 

BSides Australia

SecurityBsides Australia 

 

When:      Tuesday, 15th of May 2012

Where:     Gold Coast, Queensland at the AusCERT Conference

Time:       6:30-8:30pm

Cost:        Free for folks attending AusCERT like last year

 

Venue:      Gardenia Room, Royal Pines

http://maps.google.com.au/maps?f=q&source=s_q&hl=en&geocode=&q=royal+pines+resort,+gold+coast&aq=&sll=-25.335448,135.745076&sspn=45.660664,80.068359&ie=UTF8&hq=royal+pines+resort,&hnear=Gold+Coast+Queensland&ll=-27.998873,153.399525&spn=0.042591,0.078192&z=14&iwloc=A

 

Schedule - Tuesday, 15/5/2012

 

6:00pm     AusCERT welcome cocktails kick off.

Direct link to the AusCERT 2012 schedule is here FYI sports fans:

http://conference.auscert.org.au/conf2012/program_main.html

 

Time Presenter 

Topic 

6:30pm 

Marc Bown

Trustwave SpiderLabs APAC

Paper Title:

Sharing the Love: Forensics in Shared Hosting Environments

 

Today, everyone who is anyone has a website.  Many of these sites are located on cheap, shared hosting space.  A single shared hosting server can be host to thousands of websites.  On a single server there can be sites hosting pictures of kittens with witty captions, e-commerce sites that collect payment card information and sites dedicated to plans to take over the world.

 

It turns out that when a company's web hosting budget is just cents per day, their security budget is often even smaller.  As a result, compromises of these shared hosting environments are not uncommon.  For forensic investigators though, these shared hosting environments are pretty unfriendly places.

 

For one thing, you're very unlikely to be able to get a full disk image of that compromised server.  Even the dodgiest of hosting providers will usually see the privacy implications of giving you access to more than one of their customers' details.

 

For another – many of the artefacts you are used to relying on (e.g. Web access logs) are completely missing in these low cost environments.  Logging = disk space = money, so they are kept for the minimum period possible.

 

In this talk I'll cover my experience working in shared hosting environments.  I'll talk about how to acquire evidence from these environments, when kicking down the door and physically taking the server isn't an option.  I'll detail some of the evidence sources I've discovered to be useful in recent investigations, as well as how to analyse them.

 

I'll also be running through the most common attack vectors that I have seen and showing you how to detect them quickly and easily.

 
7:00pm 

Graeme "wily" Bell

Assurance 

Title:

Doctor Strangelock ...or: How I learned to stop worrying and love the key.


Wily Kubrick discusses the arms race that is physical security. Through an analysis of patents from 1865 to the present day, some very cool -- and ridiculous -- lock security features are discussed. If you are yet to migrate to RFID implants to open your house, office and car, this talk may be of interest to you.

Presenter Bio:
Graeme "wily" Bell is a Senior Consultant with Assurance Pty Ltd, with a background in UNIX, network and infrastructure security. In his spare time Graeme enjoys photography and self-indulgent piano solos. He has presented at information security conferences and run lockpicking workshops. He once got caught in a set of (seized) handcuffs trying to show off to a pretty girl. 

7:30pm 

Loukas Kalenderidis

Assurance 

Title:

DE MYSTERIIS DOM JOBSIVS (EFI Threats to Mac OS X)

Abstract:

The EFI firmware used in Intel Macs and other modern systems presents some interesting possibilities for rootkit developers.

This presentation will provide a full account of how an EFI-based rootkit might work. We will begin with some background on the EFI architecture - what it does, how it works, and how we can leverage EFI to inject code into the Mac OS X kernel or attack the user directly. We will then detail how a kernel payload might work, employing a number of rootkit techniques that can be used within the XNU kernel.

Finally, we will discuss the possibilities for rootkit persistence that are presented by EFI. This presentation will leave the audience with an understanding of the ways in which EFI can be used in a modern Mac OS X rootkit.

A portion of this material was previously presented at Ruxcon 2011 and Kiwicon V in 2011 (on kernel rootkit techniques) and SyScan 2012, however, the focus of this talk is on ongoing EFI research.

Presenter Bio:

Loukas Kalenderidis is Principal Consultant at Assurance Pty Ltd, a former software engineer, long time Mac fanboy, avid musician, and aficionado of the world's beers (all of them). Loukas has previously presented at Ruxcon, Kiwicon, SyScan 2012 and SAGE-AU events.


 

 

 

Invite your friends by posting this hashtag on Twitter: "#bsidesau" or follow @bsidesau

 

 

Want to talk @ BSidesAU

 

Please submit your talk topic and the synopsis to securitybsidesau@gmail.com.  Depending on the number of presentations submitted, we are aiming for presentations 30 minutes in length, but the aim is to try and fit folks in if we can.

 

BSidesAU General Information

 

The biggest security conference in Australia each year is AusCERT, and we love it so much we thought we'd try to fit in some extra sessions for the folks who think that too much security is never enough!!!!

 

We have again been given the support of the AusCERT organisers to run BSidesAU this year.  There is a change in the running schedule for AusCERT this year, as you've all probably noticed, and we are fitting in with this new format.  So BSidesAU will be run alongside the welcome cocktails event.  That's right sports fans, BSidesAU + Cocktails == (can you dig it)

 

If you're new to Security BSides, please check out http://www.securitybsides.com for further information about what BSides is all about.

 

 

Event Photos

We are again looking for volunteers to take some snaps and let us know where to get at them, and we'll post those URL(s) back on this wiki.  Alternatively the @bsidesau or #bsidesau "twitter machine" should be able to get this done.

 

Venue Info

 

  • The room can seat about 25 and it'll be first come first seated on the day.  

 

Please let us know if you'd like to help out and/or sponsor in some small way.

 

Planners and talk submission reviewers (in no particular order)

 

  • Craig Lawson (@craiglawson)
  • Stephen MacDonald (@ozsmac)
  • Drazen Drazic (@DDrazic)
  • Clinton Smith
  • Neal Wise (@y011)

 
