Speakers (preliminary) - DeepSec IDSC 2013 Europe

Attacks On GSM Networks

Dieter Spaar & Harald Welte (Independent Researcher & HMW-Consulting)

Recent years saw a significant increase of research in GSM attacks: The weaknesses of A5/1 encryption have been demonstrated and exploited, several GPRS networks in Europe have been shown to be insecure, and an ever-growing number of Open Source projects in the area of GSM and GPRS are gaining significant attraction.

Despite the availability of attack methods, the tools are often hard to use for security professionals due to their limited documentation. The published attacks are often difficult to reimplement when assessing the vulnerability of GSM networks.

This two-day workshop will spend about half the time re-visiting the key aspects of GSM's security features and their publicly known weaknesses.

During the other half, attention is being paid to the hands-on practical sessions, where attendees will be walked through how to use the various tools for GSM security analysis like OsmocomBB, OpenBSC, airprobe, SIMtrace and others. All tools will be provided pre-compiled and pre-installed on a USB flash drive with a Linux-based live distribution.

The target audience of this workshop are GSM network operators and IT
security professionals. As attendee, you should be familiar with
working on a Linux/Unix command line shell. Prior knowledge of GSM/GPRS
network architecture is a plus, but not absolutely necessary.

Dieter Spaar is a self-employed software developer and consultant with more than 25 years of experience in system-level and embedded development on a variety of architectures. In the last couple of years, he has been a key figure in the GSM research area. In 2008, he first co-presented on the subject of running small independent GSM networks for research use. At DeepSec 2009, he first demonstrated his implementation of the so-called RACH DoS attack.

Harald Welte is a freelancer, consultant, enthusiast, freedom fighter and hacker who is working with Free Software (and particularly the Linux kernel) since 1995. After having worked extensively in the area of IP network security where he co-authored netfilter/iptables, he has been researching non-IP communications protocols and systems such as RFID, DECT, GSM and TETRA. He is involved in the development of almost all the tools discussed in this workshop.

Effective IDS/IPS Auditing And Testing With Finux

Arron Finux Finnon (Alba13 Research Labs)

IDS/IPS is rarely tested effectively on any Penetration Test. At best the results are based on a sacrificial host being exploited and either the detection system picked up the attack or it failed to. However very rarely does that actually show the real issue or a true reflection of the threats faced by a security device.

In this one day training course we will look at what exactly a IDS/IPS does and its capabilities, how detection takes place, and what should make up an effective IDS/IPS test/audit. This training will be of use to people who manage and maintain IDS/IPS solutions, or security testers who wish to offer IDS/IPS audits and assessments to their clients.

Attendees will learn why using a sacrificial host for a IDS/IPS audit has its inherent problems, and what alternative testing methods should be used. In addition, what particular issues should be looked at, and how tester can test for them.


Exploiting Web Applications Protected By $WAFs

Florian Brunner (Holistic Security Consulting GmbH / Board Member OWASP Austria)

Web application firewalls are now used as mitigation devices to prevent exploitation of web based assets. During this workshop the audience will learn how to exploit web applications that are deployed without any protection of web application firewalls. Typical attack vectors based on OWASP’s Top Ten 2013 are explained and experienced during several hands-on sessions. The second day will introduce possible mitigations scenarios using standard mod_security WAF rule sets.

The workshop participants shall learn how to configure mod_security on their own and why the default configuration or the out-of-box $WAF is an illusion. The experienced attacks of the first day shall be repeated and prevented by the participants themselves. During hands-on sessions the workshop trainer will advise and outline certain rules and evasion techniques. At the end of the second workshop day the audience is confronted with a highly customized mod_security ruleset to demonstrate the capabilities and the effort required to build secure web applications with $WAF and why secure coding and security requirements engineering is still required for web applications with or without $WAFs.

My name is Florian Brunner and I work as security consultant at HolisticSec, a company I founded.
Before the foundation of my own company back in 2011, I was working as a software engineer for an international MES vendor. I have a bachelors degree in Secure Information Systems at the University of Applied Sciences Upper Austria, Campus Hagenberg and I will graduate my master's degree in the winter of 2013. Alongside my studies at university I was chairman of "Hagenberger Kreis zur Förderung der digitalen Sicherheit", a students association founded back in 2002 with the aim of enhancing the security awareness within Austria. The yearly ICT security conference "Security Forum" is organized by this association. The main activities within my own company focus on penetration testing, social engineering and secure software
development. Since 2008 I was part of the CTF team h4ck!nb3rg.

Hands On Exploit Development

Georgia Weidman (Bulb Security LLC)

In this 2 day class we will study introductory to intermediate exploit development for Windows and Linux platforms. In class you will gain hands on experience finding vulnerabilities, writing working exploits from scratch, and porting public exploit code to meet your needs. We will start with the basics of stack based buffer overflows, structured exception handler overwrites. Then we will move onto bypassing more advanced anti-exploitation measures such as stack cookies, ASLR, DEP, etc. The use of techniques such as egghunters, ROP, heap exploitation, etc. will be covered. In addition to writing exploits from scratch we will look at public exploit code and porting it to fit our environment’s needs. We will also look at writing Metasploit modules and porting our exploits into Metasploit. Hands on labs for both Windows and Linux will be covered, exploiting real vulnerable programs.

Georgia Weidman is an experienced penetration tester, security researcher, and trainer. She holds a Master of Science degree in computer science, secure software engineering, and information security as well as holding Certified Ethical Hacker (CEH), Certified Information Systems Security Professional (CISSP), NIST 4011, and Offensive Security Certified Professional (OSCP) certifications. Her groundbreaking work in the field of smartphone exploitation has been featured in print and on television including MIT Technology Review, Ars Technica, PC World, Fox News and Global TV Canada. She has presented her research at conferences around the world including Shmoocon, Hacker Halted, Security Zone, and Bsides. Georgia has delivered highly technical security training at conferences, hacker spaces, and schools to excellent reviews. Building on her experience working in both the public and private sectors, Georgia founded Bulb Security LLC (http://www.bulbsecurity.com), a security consulting firm specializing in security assessments/penetration testing, security training, and research/development. She was awarded a DARPA Cyber Fast Track grant to continue her work in mobile device security.

Social Engineering Awareness Training - One Day Training Course

Sharon Conheady & Martin Law (First Defence)

What are you doing to protect your organisation against social engineering attacks?

This one day workshop provides an introduction to defending against one of the most prevalent threats faced by organisations today – social engineering.

Social engineering is a collection of techniques for manipulating people into providing inappropriate access to physical or information assets. It is a form of intrusion that depends on human interaction. It typically involves deceiving people and exploiting the innate human desire to be friendly and helpful and to avoid confrontation, so that they compromise normal security procedures.

Even where optimal physical and technical information security controls have been implemented, the human vulnerability can lead to compromised confidentiality, integrity, and availability.

The workshop focuses on attacks that your organisation may be subjected to, the steps you can take to defend yourself, and the ways you can improve your social engineering awareness to ensure a sustained defence.

The objective of the course is to provide participants with the tools and knowledge to identify and deal with social engineering attacks by learning the characteristics of and methods used by social engineers. As potential unwitting victims themselves, participants will gain a better understanding of what motivates them and how their own actions may be manipulated by an attacker. Most importantly, participants will return to their workplace confident in the knowledge that they are better prepared to counter any social engineering attempts, and know how to respond to such attempts.

Course content

Introduction to social engineering
This unit provides an introduction to social engineering, what it is, why it is a threat and who the malicious social engineers are. It will provide a brief summary of the evolution of social engineering from the golden era of the con man to the social engineering attacks of today.

Social engineering principles
This unit provides an overview of the principles on which social engineering is based and will help participants to understand why social engineering works.

Common social engineering techniques
This unit will discuss common techniques used by social engineers, such as mumble attacks, road apples, phishing/vishing/smishing, etc. It will include plenty of examples from real life experience and the media.

Defence against social engineering
This unit will suggest different methods for defending against social engineering attempts, including:
• Logical security controls
• Physical security
• Security policies
• Education and awareness

Social engineering testing
This unit will provide an introduction to social engineering testing and go through the stages involved in planning and executing an ethical social engineering test.

Who should attend?
Anyone with an interest in learning how to protect themselves or their organisation against social engineering attacks.

