The workshop will demonstrate how the Business Model for Information Security (BMIS) is used to create integrated infosec. It then takes security to the next level by introducing systemic solutions for security culture, human factors, emergence phenomena and governance. Using BMIS ensures seamless alignment with traditional management frameworks such as COBIT, ISO 27000 etc.

** Overview **

The IPv6 protocol suite was designed to accommodate the present and future growth of the Internet, by providing a much larger address space than that of its IPv4 counterpart, and is expected to be the successor of the original IPv4 protocol suite. The imminent exhaustion of the IPv4 address space has resulted in the deployment of IPv6 in a number of production environments, with many other organizations planning to deploy IPv6 in the short or near term.

There are a number of factors that make the IPv6 protocol suite interesting from a security standpoint. Firstly, being a new technology, technical personnel has much less confidence with the IPv6 protocols than with their IPv4 counterpart, and thus it is more likely that the security implications of the protocols be overlooked when the protocols are deployed. Secondly, IPv6 implementations are much less mature than their IPv4 counterparts, and thus it is very likely that a number of vulnerabilities will be discovered in them before their robustness matches that of the existing IPv4 implementations. Thirdly, security products such as firewalls and NIDS’s (Network Intrusion Detection Systems) usually have less support for the IPv6 protocols than for their IPv4 counterparts. Fourthly, the security implications of IPv6 transition/co-existence technologies on existing IPv4 networks are usually overlooked, potentially enabling attackers to leverage these technologies to circumvent IPv4 security measures in unexpected ways.

The imminent global deployment of IPv6 has created a global need for security professionals with expertise in the field of IPv6 security, such that the aforementioned security issues can be mitigated.

While there exist a number of courses and trainings about IPv6 security, they either limit themselves to a high-level overview of IPv6 security, and/or fail to cover a number of key IPv6 technologies (such as transition/co-existence mechanisms) that are vital in all real IPv6 deployment scenarios.


** Learning Objectives **

This course will provide the attendee with an in-depth training on IPv6 security, such that the attendee is able to evaluate and mitigate the security implications of IPv6 in production environments.

The attendee will be given an in-depth explanation of each topic covered in this course, and will learn how each feature can be exploited for malicious purposes. Subsequently, the attendee will be presented with a number of alternatives to mitigate each of the identified vulnerabilities.

This course will employ both existing and previously-unreleased tools to evaluate the security of IPv6 networks, and to provide live demos of many IPv6 vulnerabilities. Additionally, the attendee will be given the chance to experiment with these tools in a network laboratory (with the assistance of the trainer), such that the concepts and techniques learned during this course are reinforced with hands-on exercises.


** Who Should Attend **

Network Engineers, Network Administrators, Security Administrators, Penetration Testers, and Security Professionals in general.


** Participants Are Required To **

Participants are required to have a good understanding of the IPv4 protocol suite (IPv4, ICMP, etc.) and of related components (routers, firewalls, etc.). Additionally, the attendee is expected to knowledge about basic IPv4 troubleshooting tools, such as: ping, traceroute, and network protocol analyzers (e.g., tcpdump)


** Topics covered by this course **

Introduction to IPv6
IPv6 Addressing Architecture
IPv6 Header Fields
IPv6 Extension Headers
IPv6 Options
IPsec
Internet Control Message Protocol version 6 (ICMPv6)
Neighbor Discovery for IPv6
Multicast Listener Discovery
Stateless Address Auto-configuration (SLAAC)
Dynamic Host Configuration Protocol version 6 (DHCPv6)
DNS support for IPv6
IPv6 firewalls
Transition/co-existence technologies (6to4, Teredo, ISATAP, etc.)
Network reconnaissance in IPv6
Security Implications of IPv6 on IPv4-only networks
IPv6 deployment considerations

Have you ever wondered whether your business-critical SAP implementation was secure? Do you know how to check it? Have you imagined which could be the impact of an attack to your core business platform? Do you know how to prevent it? This training is the answer to these questions.

For many years, SAP security has been a synonym of "segregation of duties" or "securing roles and profiles". While this kind of security is mandatory and of absolute importance, there are many threats that have been so far overlooked and are even more dangerous, such as the possibility of taking remote control of the entire SAP landscape without having any user in any system.

This training will help you to fill this knowledge gap, allowing you to understand the involved threats and risks and how to mitigate them. You will review the whole picture, from the security of the Environment and the SAP application-level gateways (SAProuter, Webdispatcher), through the assessment and hardening of the Operating Systems and Databases and their interaction with the SAP systems up to the security of the SAP Application Layer: Authentication, User security, Password Policies, Authorization subsystem, Interface Security, Web applications Security, Backdoors, ABAP (in)security, Auditing, Monitoring and more!

The training is organized with many hands-on exercises, which will help you grasp practical knowledge quickly. You will learn how to assess the security of an SAP implementation and then secure the critical security gaps you discovered. You will be able to learn how to use different SAP security tools, as well as Bizploit, the first opensource ERP Penetration Testing framework, developed by the instructor.

The training also provides a quick introduction to basic SAP concepts, which allows non-SAP security professionals to follow the course smoothly.

