TAG | conferences
Matthias and I currently have the pleasure to be at ACSAC, in New Orleans.
From my perspective, at ACSAC the usual conference visit side-effect of personal interaction with peers plays an even larger role than at many other events. In fact we met a number of people we hadn’t seen for quite some time and I could even clear a long unresolved debt (Hi Pastor! and thanks for those International Journal of PoC issues).
Nancy Leveson from MIT delivered a great keynote on “Applying Systems Thinking to Security and Safety”, mainly discussing how an approach she calls “System theoretic process analysis” (STPA) can be used for identifying hazard scenarios in complex systems, and laying out how the same methods can be used both for safety and security. Really inspiring stuff while at the same time highly relevant, in the age of the Internet of Things.
My personal highlight was the afternoon session on “30 Years Later: The Legacy of the Trusted Computer Systems Evaluation Criteria”. Having been exposed to Common Criteria here+there and having done some stuff in the MLS world many years ago I learned a lot from the three views & memories provided (btw: did you note that Perl was initially developed in the course of the BLACKER program? I didn’t).
We ourselves also had a little contribution today, with a short talk on “Designing State-of-the-Art Business Partner Connections” which goes back to a project described in this blog post. The slides can be found here.
Looking forward to tomorrow,
have a good one everybody
Last week Florian and I participated in this year’s DeepSec in Vienna. We had a really good time, thanks again to the DeepSec staff for a nice conference. Although it might be a bit late, I want to share some impressions about various talks I enjoyed.
Some of us had the pleasure to participate in this year’s Daycon VII, three days of Real Hacking and Relevant Content, in Dayton, OH. The event began on September 16th with the Packetwars bootcamp. We had the chance to teach some really promising young students and to prepare them for the Packetwars battle that was scheduled four days later. The students had to go through topics like Windows security, network security and web application security, both in practice and in theory.
Just recently on the NANOG mailing list a discussion popped up titled “SNMP DDoS: the vulnerability you might not know you have“.
There’s a couple of points here:
Yesterday I was giving two presentations about Cloud security at the BASTA! Spring 2013 Security Day. While my presentations covered Microsoft Azure security considerations (which also included a part of the Cloud security approach covered in our workshops; slides available here) and some major Cloud incidents (suitable to transport different messages about Cloud security in general; slides available here), I also saw Dominick’s very interesting presentation about security aspects and changes in Windows 8. Inspired by that, we hope to be able to publish another blogpost on those aspects with regard to enterprise environments soon — most likely we won’t find any time for it before TROOPERS.
Have a good one,
Two weeks ago we had a great time at Day-Con VI. Enno, Matthias, Rene, Frank and I traveled to Dayton, OH to give workshops and presentations. We started a tough week full of workshops on Tuesday where Rene gave a deep inside look into the world of security on current mobile platforms. Matthias discussed security problems and possible design patterns of cloud environments in his Cloud & Virtualization Security Workshop before he gave a first insight into the world of reverse engineering on Wednesday. Frank and I taught the basics of hacking and pentesting in the PacketWars bootcamp (comparable to the one at TROOPERS), preparing the participants for the PacketWars on Saturday. Obviously we were not the only ones having a great time.
During the main conference day on Friday several talks about trust, gaining trust and measuring trustworthiness took place. As one could write books about the whole trust issue, Dr. Piotr Cofta did exactly this and hence was a perfect choice for the inspiring keynote on basic approaches to measure trust. As we also gave several talks throughout the day, you can find our material both on the Day-Con website and in our newsfeed.
We enjoyed our time in Dayton & see you there next year,
As every year, we will be attending Day-Con, a one-day security summit in Dayton, OH — this year for its VIth edition. Even though the actual conference comprises “only” one day full of talks and discussions (please find the agenda here), the overall event consists of trainings before the conference and PacketWars battles (including an infamous party) afterwards. Since we will be leading and attending some of the training sessions, those might be of particular interest for people who missed our Troopers workshops — so you don’t have to wait a whole year but get another chance in October.