Sharon Conheady is a director at First Defence Information Security in the UK where she specialises in social engineering. She has social engineered her way into dozens of organisations across the UK and abroad, including company offices, sports stadiums, government facilities and more. She has presented on social engineering at security conferences including Deepsec, Defcon SE CTF, Brucon, Recon, CONFidence, ISSE, ISF and has featured on podcasts including pauldotcom.com and social-engineer.org.
After inventing the Internet alongside Al Gore, Sharon moved on to the development of security protocols that were used to crack 128 bit encryption. She holds a degree in Computer Science from Trinity College Dublin and a MSc in Information Security from Westminster University. Three times winner of the Nobel Prize, Sharon enjoys belly dancing and space travel.
If you see Sharon around your office, she requests that you kindly open the door to let her in.

Martin Law has over 20 years security expertise and has been performing physical and social engineering tests since 1994. As an accomplished penetration tester, he now specialises in accessing buildings physically by using a combination of social engineering and other techniques to bypass physical security.
Martin also undertakes investigations into actual or suspected security breaches, and specialises in the area of Information Warfare. He attempts to breach not only the logical security of systems and networks, but also the physical security of the infrastructure and buildings, including the use of social engineering when engaged in an “All-Out-Attack” against an enterprise.
Having a considerable depth of technical experience in open and distributed systems, as well as networking, in multi-vendor environments, Martin has spent nearly 24 years in the UNIX and TCP/IP arena, having started his career as a developer of UNIX systems.
Martin is an OWASP chapter leader, event planner with the ISF (Information Security Forum) and formerly a director of CREST (Council of Registered Ethical Security Testers) and a council member of the ISF.

Analyzing Internet Attacks With Honeypots

Ioannis Koniaris (Aristotle University of Thessaloniki / Pheron Ltd)

In the field of computer security, honeypots are systems aimed at deceiving malicious users who launch attacks against the servers and network infrastructure of various organizations. They can be deployed as protection mechanisms for an organization’s real systems, or as research units to study and analyze the methods employed by individual hackers or malicious software launching automated attacks. In this workshop we will outline the operation of various research honeypots, by manual deployment and testing in real time. Participants will follow the procedure as described by the instructor. A honeypot system will undertake the role of a web trap for attackers who target the SSH service in order to gain illegal server access. Another one will undertake the role of a malware collector, usually deployed by malware analysts and anti-virus companies to gather and securely store malicious binary samples. Others include web application exploits loggers and client-side tools for malware analysis. Furthermore, visualization tools will be presented for the aforementioned systems that can help information security professionals to get an overview of their activity, plus a honeypot bundle Linux distribution that contains pre-configured versions of the above tools and much more related utilities, which can make the deployment of honeypots in small or large networks an easy task.

Ioannis Koniaris is a CS graduate from Aristotle University of Thessaloniki, a PhD student in the field of Information Security. He has worked as an assistant in the Networks Operation Center of AUTH and has a passion for anything security and DevOps related. Current professional work includes mostly web application security testing. His main interests are honeypots, honeyclients, intrusion detection and security visualization. He released a number of different utilities in order to aid information security professionals using honeypots. Some of them are Kippo-Graph, Honeyd-Viz and the honeypot bundle Linux distro HoneyDrive. These tools are used by various CERT InfoSec teams and have also been included in the "Proactive detection of security incidents II - Honeypots" report by ENISA. Two academic papers on honeypots are also underway to review and publication.

Developing and Using Cybersecurity Threat Intelligence

John Bambenek (Bambenek Consulting / SANS Internet Storm Center)

Traditional security defense tools are increasingly unable to protect against emerging and current attacks. The modern attacker has adopted advanced tools and techniques that are unable to be stopped with traditional firewalls, intrusion detection and anti-virus. Meanwhile, dedicated attackers are attempting intrusions over months and years while going undetected to steal valuable information, trade secrets and financial information. Defense techniques that leverage information about attackers and their techniques, however, provide the ability to greatly enhance the security of an organization. Modern defenses can integrate intelligence and counterintelligence information which greatly increases the ability to keep attackers out and to detect their presence quickly. This course will teach students about the tools they can use to gain insight into attackers and to integrate them into their organization. This course will be a mix of lecture and hands-on training so students will be equipped on day one to go back to their work and start using threat intelligence to protect their networks.

John Bambenek is Chief Forensic Examiner for Bambenek Consulting and an Incident Handler with the Internet Storm Center. He has been working in security for 14 years researching emerging security threats. He is a published author of several articles, book chapters and one book, and has contributed to IT security courses and certification exams covering subjects such as: penetration testing, reverse engineering malware, forensics and network security. He has participated in many incident investigations spanning the globe.

Mobile Application – Scan, Attack and Exploit

Hemil Shah (eSphere Security Solutions Pvt Ltd)

Mobile application hacking and its security is becoming a major concern in today’s world specially with BYOD and user’s jailbreaking/rooting their devices. In the last few years we have seen a range of new attack vectors and methods of exploitation for these devices. Mobile applications are vulnerable to various sets of different attacks like local storage, user data harvesting, activity spying, unauthorized event injection, UI Jacking, Tab Jacking, Traffic redirection, Logical attacks, hard coded keys and a few other. It is imperative to scan these applications before loading and launching for different platforms. Scanning and vulnerabilities detections are two major areas for mobile applications in current state. Attacking techniques and exploit delivery on different platform are evolving, protection is even tougher as code base are different. With all mobile platforms supporting HTML5 application, there is significant increase in the hybrid applications.
At the same time Mobile applications are communicating with server side over HTTP/HTTPS, it opens up few possible attacks on Web Services, APIs, OAuth, REST etc. The server side applications can be attacked with Injections and critical logical exploitations. New technology stacks are evolving over Mobile like HTML5 and Silverlight, which opens up new attack surface. In this context it is imperative for IT professional and corporate application owners to understand these attack vectors to protect mobile infrastructure, user’s privacy, security and company’s intellectual property. The class features detail hands on for mobile attacks for different platforms, real life cases, live demos, scanning techniques, code analysis and defensive controls. The following topics will be covered during the class.