Social engineering is the use of deception or impersonation to gain unauthorised access to sensitive information or facilities. Because computer security is becoming more sophisticated, hackers are combining their technical expertise with social engineering to gain access to sensitive information or valuable resources in your organisation.

Social engineering attacks can have disastrous consequences, both financially and reputationally. You can have the best technical security controls in the world, from the most expensive firewall to the most sophisticated biometrics, but they will not protect you from a social engineering attack. In any security programme people are the weakest link. Social engineering tests can be used to evaluate and strengthen this link.

Like any penetration test, social engineering tests can help to identify security weaknesses that could allow your IT systems to be compromised. Such tests can:
• Give a good indication of and even improve your staff’s level of security awareness
• Teach your staff how to identify and deal with social engineering situations
• Provide valuable recommendations on both security awareness and physical security
However, it can be difficult to know how to conduct a social engineering test. This training course will teach participants how to conduct an ethical social engineering test as well as giving recommendations on how to defend against social engineers. The two-day training course is split into four parts and will include practical exercises:
Part 1: Social engineering theory
- What is social engineering? The evolution of social engineering
- Why social engineering works? The principles on which social engineering is based
- Who are the social engineers?
- The legal and ethical aspects of social engineering tests
Part 2: Practical social engineering
- Common social engineering techniques (eg, mumble attack, road apples, 10 attack, phishing)
- Analysis of social engineering attacks:
o personal experience
o media case studies
- How to practice social engineering techniques
Part 3: The social engineering test
- The ‘get out of jail free’ card
- How to conduct a social engineering test:
o Target identification
o Reconnaissance (passive information gathering and physical reconnaissance)
o Pretexting/scenario creation
o Attack execution
- Evidence collection
- How to create a social engineering report
- Specific scenarios:
o Offices
o Data centres
o Call centres
Part 4: Defending against social engineering
- Logical security controls
- Physical security
- Security policies
- Education and awareness

Overview

Introduction and adaptation of new technologies like Ajax, Rich Internet Applications and Web Services has changed the dimension of Web Hacking and Security. We are witnessing new ways of hacking and exploiting web based applications and it needs better understanding of technologies to perform penetration testing and assessment of web security. The course is designed by the author of “Web Hacking: Attacks and Defense”, “Hacking Web Services” and “Web 2.0 Security – Defending Ajax, RIA and SOA” bringing his experience in application security and research as part of curriculum to address new challenges for pen-testers, consultants, auditors and QA teams. Web Hacking 2.0 is extensively hands-on class with real life challenges and lab exercises. Participants would be methodically exposed to various different attack vectors and exploits. The learning sessions feature real life cases, hands one exercises, new scanning tools and exploits.

Learning Objectives

• Web hacking landscape and attack surface analysis.
• Advanced protocol analysis and exploitation.
• Penetration testing methodologies and modeling techniques.
• Web application footprinting, discoveries and profiling.
• Fault injection and fuzzing for applications and error enumeration techniques.
• Abuse of functionalities, Denial of Services, Overflows and application traversal attack vectors and penetration.
• Advanced injections with SQL, LDAP, XPATH and OS command.
• Dealing with Blind injections across applications.
• Client Side Attacks and Exploits with XSS, CSRF, Open Redirects, Clickjacking and Browser hacking.
• Exploiting application with various tools and scripts.
• Web 2.0 attacks with Widgets, Mashups and JavaScripts.
• Hacking RIA components written in Flash and Silverlight.
• Reverse engineering Web based applications and tools for deep scanning and analysis.
• Hacking and exploiting cloud based APIs and SOAP structures.
• DOM based attack surface and mobile application pen-testing.
• Source code analysis and hybrid pen-testing approaches.
• Introduction to exploit tools for web hacking.
• Build your tool – writing your own tools for pen-testing.
• Understanding and exposure to scanners and their limitations.
• Live Hacking on sample .NET and J2EE applications.
• Advanced labs for Web 2.0 and RIA applications.
• WAF bypass and obfuscation techniques.
• Defense planning and report building for end users.

All concepts taught in this class are punctuated with hands-on exercises based on situations observed in real life. The class modules end with a challenge exercise. Working within a limited time period, participants are expected to analyze, scan, pen-test, identify loopholes, exploit vulnerabilities present in the applications on the basis of learnt concepts.

Class Prerequisites

• Basic knowledge on Web Application Architecture and Design.
• Basic understanding of web technologies and languages.
• Familiarity with application scanning tools and approaches would be handy.
• Script writing ability using perl, ruby or python would help in coding quick tools (Not a must)

Who Should Attend?

• Web Security analyst, auditors (PCI-DSS), consultants, pen-testers and security professionals who are looking to upgrade their skill-set on enterprise application security and hacking.
• QA and Developers who are looking for new tools and methodologies.
• Program managers and team leaders, responsible for securing SDLC in their enterprise environment.

Hardware / Software Requirements

To participate in hands-on exercises you will need to come with a windows-based laptop.

• OS : XP, Vista, Win7 or Server family
• Please install .NET and J2EE.
• 1 GB RAM
• All other tools will be provided

Recent years saw a significant increase of research in GSM attacks: The weaknesses of A5/1 encryption have been demonstrated and exploited, several GPRS networks in Europe have been shown to be insecure, and an ever-growing number of Open Source projects in the area of GSM and GPRS are gaining significant attraction.

