Speakers (preliminary) - DeepSec IDSC 2015 Europe

Crypto Attacks

Juraj Somorovsky (Ruhr University Bochum)

In this course, we provide cryptographic background and basics for security developers and penetration testers. We will cover a large variety of cryptographic primitives. On the first day we will cover hash functions and symmetric encryption schemes. On the second day we will cover asymmetric RSA encryption.

The course will cover cryptographic pitfalls and issues every security developer should be aware of. To understand the discussed problems, many cryptographic attacks will be covered and the participants will get an opportunity to develop these attacks using scenarios prepared in our virtual machine.


Day 1:
- Hash functions and hash extension attacks
- Symmetric encryption
- Stream ciphers, block ciphers
- Attacks on RC4
- Padding oracle attacks and attacks on XML Encryption
- BEAST, CRIME, POODLE
- Crypto APIs (small overview on how to use symmetric crypto in Java or python)

Day 2:
- RSA
- Signature and encryption in general
- Usage in certificates
- Bad randomness and how it can influence RSA keys/certificates
- Heartbleed
- Bleichenbacher / Manger attacks
- Application to TLS, Hardware Security Modules, XML Encryption
- Crypto APIs (small overview on how to use RSA in Java or python)

Dr. Juraj Somorovsky finished his PhD in the area of XML Security in 2013. In his thesis „On the Insecurity of XML Security“ he analyzes various cryptographic attacks on Web Services and presents practical countermeasures against these attacks, which were applied in XML Security specifications and in countless frameworks and applications. He presented his work at many scientific and industry conferences, including Usenix Security and OWASP Germany. Currently, he works as a Postdoc at the Chair for Network and Data Security, where he focuses his research on Web Security analysis and cryptographic attacks, and teaches different security-relevant subjects. In parallel, he works as a security specialist for his co-founded company 3curity GmbH.

Hacking Web Applications – Case Studies of Award-winning Bugs in Google, Yahoo, Mozilla and more

Dawid Czagan (Silesia Security Lab)

OVERVIEW

Have you ever thought of hacking web applications for fun and profit? How about playing with authentic, award-winning security bugs identified in some of the greatest companies? If that sounds interesting, join this hands-on training!

I will discuss security bugs that I have found together with Michał Bentkowski in a number of bug bounty programs (including Google, Yahoo, Mozilla, Twitter and others). You will learn how bug hunters think and how to hunt for security bugs effectively.

To be successful in bug hunting, you need to go beyond automated scanners. If you are not afraid of going into detail and doing manual/semi-automated analysis, then this hands-on training is for you.

After completing this training, you will have learned about:

- tools/techniques for effective hacking of web applications
- non-standard XSS, SQLi, CSRF
- RCE via serialization/deserialization
- bypassing password verification
- remote cookie tampering
- tricky user impersonation
- serious information leaks
- browser/environment dependent attacks
- XXE attack
- insecure cookie processing
- session related vulnerabilities
- mixed content vulnerability
- SSL strip attack
- path traversal
- response splitting
- bypassing authorization
- file upload vulnerabilities
- caching problems
- clickjacking attacks
- logical flaws
- and more…

If you want to know what students from Oracle, Adobe, ESET and other companies say about this training, visit this page (https://silesiasecuritylab.com/services/training/#opinions) to learn more.

WHAT STUDENTS WILL RECEIVE

Students will be handed a VMware image with a specially prepared testing environment to play with the bugs. What's more, this environment is self-contained and when the training is over, students can take it home (after signing a non-disclosure agreement) to hack again at their own pace.

WHAT STUDENTS SHOULD KNOW

To get the most out of this training, basic knowledge of web application security is needed. Students should have some experience in using a proxy, such as Burp or similar, to analyze or modify traffic.

WHAT STUDENTS SHOULD BRING

Students will need a laptop with a 64-bit operating system, at least 4 GB RAM (8 GB preferred), 35 GB free hard drive space, USB and Ethernet ports, administrative access, the ability to turn off AV/firewall and VMware Player (64-bit version) installed.

WHO SHOULD ATTEND

Pentesters, bug hunters, security researchers/consultants.

Dawid Czagan (@dawidczagan) has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter, BlackBerry and other companies. Due to the severity of many bugs, he received numerous awards for his findings.

Dawid is founder and CEO at Silesia Security Lab, which delivers specialized security auditing and training services. He also works as a Security Architect at Future Processing.

Dawid shares his security bug hunting experience in his hands-on training "Hacking web applications - case studies of award-winning bugs in Google, Yahoo, Mozilla and more".
He delivered security trainings/workshops at Hack In The Box (Amsterdam), CanSecWest (Vancouver), DeepSec (Vienna), Hack In Paris (Paris) and for many private companies. He also spoke at Security Seminar Series (University of Cambridge) and published over 20 security articles (InfoSec Institute).

To find out about the latest in Dawid’s work, you are invited to visit his blog (https://silesiasecuritylab.com/blog) and follow him on Twitter (@dawidczagan).

Pentesting and Securing IPv6 Networks

Marc Heuse

This training course shows you how to perform penetration testing on IPv6 networks locally and remotely, in theory and hands-on practice. Learn at first hand from the developer of thc-IPv6 the tools and techniques that are specific to IPv6.


IPv4 addresses have been exhausted and IPv6 is now available on every desktop and every server, as all operating systems support IPv6. Most ISPs have started to make IPv6 available and many Internet servers are now reachable over it. This training explains the IPv6 issues, concentrating on the security vulnerabilities inherent in the protocol as well as configuration issues and implementation problems. Many known vulnerabilities are presented and students will be able to try them out themselves with the supplied tools on the test network. Then, switching sides, we see what can be done to configure IPv6 networks more securely, from design down to configuration.

On the first day the trainer will invite you for a free drink, so don't plan anything else for the evening of the first training day.

Marc “van Hauser” Heuse is the founder of The Hacker’s Choice (www.thc.org) and author of the thc-ipv6 IPv6 attack suite. Since 2006 he has researched IPv6 security issues and reports vulnerabilities for all major operating systems on a regular basis. He has also spoken at numerous conferences about his findings, e.g. CansecWest, Pacsec, Hack-in-the-Box, CCC Congress, etc. He is also known for the famous tools hydra, amap and THC-Scan, among others.
Marc is an independent security researcher and consultant.


PowerShell for Penetration Testers

Nikhil Mittal (Independent)

Overview

PowerShell has changed the way Windows networks are attacked. It is Microsoft’s shell and scripting language, available by default on all modern Windows computers. It can interact with .Net, WMI, COM, the Windows API, the Registry and other computers on a Windows network. This makes it imperative for Penetration Testers and Red Teamers to learn PowerShell.
This training is aimed at attacking Windows networks by using PowerShell and is based on real-world penetration tests done by the instructor. The course runs as a penetration test of a secure environment with detailed discussion and use of custom PowerShell scripts in each phase. Some of the techniques used in the course:
- In-memory shellcode execution using PowerShell from a Word macro.
- Exploiting SQL Servers (more than executing commands)
- Using Metasploit shellcode with no detection
- Active Directory trust mapping and abuse.
- Dump Windows passwords, Web passwords, Wireless keys, LSA Secrets and other system secrets in plain text
- Using DNS, HTTPS, Gmail etc. as communication channels for shell access and exfiltration.
- Network relays, port forwarding and pivots to other machines.
- Reboot and Event persistence
- Bypass security controls like Firewalls, HIPS and Anti-Virus.


