2 Comments | Posted by Enno Rey
This is the second part of the – presumably – three-part series on IPv6 address planning which I started here.
Before an enterprise organization (strictly speaking “their internal service provider acting as LIR”, as laid out in the first part) starts assigning prefix[es]/lengths to their networks usually another discussion has to be undertaken & solved: “go with one /32 [PI space] from one RIR or apply for /32s from several RIRs”.
The background of this reflection is mainly them being concerned along the lines: how do we know if $PROVIDER in some part of the world is actually going to route our PI space, in particular if that’s allocated from ‘a foreign RIR’?
Today we have to pleasure to announce another round of Troopers talks.
Here we go:
Noam Liram: Vulnerability Classification in the SaaS Era FIRST TIME MATERIAL
Abstract: In this talk we will thoroughly analyze two major SaaS vulnerabilities that were found by Adallom (one of which is still in responsible disclosure stages at the time of writing). By demonstrating this new class of exploits which we have nick-named “Ice Dagger” attacks, we aim to change the current industry-wide criteria for vulnerability classifications, which were developed in the Desktop/Server world, are inadequate when classifying SaaS vulnerabilities. We will specifically discuss the details of MS13-104.
Bio: Noam Liran is the Chief Software Architect of Adallom, a SaaS application security provider. Noam is an alumnus of Israel Defense Force’s Unit 8200 and was a team leader in its cyber division.
Vladimir Katalov: Modern Smartphone Forensics – Apple iOS: from logical and physical acquisition to iCloud backups, document storage and keychain; Encrypted BlackBerry Backups (BB 10 and Olympia Service)
Apple iCloud Backups: there are various methods to perform data acquisition from iOS devices: logical, advanced logical (using hidden services running in iOS) and physical. iCloud analysis is the further step. The iCloud may contain complete device backups (for all devices connected to Apple ID), geolocation data (Find My Phone data), documents, and additional data saved by 3rd party applications. We show how (and where) this data is actually stored, how to request and decrypt it, and how to analyse it. Some information on iCloud keychain is also provided — and yes, sometime there is a way to get all your passwords (including ones from the other devices) and credit card data. And yes, most data is available to Apple itself, as well as to Amazon and Microsoft, so probably to three-letter agencies as well.
BlackBerry: For BB 10 devices, backups created with BlackBerry Link are always encrypted, but the encryption is not user-configurable, and there is no way to view the backup contents or even restore from thgs backup to the other device. We have found that encryption keys is being generated by BlackBerry ‘Olympia Service’, based on BlackBerry ID, password, and device PIN. ID and PIN is something we can get from the backup itself, and if we know the password as well, we can generate the series of requests to Olympia service to obtain the key and decrypt the backup. Backlup contains all applications (purchased from AppWorld), their data (such as WhatsApp conversations), device settings, call logs, passwords etc — most in the plain form or SQLite databases.
Bio: Vladimir Katalov is CEO, co-founder and co-owner of ElcomSoft Co.Ltd. Born in 1969 in Moscow, Russia; studied Applied Mathematics at National Research Nuclear University. Vladimir works at ElcomSoft up until now from the very beginning (1990). Now he is driving all the R&D processes inside the company.
Sergey Bratus, Javier Vazquez & Ryan Speers: Making (and Breaking) an 802.15.4 WIDS
Abstract: Real-world security-critical systems including energy metering and physical security monitoring are starting to rely on 802.15.4/ZigBee digital radio networks. These networks can be attacked at the physical layer (reflexive jamming or via Packet-in-packet attacks), the MAC layer (dissociation storms), or at the application layers. Proprietary WIDS for 802.15.4 exist, but don’t provide much transparency into how their 802.15.4 stacks work and how they may be tested for evasion.
As the classic Ptacek & Newsham 1998 paper explained, tricks used to evade a NIDS tell us more about how a protocol stack is implemented than any specifications or even the RFCs. For WIDS, evasion can go even deeper: while classic evasion tricks are based on IP and TCP packet-crafting, evading 802.15.4 can be done starting at the PHY layer! We will explain the PHY tricks that will make one chip radio see the packets while the other would entirely miss them regardless of range; such tricks serve for both WIDS testing and fingerprinting.
We will release an open, extensible WIDS construction and testing kit for 802.15.4, based on our open-source ApiMote hardware. ApiMote uses the CC2420 digital radio chip to give you access to 802.15.4 packets at the nybble level. It can be easily adopted for detecting attacks at any protocol level. It also lets you test your ZigBee WIDS and devices from the frame level up. We will give out some of the ApiMotes.
