View all Speakers

HITBSecConf2005 - Keynote Speakers

1.) Tony Chor, Group Program Manager, Microsoft Internet Explorer, Microsoft Corporation
2.) Mikko Hypponen Chief Research Officer, F-Secure Corp.

HITBSecConf2005 - Conference Speakers

(Listed in alphabetical order)

1. Aaron Higbee, Principal Consultant, Foundstone, a division of McAfee,Inc.
2. Anthony Zboralski (Gaius), Founder, Hackers Emergency Response Team (HERT)
3. Christoff Breytenbach, Senior IT Security Consultant, Sensepost
4. Dave Aitel , CEO, Immunity Inc.
5. Dave Mckay, Independent Security Consultant
6. Emmanuel Gadaix, Founder, Telecom Security Task Force (TSTF)
7. Fabio Ghioni
8. Fabrice Marie, Manager, FMA-RMS
9. Fyodor Yarochkin, Co-Author, X-Probe
10. Jim Geovedi, Information Security Consultant, PT Bellua Asia Pacific
11. Joanna Rutkowska Founder, Invisiblethings.org
12. Jose Nazario, Senior Software Engineer, Arbor Networks
13. Nish Bhalla, VP Consulting Solutions, Security Compass
14. Marc Shoenefeld,Freelance Network Security Consultant
15. Marius Eriksen, Google
16. Meder Kydyraliev, Co-Author, X-Probe
17. Roberto Preatoni, Founder, Zone-H Defacement Mirror
18. Rohyt Belani, Director, Red Cliff Consulting
19. San, Member, X-Focus China
20. Shreeraj Shah, Director, Net-Square Solutions
21. Swaraj, Suresec UK
22. The grugq, Independent Anti-forensics Researcher
23. Tim Pritlove, Chaos Computer Club
24. Zubair Khan, Freelance Network Security Consultant

Presentation Title: Mobile Malware
Presentation Details:

The first real viruses infecting mobile phones were found during late 2004. Since then, dozens of different viruses and Trojans - including cases like Commwarrior, Lasco and Skulls - have been found. Mobile phone viruses use totally new spreading vectors such as Multimedia messages and Bluetooth.

How exactly do these mobile viruses work? We’ll have a look at their code and discuss what factors affect their spreading speeds. Virus writers have always been trying to attack new platforms. What draws them now towards the mobile phone? Are phones as a platform simply widespread enough, or is the possibility of making easy money via phone billing systems driving this development? Where are we now and what can we expect to see in the Mobile Malware of the future?

About Mikko:

Mr. Mikko Hypponen is the Chief Research Officer at F-Secure Corp. He has been analysing viruses since 1991. He has consulted several high-profile organizations on computer security issues, including IBM, Microsoft, FBI, US Secret Service, Interpol and the Scotland Yard. Mr. Hypponen (35) led the team that infiltrated the Slapper worm attack network in 2002, took down the world-wide network used by the Sobig.F worm in 2003 and was the first to warn the world about the Sasser outbreak in 2004.

Mr. Hypponen and his team has been profiled by Wall Street Journal, Vanity Fair, New York Times and Newsweek. He has been an invited member of CARO (the Computer Anti-Virus Researchers Organization) since 1995.

Apart from computer security issues, Mr. Hypponen enjoys collecting and restoring classic arcade video games and pinball machines from past decades. He lives with his family, and a small moose community, on an island near Helsinki.

Presentation Title: Internet Explorer Security: Past, Present, and Future
Presentation Details:

Microsoft’s Internet Explorer team is on the frontline of the battle to protect users from malware and social attacks. Tony Chor will outline threats to secure browsing, discuss Microsoft’s response with Internet Explorer for Windows XP SP2, and detail the implementation of safety features in the upcoming Internet Explorer 7.0, such as the Phishing Filter and Protected Mode.

About Tony:

Tony Chor is the Group Program Manager of the Microsoft’s Internet Explorer team. He is responsible for leading the IE team’s security response as well as for driving the design, development, and release of new versions of IE including IE 6 in XP SP2 and IE 7 for XP and Windows Vista.

Tony is a fifteen year veteran of Microsoft and has worked on a variety of projects including digital imaging in Windows Vista, MSN Explorer, Works, Encarta Online, Bookshelf, Picture It!, and Golf. He holds a B.S. in Computer Science from Stanford University.