The course is a mixture of demonstrations, exercises, hands-on work and lecture. It has a live CTF which attendees can try during and after the training.
After this training the attendees will be able to write their own scripts and customize existing ones for security testing. It aims to change how you test a Windows-based environment.


Course Content
- Introduction to PowerShell
- Language Essentials
- Using ISE
- Help system
- Syntax of cmdlets and other commands
- Variables, Operators, Types, Output Formatting
- Conditional and Loop Statements
- Functions
- Modules
- PowerShell Remoting and Jobs
- Writing simple PowerShell scripts
- Extending PowerShell with .Net
- WMI with PowerShell
- Playing with the Windows Registry
- COM Objects with PowerShell
- Recon, Information Gathering and the like
- Vulnerability Scanning and Analysis
- Exploitation – Getting a foothold
- Exploiting MSSQL Servers
- Client Side Attacks with PowerShell
- PowerShell with Human Interface Devices
- Writing shells in PowerShell
- Using Metasploit and PowerShell together
- Porting Exploits to PowerShell
- Post-Exploitation – What PowerShell is actually made for
- Enumeration and Information Gathering
- Privilege Escalation
- Dumping System and Domain Secrets
- Backdoors
- Pivoting to other machines
- Poshing the hashes™
- Replaying credentials
- Network Relays and Port Forwarding
- Achieving Persistence
- Clearing Tracks
- Quick System Audits with PowerShell
- Detecting PowerShell attacks
- Security controls available with PowerShell


What's in it for you?
1. PowerShell Hacker’s Cheat Sheet, access to the online CTF, solutions to exercises, sample source code, updated tools and extra slides explaining things which could not be covered.
2. Attendees will learn a powerful attack method which can be applied from day one after the training.
3. They'll understand that it is not always required to use a third party tool or non-native code on the target machine for post exploitation.
4. And learn how PowerShell makes things easier than previous scripting options on Windows like VB.


Prerequisites
1. Basic understanding of how penetration tests are done.
2. Basic understanding of a programming or scripting language could be helpful but is not mandatory.
3. An open mind.


System Requirements
Windows 7 or later system, with administrative access and ability to run PowerShell scripts.

Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His areas of interest include penetration testing, attack research, defence strategies and post-exploitation research. He has 6+ years of experience in Penetration Testing for his clients, including many global corporate giants. He is also a member of the Red teams of selected clients.


He specializes in assessing security risks in secure environments which require novel attack vectors and an "out of the box" approach. He has worked extensively on using Human Interface Devices in Penetration Tests and PowerShell for post-exploitation. He is the creator of Kautilya, a toolkit which makes it easy to use Teensy in penetration tests, and Nishang, a post-exploitation framework in PowerShell. In his spare time, Nikhil researches new attack methodologies and updates his tools and frameworks.
Nikhil has held trainings and boot camps for various corporate clients (in US, Europe and SE Asia), and at the world’s top information security conferences.
He has spoken at conferences like Defcon, BlackHat USA, BlackHat Europe, RSA China, Troopers, DeepSec, PHDays, BlackHat Abu Dhabi, Hackfest, ClubHack, EuSecWest and more.

He blogs at http://www.labofapenetrationtester.com/

Practical Firmware Reversing and Exploit Development for AVR-based Embedded Devices

Alexander Bolshev (Digital Security) & Boris Ryutin (ZORSecurity)

Today, you can find many devices based on AVR microcontrollers, from Arduino-based amateur projects to serious automotive, home automation or industrial control system controllers and gateways. You may find many talks about reversing and exploit development for AVR-based devices; however, there is still a lack of a full-scale guide that answers the question: "I have an AVR device. I have firmware (?). I have found something that looks like a vulnerability. What should I do now?". The goal of this workshop is to give an answer to this question.

During this workshop, you will learn the specifics of AVR firmware reversing and exploitation. We will talk about tools and techniques, review the AVR architecture, teach you how to write ROP chains for AVR and use other methods that force the MCU to do what wasn't expected by the firmware developers. Post-exploitation topics (like reflashing and altering the bootloader) will also be covered. We will start our journey with simple programs, quickly move on to popular Arduino libraries and finish with a case of real exploitation of an industrial gateway. We will talk about how to use Radare2 and (a bit) IDA Pro in reversing and exploiting AVR firmware, and we will also show you how to develop tools that help you with your task.

To participate in this class you will need just a basic understanding of reverse engineering and buffer overflow/memory corruption vulnerabilities. All topics will be divided into four equal parts: introduction to AVR architecture and assembly, pre-exploitation (firmware extraction, debugging techniques, circuit reverse engineering, etc.), firmware reversing, and exploitation (including some post-exploitation techniques).

Please bring a laptop with at least 4 GB RAM, 15 GB free hard drive space, two USB ports and administrative access, with Windows (recommended) or Linux installed, or a VM inside VMware/VirtualBox/Parallels etc. You will be supplied with all required software and hardware (debuggers and AVR development boards).

Alexander Bolshev is an information security researcher at Digital Security. He holds a Ph.D. in computer security and also works as an assistant professor at Saint-Petersburg State Electrotechnical University. His research interests lie in distributed systems, mobile, hardware and industrial protocols security. He is the author of several whitepapers on the topics of heuristic intrusion detection methods, SSRF attacks, OLAP systems and ICS security. He has spoken at the following conferences: Black Hat USA/EU/UK, ZeroNights, t2.fi, CONFIdence, S4.

Boris (@dukebarman) graduated from the Baltic State Technical University "Voenmeh", faculty of rocket and space technology. Currently he is a postgraduate student there, works as a security engineer at ZORSecurity and is a contributor to the MALWAS post-exploitation framework. Boris is a recurring writer for the ][akep magazine, and a contributor and developer involved in several open-source information security projects. Radare2 evangelist. Multiple bug bounty awardee.


Social Engineering and Security Awareness

Stefan Schumacher (Magdeburger Institut für Sicherheitsforschung)

Social Engineering is a great method for hacking systems. Instead of attacking technical devices, social engineers manipulate people to get what they want. Defending your organisation against social engineering attacks is vital, yet very hard to achieve. This workshop focuses on the psychological fundamentals of social engineering. I will show you how social engineering works, how psychology can be used to manipulate people and how social engineers use these skills to lever out security measures. The second part of the workshop will focus on defence measures against social engineering attacks. I'll teach didactical methods and other skills required to train your users in a successful, scientifically sound and empirically grounded security awareness campaign. Practical knowledge from human factors and organisational development research will top the workshop off.

Stefan Schumacher is the president of the Magdeburg Institute for Security Research and editor of the Magdeburg Journal for Security Research in Magdeburg/Germany. He started his hacking career before the fall of the Berlin Wall, on a small East German computer with 1.75 MHz and a Datasette drive.
Ever since, he has liked to explore technical and social systems, with a focus on security and how to exploit them. He was a NetBSD developer for some years and involved in several other Open Source projects and events. He studied Educational Science and Psychology, and has done a lot of unique research about the Psychology of Security with a focus on Social Engineering, User Training and Didactics of Security/Cryptography. Currently he's leading the research project Psychology of Security, focusing on fundamental qualitative and quantitative research about the perception and construction of security.
He presents the research results regularly at international conferences like AusCert Australia, Chaos Communication Congress, Chaos Communication Camp, DeepSec Vienna, DeepIntel Salzburg, Positive Hack Days Moscow or LinuxDays Luxembourg and in security-related journals and books.

