TAG | TROOPERS12
As there has been some public demand for that, here we go with the final agenda for the Troopers “TelcoSecDay“. The workshop is meant to provide a platform for research exchange between operators, vendors and researchers. The slides of the talks will potentially be made available as well.
- 8:30: Opening Remarks & Introduction
- 9:00: Sebastian Schrittwieser (SBA Research): Guess Who’s Texting You? Evaluating the Security of Smartphone Messaging Applications.
- 10:00: Peter Schneider (NSN): How to secure an LTE-Network: Just applying the 3GPP security standards and that’s it?
- 10:45: Break
- 11:00: Kevin Redon (T-Labs): Weaponizing Femtocells – The Effect of Rogue Devices on Mobile Telecommunications
- 11:45: Christian Kagerhuber (Group IT Security, Deutsche Telekom AG): Security Compliance Audit Automation (SCA, TeleManagementForum TMF528)
- 12:30: Lunch
- 13:45: Philippe Langlois (P1 Security): Assault on the GRX (GPRS Roaming eXchange) from the Telecom Core Network perspective, from 2.5G to LTE Advanced.
- 15:00: Break
- 15:15: Harald Welte (sysmocom): Structural deficits in telecom security
- 16:30: Closing Remarks
- 17:00: End of workshop
- 19:00: Joint dinner (hosted by ERNW) in Heidelberg Altstadt for those interested and/or staying for the main conference
Synopses & Bios
Sebastian Schrittwieser: Guess Who’s Texting You? Evaluating the Security of Smartphone Messaging Applications.
Synopsis: Recently, a new generation of Internet-based messaging applications for smartphones was introduced. While user numbers are estimated in the millions, little attention has so far been paid to the security of these applications. In this talk, we present our experimental results, which revealed major security flaws, allowing attackers to hijack accounts, spoof sender-IDs, and enumerate subscribers.
Bio: Sebastian Schrittwieser is a PhD candidate at the Vienna University of Technology and a researcher at SBA Research. His research interests include, among others, digital forensics, software protection, code obfuscation, and digital fingerprinting. Sebastian received a Dipl.-Ing. (equivalent to MSc) degree in Business Informatics with focus on IT security from the Vienna University of Technology in 2010.
Peter Schneider: How to secure an LTE-Network: Just applying the 3GPP security standards and that’s it?
Synopsis: This talk briefly introduces the security architecture of an LTE mobile network as specified by 3GPP and shows which threats it mitigates and which not. It discusses additional, not-standardized security measures and how they can contribute to making mobile networks as secure as they need to be.
Bio: After many years of research, prototyping and systems engineering in the area of communication technologies, Peter works currently as a senior expert for mobile network security in the Security Technologies Team at Nokia Siemens Networks Research. He is author of various mobile network related security concepts. He is also active in the 3GPP security standardization and in several security research projects.
Kevin Redon: Weaponizing Femtocells – The Effect of Rogue Devices on Mobile Telecommunications
Synopsis: Mobile phones and carriers trust the traditional base stations which serve as the interface between the mobile devices and the fixed-line communication network. Femtocells, miniature cellular base stations installed in homes and businesses, are equally trusted yet are placed in possibly untrustworthy hands. By making several modifications to a commercially available femtocell, we evaluate the impact of attacks originating from a compromised device. We show that such a rogue device can violate all the important aspects of security for mobile subscribers, including tracking phones, intercepting communication and even modifying and impersonating traffic. The specification also enables femtocells to directly communicate with other femtocells over a VPN and the carrier we examined had no filtering on such communication, enabling a single rogue femtocell to directly communicate with (and thus potentially attack) all other femtocells within the carrier’s network.
Bio: Kevin Redon does his master of computing at the Technische Universitaet Berlin. He also works for “Security in Telecommunication” (SecT), a research group of the university.
Christian Kagerhuber: Security Compliance Audit Automation (SCA, TeleManagementForum TMF528)
Synopsis: Today, Service Providers are in need of comprehensive information relevant to effective security management. Service Providers have to evaluate and verify the compliance of their infrastructure and services to corporate security directives and legal guidelines. This includes being able to retrace OSS Operators’ behavior on OSS systems via standardized log messages. But to answer all necessary security compliance questions, log data alone appears not to be sufficient.