Presentation Title: Corp. vs. Corp: Profiling Modern Espionage
Presentation Details:

** Presenting with Roberto Preatoni

An impressionistic overview of what makes the difference today and in the future (in the digital playground) in the balance of power between economic and military powers. The presentation will also cover a description of the business behind espionage worldwide as well as the asymmetric organizations that are the real master of puppets.

- How do digital espionage asymmetric networks work
- Secret servicies and network mercenaries
- Prevention and monitoring vs data retention and “special laws” in today’s terrorism and data theft situations.

About Fabio:

Fabio Ghioni is advisor to several Multinational Corporations as well as Governments. He is the leading expert in the field of information security, competitive intelligence and intrusion management in an asymmetric environment. As consultant to several different Government institutions he has been the key to the solution of several terrorism cases in the past. He has serviced leading international corporations involved in the military, telecommunications, banking and technology industries. His key fields of research range from mobile and wireless competitive security to the classification of information and forensics technologies applied to identity management and ambient intelligence.

Look out for the special edition Zone-H Comic “Clustermind” that will be released at HITBSecConf2005 - Malaysia!

Presentation Title: Trends in Real World Attacks: A Compilation of Case Studies
Presentation Details:

The number of reported security incidents has always been proportional to the number of vendor-issued vulnerabilities. However, recently this trend seems to have broken. This can be attributed to an increase in attacks against custom applications, attacks targeting end-users, zero-day exploits, and self-propagating worms. This presentation will discuss such trend-breaking real world attacks ranging from the installation of keystroke-logging Trojans on end-user machines through an IE buffer overflow to attacks against wireless clients. Each case study will discuss the motivation of the attack, an overview of the underlying technical details and its impact on business.

About Rohyt:

Rohyt Belani is a Director with Red Cliff Consulting. His expertise encompasses the areas of wireless security, application security and incident response. Rohyt is also an experienced and talented instructor of technical security education courses.

Prior to joining Red Cliff, Mr. Belani was a Principal Consultant at Foundstone. Earlier in his career, he was a Research Group Member for the Networked Systems Survivability Group at the Computer Emergency Response Team (CERT).

Mr. Belani is a frequent author of articles for SecurityFocus, a reputed information security portal. He is also a contributing author for the Osborne publication, Hack Notes – Network Security. Rohyt is a regular speaker at various industry conferences and forums like OWASP, HTCIA, FBI-Cyber Security Summit, HP World, New York State Cyber Security Conference and HackInTheBox-Malaysia. Additionally, he has presented at several Institute of Electrical and Electronics Engineers (IEEE) and Association for Computing Machinery (ACM) -sponsored conferences on the topics of fault-tolerant distributed systems, wireless networks, and advanced network simulation.

Mr. Belani holds a Bachelor of Engineering in Computer Engineering from Bombay University and a Master of Science in Information Networking from Carnegie Mellon University. He is a Certified Information Systems Security Professional (CISSP).

Presentation Title: Phishing Attacks: A guide to self assessment
Presentation Details:

This is not another presentation about identifying phishing attacks and other scams. Phishing Attacks, a guide to self assessment aims to answer all the political and technical questions in planning and executing a phishing exercise for your own organization.

The audience will learn how to organize a phishing attack and leverage it into an exercise that will test user awareness and IT’s procedures to phishing incident response. Technical topics will include:

1.) How to word a compelling, believable phishing email scenario
2.) How to build the phishing web server
3.) How to mass mail the phishing scam to bypass potential mail filters
4.) How to safely collect the data of those who fall for the scam

The presentation will also cover the non-technical considerations that need to be thought of before and after the attack. If the phishing attack was planned right, the email and firewall team will be better prepared to respond to this threat, and more importantly, the recipient will gain valuable security awareness training that will help them at work and at home. With proper planning and execution, the victims actually thank you when it’s over.

About Aaron:

Aaron Higbee is a principal consultant for Foundstone, a division of McAfee. Prior to Foundstone, Aaron was a network abuse investigator for Earthlink Network and Roadrunner and has witnessed every type of Internet abuse since its inception. Aaron draws on his consulting experience building phishing exercises for Foundstone’s clients.

Presentation Title: Hacking Internet Banking Applications
Presentation Details:

The general public sentiment is that the banks, having always been the guardians of our money, are expert at safeguarding it. Unfortunately, internet corporate banking and personal banking applications are usually ridden with bugs. Internet Banking Applications development is nowadays out-sourced to third party software vendors that have poor understanding of security, and incomplete quality management processes. Most of the time the applications are extremely insecure before they get audited by security professional third-parties.