Training: Developing and Using Threat Intelligence

John Bambenek (Fidelis Cybersecurity & SANS Internet Storm Center)

Traditional security defense tools are increasingly unable to protect against emerging and current attacks. The modern attacker has adopted advanced tools and techniques that cannot be stopped with traditional firewalls, intrusion detection and anti-virus software. Meanwhile, dedicated attackers attempt intrusions over months and years, while going undetected, to steal valuable information, trade secrets and financial information. Defense techniques that leverage information about attackers and their techniques, however, provide the ability to greatly enhance the security of an organization. Modern defenses can integrate intelligence and counterintelligence information, which greatly increases the ability to keep attackers out and to detect their presence quickly. This course will teach students about the tools they can use to gain insight into attacks and how to integrate them into their organization. This course will be a mix of lecture and hands-on training, so students will be equipped on day one to go back to their work and start using threat intelligence to protect their networks.

John Bambenek is a Sr. Threat Analyst at Fidelis Cybersecurity and an incident handler with the Internet Storm Center. He has been engaged in security for 15 years researching security threats. He is a published author of several articles, book chapters and one book. He has contributed to IT security courses and certification exams covering such subjects as penetration testing, reverse engineering malware, forensics, and network security. He has participated in many incident investigations spanning the globe. He speaks at conferences around the world and runs several private intelligence groups focusing on takedowns and disruption of criminal entities.

Hacking Cookies in Modern Web Applications and Browsers

Dawid Czagan (Silesia Security Lab)

Since cookies store sensitive data (session ID, CSRF token, etc.), they are interesting from an attacker's point of view. As it turns out, quite a few web applications (including sensitive ones like bitcoin platforms) have cookie-related vulnerabilities that lead, for example, to user impersonation, remote cookie tampering, XSS and more.

Developers tend to forget that multi-factor authentication does not help if cookies are insecurely processed. Security evaluators underestimate cookie-related problems. Moreover, there are problems with the secure processing of cookies in modern browsers, and browser-dependent exploitation can be used to launch more powerful attacks.

That's why secure cookie processing (from the perspective of web application and browser) is a subject worth discussing. The following topics will be presented:

- cookie related vulnerabilities in web applications
- insecure processing of secure flag in modern browsers
- bypassing HttpOnly flag in Safari
- problems with Domain attribute in Internet Explorer
- cookie tampering in Safari
- underestimated XSS via cookie
- HTTP Strict Transport Security (HSTS)
- importance of regeneration
- and more

Dawid Czagan (@dawidczagan) has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter, BlackBerry and other companies. Due to the severity of many bugs, he received numerous awards for his findings.
Dawid is founder and CEO at Silesia Security Lab, which delivers specialized security auditing and training services. He also works as Security Architect at Future Processing.
Dawid shares his security bug hunting experience in his hands-on training "Hacking web applications - case studies of award-winning bugs in Google, Yahoo, Mozilla and more".
He delivered security trainings/workshops at Hack In The Box (Amsterdam), CanSecWest (Vancouver), DeepSec (Vienna), Hack In Paris (Paris) and for many private companies. He also spoke at Security Seminar Series (University of Cambridge) and published over 20 security articles (InfoSec Institute).

To find out about the latest in Dawid’s work, you are invited to visit his blog (https://silesiasecuritylab.com/blog) and follow him on Twitter (@dawidczagan).

The New Art of Threat Defense

Paul Davis (Cisco)

Attacks are becoming more sophisticated, APTs are still a threat and our networks are growing in size and scope, with increasing usage of mobility and cloud. This session will discuss the current challenges with current security architecture design approaches and provide a vision of an integrated cross vendor architecture model, using open standards and threat intelligence. This is a new vision of tomorrow’s IT security framework, that will enable security teams to be more effective at detecting and defeating attacks.

Paul Davis, ThreatGRID's VP of Delivery, is a seasoned IT Security Executive with a 20-year track record of building and delivering successful IT Security organizations and services for top global companies. He has worked with many organizations including General Motors, GE, Dow Chemical, The Washington Post, The United Nations, MCI, a major financial trading exchange and multiple startups. Paul’s career includes being EDS’ CISO at General Motors, EDS’ CSO at Dow Chemical, a CTO, a COO, and VP of Unisys’ global MSSP services. His background includes incident response, IT security operations, professional services, systems engineering, outsourcing, and product development. Throughout his career, he has demonstrated strength in anticipating and leading change to meet business challenges. Paul holds a CISSP certification, and is a member of ISSA, IACs, IEEE and the MIT Enterprise Forum of Cambridge.

How to Break XML Encryption – Automatically

Juraj Somorovsky (Ruhr University Bochum)

- Web Services Introduction
- Web Service specific attacks
  - WS-Addressing Spoofing
  - XML Signature Wrapping
- New Attacks on XML Encryption
- Automatic Analysis of WS interfaces for XML Encryption attacks with WS-Attacker

Dr. Juraj Somorovsky finished his PhD in the area of XML Security in 2013. In his thesis „On the Insecurity of XML Security“ he analyzes various cryptographic attacks on Web Services and presents practical countermeasures against these attacks, which were applied in XML Security specifications and in countless frameworks and applications. He presented his work at many scientific and industry conferences, including Usenix Security and OWASP Germany. Currently, he works as a Postdoc at the Chair for Network and Data Security, where he focuses his research on Web Security analysis and cryptographic attacks, and teaches different security-relevant subjects. In parallel, he works as a security specialist for his co-founded company 3curity GmbH.

Yes, Now YOU Can Patch That Vulnerability Too!

Mitja Kolsek (ACROS d.o.o.)

Software vulnerabilities are likely the biggest problem of information security, fueling a rapidly growing market for “0days”, “1days” and exploits alike.
It can be highly intellectually challenging to find a vulnerability and create an exploit for it, and super entertaining to reveal it all to the bug-hungry crowds (preferably along with a logo and a catchy name, courtesy of the marketing department). As a result, there’s been a lot of innovation and progress on the offensive side of information security, and a corresponding defensive industry is thriving providing quasi-solutions that can be bypassed by any motivated attacker.
But almost nothing has changed at the core of the problem: software vendors still produce critical vulnerabilities, aren’t motivated to provide patches, and only a handful of them are capable of responding and delivering a security update when a 0day gets published. And then, when a vendor’s security update is available, it takes weeks or months before it gets applied throughout a corporate network as the risk of interrupting business processes requires testing and gradual deployment. (And do we need to mention that exploit kits tend to add exploits just a few days after official patches come out?)
Now, what if vendors didn’t have a monopoly on patching their code because any vulnerability researcher could write a patch instead of (okay, in addition to) writing an exploit? And what if admins weren’t afraid to apply the patches because patches could be applied instantly without relaunching applications or restarting the computer, and could also be instantly un-applied if they turned out to be causing problems?
The technology for this exists, and will allow vulnerability researchers to not only research a vulnerability but also fix it with just a few well-chosen machine code instructions – and monetize their hard work in an unquestionably ethical way.
In this session, we will take apart a known vulnerability, determine its root cause and create a micropatch for it, which will then get applied to the vulnerable application while the application is running. We’ll look at the tools needed for this and hopefully turn some of the exploit developers in the audience into patch creators.