Despite the availability of attack methods, the tools are often hard to use for security professionals due to their limited documentation. The published attacks are often difficult to reimplement when assessing the vulnerability of GSM networks.

This two-day workshop will spend about half the time re-visiting the key aspects of GSM's security features and their publicly known weaknesses.

During the other half, attention is being paid to the hands-on practical sessions, where attendees will be walked through how to use the various tools for GSM security analysis like OsmocomBB, OpenBSC, airprobe, SIMtrace and others.  All tools will be provided pre-compiled and pre-installed on a USB flash drive with a Linux-based live distribution.

The target audience of this workshop are GSM network operators and IT
security professionals.  As attendee, you should be familiar with
working on a Linux/Unix command line shell.  Prior knowledge of GSM/GPRS
network architecture is a plus, but not absolutely necessary.

OWASP rates injection flaws as the most critical vulnerability within the Top 10 most Critical Web Application Security Risks under the OWASP Top 10 project. http://www.owasp.org/index.php/Top_10_2010-A1

This hands-on session will only focus on the injection flaws and the attendees will get an "in-depth" understanding of the flaws arising from this vulnerability. The topics covered in the class are:

• SQL Injection           
• XPATH Injection
• LDAP Injection
• Hibernate Query Language Injection
• Direct OS Code Injection
• XML Entity Injection

The workshop covers classical issues such as SQL Injection, which is an oldie yet very relevant in today's scenario as well as some lesser known injection flaws such as LDAP, XPATH and XML Injection.

During the 2 days course, the attendees will have access to a number of challenges for each flaw and they will learn a variety of exploitation techniques used by the attackers in the wild. Identify, extract, escalate, execute; we have got it all covered.

The key objectives of the class are: 

1.    Understand the problem of Injection Flaws

2.    Learn a variety of advanced exploitation techniques which hackers use.

3.    Understand how to fix the problem?



What do real modern terrorists do with encryption tools? Do they use them? Do they know how to communicate securely?

The spectre of international terrorism networks hiding behind “unbreakable” crypto communications was the war cry for security agencies lobbying for “key escrow” and inherently insecure encryption during the “Crypto Wars” of the 1990s. The agencies lost their campaign. Key escrow proposals hit the trash.

After 9/11, the zeitgeist changed. New laws compelling targets to hand over crypto keys were introduced globally. Were they needed? Do the laws work? Can they work?

The reality of terrorists’ communications and crypto is mundane, repeating classic centuries old errors – such as the wannabee airline bomber who told Al Qaeda’s new chief to reject AES and use insecure homebrew methods instead. (He was arrested within the week.)

Many exotic claims about terrorist encryption have been shown to be fantasy, and their competence exagguerated.

Intrusion Detection Systems or IDS for short have been sold for many years as a solution to stop attackers from both the "inside" of a network, and the "outside". There is little doubt that the capabilities of these devices have been over sold, and at their very heart is some implementation problems that have no simple fixes.

The talk looks at one of the underlying problems an IDS faces when conducting packet inspection, reassembly.

Reassembly evasion techniques aims is to confuse an IDS system during packet inspection, by either supplying data to an IDS that will never be factored in at the receiving end (insertion), or by confusing an IDSs very process of reconstructing the data stream. In essence Reassembly evasion techniques attack the very process of inspection.

From the insertion of rogue nulls, to over-lapping, and over-writing the contents of packets, mean that an IDS has very little chance of being able to catch all bad traffic. Many IDS systems are geared to dealing with a high traffic volume, and any reassembly is going to be both difficult and taxing on system resources, whilst slowing the network down. With very little enumeration a potential attacker can utilise a number of reassembly evasion techniques to aid in the escape of otherwise prohibited traffic.

The talk will look at a few of the known reassembly evasion, and some of the not so well known techniques.

With the aim of educating the attendees of the talk on what to look out for, and how to better understand the threat faced by IDSs. In short this talk looks at: Getting The Fragments Out

The situation of severe economic crisis is surely known to all; the European Union to reduce the crisis has prepared an ambitious project, “Europe 2020”, defined as a “european strategy for smart, sustainable and inclusive growth". One of the key elements of this strategy is the Digital Agenda, a set of tools and strategies based on IT that will bring economic and social benefits in the short and long term. The Digital Agenda is Europes strategy for a flourishing digital economy by 2020 and, to achieve these goals, the European Commission will work closely with national governments, concerned organisations and companies.

A so wide strategy provides a strong coordination between public and private institutions, located in countries with different concepts and procedures relating to IT security.
In 2010 I have explored the phenomenon of responses to attack in an industrial context, in 2011 I extended my analysis to the political structures and countries involved in the Digital Agenda program of the European Commission.
The main focus of the research was directed towards two issues: the perception of security among the various types of attack and the communication with the various stakeholders.
To explore the first theme I simulated attacks against more than 40 agencies, located in 12 different countries, measuring performance and results. The simulations involved 1084 workers in six months.
The second issue has led to the analysis of security policies and simulations of communication for 78 agencies, located in 21 different countries, both in relation to external communication with its members, which with the press and other interested parties. This second analysis involved 2418 users, each with a different nationality and language and computer skills and communications.
Special attention was devoted to analyzing the transmission of knowledge and learning (training) as well as analysis of the form of social engineering used to overcome IT security systems.