Sergey Bratus is a Research Assistant Professor of Computer Science at Dartmouth College. He sees state-of-the-art hacking as a distinct research and engineering discipline that, although not yet recognized as such, harbors deep insights into the nature of computing. He has a Ph.D. in Mathematics from Northeastern University and worked at BBN Technologies on natural language processing research before coming to Dartmouth.
Javier Vazquez is a researcher at River Loop Security specializing in wireless systems, PCB design, and hardware reverse engineering. Javier graduated from the University of Central Florida with a degree in Electrical Engineering and a focus on RF Engineering. Other interests include networking and software development.
Ryan Speers is a co-founder and security researcher at River Loop Security and has extensive experience in IEEE 802.15.4/ZigBee analysis and software and hardware security analysis. He maintains the KillerBee 802.15.4 assessment framework has previously spoken at ShmooCon and ToorCon Seattle, and has published at USENIX WOOT, IEEE/HICSS, and the Workshop on Embedded Systems Security. He enjoys breaking things, although not when volunteering as an EMT or when rock-climbing. He graduated from Dartmouth College with a degree in Computer Science.
Martijn Jansen: How to Work towards Pharma Compliance for Cloud Computing – What Do FDA and Similar Regulations Mean for Your (Cloud) IT Delivery Organisation? FIRST TIME MATERIAL
Abstract: Today, for life-sciences or consumer goods manufacturers/food/drug companies’ regulatory compliance is quite a heavy burden to their day-day operation. This applies in particular when business operations or sales are (also) in the US so that a company becomes a regulated entity under the very stringent FDA regime.
The presentation is about the translation of Pharmaceutical regulations (what regulations?) that could be applied to any cloud-related IT service into a quality management strategy and hands-on IT controls that could work for each one of us.
Think of how to bring compliance into the lifecycle of requirements, design, install and configuration plans etc. Furthermore we’ll discuss different types of controls in service creation or delivery, be them administrative, technical, procedural controls. Discussed are usable quality assurance controls for People, Process and Technology, projected onto services (components). These controls might be there already to re-use (but not auditable) or might need to be created.
As one of the first in the industry Martijn will show you, starting at the governance level (to leave no-one behind), examples from the trenches to categorize and map controls on how to utilise Telco and ISO experience best practices. Thus bringing Pharma compliance applicable to IT Cloud Computing down from the academic level to usable hands-on best practices! While compliance is highly theoretical Martijn and thus the material is heavily focussed on real-world usability.
Bio: Martijn has always been intrigued by electronics, transmission and any sort of security since he was a small kid. He built his first FM radio transmitter (after dis-assembling a few) very young, and always kept in touch with electronics and IT.
He is technically educated as construction engineer and -designer. After continued education he served as a diver team commander. Returning back to civilisation he worked in his initial field of expertise (CAD construction design), then turning to IT. Martijn has experience as IT trainer, engineer, architect and consultant in sales, design, implementation and operation of operating systems, networks and security. He auto-didactically studied for about 6 years in the evenings to acquire all the certificates and technologies that were relevant at the time. Till a short while ago, he owned his own 19 inch rack at home with routers, switches and virtualisation computing running.
As a principal consultant and architect Martijn took care of mostly bespoke and complex IT transformations for global pharma and manufacturing customers. He currently works as Security Controls Assurance manager for the Compliance department of a global telco. In this role he looks after compliance and security for the cloud computing proposition.
Matthias Luft & Felix Wilhelm: Compromise-as-a-Service: Our PleAZURE FIRST TIME MATERIAL
Abstract: This could be a comprehensive introduction about the ubiquity of virtualization, the essential role of the hypervisor, and how the security posture of the overall environment depends on it. However, we decided otherwise, as this is what everybody is interested in: We will describe the Hyper-V architecture in detail, provide a taxonomy of hypervisor exploits, and demonstrate how we found MS13-092 which had the potential to compromise the whole Azure environment. Live demo included!
Matthias Luft is a senior security analyst at ERNW. He has extensive experience in penetration testing and security assessments of complex technical environments. He’s one of the first researchers who revealed major design flaws and vulnerabilities in the approach of Data Leakage Prevention. During the last years, he focused on the area of cloud security and presented both approaches for scalability and trust assessment of cloud service providers. He gives cloud security workshops on a regular base. Furthermore he was the project lead in a research study on a major cloud solution platform which ERNW performed resulting in the discovery of MS13-092. Matthias holds a Master’s degree in computer science from the University of Mannheim.
