Some outright rants from a bunch of infosec practitioners.

TAG | conferences



Protocol Properties & Attack Vectors

Next week, at DeepSec, we’re going to give a talk about Multicast Listener Discovery (MLD), a component of IPv6 which is realized by means of ICMPv6 messages. There are two versions of MLD (mainly specified in RFC 2710 and RFC 3810 respectively) and while MLD is technically implemented by ICMPv6 exchanges, these specifications describe a whole set of rules and communication formats, hence we can safely talk about “the MLD protocol”.

Now, you might ask: how does one tackle the task of examining the security “of a protocol”?


, , | Post your comment here.



Power of Community 2014

I had the pleasure to participate in this year’s Power of Community and was invited to talk about the insecurity of medical devices. The conference is based in Seoul, Korea and started in 2006. It has a strong technical focus and it is a community driven event. For me it was great to participate as mostly hackers from Asia were there and I got the chance to talk to a lot of nice folks that I wouldn’t be able to meet otherwise. This is especially true for the host, vangelis.


| Post your comment here.

Hello Everybody and greetings from Sao Paulo,

We’re currently enjoying the Brazilian sunshine, waiting for H2H2 11’s closing remarks and decided to give you a few details on the past three days. The conference was opened by a short welcome by our fellow Trooper Rodrigo Rubira Branco and stuffed with loads of great talks. This year’s keynotes came from Daniel J. Bernstein and Halvar Flake and gave yet another insight into the ever changing world of InfoSec. The international lineup also included Travis Goodspeed, Sergej Bratus and Fernando Gont. H2HC was a great chance for us to talk to various Hackers from around the world and share our opinions and knowledge. (more…)

, , | Post your comment here.



North American IPv6 Summit 2014

Hello everyone,

I know I am a bit late with this post, but I was speaking on the North American IPv6 Summit in Denver three weeks ago. The focus of my talk was on Why IPv6 Security is hard – Structural Deficits of IPv6 & Their Implications (slightly modified/updated from the Troopers IPv6 Security Summit).  We consider the NA IPv6 Summit as one of the most important IPv6 events at all and we were happy to contribute to the overall success. The conference was organized for the 7th time by the Rocky Mountain IPv6 Task Force and took place in the Grand Hyatt Denver (37th floor ;-)). Luckily the weather was perfect, and the view of the landscape from the conference rooms was just amazing. I really enjoyed the time in Denver, as the organizer sdid all they could to treat the speaker well J. The talks were of mix of regular research or case-study type talks and some sponsored talks ranging from deployment experience, security and statistics to SDN (Yes, I said it ;)) and the Internet of Things (I said it again ;)). The line-up was nicely put together.


, | Post your comment here.



“Hacking for a B33r” at Ghent

This is a guest post by Antonios Atlasis.

This week I had the pleasure to attend BruCON 2014. While participating at the Brucon 5×5 program, I had also the chance to attend this well-known European Con which is held in the beautiful city of Ghent.


, | Post your comment here.



ERNW @BlackHat US 2014

Last week we had the opportunity and pleasure to present some of our research results at BlackHat US 2014 (besides of meeting a lot of old friends and having a great researchers’ dinner).

Enno and Antonios gave their presentation on IDPS evasion by IPv6 Extension Headers, described here.

The material can be found here: Slides, tools (the main tool used was Chiron, authored by Antonios) & whitepaper.

Ayhan and me presented our results of the security analysis of Cisco’s EnergyWise protocol. The protocol enables network-wide power monitoring and control (ie turning servers off or on, putting phones to standby — basically controlling the power state of all EnergyWise-enabled or PoE devices). The main problem (besides a DoS vulnerability we found in IOS, see official Cisco advisory) is its PSK-based authentication model, which enables an attacker to cause large-scale blackouts in data centers if the deployment is lacking certain controls (for example our good old favorite, segmentation…). There will be a longer blogpost/newsletter on this topic soon.
The material can be found here: Slides & tools



, , | Post your comment here.