The study does not want to criticize the digital agenda, which is one of the best strategies applicable to solve the economic crisis, but only to demonstrate the critical and weaknesses of computer security in the european public sector. a true digital economy will never take off without IT security.
And IT security means understanding the phenomenon and invest money in research, education and infrastructure.

Bluetooth robustness is wretched, no surprise there. Bluetooth test results from plugfests show 80% failure rate, eight out of ten tests end with a crash. It is not pretty, it is sad and frustrating. For a moment, few years back, there seemed to be light at the end of the tunnel: the failures were moving up the Bluetooth stack, and for example L2CAP robustness showed some improvement. Only for a moment though, as recent tests again show a steady decline in results.

In this session, will discuss Bluetooth vulnerabilities and the problems they may cause. We will share our test results from plugfests and car kit tests, including a few demos of actual test cases. That will basically demonstrate how easily everything crashes: we were unable to complete a single test run successfully. Sooner or later, usually sooner, every equipment failed.

Of course, presenting one failed test case after another is not very interesting in the long run. That is why the second part of the presentation consists of discussion on fuzzing techniques and creating intelligent fuzzers for Bluetooth systems. We will discuss attack vectors, different approaches and opportunities, and speculate the possibility to break the pairing requirement. We will also discuss how and why building intelligent fuzzers is basically a waste of time, since all the test targets will fail even with the less intelligent test suites.

Abstract:
Presentation gives insight into Russian black market pricing and revolves around available "products", means of payment, how these "products" ended up for sale, and most importantly how not to end up for sale yourselves.

The talk will aim to provide an introduction into the Windows Phone 7 (WP7) security model to allow security professionals and application developers understand the unique platform security features offered. Currently very little public information is available about Windows Phone 7 OS security preventing adequate determination of the risk exposed by WP7 devices.

The ever increasing challenges and stages of exploitation an attacker has to overcome to achieve full compromise will be discussed. The talk will outline the implementation of these security features and will demonstrate weaknesses and vulnerabilities an attacker could use to bypass the multiple levels of platform security.

A number of OEM manufacturer weaknesses, "features?" will be discussed and a demonstration of how these "features" can be abused in conjunction with conventional exploits to achieve full compromise of the phone will be performed. The talk will demonstrate how OEM phone manufacturers can weaken the security posture of an otherwise strong granular security model and also demonstrate how targeted attacks can be made which leverage this OEM "functionality" to compromise sensitive information.

Cyberwar and Cybercrime are currently heavily discussed topics even in the mainstream media. IT, and therefor IT security, spread almost everywhere, from automobiles to home automation, from main battle tanks to nuclear power plants and from desktop PCs to smart phones. This raises several security problems in different technical and non-technical domains.

I try to develop an international strategy for IT security, which shall give some answers regarding technical, psychological/social and political security problems. It will also outline some questions which have to be answered by security research in the near future. Those questions include Cyber Law and Cyber Law Enforcement, Security Awareness, Teaching Security, Operating Systems Security and Product Liability for Software Developers.

In this talk I will show how to make a phone send an SMS message without the user’s consent and how to make the phone not to receive any message. The method used works on any phone, no matter if it’s a smartphone or not and also on any GSM/UMTS network. I will present how you can take advantage of sending a special crafted SIM Toolkit command message in order to achieve all that. Finally, I will present the results and their impact on the user and mobile networks security.

What kind of internal and external controls from regulations and other sources are there? What is IT-Risk and IT-Compliance management? Why and for whom does it matter? How can we handle it and how does compliance aggregation fit into the picture?

We will then look at the SOMAP.org project which is an Open Source project working on tools to handle IT-Compliance aggregation and IT Security compliance management in general. We will discuss why compliance management is not only about hot air but can make sense when done right.

This presentation describes the enhancement of scapy, the powerful interactive packet manipulation program, by the layer-3 of the Global System for Mobile Communications (GSM) protocol. Layer-3 of the GSM protocol is part of the UM-interface, which
is the air interface connecting the mobile devices to the operators network. In addition to the demonstration of the addon we will introduce
new attacks on the GSM baseband, targeting the logic of the baseband state-machine. Thus far attacks on GSM were mainly directed to vulnerable code running directly on the phone. Recently a totally new attack-vector was successfully used to exploit mobile stations over the air, attacks on
the baseband stack. Security researchers working on GSM baseband security lack of open-source tools to analyze the security of the baseband stack. This presentation introduces a scapy-addon allowing
users to create GSM layer 3 packets using simple python syntax. Furthermore, this presentation will continue the effort of security researchers to test
the security of the baseband stack, that has been, until now, neglected. This is done using and enhancing already existing open-source tools. In
addition, possible scenarios of novel attacks on the GSM baseband stack are discussed. This presentation demonstrates attacks and tests on the
logic of the GSM state-machine using our newly created addon. One of our results are that
classical attacks, found in the literature have been successfully rebuild using our tool. Furthermore, possibly vulnerable parts of the GSM state-machine are explored and discussed in this talk. To the best knowledge of the author there is no prior work presenting a tool allowing to build the whole layer 3 of the GSM specification on the
command line, as well as there is no work presenting attacks on the state-machine of the
GSM baseband stack, so far.
In a nutshell, while one focus is to introduce the new part of scapy, another focus is put on classical as well as on novel
attacks.