Service Providers need configuration data and telemetry data centralized at hand without manual, time-consuming OSS Operator activity. Even interactive polling of their devices is not sufficient because Service Providers must track down changes in the environment and the effective date/period. The talk is about how to solve this problem.
Bio: Christian is a Senior Security Expert at Deutsche Telekom (DT), responsible for the security of DT’s NGOSS system (called NGSSM) and BNG/SCRAT project. He built up T-Online’s Identity Management and CERT and is the author of various Deutsche Telekom security standards, e.g. on platform virtualisation and SSH.
Philippe Langlois: Assault on the GRX (GPRS Roaming eXchange) from the Telecom Core Network perspective, from 2.5G to LTE Advanced.
Synopsis: GRX is the global private network where Telecom network operators exchange GPRS roaming traffic of their users. It’s also used for all M2M networks where roaming is used, and that is the case from some company’s truck fleet management system down to intelligence GPS location spybug tracking system. GPRS has been there from 2.5G GSM networks to the upcoming LTE Advanced networks, and is now quite a widespread technology, along with its attacks. GRX has had a structuring role in the global telecom world at a time when IP dominance was beginning to be acknowledged. Now it has expanded to a lightweight structure using both IP technologies and ITU-originated protocols.
We’ll see how this infrastructure is protected and can be attacked, and we’ll discover the issues with the specific telco equipment inside GRX, namely GGSN and SGSN but also now PDN Gateways in LTE and LTE Advanced “Evolved Packet Core”. We will see its implication with GTP protocol, DNS infrastructure, AAA servers and core network technologies such as MPLS, IPsec VPNs and their associated routing protocols. These network elements were rarely evaluated for security, and during our engagements with vulnerability analysis, we’ve seen several typical vulnerabilities that will be shown in this speech. We will demo some of the attacks on a simulated “PS Domain” network, that is the IP part of the Telecom Core Network that transports customers’ traffic, and investigate its relationships with legacy SS7, SIGTRAN IP backbones, M2M private corporate VPNs and telecom billing systems. We will also see how automation enables us to succeed at attacks which are hard to perform and will show how a “sentinel” attack was able to compromise a telecom Core Network during one penetration test.
Bio: Philippe Langlois is a leading security researcher and expert in the domain of telecom and network security. He founded internationally recognized security companies (Qualys, WaveSecurity, INTRINsec, P1 Security) as well as led technical, development and research teams (Solsoft, TSTF). He founded Qualys and led the world-leading vulnerability assessment service. He founded a pioneering network security company Intrinsec in 1995 in France. He founded his first business, Worldnet, France’s first public Internet service provider, in 1993. Philippe was also lead designer for Payline, one of the first e-commerce payment gateways. He has written and translated security books, including some of the earliest references in the field of computer security, and has been giving speeches on network security since 1995 (Interop, BlackHat, HITB, Hack.lu). He was previously a professor at Ecole de Guerre Economique and various universities in France (Amiens, Marne La Vallée) and internationally (FUSR-U, EERCI). He is a FUSR-U (Free University for Security Research) collaborator and founding member. Philippe is providing industry associations (GSM Association Security Group, several national organizations) and governmental officials with Critical Infrastructure advisory conferences in Telecom and Network security. Now Philippe is providing with P1 Security the first Core Network Telecom Signaling security scanner & auditor, which helps telecom companies, operators and governments analyze where and how their critical telecom network infrastructure can be attacked. He can be reached through his website at: http://www.p1security.com
He has presented previously at these security/hacking conferences: Hack.lu, Hack in the Box (HITB), Blackhat, Hackito Ergo Sum (Paris, France), SOURCE, Chaos Communication Congress (Berlin, Germany), ekoparty (Buenos Aires, Argentina), H2HC (Sao Paulo, Brazil), SYSCAN (Hong Kong; Thailand), Bellua (Jakarta, Indonesia), INT (Mauritius), Interop… (some events listed there http://www.p1sec.com/corp/about/events/ )
Harald Welte: Structural deficits in telecom security
Synopsis: Especially in recent years, numerous practical attacks and tools have been developed and released. The attack patterns and methods from the dynamic Internet world have finally caught up with the dinosaur of the Telecom world. So far, the industry has failed to demonstrate sufficient interest in developing proper responses. The changes so far have been superficial. Are they a sufficient response for what is to come? Has the telecom industry realized the true implications of having left the “walled garden”? The talk will leave the field of actual attacks behind in order to talk about what at least the author perceives as structural deficits in terms of IT security at operators and equipment vendors.