Felix Wilhelm is a senior security researcher at ERNW. He has extensive experience in performing penetration tests and security assessments of complex technical environments and he is specialized in kernel and virtualization security. Felix has discovered and published multiple critical security vulnerabilities in widely used software and participated in the first Microsoft Bluehat Prize contest to find defense techniques against modern software exploit techniques. Felix gives courses on topics like exploit analysis, reverse engineering and application security. He wrote the Linux kernel code exploiting the MS13-092 vulnerability. Felix holds a Bachelor degree in computer science from the RWTH Aachen University.
Juan Perez-Etchegoyen & Will Vandevanter: SAP BusinessObjects Attacks – Espionage and Poisoning of Business Intelligence Platforms
Abstract: Business executives make their strategic decisions and report on their performance based on the information provided by their Business Intelligence platforms. Therefore, how valuable could that information be for the company’s largest competitor? Even further, what if the consolidated, decision-making data has been compromised? What if an attacker has poisoned the system and changed the key indicators?
SAP BusinessObjects is used by thousands of companies world-wide and serves as the gold standard platform for Business Intelligence. In this presentation we will discuss our recent research on SAP BusinessObjects security.
Specifically, through several live demos, we will present techniques attackers may use to target and compromise an SAP BusinessObjects deployment and what you need to do in order to mitigate those risks.
Juan Perez-Etchegoyen is the CTO at Onapsis, leading the Research & Development teams that keep the company on the cutting-edge of the ERP security industry. As a renowned thought-leader in the SAP cyber security field, Juan is responsible for the architecture of the innovative software solutions Onapsis X1 and Onapsis IPS.
Being the founder of the Onapsis Research Labs, Juan is actively involved in the coordination and research of critical security vulnerabilities in ERP systems and business-critical applications, such as SAP and Oracle. He has discovered and helped SAP AG fix several critical vulnerabilities. Juan also held the first presentation on advanced threats affecting Oracle’s JD Edwards applications.
As a result of his innovative research work, Juan has been invited to lecture at several of the most renowned security conferences in the world, such as Black Hat, SANS, OWASP AppSec, HackInTheBox, NoSuchCon and Ekoparty. He also holds private trainings for SAP AG and Global Fortune-100 organizations and is frequently quoted and interviewed by leading publications, such as IDG, DarkReading and PC World.
Will Vandevanter is a Senior Security Researcher at Onapsis where he focuses on SAP and ERP security. He has discovered and helped SAP AG patch numerous critical vulnerabilities in SAP software and is a regular contributor to the Onapsis SAP Security In-Depth publication. Prior to Onapsis, Will was the Lead Penetration Tester at Rapid7. He has previously spoken at Defcon, OWASP AppSec, SOURCE Barcelona, and a number of other conferences. Will holds a Bachelors Degree in Mathematics and Computer Science from McGill University and Masters Degree in Computer Science with a focus in Secure Software Engineering from James Madison University.
Furthermore there’s some new workshops; just have a look at the agenda
Everybody have a great weekend,
1 Comment | Posted by Matthias Luft
In the course of our virtualization research, we came across a certain technical issue we couldn’t find an easy solution on knowledge bases and the like. However, as we found the question several times on the web, the following post gives just a short hint on a technical detail.
If you want to connect two virtual machines in VMware Fusion using a serial port (e.g. for debugging purposes), Fusion doesn’t provide you an GUI option to configure that. However, if you just add the following config to the debugger system’s VMX file:
serial0.present = “TRUE”
serial0.fileType = “pipe”
serial0.fileName = “/path/to/pipe”
serial0.yieldOnMsrRead = “True”
serial0.pipe.endPoint = “client”
and the following lines to the debuggee system’s VMX file:
serial0.present = “TRUE”
serial0.fileType = “pipe”
serial0.fileName = “/path/to/pipe”
serial0.yieldOnMsrRead = “True”
HTH & have a good one,
During a recent research project we performed an in-depth security assessment of Microsoft’s virtualization technologies, including Hyper-V and Azure. While we already had experience in discovering security vulnerabilities in other virtual environments (e.g. here and here), this was our first research project on the Microsoft virtualization stack and we took care to use a structured evaluation strategy to cover all potential attack vectors.
