11 New Speakers, Draft Conference Agenda and the Return of the Google Conference Grant for Women

The last batch of speakers for #HITB2013AMS has been announced. This means the speaker list is now finally complete. Which also means the draft conference agenda is now released with all three concurrent tracks – so you can start marking down your must-attend-talks now! Joining the line up are 11 new speakers making for a grand total of 41 international researchers set to invade Amsterdam next month.

These last set of papers fill the final 8 presentation slots in our 2-day triple track line up and includes a 120-minute lab session and a very special if somewhat scary paper that didn’t quite fit anywhere else…

OAuth 2.0 and the Road to XSS

Andrey Labunets and Egor Homakov of Tyumen State University performed a security study of one of the world’s largest implementations – Facebook’s OAuth 2.0 and in this presentation share a technical description of multiple high-impact security issues they uncovered.

iNalyzer: An End to Blackbox iOS Analysis

Performing security analysis of iOS applications is a tedious task – there is no source code and there is no true emulation available. Chilik Tamir of AppSec Labs developed a new approach to performing security assessments of iOS applications utilizing iNalyzer – a free open-source framework for security assessment of iOS Applications.

To Watch or Be Watched: Turning Your Surveillance Camera Against You

Low cost IP surveillance cameras are becoming increasingly popular among households and small businesses. As of January 2013 Shodan shows close to 100000 cameras active all over the world. Sergey Shekyan and Arten Hartuyunyan from Qualys are about to release a toolkit for extracting, altering and re-packaging original components of IP surveillance cameras including a framework for automating it all.

Abusing Twitter’s API and OAuth Implementation

Twitter’s new web API requires every request to be signed with OAuth. OAuth is a mechanism supposed to prevent abuse and allow Twitter to ban third-party clients that do not adhere to their new, much stricter terms of service. After studying how Twitter uses OAuth however, Nicolas Seriot has found that a rogue client can impersonate a ‘blessed’ client by using its OAuth consumer tokens and access the API unnoticed.

Abusing Browser User Interfaces for Fun and Profit

As social engineering became the dominant method of malware distribution, browsers makers started to design more robust and recognizable UIs in order to help users make more conscious choices while surfing. Rosario Valotta has found a way to abuse notification bars in major browsers (Chrome 24, IE9, IE10) with a little (or no) social engineering involved which leads to a compromise of a users security and even code execution on the victim’s machine.

Dreamboot: A UEFI Bootkit

Sebastien Kaczmarek of QuarksLAB presents an inner look at the architecture of UEFI from a security point of view with a focus on a bootkit implementation for Windows 8 x64. The Windows boot process and its evolution from BIOS to UEFI implementation will be covered and all bootkit implementation details explained. In addition he also describes how to develop for UEFI platforms using Tianocore SDK and the new security risks its deployment implies.

Who Can Hack a Plug? The Infosec Risks of Charging Electric Cars

What could be insecure about charging an electric car? Just plug in to a power outlet and off you go… Nothing can be further from the truth. Ofer Shezaf aims to show the potential risks created to the grid, to the car and most importantly to its owner’s privacy and safety. He will discuss charge station architecture and functionality to identify potential weak spots and explore real world vulnerabilities in these systems.

HITB Lab: Secure Coding – Web and Mobile

In this 120 minute lab-workshop-bootcamp, Jim Manico of WhiteHat Security demonstrates and interactively works with participants on the most important security-centric computer-programming techniques necessary to build low-risk web-based applications. He’ll also show off attack techniques that bypass even some of the most modern web applications and defensive coding techniques.

Terminal Cornucopia

In a talk that’s two parts humor and one part pure scariness, Evan Booth will wrap up proceedings in Track 3 (HITB Labs) on Day 2 exploring a seldom-discussed facet of airport security: what happens after the back-scatter/millimeter wave scan or the friendly pat-down? Booth aims to show how a marginally resourceful and MacGyver-esque individual can breeze through terminal gift shops, restaurants, magazine stands and duty-free shops to find everything they need to wage war on an airplane. Better get your duty-free shopping done while the shops are still open!

____________

In other good news, Google has confirmed that they are once again offering the EMEA Conference and Travel Grant for Women Computer Scientists to attend HITBSecConf – Amsterdam. The grant includes a ticket to the conference on the 10th and 11th of April (valued at EUR1299) plus up to EUR1000 to help with travel expenses! Women hackers should get their submissions in no later than the 13th of March 2013. The application form is here.

____________