TAG | TROOPERS
We’re delighted to provide the first announcement of talks of next year’s Troopers edition. Looks like it’s going to be a great event again
Here we go:
Toby Kohlenberg: Granular Trust – Making it Work
Over the last 5 years the concept of using dynamic or granular trust models to control access to systems, networks and applications has become well known and is now seeing partial adoption in many places. The challenge is how granular and dynamic can you get and the question is whether it is worth it. As the architect of Intel’s trust model Toby can speak to the entire journey from initial idea through current implementation and the likely road ahead. This talk will include the good, bad and ugly parts of designing a trust model and then implementing it in a Fortune 50 company’s production environment. You will learn from his mistakes so you can make different ones.
Bio: Toby is a senior information security technologist with Intel corporation. He focuses on securing new and emerging technologies and threats. He has been doing this for a long time.
Florian Grunow: How to Own your Heart – Hacking Medical Devices
In the last few years we have seen an increase of high tech medical devices, including all flavors of communication capabilities. The need of hospitals and patients to transfer data from devices to a central health information system makes the use of a wide range of communication protocols absolutely essential. This results in an increasing complexity of these devices which also increases the attack surface of the equipment. Vendors of medical devices put a lot of effort into safety. This is especially true for devices with feedback to the patient, e.g. medical pumps, diagnostic systems and anesthesia machines.
However, it is often forgotten that the security of these devices is a crucial part in also providing safety. An attacker who is able to gain unauthorized access to these devices may be able to endanger the health of patients.
We decided to take a look at a few devices that are deployed in many major hospitals and probably in hospitals around the world. We focus on the security of these devices and the impact on the patient’s safety. The results will be presented in this talk.
Bio: Florian Grunow holds a Bachelor’s degree in Medical Computer Sciences and a Master’s degree in Software Engineering. He used to work in hospitals and got an inside view on how the daily work of healthcare professionals dealing with IT looks like. He now works as a Security Analyst at ERNW in Heidelberg, Germany, with a focus on application security.
Alexander Polyakov & Dimitry Chastuhin: Injecting Evil Code in your SAP J2EE systems – Security of SAP Software Deployment Server
Why break critical systems themselves when we can attack Deployment Server: the core from which all J2EE code spreads into other systems? The core is called SAP Software Deployment Server and consists of many subsystems like SDM, DTR, CMS. They have their own SVN-like subsystem and Build service.
“By offering a single point of entry for all Java development tools and an integration point for all SAP infrastructure components, the SAP NWDS supports you in developing Web Dynpro and J2EE applications. Application developers do not need to switch between different development environments and can develop, build, deploy, and execute applications centrally from the Developer Studio.”
Isn’t it a perfect victim for an attack? Who cares about the security of Deployment Server? That’s why it is full of issues and it is possible to deploy your own code anonymously without having any access to NWDS using architecture flaws. In the end, your evil code will spread to any system you want, giving you the ability to control every business system.
Come and see how we did it in practice and how to prevent the described attacks.
Alexander Polyakov – CTO at ERPScan
Father of ERPScan Security Monitoring Suite for SAP. His expertise covers the security of critical enterprise software like ERP, CRM, SRM, banking and processing software. Manager of EAS-SEC. Well-known expert on the security of enterprise applications, such as SAP and Oracle. Published a significant number of vulnerabilities, frequently receives acknowledgements from SAP. Author of multiple whitepapers and surveys devoted to SAP security research, for example, the award-winning “SAP Security in Figures”. Invited to speak and train at BlackHat, RSA, HITB, and 35 more international conferences around the globe as well as internal workshops for SAP AG and Fortune 500 companies.
Dimitry Chastuhin — Head of Penetration Testing Department at ERPScan
Dimitry Chastuhin works upon SAP security, particularly upon Web applications and JAVA systems. He has official acknowledgements from SAP for the vulnerabilities found. Dmitriy is also a WEB 2.0 and social network security geek who found several critical bugs in Google, Adobe, Vkontakte, Yandex.ru. He was a speaker at BlackHat, HITB, ZeroNights, Brucon.
Ivan Pepelnjak: Security and SDN – A perfect fit or oil-and-water?
Software-defined networks have quickly become one of the most overhyped networking concepts, with vendors promising earth-shattering results … and handwaving over scalability, reliability and security issues.
The presentation will briefly introduce the concepts of SDN and OpenFlow (the tool used to build controller-based networks that require low-level network device control), the security aspects of programmable- and controller-based networks and the potential SDN- and OpenFlow-based security use cases, from scale-out IDS clusters to first-hop network security and user authentication/authorization solutions.
Bio: Ivan Pepelnjak, CCIE#1354 Emeritus, is the chief technology advisor at NIL Data Communications. He has been designing and implementing large-scale service provider and enterprise networks as well as teaching and writing books about advanced technologies since 1990. He’s author of several Cisco Press books , prolific blogger and writer, occasional consultant, and author of a series of highly successful webinars.