In over 16 years of security addiction, Mitja has perforated an array of business-critical products, computer systems and protocols by leading software vendors, searching for atypical vulnerabilities and effective ways of fixing them. His passion is security research, discovering new types of security problems, such as “session fixation”, and new twists on the known ones, such as “binary planting”. He’s currently working on solving the problem of quick, efficient and risk-free elimination of vulnerabilities using microscopic patches.

File Format Fuzzing in Android - Giving a Stagefright to the Android Installer

Alexandru Blanda (Intel Corporation)

The presentation focuses on revealing a fuzzing approach that can be used to uncover different types of vulnerabilities inside multiple core system components of the Android OS. The session will be targeted at exposing the general idea behind this approach and how it applies to several real-life targets from the Android OS, with examples of actual discovered vulnerabilities. These vulnerabilities affect critical components of the Android OS and the audience will have the opportunity to learn about the way they were discovered and possible exploit scenarios. The most important targets that will be included in the talk are the Android APK installer and the Stagefright media framework.

Alexandru Blanda is a software security engineer in the Open Source Technology Center at Intel Corporation. He is currently working on projects related to the overall security of the Android OS, mainly focusing on methods to improve the efficiency of fuzzing techniques inside this environment and on ways to uncover vulnerabilities inside different components of the operating system.

Bridging the Air-Gap: Data Exfiltration from Air-Gap Networks

Mordechai Guri, Yuval Elovici (Ben-Gurion University of the Negev)

Air-gapped networks are isolated, separated both logically and physically from public networks. Although the feasibility of invading such systems has been demonstrated in recent years, exfiltration of data from air-gapped networks is still a challenging task. In this paper we present GSMem, a malware that can exfiltrate data through an air-gap over cellular frequencies. Rogue software on an infected target computer modulates and transmits electromagnetic signals at cellular frequencies by invoking specific memory-related instructions and utilizing the multichannel memory architecture to amplify the transmission. Furthermore, we show that the transmitted signals can be received and demodulated by a rootkit placed in the baseband firmware of a nearby cellular phone. We present crucial design issues such as signal generation and reception, data modulation, and transmission detection. We implement a prototype of GSMem consisting of a transmitter and a receiver and evaluate its performance and limitations. Our current results demonstrate its efficacy and feasibility, achieving an effective transmission distance of 1-5.5 meters with a standard mobile phone. When using a dedicated, yet affordable hardware receiver, the effective distance reached over 30 meters.

T.B.A.

Building a Better Honeypot Network

Josh Pyorre (OpenDNS)

Honeypots and honeypot networks help security researchers to get a good look at different attacker techniques across a variety of systems. This information can be used to better protect our systems and networks, but it takes a lot of work to sift through the data.
Installing a network of honeypots to provide useful information should be an easy task, but there just isn't much to tie everything together in a useful manner.
In this presentation, I will demonstrate how I modify and use existing honeypot frameworks and applications with personal tools and techniques to process attack-related data, to automate analysis and create actionable intelligence.
All the code and instructions I use will be made available for others to work with.

Josh is a security analyst with OpenDNS. Previously, he worked as a threat analyst with NASA, where he was part of the team that initially helped build out the Security Operations Center. He has also done some time at Mandiant.
His professional interests involve network, computer and data security with the goal of maintaining and improving the security of as many systems and networks as possible.
Josh rides motorcycles, likes minimalist camping and makes dark electronic music.
Josh has presented at Defcon, various BSides across the US and Source Boston.

Cryptography Tools, Identity Vectors for Djihadists

Julie Gommes (Econocom-Osiatis / Security and Governance Consultant)

Today jihadist movements use cryptography every day. What's new is that they're now using it on mobile tools and chat tools. Studies by the Middle East Media Research Institute (MEMRI) tend to show that al-Qaeda has been using encryption tools for a long time: "Since 2007, al-Qaeda's use of encryption technology has been based on the platform Mujahideen Secrets which has developed to include mediums for mobile, instant messaging, and Macs." The encryption of communications was then limited to emails and the "Mujahideen Secrets" platform.

The year 2013 marks a turning point in the spread of encryption: instant messaging in February with Pidgin, SMS in September with Twofish, texts in December on AES web sites... Edward Snowden's revelations, which began in June 2013, were not the starting point of the "cryptodjihad", but seem to have played the role of an accelerator.

The jihadists also use proprietary encryption tools they themselves have developed, such as Amn al-Mujahid (Al-Fajr Technical Committee) or al-Asrar ghurabaa used by ISIS. It seems that every movement has wanted to develop its own tools. On its forum, ISIS promotes the use of Tails.

As a cybersecurity consultant for Econocom, Julie Gommes lived and worked three years in the Middle East. She worked for several years on the use of circumvention tools and their online presence among jihadists. Julie is also a trainer on security for lawyers, journalists and NGOs, and gives talks at various conferences.

Advanced SOHO Router Exploitation

Lyon Yang (Vantage Point Security)

In this talk we will look into how a series of 0-day vulnerabilities can be used to hack into tens of thousands of SOHO Routers. We will elaborate on the techniques that were used in this research to locate exploitable routers, discover 0day vulnerabilities and successfully exploit them on both the MIPS and ARM platforms.

The talk will cover the following topics:

- Dumping and analyzing router firmware from an ISP provided router.
- Tips and Tricks to discovering vulnerabilities on the router
- Identification of vulnerabilities
- Explanation of how to write ARM / MIPS exploits
- ROP Gadgets used for writing ARM and MIPS Proof-Of-Concept
- Post exploitation concepts – creative use of exploits

Lyon Yang is a senior security consultant at Vantage Point Security with a research focus on embedded systems hacking and exploitation. He is from sunny Singapore, the world’s first smart city. His regular discoveries of zero days in a variety of router models have earned him a reputation as the go-to guy for router hacking in Singapore, where he has been hired to do firmware source code reviews on popular router models. He is currently working on a comprehensive testing framework for ARM and MIPS based routers as well as shellcode generation and post-exploitation techniques.

OSINT Barn Cat: Mining Malware for Intelligence at Scale

John Bambenek (Fidelis Cybersecurity & SANS Internet Storm Center)

According to VirusTotal, on January 4th, 2015 they received over 500,000 samples of potential malware per day. At times this has peaked to over 1,000,000. The sheer deluge of unique malware samples makes it difficult for incident responders to keep up in order to protect their networks.

Even more difficult is the task for investigators and law enforcement to keep up with the size and number of command-and-control networks and criminal operations.

OSINT Barn Cat was designed to help deal with this problem. This system analyzes incoming streams of malware to identify known malware families and then extracts the configurations from the samples to produce near-time intelligence on known malware command-and-control hostnames and IP addresses.

The goal is to create automated surveillance tools that can monitor criminal infrastructure to make it easy for incident handlers to identify problems on their network, for security analysts to protect their networks and for law enforcement to have reliable near-time information for their operations.

This talk will discuss how the tool generates information and what the possibilities hold for this kind of analysis.