- October 12th: Conference (Agenda)
- October 13th: PacketWars (including the infamous party)
See you there & have a good one,
We’re delighted to provide the first announcement of talks of next year’s Troopers edition. Looks like it’s going to be a great event again.
Here we go:
Andreas Wiegenstein: Real SAP Backdoors
Abstract: In the past year the number of lecture sessions with traumatizing headlines about hacking SAP systems has dramatically risen. Their content, however, is usually the same. Insecure implementations of algorithms, side effects in commands, flawed business logic and designs that brilliantly miss the point of security. In essence, security defects built into the SAP framework by mistake.
This session, however, demonstrates several security defects in SAP NetWeaver that do not appear to have been created by mistake. In order to make a point, I will first discuss with the audience what exactly defines a backdoor. Then I will demonstrate several zero day security defects discovered by me & my team and finally discuss with the audience if these defects qualify as backdoors. All security defects shown are highly critical and have never been publicly discussed before. They enable attackers to remotely execute arbitrary ABAP commands and arbitrary OS commands. In essence, full control over SAP NetWeaver Application Server ABAP.
Bio: Andreas Wiegenstein has been working as a professional SAP security consultant for 9 years. He performed countless SAP code audits and has been researching security defects specific to SAP / ABAP applications. He leads the CodeProfiler Research Labs at Virtual Forge, a team focusing on SAP/ABAP specific vulnerabilities and countermeasures. At the CodeProfiler Labs, he works on ABAP security guidelines, ABAP security trainings, an ABAP security scanner as well as white papers and publications.
Andreas has trained large companies and defense organizations on ABAP security and has spoken at SAP TechEd on several occasions as well as at security conferences such as BlackHat, HITB, Troopers and RSA. He is co-author of the first book on ABAP security (SAP Press 2009). He is also a founding member of BIZEC.org, the Business Security community.
Mike Ossmann: Welcome to Bluetooth Smart
Abstract: Bluetooth Smart, formerly known as Bluetooth Low Energy, is an entirely new wireless protocol that is not backward compatible with “classic” Bluetooth. With consumer devices emerging in early 2012, this is the perfect time to review Bluetooth Smart and how it works. Packet captures from actual devices will be dissected, and particular attention will be given to the new security procedures specified for Bluetooth Smart. Depending on what devices are commercially available by the time of the conference, I may or may not have a live demo prepared with actual consumer devices. At the very least, I will be able to do a demo using development boards as targets.
Bio: Michael Ossmann is a wireless security researcher who makes hardware for hackers. He founded Great Scott Gadgets in an effort to put exciting, new tools into the hands of innovative people.
Previous work includes:
- ShmooCon 2011: Project Ubertooth: Building a Better Bluetooth Adapter
- ToorCon 2010: Real Men Carry Pink Pagers (with Travis Goodspeed)
- ShmooCon 2010: Bluetooth Keyboards: Who Owns Your Keystrokes?
- ShmooCon 2009: Building an All-Channel Bluetooth Monitor (with Dominic Spill)
- Black Hat USA 2008: Software Radio and the Future of Wireless Security
Daniel Mende & Enno Rey: Protecting Voice-over-IP in 2012
Abstract: We’ve recently conducted a number of pentests in (mostly large) VoIP environments. While the fraction of “traditional VoIP attacks” (re-direct/sniff VoIP traffic, reconstruct VoIP calls) has decreased over time, we’ve been able to severely compromise pretty much every environment due to implementation flaws on the infrastructure or “supporting systems” level. Based on a number of war stories, in this talk we will lay out what went wrong in the respective cases and how to protect from the (types of) attacks we performed. Some demos will add spice to the talk. Furthermore a number of previously undisclosed severe vulnerabilities in the crypto architecture of a major vendor’s VoIP solution will be presented.
Bios: Daniel and Enno are long time network geeks who love to explore network devices & protocols and to break flawed ones.