More Troopers Talks Selected

Today we have to pleasure to announce another round of Troopers talks.
Here we go:

Noam Liram: Vulnerability Classification in the SaaS Era      FIRST TIME MATERIAL

Abstract: In this talk we will thoroughly analyze two major SaaS vulnerabilities that were found by Adallom (one of which is still in responsible disclosure stages at the time of writing). By demonstrating this new class of exploits which we have nick-named “Ice Dagger” attacks, we aim to change the current industry-wide criteria for vulnerability classifications, which were developed in the Desktop/Server world, are inadequate when classifying SaaS vulnerabilities. We will specifically discuss the details of MS13-104.

Bio: Noam Liran is the Chief Software Architect of Adallom, a SaaS application security provider. Noam is an alumnus of Israel Defense Force’s Unit 8200 and was a team leader in its cyber division.

Vladimir Katalov: Modern Smartphone Forensics – Apple iOS: from logical and physical acquisition to iCloud backups, document storage and keychain; Encrypted BlackBerry Backups (BB 10 and Olympia Service)

Apple iCloud Backups: there are various methods to perform data acquisition from iOS devices: logical, advanced logical (using hidden services running in iOS) and physical. iCloud analysis is the further step. The iCloud may contain complete device backups (for all devices connected to Apple ID), geolocation data (Find My Phone data), documents, and additional data saved by 3rd party applications. We show how (and where) this data is actually stored, how to request and decrypt it, and how to analyse it. Some information on iCloud keychain is also provided — and yes, sometime there is a way to get all your passwords (including ones from the other devices) and credit card data. And yes, most data is available to Apple itself, as well as to Amazon and Microsoft, so probably to three-letter agencies as well.
BlackBerry: For BB 10 devices, backups created with BlackBerry Link are always encrypted, but the encryption is not user-configurable, and there is no way to view the backup contents or even restore from thgs backup to the other device. We have found that encryption keys is being generated by BlackBerry ‘Olympia Service’, based on BlackBerry ID, password, and device PIN. ID and PIN is something we can get from the backup itself, and if we know the password as well, we can generate the series of requests to Olympia service to obtain the key and decrypt the backup. Backlup contains all applications (purchased from AppWorld), their data (such as WhatsApp conversations), device settings, call logs, passwords etc — most in the plain form or SQLite databases.

Bio: Vladimir Katalov is CEO, co-founder and co-owner of ElcomSoft Co.Ltd. Born in 1969 in Moscow, Russia; studied Applied Mathematics at National Research Nuclear University. Vladimir works at ElcomSoft up until now from the very beginning (1990). Now he is driving all the R&D processes inside the company.

Sergey Bratus, Javier Vazquez & Ryan Speers: Making (and Breaking) an 802.15.4 WIDS

Abstract: Real-world security-critical systems including energy metering and physical security monitoring are starting to rely on 802.15.4/ZigBee digital radio networks. These networks can be attacked at the physical layer (reflexive jamming or via Packet-in-packet attacks), the MAC layer (dissociation storms), or at the application layers. Proprietary WIDS for 802.15.4 exist, but don’t provide much transparency into how their 802.15.4 stacks work and how they may be tested for evasion.
As the classic Ptacek & Newsham 1998 paper explained, tricks used to evade a NIDS tell us more about how a protocol stack is implemented than any specifications or even the RFCs. For WIDS, evasion can go even deeper: while classic evasion tricks are based on IP and TCP packet-crafting, evading 802.15.4 can be done starting at the PHY layer! We will explain the PHY tricks that will make one chip radio see the packets while the other would entirely miss them regardless of range; such tricks serve for both WIDS testing and fingerprinting.
We will release an open, extensible WIDS construction and testing kit for 802.15.4, based on our open-source ApiMote hardware. ApiMote uses the CC2420 digital radio chip to give you access to 802.15.4 packets at the nybble level. It can be easily adopted for detecting attacks at any protocol level. It also lets you test your ZigBee WIDS and devices from the frame level up. We will give out some of the ApiMotes.