Introduction to Mobile Applications
• General Overview
• Case studies of Vulnerable and old AppStore applications
• Evaluation of Applications
• Trend in Mobile application Security
• Mobile Application Fundamental – What, Why, How and Where
Deep dive into iOS
• Sand boxing
• iOS Application Architecture
• Understanding iOS platforms
• iOS Structure
• Application Structure
• Application Distribution
• Permissions
• Installing application from IPA
• Objective-C Basics for penetration testing
• Cocoa/Cocoa touch Framework
• Introduction to xCode
• Running application in simulator
• JailBreaking
o What
o Why
o How
o Who
Set up Attack environment
• Intercepting traffic
o Configuring simulators to use proxy
o Configuring device to use proxy
o Overcoming SSL traffic interception challenges
o DNS Kung fu
• Analysis tools
• Monitoring tools
• Reverse engineering tools
iOS Application Attacks & Reverse engineering
• Attacking Insecure storage
• Insecure network Communication
• Unauthorized dialing, SMS using rootkit
• UI Impersonation/Spoofing
• Activity monitoring and data retrieval
• Sensitive/Private data leakage
• Hardcoded passwords/keys
• Language issues
• Jail breaking/Physical device theft
• KeyBoard cache/ClipBoard issue in iPhone
• Reading information from SQLite database
• Insecure Protocol Handler implementation
• Parsing client side binary files to get session cookie
• Business Logical attacks
• Using debugger to analyze iOS applications
• Interesting things to look for after reverse engineering
Securing iOS Applications and source code analyzer
• Secure coding for iOS Application
• How to incorporate secure design and coding principles for developing iOS applications
• Safe/Unsafe APIs
• Avoiding Buffer Overflows And Underflows
• Validating Input And Inter process Communication
• Race Conditions and Secure File Operations
• Designing Secure User Interfaces
• Static Code Analyzer for iOS
Other Mobile/Smart TV Platforms
Windows Phone
• Understanding Windows Phone platforms (Windows phone 7 & Windows phone 8)
o Windows file System
o Application Distribution
o Permission model
• Windows phone development environment
• Running windows phone binary in simulator
• Intercepting traffic
• Blackberry file System
• Application Distribution
• Permission model
• Intercepting traffic
Samsung smart TV applications
• Architecture
• Key component and browser stack
• Application model and structure
Android – Hacker friendly platform
Understanding Android platforms
• Android file System/Dalvik
• Application Distribution
• Permissions
• Introduction to android SDK and useful files
• Understanding android application key components
• Running application in Android emulator
• Key ADB commands to play with android emulator
Set up Attack environment
• Intercepting traffic
o Configuring emulator to use proxy
o Configuring device to use proxy
o Overcoming SSL traffic interception challenges
o DNS Kung fu
• Analysis tools
• Monitoring tools
• Reverse engineering tools
Attacking android applications
• Insecure storage
o Internal storage
o External storage
o Shared secret
• Insecure network Communication – Carriers network security & WiFi network attacks
• Unauthorized dialing, SMS
• UI Impersonation/Spoofing
• Activity monitoring and data retrieval
• Sensitive data leakage
• Hardcoded passwords/keys
• KeyBoard cache/ClipBoard issue in iPhone
• Reading information from SQLite database
• Attacking Manifest file permission
• Analyzing local storage with file system monitoring
• Business Logical attacks
• Using AFE to create malicious APK
• Sending signals over wifi/mobile network
• Decompiling Android Application
• Attacking intellectual property by attacking android binaries
Secure coding for Android Applications and source code analyzer
• Secure coding for Android Application
• Using randomization
• Safe/Unsafe APIs
• Validating Input And Inter process Communication
• Controlling access with manifest
• Static Code Analyzer for Android
• Protecting intellectual property in android application
HTML 5 Applications on Mobile stack
Working with HTML5 applications on Mobile
• HTML5 specs for mobile
• Touch/Moving in mobile applications using HTMl5
• Hybrid applications and its permission model
• HTML5 tags supported with mobile platforms
HTML5 Attacks on Mobile
• LocalStorage stealing
• SQLite injections
• Click/Tap Jacking
• Business Logical attacks
• JavaScript reverse engineering
All concepts taught in this class are punctuated with hands-on exercises based on situations observed in real life. The class ends with a challenge exercise. Working within a limited time period, participants are expected to analyze the code, identify loopholes, exploit vulnerabilities present in the applications and suggest appropriate defense strategies. Mobile applications running on iPhone, Android and Hybrid will be provided for testing. Also, participants will be building a small application to capture important concepts of development as well.

Hemil Shah, CISSP, CSSLP, ACP is the founder and Director of eSphere Security, company that provides Professional services in Security Arena. He is on advisory board on number of security companies and regular trainers at some of the best security conferences. He has published several advisories, tools, and whitepapers, and has presented at numerous conferences. Hemil is expert in Mobile Application Security, Application Security, researching new methodologies and training designs. He has performed more than 1000 security consulting assignments in the area of penetration testing, code reviews, web application assessments, security architecture reviews and Mobile application security review.

Secure your Business by Business Continuity Plans – One Day Training Course

Michel Wolodimiroff (Consultant, IT Expert Safety and Security)

Business continuity does not happen by chance. It is the result of careful planning and preparation. During this 1-day workshop you will be guided through all aspects of the creation and implementation of a Business Continuity Plan. Being smart and taking any hypothesis into consideration will be demonstrated by examining business continuity plans for small, medium and large enterprises (1000+ employees).

Target audience are non-specialists and specialists. Non-specialists are new to the topic, who are thinking about a Business Continuity Plan (BCP), are busy with creating a BCP or are willing to understand what the requirements are to create a BCP. Specialists will take part and see how their expertise can contribute to the creation of an BCP.

Michel Wolodimiroff  has worked for 25 years at Digital Equipment Corporation in Belgium. His positions included FS Engineer, Account Manager, and Project Manager. He also has 7 years of experience working at international organizations in Vienna (focussed on technical support).

Welcome To DeepSec 2013

Michael Kafka & René Pfeiffer (DeepSec Organisation Team)

The DeepSec organisation team welcomes you to the DeepSec 2013 conference.


Cultural Learning Of China To Make Benefit Glorious Profession Of Infosec

Wim Remes (IOActive Ltd, (ISC)2, BruCON)

The current debate about the role of China as a nation, in international hacking incidents and corporate espionage is framed in an almost exclusively US-centric narrative. China, however, is a nation that has been familiar with innovation, economics and societal (im)balances long before Christopher Columbus accidentally landed in the New World. I will take the audience on a rollercoaster ride across more than 5000 years of history and cultural heritage that will allow us to not only understand the reality of APT and state-sponsored hacking - More than that, it should enable us to assess the threat and improve our protection.

As a Managing Consultant at IOActive, Wim Remes leverages his 15 years of security leadership experience to advise clients on reducing their risk posture by solving complex security problems and by building resiliency into their organizations. Wim delivers expert guidance on reducing the high cost of IT security failures, both financially and in terms of brand reputation with his deep expertise in network security, identity management, policy design, risk assessment and penetration testing. Before joining the IOActive team Wim was a Manager of Information Security for Ernst and Young and a Security Consultant for Bull, where he gained valuable experience building security programs for enterprise class clients. Wim has been engaged in various infosec community initiatives such as the co-development of the Penetration Testing Execution Standard (PTES), InfosecMentors, The Eurotrash Security Podcast and organizing the BruCON security conference. Wim has been a featured speaker at international conferences such as Excaliburcon (China), Blackhat Europe, Source Boston, Source Barcelona and SecZone (Colombia).

Psychology of Security: a Research Programme

Stefan Schumacher (Magdeburger Institut für Sicherheitsforschung)

IT Security is often considered to be a technical problem. However, IT Security is about decisions made by humans and should therefore be researched with psychological methods. Technical/Engineering methods are not able to solve security problems.

In this talk I will introduce the Institute's research programme about the Psychology of Security. We are going to research the psychological basics of IT security, including: How do people experience IT security? How are they motivated? How do they learn? Why do people tend to make the same mistakes again and again (Buffer Overflow, anyone?)? What can we do to prevent security incidents? Which curricula should be taught about IT security?

Stefan Schumacher is head of the Magdeburger Institut für
Sicherheitsforschung (Magdeburg Institute for Security Research) and
currently running a research programme about the psychology of
security. This includes social engineering, security awareness and
qualitative research about the perception of security.

Hackanalytics: what's hot, what's not

Alexey Kachalin (Advanced Monitoring)

In pentest/sec-audit projects main risk is not to fail to penetrate the system or find vulns in big enough software product, but to get your task right and explain your findings to the customer. Problem comes in many faces and on every phase of the project: goal setting from customer, system outline by IT, discussing progress or final presentation.

Missing means of communication or misuse of known is widespread tools of analysis and data representation is often the key to this problem: you can't discuss codes as is with CEO or explain your world of social enginiring tricks to system architect using charts.

This talk will cover what works and what fails in our day by day practice in pentest, security audit, forensics starting from general concepts and tools of analytics (text, charts, SWOT, gap) to domain-specific favorites adopted for our practice from OSSTMM, PTES, CSC.

Over ten years in IT security testing and benchmarking, security audit, research and development.
Areas of interest: network security (attacks and detection), threat analysis, malware, cryptography, security audit.

Chief Inspirator in AdvancedMonitoring company managing security-related projects to happen and deliver worthy and actionable results.

Relax Everybody: HTML5 Is Securer Than You Think

Sebastian Lekies (SAP AG)

Many, many conferences nowadays come with "HTML5 is insecure" or "Hacking with HTML5" talks. This has led to the general perception that HTML5 itself (whatever the term actually stands for) is insecure and, thus, should be avoided for security reasons. This is a highly unfortunate misconception, as the current generation of new Web APIs expose a level of security sophistication unparalleled in the Web's history. In fact, new browser features such as CORS or PostMessage allow for the first time to securely realize usecases which, up to now, required the programmers to resort to insecure programming practices.

In this talk, we will systematically explore security relevant HTML5 APIs. To do so, we discuss their respective security architecture and, more importantly, show how they compare to currently established techniques which were designed to realize similar use cases.

Plainly speaking you can consider this talk as a "information security deathmatch - HTML5 vs. its alternatives" (spoiler: HTML5 wins).