Part of our research concentrated on the Hyper-V hypervisor itself and we discovered a critical vulnerability which can be exploited by an unprivileged virtual machine to crash the hypervisor and potentially compromise other virtual machines on the same physical host. This bug was recently patched, see MS13-092 and our corresponding post.
continuing our tradition from last year (see here and here), we summarized more of our hardening recommendations for you. This guide is covering Tomcat 7 and is supposed to provide a solid base of hardening measures. It includes configuration examples and all necessary commands for each control, specifically for the most recent branch of Tomcat as there were some significant changes. Download: ERNW_Checklist_Tomcat7_Hardening.pdf
Have a good one,
5 Comments | Posted by Enno Rey
In an upcoming series of blog posts I will discuss some principles & considerations on developing an IPv6 address plan. In (hopefully) rather quick succession there will be three posts:
- the first on some general rules as for IPv6 address planning which we regard instrumental in the process.
- the second covering the “PI space from a single RIR or PI space from each (relevant, as for $ORG) RIR?” debate.
- the third on actual approaches to structuring/grouping each region’s /32 (or /36) into subdivisions like sites, VRFs, facilities, use types, buildings, whatever. I understand that this part is probably the one quite some readers are most interested in; still for a reasonable line of thought the others have to be covered in advance.
We wish you a happy new year and a good start to 2014. A new year has begun and, just before that, 30C3 took place. I think almost all of you have heard about the congress and its topics. In particukar there was Glenn Greenwald’s keynote or there were new publications/revelations by Jacob Appelbaum, which you will probably have heard about from main media.
But besides of all that, there were really a lot of other interesting talks we want to give you a short introduction to. Overall it was a really good conference this year and a lot of awesome talks. But, like always, it is not possible to see all of them, so here is a short summary of some of our favorites:
First of all, I hope you all had a good start to 2014. Having some time off “between the years” (which is a German saying for the time between Christmas and NYE), I caught up on several virtualization security topics.
While virtualization is widely accepted as a sufficiently secure technology in many areas of IT operations (also for sensitive applications or exposed systems, like DMZs) by 2014, there are several recent vulnerabilities and incidents that are worth mentioning.
First of all, a rather old vulnerability (codename “VMDK Has Left the Building“) was eventually patched by VMware, the day before Christmas’ eve (honi soit qui mal y pense… ). While the initially described file inclusion vulnerability cannot be exploited anymore, first tests in our lab show that attempts to exploit the vulnerability lead to a complete freeze of the shared ESXi host. We still need to dig deeper into the patch and will keep you posted.
On November’s patch Tuesday, an important vulnerability in Hyper-V was patched by Microsoft. The bulletin does not provide a lot of details as for the vulnerability, but the relevant sentence is this one: “An attacker who successfully exploited this vulnerability could execute arbitrary code as System in another virtual machine (VM) on the shared Hyper-V host.”. This does not allow code execution in the hypervisor. However, Hyper-V’s architecture comprises the so-called root partition, which is a privileged virtual machine used for all kinds of management functionality. This means that code execution in this particular virtual machine most probably will still give an attacker complete control over the hypervisor. Even without this root partition, the vulnerability would be one of the worst-case vulnerabilities in the age of Cloud computing, provided that MS Azure employs Hyper-V (which can be considered a fair assumption. Still we have no distinct knowledge here). Again, we’ll have a closer look at this one in the near future.
At the end of December, OpenSSL suffered from a virtualization-related incident. The shared hypervisor was compromised using a weak password of the hosting provider. While password-related attacks are not specific to virtualized environments, it emphasizes the need for secure management practices for virtualization components. This sounds like a very basic recommendation, but many security assessments we conducted in this space resulted in the need to include “attacks against management interfaces” in the top ERNW virtualization risks, which we cover in our virtualization and cloud security workshops. Also we mentioned this in some presentations and research results.
As the described events show, virtualization security will remain an important topic in 2014 (even though marketing material suggest to simply adopt virtualization – I won’t give any links here, you’ve probably already seen plenty ). We will cover several aspects during this year’s Troopers edition. While our workshop on “Exploiting Hypervisors” is already online (for the detailed description, see here), one talk is missing: Due to some rather strict NDAs, we can’t provide any details so far (but if you’ve read the MS13-092 credits carefully, it shouldn’t be too hard to guess ).