By using practical Web 2.0 examples our talk highlights the design challenges for modern IT-security systems, which are used by a mass of end-users. It is based on the fact that the number of (IT security-) untrained end-users results in security-challenges that are mainly caused by human factors instead of technical problems. Based on “Personas” from the EC funded project uTRUSTit we will highlight the challenges in modern IT-security system design. By comparing the cognitive nature of end-users and developers we will show usability challenges and attempt to provide processes for the solution of current problems and misunderstandings. We will show how a user centric design process (based on ISO/TR16982) can be adopted to tackle the challenges in IT-security system design. The user is the weakest link in the chain and this has to be understood when designing IT security systems.

Without doubt, Skype is the most famous and widely used service for voice and video-chats over the internet.

Philippe Biondi and Fabrice Desclaux already described in their BlackHat 2006 talk "Silver Needle in the Skype" how Skype Ltd., as the operator of the CA of the Skype network, is virtually capable of easily eavesdropping on every single call made in the Skype-Network.

Though it is unclear, whether this capability is really made use of or is maybe even sold to governmental organisations.

To mitigate these severe privacy issues, a tool was developed, that extends the latest Skype-Clients for Windows with functionality for making verifiable secure and eavesdrop-safe P2P calls over the Skype-Network. The security-gain arises from an authenticated key-exchange that is performed for each new call between the involved extended Skype-Clients. The securely exchanged key is then used to establish an additional cryptographic layer that covers every IP-packet that is exchanged between the involved parties of a call. At it's cryptographic heart the developed tool uses the proven Off-The-Record Library (libOTR) as well as Microsoft's Cryptography API.

This way Skype-users do neither need to rely any longer on the trustworthiness of Skype Ltd.'s central CA nor on the correctness and effectiveness of the Skype-Clients' own cryptographic implementations.

The planned presentation will describe the major challenges that had to be taken during the implementation of the tool and give an overview on its architectural details. Besides that, a short insight will be given on how parts of the Skype-Client for Windows were reverse engineered.

The development of the described tool was part of the composition of the author's Diploma Thesis "Konzeption und Implementierung einer zusätzlichen Verschlüsselungsschicht für Skype" that will be handed in at the Ruhr-Universität Bochum within the next weeks.

Rule-based behavioral security has been talked about for decades BUT is it really the silver bullet solution to the malware problem? We don’t think so. In this talk, we’ll discuss the pros and cons of rule-based behavioral systems, using real-world threats as case studies to showcase the approach’s strengths and weaknesses. Next we will discuss how techniques such as supervised and unsupervised machine learning can address many of the inherent limitations in legacy behavioral systems. We will demonstrate how to implement such a machine learning-based behavioral system using freely available tools like WEKA, and provide the attendee with sufficient information to further investigate this area on their own. Finally, we will discuss their limitations of these machine learning-based solutions and propose several potentially fruitful areas of research. The talk will use real world threat examples to illustrate points.

Here is the outline of the talk:

Motivation behind behavioral security
Malware space data analytics
Rule-based Behavioral Security Overview
Explanation of rule-based behavior blocking
Pros and cons of the rule-based model
Malware case studies
New cutting edge approaches
Machine Learning: Supervised & Unsupervised
How to build a machine learning-based behavioral system
Practical Application, Limitations and Challenges
Challenges of real-world deployment
Requirements of real-world behavioral solutions
Real-world case study review
All the things that can and will go wrong
Final review of the solution
Strengths and weaknesses

Mobile devices are everywhere - and they get smarter by the minute.

But are mobile devices safe? This talk looks at physical and psychological aspects of mobile device security, and also covers the various types of software attacks!

FakeAntivirus or Rogue malware is a common threat seen by most computer users today. They are penetrating into mobile and mac world too. I would like to give a brief picture of different types of Fakeantivirus , how they were born and evolved , what they do and how industry is tackling this threat. I would also like delve deep into how they are sold/created in underground forums and introduce about packers used for producing fakeav and also investigate how their business network work.

An overview of the security risks in non-executable files such as PDF, rich media and office documents. The extent and the roots of the issues (not only in terms of infection). The approaches to store and hide, in order to avoid detection, malicious data inside these file formats and what can be done in terms of prevention. Also, ramifications for the embedded sector. The talk aims to range from global considerations to individual cases.

Three years ago, I gave a talk at DeepSec called Fear, Uncertainty and the Digital Armageddon on the subject of critical infrastructure compromise. At the time, there was significant worry about the danger that digital sabotage posed to the systems that run our everyday lives. It appears that our threat landscape has changed considerably since then and that the Internet (and by proxy the world?) is a significantly more dangerous place. Cyberwar, Stuxnet, and APT have become common industry buzzwords. Malware has become prevalent on platforms other than windows, and it seems like every month or so another security company suffers a high profile compromise or data leak. Are we really hurtling towards the Infocalypse? An age where the Internet is mainly a conduit for espionage and organised crime? Or is this simply hype in a industry obsessed with $$$$??? This talk will examine aspects of the security arms race occurring today, one that is both digital and ideological.

