Conference Presentations and Slides

Some of my security presentations are available for download.

Pager inSecurity v1.1

Date 2014
Event Ruxmon, Melbourne, Australia
Abstract
• What’s a pager?
• Who is using pagers?
• There is no pager security
• What pager messages look like
• Who is intercepting pager messages?
• Pager protocols (POCSAG & FLEX)
• Receiving pager frequencies (Modifying pagers, Radio Scanning, Software Defined Radio)
• Software to decode pager messages
• Pager frequencies in Australia (how to find them)
• Legal issues
• Online pager databases
• Security issues
• How to decode pager messages

Conference Link http://ruxmon.com/assets/Uploads/Pager-inSecurity-Andrew-Horton-v1.1.pdf

Abode Vulnerabilities & Decrypting the Cloud

Date November 2011
Event Kiwicon V, Wellington, New Zealand
Abstract See a couple of urbanadventurer’s recent projects. 1) Abode Vulnerabilities. Learn how to bring hardware hacking closer to home by hacking New Zealand’s most popular garage doors. This project is powered by the Arduino, the opensource hardware platform that makes electronics more accessible. 2) Decrypting the Cloud. This is a cautionary tale about failed opsec, weak crypto and misplaced trust in the cloud. Take a guided tour through a treasure trove of cracked ciphertext booty including CCs, SQLis, 0days, password dumps, and more.
No info or downloads are available at present.

Conference Link https://kiwicon.org/the-con/talks/#e34

Clickjacking for Shells

Date September 2011
Event OWASP Wellington, New Zealand Chapter Meeting on September 20th, 2011
Abstract Two years after the world was warned about clickjacking, popular web apps are still vulnerable and no web app exploits have been published. With many security pros considering clickjacking to have mere nuisance value on social networks, the attack is grossly underestimated. I will demonstrate step by step how to identify vulnerable applications, how to write exploits that attack web apps and also how to protect against clickjacking. To demonstrate this issue I will publish an 0day clickjacking exploit for WordPress v3.1.2 and earlier to gain a shell on the webserver. In May this year the tech media reported and speculated upon clickjacking protection being implemented in WordPress and now I will show you why it is so important.

Research Homepage Check out the Clickjacking for Shells page for exploit code, video presentation, slides, etc.
OWASP Event Link https://www.owasp.org/index.php/New_Zealand#2011

How Does Your Gut Stack Up?

Date November 2010
Event Kiwicon IV, Wellington, New Zealand
Abstract Inspired by the work of Dan Farmer in his seminal survey of the exploitable internet population “Shall We Dust Moscow” (1997), we use two recently developed tools (WhatWeb by Andrew and BlindElephant by Patrick) to update the global vulnerability census for 2010, discovering unpatched and vulnerable devices and applications across a sample of 2 million hosts. We use the results to pose and discuss various (real and imagined) correlations of security posture to other factors, and surprise ourselves (and hopefully you) in the process.

Who is more up to date; the US or Nigeria? What about porn sites vs governments sites? *Nix based or Windows based? Now: *Why* do you think that, and if the actual answer surprises you, what does that help us learn about our thought process as analysts and security professionals? We bring data (and some pretty graphs and maps) to let you test your instincts against reality and learn to ask deeper questions.

This work was done with collaboration from Patrick Thomas, a security research engineer with Qualys.
No info or downloads are available at present.

Conference Link http://2010.kiwicon.org/the-con/talks/#e32

Next Generation Web Scanning – New Zealand

Date December 2009
Event Kiwicon III, Wellington, New Zealand
Abstract Includes a methodology to scan the webspace of an entire nation using some new tools and techniques. WhatWeb, bing-ip2hosts, gggooglescan and basedomainname are open source security tools developed by MorningStar Security that were published during the first presentation of this at the KIWICON III conference in December, 2009.

Conference Link http://2009.kiwicon.org/presentations/#urbanadventurer
Tools Links WhatWeb, Bing-ip2hosts, GGGGooglescan
Presentation

Download Next Generation Web Scanning Conference Presentation.pdf