Sebastian Schrittwieser & Peter Frühwirt: Security Through Obscurity, Powered by HTTPS
Applications on modern smartphone operating systems are protected against analysis and modification through a wide range of security measures such as code signing, encryption, and sandboxing. However, for network-enabled applications effective attack vectors can be found in their communication protocols. Most applications developers hide the implementation details of their protocols inside an HTTPS connection. While HTTPS is able to protect data leakage during transmission, it is an inadequate protection against protocol analysis. The concept of SSL interception applied to smartphone applications allows analysis and modification of transport protocols with endless possibilities: getting paid extras for free, cheating in games, finding design flaws in protocols, etc. In this talk, we demonstrate, based on several live demos, how application developers sometimes try to protect insecure protocols by wrapping them inside an HTTPS connection and show that known countermeasures are rarely used in practice.
Sebastian Schrittwieser is a lecturer and researcher at the University of Applied Sciences St. Pölten, Austria and PhD candidate at the Vienna University of Technology. His research interests include, among others, digital forensics, software protection, code obfuscation, and mobile security. Sebastian received a Dipl.-Ing. (equivalent to MSc) degree in Business Informatics with focus on IT security from the Vienna University of Technology in 2010.
Peter Frühwirt is a researcher at SBA Research, the Austrian non-profit research institute for IT-Security and lecturer at the Vienna University of Technology. Peter received a Dipl. Ing. (equivalent to MSc) degree in Software Engineering and Internet Computing in 2013. His research interests include mobile security and database forensics.
More talks to follow soon, so stay tuned
See you @Troopers & have a great weekend everybody
This is a guest post from Antonios Atlasis.
Having just finished the second “Advanced Attack Techniques against IPv6 Networks” workshop (some of the course material can be found here), organised and hosted by ERNW and their partner HM Training Solutions, I would like to take this opportunity to release publicly one of my scripting tools, an IPv6 scanner. This tool is based on Scapy (so you have to install Scapy and its prerequisites before using it). It should not be considered as a replacement or a competitor of nmap against IPv6 or of the scanners incorporated into the great IPv6 toolkits already released by Marc Heuse and Fernando Gont, but, instead, as a tool released mainly for educational purposes. Specifically, this scanner, apart from supporting some of the most well known port scanning techniques, from ping scanning to SYN, RESET, ACK, XMAS, etc., etc., TCP or UDP scanning, it also combines, by using the suitable switches, some IDS/IPS evasion techniques. As I have found out up to now, at least two of them, if used “properly”, can be effective against a very popular IDS/IPS software used by many “Fortune 100” companies out there. This means that you can launch actually any type of the supported network-scanning techniques while flying under the radar of this specific IDS software (and perhaps some other too, who knows…). But first of all, as always please check the corresponding README file.
Have fun (and learn something ) watching, cu next year
Due to “popular demand” and given Marc couldn’t join us at the IPv6 Security Summit (as flights into FRA were canceled that day due to snow) we decided to invite him and Antonios Atlasis another time, to present their knowledge, skills & voodoo in two workshops held in Heidelberg, in late June. More details can be found here.
See you all potentially at the Heise IPv6 Kongress, take care
0 Comments | Posted by Enno Rey
if you’re following this blog regularly or if you’ve ever attended an ERNW-led workshop which included an “architecture section” you will certainly remember the “Seven Sisters of Infrastructure Security” stuff (used for example in this post). These are a number of (well, more precisely, it’s seven ) fundamental security principles which can be applied to any complex infrastructure, be that a network, a building, an airport or the like.
As part of our upcoming Black Hat and Troopers talks we will apply those principles to some VoIP networks we (security-) assessed and, given we won’t cover them in detail there, it might be helpful to perform a quick refresher of them, together with an initial application to VoIP deployments. Here we go; these are the “Seven Sisters of Infrastructure Security”:
- Access Control
- Entity Protection
- Secure Management
Now, let me discuss them in a bit more detail and put them into a VoIP context.
Access Control (“try to keep the threats out of the environment containing the assets to be protected”)
This should pretty much always be an early consideration as limiting access to “some complex infrastructure” obviously provides a first layer of defense and does so in a preventative way. Usually authentication plays a major role here. Please note that in computer networks the access control principle does not only encompass “access to the network [link]” (where unfortunately the most prevalent technology – Ethernet – does not include easy-to-use access control mechanisms. And, yes, I’m aware of 802.1X…) but can be applied to any kind of (“sub-level”) communication environment or exchange. Taking a “passive-interface” approach for routing protocols is a nice example here as this usually serves to prevent untrusted entities (“the access layer”) from participating in some critical protocol [exchange] at all.
In a VoIP scenario limiting who can participate in the various layers and communication exchanges, be it by authentication, be it by configuration of static communication peers for certain exchanges (yes, we know this might not scale and usually has a bad operational feasibility) would be an implementation of the access control principle.