I hope you’re looking forward to 2014 as much as I do, stay tuned,
At first a very happy new year to all our readers!
Here we go:
Daniel Mende: Implementing an USB Host Driver Fuzzer FIRST TIME MATERIAL
Abstract: The Universal Serial Bus (USB) can be found everywhere these days, may it be to connect a mouse or keyboard to the computer, transfer data on a flash drive connected via USB or to attach some additional hardware like a Digital Video Broadcast receiver. Some of these devices use a standardized device class which are served by an operating system default driver while other, special purpose devices, do not fit into any of those classes, so vendors ship their own drivers. As every vendor specific USB driver installed on a system adds additional attack surface, there needs to be some method to evaluate the stability and the security of those vendor proprietary drivers. The simplest way to perform a stability analysis of closed source products is the fuzzing approach. As there have been no publicly available tools for performing USB host driver fuzzing, I decided to develop one ;-), building on Sergey’s and Travis’ legendary Troopers13 talk. Be prepared to learn a lot about USB specifics, and to see quite a number of blue screens and stack traces on major server operating systems…
Bio: Daniel Mende is an ERNW security researcher specialized on network protocols and technologies. He s well known for his routing protocol attack tool LOKI, the DIZZY fuzzing framework and a bunch of testing tools from the 3GPP domain. He has presented on protocol security at many occasions including Troopers, Blackhat, CCC, HackInTheBox and ShmooCon. Usually he releases a new tool when giving a talk.
Martin Gallo: SAP’s Network Protocols Revisited FIRST TIME MATERIAL
Abstract: What network protocols does my SAP system use? Are those services secure from a network perspective? Are old and well-known attacks still relevant? What’s the remote attack surface of my SAP environment? Do I really know my level of exposure? Are there tools available to assess the security of the services?
This talk is the result of my journey trying to answer these questions and understanding how the different SAP network protocols work, after spending some of my spare time during the last months working on expanding my knowledge about the network attack surface of SAP systems, reversing some of the protocols and implementing tools and libraries to work with them.
The talk will bring some details and realistic attack vectors regarding the different networks protocols available on both new and classic SAP installations. Some hardening and mitigation ideas will be discussed aimed at increasing the defenses against these threats and attacks.
Bio: Martin Gallo is Security Consultant at CORE Security, where he performs application and network penetration testing, conducts code reviews and identifies vulnerabilities in enterprise and third party software. His research interests include enterprise software security, vulnerability research and reverse engineering.
- Uncovering SAP vulnerabilities – Reversing and breaking the Diag protocol, BruCon 2012 / Defcon XX
Stefan Schumacher: Psychology of Security
Abstract: IT Security is often considered to be a technical problem. However, IT Security is about decisions made by humans and should therefore be researched with psychological methods. Technical/Engineering methods are not able to solve security problems.
In this talk I will introduce the Institute’s research programme about the Psychology of Security. We are going to research the psychological basics of IT security, including: How do people experience IT security? How are they motivated? How do they learn? Why do people tend to make the same mistakes again and again (Buffer Overflow, anyone?)? What can we do to prevent security incidents? Which curricula should be taught about IT security?
Bio: Stefan Schumacher is the Head of the Magdeburger Institut fuer Sicherheitsforschung and Editor of the Magdeburger Journal zur Sicherheitsforschung. He studied Educational Science and Psychology and is currently managing the research project Psychology of Security.
His research interest focusses on Social Engineering, Security Awareness and Qualitative Research about the Perception of Security. He is also an Assistant Lecturer at the University Magdeburg.
He has been involved in the Hacker and Open Source Scene (NetBSD) for the last 20 years. He gave more than 140 public talks in the last 10 years at conferences like DeepSec Vienna, DeepIntel, Chaos Communication Congress, Chaos Communication Camp, Chemnitzer Linux-Tage, Datenspuren, LinuxDays Luxembourg, DGI Forum Wittenberg, GUUG FFG, ILA etc. and published several articles and a book on IT and Security Policy.
A full list of publications and talks can be downloaded at
Attila Marosi: Easy Ways To Bypass Anti-Virus Systems
bstract: All IT security professionals know that antivirus systems can be avoided. But few of them knows that it is very easy to do. (If it is easy to do, its impact is huge!) In this presentation I will, on the spot, fully bypass several antivirus systems using basic techniques! I will bypass: signatures detection, emulation/virtualization, sandboxing, firewalls. How much time (development) is needed for it, for this result? Not more than 15 hours without a cent of investment! If I could do this, anyone can do this… so I think we have to focus to this problem.