Bio: Harald Welte has been a communications security consultant for more than a decade. He was co-author of the netfilter/iptables packet filter in the Linux kernel and has since then been involved in a variety of Free Software based implementations of protocol stacks for RFID, GSM, GPRS, and TETRA. His main interest is to look at security of communication systems beyond the IP-centric mainstream. Besides his consulting work, he is the general manager of Sysmocom GmbH, providing custom tailored communications solutions to customers world-wide.
Have a great Sunday everybody, see you soon at Troopers
This is a guest post by the SAP security expert Juan Pablo Perez-Etchegoyen, CTO of Onapsis. Enjoy reading:
At Onapsis we are continuously researching in the ERP security field to identify the risks that ERP systems and business-critical applications are exposed to. This way we help customers and vendors to increase their security posture and mitigate threats that may be affecting their most important platform: the one that stores and manages their business’ crown jewels.
We have been talking about SAP security at many conferences over the last years, not only showing how to detect insecure settings and vulnerabilities but also explaining how to mitigate and solve them. However, something that is still less known is that since 2009 we have also been doing research on Oracle’s ERP systems (JD Edwards, Siebel, PeopleSoft, E-Business Suite) and reporting vulnerabilities to the vendor. In this post, I’m going to discuss some of the vulnerabilities that we reported and that Oracle fixed, releasing patches in the latest CPU (Critical Patch Update) of January 2012. In this CPU, 8 vulnerabilities reported by Onapsis affecting JD Edwards were fixed.
What’s really important about these vulnerabilities is that most of them are highly critical, enabling a remote unauthenticated attacker to fully compromise the ERP server just by having network access to it. I’m going to analyze some of these vulnerabilities to shed some light on the real status of JD Edwards’ security. Most of these vulnerabilities are exploitable through the JDENET service, which is a proprietary protocol used by JDE for connecting the different servers.
Let’s take a look at the most interesting issues:
ONAPSIS-2012-001: Oracle JD Edwards JDENET Arbitrary File Write
By sending a specific packet in the JDENET message, an attacker can basically instruct the server to write arbitrary content to an arbitrary location, leading to an arbitrary file write condition.
ONAPSIS-2012-002: Oracle JD Edwards Security Kernel Remote Password Disclosure
By sending a packet containing a key hard-coded in the kernel, an attacker can “ask for” a user’s password (!)
ONAPSIS-2012-003: Oracle JD Edwards SawKernel Arbitrary File Read
An attacker can read any file, by connecting to the JDENET service.
ONAPSIS-2012-007: Oracle JD Edwards SawKernel SET_INI Configuration Modification
Modifications to the server configuration (JDE.INI) can be performed remotely and without authentication. Several attacks are possible abusing this vulnerability.
ONAPSIS-2012-006: Oracle JD Edwards JDENET Large Packets Denial of Service
If an attacker sends packets larger than a specific size, then the server’s CPU starts processing at 100% of its capacity. Game over.
As a “bonus” to this guest blog post, I would like to analyze a vulnerability related to the set of security advisories we released back in April 2011 (many of them also critical). This vulnerability is ONAPSIS-2011-07.
The exploitation of this weakness is very straight-forward, as the only thing an attacker needs to do is to send a packet to the JDENET command service (typically UDP port 6015) with the message “SHUTDOWN”, and all JD Edwards services are powered off! Business impact? None of the hundreds/thousands of the company’s employees that need the ERP system to do their every-day work will be able to do their job.
Some people still talk about ERP security as a synonym of Segregation of Duties controls. This is just an example of a high-impact Denial of Service attack that can be performed against the technical components of these systems. No user or password. No roles or authorizations.
Even worse, as UDP connections are stateless, it’s trivial for the attacker to forge its source and exploit the vulnerability potentially bypassing firewall filters.
Hope you enjoyed our post and I’d like to thank Enno, Florian and the great ERNW team for their kind invitation.