Isolation (“separate some elements of the environment from others, based on attributes like protection need, threat potential or trust/worthiness”)
In computer networks this one is usually implemented by network segmentation (with different technologies like VLANs or VRFs and many others) and it’s still one of the most important infrastructure security principles. I mean, can you imagine an airport or corporate headquarters without areas of differing protection needs, different threat exposure or separate layers and means of access? [You can’t? So why do you think about virtualizing all your corporate computer systems on one big unified “corporate cloud”? ]
Again, it should be noted that “traditional network segmentation” is only one variant. Using RFC 1918 (or ULA, for that matter) addresses in some parts of your network without NATing them at some point, or refraining from route distribution at some demarcation point constitute other examples.
In the VoIP world the main realization of the isolation principle is the commonly found approach of “voice vs. data VLAN[s]”.
Restriction (“once [as of the above principle] isolated parts get connected try to limit the interaction between those parts at the intersection point”)
This is the one most people think of when it comes to network security as this is what the most widely deployed network security control, that is firewalls, is supposed to do.
Two points should be noted here, from our perspective:
In some network security architecture documents phrases going like “the different segments are [to be] separated by firewalls” can be found. Which, well, is a misconception: usually a firewall connects networks (which would be isolated otherwise), it does not separate them. It may (try to) limit the traffic passing the intersection point but it still is a connection element.
And it should be noted that the restriction it applies (by filtering traffic) always has an operational price tag. Which is the one of the reasons why firewalls nowadays tend to fail so miserably when it comes to their actual security benefit…
Still it should be noted – again – that it has an operational price tag (key management and the like). Which – again – is the very reason why it sometimes fails so miserably when it comes to providing actual security…
This encompasses all measures intended to increase the security of individual elements. It’s not limited to simple hardening though, but includes all other “security [posture] quality assurance” things like pentesting or code reviews (when the element looked at is an application).
Adding a comment again I’d like to state that, in times of virtualization and vaporizing security layers (deploying shiny apps pretty much directly connecting customers to your ERP systems, by means of fancy webservices) this one might become more and more important. In the past many security architectures relied on layers of isolation & restriction and thereby skipped the hardening/quality assurance step (“we don’t have to harden this Solaris box as there’s a firewall in front of it”). As the talks’ case studies will show this one is a fundamental (and overlooked) one in many VoIP deployments.
Secure management usually can be broken down to:
- Restrict the endpoints allowed to establish management connections.
- Either use a trusted environment (network link) or use secure variants of mgmt. protocols instead of their less secure counterparts (SSH vs. Telnet, HTTPS vs. HTTP, SNMPv3 vs. community-based SNMP and the like).
- Require sufficient authentication (as for methods, authenticator [e.g. password] quality, personalized accounts etc.).
- Logging of security related events and potentially all management actions performed.
While this is (should be) an obvious security principle, daily assessment experience shows that failures/weaknesses in this space account for the majority of critical vulnerabilities when it comes to infrastructure security. This applies in particular to VoIP implementations (see the case studies for examples).
This is where logging (+ analysis), monitoring etc. come into play. We’d like to note that while this is a valid infrastructure security principle, its actual security benefit is often overestimated given the “detection/reaction” nature of this principle and its subsequent bad operational feasibility.
As the above application to VoIP shows, these fundamental security principles allow for tackling any type of “securing assets within a complex overall setting” by going through a simple (checklist-type) set of questions derived from them. These questions could look like
- Can we limit who’s taking part in some network, protocol, technology, communication act?
- Any need to isolate stuff due to different protection need, (threat) exposure or trust(worthiness)?
- What can be done, filtering-wise, on intersection points?
- Where to apply encryption in an operationally reasonable way?
- What about the security of the overall system’s main elements?
- How to manage the infrastructure elements in a secure way?
- How to provide visibility as for security-related stuff, with reasonable effort?
 As it requires the usually most scarce resource of an organization, that is humans and their brains. The part that can not be easily substituted by technology…
 In general preventative controls have a better cost/benefit ratio than detective or reactive ones. And this is still true in the “you’ll get owned anyway that’s why you should spend lots of resources on detective/reactive controls” marketing hype age…
 To provide another example from the routing protocol space: the “inter-operator trust and TCP-” based nature of BGP (as opposed to the “multicast and UDP-“based nature of other routing protocols) certainly is one of the most fundamental stability contributing properties of the current Internet.
We’re quite happy and looking forward to the event
Rodrigo Branco: Into the Darkness – Dissecting Targeted Attacks
The current threat landscape around cyber attacks is complex and hard to understand even for IT pros. The media coverage on recent events increases the challenge by putting fundamentally different attacks into the same category, often labeled as advanced persistent threats (APTs). The resulting mix of attacks includes everything from broadly used, exploit-kit driven campaigns driven by cyber criminals, to targeted attacks that use 0-day vulnerabilities and are hard to fend off – blurring the threat landscape, causing confusion where clarity is most needed.
This presentation analyzes a specific incident, last March’s RSA breach, explaining the techniques used by the attackers and detailing the vulnerability used to gain access to the network. It further explores the possible mitigation techniques available in current software on the OS and application level to prevent such attacks from reoccurring.