Sergey Bratus is a Research Assistant Professor of Computer Science at Dartmouth College. He sees state-of-the-art hacking as a distinct research and engineering discipline that, although not yet recognized as such, harbors deep insights into the nature of computing. He has a Ph.D. in Mathematics from Northeastern University and worked at BBN Technologies on natural language processing research before coming to Dartmouth.
Javier Vazquez is a researcher at River Loop Security specializing in wireless systems, PCB design, and hardware reverse engineering. Javier graduated from the University of Central Florida with a degree in Electrical Engineering and a focus on RF Engineering. Other interests include networking and software development.
Ryan Speers is a co-founder and security researcher at River Loop Security and has extensive experience in IEEE 802.15.4/ZigBee analysis and software and hardware security analysis. He maintains the KillerBee 802.15.4 assessment framework has previously spoken at ShmooCon and ToorCon Seattle, and has published at USENIX WOOT, IEEE/HICSS, and the Workshop on Embedded Systems Security. He enjoys breaking things, although not when volunteering as an EMT or when rock-climbing. He graduated from Dartmouth College with a degree in Computer Science.

Martijn Jansen: How to Work towards Pharma Compliance for Cloud Computing – What Do FDA and Similar Regulations Mean for Your (Cloud) IT Delivery Organisation?      FIRST TIME MATERIAL

Abstract: Today, for life-sciences or consumer goods manufacturers/food/drug companies’ regulatory compliance is quite a heavy burden to their day-day operation. This applies in particular when business operations or sales are (also) in the US so that a company becomes a regulated entity under the very stringent FDA regime.
The presentation is about the translation of Pharmaceutical regulations (what regulations?) that could be applied to any cloud-related IT service into a quality management strategy and hands-on IT controls that could work for each one of us.
Think of how to bring compliance into the lifecycle of requirements, design, install and configuration plans etc. Furthermore we’ll discuss different types of controls in service creation or delivery, be them administrative, technical, procedural controls. Discussed are usable quality assurance controls for People, Process and Technology, projected onto services (components). These controls might be there already to re-use (but not auditable) or might need to be created.
As one of the first in the industry Martijn will show you, starting at the governance level (to leave no-one behind), examples from the trenches to categorize and map controls on how to utilise Telco and ISO experience best practices. Thus bringing Pharma compliance applicable to IT Cloud Computing down from the academic level to usable hands-on best practices! While compliance is highly theoretical Martijn and thus the material is heavily focussed on real-world usability.

Bio: Martijn has always been intrigued by electronics, transmission and any sort of security since he was a small kid. He built his first FM radio transmitter (after dis-assembling a few) very young, and always kept in touch with electronics and IT.
He is technically educated as construction engineer and -designer. After continued education he served as a diver team commander. Returning back to civilisation he worked in his initial field of expertise (CAD construction design), then turning to IT. Martijn has experience as IT trainer, engineer, architect and consultant in sales, design, implementation and operation of operating systems, networks and security. He auto-didactically studied for about 6 years in the evenings to acquire all the certificates and technologies that were relevant at the time. Till a short while ago, he owned his own 19 inch rack at home with routers, switches and virtualisation computing running.
As a principal consultant and architect Martijn took care of mostly bespoke and complex IT transformations for global pharma and manufacturing customers. He currently works as Security Controls Assurance manager for the Compliance department of a global telco. In this role he looks after compliance and security for the cloud computing proposition.

Matthias Luft & Felix Wilhelm: Compromise-as-a-Service: Our PleAZURE       FIRST TIME MATERIAL

Abstract: This could be a comprehensive introduction about the ubiquity of virtualization, the essential role of the hypervisor, and how the security posture of the overall environment depends on it. However, we decided otherwise, as this is what everybody is interested in: We will describe the Hyper-V architecture in detail, provide a taxonomy of hypervisor exploits, and demonstrate how we found MS13-092 which had the potential to compromise the whole Azure environment. Live demo included!

Matthias Luft is a senior security analyst at ERNW. He has extensive experience in penetration testing and security assessments of complex technical environments. He’s one of the first researchers who revealed major design flaws and vulnerabilities in the approach of Data Leakage Prevention. During the last years, he focused on the area of cloud security and presented both approaches for scalability and trust assessment of cloud service providers. He gives cloud security workshops on a regular base. Furthermore he was the project lead in a research study on a major cloud solution platform which ERNW performed resulting in the discovery of MS13-092. Matthias holds a Master’s degree in computer science from the University of Mannheim.
Felix Wilhelm is a senior security researcher at ERNW. He has extensive experience in performing penetration tests and security assessments of complex technical environments and he is specialized in kernel and virtualization security. Felix has discovered and published multiple critical security vulnerabilities in widely used software and participated in the first Microsoft Bluehat Prize contest to find defense techniques against modern software exploit techniques. Felix gives courses on topics like exploit analysis, reverse engineering and application security. He wrote the Linux kernel code exploiting the MS13-092 vulnerability. Felix holds a Bachelor degree in computer science from the RWTH Aachen University.