There are a number of protocols and standards designed to deliver mechanisms for enabling the identity attributes of users to be shared between different web sites. Identity technologies such as OAuth and OpenID are being adopted by small and large size organizations to share or consume user resources across the web.

This presentation is a focuses study of some of these emerging user-centric Identity technologies and their key security implications. We will present scenarios of how insecure implementations of these protocols can be abused maliciously. We examine the characteristics of some of these attack vectors, with real-world examples, and focus on secure application implementation and countermeasures against attacks.

The talk starts with an introduction to OAuth and OpenID which will set the foundation for the upcoming attack vectors and countermeasures.  The majority of the presentation will be spent on attacks and remediation techniques. We will cover real-world examples of insecure implementations by presenting code snippets and design flaws. 

While information security can be improved in a number of ways, one powerful approach is continually overlooked by security researchers. This approach constitutes a collective effort by masses of computer users, where each individual has a very limited understanding of information security and is frequently forced to improve security by various laws and regulations. Pressure coming from both government side and cybercriminals affects small businesses capability of conducting business as usual. It is questionable whether in such situation adequate security level to protect information could be achieved.
This presentation is our attempt to address such gap and to analyze current status of information security processes in masses based on the situation in the US, and to identify our ability to protect personal information through government regulatory affairs and regulations implementation. We recognize that the US has a specific form of government, laws and business organization. However, since information security and protection of personal information is a growing global concern, the hope is that our analysis will help international security community at large to avoid some pitfalls discussed below.
While the US has numerous laws protecting personal information, two of the regulations are most pertinent. They are the federal HIPAA/HITECH and state of Massachusetts MGL c.93H/201 CMR 17.00. This paper considers obstacles in achieving compliance with both regulations. In particular, the compliance process affects small and mid-size businesses. Those types of businesses, by and large, do not have sufficient resources to be compliant. The situation is made even more difficult by virtue of government not providing any help to start the compliance process. The second problem is that US government doesn’t take the appropriate measures to enforce the compliance. Authors consider degradation in security as a result of the deficiencies in the enforcement process. Such uncertain and grim security situation can be significantly improved if government and businesses worked together as a part of one process. Authors recommend certain measures for achieving a better security posture, including automation of compliance process phases.

This talk give you an update on the new things in Suricata, the next-gen IDS engine! Suricata is being developed by the Open Information Security Foundation (OISF) and has been released with a stable version in July 2010.

We’ve all heard of - or have even been a victim of - attacks against online banking users where malware on their computers stole their identities and transferred their money to offshore mules’ accounts. While such attacks are still possible and will probably remain a viable threat, they suffer from severe limitations: the loot is limited by the amount of money on victims’ accounts, attacks only work against more gullible people and banks are employing security measures that make identity theft increasingly difficult.

These factors create incentive for criminals to focus on online banking servers. Incidentally, that’s where - as famous bank robber Willie Sutton might say – all the money is. Now, Mr. Sutton lived in the times of physical currency and had to rob the banks the old fashioned way with guns and actual physical presence, risking his life and endangering lives of others. Today, 90% of all money is in a digital form inside banking databases. It therefore shouldn’t surprise us if tomorrow’s Suttons will break into banks disguised in malicious server requests that sneak past the predictable e-guards and force the compliable bank e-tellers to hand over the money or send it to a foreign account.

An online banking server application is an implementation of the business logic that provides online banking services to remote users on PCs or mobile devices. Security requirements are plenty and diverse, for instance: making sure who the user is, preventing users from accessing data or funds from another user (unless authorized) and limiting payments to available funds and preventing unauthorized overdrafts. And stakes are very high: a single error in such application can potentially provide a way to steal large sums of money from personal or corporate users, to instantly borrow an unlimited amount without authorization, to enter a maliciously-doctored legally binding agreement with the bank or even to create new money out of thin air.

This presentation will reveal future attacks against online banks, which we continually find possible in our security reviews. We’ll show how e-bank robbers of tomorrow will approach the targets, hide their reconnaissance and attacks, cloak their identities and retrieve the stolen funds. You will also see how a frequent error in online banking applications allows users to make serious profits on simple automated operations – without ever breaking the law.

The bankers in the audience will have a rare opportunity to get a heads up about future attacks before these are mounted against their systems, and those developing online banking systems will get a list of most critical security flaws they absolutely have to avoid. The attacks presented will be a mix of surprising triviality and devious cleverness, leaving the audience slightly worried about the fragility and vulnerability of today’s financial systems.

Bank robbers are kindly asked not to attend.

Browser security is still one of the trickiest challenges to afford
nowadays. A lot of efforts has been spent on mitigating browser
exploitation from heap and stack overflows, pointers dereference and other
memory corruption bugs. On the other hand there is still an almost
unexplored landscape.

X-Frame-Options, X-XSS-Protection, Content Security Policy, DOM sandboxing
are good starting points to mitigate the XSS plague, but they are still
not widely implemented.

We will see how a framework like BeEF can be used to abuse the security
context of a browser. As we are able to manipulate the DOM for fun and
profit in 95% of web applications, a trivial reflected or DOM-based XSS is
enough to hook a victim browser to BeEF and control it completely.