Using these easy techniques I can create a ‘dropper’ that can deliver any kind of Metasploit (or anything else) shellcode and bypass several well-known antivirus in real-life and full bypass the VirusTotal.com detection with a detection rate in 0.
In my presentation I use 6 virtual machines and 9 real-time demos. Resulting the audience always have a big fun and surprise when they see the most well-know systems to fail – and the challenges what the AVs cannot solved are ridiculously simple and old. So the IT professionals might think too much about the systems which they rely on and which cost so much.
Bypassed AntiVirus Systems:
F-Secure, AVG, NOD32 6 and 7, !avast, Kaspersky, Trend Micro, McAfee…
Educational value of the topic:
- We look at how the virus writers develop their codes.
- We will develop a puzzle which may distract the AV virtualization engine to avoid the detection.
- We will develop a code to encrypt/decypt our malicious shellcode.
- We will look at which built-in Windows functions helps the attacker to inject malicious code to a viction process and we try it. (We will use the iexplorer.exe to bypass the firewall.)
- We will look at what solutions are often used to avoid the sandbox.
- Learn the difference between the metamorphous and polymorphous code. I wrote a python script which can create a metamorphous version from a byte code. We will test it in realtime and it will a real challenge for the AVs.
Bio: Attila Marosi has always been working in information security field since he started working. As a lieutenant of active duty he worked for years on special information security tasks occuring within the SSNS. Newly he was transferred to the just established GovCERT-Hungary, wich is an additional national level in the internationally known system of CERT offices. He has several international certificates such as CEH, ECSA, OSCP, OSCE. During his free time he also read lections and does some teaching on different levels; on the top of them for white hat hackers. He has presented at many security conferences including Hacker Halted, DeepSEC and Ethical Hacking.
Job de Haas: 20 Ways past Secure Boot
Abstract: This talk presents an overview of all things that can go wrong when developers attempt to implement a chain of trust also called ‘secure boot’. This talk is not so much focused at things like UEFI and Microsoft lockdown, but more at the general application in pay-tv, gaming and mobile devices. On both sides of the fence secure boot is a vital mechanism to understand.
Starting out from design mistakes, we look at crypto problems, logical and debug problems and move towards side channel problems such as timing attacks and glitching. All problems will be illustrated with either public examples or the presenters experiences. To illustrate the practicality, an electromagnetic glitch attack will be demonstrated.
Job de Haas holds an M.Sc. in Electrical Engineering and has a track record in the security industry of more than 15 years. He has experience evaluating the security of a wide range of embedded platforms, such as IPTV decoders, satellite receivers, mobile phones, smart meters and a variety of modems (ADSL, Wireless). Further, he is a specialist in the reverse engineering of applications and consumer electronics.
At Riscure, Job is the senior specialist in charge of security testing of embedded devices for high-security environments. Amongst others, he assessed the protection of pay television systems against side channel and card-sharing attacks for conditional access providers. Job has participated in the creation of several certification schemes for customers of embedded products. Job has a long speaking history at international conferences, including talks on security of mobile technologies, reverse engineering of firmware and side channel attacks on embedded systems.
Furthermore there’s a new workshop of Jose Miguel Esparza (@EternalTodo) on “Squeezing Exploit Kits and PDF Exploits”. Detailed agenda here.
Stay tuned & have a great weekend everybody
We’re very happy to announce the second round of Troopers 2014 talks today (first round here).
Some (well, actually most ) of these talks haven’t been presented before, at any other occasion, so this is exciting fresh material which was/is prepared especially for Troopers.
Andreas Wiegenstein & Xu Jia: Risks in Hosted SAP Environments. FIRST TIME MATERIAL
Synopsis: Many SAP customers have outsourced the operation of their SAP systems in order to save cost. In doing so, they entrust their most critical data to a hosting provider, potentially sharing the same SAP server with a number of companies and organizations unknown to them. These companies and organizations virtually sit in the same boat, without knowing each other and without trusting each other. They all trust in the ability of their hosting provider to run their operating environment in a secure way, though.
But how secure is hosted data in a SAP environment?
This talk demonstrates various risks and attack vectors. It covers vulnerabilities and backdoors in the SAP standard (including several zero-days discovered by Virtual Forge) and how they could be used in order to access hosted SAP data. It also covers risks introduced by custom coding provided by any of the hosted parties.