Graeme Neilson: DISCQO: “Discourse on Implications for Security and Cryptography from Quantum Oddness”
Abstract: Quantum computing is a fascinating, emerging technology with a potentially huge impact on security. This talk introduces the principles of quantum computing and the current state of the art. This is followed by a discussion on the uses of quantum based computer systems within security, the potential implications for cryptography, now and in the future, and the possibility of hacking current quantum based cryptography systems.
- What is quantum computing?
- What is quantum key exchange?
- Can quantum key exchange be hacked?
- Will a quantum computer be able to decrypt all my encrypted data?
- Do I need a quantum computer?
- Do quantum computers even exist?
- What are the implications of quantum computing on my current cryptography?
Bio: Graeme Neilson is NOT a quantum physicist or any other kind of physicist…not in this universe anyway…
Still, he does think it’s probable that he can help illuminate the subject of quantum computing for other non-physicists in IT. With over 14 years of experience in IT security Graeme currently works as a security researcher / consultant for Aura Information Security with specialisations in cryptography, reverse engineering and networking. Based out of New Zealand he is a regular speaker at international conferences including Blackhat, H2HC, CanSecWest, DayCon and Troopers.
Pete Herzog: Securing Robot Mosquitoes with Laser Beams for Eyes in the Enterprise
Abstract: One day employees start bringing robot mosquitoes into the office. They have robot mosquitoes at home and they’re just so damn useful for checking mail, making appointments, singing naptime songs, and spying over the neighbor’s fence. So why wouldn’t they? Your security policy doesn’t expressly forbid robot mosquitoes with laser beams for eyes or anything like it so here they are: riding the internal WiFi, carrying who knows what diseases and parasites from public, cyber ponds, melting the plastic plants, boiling the water cooler, and causing all sorts of other disruptions. Before you can ban them though you see that the CEO starts to bring his robot mosquito with laser beams for eyes in too. And he wants you not only to support it but to make sure it doesn’t get hacked. Sounds familiar, right?
There will always be new technologies. Many of those new technologies pose new risks, perhaps even risks we hadn’t considered as risky to us before. So someone has to secure those new technologies. But how do we secure something we know so little about? Well, there’s a methodology for that. This talk will cover how to test new technologies, how to create the right policy for them, and how to control them, including robot mosquitoes with laser beams for eyes.
Bio: Pete Herzog is the Managing Director of the security research organization ISECOM and the creator of the OSSTMM.
Chema Alonso: Excel (and Office apps) Kills the Citrix (or Terminal Services) Star
Abstract: Microsoft Office (and Excel) are common applications in big companies and in a large number of cases they are published through Terminal Services or Citrix. However, securing that environment against malicious users is very complicated. In this talk you’ll see a lot of demos hacking Citrix and Terminal Services using Excel… and maybe you’ll be scared after having seen this session.
Bio: Chema Alonso is a Security Consultant with Informatica64, a Madrid-based security firm. Chema holds respective Computer Science and System Engineering degrees from Rey Juan Carlos University and Universidad Politecnica de Madrid. During his more than six years as a security professional, he has consistently been recognized as a Microsoft Most Valuable Professional (MVP). Chema is a frequent speaker at industry events (Microsoft Technet / Security Tour, AseguraIT) and has been invited to present at information security conferences worldwide including BlackHat Briefings, Defcon, ShmooCon, HackCON, Ekoparty and RootedCon. He is a frequent contributor on several technical magazines in Spain, where he is involved with state-of-the-art attack and defense mechanisms, web security, general ethical hacking techniques and FOCA, the meta-data extraction tool which he co-authors.
Rene Graf & Enno Rey: BYOD – Does it work?
Abstract: In many organizations “Bring Your Own Device” (BYOD) approaches are either subject to intensive discussion or are already practiced (with or without “proper governance”). Usually two security controls are of particular interest in BYOD scenarios, that are container solutions and acceptable use policies (AUPs).
The speakers have contributed to BYOD “implementations” in several environments and – based on actual case studies – are going to discuss three main aspects in their talk:
- What’s the role of the supply chain of a device, in BYOD settings? Is it possible to securely process – e.g. by means of a container solution – sensitive data on a device that was acquired on ebay or that the VIP using it received “as a present during an industry fair in an emerging market country”?