This presentation will demonstrate the various attacks that almost always work (and those that do not), on your “bank-next-door” internet banking application, illustrated with real life statistics. We will outline the regular technical attacks and will focus on a hit parade of business logic attacks. We will steal money from other customers, buy shares for free, and spy on other customers bank records among many other frauds.

This demonstration will highlight the solutions to some of the challenges the banks will face online to ensure that their data handling practices are compliant with their country’s privacy regulations and banking regulations among others.

About Fabrice:

Fabrice is the manager of FMA-RMS, a small dedicated security consulting firm based in Singapore. Developer by trade for many years, he has been involved in the information security field for over 6 years. His interests are in secure programming, cryptography, open source and firewalling techniques. For the last few years he has been breaking mostly bank and telecom web applications in the Asia Pacific region, as well as performing penetration tests for them. Originally from France, Fabrice has been staying in Singapore for the last 5 years.

Presentation Title: Exploiting Microsoft Services For Unix
Presentation Details:

Microsoft Services for Unix is a new component in the Windows suite which lets you run UNIX based applications on a win32 platform with very little effort. Microsoft has ported a number of utilities and packages to make the transition an easy task and to eliminate the need to have a dedicated UNIX platform. This presentation will cover the weakness in such a deployment and further cover all security issues including design flaws of the subsystem internals and will focus on different exploitation techniques.

About Swaraj:

Swaraj works for suresec as a senior security researcher, he enjoys code auditing and writing exploits for fun, he also works for debian linux distribution as a member of the security audit group which proactively fixes security vulnerabilities.He goes by an alias called jaguar ,in the past has found a number of vulnerabilities and has contributed to the debian project.

Presentation Title: VoIPhreaking: How to make free phone calls and influence people
Presentation Details:

The recent explosion in internet telephony has led to the exposure of the (previously) closed Public Service Telephone Network (PSTN) to the wilds of the internet. Voice over IP (VoIP) technology presents new and interesting security challenges, many of which are completely ignored until after deployment. These security issues, such as new avenues for fraud, present serious risks to tradition telephony companies. This talk explores the technologies behind VoIP infrastructures, focusing on their weaknesses and faults. LIVE DEMOS will help illustrate that attacks which violate VoIP system security are not only practical, but are already here. The era of VoIPhreaking has begun.

About The Grugq:

The grugq has been researching anti-forensics for almost 5 years. Grugq has worked to secure the networks and hosts of global corporations, and hes also worked for security consultanting companies. Currently, he slaves for a start-up, designing and writing IPS software and also as a freelance security consultant. Grugq has presented to the UK’s largest forensic practioner group where he scared the police. In his spare time, grugq likes to drink and rant.

Presentation Title: Web hacking Kung-Fu and Art of Defense
Presentation Details: Web attacks are on the rise and new methods of hacking are evolving. This presentation will cover new methodologies for web application footprinting, discovery and information gathering with a new range of tools.

Web applications are getting exploited using various new injection techniques like advanced SQL injection, LDAP query, XPATH goofing etc. All these new exploit methods will be discussed. The HTTP stack is changing in application frameworks like .NET. The stack can be utilized for defense using HTTP interfaces. Defense methodology for web applications are required to combat new threats emerging in the field.

This will be a deep-knowledge presentation that will be full of live demos, examples and new tools!

About Shreeraj:

Shreeraj Shah is founder and director of Net-Square. He has five years of experience in the field of security with a strong academic background. He has experience in system security architecture, system administration, network architecture, web application development, security consulting and has performed network penetration testing and application evaluation exercises for many significant companies in the IT arena. Shreeraj graduated from Marist College with a Masters in Computer Science, and has a strong research background in computer networking, application development, and object-oriented programming. He received his Bachelor’s degree in Engineering, Instrumentation and Control from Gujarat University, and an MBA from Nirma Institute of Management, India.

Shreeraj is the co-author of “Web Hacking: Attacks and Defense” published by Addison Wesley. He has published several advisories, tools, and white papers as researcher, and has presented at conferences including HackInTheBox, RSA, Blackhat, Bellua, CII, NASSCOM etc. You can find his blog at http://shreeraj.blogspot.com/.