More specifically, the talk will cover:

# Client-side cross-domain communication:
- CORS (HTML5) vs. JSONP and/or crossdomain.xml

# Client-side persistance
- LocalStorage (HTML5) vs. Cookie-hacks

# In-browser communication
- PostMessage (HTML5) vs.
-- hash-identifier passing and/or
-- window.name setting and/or
-- domain relaxation

# ClickJacking protection
- X-Frames-Options (HTML5) vs. JavaScript framebusters

# Bonus track: The browser's new security capabilities

A quick overview of new browser features that can be used to secure Web sites:

- Content Security Policies
- Sandboxed iFrames
- Strict-transport Security

The session's content is based on the experiences and lessons learned of a international academic research project on modern Web security (WebSand, http://websand.eu) of which the speaker is the technical lead. All given details will be backed with empirical data (when applicable). Furthermore, all discussed technologies can be accompanied with proof-of-concept code or practical demonstrations (if time permits).


From Misconceptions To Failure – Security And Privacy In The US Cloud Computing FedRAMP Program

Mikhail A. Utin (Rubos, Inc.)

In our previous analysis of the “Cloud Computing (CC)” we have concluded that CC is a generally misleading, marketing-driven idea born out of the need to utilize hosting services which became overly-abundant post Internet Bubble. Well-known CC models are useless, and in a case of so named “community cloud” models it amounts to little more than legal nonsense. In case of implementation of high level complex regulations like EU General Data Protection Regulation (GDPR), CC is not only useless, but by being misleading, it creates a dead-end situation where it is not possible to identify how exactly privacy will be protected in an Internet-based distributed computing environment.
However, regardless of numerous concerns expressed by information security professionals over CC services, US government developed the FedRAMP program and got funding for moving all federal information systems into a “cloud”. As we identified, all “cloud” misconceptions have successfully made it into FedRAMP documents. What should we expect from such a large scale experiment? What will be the result of the “cloudization” – wasting tax payers’ money and a few people getting some political gain capitalizing on public inability to distinguish between new technology and technological opportunism? Or will it be the next technological step forward advancing our ability to move and process data wherever we want?
To understand what will happen and to prevent selling to the world yet another failure as an achievement, we need to go deep in the analysis of fundamental US government documents and draw our conclusion based on thorough analysis and known facts.
While the rule “garbage in – garbage out” has been proven on numerous occasions, we need to do that again considering all what is known as “cloud computing” and what US federal government plans to implement. Then we can answer whether we will get new technology protecting privacy or very costly garbage.

Mikhail A. Utin completed his basic engineering education in 1975 in Computer Science and Electrical Engineering. Career in Russia included working for several research and engineering organizations. Doctorate / PhD in Computer Science (1988) from then Academy of Science of the USSR. From 1988 to 1990 founded information technology company and successfully worked in emerging Russia’s private sector. Had several USSR patents and published numerous articles.
Immigrated in the US with family in 1990 to escape from political turmoil and hoping for continuing professional career. Worked in the US in information technology and information security fields for numerous companies and organizations including contracting for US government DoN and DoT. Together with colleagues formed private company Rubos, Inc. for IT security consulting and research in 1998. The company is a member of ISSA New England chapter.
(ISC)2 certified professional for seven years. Published articles on Internet and in professional journal, and a reviewer of articles submitted to (ISC)2 Information Security Journal: A Global Perspective.
Current research focus on information security governance, regulations and management, and the relationship between regulations, technology, business activities and businesses' security status. Most of the research is pioneering work never discussed by the information security community.

spin: Static Instrumentation For Binary Reverse-Engineering

David Guillen Fandos

My talk proposal is about binary instrumentation and its applications in the field of reverse-engineering and hacking. Binary instrumentation is a technique used in many fields such as computer architecture, application profiling, emulation and dynamic translation. But its interactions with the security field so far have been mostly in malware and threat analysis.
This talk proposes new applications for binary instrumentation such as executable hacking and function hooking. As an example we present a simple analysis routine capable of locating security critical functions in serial protected applications by performing runtime analysis of the program's functions. In the end we are able to modify the programs behavior to accept any user input. Another interesting application presented is the ability to locate and hook critical functions in a web browser: we are able to find and hook Opera's HTTP request generator function and sniff out data sent to the server before it gets ciphered under SSL and TLS layers.
Finally we present a tool called spin which is the base for all the examples shown. This tool performs static binary instrumentation in a very lightweight way: it only instruments at function level statically.

David Guillen Fandos graduated in Computer Science (2012) and Telecommunications Engineering (2013) from Polytechnic University of Catalonia in Barcelona. Loves computer architecture, operating systems, compilers and, of course, hacking. Reverse-engineering and obfuscation are his main research areas. He has also worked in video games since he was 14 and developed video-games for consoles such as PSP and GameCube/Wii. He has a passion for Electronics and hardware hacking, specially firmware and driver development though he hasn't published any research done in those fields so far. Currently he is working at Intel in the area of processor architecture design.

Risk Assessment For External Vendors

Luciano Ferrari

When you have to handle confidential and regulated data for a third party it's a big challenge to define the risk if you are not going to be on site for a real assessment. Considering the amount of data companies are transferring to the cloud and external vendors the regulations, especially in a globalized world, require proper management to be effective, compliant and efficient in order to protect the data and the companies reputation. 

Luciano Ferrari has developed a process that deals with global Risk Assessment and increases the trust in and the security of your data. However: Data security can only be achived if all units of an organization cooperate - and with a change in culture.

This presentation provides a summary of steps to get your organization on track.

Luciano holds an MBA in Business Management, post graduation in Network Computers and has a degree in Microelectronic Engineering. He is also a Certified Information Systems Security Professional, and a Cisco Certified Network Associate.

With 15+ years of experience in Information Technology Luciano Ferrari leads External Vendors Risk Assessment, PKI, RACF and Web Portal Gateway, assuring awareness and compliance to global regulations and standards for security and maintaining the privacy of client and employee data records.
Luciano Ferrari worked at many different segments at carriers, internet service providers, education and financial institutions.

Finux's Historical Tour Of IDS Evasion, Insertions, and Other Oddities

Arron Finux Finnon (Alba13 Research Labs)

Roll up, Roll up, my Lords, Ladies and Gentleman, come see the bizarre and wondrous marvels that the Cirque de Vendeurs Sécurité has to offer. Tales of miracle machines that can see into the future and tell their masters of all the dangers they face. Devices so wise that they can see the very threats of tyrants and evil doers before they've even been thought of. Contraptions that possess a mystical sixth sense that can see every footstep and action a would be assailant takes before any deadly blow is delivered. These miracle machines that give defenders a suit of armour that mean the wearer needs no warrior skills in defending their castles. Come see for yourself, and purchase one of the miracle wondrous machines!

Although the above sounds ludicrous and out of place, it isn't that far fetched from a lot of the literature produced by Network Intrusion Prevention/Detection System vendors. This talk looks at the very long and fruitful history the world of network detection systems has to offer (you'll be surprised they're nearly 4 decades old). With a overview of just some of the failings these systems have had over the years, and how these failures shaped their development. At places this talk will be cynical and it won't win any friends from vendors, but attendees will be given enough background information to understand why detection systems like IDS/IPS can work, but why they're set to fail all at the same time.

Poor testing and the general acceptance by nearly everyone within the security industry that these systems can't deliver is only the beginning of their history of fail. I intend to discuss why certain evasion techniques worked, and why they will continue to work until we understand the inherent problems. Consider this talk a historical journey with one eye fixed on the future.

Twitter: http://twitter.com/f1nux
Speaker: http://www.finux.co.uk
Alba13 Labs: http://www.alba13.com

Arron "finux" Finnon has been involved in security research for a over 7 years. Arron has discussed a wide range of security related topics at a number of Security/Hacking conferences in both the UK and internationally, as well as producing over 100 security related podcasts. Interviewing countless security professionals as part of the Finux Tech Weekly podcast show.

During Arron’s time at The University of Abertay Dundee he was also awarded the SICSA Student Open Source Award for his Advocacy of Free and Open Source software for his work whilst president of The UAD Linux Society.

Arron now spends his time between consulting as well as research for Alba13 Research Labs, a company which he founded.

My Name Is Hunter, Ponmocup Hunter

Tom Ueltschi (Swiss Post)

In early 2011 we discovered some malware infected systems in our network. Starting from one A/V event we found several host- and
network-based indicators to identify and confirm several infections within our company. A few weeks later the sinkholing of several known C&C domains showed the botnet was very big (several million bots). Quickly I got obsessed with analyzing and hunting this malware, which could infect fully
patched systems protected by firewalls, IPS and multi-layered A/V without using exploits (only social engineering).