The talk also provides valuable advice for SAP customers that rely on hosting providers. And what the providers should do in order to run their installations safer.
Bio: Andreas Wiegenstein has been working as a professional SAP security consultant since 2003. He performed countless SAP security audits and received credit for more than 60 SAP security patches related to vulnerabilities he discovered in the SAP standard.
As CTO, he leads the Virtual Forge Research Labs, a team focusing on SAP/ABAP specific research and security solutions.
Andreas has trained large companies and defense organizations on ABAP security and has spoken at multiple SAP-specific conferences (like TechEd) as well as at general security conferences such as Troopers, BlackHat, HITB, IT Defense, DeepSec and RSA. He is co-author of the first book on ABAP security (SAP Press 2009) and wrote the security chapter of the ABAP Best Practices Guideline for DSAG, the German SAP User Group (2013). He is also member of BIZEC.org, the Business Security Community.
Marion Marschalek & Joseph Moti: What Happens In Windows 7 Stays In Windows 7.
Synopsis: Systems evolve over time, patches are applied, holes are fixed, new features are added. Windows8 is the new flagship product of Microsoft, and as prepared as it can be for a world of white-, grey- and black-hat hackers. System components underlie a tough vulnerability assessment process and are updated frequently to sort out security problems even before they arise. But just too often it happens that these clever fixes are not applied globally to all components, but just to the newest version of a library.
Now we want to make use of exactly that fact to uncover potential vulnerabilities.
What we aim for are the forgotten treasures in Windows7 libraries, holes that got fixed for the bigger brother at some point – but stay unfixed in Windows7 until today. We will present a tool that makes it easy to spot these forgotten vulnerabilities. We can keep track of different versions of libraries of different operating systems and automate the analysis process of a big file set. The focus lies on safe functions, which indicate a potential weakness when missing. The tool we show is flexible and extendible to integrate new features, adapt it to different database backends or generate new views on the data to analyse.
Marion Marschalek (@pinkflawd) works at IKARUS Security Software GmbH based in Vienna, Austria. Her main fields of interest are malware research and malware incident response. Besides that Marion teaches basics of malware analysis at University of Applied Sciences St.Pölten and has been speaking at international security conferences, including Defcon Las Vegas, hackl.lu Luxembourg and POC Seoul. In March this year Marion won the Female Reverse Engineering Challenge 2013, organized by RE professional Halvar Flake.
Moti Joseph has been involved in computer security for a long time. In the last few years he has been working on reverse engineering exploit code and developing security products. Moti has been speaking at Black Hat Las Vegas 2007, CONF2009 & CONF2010 in Poland Warsaw, POC 2009 & 2010 in South Korea, ShakaCon 2009 in USA, CHINA 2011 at Shanghai Jiao Tong University, NopCON 2012 in Istanbul and SysCan2010 Taiwan,Taipe.
Rob Lee: Get Over It – Privacy is Good for Security. FIRST TIME MATERIAL
Synopsis: Over the last year government leaks regarding nation-state digital espionage and surveillance have made the topic of privacy a heated discussion point. However, for those that have been championing the privacy cause this is a fight that has been going on for years. One issue with regards to technology and the lack of privacy is that there are a large of amount of people in positions of power, and general public, who have very little idea about how technology works or its capabilities. What is even more interesting is that despite the myth that you can have either privacy or security it is in fact critical to security that you have privacy; the myth is a lie and whether you like it or not privacy is good for security. The speaker is a member of the US Air Force (and as such might be regarded as somewhat biased), but TROOPERS has extended the opportunity to the speaker to present regardless of his affiliation (he does not represent viewpoints of the US government but only himself) and he will discuss his research, own experience, and opinions on why ensuring privacy is actually in governments’ best interest for boosting national security. This talk is bound to present ideas that audience members agree with as well as those that they disagree with which will hopefully lead to heated debate; active participation is encouraged.
Bio: Robert M. Lee is the Founder and Director of hackINT, a 501©(3) non-profit organization that teaches entry level cyber security classes in the subjects of hacking, forensics, intelligence, and defense. Additionally, he is an active-duty US Air Force Cyberspace Operations Officer working under the Air Force Intelligence, Surveillance, and Reconnaissance Agency where he leads a national level cyber defense team. Robert is also an Adjunct Lecturer at Utica College where he teaches graduate level classes in digital forensics and cyber counter intelligence in the M.S. Cybersecurity program. He received his B.S. from the United States Air Force Academy, his M.S. in Cybersecurity – Digital Forensics from Utica College, and is currently working on his PhD in War Studies at Kings College London where he is researching control systems cyber security.