Bio: Rodrigo Rubira Branco (BSDaemon) is the Director of Vulnerability & Malware Research at Qualys. In 2011 he was honored as one of the top contributors to Adobe Vulnerabilities in the past 12 months. Previously, as the Chief Security Research at Check Point he founded the Vulnerability Discovery Team (VDT) and released dozens of vulnerabilities in many important software. He is a member of the RISE Security Group and is the organizer of Hackers to Hackers Conference (H2HC), the oldest and biggest security research conference in Latin America.
Carsten Amann: Security can not only Be Managed by Numbers – You Need More
Abstract: From “the management’s perspective” IT security is usually reduced to key performance indicators. Those indicators tend to leave some room for interpretation, especially for top management people. This room for interpretation can lead to decisions which do not only not improve the security level, but might actually decrease it.
The presentation will give an overview how IT security should be “managed by numbers”, to provide transparency and to gain the trust of the top management.
Bio: After his business information systems studies Carsten Amann started his career with a very large consulting company. He was assigned in managerial positions to software implementation projects for different clients. In 2007 he continued his career with a global supplier for technology and services. There he was initially responsible for the global IT security operations (virus protection, encryption, anti-spam etc.). After this assignment he took over the responsibility for the IT-Client topic (operating system, software distribution). Then he took over the responsibility for services within a product area.
Manuel Leithner: Cloud Storage and Its Implications on Security and Privacy
Abstract: With everything moving to the cloud nowadays, security and privacy is often left behind. An ever increasing number of cloud storage operators offer low cost online storage. In this talk we will present our results on the popular service Dropbox, which relied heavily on data deduplication for better user experience. While data deduplication is a straight forward way to decrease costs in terms of bandwidth and storage, it has implications on privacy and security of user data if done wrong – there ain’t no such thing as a free lunch. We will furthermore present methods how data deduplication can work correctly.
Bio: Manuel was introduced to information security while graduating from a technical college and has done research in the areas of mobile security, cloud computing and compile-time obfuscation. He has appeared on national television, podcasts and possibly Chinese security blacklists.
Furthermore, he’s known to use presentations with an average of 0.3 words per slide.
Piotr Cofta: Security professionals – plumbers of trust
Abstract: Trust is a foundation of security, so that it is often overlooked. The presentation analyses trust from the perspective of an information security professional. It discusses what trust is, how it is structured and what can be done about it, beyond the familiarity of trust assessment or trust management. As a result, participants will develop professional insight into trust.
Bio: Dr. Piotr Cofta is managing Security Transformation, having moved from his role as a Chief Researcher, Identity and Trust. Before that, he has been working for many years for Nokia and for Media Lab Europe, concentrating on the relationship between trust, risk, technology and society.
Dr. Cofta is a contributor to several international standards; he publishes and speaks frequently. He is an author of several patents and publications, from areas such as trust management, identity and privacy, digital rights management and electronic commerce. He is a CISSP and a senior member of IEEE. You can contact him at Piotr.Cofta@cofta.net or at http://piotr.cofta.net.
Frank Block & Michael Thumann: Some Notes on Web Application Firewalls or Why You still Get Owned
Abstract: This talk illuminates Web Application Firewalls (WAFs), with particular focus on the negative detection model. It will present methods how they can be fingerprinted and circumvented in order to demonstrate the wrong feeling of security they might create. Furthermore the tool tsakwaf (The Swiss Army Knife for Web Application Firewalls) will be covered, a little script written in perl that includes various code generation functions for circumventing WAFs and a fingerprinting routine to identify supported WAFs.
Of course there will be some nice demos to prove the point and the speakers will also share their experience from daily web application pentest tasks. Finally, as a special gift, an enhanced version of TSAKWAF will be released at Troopers.
Bios: Frank Block is a security consultant working for ERNW GmbH and penetration tester focusing on web application pentests. One of his passions is the analysis of security mechanisms to find ways to circumvent those.
Michael Thumann is the Chief Security Officer and the head of the ERNW’s application security team. He has published security advisories regarding topics like ‘Cracking IKE Preshared Keys’ and buffer overflows in web servers or VPN software. Michael enjoys sharing his self-written security tools (e.g. ‘tomas – a Cisco Password Cracker’, ‘ikeprobe – IKE PSK Vulnerability Scanner’ or ‘dnsdigger – a dns information gathering tool’) and his experience with the community. Besides numerous articles and papers he wrote the first German book on pentesting that has become a recommended reading at German universities.
In addition to his daily pentesting tasks he is a regular conference-speaker (incl. several Black Hat events, HITB and RSA Conference) and has also contributed exploit code to the Metasploit Framework. With more than 10 years of experience in computer security Michaels’ main interest is to uncover vulnerabilities and security design flaws from the network to the application level and to reverse almost everything to understand the inner workings.
Johnny Deutsch: The Social Map
Abstract: In our talk we will discuss about the threats that social networks pose on organizations. We will display case studies from our clients that have encountered unwanted exposure on account of their employees or social network applications. The talk addresses issues, such as using the social network as a bed for corporate intelligence gathering, how do users interact with their co-workers and how can we infer from usage trends on the corporate social network policy.