Juan Perez-Etchegoyen & Will Vandevanter: SAP BusinessObjects Attacks – Espionage and Poisoning of Business Intelligence Platforms

Abstract: Business executives make their strategic decisions and report on their performance based on the information provided by their Business Intelligence platforms. Therefore, how valuable could that information be for the company’s largest competitor? Even further, what if the consolidated, decision-making data has been compromised? What if an attacker has poisoned the system and changed the key indicators?
SAP BusinessObjects is used by thousands of companies world-wide and serves as the gold standard platform for Business Intelligence. In this presentation we will discuss our recent research on SAP BusinessObjects security.
Specifically, through several live demos, we will present techniques attackers may use to target and compromise an SAP BusinessObjects deployment and what you need to do in order to mitigate those risks.

Juan Perez-Etchegoyen is the CTO at Onapsis, leading the Research & Development teams that keep the company on the cutting-edge of the ERP security industry. As a renowned thought-leader in the SAP cyber security field, Juan is responsible for the architecture of the innovative software solutions Onapsis X1 and Onapsis IPS.
Being the founder of the Onapsis Research Labs, Juan is actively involved in the coordination and research of critical security vulnerabilities in ERP systems and business-critical applications, such as SAP and Oracle. He has discovered and helped SAP AG fix several critical vulnerabilities. Juan also held the first presentation on advanced threats affecting Oracle’s JD Edwards applications.
As a result of his innovative research work, Juan has been invited to lecture at several of the most renowned security conferences in the world, such as Black Hat, SANS, OWASP AppSec, HackInTheBox, NoSuchCon and Ekoparty. He also holds private trainings for SAP AG and Global Fortune-100 organizations and is frequently quoted and interviewed by leading publications, such as IDG, DarkReading and PC World.
Will Vandevanter is a Senior Security Researcher at Onapsis where he focuses on SAP and ERP security. He has discovered and helped SAP AG patch numerous critical vulnerabilities in SAP software and is a regular contributor to the Onapsis SAP Security In-Depth publication. Prior to Onapsis, Will was the Lead Penetration Tester at Rapid7. He has previously spoken at Defcon, OWASP AppSec, SOURCE Barcelona, and a number of other conferences. Will holds a Bachelors Degree in Mathematics and Computer Science from McGill University and Masters Degree in Computer Science with a focus in Secure Software Engineering from James Madison University.




Furthermore there’s some new workshops; just have a look at the agenda ;-)

Everybody have a great weekend,



, , | Post your comment here.

At first a very happy new year to all our readers!

Today we announce the third round of Troopers 2014 talks (first round here, second here).

Here we go:


Daniel Mende: Implementing an USB Host Driver Fuzzer         FIRST TIME MATERIAL

Abstract: The Universal Serial Bus (USB) can be found everywhere these days, may it be to connect a mouse or keyboard to the computer, transfer data on a flash drive connected via USB or to attach some additional hardware like a Digital Video Broadcast receiver. Some of these devices use a standardized device class which are served by an operating system default driver while other, special purpose devices, do not fit into any of those classes, so vendors ship their own drivers. As every vendor specific USB driver installed on a system adds additional attack surface, there needs to be some method to evaluate the stability and the security of those vendor proprietary drivers. The simplest way to perform a stability analysis of closed source products is the fuzzing approach. As there have been no publicly available tools for performing USB host driver fuzzing, I decided to develop one ;-), building on Sergey’s and Travis’ legendary Troopers13 talk. Be prepared to learn a lot about USB specifics, and to see quite a number of blue screens and stack traces on major server operating systems…

Bio: Daniel Mende is an ERNW security researcher specialized on network protocols and technologies. He s well known for his routing protocol attack tool LOKI, the DIZZY fuzzing framework and a bunch of testing tools from the 3GPP domain. He has presented on protocol security at many occasions including Troopers, Blackhat, CCC, HackInTheBox and ShmooCon. Usually he releases a new tool when giving a talk.