- What level of security is actually provided by container solutions? Do they sufficiently secure data (incl. temporary data) and which user behavior might be required for this?
- When are good AUPs needed and which elements should be included in those?
The goal of the talk is to enable the audience to realistically assess the security approaches and risks in BYOD scenarios.
Bios: Rene Graf leads the “Mobile Security” team at ERNW and has performed a number of BYOD projects including pentests of container solutions and forensic analyses of devices used by CxOs. Enno Rey leads the “Risk and Security Management” team at ERNW and has undertaken the risk assessments in several BYOD projects and written the accompanying AUPs.
More talks to follow next week, so stay tuned
See you @Troopers, have a great Sunday everybody
We’re delighted to announce the first speakers of next year’s Troopers edition. Looks like it’s going to be a great event again.
Here we go:
Ravishankar Borgaonkar & Kevin Redon: Femtocell: Femtostep to the Holy Grail (Attacks & Research Track)
Abstract: Femtocells are now being rolled out across the world to enhance third generation (3G) coverage and to provide assurance of always best connectivity in the 3G telecommunication networks. A femtocell acts as an access point that securely connects standard mobile handsets to the mobile network operator’s core network using an existing wired broadband connection.
In this talk, we will evaluate security mechanisms used in femtocells and discuss practical & potential misuse scenarios of the same. In particular, our talk will cover:
- Femtocell and Telecom business model
- Security architecture of the femtocell
- Location verification techniques and how to beat them for free roaming calls
- Hacking of the device
  - accessing confidential information stored on the device
  - installing malicious applications on the device
  - accessing mobile network operator’s infrastructural elements
- Possible countermeasures
Bios: Ravi received his joint master’s degree in Security and mobile computing from Royal Institute of Technology (KTH) and from Helsinki University of Technology (TKK). After finishing his master’s degree, he works as a researcher in the Security in Telecommunications department at Deutsche Telekom Laboratories (T-labs) and is pursuing his PhD studies. His research themes are related to data security challenges in new telecommunication technologies. His research interests include wireless networking security (in particular, security in 2G/3G networks), M2M security, and malware & botnet analysis.
Kevin received a Bachelor of Computing from Napier University Edinburgh, Scotland. He is now finishing his Master’s degree in Computing with specialization in Communication Systems at the Technical University of Berlin. This is also where he joined the Security in Telecommunication work group in cooperation with the Deutsche Telekom Laboratories (T-labs). His research interests include network security, in particular telecommunication networks such as GSM/UMTS, peer to peer networks, and smart cards.
Mariano Nuñez Di Croce: Your crown jewels online – Attacks to SAP Web Applications (Defense & Management Track)
Abstract: “SAP platforms are only accessible internally”. You may have heard that several times. While that was true in many organizations more than a decade ago, the current situation is completely different: driven by modern business requirements, SAP systems are getting more and more connected to the Internet. This scenario drastically increases the universe of possible attackers, as remote malicious parties can try to compromise the organization’s SAP platform in order to perform espionage, sabotage and fraud attacks.
SAP provides different Web interfaces, such as the Enterprise Portal, the Internet Communication Manager (ICM) and the Internet Transaction Server (ITS). These components feature their own security models and technical infrastructures, which may be prone to specific security vulnerabilities. If exploited, your business crown jewels can end up in the hands of cyber criminals.
Through many live demos, this talk will explain how remote attackers may compromise the security of different SAP Web components and what you can do to avoid it. In particular, an authentication-bypass vulnerability affecting “hardened” SAP Enterprise Portal implementations will be detailed.
Bio: Mariano Nuñez Di Croce is the Director of Research and Development at Onapsis. Mariano has long experience as a Senior Security Consultant, mainly involved in security assessments and vulnerability research. He has discovered critical vulnerabilities in SAP, Microsoft, Oracle and IBM applications.