We will demonstrate a variety of issues that corporations must think of when deciding to go on to the social networks. One of the most relevant usages on these networks is to harvest personal data and perform some data visualization tools, such as “Touch Graph”. This application performs this by mapping your friends, dissecting them into groups and creating a map of the employee’s social connections. The map is a good indicator of “closed groups”, a reference that indicated from where these people connect\relate to the employee. A tool that we manufactured for our cyber-services department can achieve a unique feature that enables intelligence gathering on people that user is directly related to or has social ties with. This tool creates a visualization of social circles that are not directly related to your profile, by gathering information that is open for the pubic on Facebook and displays it as a map of connections. In our talk we will display usage cases of the tool and how it relates to our social policy methodology.
Bio: Johnny Deutsch is a manager in the Advisory Services practice of Ernst & Young LLP. Johnny leads the cyber warfare and crime section at Ernst & Young?s Hacktics Advanced Security Center (HASC) based in Tel Aviv, Israel. This cutting-edge security team is dedicated to conducting attack and penetration assessments for EY clients. In this role Johnny is in charge of developing new methodologies and performs cyber vulnerability assessments for HASC clients. Johnny has over 10 years of experience in the field of IT systems and security specializing in large scale VoIP systems and data networking. Prior to Johnny`s employment at HASC, he was a consultant at the Israeli Ministry of Defense and managed large scale projects in the field of IRM (Information Rights Management) and NAC (Network Access Control) systems. Prior to the MoD, Johnny was employed by an American sub contractor for the American Department of Defense and managed projects in the field of cellular communication and its integration of VoIP based PBXs. Prior to the DoD, Johnny served in the Israeli Defense Force and managed integration projects in the field of enterprise storage systems (Netapp) and enterprise WAN communications. Johnny is an active reserve duty officer in the Israeli army at the rank of Lieutenant.
See you @Troopers, take care
Here we go:
Dmitry Sklyarov – “Secure Password Managers” and “Military-Grade Encryption” on Smartphones: Oh Really?
Abstract: The task of providing privacy and data confidentiality with mobile applications becomes more and more important as the adoption of smartphones and tablets grows. As a result, there are a number of vendors and applications providing solutions to address those needs, such as password managers and file encryption utilities for mobile devices.
In this talk we will analyze several password managers and file encryption applications for Apple iOS platform and demonstrate that they often do not provide any reasonable level of security and that syncing data between desktop and mobile versions of the applications increases the risk of compromise. We will also show that the best way to provide privacy and confidentiality on Apple iOS platform is by adhering to Apple Developer Guidelines and not by reinventing the wheel.
Bio: Dmitry is a Security Researcher at Elcomsoft and a lecturer at Moscow State Technical University. He did a research on the security of eBooks and on the authentication of digital photos. Recent research projects involved mobile phone and smartphone forensics. Dmitry is also a co-developer of the Elcomsoft iOS Forensic Toolkit.
Thomas Stocker: Business Application Security in a Global Enterprise
Abstract: In this talk the business application security process at Allianz SE will be laid out. Information security is an integral part of any IT related project from the very beginning and – supported by a well-defined framework of processes and accompanying documents – this is maintained through the whole project lifecycle. I will give a detailed overview of the process, show the relevant steps and documents and discuss common challenges when dealing with the projects, how to tackle those and lessons learned.
Bio: Thomas works as Information Security Officer for the Holding of Allianz SE. He has initially established and continuously improved the business application security process since he took over the job six years ago. Prior to that he worked as an application developer and architect, so he knows his stuff from the ground up.
Meredith Patterson & Sergey Bratus: Theory of Insecurity
Abstract: Why is the overwhelming majority of networked software still not secure, despite all effort to the contrary? Why is it almost certain to get exploited so long as attackers can craft its inputs? Why is it the case that no amount of effort seems enough to fix software that must speak certain protocols?
The answer to these questions is that for many protocols and services currently in use on the Internet, the problem of recognizing and validating their “good”, expected inputs from bad ones is either not well-posed or is undecidable (i.e., no algorithm can exist to solve it in the general case), which means that their implementations cannot even be comprehensively tested, let alone automatically checked for weaknesses or correctness. The designers’ desire for more functionality has made these protocols effectively unsecurable.
In this talk we’ll draw a direct connection between this ubiquitous insecurity and basic computer science concepts of Turing completeness and theory of languages. We will show how well-meant protocol designs are doomed to their implementations becoming clusters of 0day, and will show where to look for these 0day. We will also discuss simple principles of how to avoid designing such protocols.
Bios: Meredith L. Patterson is a software engineer at Red Lambda. She developed the first language-theoretic defense against SQL injection in 2005 as a PhD student at the University of Iowa, and has continued expanding the technique ever since. She lives in Brussels, Belgium.
Sergey Bratus is a Research Assistant Professor of Computer Science at Dartmouth College. He sees state-of-the-art hacking as a distinct research and engineering discipline that, although not yet recognized as such, harbors deep insights into the nature of computing. He has a Ph.D. in Mathematics from Northeastern University and worked at BBN Technologies on natural language processing research before coming to Dartmouth.
