
EUSecWest 2012

The seventh annual EUSecWest conference will be held on September 19/20 2012 at the NH Hotel Antwoordnummer 7247 1000 RA in central Amsterdam, Netherlands.

World Security Professional Summit in European Union

AMSTERDAM, Netherlands -- The world's security professionals will converge on Amsterdam on September 19th and 20th, 2012, to discuss new technology and share best practices. The most significant new discoveries, technologies, and products will be presented at the sixth annual EUSecWest conference, brought to you by the organizers of PacSec and CanSecWest.

The latest in cutting-edge information security threats, defenses, applications, and theory will be showcased in a series of one-hour presentations by the brightest minds in the security field from all nations.

Catered breaks and lunches are provided to make a comfortable social environment to network with your peers. Wired and wireless networking will be provided for attendees to stay in touch with their offices, and remain productive, so bring your laptop.

Conference reception (registrants only) will begin at 20:00.


Mobile PWN2OWN


Mapping and Evolution of Android Permissions - Andrew Reiter & Zach Lanier, Veracode
APK Infection on Android - David Sancho Cañete, Trend Micro
NFC For Free Rides and Rooms (on your phone) - Corey Benninger & Max Sobelli, Intrepidus Group
Using HTTP headers pollution for mobile networks attacks - Bogdan Alecu
iOS Application Auditing - Julien Bachmann
SinFP3: More Than A Complete Framework for Operating System Fingerprinting - Patrice Auffret
BeEF, Browser Exploitation Framework - Michele Orru, BeEF Project
HTML5 Heap Sprays, Pwn All The Things - Anibal Sacco & Federico Muttis, Core
Phone Bootloader Security - Thomas Roth
UmTRX, open-source, budget-friendly hardware for OpenBTS, and OpenBSC - Alexander Chemeris, Fairwaves
Fuzzing SMS - TBA, Codenomicon
Owning Windows 8 With Human Interface Devices - Nikhil Mittal
Videoconf Lightning Talks with Ekoparty

2012-08-11-20:00:00 Mobile PWN2OWN Rules

Zero Day Initiative (ZDI), along with our sponsors RIM and AT&T, will offer four prizes, one each to the first researcher to successfully compromise a device through one of the following vectors:

Each contestant will be allowed to select the device they wish to compromise during the pre-registration process. The only requirement is that it be a current device and running the latest operating system. The exact OS version, firmware and model numbers will be coordinated with the pre-registered researcher. Some examples of devices include:

For researchers registering on-site, we will have the above devices available if the target/vector has not already been compromised. Exact details of the OS version, firmware and model numbers will be available in a future update. We will review the devices prior to the competition and ensure they are in a clean state.

A successful attack against these devices must require little or no user interaction and must compromise or exfiltrate useful data from the phone. Any attack that can incur cost upon the owner of the device (such as silently calling long-distance numbers, eavesdropping on conversations, and so forth) is within scope. To avoid interfering with licensed carrier networks, all RF attacks must be completed within the provided RF isolation enclosure. The vulnerabilities utilized in the attack must be 0-days. ZDI reserves the right to determine what constitutes a successful attack. As always, vulnerabilities revealed by contest winners will be disclosed to affected vendors through HP’s Zero Day Initiative.


A successful compromise of any of these targets will win the contestant the cash prize, the device itself, and 20,000 ZDI reward points* which immediately qualifies them for Silver standing.

*Benefits of ZDI Silver standing include a one-time $5,000 USD cash payment, 15% monetary bonus on all ZDI submissions over the next calendar year, 25% reward point bonus on all ZDI submissions over the next calendar year and paid travel and registration to attend the 2013 DEFCON Conference in Las Vegas.

Along with the prize money, each winner will receive a BlackBerry PlayBook courtesy of RIM. Prize money for the first researcher to compromise a device for each of the vectors is listed below.


For this competition contestants are asked to pre-register by contacting ZDI via e-mail at This will allow us to ensure we have the necessary resources in place to facilitate the attack. If more than one researcher registers for a given category, the order of the contestants will be drawn at random. The schedule will be announced a week before the contest.

On-site registration will still be available if the targets have not been compromised and if the required hardware and software prerequisites are available.

Each contestant will have a 30-minute time slot in which to complete their attempt (not including time to set up possible network or device prerequisites).