Ruxcon security gurus hit Sydney

Ruxcon, Australia's only 'grass roots' security conference, will in Sydney this weekend showcase Australia's top minds in the cloak and dagger world of information security.

Ruxcon, Australia's only 'grass roots' security conference, will in Sydney this weekend showcase Australia's top minds in the cloak and dagger world of information security.

Ruxcon-logo.JPG

(Credit: Ruxcon)

After a year hiatus, the organisers of Ruxcon have rustled up Australia's leading IT security researchers in a line-up that organiser Chris Spencer described as world-class, including Mark Dowd, who, in the name of improving Windows security, obliterated Vista security at this year's Black Hat conference.

It's the fifth Ruxcon event in Australia, and it's the closest thing Australia has to Defcon or Black Hat held in the US each year, however with much less fanfare, Spencer said.

"This is a very grass roots event and there's nothing else like it in this country," Spencer told ZDNet.com.au. "It's not like Black Hat. You go to Black Hat these days and it's like a rock show and presenters are like celebrities."

In other words, the conference will suffer from a distinct lack of rock stars and Ferraris, but even without the flair, around 400 security and tech boffins have registered for the event, to be held at the University of Technology Sydney.

Silvio Cesare, who has previously presented at Black Hat and CanSecWest, will discuss his work, some of which has been detailed in his blog, on an emulator called Memcheck, designed to debug or detect software vulnerabilities within the Linux kernel.

"Of particular interest, I'll be releasing some software that operates very much like [debugging tool] Valgrind and detects out of bounds heap access in the Linux kernel," said Cesare. If Memcheck finds a flaw in the Linux kernel it generates a report which a security professional could use to remediate a problem before it's exploited.

Over Cesare's 15-year career, which has landed him work in France and the US, the security expert has witnessed IT security evolve from a special interest group to a concern for the masses.

"In the past 15 years security has gradually built up momentum and now everyone — industry, academia, independent researchers, and the general public — can get involved," he said.

Nishad Herath, an independent security researcher, who says he has spent past Ruxcons downing beer with like-minded security boffins, will detail his research into binary obfuscation.

Using technologies applied in digital rights management (DRM) technology to protect copyright material, malware distributors have taken to obfuscation in an attempt to delay the turnaround time on antivirus signature-writing, said Herath.

It's not like Black Hat. You go to Black Hat these days and it's like a rock show and presenters are like celebrities.

Ruxcon organiser Chris Spencer

"Binary obfuscation is used in DRM. It is also used in highly secure or sensitive systems. For example, in a military application, if you have something deployed in the field that falls into enemy hands; it would be bad enough that they had access to your technology, but even worse if they can learn from it and alter it," he said.

Obfuscation of malware is behind the antivirus industry's foray into behavioural analysis, said Herath, which looks at the actions a piece of code takes rather than its binary structure. It was hailed a saviour by AV companies, but predictably the bad guys have cottoned on.

"Binary obfuscation has done the same thing with increasing complexity over the past years. But you can actually create systems that have obfuscated binary and behavioural features," he said.

Kiwi security researcher, Graeme Neilson has investigated the threat of attacks on the supply chain, specifically relating to Juniper Networks' switches and routers.

"A client was interested in if for example someone exploited one of the boxes or gained the password surreptitiously or if the third-party supplier of these boxes decided to do something bad," explained Neilson. He plans to hack Juniper firewalls, and then rebuild and reload the operating system to create an untraceable "zombied" firewall.

The real challenge he is making is to assumptions — vendors and users assume that nothing could be done to those boxes, the researcher said said.

"Juniper supply the operating system as a firmware blob — a chunk of code that you upload to a device over FTP or web interface," he said. "In a nutshell, my presentation is about taking one of the blobs and extracting the OS in binary form, disassembling it, modifying it, repackaging it, and have it accepted by Juniper as a valid image which is allowed to run."