Robert has written on control system cyber security, the direction of the cyberspace domain, and advanced digital threats for publications such as Control Global, SC Magazine, Australia Security Magazine, Hong Kong Security Magazine, Cyber Conflict Studies Association, and Air and Space Power Journal. He has also presented related topics at thirteen conferences in eight countries as well as presenting critical infrastructure protection topics to multiple international think tanks. Lastly, he has taught over 500 students through hackINT and his time at Utica College. Routinely consulted for his expertise on such subjects, Robert M. Lee is an active cyber advocate and educator.
Robin Sommer: Bro – A Flexible Open-Source Platform for Comprehensive Network Security Monitoring.
Synopsis: Bro is a highly flexible open-source monitoring platform that is today protecting some of the largest networks around; including deployments at major universities, supercomputing centers, U.S. national laboratories, and Fortune 20 enterprises. Bro differs fundamentally from traditional intrusion detection systems, as it is not tied to any single detection approach. Instead it provides users with a rich domain-specific scripting language suitable to express complex application-layer analysis tasks on top of a scalable real-time platform. Bro furthermore records extensive high-level logs of a network’s activity, which regularly prove invaluable for forensics and have helped solve countless security incidents. This presentation will introduce Bro’s philosophy and architecture, walk the audience through a range of the system’s capabilities, discuss deployment scenarios, and provide an outlook on Bro’s development roadmap. Learn more about Bro at http://www.bro.org.
Bio: Robin Sommer is leading the Bro project as a Senior Researcher at the International Computer Science Institute, Berkeley, USA. He is also a member of the cybersecurity team at the Lawrence Berkeley National Laboratory; and he is a co-founder of Broala, a recent startup providing professional Bro services to corporations and government customers. Robin Sommer’s research focuses on network security and privacy, with a particular emphasis on high-performance network monitoring in operational settings. He holds a doctoral degree from TU München, Germany.
Christian Sielaff & Daniel Hauenstein: OSMOSIS – Open Source Monitoring Security Issues. FIRST TIME MATERIAL
Synopsis: By trying to emulate a real world environment, we have deliberately chosen software solutions, which are ubiquitous in large IT enterprise networks since many years. Many of the examined solutions have a long list of success stories.
Quite often these monitoring solutions are the only ones in use in small or mid rage businesses, but surprisingly often enterprise environments use them in a large scale. The wide spread usage of these monitoring solutions is mainly based on the fact that they are free, not expensive to maintain and … secure?
We question the last point, while showing how seemingly small security issues may result in large security gaps in your network. Finally we present how compromising one perimetric system may result in a severe security risk for the monitoring network, potentially allowing attacks against further internal networks. This “osmosis” attack clearly shows how the multilayered onion approach can be bypassed by peeling the onion.
Finally we will present mitigation proposals to prevent those attacks at least from a design perspective. This talk is for everyone who uses “off the shelf” solutions in sensitive environments, just because everyone else does.
Christian Sielaff works since many years in the Telco world. Previously he was part of an operational department and has designed and maintained secure access solutions. So he also knows the other side of the console.
As part of the Group Information Security of Deutsche Telekom, he focuses on Information Security in the last few years. In the team of Network and Data Center Security he is specialized on the management network security aspects.
Daniel Hauenstein: With over 13 years of professional IT security consulting experience, you can safely say he is an old timer in the fast moving field of IT security.
Daniel worked as a security consultant for companies such as Secureware, TUEV Rheinland Secure iT, n.runs and Context Information Security, and for over 6 years now as a freelance consultant. He supported international clients like Microsoft USA, SAP, Deutsche Telekom and Deutsche Bank and also governmental clients with high-security demands in securing their applications and networks.
He is a firm believer that the building blocks of security are a robust design and sound planning as opposed to firewall appliances, antivirus or compliance reports. His passion to prove that even small or presumably insignificant risks may result in “full root access pwnage” made him passionate about how to optimize security solutions. He also does not believe in the mystical power of security certifications.
Daniel loves beer, Scotland, beer in Scotland and travelling. It is said that he knows every internet meme out there.
More talks to follow soon… so stay tuned
See you @Troopers. Happy Holidays! to everybody