Mariano Nunez Di Croce: SAP (In)security: Latest Attacks and Defenses
Abstract: This presentation details some of the latest attack vectors against SAP systems, explaining some of the techniques malicious parties may use to compromise the systems remotely and then escalate privileges to access sensitive business information.
Join us to see live demonstrations of these attacks, learn about the statistics of dozens of real-world SAP Penetration Tests and identify which are the latest advances in preventing your SAP systems from falling in the wrong hands.
Bio: Mariano Nunez Di Croce is the CEO at Onapsis. Mariano is a renowned researcher in the ERP & SAP Security field, being the first to present on real-world security attacks to SAP platforms. Since then, he has been invited to lecture in some of the most important security conferences in the world, such as BlackHat DC/USA/EU, RSA, SAP, HITB Dubai/EU, Troopers, Ekoparty, HackerHalted, DeepSec, Sec-T, Hack.lu and Seacure.it, as well as in Fortune-100 companies and military organizations.
Mariano has discovered 50+ vulnerabilities in SAP, Microsoft, Oracle and IBM applications. He leads the strategic development of Onapsis X1, has been the developer of the first open-source SAP & ERP Penetration Testing Frameworks and leads the “SAP Security In-Depth” publication. Mariano is also a founding member of BIZEC.org, the Business Security Community. Because of his research work, he has been interviewed and featured in mainstream media such as CNN, Reuters, IDG, New York Times, eWeek, PCWorld, Darkreading and others.
Mario Heiderich: Got your Nose! How to steal your precious data without using scripts
Nikhil Mittal: More fun using Kautilya or Is it a thumb drive? Is it a toy? no it’s a keyboard
Abstract: How many non-traditional methods you use to get into systems? How about having some more fun while getting into the systems and also making profit out of it? Let us increase the awesomeness of our Penetration tests and start using Human Interface Devices such as Teensy in the pwnage trade.
The tool for the trade for this talk will be Kautilya. Kautilya is a toolkit which can be used to perform various pre-exploitation and post-exploitation activities. Kautilya aims on easing the use of attack vectors which traditionally require human intervention but can be automated using Teensy. Kautilya contains some nice customizable payloads which may be used for enumeration, info gathering, disabling countermeasures, keylogging and using Operating System against itself for much more. The talk will be full of live demonstrations.
An updated version of Kautilya will be released at Troopers that includes a number of previously unseen Linux payloads.
Bio: Nikhil Mittal is a hacker, info sec researcher and enthusiast. His area of interest includes penetration testing, attack research, defense strategies and post exploitation research. He has over 3 years experience in Penetration Testing of many Government Organizations of India and other global corporate giants at his current job position.
He specializes in assessing security risks at secure environments which require novel attack vectors and “out of the box” approach. . He is creator of Kautilya, a toolkit to utilize teensy in penetration tests. In his free time, Nikhil likes to scan full IP ranges of countries for specific vulnerabilities, writes some silly Metasploit scripts and does some vulnerability research. He has spoken at Clubhack’10, Hackfest’11, Clubhack’11 and Black Hat Abu Dhabi’11.
More talks to follow next week, so stay tuned
See you @Troopers, take care
We’re delighted to provide the first announcement of talks of next year’s Troopers edition. Looks like it’s going to be a great event again
Here we go:
Andreas Wiegenstein: Real SAP Backdoors
Abstract: In the past year the number of lecture sessions with traumatizing headlines about hacking SAP systems has dramatically risen. Their content, however, is usually the same. Insecure implementations of algorithms, side effects in commands, flawed business logic and designs that brilliantly miss the point of security. In essence, security defects built into the SAP framework by mistake.
This session, however, demonstrates several security defects in SAP NetWeaver that do not appear to have been created by mistake. In order to make a point, I will first discuss with the audience what exactly defines a backdoor. Then I will demonstrate several zero day security defects discovered by me & my team and finally discuss with the audience if these defects qualify as backdoors. All security defects shown are highly critical and have never been publically discussed before. They enable attackers to remotely execute arbitrary ABAP commands and arbitrary OS commands. In essence, full control over SAP NetWeaver Application Server ABAP.
Bio: Andreas Wiegenstein has been working as a professional SAP security consultant for 9 years. He performed countless SAP code audits and has been researching security defects specific to SAP / ABAP applications. He leads the CodeProfiler Research Labs at Virtual Forge, a team focusing on SAP/ABAP specific vulnerabilities and countermeasures. At the CodeProfiler Labs, he works on ABAP security guidelines, ABAP security trainings, an ABAP security scanner as well as white papers and publications.
Andreas has trained large companies and defense organizations on ABAP security and has spoken at SAP TechEd on several occasions as well as at security conferences such as BlackHat, HITB, Troopers and RSA. He is co-author of the first book on ABAP security (SAP Press 2009). He is also a founding member of BIZEC.org, the Business Security community.