The malware got some media attention in June 2012 with titles such as “printer virus”, “printer bomb” or “Trojan.Milicenso: A Paper Salesman’s Dream Come True”. A/V detection names for this malware vary greatly and there may be as little as one registry key in common as indicator for all infected hosts. Over time the infection and C&C domains, IPs and URL patterns changed to avoid detection.

In late 2012 a “anti-sinkholing technique” was introduced in using C&C domains. Just recently I discovered how this technique can be overcome to allow sinkholing of botnet domains again. Unfortunately the currently used C&C domains are not as well known as they were after the incident and analysis in 2011.

Tom Ueltschi received his Bachelors and Masters of Science in Computer Science and Engineering from the University of Texas at Arlington. After about 6 years working in Software development (mainly Java web applications) he switched to IT Security five and a half years ago. Hunting for and analyzing new malware is part of his job and hobby as well. He's an (in-)frequent blogger about APT resources and malware/botnet research (c-apt-ure.blogspot.com) and believes in sharing threat and malware intelligence using Twitter (@c_APT_ure), Storify, CIF feeds and IOCs. He holds several GIAC certifications (GCIH, GWAPT, GXPN) and received the SANS Lethal Forensicator Coin for submitting several IOCs to ForensicArtifacts.com. He's a member of several closed/trusted groups for fighting cybercrime and sharing malware and APT intelligence.

Effective IDS Testing – The OSNIF's Top 5

Arron 'Finux' Finnon (Alba13 Research Labs)



Easy Ways To Bypass AntiVirus Systems

Attila Marosi (GovCERT-Hungary)

All IT security professionals know that antivirus systems can be avoided.
But few of them know how very easy it is to elude them - and if it is easy the impact is big. In this presentation I am going to fully bypass many antivirus systems live,
using basic techniques.

- Bypass signatures
- Bypass emulation/virtualization
- Bypass sandboxing
- Bypass firewalls

How much time and money do i need for this result?
Not more than 15 hours time, not 1 cent of investment!
If I can do this, anyone can do it - I think we are in trouble.

In this presentation I will test only Windows systems and AV for Windows systems, but, 
I think, that the techniques I'll introduce can easily be applied to any other system.
And for my demonstration I'll only use techniques AVs already are aware of: 

- plain text signature 
- virtualization and emulation  
- behaviour analysis and process separation 
- sandboxing 

The code I´ll hide is a shell_reverse_tcp. It is a well-known to AVs and it is
the cheapest code for an attacker, because it is in the Metasploit and anyone can use it.
The techniques I use are well documented, just google "antivirus bypass"...

I use VirusTotal.com to speed up my research. Code testing is a time-consuming process: if you would like to test/scan each version of your code with multiple AVs the time you need for your research will also multiply...
The VirusTotal.com test is not the same like a real test, but good enough to discover a 
good way of bypassing. If the detection rate is low, we are on the right track ;) 
Once I reach a detection result that is low enough to satisfy me, I will test the code with virtual machines to verify the VirusTotal.com result.
After that I'll show the attendees that fully patched and trusted AVs
cannot detect the code and therefor can not protect us completely.

Attila Marosi has been working in the information security field since he started working. As a lieutenant of active duty he worked for years on special information security tasks occuring within the SSNS. Recently he was transferred to the just established GovCERT-Hungary, wich is an additional national level in the internationally known system of CERT offices. He has several international certificates such as CEH, ECSA, OSCP, OSCE. During his free time he does some teaching on different levels; including lessons for white hat hackers. Lately he gave a talk at the yearly organized national level conference dealing with ethical hacking - a presentation concerning the vulnerability of the best sold antivirus and firewall softwares.



Hacking Medical Devices

Florian Grunow (ERNW GmbH)

In the last few years we have seen an increase of high tech medical devices, including all flavors of communication capabilities. The need of hospitals and patients to transfer data from devices to a central health information system makes the use of a wide range of communication protocols absolutely essential. This results in an increasing complexity of these devices which also increases the attack surface of the equipment. Vendors of medical devices put a lot of effort into safety. This is especially true for devices with feedback to the patient, e.g. medical pumps, diagnostic systems and anesthesia machines. However, it is often forgotten that the security of these devices is a crucial part in also providing safety. An attacker who is able to gain unauthorized access to these devices may be able to endanger the health of patients. We decided to take a look at a few devices that are deployed in many major german hospitals and probably in hospitals around the world. We focus on the security of these devices and the impact on the patient's safety. The results will be presented in this talk.

Florian Grunow holds a Bachelor's degree in Medical Computer Sciences and a Master's degree in Software Engineering. He used to work in hospitals and got an inside view on how the daily work of healthcare professionals dealing with IT looks like. He now works as a Security Analyst at ERNW in Heidelberg, Germany, with a focus on application security.

Prism Break – The Value Of Online Identities.

Frank Ackermann (-)

Online opinion making, blogging and journalism have developed a considerable market potential and turned into a source of revenue. With that online identities themselves have become valuable assets to possess – and thus targets for theft and fraud. At the same time internet users willingly share detailed private data on social platforms, resulting in in-depth-profiling and potential misuse.
This non-technical talk illustrates in an easily comprehensible way the value of online identities in our modern internet relying society. It explains how information is processed, used and analyzed by internet platforms and how this opens vulnerabilities or fraudulent misuse. The final aim of the talk is to enable the audience to a better evaluation of #Neuland's territory in which Prism, search-engines, clouds and big data exist next door.

Frank Ackermann, Senior Security Professional lives in Düsseldorf/Germany. He has been working in the field of IT & Information Security for over 13 years and CISSP, Security Researcher and Analyst.
'Security is not my job – it is my passion.'







Auditing Virtual Appliances - An Untapped Source Of 0-days

Stefan Viehböck (SEC Consult)

In the past auditing appliances was like auditing embedded devices. Hard to come by, hard to crack open. Since most appliances are now provided in the virtual form factor, they can be easily analyzed. Yet from a security point of view they are still not much different from embedded devices.
This talk will discuss the process from getting a root shell on an appliance, assessing the general system hardening posture to finding exploitable vulnerabilities. The state of the art when it comes to application security is discussed based on vulnerabilities in security appliances from F5, Symantec, Sophos and the like. It will be demonstrated that appliances can be the weakest link in a network and cause a huge headache for incident responders.

Stefan Viehböck is a security researcher/consultant with a strong focus on application security. While he spent some time reverse engineering embedded devices (MIPS/ARM) in the past, he has now moved on to large enterprise appliances. Stefan has discovered numerous vulnerabilities in software products. These include critical vulnerabilities in products from companies like: Barracuda Networks, F5, Siemens, Symantec, Telekom Austria and Vodafone. He has also found a flaw in the Wi-Fi Protected Setup (WPS) specification that enables a very powerful brute force attack on the WPS PIN. All major Wi-Fi router vendors are/were affected.

Hack The Gibson: Exploiting Supercomputers

John Fitzpatrick (MWR InfoSecurity)

We have had the luxury of spending a good amount of time looking at the security of supercomputers.
This presentation will cover our research and demonstrate some of the most interesting and significant vulnerabilities we have uncovered so far. We will also be demonstrating exploits and previously undocumented attack techniques live so you can see how to get root on 20,000 nodes all at once.

The material we are covering affects the majority of the top 500 supercomputers. But even if you have never encountered a supercomputer before you'll be surprised how accessible and familiar many of the technologies are. The UNIX crowd amongst you will certainly enjoy seeing interesting exploits against large UNIX environments.

John Fitzpatrick heads up MWR InfoSecurity’s consultancy team in the UK. With over 7 years experience in the industry he has had the opportunity to play around with and hack a whole bunch of different technologies. Currently settled on supercomputers for now, past interests include VMware, BlackBerry, IPv6 and anything with a network interface. John has spoken at a number of security events.

Cracking And Analyzing Apple iCloud Protocols: iCloud Backups, Find My iPhone, Document Storage.

Vladimir Katalov (ElcomSoft Co. Ltd.)

Apple iCloud was meant to improve flexibility and comfort when using your iDevices, however it also provides opportunities to extract as much as everything about the user.