John Bambenek is a Sr. Threat Analyst with Fidelis Cybersecurity and an incident handler with the Internet Storm Center. He has been engaged in security for 15 years researching security threats. He is a published author of several articles, book chapters and one book. He has contributed to IT security courses and certification exams covering such subjects as penetration testing, reverse engineering malware, forensics, and network security. He has participated in many incident investigations spanning the globe. He speaks at conferences around the world and runs several private intelligence groups focusing on takedowns and disruption of criminal entities.

A Case Study on the Security of Application Whitelisting

René Freingruber (SEC Consult )

Application whitelisting is a concept which can be used to further harden critical systems such as server systems in SCADA environments or client systems with high security requirements like administrative workstations. It works by whitelisting all installed software on a system and then preventing the execution of any software that is not whitelisted. This should prevent the execution of malware and therefore protect against advanced persistent threat (APT) attacks. In this talk we discuss the general security of such a concept and what holes are still open to attacks. After that, we focus on a product which can be used for application whitelisting to see the bypasses in practice. This will include different techniques to bypass application whitelisting to achieve code execution, bypass read- and write-protections as well as a discussion on user account control (UAC) bypasses on such protected systems. Moreover, the security of the memory corruption protections will be discussed. At the end some product related design flaws and vulnerabilities will be presented.

René Freingruber has been working as a professional security consultant for SEC Consult for several years. He conducts research in the fields of malware analysis, reverse engineering and exploit development. He also studies modern mitigation techniques and how they can be bypassed by attackers. In the course of that research he came across Microsoft's Enhanced Mitigation Experience Toolkit and gave various talks about the (in)security of it at conferences such as RuxCon, ToorCon, ZeroNights, IT-Secx, DeepSec, 31C3 and NorthSec.

Deactivating Endpoint Protection Software in an Unauthorized Manner

Matthias Deeg (SySS GmbH)

Many endpoint protection products, such as antivirus or firewall software, offer password protection in order to restrict access to management functionality to authorized users only, for example to deactivate protection features temporarily.

In this talk, it will be demonstrated how different popular, widely-used endpoint protection software products can be deactivated by low-privileged users or malware in an unauthorized manner.

Matthias has been interested in information technology - especially IT security - since his early days and has a great interest in seeing whether security assumptions in soft-, firm- or hardware hold true when taking a closer look. He has more than 8 years of professional experience in the field of information security and currently works as IT security consultant and leader of R&D for the IT security company SySS GmbH.

50 Shades of WAF - Exemplified at Barracuda & Sucuri

Ashar Javed (Hyundai AutoEver Europe GmbH)

This talk will present 50 (25*2) bypasses of Barracuda and Sucuri's WAF default signatures that deal with Cross-Site Scripting (XSS). 150,000 organizations worldwide including Fortune 1000 companies are using Barracuda while around 10,000 web applications are behind Sucuri's cloud-based WAF. The XSS bypasses we will present in this talk are also applicable to other WAFs. All bypasses were responsibly reported to the vendors and most of them were fixed. Further, we will show XSS in Barracuda's admin interface and in their web application. Finally, we will present one unfixed bypass of Barracuda and Sucuri and will see how quickly vendors will react to fix it, given it will make thousands of sites vulnerable.

Ashar Javed is a web security researcher and pentester. His PhD thesis (under submission) from Ruhr University Bochum, Germany is about Cross-Site Scripting. He has been listed 11 times in Google's Security Hall of Fame, Twitter/Microsoft/Ebay/Adobe/Etsy/AT&T Security Pages & Facebook White Hat. He has spoken at major security events such as Black Hat, Hack in the Box, OWASP Spain, RSA Europe (OWASP Seminar), SAP product security conference, ISACA Ireland and DeepSec.

Temet Nosce - Know thy Endpoint Through and Through; Processes to Data

Thomas Fischer (Digital Guardian / Security B-Sides London)

Most organisations today accept that they have been compromised or will be compromised. To that end it is key to be able to gather the intelligence from all sides to take informed decisions on the next steps. The ability to understand the Hows, Whens and Whats can help to responsibly disclose but also to take future actions to better contain and prevent compromise.
By bringing back end point protection, using behaviour based techniques and real time or near real time local event correlation, as a keystone in security infrastructure, we start to answer questions like «how did it happen?» or «what did I lose?». This presentation will demonstrate that one of the most complete sources of actionable intelligence resides at the end point, and that living as close as possible to Ring0 makes it possible to see how a malicious process or party is acting and the information being touched.
A key step to moving forward and bringing better protection to the infrastructure is to move away from the traditional mechanism and bring forward behavioral detection through the real time or near real time identification and aggregation of the individual events happening on the host; identifying the malicious activities and blocking them.
This talk looks at how introducing endpoint protection can answer some of the most pertinent questions in the incident response process: When was I compromised? How did it happen? How to detect the next malicious agent or APT? And importantly, what was exfiltrated and how sensitive is it?
Using a simple tool like procmon, the talk will demonstrate that one of the most complete sources of actionable intelligence resides at the end point, and that living as close as possible to Ring0 makes it possible to see how a malicious process or party is acting as well as the information being touched: by building a map of the events that the attackers or malware undertake and, with this visibility, introducing a mechanism to detect, log and block the activity where it counts – at the endpoint.
This presentation is targeted for forensics, incident response teams and IT security management who want a better understanding and control of what is going on at the end point.

With over 20 years of experience, Thomas has a unique view on security in the enterprise with experience in multiple domains from policy and risk management, secure development and incident response and forensics. Thomas has held roles varying from security architect in large companies to consultant for both industry vendors and consulting organizations. Thomas currently plays a lead role in malicious activity and threat analysis for Digital Guardian.

The German Data Privacy Laws and IT Security

Stefan Schumacher (Magdeburger Institut für Sicherheitsforschung)

Hesse introduced the first data privacy law in the world in 1970. Since then, the German data privacy laws have evolved over time and led to the creation of several tools and methods to protect private data.
Though it is aimed at data protection, it can be utilized for IT security. This talk introduces the data privacy law and its main ideas.
I will also show how it can be used to further IT security especially in the SME sector. This mostly refers to the identification and description of processes that work with data and therefore have to be protected.

Stefan Schumacher is the president of the Magdeburg Institute for Security Research and editor of the Magdeburg Journal for Security Research in Magdeburg/Germany. He started his hacking career before the fall of the Berlin Wall, on a small East German computer with 1.75 MHz and a Datasette drive. 

Ever since, he has liked to explore technical and social systems, with a focus on security and how to exploit them. He was a NetBSD developer for some years and involved in several other Open Source projects and events. He studied Educational Science and Psychology, and has done a lot of unique research about the Psychology of Security with a focus on Social Engineering, User Training and Didactics of Security/Cryptography. Currently he's leading the research project Psychology of Security, focusing on fundamental qualitative and quantitative research about the perception and construction of security.

He presents the research results regularly at international conferences like AusCert Australia, Chaos Communication Congress, Chaos Communication Camp, DeepSec Vienna, DeepIntel Salzburg, Positive Hack Days Moscow or LinuxDays Luxembourg and in security related journals and books.

illusoryTLS: Nobody But Us. Impersonate, Tamper and Exploit

Alfonso De Gregorio (secYOUre)

The entire X.509 PKI security architecture falls apart if a single CA certificate with a secretly embedded backdoor enters the certificate store of relying parties. Is there sufficient assurance that this hasn't happened already?

This talk explores this scenario from both an experimental and speculative point of view.