Martin Gallo: SAP’s Network Protocols Revisited         FIRST TIME MATERIAL

Abstract: What network protocols does my SAP system use? Are those services secure from a network perspective? Are old and well-known attacks still relevant? What’s the remote attack surface of my SAP environment? Do I really know my level of exposure? Are there tools available to assess the security of the services?

This talk is the result of my journey trying to answer these questions and understanding how the different SAP network protocols work, after spending some of my spare time during the last months working on expanding my knowledge about the network attack surface of SAP systems, reversing some of the protocols and implementing tools and libraries to work with them.

The talk will bring some details and realistic attack vectors regarding the different networks protocols available on both new and classic SAP installations. Some hardening and mitigation ideas will be discussed aimed at increasing the defenses against these threats and attacks.

Bio: Martin Gallo is Security Consultant at CORE Security, where he performs application and network penetration testing, conducts code reviews and identifies vulnerabilities in enterprise and third party software. His research interests include enterprise software security, vulnerability research and reverse engineering.

Previous talks:
Uncovering SAP vulnerabilities – Reversing and breaking the Diag protocol, BruCon 2012 / Defcon XX

Advisories published:

CORE-2012-1128 – SAP Netweaver Message Server Multiple Vulnerabilities
CORE-2012-0123 – SAP Netweaver Dispatcher Multiple Vulnerabilities

Tools released:
SAP Dissection plug-in for Wireshark

Articles published:



Stefan Schumacher: Psychology of Security

Abstract: IT Security is often considered to be a technical problem. However, IT Security is about decisions made by humans and should therefore be researched with psychological methods. Technical/Engineering methods are not able to solve security problems.

In this talk I will introduce the Institute’s research programme about the Psychology of Security. We are going to research the psychological basics of IT security, including: How do people experience IT security? How are they motivated? How do they learn? Why do people tend to make the same mistakes again and again (Buffer Overflow, anyone?)? What can we do to prevent security incidents? Which curricula should be taught about IT security?

Bio: Stefan Schumacher is the Head of the Magdeburger Institut fuer Sicherheitsforschung and Editor of the Magdeburger Journal zur Sicherheitsforschung. He studied Educational Science and Psychology and is currently managing the research project Psychology of Security.

His research interest focusses on Social Engineering, Security Awareness and Qualitative Research about the Perception of Security. He is also an Assistant Lecturer at the University Magdeburg.
He has been involved in the Hacker and Open Source Scene (NetBSD) for the last 20 years. He gave more than 140 public talks in the last 10 years at conferences like DeepSec Vienna, DeepIntel, Chaos Communication Congress, Chaos Communication Camp, Chemnitzer Linux-Tage, Datenspuren, LinuxDays Luxembourg, DGI Forum Wittenberg, GUUG FFG, ILA etc. and published several articles and a book on IT and Security Policy.

A full list of publications and talks can be downloaded at



Attila Marosi: Easy Ways To Bypass Anti-Virus Systems

bstract: All IT security professionals know that antivirus systems can be avoided. But few of them knows that it is very easy to do. (If it is easy to do, its impact is huge!) In this presentation I will, on the spot, fully bypass several antivirus systems using basic techniques! I will bypass: signatures detection, emulation/virtualization, sandboxing, firewalls. How much time (development) is needed for it, for this result? Not more than 15 hours without a cent of investment! If I could do this, anyone can do this… so I think we have to focus to this problem.
Using these easy techniques I can create a ‘dropper’ that can deliver any kind of Metasploit (or anything else) shellcode and bypass several well-known antivirus in real-life and full bypass the detection with a detection rate in 0.
In my presentation I use 6 virtual machines and 9 real-time demos. Resulting the audience always have a big fun and surprise when they see the most well-know systems to fail – and the challenges what the AVs cannot solved are ridiculously simple and old. So the IT professionals might think too much about the systems which they rely on and which cost so much.