The presentation will cover the following main areas, between the many:
Cutting: stealth activities, target enumeration and analysis, comman
module autorun.
Devouring: internal network fingerprint via JS, exploiting internal
services through the browser, keylogging, browser pwnage, autopwn.
Digesting: persistence, tunneling sqlmap/Burp through BeEF proxy, XSS Rays
integration.

The IPv6 protocol suite was designed to accommodate the present and future growth of the Internet, by providing a much larger address space than that of its IPv4 counterpart, and is expected to be the successor of the original IPv4 protocol suite. It has already been deployed in a number of production environments, and many organizations have already scheduled or planned its deployment in the next few years.

There are a number of factors that make the IPv6 protocol suite interesting from a security standpoint. Firstly, being a new technology, technical personnel has much less confidence with the IPv6 protocols than with their IPv4 counterpart, and thus it is more likely that the security implications of the protocols be overlooked when they are deployed. Secondly, IPv6 implementations are much less mature than their IPv4 counterparts, and thus it is very likely that a number of vulnerabilities will be discovered in them before their robustness can be compared to that of the existing IPv4 implementations. Thirdly, there is much less implementation experience with the IPv6 protocols than with their IPv4 counterpart, and “best current practices” for their implementation are not available. Fourthly, security products such as firewalls and NIDS’s (Network Intrusion Detection Systems) usually have less support for the IPv6 protocols than for their IPv4 counterparts.

While a number of papers have been published on the security aspects of the IPv6 protocol suite, they usually provide general discussion on the security implications of IPv6, but do not delve into much detail regarding the security implications of each of the mechanisms, header fields, and options of all the involved protocols.

During the last few years, the UK CPNI (Centre for the Protection of National Infrastructure) carried out a comprehensive security assessment of the Internet Protocol version 6 (IPv6) and related technologies (such as transition/co-existence mechanisms). The result of the aforementioned project is a series of documents that provide advice both to programmers implementing the IPv6 protocol suite and to network engineers and security administrators deploying or operating the protocols.

Fernando Gont will discuss the results of the aforementioned project, highlighting the most important aspects of IPv6 security, providing advice on how to deploy the IPv6 protocols securely, and explaining a number of vulnerabilities that were found in IPv6 implementations (together with possible strategies to mitigate them). Additionally, he will demonstrate the use of some attack/assessment tools developed as part of this project (yet unreleased).

Further information can be provided if requested by the Program Commitee.

Through the adoption of Web 2.0 and cloud based services, we have increasingly come to rely upon free services provided by commercial entities. Web mail, online backup, social networking, photo sharing, web browsers, pdf readers, anti virus software, etc.

Some of these products collect our data directly. In such cases, the exchange of user data for free services is well known, at least to many savvy users.

However, many other products do not collect our private data. Instead, they quietly facilitate and enable data collection by other parties.

Unsurprisingly, the default values for many of the tools we use have been selected to guarantee that most consumers will be tracked, and their personal data analyzed. Privacy does not come first.

This talk combines behavioral economics, awareness of Internet business models, and a healthy dose of paranoia to analyze one of the primary reasons we have so little privacy online - because it would limit the profits of those whose free products and services we use.

"SAP platforms are only accessible internally". You may have heard that several times. While that was true in many organizations more than a decade ago, the current situation is completely different: driven by modern business requirements, SAP systems are getting more and more connected to the Internet. This scenario drastically increases the universe of possible attackers, as remote malicious parties can try to compromise the organizations SAP platform in order to perform espionage, sabotage and fraud attacks.

SAP provides different Web interfaces, such as the Enterprise Portal, the Internet Communication Manager (ICM) and the Internet Transaction Server (ITS). These components feature their own security models and technical infrastructures, which may be prone to specific security vulnerabilities. If exploited, your business crown jewels can end up in the hands of cyber criminals.

Through many live demos, this talk will explain how remote attackers may compromise the security of different SAP Web components and what you can do to avoid it. In particular, an authentication-bypass vulnerability affecting "hardened" SAP Enterprise Portal implementations will be detailed.

Update: New attacks not presented in previous conferences will be also demonstrated. You will see how the content of your SAP Enterprise Portal may be accessed by anonymous attackers from the Internet, abusing default weak configurations. Well also talk about a misconfiguration in default SAP Java Application Servers that may allow access to sensitive features, bypassing authentication and authorization capabilities. As usual, you will learn which are the protection measures that you need to implement before your business crown jewels are gone.

James Bond has the coolest tools in the world, but when do we get to play with them?

Almost everyone out there wants to have the coolest gadgets from the movies, but when do you we get them. This talk will look into the advancements of technology and the ability
for todays tech toys to be tomorrows super gadget. The talk will walk the participants through a number of historical advances touching on espionage and security subvergence
and the relation of what is real and what is only available in the movies. Once the participants have an understanding of how normal every day devices can be leveraged to be more
than they appear Kizz will dive into how the relation of this can be applied to the thought process of every organizations security policy and procedures.

The acceptance and integration of technicologically advanced devices, into our everyday life has allowed for them to penetrate deep into secure areas. In particular, the ability
to have your phone along with you at any moment of the day feeds our needs for social media, email, business, and pleasure. Smartphones and tablets have only just begun to enter
our environments and most dont understand the security risks when allowing their use.