You can get more information about our work at www.onapsis.com
Posted by Florian Horsch
This is a guest post by the SAP security experts of BIZEC. Enjoy reading:
On March 20th, the first BIZEC workshop will be held at the amazing Troopers conference in Heidelberg, Germany. For those still unfamiliar with BIZEC: the business application security initiative is a non-profit organization focused on security threats affecting ERP systems and business-critical infrastructures.
The main goals of BIZEC are:
- Raise awareness, demonstrating that ERP security must be analyzed holistically.
- Analyze current and future threats affecting these systems.
- Serve as a unique central point of knowledge and reference in this subject.
- Provide experienced feedback to global organizations, helping them to increase the security of their business-critical information.
- Organize events with the community to share and exchange information.
The “BIZEC workshop at Troopers 2012” will dive into the security of SAP platforms. Still to this day, a big part of the Auditing and Information Security industries believe that Segregation of Duties (SoD) controls are enough to protect these business-critical systems.
By attending this session, InfoSec professionals and SAP security managers will be able to stop “flying blind” with regards to the security of their SAP systems. They will learn why SoD controls are not enough, which current threats exist that could be exploited by evil hackers, and how to protect their business-critical information from cyber-attacks.
Attendees can expect a high-dose of technical content covering the latest advances in the SAP security field.
The agenda is really exciting, covering hot topics such as:
- Real-world cyber-threats to SAP systems, by Mariano Nunez Di Croce (Onapsis)
- Five years of ABAP Code Reviews – A retrospective, by Frederik Weidemann (VirtualForge)
- SAP Solution Manager from the hackers point of view, by Ralf Kemp (akquinet)
The workshop will be full of live demonstrations of attacks and discussions on possible mitigation techniques. Furthermore, attendees will have the pleasure of enjoying a great introduction by Gary McGraw, CTO of Cigital and pioneer in software security.
If you want to stay ahead of the threats affecting your SAP platforms, you can’t miss this workshop!
The BIZEC team
Comment by the Insinuator: We’ve prolonged the early-bird period until February 10th. We hope that helps to get your favorite event budgeted
Here we go:
Dmitry Sklyarov – “Secure Password Managers” and “Military-Grade Encryption” on Smartphones: Oh Really?
Abstract: The task of providing privacy and data confidentiality with mobile applications becomes more and more important as the adoption of smartphones and tablets grows. As a result, there are a number of vendors and applications providing solutions to address those needs, such as password managers and file encryption utilities for mobile devices.
In this talk we will analyze several password managers and file encryption applications for Apple iOS platform and demonstrate that they often do not provide any reasonable level of security and that syncing data between desktop and mobile versions of the applications increases the risk of compromise. We will also show that the best way to provide privacy and confidentiality on Apple iOS platform is by adhering to Apple Developer Guidelines and not by reinventing the wheel.
Bio: Dmitry is a Security Researcher at Elcomsoft and a lecturer at Moscow State Technical University. He did research on the security of eBooks and on the authentication of digital photos. Recent research projects involved mobile phone and smartphone forensics. Dmitry is also a co-developer of the Elcomsoft iOS Forensic Toolkit.
Thomas Stocker: Business Application Security in a Global Enterprise
Abstract: In this talk the business application security process at Allianz SE will be laid out. Information security is an integral part of any IT related project from the very beginning and – supported by a well-defined framework of processes and accompanying documents – this is maintained through the whole project lifecycle. I will give a detailed overview of the process, show the relevant steps and documents and discuss common challenges when dealing with the projects, how to tackle those and lessons learned.
Bio: Thomas works as Information Security Officer for the Holding of Allianz SE. He has initially established and continuously improved the business application security process since he took over the job six years ago. Prior to that he worked as an application developer and architect, so he knows his stuff from the ground up.
Meredith Patterson & Sergey Bratus: Theory of Insecurity
Abstract: Why is the overwhelming majority of networked software still not secure, despite all effort to the contrary? Why is it almost certain to get exploited so long as attackers can craft its inputs? Why is it the case that no amount of effort seems enough to fix software that must speak certain protocols?
The answer to these questions is that for many protocols and services currently in use on the Internet, the problem of recognizing and validating their “good”, expected inputs from bad ones is either not well-posed or is undecidable (i.e., no algorithm can exist to solve it in the general case), which means that their implementations cannot even be comprehensively tested, let alone automatically checked for weaknesses or correctness. The designers’ desire for more functionality has made these protocols effectively unsecurable.