From the experimental standpoint, the talk reports on illusoryTLS, an entry to the first Underhanded Crypto Contest. illusoryTLS is an instance of the Young and Yung elliptic curve asymmetric backdoor in RSA key generation. It targets a Certification Authority public-key certificate imported into the certificate store of a pretty standard HTTPS client and TLS server. The security outcome is the worst possible, because the backdoor completely perverts the security guarantees provided by the TLS protocol, allowing the attacker to impersonate the endpoints (i.e., authentication failure), tamper with their messages (i.e., integrity erosion), and actively eavesdrop on their communications (i.e., confidentiality loss).

The illusoryTLS backdoor has some noteworthy properties:
1. NOBUS (Nobody But Us): The exploitation requires access to resources not embedded in the backdoor itself. In this case the secret resource is an elliptic-curve private key.
2. Indistinguishability: As long as a computational hardness assumption called Elliptic-Curve Decisional Diffie-Hellman (ECDDH) holds, the illusoryTLS backdoored key pairs appear to all probabilistic polynomial time algorithms like genuine RSA key pairs. Therefore black-box access to the key-generator does not allow detection.
3. Forward Secrecy: If a reverse-engineer breaches the key-generator, then the previously stolen information remains confidential (secure against reverse-engineering).
4. Reusability: The backdoor can be used multiple times and against multiple targets.

In the Internet X.509 PKI the security impact of such a backdoor would extend further; the presence of a single CA certificate with a secretly embedded backdoor in the certificate store renders the entire TLS security fictional. In fact, the current practice of universal implicit cross-certification makes the whole X.509 PKI as weak as its weakest link.

Therefore, when dealing with this class of attacks in the context of X.509 PKIs, it might not be sufficient to avoid outsourcing the key generation. It also becomes essential to have assurance about the security of each implementation of vulnerable key-generation algorithms employed by trusted credential issuers.

Do we have sufficient assurance about the tens or hundreds of CA certificates we entrust our business to every day?

The talk concludes by contributing a novel way to embed an elliptic-curve asymmetric backdoor into an RSA modulus based on Elligator. Both the backdoor embedding and the key-recovery algorithms will be provided in a step-by-step walkthrough that includes working code.

Alfonso De Gregorio is a security technologist, founder of BeeWise, the first cyber security prediction market, and Principal Consultant at secYOUre. He started his career in information security in the late 1990s. Since then he never stopped contributing his little share to the discussion and practice of security engineering. Among the positions held, he served as Chief Security Architect at an HSM vendor, Expert for the European Commission and Visiting Scholar at the Computer Security and Industrial Cryptography (COSIC) research group, K.U. Leuven. In his career as a public speaker, Alfonso addressed a wide range of audiences across the globe, including industry executives, academics, security practitioners, and hackers, speaking about security economics, software security, intelligence support systems, cryptography engineering and cryptographic backdooring. Alfonso researches solutions for building cybersecurity incentives, tweets @secYOUre, and generally does not speak of himself in the third person.

Have We Penetrated Yet??

Johnny Deutsch (Ernst & Young)

Penetration testing is a subject that seems to have been discussed thoroughly: how to test, what tools to use and who is doing the testing.

But how do we connect all of the real issues around pen testing?
And how should we create a successful process that truly makes sure that the right parts of our business are safely and securely tested?

I have been involved with the pen testing business for the better half of the last decade.
The target of this talk is to help security professionals to get an understanding of various approaches that are currently implemented around the world within leading companies, of how they test their business (and not their systems) and what process and controls they have in place to make sure they are on the right path to success.
We will discuss the common mistakes of security professionals when they approach penetration testing, and try to debunk some common myths around the business behind this practice.
This talk is aimed at security professionals that are a part of IT security operations and governance teams, but the benefits of the insights will assist client servicing professionals just as well.
I'll talk about some of the leading practices I have been exposed to and of some of the process and controls that the team I work with have been able to implement with some of the world’s largest and successful companies (or as we call them, “our clients”).
This talk will provide you with an overall understanding of why tests not always succeed - not because of a lack of a professional knowledge, but because of an unwelcome surprise, a root cause you didn’t think about…
We will review the world of pen testing from a global perspective: where do we find the best infrastructure testers, application testers, or reverse engineers? And why do we find them all in different geographic regions, scattered around the globe?
We will review how a cyber-security team can communicate their findings to the company’s management in a non-technical manner, and how pen testing can help you to get more budget and recognition within the organization.
Another aspect we'll talk about is what you can test within your organization.
Or in other words, how to focus on testing the right issues, and, more importantly, how not to focus on the wrong ones. There is only one thing better than learning how to do something, and that is how not to do it.
Another cornerstone of this talk is automation. The technology is already available, and leading organizations, with adequate planning, have been using it correctly to automate all that can be automated. But there are still some processes which they don't automate. Some things are still considered to be tasks that no computing power is able to deal with.

This talk is in no way a sales talk. Besides the “EY” logo on the slide deck template I will not try to promote our business, I give this talk with the full intention of sharing the insights I have from seeing a wide range of pen testing processes with the clients I have worked for.

Johnny Deutsch is a Senior Manager in the Advanced Security Center part of the Advisory Services practice of Ernst & Young LLP.

This cutting-edge security team is dedicated to implementing advanced defense techniques to counter today’s growing forces in the global cyber arena for EY’s clients.
In his experience, Johnny has delivered the following services:
• Cyber Threat Intelligence Services - providing in-depth insights on the latest threats in the world of cyber crime.
• Cyber Simulation Testing - managing and performing cyber penetration tests aimed at simulating real world scenarios of cyber attacks, combining a wide range of operational needs in various domains, such as application security, infrastructure and embedded devices.
• Cyber Risk Assessment - surveying and assessing the validity of cyber security risks within complex environments, such as critical infrastructure or high availability oriented environments.
• Cyber Strategy Planning - working with the organization to characterize and prepare for relevant threats from the cyber arena.

Johnny Deutsch's experience comes from the intelligence community, in which Johnny has performed numerous cyber security roles over an extended time period.

Johnny has been a speaker at several international cyber security conferences, such as Troopers, DeepINTEL, Toorcon and GrrCon.

Prior to Johnny's employment at EY, he was a consultant at the Israeli Ministry of Defense (MoD) and managed large scale projects in the field of cyber security.

Chw00t: How To Break Out from Various Chroot Solutions

Balazs Bucsay (IT-Security Expert / Freelancer)

The chroot syscall is part of POSIX. All Unix systems have this syscall, so it is possible to create separated environments. Until this presentation there was no documentation/tutorial about the techniques for creating a reasonably "secure" chroot environment or for breaking out from a misconfigured one. Now, with this presentation, I attempt to create a knowledge base for this topic. I've managed to collect 6 different techniques that work fully on Linuxes (not all of them require root privs). Furthermore I wrote a tool that automates the breakouts and helps the user to get a shell outside of the chrooted environment. This tool is an open-source tool, already released. The tool supports only Linux at the moment, but will be improved until the conference.
Additionally I tested 7 Unix systems overall and compared my findings there.
I'm going to explain all of the techniques that are implemented in the tool, how they work and why, and the differences between operating systems.