Mike Ossmann: Welcome to Bluetooth Smart
Abstract: Bluetooth Smart, formerly known as Bluetooth Low Energy, is an entirely new wireless protocol that is not backward compatible with “classic” Bluetooth. With consumer devices emerging in early 2012, this is the perfect time to review Bluetooth Smart and how it works. Packet captures from actual devices will be dissected, and particular attention will be given to the new security procedures specified for Bluetooth Smart. Depending on what devices are commercially available by the time of the conference, I may or may not have a live demo prepared with actual consumer devices. At the very least, I will be able to do a demo using development boards as targets.
Bio: Michael Ossmann is a wireless security researcher who makes hardware for hackers. He founded Great Scott Gadgets in an effort to put exciting, new tools into the hands of innovative people.
Previous work includes:
ShmooCon 2011: Project Ubertooth: Building a Better Bluetooth Adapter
ToorCon 2010: Real Men Carry Pink Pagers (with Travis Goodspeed)
ShmooCon 2010: Bluetooth Keyboards: Who Owns Your Keystrokes?
ShmooCon 2009: Building an All-Channel Bluetooth Monitor (with Dominic Spill)
Black Hat USA 2008: Software Radio and the Future of Wireless Security
Daniel Mende & Enno Rey: Protecting Voice-over-IP in 2012
Abstract: We’ve recently conducted a number of pentests in (mostly large) VoIP environments. While the fraction of “traditional VoIP attacks” (re-direct/sniff VoIP traffic, reconstruct VoIP calls) has decreased over time, we’ve been able to severely compromise pretty much every environment due to implementation flaws on the infrastructure or “supporting systems” level. Based on a number of warstories, in this talk we will lay out what went wrong in the respective cases and how to protect from the (types of) attacks we performed. Some demos will add spice to the talk. Furthermore a number of previously undisclosed severe vulnerabilities in the crypto architecture of a major vendor’s VoIP solution will be presented.
Bios: Daniel and Enno are long time network geeks who love to explore network devices & protocols and to break flawed ones.
Graeme Neilson: DISCQO: “Discourse on Implications for Security and Cryptography from Quantum Oddness”
Abstract: Quantum computing is a fascinating, emerging technology with a potentially huge impact on security. This talk introduces the principles of quantum computing and the current state of the art. This is followed by a discussion on the uses of quantum based computer systems within security, the potential implications for cryptography, now and in the future, and the possibility of hacking current quantum based cryptography systems.
What is quantum computing?
What is quantum key exchange?
Can quantum key exchange be hacked?
Will a quantum computer be able to decrypt all my encrypted data?
Do I need a quantum computer?
Do quantum computers even exist?
What are the implications of quantum computing on my current cryptography?
Bio: Graeme Neilson is NOT a quantum physicist or any other kind of physicist…not in this universe anyway…
Still, he does think it’s probable that he can help illuminate the subject of quantum computing for other non-physicists in IT. With over 14 years of experience in IT security Graeme currently works as a security researcher / consultant for Aura Information Security with specialisations in cryptography, reverse engineering and networking. Based out of New Zealand he is a regular speaker at international conferences including Blackhat, H2HC, CanSecWest, DayCon and Troopers.
Pete Herzog: Securing Robot Mosquitoes with Laser Beams for Eyes in the Enterprise
Abstract: One day employees start bringing robot mosquitoes into the office. They have robot mosquitoes at home and just they’re so damn useful for checking mail, making appointments, singing naptime songs, and spying over the neighbor’s fence. So why wouldn’t they? Your security policy doesn’t expressly forbid robot mosquitoes with laser beams for eyes or anything like it so here they are: riding the internal WiFi, carrying who knows what diseases and parasites from public, cyber ponds, melting the plastic plants, boiling the water cooler, and causing all sorts of other disruptions. Before you can ban them though you see that the CEO starts to bring his robot mosquito with laser beams for eyes in too. And he wants you not only support it but to make sure it doesn’t get hacked. Sounds familiar, right?
There will always be new technologies. Many of those new technologies pose new risks, perhaps even risks we hadn’t considered as risky to us before. So someone has to secure those new technologies. But how do we secure something we know so little about? Well, there’s a methodology for that. This talk will cover how to test new technologies, how to create the right policy for them, and how to control them, including robot mosquitoes with laser beams for eyes.
Bio: Pete Herzog is the Managing Director of the security research organization ISECOM and the creator of the OSSTMM.
Chema Alonso: Excel (and Office apps) Kills the Citrix (or Terminal Services) Star
Abstract: Microsoft Office (and Excel) are common applications in big companies and in a big amount of cases they are published through Terminal Services or Citrix. However, securing that environment against malicious users is very complicated. In this talk you’ll see a lot of demos hacking Citrix and Terminal Services using Excel… and maybe you’ll be scared after having seen this session.
Bio: Chema Alonso is a Security Consultant with Informatica64, a Madrid-based security firm. Chema holds respective Computer Science and System Engineering degrees from Rey Juan Carlos University and Universidad Politecnica de Madrid. During his more than six years as a security professional, he has consistently been recognized as a Microsoft Most Valuable Professional (MVP). Chema is a frequent speaker at industry events (Microsoft Technet / Security Tour, AseguraIT) and has been invited to present at information security conferences worldwide including BlackHat Briefings, Defcon, ShmooCon, HackCON, Ekoparty and RootedCon. He is a frequent contributor on several technical magazines in Spain, where he is involved with state-of-the-art attack and defense mechanisms, web security, general ethical hacking techniques and FOCA, the meta-data extraction tool which he co-authors.