Backups: iCloud suggests backing up iMessage, SMS, photos and videos, device settings, documents, music and other things on-the-fly, which is useful for syncing or restoring in case your iDevice is lost or damaged. However, there is only one way to access iCloud backup data by organic means: You can only restore the backup onto any of your devices (linked to the same account) and, thus, only via Wi-Fi connection. This technical limitation is presupposed by design. But now I can show you a method to simply download everything onto any desired computer at hand, provided that we have Apple ID and password.

Find My iPhone: this application was meant to help you to track your own iDevices geographically and should be available strictly to the user under his/her own Apple account. But there is a way to get the geo-location data having neither a Apple device tethered to that account readily available nor access to the iCloud website. If the location services are switched on, the geo-location of the device can be detected by sending a push request (there will be an arrow indicator in the right upper corner of the target device screen) and getting the requested coordinates. Then, the received positioning data can be applied to any map you prefer (incl. Google Maps or any other map).

Storage: Apart from backup iCloud can store iTunes contents, photo stream, contacts, iWork documents, application files and more, which can be accessed either from any device signed up to the account or from icloud.com/iwork. However, not all information can be accessed from iCloud webpage. For example, some application files (e.g. data generated by SoundHound) you may have on your iPad  - or whatever - won't be seen from icloud.com/iwork. Our technological analysis allowed us to make it possible to access and download all storage information, including third-party application files on-the-fly, even without launching a work session in iCloud.

Conclusion: iCloud stores large amounts of information. Before now access to this info was restricted either by the necessity to have iDevice available or by using Internet and web-browser (knowing Apple ID and password is required). Now, that I have reverse-engineered Apple iCloud communication protocols we can suggest an alternative technology to reach and download iCloud data and its changes in standalone mode.

Vladimir Katalov is CEO, co-founder and co-owner of ElcomSoft Co.Ltd. Born in 1969 he grew up in Moscow, Russia. He studied Applied Mathematics at Moscows Engineering-Physics Institute (State University); from 1987 to 1989 he was a sergeant in the Soviet Army. Vladimir works at ElcomSoft up until now from the very beginning (1990). In 1997, he created the first program the password recovery software line has started from: Advanced ZIP Password Recovery. Now he coordinates the software development process inside the company and constantly calls in question the appearing security tools and services.

Vladimir manages all technical researches and product developments in the company. He regularly presents on various events and also regularly runs security and computer forensics trainings both for foreign and inner (Russian) computer investigative committees and other law enforcement organizations.

Vladimir regularly visits various IT security- related events, conferences and trainings all over the world. He has shared his expertise through dozens of conference sessions. Here is an incomplete list of the events: TechnoSecurity, BlackHat, CEIC, Infosecurity (Europe, Russia, Japan), IT Security Area (it-sa), European Police Congress, e-Crime, Troopers, EuroForensics, FT-Day, China Computer Forensic Conference, CanSecWest, CrimeLab, Forensics Europe Expo, Interpolitex...

The Economics Of False Positives

Gavin 'Jac0byterebel' Ewan (Alba13 Research Labs)

The topic of false positives within IDS, in fact within any computer related field, has been discussed from a technical perspective on a number of occasions. It is true that abuse of false positives could be used to perform denial of service (DoS) attacks, also that they can be weaponised and used as an attack vector. My brother in arms Finux even recently discussed how false positives can be used to enumerate an IDS system. This is all great, but the problem is that this rarely (never?) translates into the facts and figures that management require in order to decide that false positives are indeed a problem that have a tangible cost impact on the business.

As it stands, the only people talking figures are the sales staff of IDS vendors, and the figure they like to talk about is throughput. According to one vendor site, the question (and it seems, the ONLY question) is finding an IPS appliance with exactly the right throughput for your network. We, as defenders, then ask why management are basing buying decisions on same said throughput figures and not the scary, uber-technical jargon we give them.

Well, now it's time to harden up and give management what they want, so ultimately we can get our own way. This talk will bridge the gap between all of us 'geek' types (a group of which I am firmly a member) and the aforementioned management types (a group which people seem to think I belong in!).

Taking false positive figures from a number of real business entities ranging in size and business area (don't worry, they're anonymised), the aim of this talk is to arm my fellow hackers and testers with the knowledge and, more importantly, the language to put a case forward to the powers that hold the purse strings within our business and ask

'Can I have X amount of budget to mitigate our false positive problem that is costing Y?'

Gavin ‘Jac0byterebel’ Ewan is a ranty, shouty, sweary Scottish hacker.

After selling lots of things to lots of people, he decided to get firmly into the field of information security, always having been a geek at heart.

Educated in psychology and economics, Gavin spends his time debunking social engineering myths (the psychology bit) and working out ways to sell infosec to management types (the economics bit)

Already a successful speaker, Gavin has delivered talks worldwide to various audiences.

Uncovering your trails. Privacy issues of bluetooth devices.

Verónica Valeros & Garcia Sebastian (MatesLab Hackspace)

Bluetooth devices are ubiquitous. However, until recently, there were no tools to perform bluetooth wardriving. Considering that each cell phone usually identifies one person and that the position of these devices can be stored, it is possible to extract and visualize people's behavior. Most people is not aware that their bluetooth device allows to easily abuse their privacy. A new tool called Bluedriving is presented to capture and store the position and information of bluetooth devices. The devices can be visualized on a map and different alerts can be used to follow people in the street. We present the tool along with a large capture dataset and a deep privacy analysis. We conclude that it is possible to follow people using their bluetooth device.

Veronica Valeros is one of the founders of the MatesLab Hackerspace, the first hackerspace in Mar del Plata, Argentina. She is actually based on Czech Republic. Her passion lies on information security and privacy, python programming, networking analysis, lockpicking and traveling. Her work is focused now on malware research and anomaly detection.






Sebastián García is co-founder of the Mateslab HackSpace in Argentina and a PhD student in the UNICEN University in Argentina and the ATG of CVUT Univeristy in Czech Republic. His research interests include network-based botnet behavior detection, bluetooth analysis, anomaly detection, penetration testing, honeypots, malware detection and keystroke dynamics. His recent projects focus on using unsupervised and semi-supervised machine learning techniques to detect botnets on large networks based on their behavioral models.





Pivoting In Amazon Clouds

Andres Riancho (-)

From no access at all to the company Amazon’s root account - this talk will teach attendees about the components used in cloud applications like: EC2, SQS, IAM, RDS, meta-data, user-data, Celery; and how misconfigurations in each can be abused to gain access to operating systems, database information, application source code and Amazon’s services through it’s API.

The talk will follow a knowledgeable intruder from the first second after identifying a vulnerability in a cloud-deployed Web application through all the steps he takes to reach the root account for the Amazon user.

Except from the initial vulnerability, a classic remote file included in a Web application which grants access to the front-end EC2 instance, all vulnerabilities and weaknesses exploited by this intruder are going to be cloud-specific.

The tools used by this intruder are going to be released after the talk and will provide the following features:
Enumerate access to AWS services for current IAM role
Use poorly configured IAM role to create new AWS user
Extract current AWS credentials from meta-data, .boto.cfg, environment variables, etc.
Clone DB to access information stored in snapshot
Inject raw Celery task for pickle attack

Andrés Riancho is an application security expert that currently leads the community driven, Open Source, w3af project and provides in-depth Web Application Penetration Testing services to companies around the world.

In the research field, he discovered critical vulnerabilities in IPS appliances from 3com and ISS, contributed with SAP research performed at one of his former employers and reported vulnerabilities in hundreds of web applications.

His main focus has always been the Web Application Security field, in which he developed w3af, a Web Application Attack and Audit Framework used extensively by penetration testers and security consultants. Andrés has spoken and hold trainings at many security conferences around the globe, like PHDays (Moscow), SecTor (Toronto), OWASP (Poland), CONFidence (Poland), OWASP World C0n (USA), CanSecWest (Canada), T2 (Finland) and ekoparty (Buenos Aires).

Andrés founded Bonsai, a web security focused consultancy firm, in 2009 in order to further research into automated Web Application Vulnerability detection and exploitation.