Balazs Bucsay is an IT-Security expert and techie geek, mainly focusing on penetration testing. He has given multiple talks around the globe (Atlanta, London, Moscow, Budapest) on various advanced topics (mimikatz, PayPass, XSS worms, distributed password cracking) and released several tools and papers about the latest techniques. He has multiple certifications (OSCE, OSCP, OSWP, GIAC GPEN) related to penetration testing, exploit writing and other low-level topics and degrees in Mathematics and Computer Science. Balazs thinks that sharing knowledge is one of the most important things, so he always shares his experience and knowledge with his colleagues and friends. Because of his passion for technology he starts the second shift right after work to do some research to find new vulnerabilities.

Continuous Intrusion: Why CI Tools Are an Attacker's Best Friends.

Nikhil Mittal (Independent)

Continuous Integration (CI) tools provide excellent attack surfaces due to no/poor security controls, the distributed build management capability and the level of access/privileges in an enterprise.

This talk looks at the CI tools from an attacker’s perspective, using them as portals to get a foothold and for lateral movement. We will show how to execute attacks like command and script execution, credentials stealing and privilege escalation; how to not only compromise the build process but the underlying Operating System and even entire Windows domains. No memory corruption bugs will be exploited and only the features of the CI tools will be used.

Popular CI tools, open source as well as proprietary, will be the targets. The talk will be full of live demonstrations.

Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His area of interest includes penetration testing, attack research, defence strategies and post exploitation research. He has 6+ years of experience in Penetration Testing for his clients, including many global corporate giants. He is also a member of Red teams of selected clients.

He specializes in assessing security risks in secure environments which require novel attack vectors and an "out of the box" approach. He has worked extensively on using Human Interface Devices in Penetration Tests and PowerShell for post exploitation. He is the creator of Kautilya, a toolkit which makes it easy to use Teensy in penetration tests, and Nishang, a post exploitation framework in PowerShell. In his spare time, Nikhil researches new attack methodologies and updates his tools and frameworks.
Nikhil has held trainings and boot camps for various corporate clients (in US, Europe and SE Asia), and at the world’s top information security conferences.
He has spoken at conferences like Defcon, BlackHat USA, BlackHat Europe, RSA China, Troopers, DeepSec, PHDays, BlackHat Abu Dhabi, Hackfest, ClubHack, EuSecWest and more.
He blogs at http://www.labofapenetrationtester.com/

Cryptographic Enforcement of Segregation of Duty within Work-Flows

Thomas Maus (Self-employed, No Affiliations)

Workflows with Segregation-of-Duty requirements or involving multiple parties with non-aligned interests (typically mutually distrustful) pose interesting challenges in often neglected security dimensions.

Cryptographic approaches are presented to technically enforce strict auditability, traceability and multi-party-authorized access control and thus also enable exoneration from allegations.

These ideas are illustrated by challenging examples - constructing various checks and balances for Telecommunications data retention, a vividly discussed and widely known issue.

Thomas Maus holds a graduate degree in computer science.
He has been consulting in the areas of system security, the analysis, tuning, and prognosis of system performance, as well as the management of large, heterogeneous, mission-critical installations since 1993.

Projects range from architecture, implementation and operation of large application clusters over technical project management, organisational and technical trouble-shooting, security assessments, establishing of security governance processes, security policies and analysis for trading rooms and the like to training of international police special forces for combatting cyber-crime.

He started his computing career in 1979, at the age of sixteen, when he won the computing equipment for his school in a state-wide competition.
Soon followed the team-based development of a comprehensive software package for school administration on behalf of the federal state -- here a long lasting affection for questions of system security, performance and architecture started.
Around 1984 he fell in love with UNIX systems and IP stacks and embraced the idea of Free Software.

DDoS: Barbarians at the Gate(way)

Dave Lewis (Akamai Technologies)

This talk will examine the tools, methods and data behind the DDoS attacks that are prevalent in the news headlines.

Using collected information, the presentation will demonstrate what the attackers are using to cause their mischief & mayhem, and examine the timeline and progression of attackers as they move from the historical page defacers to the motivated DDoS attacker.

We will look at their motivations and rationale and try to give you some sort of understanding of what patterns to be aware of for your own protection.

Dave has almost two decades of industry experience. Currently, he works as a Global Security Advocate for Akamai Technologies.

He is the founder of the security site Liquidmatrix Security Digest and co-host of the Liquidmatrix podcast. Dave also serves on the (ISC)2 Board of Directors and writes a column for CSO Online and Forbes.

Prior to his present position, Dave worked in finance, healthcare, entertainment, manufacturing and critical infrastructure verticals. He has worked for a defense contractor as a security consultant for clients such as the FBI, US Navy, Social Security Administration, US Postal Service and the US Department of Defense, to name a few.

When not at work Dave can be found spending time with his family, playing bass guitar and polishing his “brick of enlightenment”.

Legal Responses Against Cyber Incidents

Oscar Serrano (NATO Communications and Information Agency)

Despite current efforts to adapt existing legal instruments to regulate hostile activities in cyber space, there is uncertainty about the legal situation of actors affected by these actions. Part of this uncertainty is due to the fact that the cyber domain is technically complex; there is a strong need for collaboration between technical and legal subject matter experts, collaboration which is difficult to achieve. This talk summarizes the current legal status of Cyber Attacks. It defines a taxonomy of possible cyber-incidents, and analyses the predictable consequences of each type of cyber-incident with the purpose of mapping cyber-incidents to different legal frameworks.

Oscar Serrano has more than 15 years of consultancy experience, working for large international organizations such as the Austrian Research Centers, Siemens or the European Union. Since 2013 Oscar Serrano has worked as Senior Scientist in Cyber Security at the NATO Communications and Information Agency, where he performs tasks regarding conception, procurement and deployment of new Cyber Security systems, policy development and security risk management and accreditation. His main research interests include Cyber Security information exchange, detection of APTs and cyber security law.

Revisiting SOHO Router Attacks

Jose Antonio Rodriguez Garcia and Ivan Sanz de Castro (Independent Researchers)

Domestic routers have lately been targeted by cybercrime due to the huge amount of well-known vulnerabilities which compromise their security. The purpose of this paper is to appraise SOHO router security by auditing a sample of these devices and to research innovative attack vectors. More than 60 previously undisclosed security vulnerabilities have been discovered throughout 22 popular home routers, meaning that manufacturers and Internet Service Providers still have much work to do on securing these devices. A wide variety of attacks could be carried out by exploiting the different types of vulnerabilities discovered during this research.

Outline of the talk:

1. Introduction. Brief explanation about the main goals of our research.

2. State of the art. Current progress in router security, including: previous investigations, cybercrime exploitation and manufacturers’ response to previously disclosed vulnerabilities.

3. Common security problems.
a. Routers provide too many pointless services which largely increase attack surfaces.
b. Routers still make use of default public credentials. This eases the attacks.

4. Security flaws. Main part of the presentation in which the discovered security problems are explained, including the following live demos:
a. DNS Hijacking exploiting a Cross Site Request Forgery vulnerability.
b. Infecting a browser exploiting an unauthenticated XSS vulnerability by sending a DHCP Request PDU.
c. Bypassing the authentication in order to download the whole router filesystem (including passwd and configuration files) by exploiting an SMB misconfiguration vulnerability.
d. Causing a persistent DoS / restoring the router to default settings without requiring any authentication process.