Rene Graf & Enno Rey: BYOD – Does it work?
Abstract: In many organizations “Bring Your Own Device” (BYOD) approaches are either subject to intensive discussion or are already practiced (with or without “proper governance”). Usually two security controls are of particular interest in BYOD scenarios, that are container solutions and acceptable use policies (AUPs).
The speakers have contributed to BYOD “implementations” in several environments and – based on actual case studies – are going to discuss three main aspects in their talk:
- What’s the role of the supply chain of a device, in BYOD settings? Is it possible to securely process – e.g. by means of a container solution – sensitive data on a device that was acquired on ebay or that the VIP using it received “as a present during an industry fair in an emerging market country”?
- What level of security is actually provided by container solutions? Do they sufficiently secure data (incl. temporary data) and which user behavior might be required for this?
- When are good AUPs needed and which elements should be included in those?
The goal of the talk is to enable the audience to realistically assess the security approaches and risks in BYOD scenarios.
Bios: Rene Graf leads the “Mobile Security” team at ERNW and has performed a number of BYOD projects including pentests of container solutions and forensic analyses of devices used by CxOs. Enno Rey leads the “Risk and Security Management” team at ERNW and has undertaken the risk assessments in several BYOD projects and written the accompanying AUPs.
More talks to follow next week, so stay tuned
See you @Troopers, have a great sunday everybody
On last year’s TROOPERS11, Matthias (mluft) and I gave a talk on Multifunction Devices. Hardly surprising: It was related to the state of secure operation of MFDs. It was heavily motivated by experiences we collected out in the wild. We faced a frightening low level of awareness concerning the role of MFDs for the overall security picture – in particular regarding the processing of sensitive data…
However, instead of only showing and proving well-known weaknesses and vulnerabilities, we decided to adapt ERNW’s Seven Sisters model in order to match the needs of secure MFD operation and to develop some kind of guideline. As Matthias already lost some words on this, I’m not gonna waste your valuable time by repeating, what has already been said. However I described our approach and our thoughts on that topic in a recently published ERNW Newsletter. If for what ever reason you didn’t see our talk or even didn’t attend TROOPERS11 at all, have a look on Newsletter 37 and give us feedback on what you think about the whole topic…
- ERNW_Newsletter_37_Security_Reflections_on_MFDs_en.pdf (491KB)
- ERNW_Newsletter_37_Security_Reflections_on_MFDs_en_signed.pdf (562KB)
Btw: Enno just wrote some lines about what’s so special about the TROOPERS conference. In case you might want to discuss mentioned and related topics at first hand, think about joining TROOPERS12. For our part, we cannot wait to come together at Heidelberg next March.
See you there
Michael alias Micele
Here we go again: TROOPERS12 is scheduled for March 19th – 23rd 2012 in Heidelberg, Germany.
Those who attended TROOPERS before know for what we are up to. For all newcomers I’ll quickly outline what’s going to happen:
TROOPERS is your premium IT security event in Europe. Think of your usual IT educational event without annoying sales pitching and outdated topics. Now add a superb conference location, an elite line-up of international researchers and practitioners as well as an organizing team not dedicated to make a living doing this, but to celebrate our craftsmanship together with like-minded people.
Sounds good? Let’s see what we have planned for you:
Monday & Tuesday
We start with a great selection of workshops. You’ll have a bigger choice than ever before:
One-day workshops on Monday:
- Advanced IPv6 Security
- Android Security
- ISECOM Workshop (to be announced shortly)
One-day workshops on Tuesday:
- Advanced Email Security
- iOS Security
- ISECOM’s “Smarter, Safer, Better” security awareness training
- Hacking 101 - Your personal preparation for PacketWars (and beyond…)
Wednesday & Thursday
These are the main conference days. Expect more than 20 international researchers coming in to present on their latest discoveries – ready to share their experience with you. In order to serve you with the latest and greatest we won’t announce a final agenda yet. Topics of already confirmed talks include:
- Web Application Firewalls
- SAP Hacking
- Quantum Cryptography
We’ll finish up with a bunch of roundtable sessions. This is the perfect place to recap the week’s happenings and look ahead on upcoming developments.
Something is missing right?
A TROOPERS conference is more than a yearly get-together of some IT guys. This event is for enthusiasts, idealists and doers of all nationalities, age groups and sexes. Our common denominator is the passion for what we do and the strong belief that we will succeed in the daily battle of IT security. Professionals from various backgrounds are longing for an environment where their thoughts, work and experience is appreciated and amplified.
Therefore we spare no efforts to do just that. To name just a few highlights of your complimentary supporting program:
- Shared dinner in the Old Town
- PacketWars hacking contest
- 10k Morning run to keep you going
- [TOP SECRET] Competition
We’re looking forward to meet you soon,
Florian & the TROOPERS/ERNW crew