Claudio Merloni



About speaker:
Claudio Merloni, M.S. in Computer Engineering, graduated from the school of engineering of the Politecnico di Milano. Since 2004 he has been working as a security consultant for Secure Network, a firm specializing in information security consulting and training, based in Milan. His daily work is focused mainly on security policies and management, security assessment and computer forensics.

Talk 1:
The BlueBag: A Mobile, Covert Bluetooth Attack and Infection Device

Abstract 1:
How could an attacker steal the phone numbers stored on your mobile, eavesdrop on your conversations, see what you’re typing on the keyboard, take pictures of the room you’re in, and monitor everything you’re doing, without ever getting in range of your Bluetooth mobile phone?

In this talk we present a set of projects that can be combined to exploit weaknesses of Bluetooth devices (and users…), building a distributed network of agents spreading via Bluetooth which can seek given targets and exploit the devices to log keystrokes, steal data, record audio, take pictures and then send the collected data back to the attacker, either through the agent network or directly. We show the different elements that compose the whole project, giving an estimate, through real data and mathematical models, of the effectiveness of that kind of attack. We also show what our hidden, effective and cool worm-spreading trolley looks like: say hello to the BlueBag!

Talk 2:
String Analysis for the Detection of Web Application Flaws

Abstract 2:
Today, web applications are the most powerful way to provide services and information to customers and suppliers. Finding security flaws in web applications is becoming very difficult due to the growing complexity of these systems, and no silver bullet exists for their automatic detection.

Although we think that there is no general solution, for some particular use cases it is possible to adopt useful techniques: static analysis of source code is one of these approaches.

Combining well-known theoretical methodologies with string analysis, we propose a new way to automatically detect vulnerabilities. All information to and from web applications can be modelled as the exchange of textual objects, in which string variables and functions are the simplest entities. We track each potentially unsafe method or function, trying to generate a static approximation of its runtime invocation; by comparing this approximation with a knowledge base of safe parameters, our technique is able to identify input validation flaws.

We developed a plugin for the Eclipse IDE which implements our methodology and is able to analyze J2EE applications and find vulnerabilities in them. In this talk we present an overview of input validation flaws, we show the theoretical aspects and our tool, and we evaluate the effectiveness of that solution during the development of safe web applications.
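As an added illustration of the approach in the abstract (example code written for this page, not the authors' Eclipse plugin), a toy string analysis in Python: each sink argument is approximated statically as a sequence of literal and untrusted parts, and the approximation is compared against an assumed knowledge base of safe parameters. The three-address IR, the sink rules and the servlet-like sample program are all constructed for this example.

```python
# Added example: a toy version of the string analysis the abstract describes.
from dataclasses import dataclass, field

@dataclass
class AbsStr:
    """Static approximation: literal parts, ("in", name) untrusted input, ("san", name) sanitized."""
    parts: list = field(default_factory=list)
    def render(self):
        return "".join(p if isinstance(p, str) else f"<{p[0]}:{p[1]}>" for p in self.parts)
    def tainted(self):
        return any(not isinstance(p, str) and p[0] == "in" for p in self.parts)

# Knowledge base of safe parameters per sink (constructed rules, not the authors').
SAFE_KB = {
    "executeQuery": lambda a: not a.tainted(),  # dynamic SQL must be input-free
    "setInt":       lambda a: True,             # bound parameter: any value is safe
    "println":      lambda a: not a.tainted(),  # raw HTML output: reflected XSS
}

def analyze(program):
    """program: list of (dst, op, args) tuples; returns [(sink, approximation)]."""
    env, findings = {}, []
    for dst, op, args in program:
        if op == "const":
            env[dst] = AbsStr([args[0]])
        elif op == "getParameter":   # untrusted source
            env[dst] = AbsStr([("in", args[0])])
        elif op == "concat":         # a + b keeps both operands' parts in order
            env[dst] = AbsStr(env[args[0]].parts + env[args[1]].parts)
        elif op == "sanitize":       # escaping / whitelist validation
            env[dst] = AbsStr([p if isinstance(p, str) else ("san", p[1])
                               for p in env[args[0]].parts])
        elif op == "call":           # args = (sink_name, variable)
            sink, var = args
            if sink in SAFE_KB and not SAFE_KB[sink](env[var]):
                findings.append((sink, env[var].render()))
    return findings

# Constructed sample: SQL built by concatenation (flaw), the same query after
# sanitizing (safe), a bound parameter (safe), the raw parameter echoed (flaw).
SAMPLE = [
    ("q0", "const", ("SELECT * FROM users WHERE id = ",)),
    ("uid", "getParameter", ("id",)),
    ("q1", "concat", ("q0", "uid")),
    ("_", "call", ("executeQuery", "q1")),
    ("ok", "sanitize", ("uid",)),
    ("q2", "concat", ("q0", "ok")),
    ("_", "call", ("executeQuery", "q2")),
    ("_", "call", ("setInt", "uid")),
    ("_", "call", ("println", "uid")),
]
def run_sample():
    return analyze(SAMPLE)
```

The rendered approximation (for instance `SELECT * FROM users WHERE id = <in:id>`) is what a reviewer would compare with the knowledge base; a real analysis must also handle loops, method calls across classes and the many Java string APIs, which this toy IR omits.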