Having developed "The WMD Package" as a penetration testing platform it allows users leverage over a number of security controls. This presentation will provide participants
with the ability to view the applications of such a device and provide an understanding as to how to approach securing an organization against most of the attack vectors. At the
end of the presentation the audience will take part in a live demonstration of how "The WMD Package" works and have a chance for some question and answer time.

The rapid evolution of cloud based computing is often used to illustrate
a possible paradigm shift in computing. The centralized processing and
storing of data allows the development of new architectural approaches
as well as completely new usage experiences. The implementation of these
architectural models is a critical requirement to profit from a shift in
computing to this new model.
To provide a toolset for measuring potential profits for performing this
shift, we want to introduce "skyscraper": It is a framework für load
testing cloud based applications including a specially developed demo
application for major cloud platforms. Using skyscraper, the results of
several load tests are illustrated to show possibilities and caveats of
the scalability of cloud based infrastructures. The evaluations were
performed against the platforms of several major cloud service providers
hosting the demo application of skyscraper. This demo application is
utilizing all possibilities to improve scalability and security of
cloudified applications, so a guide to the security and scalability
features and limitations of cloud platforms is presented in addition.

After a long time I have been researching for the whole way for a popular game trojan steal password from network game players. The research include:
How to install a trojan into user’s system
The workflow for a game trojan
How it pass AV detection
How to steal user information
The underground market
Part 2 is the main part for this topic, it include the technology of inject a dll file under Ring3, packer encryption, and so on.

SAP systems are the heart of many enterprises. Most critical business functions run on SAP Applications and the complexity of these systems makes it very difficult to protect against attackers. Default setups, forgotten/unimplemented security configurations, weak password management and change processes that apply to one ‘unimportant’ system can result in complete compromise of the SAP landscape. The legal consequences, lost/damaged business and reputation can be disastrous depending on the type of the attack. While companies invest a lot to secure SAP systems at business process level for example by designing authorization concepts, implementing separation of duties or by using GRC (Governance Risk and Compliance) tools, the security at technical level mostly lacks attention. In this paper, I present several attack paths exploiting configuration weaknesses at technical level, leading to attack potential to single systems, to whole SAP landscapes, and finally the whole enterprise network. By demonstrating creative exploit variants of configuration weaknesses, I motivate the necessity to safeguard a SAP system at technical level.

T.B.A.

Current trends in automotive industry are changing the car more and more from mechanic engineering towards electric engineering. The car is starting to resemble more to a computer with mechanical peripherals, yet the same does not seem to happen on its security. One big step towards securing cars was of course the introduction of immobilizer, yet as everyday living shows, new vehicles are still being stolen. Immobilizers can be bypassed by one of the following methods:
• Disable the immobilizer by replacing factorys’ ICM that contains and controls data, with a new masquerading unit, thus the immobilizer can’t be activated.
• By attaching an electronic device between the computer unit and the OBD. We are able to decode the immobilizer, allowing the deletion of existing system.
• Copy the e-keys of the immobilizer units.
• Tapping the transmitted signal-code.
• Accessories Attacks (MP3 players, infotainment system).
• DoS from RFID Zapper. Immobilizers use RFID authentication.
Of course there’s always the possibility of using after-market audible alarm device, yet this usually does not prevent stealing, but rather deters, moreover if not properly installed, it may create new entry points.
In order to patch some of these security breaches and create a more extensible in-vehicle computer system, we propose the use of a TTP entity inside the vehicle, which sends the ignite signal to the engine only if the main parts of the vehicle have properly been authenticated. The vehicle’s MCU takes the role of the TTP, therefore applying a “Deny all” policy towards any possible malicious hardware injection. In order to secure the MCU from software attacks, the MCU resides inside an application firewall which filters incoming traffic.
Moreover, we apply a role based approach towards possible vehicle users, which are authenticated by appropriate credentials. Finally we categorize vehicle parts enabling the vehicle to be usable if certain secondary parts fail to function, something that is very usual in vehicles, due to severe use.

Social Engineering threatens many businesses around the world and it seems that the best solution to date is employee training. This doesn't stop the attacks; it just makes it harder for the attacker. My final year project at university is to model social engineering attacks and then draw upon computer security principles to determine a solution to the problem.

The ultimate objective is to find a single (or at least a small number) of solutions that solve all (or the vast majority) of social engineering attacks. If the project is successful it could revolutionise how we defend against social engineering attacks.



When it comes down to releasing vulnerabilities there are no right or wrong ways to do it. The process of responsible disclosure and releasing an advisory has not been agreed upon despite efforts to the contrary, and because of this, they are handled in a number of ways. Add unexpected third parties, uncooperative vendors, and potentially lawyers into the mix and youve got quite the party. This talk aims to educate individuals about the process of responsible disclosure, commons pitfalls and mistakes, and various techniques to make your lives easier if you ever find yourself in a situation where you just made calc.exe pop up on your friends box using a previously unknown technique. A number of various personal stories from the presenter will also be included to enlighten, educate, and hopefully humor the audience about the experience of the chess game that is responsible disclosure. I will talking about an online gateway that I plan to develop and to help researchers and teams find security contacts and develop their own security policies in house. I will also briefly mention third parties like VUPEN, ZDI, upSploit etc. and how they can help to manage your vulnerabilities.