Building The First Android IDS On Network Level

Jaime Sánchez (-)

Being popular is not always a good thing and here’s why. As mobile devices grow in popularity, so do the incentives for attackers. Mobile malware and threats are clearly on the rise, as attackers experiment with new business models by targeting mobile phones. Nowadays, several behavior-based malware analysis and detection techniques for mobile threats have been proposed for mobile devices. We'll show how we built a new detection framework that will be the first open source Android IDS on network level.

This open source network-based intrusion detection system and network-based intrusion protection system has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks, featuring: Protocol analysis, Content searching and Content matching.

In IDS/IPS mode, the program will monitor network traffic and analyze it against a rule set defined by the user, and then perform a specific action based on what has been identified. With the help of custom built signatures, the framework can also be used to detect probes or attacks designed for mobile devices, fool and cheat operating system fingerprinting attempts (like nmap or p0f), server message block probes, etc.

Jaime is a security reseacher specialized in network protocols and technologies, with over ten years of experience in positions of consulting, risk management, secure network architectures and ethical hacking.

He works in the Security Operations Center (SOC) of a multinational telecommunications company, offering managed security services for IBEX35 companies. He is a frequent speaker and has given talks at conferences like Rootedcon, Nuit Du Hack, Blackhat Arsenal, Defcon or DerbyCon. He holds several security certifications, like CISA or CISM, and an Executive MBA.

Jaime is also a frequent contributor to several technical magazines in Spain featuring state-of-the-art attack and defense mechanisms, network security and general ethical hacking techniques.

Future Banking And Financial Attacks

Konstantinos Karagiannis (BT)

Dark days for infosec may be ahead. Cyber attackers have only gotten more daring this decade, encouraged by the headline-generating successes of hacktivists and APTs. Now security professionals are scrambling to stay ahead, with organizations of all types operating in an environment where breaches are the expectation. Financial organizations are particularly at risk, as “doing it for the lulz” takes a backseat to international cyber warfare and digital organized crime. Attackers are going where the money is.

Konstantinos has specialized in hacking banking and financial applications for nearly a decade. Join him for a look at the most recent attacks that are surfacing, along with coming threats that financial organizations will likely have to contend with soon.

Here are the four major areas covered, with some example attacks in each:

Advanced User Enumeration and DDoS
Surprisingly few organizations go out of their way to protect user IDs. Attackers will soon be using this easily obtained information to perform sophisticated brute force attacks, massive account lockouts (a new DDoS), and diversionary attacks hiding other exploits.

Trading Turret and Timing Attacks
The past few years have shown that attackers are often hired to disrupt competitors. A look at local and network-based attacks that could cost competitors millions of dollars in milliseconds.

Internal User Attacks and APTs
Attackers are only beginning to fully exploit what it means to have an internal foothold in an organization. Future APTs will enable massive, simultaneous attacks on end user accounts and funds.

External User Attacks and MitE
New breeds of malware will allow for complete fraudulent actions and theft to occur right on the victim’s machine. Forget about sniffing passwords and traffic--attackers will increasingly focus on transfers occurring right from trusted sessions and IP addresses via Man in the Endpoint attacks.

Konstantinos Karagiannis is the Practice Technical Lead for Ethical Hacking in BT Advise Assure. He has extensive experience performing application and network assessments and penetration tests, and specializes in financial applications. He has spoken at dozens of technical conferences around the world. Konstantinos began as a Physics major before finding his way into the world of hacking.He enjoys probing how everything works, from programs to particles.

Trusted Friend Attack: Guardian Angels Strike

Ashar Javed (Chair of Network & Data Security, Ruhr University Bochum, Germany)

In this talk we present our survey of  "forgot your password'' functionality of fifty popular social networks and investigate the security of the password recovery mechanisms. We were able to compromise accounts on six social networks, block account on one big social network due to the weaknesses in the password recovery feature and help from their untrained and naive support teams during the account recovery process. 

In addition, we present a novel, practical and high severity attack on the password recovery feature of Facebook and we call it Trusted Friend Attack (TFA). The term TFA was coined during our discussions with the Facebook Security Team. Trusted friends are also known as Guardian Angels. If a user wants to login to a web service without remembering his password, usually an email containing a new password (or a password reset link) is sent to the user, enabling him to choose a new password for his account. A problem occurs, when this user along with his password lost access to the email account provided during registration. In that case, Facebook introduced a new feature called Trusted friends, that allows account recovery based on the trust a user has in his friends.

The TFA exploits the victim's trust in his friend or friends (3 in total) to compromise his/her account, so it is very beneficial for the attacker to be on the victim's friends list as a starting point (though attack is possible with low probability even if the attacker is not on the victim's friends list). There are two variants of the Trusted Friend(s) Attack: One involves only one attacker while the other requires three attackers. To show the applicability of our attack, we tested 250 Facebook accounts. We show how TFA can lead to a complete compromise of a user's Facebook account. This talk also describes Chain Trusted Friend Attack (CTFA). In CTFA, attacker make a chain of hacked accounts in order to compromise more accounts.

The talk further demonstrates a highly practical Denial of Service (i.e., DoS of trusted friends feature) due to weakness in Facebook's password recovery procedure. Both attacks i.e., TFA and DoS can easily be launched against any Facebook user by knowledge of his user-name only, which is public information. We have responsibly reported all attacks to the respective security teams and they have acknowledged our work. In the end, we give some guidelines to social networks' users.

Ashar is a researcher in Chair of Network & Data Security, Ruhr University Bochum, Germany and working towards his PhD. His name has been listed nine times in Google Security Hall of Fame, Twitter/Microsoft/Ebay/Adobe/Etsy/AT&T Security Pages & Facebook White Hat etc.

Static Data Leak Prevention In SAP - The Next Generation Of DLP

Andreas Wiegenstein (Virtual Forge GmbH)

Industrial espionage is an increasingly serious problem for many companies. Even minor data leakage can endanger a company's competitiveness, if data falls into the wrong hands.
This talk introduces a fundamentally new concept: Static Data Leak Prevention. While most DLP solutions analyze network traffic during runtime, S-DLP is designed to identify data leaks already during application development.
The code examples and data leaks presented are native to SAP environments.

Andreas Wiegenstein has been working as a professional SAP security consultant since 2003. He performed countless SAP code audits and has been researching security defects specific to SAP / ABAP applications.

As CTO, he leads the CodeProfiler Research Labs at Virtual Forge, a team focusing on SAP/ABAP specific vulnerabilities and countermeasures.

Andreas has trained large companies and defense organizations on ABAP security. He is co-author of the first book on ABAP security (SAP Press 2009). He is also member of BIZEC.org, the Business Security Community.



Malware Datamining And Attribution

Michael Boman (Independent Researcher)

Greg Hoglund explained at BlackHat 2010 that the development environments that malware authors use leaves traces in the code which can be used to attribute malware to a a individual or a group of individuals. Not with the precision of name, date of birth and address but with evidence that a arrested suspects computer can be analysed and compared with the "tool marks" on the collected malware sample.

Security consultant during daytime, malware researcher at nighttime. My latest claim to fame is the MART Project (Malware Analysts Research Tool) which is more like a collection of tools and procedures then a stand-alone application. MART allows a malware analyst to quickly analyse malware on a limited time and budget.

Mutually Assured Pwnage

Karin Kosina

"Cyberwar" has become a thing. (Never mind that no-one seems to really
know what that thing really is.) Along with the militarisation of
cyberspace - or shall we say: "the fifth domain of warfare" - there
has been a flurry of attempts to draw analogies to other models of
conflict. While this is understandable to a certain extent - What
worked in the past may work again in the future, right? And let's not
be so cynical here to speak about hammers and things that look like
nails... -, it has in many cases only added to the confusion around an
already confused subject. Exhibit A: the attempts to liken the brave
new world of "cyberwar" to the good old Cold War days. Or bad old Cold
War days, depending on how you look at it. In any case, there has been
a proliferation of headlines such as "Cyberthreats: Welcome to the New
Cold War". To what degree do such comparisons make sense though?

The presentation will take a critical look at what Cold War analogies
can and cannot teach us about war in the 5th domain. It will discuss
issues such as deterrence, arms control, international agreements,
escalation, trust building measures, the role of state-actors and
non-state actors, and more.

Karin Kosina, virtually known as "kyrah", has a background in both
computer science and international relations. She worked for 10+ years
in research and development before deciding to go into diplomacy
(Long story.) She wrote her master's thesis on "Wargames in the Fifth
Domain", arguing that "cyberwar" is vastly over-hyped. She is now with
the Federal Ministry of European and International Affairs. (It should
be noted though that her presentation only reflects her private views
and not those of the Republic of Austria.)