In this talk we’ll draw a direct connection between this ubiquitous insecurity and basic computer science concepts of Turing completeness and theory of languages. We will show how well-meant protocol designs are doomed to their implementations becoming clusters of 0day, and will show where to look for these 0day. We will also discuss simple principles of how to avoid designing such protocols.
Bios: Meredith L. Patterson is a software engineer at Red Lambda. She developed the first language-theoretic defense against SQL injection in 2005 as a PhD student at the University of Iowa, and has continued expanding the technique ever since. She lives in Brussels, Belgium.
Sergey Bratus is a Research Assistant Professor of Computer Science at Dartmouth College. He sees state-of-the-art hacking as a distinct research and engineering discipline that, although not yet recognized as such, harbors deep insights into the nature of computing. He has a Ph.D. in Mathematics from Northeastern University and worked at BBN Technologies on natural language processing research before coming to Dartmouth.
Mariano Nunez Di Croce: SAP (In)security: Latest Attacks and Defenses
Abstract: This presentation details some of the latest attack vectors against SAP systems, explaining some of the techniques malicious parties may use to compromise the systems remotely and then escalate privileges to access sensitive business information.
Join us to see live demonstrations of these attacks, learn about the statistics of dozens of real-world SAP Penetration Tests and identify which are the latest advances in preventing your SAP systems from falling in the wrong hands.
Bio: Mariano Nunez Di Croce is the CEO at Onapsis. Mariano is a renowned researcher in the ERP & SAP Security field, being the first to present on real-world security attacks to SAP platforms. Since then, he has been invited to lecture in some of the most important security conferences in the world, such as BlackHat DC/USA/EU, RSA, SAP, HITB Dubai/EU, Troopers, Ekoparty, HackerHalted, DeepSec, Sec-T, Hack.lu and Seacure.it, as well as in Fortune-100 companies and military organizations.
Mariano has discovered 50+ vulnerabilities in SAP, Microsoft, Oracle and IBM applications. He leads the strategic development of Onapsis X1, has been the developer of the first open-source SAP & ERP Penetration Testing Frameworks and leads the “SAP Security In-Depth” publication. Mariano is also a founding member of BIZEC.org, the Business Security Community. Because of his research work, he has been interviewed and featured in mainstream media such as CNN, Reuters, IDG, New York Times, eWeek, PCWorld, Darkreading and others.
Mario Heiderich: Got your Nose! How to steal your precious data without using scripts
Nikhil Mittal: More fun using Kautilya or Is it a thumb drive? Is it a toy? no it’s a keyboard
Abstract: How many non-traditional methods do you use to get into systems? How about having some more fun while getting into the systems and also making profit out of it? Let us increase the awesomeness of our Penetration tests and start using Human Interface Devices such as Teensy in the pwnage trade.
The tool for the trade for this talk will be Kautilya. Kautilya is a toolkit which can be used to perform various pre-exploitation and post-exploitation activities. Kautilya aims at easing the use of attack vectors which traditionally require human intervention but can be automated using Teensy. Kautilya contains some nice customizable payloads which may be used for enumeration, info gathering, disabling countermeasures, keylogging and using the Operating System against itself for much more. The talk will be full of live demonstrations.
An updated version of Kautilya will be released at Troopers that includes a number of previously unseen Linux payloads.
Bio: Nikhil Mittal is a hacker, info sec researcher and enthusiast. His area of interest includes penetration testing, attack research, defense strategies and post exploitation research. He has over 3 years experience in Penetration Testing of many Government Organizations of India and other global corporate giants at his current job position.
He specializes in assessing security risks at secure environments which require novel attack vectors and “out of the box” approach. He is the creator of Kautilya, a toolkit to utilize teensy in penetration tests. In his free time, Nikhil likes to scan full IP ranges of countries for specific vulnerabilities, writes some silly Metasploit scripts and does some vulnerability research. He has spoken at Clubhack’10, Hackfest’11, Clubhack’11 and Black Hat Abu Dhabi’11.
