENTATION MATERIALS

Photos and videos from all talks will be uploaded in the next couple of weeks. Please follow @HITBSecConf on Twitter or join our Facebook Group.

Third set of accepted talks

The third set of accepted talks for #HITB2013AMS has been announced and, like the first and second announcements, this set of presentations promises SSL-VPN and LTE 0days with a touch of crypto madness for good measure.

You Can Be Anything You Want to Be: Breaking Through Certified Crypto in Banking Apps

Andrew Petukhov, George Noseevich and Dennis Gamayunov show how easy it is to break complex crypto in banking apps and how they’ve managed to submit fully trusted requests from “malicious” clients to a banking server as if they were generated by a legitimate client. Oh yes, and they promise to show you the money!

LTE Pwnage: Hacking HLR/HSS and MME Core Network Elements

Philippe Langlois of P1Security looks into specific vulnerabilities and talks about the very particular way that Network Equipment Vendors deal with security in the telecom domain. What better way to demonstrate this than by running a virtualized Huawei HSS from which he’ll show some of the vulnerabilities and attacks directly on the equipment itself.

Security Response in the Age of Mass Customized Attacks

Using four recent 0-day vulnerabilities as case studies, Peleus Uhley and Karthik Raman of Adobe’s Secure Software Engineering Team discuss Adobe’s response to attacks that use “mass-customized” malware. They will reflect on the relative success of sandboxing in the context of these attacks and explain how Adobe adapted their security response strategies to meet this new trend of exploitation.

System Shock: The Shodan Computer Search Engine

Shawn Merdinger covers the Shodan Computer Search Engine and its API, with a special focus on some of the scariest and sp00kiest devices discovered on the Internet, including SCADA systems, traffic lights, giant mining trucks, TV station antennas, gasoline pumps and more!

Virtually Secure: Analysis to Remote Root 0day on an Industry Leading SSL-VPN Appliance

Today most networks present one “gateway” to the whole network: the SSL-VPN. It is a vector that is often overlooked and considered “secure”. Tal Zeltzer decided to take apart an industry leading SSL-VPN appliance and analyze it to bits. Using a combination of web vulnerabilities, format string vulnerabilities and a bunch of frustration, he managed to overcome the multiple limitations and protections presented by the appliance to gain a remote unauthenticated root shell.

In addition to the 60-minute talks above, two more HITB Lab sessions have also been added to the lineup:

Defending the Enterprise the Russian Way

Fyodor Yarochkin, Vladimir Kropotov and Sergey Soldatov share the tips, tricks and tools they’ve developed to automatically detect and mitigate infected machines on the fly, plus identify and trace APT hackers.

Attacking Ruby on Rails Applications

Joernchen of Phenoelit takes a closer look at attacking Ruby on Rails applications. Starting with a basic overview of the Rails framework and its security mechanisms, attendees will look at both general web application flaws and RoR-specific issues, along with some interesting security aspects of the framework itself.

The final set of accepted papers will be announced next week along with the draft conference agenda. Don’t forget that the #HITB1337Giveaway for #HITB2013AMS runs till the 8th of March. Tweet, re-tweet and enter as many times as you want for a chance to win a VIP ticket to the conference AND USD1337 to help towards travel costs!

Copyright © 2012 Hack In The Box | http://www.hackinthebox.org