Events

Troopers 2014 – Second Round of Talks Selected

We’re very happy to announce the second round of Troopers 2014 talks today (first round here).
Some (well, actually most 😉 ) of these talks haven’t been presented before, on any other occasion, so this is exciting fresh material which was/is prepared especially for Troopers.

 

Andreas Wiegenstein & Xu Jia: Risks in Hosted SAP Environments. FIRST TIME MATERIAL

Synopsis: Many SAP customers have outsourced the operation of their SAP systems in order to save cost. In doing so, they entrust their most critical data to a hosting provider, potentially sharing the same SAP server with a number of companies and organizations unknown to them. These companies and organizations virtually sit in the same boat, without knowing each other and without trusting each other. They all trust in the ability of their hosting provider to run their operating environment in a secure way, though.

But how secure is hosted data in an SAP environment?
This talk demonstrates various risks and attack vectors. It covers vulnerabilities and backdoors in the SAP standard (including several zero-days discovered by Virtual Forge) and how they could be used in order to access hosted SAP data. It also covers risks introduced by custom coding provided by any of the hosted parties.
The talk also provides valuable advice for SAP customers that rely on hosting providers, and covers what the providers should do in order to run their installations more safely.

Bio: Andreas Wiegenstein has been working as a professional SAP security consultant since 2003. He performed countless SAP security audits and received credit for more than 60 SAP security patches related to vulnerabilities he discovered in the SAP standard.

As CTO, he leads the Virtual Forge Research Labs, a team focusing on SAP/ABAP specific research and security solutions.

Andreas has trained large companies and defense organizations on ABAP security and has spoken at multiple SAP-specific conferences (like TechEd) as well as at general security conferences such as Troopers, BlackHat, HITB, IT Defense, DeepSec and RSA. He is co-author of the first book on ABAP security (SAP Press 2009) and wrote the security chapter of the ABAP Best Practices Guideline for DSAG, the German SAP User Group (2013). He is also a member of BIZEC.org, the Business Security Community.

 

===

Marion Marschalek & Joseph Moti: What Happens In Windows 7 Stays In Windows 7.

Synopsis: Systems evolve over time, patches are applied, holes are fixed, new features are added. Windows 8 is the new flagship product of Microsoft, and as prepared as it can be for a world of white-, grey- and black-hat hackers. System components are subject to a tough vulnerability assessment process and are updated frequently to sort out security problems even before they arise. But all too often it happens that these clever fixes are not applied globally to all components, but just to the newest version of a library.

Now we want to make use of exactly that fact to uncover potential vulnerabilities.
What we aim for are the forgotten treasures in Windows 7 libraries, holes that got fixed for the bigger brother at some point – but stay unfixed in Windows 7 until today. We will present a tool that makes it easy to spot these forgotten vulnerabilities. We can keep track of different versions of libraries of different operating systems and automate the analysis process of a big file set. The focus lies on safe functions, which indicate a potential weakness when missing. The tool we show is flexible and extensible, so that new features can be integrated, it can be adapted to different database backends, and new views on the data to analyse can be generated.

Bios: 

Marion Marschalek (@pinkflawd) works at IKARUS Security Software GmbH based in Vienna, Austria. Her main fields of interest are malware research and malware incident response. Besides that, Marion teaches basics of malware analysis at University of Applied Sciences St. Pölten and has been speaking at international security conferences, including Defcon Las Vegas, hack.lu Luxembourg and POC Seoul. In March this year Marion won the Female Reverse Engineering Challenge 2013, organized by RE professional Halvar Flake.

Moti Joseph has been involved in computer security for a long time. In the last few years he has been working on reverse engineering exploit code and developing security products. Moti has been speaking at Black Hat Las Vegas 2007, CONF2009 & CONF2010 in Poland Warsaw, POC 2009 & 2010 in South Korea, ShakaCon 2009 in USA, CHINA 2011 at Shanghai Jiao Tong University, NopCON 2012 in Istanbul and SysCan2010 Taiwan, Taipei.