Bypassed AntiVirus Systems:
F-Secure, AVG, NOD32 6 and 7, !avast, Kaspersky, Trend Micro, McAfee…

Educational value of the topic:
– We look at how the virus writers develop their codes.
– We will develop a puzzle which may distract the AV virtualization engine to avoid the detection.
– We will develop a code to encrypt/decypt our malicious shellcode.
– We will look at which built-in Windows functions helps the attacker to inject malicious code to a viction process and we try it. (We will use the iexplorer.exe to bypass the firewall.)
– We will look at what solutions are often used to avoid the sandbox.
– Learn the difference between the metamorphous and polymorphous code. I wrote a python script which can create a metamorphous version from a byte code. We will test it in realtime and it will a real challenge for the AVs.

Bio: Attila Marosi has always been working in information security field since he started working. As a lieutenant of active duty he worked for years on special information security tasks occuring within the SSNS. Newly he was transferred to the just established GovCERT-Hungary, wich is an additional national level in the internationally known system of CERT offices. He has several international certificates such as CEH, ECSA, OSCP, OSCE. During his free time he also read lections and does some teaching on different levels; on the top of them for white hat hackers. He has presented at many security conferences including Hacker Halted, DeepSEC and Ethical Hacking.



Job de Haas: 20 Ways past Secure Boot

Abstract: This talk presents an overview of all things that can go wrong when developers attempt to implement a chain of trust also called ‘secure boot’. This talk is not so much focused at things like UEFI and Microsoft lockdown, but more at the general application in pay-tv, gaming and mobile devices. On both sides of the fence secure boot is a vital mechanism to understand.
Starting out from design mistakes, we look at crypto problems, logical and debug problems and move towards side channel problems such as timing attacks and glitching. All problems will be illustrated with either public examples or the presenters experiences. To illustrate the practicality, an electromagnetic glitch attack will be demonstrated.


Job de Haas holds an M.Sc. in Electrical Engineering and has a track record in the security industry of more than 15 years. He has experience evaluating the security of a wide range of embedded platforms, such as IPTV decoders, satellite receivers, mobile phones, smart meters and a variety of modems (ADSL, Wireless). Further, he is a specialist in the reverse engineering of applications and consumer electronics.
At Riscure, Job is the senior specialist in charge of security testing of embedded devices for high-security environments. Amongst others, he assessed the protection of pay television systems against side channel and card-sharing attacks for conditional access providers. Job has participated in the creation of several certification schemes for customers of embedded products. Job has a long speaking history at international conferences, including talks on security of mobile technologies, reverse engineering of firmware and side channel attacks on embedded systems.


Furthermore there’s a new workshop of Jose Miguel Esparza (@EternalTodo) on “Squeezing Exploit Kits and PDF Exploits”. Detailed agenda here.

Stay tuned & have a great weekend everybody



, , | Post your comment here.

We’re very happy to announce the second round of Troopers 2014 talks today (first round here).
Some (well, actually most ;-) ) of these talks haven’t been presented before, at any other occasion, so this is exciting fresh material which was/is prepared especially for Troopers.


Andreas Wiegenstein & Xu Jia: Risks in Hosted SAP Environments. FIRST TIME MATERIAL

Synopsis: Many SAP customers have outsourced the operation of their SAP systems in order to save cost. In doing so, they entrust their most critical data to a hosting provider, potentially sharing the same SAP server with a number of companies and organizations unknown to them. These companies and organizations virtually sit in the same boat, without knowing each other and without trusting each other. They all trust in the ability of their hosting provider to run their operating environment in a secure way, though.

But how secure is hosted data in a SAP environment?
This talk demonstrates various risks and attack vectors. It covers vulnerabilities and backdoors in the SAP standard (including several zero-days discovered by Virtual Forge) and how they could be used in order to access hosted SAP data. It also covers risks introduced by custom coding provided by any of the hosted parties.
The talk also provides valuable advice for SAP customers that rely on hosting providers. And what the providers should do in order to run their installations safer.

Bio: Andreas Wiegenstein has been working as a professional SAP security consultant since 2003. He performed countless SAP security audits and received credit for more than 60 SAP security patches related to vulnerabilities he discovered in the SAP standard.

As CTO, he leads the Virtual Forge Research Labs, a team focusing on SAP/ABAP specific research and security solutions.

Andreas has trained large companies and defense organizations on ABAP security and has spoken at multiple SAP-specific conferences (like TechEd) as well as at general security conferences such as Troopers, BlackHat, HITB, IT Defense, DeepSec and RSA. He is co-author of the first book on ABAP security (SAP Press 2009) and wrote the security chapter of the ABAP Best Practices Guideline for DSAG, the German SAP User Group (2013). He is also member of, the Business Security Community.