5. Developed tools

6. Mitigations. Security advice for both customers and manufacturers.

7. Results. Graphical explanation of the audit report.

8. Conclusion. Has SOHO router security improved over the last couple of years?

José Antonio Rodríguez García was born in Salamanca, Spain. He received his BSc degree in computer engineering from Universidad de Salamanca and his MSc degree in ICT security from Universidad de Madrid. Mr. Rodríguez is an independent researcher, who developed an expertise in computer hardware and performance benchmarking. He has published several articles and his own hardware monitoring tool, which gained great acceptance in the enthusiast community.

Iván Sanz de Castro was born in Madrid, Spain. He received his BSc degree in telecommunications engineering from Universidad de Alcalá and his MSc degree in ICT security from Universidad de Madrid. Mr. Sanz has taken part in several security projects for multinational enterprises in recent years. He is currently working in the Ethical Hacking department of a Spanish security company.

Extending a Legacy Platform Providing a Minimalistic, Secure Single-Sign-On-Library

Bernhard Göschlberger, MSc MLBT BSc (Research Studios Austria FG)

Despite decades of security research and authentication standards, there is still a vast number of systems with custom solutions and embedded user databases. Such systems are typically hard to integrate securely with others. We analysed an existing system of an organisation holding approximately 12,000 sensitive user data sets and uncovered severe vulnerabilities in its approach. We developed a minimal, secure Single-Sign-On solution and demonstrated the feasibility of implementing both a minimal Identity Provider and a minimal Service Provider in only a few lines of code. We provided a simple blueprint for an Identity Provider and an easy-to-use Service Provider library. As a result, this organisation is now able to integrate arbitrary web-based systems. Moreover, others can follow the proposed approach and tailor similar solutions at low cost.

Bernhard Göschlberger studied Software Engineering at the faculty of Informatics, Communication and Media of the University of Applied Sciences Upper Austria (Campus Hagenberg) and Legal and Business Aspects in Technics at the Johannes Kepler University Linz.
He is currently a PhD student in Computer Science at the institute of Telecooperation at the Johannes Kepler University Linz.
Since 2011 he has been working for the Research Studios Austria FG as a researcher in the field of technology enhanced learning.

Visualizing Wi-Fi Packets the Hacker's Way

Milan Gabor (Viris)

Today, visualizing Wi-Fi traffic is more or less limited to console windows and analysing the various logs from the aircrack-ng toolset. There are some commercial tools, but if we want to stay in the Open Source area we need to find better solutions. So we used the ELK stack to gather, hold, index and visualize data, and a modified version of the airodump tool for input. With this you can create amazing dashboards, correlate interesting data and do some deep digging into Wi-Fi packets. It gives hackers and also administrators a quick view into the Wi-Fi space and offers a range of new possibilities to get interesting data really fast.
One half of the talk will be dedicated to a presentation of how this can be done, telling you about some issues that we had and our solutions to them, while the rest of the talk will demonstrate the true power of our research.

Milan Gabor is the Founder and CEO of Viris, a Slovenian company specialized in information security. He is a security professional, pen-tester and researcher. Milan is a distinguished and popular speaker on information security. He has previously been invited to speak at various events and IT conferences in Slovenia and the rest of the world. He also gives ethical hacking training. He is always on the hunt for new and undiscovered things; he really loves and enjoys his job and dreams about parachute jumping.

ZigBee Smart Homes - A Hacker's Open House

Tobias Zillner (Cognosec GmbH)

ZigBee is one of the most widespread communication standards used in the Internet of Things, and especially in the area of smart homes. If you have, for example, a smart light bulb at home, the chance is very high that you are actually using ZigBee yourself. Popular lighting applications such as Philips Hue or Osram Lightify, and also popular smart home systems such as SmartThings or Google's OnHub, are based on ZigBee. New IoT devices often have very limited processing and energy resources, and are therefore not capable of implementing well-known communication standards like Wi-Fi. ZigBee is an open, publicly available alternative that enables wireless communication for such limited devices.
ZigBee also provides security services for key establishment, key transport, frame protection and device management that are based on established cryptographic algorithms. So is a ZigBee home automation network with security applied actually secure, and is the smart home communication protected?
No, definitely not. Due to "requirements" on interoperability and compatibility, as well as the application of ancient security concepts, it is possible to compromise ZigBee networks and take over control of all included devices. For example, it is easily possible for an outsider to gain control over every smart light bulb that supports the ZigBee Light Link profile. The initial key transport is also done in an unsecured way, and the standard even requires support for this weak key transport. On top of that, another vulnerability allows third parties to request secret key material without any authentication and therefore take over the whole network as well as all connected ZigBee devices. Together with the shortfalls and limitations in security caused by the manufacturers themselves, the risk to this last-tier communication standard can be considered highly critical.
This talk will provide an overview of the security measures actually applied in ZigBee, highlight the included weaknesses and also show practical exploitation of actual product vulnerabilities. To this end, new features in the ZigBee security testing tool SecBee will be demonstrated and made publicly available.

Tobias Zillner works as Senior IS Auditor at Cognosec in Vienna. He conducts information systems audits in order to assess compliance with relevant internal and external requirements and to provide a customer's management with an independent opinion regarding the effectiveness and efficiency of IT systems. Furthermore, Tobias evaluates and assures the security of information technology by performing web application and web service penetration tests, source code analysis, as well as network and infrastructure penetration tests. He has a Bachelor's degree in Computer and Media Security, a Master's degree in IT Security and a Master's degree in Information Systems Management. Tobias' expertise also extends to the IT Governance, Risk and Compliance domains. He has spoken at well-known international security conferences such as Black Hat or Defcon and also holds a wide range of certifications, including CISSP, CISA, QSA, CEH, ITIL and COBIT.

Powershell for Security Analysts

Michelle D'israeli (Babcock MSS)

You're stuck on a basic Windows estate, you can't pull the data out, there's no SIEM, and you have 20GB of logs you've been tasked to turn into actionable intelligence. PowerShell brings not just built-in tools for querying Windows event logs, but also extremely powerful text processing tools and much more. This talk will give you a quick overview of these features and their notable quirks, allowing you to pull off tricks that are often thought to be possible only in *NIX environments.

When not knee-deep in PowerShell, Michelle is a security analyst specialising in major incident management.

Not so Smart: On Smart TV Apps

Marcus Niemietz (3curity GmbH)

One of the main characteristics of Smart TVs is apps. Apps extend Smart TV behaviour with various functionalities, ranging from the use of social networks or paid streaming services to buying articles on Ebay. These actions require the use of critical data such as authentication tokens and passwords, and thus raise questions about new attack scenarios and the general security of Smart TV apps.

We investigate attack models for Smart TVs and their apps, and systematically analyze the security of Smart TV devices. We point out that some popular apps, including Facebook, Ebay and Watchever, send login data over unencrypted channels. Even worse, we show that an arbitrary app installed on devices of the market share leader Samsung can gain access to the credentials of a Samsung Single Sign-On account. Such an app can therefore hijack a complete user account, including all of the user's devices, such as smartphones and tablets, connected to it. Based on our findings, we provide recommendations that are of general importance and applicable to areas beyond Smart TVs.

Marcus Niemietz is a co-founder of 3curity and a security researcher at the Ruhr-University Bochum in Germany. He focuses on web security topics such as HTML5 and especially UI redressing. Marcus published a book about UI redressing and clickjacking for security experts and web developers in 2012. Besides that, he works as a security consultant and gives security trainings for well-known companies. Marcus has spoken at a large variety of international conferences.