 

===

Rob Lee: Get Over It – Privacy is Good for Security. FIRST TIME MATERIAL

Synopsis: Over the last year government leaks regarding nation-state digital espionage and surveillance have made the topic of privacy a heated discussion point. However, for those that have been championing the privacy cause this is a fight that has been going on for years. One issue with regards to technology and the lack of privacy is that there are a large amount of people in positions of power, and in the general public, who have very little idea about how technology works or its capabilities. What is even more interesting is that despite the myth that you can have either privacy or security it is in fact critical to security that you have privacy; the myth is a lie and whether you like it or not privacy is good for security. The speaker is a member of the US Air Force (and as such might be regarded as somewhat biased), but TROOPERS has extended the opportunity to the speaker to present regardless of his affiliation (he does not represent viewpoints of the US government but only himself) and he will discuss his research, own experience, and opinions on why ensuring privacy is actually in governments’ best interest for boosting national security. This talk is bound to present ideas that audience members agree with as well as those that they disagree with, which will hopefully lead to heated debate; active participation is encouraged.

Bio: Robert M. Lee is the Founder and Director of hackINT, a 501(c)(3) non-profit organization that teaches entry level cyber security classes in the subjects of hacking, forensics, intelligence, and defense. Additionally, he is an active-duty US Air Force Cyberspace Operations Officer working under the Air Force Intelligence, Surveillance, and Reconnaissance Agency where he leads a national level cyber defense team. Robert is also an Adjunct Lecturer at Utica College where he teaches graduate level classes in digital forensics and cyber counter intelligence in the M.S. Cybersecurity program. He received his B.S. from the United States Air Force Academy, his M.S. in Cybersecurity – Digital Forensics from Utica College, and is currently working on his PhD in War Studies at King's College London where he is researching control systems cyber security.

Robert has written on control system cyber security, the direction of the cyberspace domain, and advanced digital threats for publications such as Control Global, SC Magazine, Australia Security Magazine, Hong Kong Security Magazine, Cyber Conflict Studies Association, and Air and Space Power Journal. He has also presented related topics at thirteen conferences in eight countries as well as presenting critical infrastructure protection topics to multiple international think tanks. Lastly, he has taught over 500 students through hackINT and his time at Utica College. Routinely consulted for his expertise on such subjects, Robert M. Lee is an active cyber advocate and educator.

 

=== 

Robin Sommer: Bro – A Flexible Open-Source Platform for Comprehensive Network Security Monitoring.

Synopsis: Bro is a highly flexible open-source monitoring platform that is today protecting some of the largest networks around; including deployments at major universities, supercomputing centers, U.S. national laboratories, and Fortune 20 enterprises. Bro differs fundamentally from traditional intrusion detection systems, as it is not tied to any single detection approach. Instead it provides users with a rich domain-specific scripting language suitable to express complex application-layer analysis tasks on top of a scalable real-time platform. Bro furthermore records extensive high-level logs of a network’s activity, which regularly prove invaluable for forensics and have helped solve countless security incidents. This presentation will introduce Bro’s philosophy and architecture, walk the audience through a range of the system’s capabilities, discuss deployment scenarios, and provide an outlook on Bro’s development roadmap. Learn more about Bro at http://www.bro.org. 

Bio: Robin Sommer is leading the Bro project as a Senior Researcher at the International Computer Science Institute, Berkeley, USA. He is also a member of the cybersecurity team at the Lawrence Berkeley National Laboratory; and he is a co-founder of Broala, a recent startup providing professional Bro services to corporations and government customers. Robin Sommer’s research focuses on network security and privacy, with a particular emphasis on high-performance network monitoring in operational settings. He holds a doctoral degree from TU München, Germany. 

 

===

Christian Sielaff & Daniel Hauenstein: OSMOSIS – Open Source Monitoring Security Issues. FIRST TIME MATERIAL

Synopsis: By trying to emulate a real world environment, we have deliberately chosen software solutions which have been ubiquitous in large IT enterprise networks for many years. Many of the examined solutions have a long list of success stories.

Quite often these monitoring solutions are the only ones in use in small or mid-range businesses, but surprisingly often enterprise environments use them on a large scale. The widespread usage of these monitoring solutions is mainly based on the fact that they are free, not expensive to maintain and … secure?
We question the last point, while showing how seemingly small security issues may result in large security gaps in your network. Finally we present how compromising one perimetric system may result in a severe security risk for the monitoring network, potentially allowing attacks against further internal networks. This “osmosis” attack clearly shows how the multilayered onion approach can be bypassed by peeling the onion.
Finally we will present mitigation proposals to prevent those attacks at least from a design perspective. This talk is for everyone who uses “off the shelf” solutions in sensitive environments, just because everyone else does.