Marion Marschalek & Joseph Moti: What Happens In Windows 7 Stays In Windows 7.

Synopsis: Systems evolve over time, patches are applied, holes are fixed, new features are added. Windows8 is the new flagship product of Microsoft, and as prepared as it can be for a world of white-, grey- and black-hat hackers. System components underlie a tough vulnerability assessment process and are updated frequently to sort out security problems even before they arise. But just too often it happens that these clever fixes are not applied globally to all components, but just to the newest version of a library.

Now we want to make use of exactly that fact to uncover potential vulnerabilities.
What we aim for are the forgotten treasures in Windows7 libraries, holes that got fixed for the bigger brother at some point – but stay unfixed in Windows7 until today. We will present a tool that makes it easy to spot these forgotten vulnerabilities. We can keep track of different versions of libraries of different operating systems and automate the analysis process of a big file set. The focus lies on safe functions, which indicate a potential weakness when missing. The tool we show is flexible and extendible to integrate new features, adapt it to different database backends or generate new views on the data to analyse.


Marion Marschalek (@pinkflawd) works at IKARUS Security Software GmbH based in Vienna, Austria. Her main fields of interest are malware research and malware incident response. Besides that Marion teaches basics of malware analysis at University of Applied Sciences St.Pölten and has been speaking at international security conferences, including Defcon Las Vegas, Luxembourg and POC Seoul. In March this year Marion won the Female Reverse Engineering Challenge 2013, organized by RE professional Halvar Flake.
Moti Joseph has been involved in computer security for a long time. In the last few years he has been working on reverse engineering exploit code and developing security products. Moti has been speaking at Black Hat Las Vegas 2007, CONF2009 & CONF2010 in Poland Warsaw, POC 2009 & 2010 in South Korea, ShakaCon 2009 in USA, CHINA 2011 at Shanghai Jiao Tong University, NopCON 2012 in Istanbul and SysCan2010 Taiwan,Taipe.



Rob Lee: Get Over It – Privacy is Good for Security. FIRST TIME MATERIAL

Synopsis: Over the last year government leaks regarding nation-state digital espionage and surveillance have made the topic of privacy a heated discussion point. However, for those that have been championing the privacy cause this is a fight that has been going on for years. One issue with regards to technology and the lack of privacy is that there are a large of amount of people in positions of power, and general public, who have very little idea about how technology works or its capabilities. What is even more interesting is that despite the myth that you can have either privacy or security it is in fact critical to security that you have privacy; the myth is a lie and whether you like it or not privacy is good for security. The speaker is a member of the US Air Force (and as such might be regarded as somewhat biased), but TROOPERS has extended the opportunity to the speaker to present regardless of his affiliation (he does not represent viewpoints of the US government but only himself) and he will discuss his research, own experience, and opinions on why ensuring privacy is actually in governments’ best interest for boosting national security. This talk is bound to present ideas that audience members agree with as well as those that they disagree with which will hopefully lead to heated debate; active participation is encouraged.

Bio: Robert M. Lee is the Founder and Director of hackINT, a 501©(3) non-profit organization that teaches entry level cyber security classes in the subjects of hacking, forensics, intelligence, and defense. Additionally, he is an active-duty US Air Force Cyberspace Operations Officer working under the Air Force Intelligence, Surveillance, and Reconnaissance Agency where he leads a national level cyber defense team. Robert is also an Adjunct Lecturer at Utica College where he teaches graduate level classes in digital forensics and cyber counter intelligence in the M.S. Cybersecurity program. He received his B.S. from the United States Air Force Academy, his M.S. in Cybersecurity – Digital Forensics from Utica College, and is currently working on his PhD in War Studies at Kings College London where he is researching control systems cyber security.

Robert has written on control system cyber security, the direction of the cyberspace domain, and advanced digital threats for publications such as Control Global, SC Magazine, Australia Security Magazine, Hong Kong Security Magazine, Cyber Conflict Studies Association, and Air and Space Power Journal. He has also presented related topics at thirteen conferences in eight countries as well as presenting critical infrastructure protection topics to multiple international think tanks. Lastly, he has taught over 500 students through hackINT and his time at Utica College. Routinely consulted for his expertise on such subjects, Robert M. Lee is an active cyber advocate and educator.