More talks to follow next week, so stay tuned
See you @Troopers, take care
About two months ago the Bluetooth SIG renamed their latest standard, which was previously known as “Bluetooth v4.0”. When version numbers get higher and higher marketing likes to interfere and try something new. In this case: Bluetooth Smart.
Sounds smart, but is it?
Without getting into too much detail, let me quickly quote Wikipedia to get started:
“Cost-reduced single-mode chips, which enable highly integrated and compact devices, feature a lightweight Link Layer providing ultra-low power idle mode operation, simple device discovery, and reliable point-to-multipoint data transfer with advanced power-save and secure encrypted connections at the lowest possible cost.”
http://en.wikipedia.org/wiki/Bluetooth#Bluetooth_v4.0 (sounds more like a marketing text than a proper technical specification, but gives you a rough idea what you as an end-user can expect).
So we’re talking about the usual stuff: Lower energy consumption combined with more functionality. Great!
Sounds smart, but is it safe?
With “Bluetooth Smart Ready” products just coming in it’s too early to tell. But one thing is for sure: 2012 will be the year where every major consumer product (smartphones, heart-rate straps or even simple clocks) will be equipped with it. Oh, and guess what… a new wireless standard doesn’t just come along with a new shiny gadget. Obviously you need an app for that. How about tracking your heart beat? Personally I’m looking forward to the first Bluetooth Smart Ready cardiac pacemaker…
And back to security: Either you trust the Bluetooth committee which states “Bluetooth technology is an industry leader when it comes to wireless data security.”, OR you ask somebody who would tell you the plain truth (given there is one): Michael Ossmann.
We did the latter and invited Michael to talk at TROOPERS12. He is a wireless security expert who also makes hardware tools to progress with his research. In early 2011 he successfully crowd-funded his latest gadget: Ubertooth One. A very capable Bluetooth monitoring device.
We’re looking forward to mid March where we all meet to discuss things in more depth at TROOPERS12. Until then keep yourself up-to-date and have a look into Michael’s latest blog entry: Bluetooth for Bad Guys
Have a wonderful Christmas time,
PS: Drop us a comment, when you find some “Bluetooth Smart Ready” labels under your Christmas tree
Here we go again: TROOPERS12 is scheduled for March 19th – 23rd 2012 in Heidelberg, Germany.
Those who attended TROOPERS before know what we are up to. For all newcomers I’ll quickly outline what’s going to happen:
TROOPERS is your premium IT security event in Europe. Think of your usual IT educational event without annoying sales pitching and outdated topics. Now add a superb conference location, an elite line-up of international researchers and practitioners as well as an organizing team not dedicated to make a living doing this, but to celebrate our craftsmanship together with like-minded people.
Sounds good? Let’s see what we have planned for you:
Monday & Tuesday
We start with a great selection of workshops. You’ll have a bigger choice than ever before:
One-day workshops on Monday:
- Advanced IPv6 Security
- Android Security
- ISECOM Workshop (to be announced shortly)
One-day workshops on Tuesday:
- Advanced Email Security
- iOS Security
- ISECOM’s “Smarter, Safer, Better” security awareness training
- Hacking 101 - Your personal preparation for PacketWars (and beyond…)
Wednesday & Thursday
These are the main conference days. Expect more than 20 international researchers coming in to present on their latest discoveries – ready to share their experience with you. In order to serve you with the latest and greatest we won’t announce a final agenda yet. Topics of already confirmed talks include:
- Web Application Firewalls
- SAP Hacking
- Quantum Cryptography
We’ll finish up with a bunch of roundtable sessions. This is the perfect place to recap the week’s happenings and look ahead on upcoming developments.
Something is missing right?
A TROOPERS conference is more than a yearly get-together of some IT guys. This event is for enthusiasts, idealists and doers of all nationalities, age groups and sexes. Our common denominator is the passion for what we do and the strong belief that we will succeed in the daily battle of IT security. Professionals from various backgrounds are longing for an environment where their thoughts, work and experience are appreciated and amplified.
Therefore we spare no efforts to do just that. To name just a few highlights of your complimentary supporting program:
- Shared dinner in the Old Town
- PacketWars hacking contest
- 10k Morning run to keep you going
- [TOP SECRET] Competition
We’re looking forward to meeting you soon,
Florian & the TROOPERS/ERNW crew