Bios:

Christian Sielaff has worked for many years in the Telco world. Previously he was part of an operational department and has designed and maintained secure access solutions. So he also knows the other side of the console.
As part of the Group Information Security of Deutsche Telekom, he has focused on Information Security in the last few years. In the team of Network and Data Center Security he specializes in management network security aspects.

Daniel Hauenstein: With over 13 years of professional IT security consulting experience, you can safely say he is an old timer in the fast moving field of IT security.
Daniel worked as a security consultant for companies such as Secureware, TUEV Rheinland Secure iT, n.runs and Context Information Security, and for over 6 years now as a freelance consultant. He supported international clients like Microsoft USA, SAP, Deutsche Telekom and Deutsche Bank and also governmental clients with high-security demands in securing their applications and networks.
He is a firm believer that the building blocks of security are a robust design and sound planning as opposed to firewall appliances, antivirus or compliance reports. His passion to prove that even small or presumably insignificant risks may result in “full root access pwnage” made him passionate about how to optimize security solutions. He also does not believe in the mystical power of security certifications.
Daniel loves beer, Scotland, beer in Scotland and travelling. It is said that he knows every internet meme out there.

==================

More talks to follow soon… so stay tuned 😉

See you @Troopers. Happy Holidays to everybody!

Enno

Building

ERNW Newsletter 42: Dangers of Disabled Pre-Boot Authentication in Corporate Environments

It’s been a long time… we just published an ERNW Newsletter. Here’s the abstract:

In order to protect sensitive data on corporate laptops, most companies are using full disk encryption solutions. While native encryption products like Microsoft Bitlocker, Apple FileVault and open source solutions like TrueCrypt were already heavily scrutinized by security researchers, many popular commercial third party products are to some point still black boxes.

In this paper, we discuss Check Point Full Disk Encryption (FDE) with active “Windows Integrated Logon”. Check Point FDE is a software package that is part of Check Point Endpoint Security and offers full disk encryption on Microsoft Windows and Mac OS X systems. The “Windows Integrated Logon” feature reduces total cost of ownership by disabling pre-boot authentication. Check Point themselves warn about the security risk associated with using this feature.

We argue that missing TPM integration and integrity checks make Check Point FDE with activated “Windows Integrated Logon” highly insecure against sophisticated attackers. Furthermore, we demonstrate the extraction of AES encryption keys on a running system and subsequent decryption of the encrypted disk. Our analysis is limited to Check Point FDE v.7.4.9 on Windows operating systems and was performed during a penetration test of an encrypted customer enterprise laptop. Therefore, we concentrate on the client architecture and ignore other aspects like enterprise management interfaces.

===

The document itself can be found here.

Enjoy reading & Happy Holidays to everybody

Enno

 

Events

ACSAC 2013

Matthias and I currently have the pleasure to be at ACSAC, in New Orleans.
From my perspective, at ACSAC the usual conference visit side-effect of personal interaction with peers plays an even larger role than at many other events. In fact we met a number of people we hadn’t seen for quite some time and I could even clear a long unresolved debt (Hi Pastor! and thanks for those International Journal of PoC issues).

Nancy Leveson from MIT delivered a great keynote on “Applying Systems Thinking to Security and Safety“, mainly discussing how an approach she calls “System theoretic process analysis” (STPA) can be used for identifying hazard scenarios in complex systems, and laying out how the same methods can be used both for safety and security. Really inspiring stuff while at the same time highly relevant, in the age of the Internet of Things.

My personal highlight was the afternoon session on “30 Years Later: The Legacy of the Trusted Computer Systems Evaluation Criteria“. Having been exposed to Common Criteria here+there and having done some stuff in the MLS world many years ago I learned a lot from the three views & memories provided (btw: did you note that Perl was initially developed in the course of the BLACKER program? I didn’t).

We ourselves also had a little contribution today, with a short talk on “Designing State-of-the-Art Business Partner Connections” which goes back to a project described in this blog post. The slides can be found here.

Looking forward to tomorrow,
have a good one everybody

Enno
