iSCSI is insecure. SCSI calls have traditionally been used from an IDE hard drive to the motherboard (the grey ribbon inside your computer). iSCSI takes all the benefits of SCSI and the connectivity of IP to provide large volumes of storage dynamically to any machine, any time, over any IP network. While iSCSI brings a tremendous amount of connectivity benefits, it simply has ignored security. Any protocol or product that controls large volumes of critical data should strongly support the core principles of security, including authentication, authorization, and availability. Unfortunately iSCSI does not support these aspects very well nor does it enable many of these principles by default. Furthermore, vendors like Microsoft, Cisco, NetApp, and EMC are pushing iSCSI into the market, but are failing to address the security issues that their customers will face.

The iSCSI Security presentation will contain three specific sections to educate users about the drastic security problems that are being overlooked with iSCSI storage. The presentation will include an Introduction/Protocol Overview, a description and demonstration of iSCSI Attacks, information on the iSCSI Defenses for each attack identified, and a short Conclusion. The presenter will described the security weaknesses, issues, and exploits concerning authentication and authorization and will follow-up each discussion with a demonstration of the actual attack. iSCSI attacks will show how 300 gigabytes of data can be compromised over the IP network without a single username of password. The attack demonstration will show how application and operating system security is important, but should not overshadow storage devices. The demonstration will also show that a compromise of a storage device can be equal to compromising 10 to 20 applications and/or operating systems combined, both of which are accessible over the IP network.

"The telecommunications landscape is undergoing multiple revolutions, from analog to digital, from simple mobility to complex roaming, from TDM to VoIP, from centralized to distributed, from proprietary systems to open standards and more importantly, from a closed environment to an increasingly interconnected world. Those changes are creating new security challenges, and the battle between privacy advocates and law enforcement is far from being over. As legal interception techniques become more ubiquitous, solutions to counter them such as cryptography and distributed non-standard protocols, are increasing in popularity. Similarly, hacking techniques and countermeasures for the new communications protocols such as VoIP, 3G/4G, IMS, WiMAX and others, are gaining in complexity and are becoming a growing concerns for authorities, operators and subscribers alike."

This talk aims to dispel the myths surrounding Mac OSX regarding it's ability to stand up to viruses and malicious code. The talk would begin with an introduction to ppc architecture, showing a few basic assembly instructions, then go into an overview of the mach-o format. Following this i would run through a few methods of infecting mach-o files which i have worked on recently, showing C based proof of concepts for these.

I would also look at hooking functions and stealing arguments and some mach-o specific anti debug method. Finally i would finish up with a conclusion about the likelihood of infection on OSX showing possible attack vectors etc.