Mariano leads the SAP Security Team at Onapsis, where he works hardening and assessing the security of critical SAP implementations in world-wide organizations. He is the author and developer of the first open-source SAP & ERP Penetration Testing Frameworks and has discovered more than 50 vulnerabilities in SAP applications. Mariano is also the lead author of the “SAP Security In-Depth” publication and founding member of BIZEC, the Business Security community.
Mariano has been invited to hold presentations and trainings in many international security conferences such as BlackHat USA/EU, HITB Dubai/EU, DeepSec, Sec-T, Hack.lu, Ekoparty and Seacure.it as well as to host private trainings for Fortune-100 companies and defense contractors. He has also been interviewed and quoted in mainstream media such as Reuters, IDG, NY Times, PCWorld and others.
Friedwart Kuhn & Michael Thumann: Integration of the New German ID Card (nPA) in Enterprise Environments – Prospects, Costs & Threats (Defense & Management Track)
Abstract: The talk will cover the new nPA and related software like the AusweisApp with a special focus on possible use cases in the enterprise (“have the government run your corporate PKI”). Besides outlining prerequisites for an integration of the nPA within an organization, it will also answer questions about legal aspects that have to be considered and threats and risks that must be controlled and mitigated. Furthermore we will give a short overview about our own security research of the AusweisApp.
Bios: Friedwart Kuhn is a senior security consultant, head of the ERNW PKI team and co-owner of ERNW. He is a frequent speaker at conferences and has published a number of whitepapers and articles. Besides the daily consulting and assessment work, Windows enterprise security and aspects of technical and organizational PKI related topics are areas of special interest for him. In his (sparse) free time Friedwart likes to play music and loves literature.
Michael Thumann is Chief Security Officer and head of the ERNW “Research” and “Pen-Test” teams. He has published security advisories regarding topics like ‘Cracking IKE Preshared Keys’ and buffer overflows in web servers/VPN software/VoIP software. Michael enjoys sharing his self-written security tools (e.g. ‘tomas—a Cisco Password Cracker’, ‘ikeprobe—IKE PSK Vulnerability Scanner’ or ‘dnsdigger—a dns information gathering tool’) and his experience with the community. Next to numerous articles and papers he wrote the first German Pen-Test Book that has become a recommended reading at German universities. In addition to his daily pentesting tasks he is a regular conference speaker and has also contributed exploit code to the Metasploit Framework. With more than 10 years of experience in computer security Michael’s main interest is to uncover vulnerabilities and security design flaws from the network to the application level.
Chema Alonso: I FOCA a .mil domain (Attacks & Research Track)
Abstract: FOCA is a tool to help you in the fingerprinting phase of pentesting work. This tool helps you to find lost data, hidden information in public documents, fingerprinting servers, workstations, etc.
This talk will provide an extensive demo as a good example of the results which can be obtained using FOCA. The target domain? You’ll see in Troopers…
Bio: Chema is a Computer Engineer from the Rey Juan Carlos University and a System Engineer from the Politecnica University of Madrid. He has been working as a security consultant for the last ten years and has been a Microsoft Most Valuable Professional since 2005. He is a frequent speaker at security conferences and is currently working on his PhD thesis about Blind Techniques.
Graeme Neilson: Tales from the Crypt0 (Defense & Management Track)
Abstract: Does the thought of SSL, HTTPS and S/MIME make you squeamish? Does PKI make you want to scream? Does encrypting data at rest make you want to bury yourself alive?
Cryptography is an important part of most web applications these days, and developers and admins need to understand how, why and when to employ the best and appropriate techniques to secure their servers, applications, data and the livelihoods of their users. Join Graeme Neilson (Aura Software Security) for a series of scary stories of real-world crypto failures and to learn how to do it the right way (with lots of code samples).
Bio: Graeme Neilson is lead security researcher at Aura Software Security based in Wellington, New Zealand. Originally from Scotland he has 10 years of security experience. Graeme specialises in secure networks, network infrastructure, reverse engineering and cryptanalysis. Graeme is a regular presenter at international security conferences and has spoken at conferences in Australia, Europe and the US including Black Hat.
More talks to follow soon. See you in Heidelberg next year,