Robin Sommer: Bro – A Flexible Open-Source Platform for Comprehensive Network Security Monitoring.

Synopsis: Bro is a highly flexible open-source monitoring platform that is today protecting some of the largest networks around; including deployments at major universities, supercomputing centers, U.S. national laboratories, and Fortune 20 enterprises. Bro differs fundamentally from traditional intrusion detection systems, as it is not tied to any single detection approach. Instead it provides users with a rich domain-specific scripting language suitable to express complex application-layer analysis tasks on top of a scalable real-time platform. Bro furthermore records extensive high-level logs of a network’s activity, which regularly prove invaluable for forensics and have helped solve countless security incidents. This presentation will introduce Bro’s philosophy and architecture, walk the audience through a range of the system’s capabilities, discuss deployment scenarios, and provide an outlook on Bro’s development roadmap. Learn more about Bro at 

Bio: Robin Sommer is leading the Bro project as a Senior Researcher at the International Computer Science Institute, Berkeley, USA. He is also a member of the cybersecurity team at the Lawrence Berkeley National Laboratory; and he is a co-founder of Broala, a recent startup providing professional Bro services to corporations and government customers. Robin Sommer’s research focuses on network security and privacy, with a particular emphasis on high-performance network monitoring in operational settings. He holds a doctoral degree from TU München, Germany. 



Christian Sielaff & Daniel Hauenstein: OSMOSIS – Open Source Monitoring Security Issues. FIRST TIME MATERIAL

Synopsis: By trying to emulate a real world environment, we have deliberately chosen software solutions, which are ubiquitous in large IT enterprise networks since many years. Many of the examined solutions have a long list of success stories.

Quite often these monitoring solutions are the only ones in use in small or mid rage businesses, but surprisingly often enterprise environments use them in a large scale. The wide spread usage of these monitoring solutions is mainly based on the fact that they are free, not expensive to maintain and … secure?
We question the last point, while showing how seemingly small security issues may result in large security gaps in your network. Finally we present how compromising one perimetric system may result in a severe security risk for the monitoring network, potentially allowing attacks against further internal networks. This “osmosis” attack clearly shows how the multilayered onion approach can be bypassed by peeling the onion.
Finally we will present mitigation proposals to prevent those attacks at least from a design perspective. This talk is for everyone who uses “off the shelf” solutions in sensitive environments, just because everyone else does.


Christian Sielaff works since many years in the Telco world. Previously he was part of an operational department and has designed and maintained secure access solutions. So he also knows the other side of the console.
As part of the Group Information Security of Deutsche Telekom, he focuses on Information Security in the last few years. In the team of Network and Data Center Security he is specialized on the management network security aspects.

Daniel Hauenstein: With over 13 years of professional IT security consulting experience, you can safely say he is an old timer in the fast moving field of IT security.
Daniel worked as a security consultant for companies such as Secureware, TUEV Rheinland Secure iT, n.runs and Context Information Security, and for over 6 years now as a freelance consultant. He supported international clients like Microsoft USA, SAP, Deutsche Telekom and Deutsche Bank and also governmental clients with high-security demands in securing their applications and networks.
He is a firm believer that the building blocks of security are a robust design and sound planning as opposed to firewall appliances, antivirus or compliance reports. His passion to prove that even small or presumably insignificant risks may result in “full root access pwnage” made him passionate about how to optimize security solutions. He also does not believe in the mystical power of security certifications.
Daniel loves beer, Scotland, beer in Scotland and travelling. It is said that he knows every internet meme out there.


More talks to follow soon… so stay tuned ;-)

See you @Troopers. Happy Holidays! to everybody


, , | Post your comment here.

Such was the title of a talk I gave yesterday at ACSAC 29. It was an updated and shortened version of a similar talk I had given at the Troopers IPv6 Security Summit (btw: this is the preliminary agenda of the 2014 event).

The slides of the ACSAC talk can be found here.

have a great weekend everybody


, | Post your comment here.

Older posts >>


Mail | Twitter | Imprint

©2010-2013 ERNW GmbH
To top