The Boomerang Effect – Using Session Puzzling To Attack Apps From The Backend

Shay Chen (Hacktics ASC, Ernst & Young)

It's not as easy as it used to be.
Although applications without security flaws are still considered a fairy tale, the implementation of application security mechanisms is improving.
Authentication enforcement procedures, privilege enforcement layers, input validation mechanisms, web application firewalls and a wide variety of security controls have become an integral part of many applications.
This is where session puzzling and session race conditions (TSRC) come in.
These under-emphasized attack patterns are designed to allow both new and traditional attack vectors to bypass security mechanisms and attack the application from a trusted resource: the session attributes and database values – *locations that are rarely validated*.
Their detection process, however, was tedious, long, and in many cases, even arbitrary… until now.
The release of the Diviner project enhances the detection process, helping pen-testers to identify these exposures, bypass traditional security mechanisms, and justify the implementation of designated session variable overloading prevention mechanisms.

Shay Chen is the CTO of Hacktics, an advanced security center of Ernst & Young.

As a victim of the law of familiarity, a decade of exposure to common vulnerabilities was enough to shift his focus to abnormal hacking methodologies and new attack vectors.

He is also a prominent blogger and researcher, and is responsible for many security publications, including new application-level attacks, testing methodologies and open source projects.

As the co-author of the platforms "Diviner" and "WAVSEP" he was involved in the publication of several large-scale researches in the field of automated security scanners.

Shay is an experienced speaker, has been instructing a variety of information security courses for the past 8 years, and had multiple appearances in international conferences, including Blackhat, Hacktivity, AppSecUSA and others.

Europe In The Carna Botnet: Telnet's Threat To The Largest Economy

Parth Shukla (AusCERT (Australian Computer Emergency Response Team))

This presentation will showcase the latest analysis and the progress of industry collaboration on the problem of internet facing devices that have default credential logins through telnet. The Carna Botnet, which was used to perform the first-ever map of the Internet – Internet Census 2012 – highlighted a major information security concern with devices that allow default credential login from the Internet by default. For more information on the Internet Census 2012, please refer to the anonymous researcher’s paper.

A complete list of compromised devices that formed part of the Carna Botnet was obtained exclusively by Parth Shukla. This list is NOT publicly available from any source. This data was acquired directly from the anonymous researcher who performed the Internet Census. As confirmed by the researcher, AusCERT to date remains the only organization and researcher in the world that has the complete dataset. Relevant snippets of this data, however, have been provided to CERTs around the world in order to reduce the threat made explicit by the Carna Botnet.

This presentation at DeepSec will provide up-to-date analyses of all the different identifying information for each of the compromised devices that formed part of the Botnet. This detailed analysis will indicate the prevalence of easily-exploited vulnerabilities in different countries, regions and in the devices of different manufacturers. Therefore, what these security problems mean for DeepSec attendees, IT professionals and manufacturers around the world will be thoroughly examined.
The ultimate aim of this presentation is to continue to draw public awareness to the larger concerns for information security professionals worldwide and for the world’s largest economy of Europe. Hopefully, this awareness will persuade manufacturers and even local ISPs to collaborate and address this problem. The Carna Botnet reminds us all that there are numerous, simpler vulnerabilities at risk of exploitation and in need of immediate attention.

Parth Shukla is an Information Security Analyst in the Operations Centre at the Australian Computer Emergency Response Team (AusCERT). He specialises in providing analysis, monitoring threats and responding to member requests for incident handling. Parth has extensive experience working in the IT field over the past 8 years. He has worked for the University of Queensland (UQ) for a number of years taking on various positions. In addition to working as the Information Technology Support Officer at the UQ Library, he has also held a range of Research Assistant roles in various IT projects, and he has tutored both practical programming and other theoretical computer courses at both advanced and capstone levels for the School of Information Technology and Electrical Engineering (ITEE). Parth’s previous roles outside the University include working as a system administrator and a freelance website programmer. In terms of academics, he has excelled in his studies, being awarded the prestigious “UQ Excellence Scholarship”, which he maintained for the full 4 years.

While at AusCERT, Parth has been analysing the data of the Carna Botnet that he obtained exclusively from the anonymous researcher. He has provided relevant snippets of the datasets to CERTs around the world as well as relevant organisations within Australia. He has taken on the mission of spreading public awareness on the security implications of his research by conducting detailed region-specific analyses of the Carna Botnet at various conferences around the world. So far, Parth has presented at the following conferences: The Hackers Conference in Delhi, India; APNIC 36 in Xi’an, China; AusNOG 2013 in Sydney, Australia; Security on the Move Conference in Sydney, Australia; and AusCERT 2013 Conference at the Gold Coast, Australia. Parth has also been invited to present on the South American data for the Carna Botnet at BlackHat in Sao Paulo.

His presentation at DeepSec will cover exclusive and detailed never-before-presented content. Parth has been strongly interested in information security from the earliest days of his career. His passion for computer security covers a wide range of topics from botnet and malware analysis to network and infrastructure security. Outside work, Parth also runs his own small VM farm of servers at home as a hobby and for private research. His personal interests are far and wide, including physics, politics, religion, philosophy and cricket!

Top 10 Security Mistakes In Software

Peter af Geijerstam (Factor10)

What are the most common mistakes made during the software development process which lead to security problems in the finished product?

In this talk, Peter af Geijerstam will present the top 10 issues leading to insecure software systems.

This talk is NOT about the technical aspects of buffer overflows, shell code or use-after-free vulnerabilities. It is about language- and OS-independent security-aspects such as design decisions, concepts, mistakes and bad luck.

If you are looking for in-depth technical security, this is not your talk. If you are a developer, curious about what you need to know about security, you should definitely attend. What to learn: What should you as developer be aware of? When should the alarm bells go off inside your head, saying "We need to think this over really carefully" or "I need to get an expert opinion on this"? How can you become an even better developer?

Peter af Geijerstam is a software developer who specializes in computer security. He has been doing software development for over 15 years and has experience from small businesses, large-scale telecom and computer security for government agencies. Peter believes in solving problems, not using any particular technology. He currently works as a software consultant for factor10 where he works to bring security-awareness to software developers. Peter is on twitter as @p4fg and blogs on http://www.shellcode.se





Using Memory, Filesystems And Runtime To App Pen iOS And Android

Andre Gironda

The whitehat presenter will unlock some of the mysteries of the iDevice and Android-device memory intrinsics, filesystem/process sandboxes, and the OO runtime by walking through the techniques, including common obfuscations.

The ethical attendee will learn how to take any popular, off-the-shelf mobile device (including ones that claim encrypted memory/flash) and transform it into a powerful tool that can be used to understand what risks can happen to the user/owner of that device.

Andre Gironda is an app pen-tester. He has been banging up iOS and Android apps for the Fortune 10 and their partners, along with Web Services and some webapps, using full-scope software security assessments for 2 years at HP after 4 years of freelance pen-testing and reverse engineering. He is a strong believer in the power of the individual to learn, unlearn, and re-learn code alongside debugging, hooking, and tracing techniques.

Mobile Fail: Cracking Open "Secure" Android Containers

Chris John Riley (Raiffeisen Informatik)


 We've known for some time that physical access to a device means game over. In response, we've begun to rely more and more on "secure" container applications to keep our private and company data secret. Whether you use LastPass to secure your passwords, or GOOD for Enterprise to make sure your company emails are safe and sound, this presentation will demonstrate that more often than not, the container isn't as secure as you think. 

In this presentation I will discuss specific design flaws in the security of "secure" Applications that promise to keep your data / password and even company email safe and sound should the device fall into the wrong hands. 

Chris John Riley is a senior penetration tester and part-time security researcher working for Raiffeisen Informatik Security Competence Center . With over 15 years experience in various aspects of Information Technology, Chris now focuses full time on Information Security. Chris is one of the founders of the PTES (Penetration Testing Execution Standard), regular conference attendee and avid blogger (blog.c22.cc), as well as being a regular contributor to the open-source Metasploit project and generally getting in trouble in some way or another. When not working to break one technology or another, Chris enjoys long walks in the woods, candle light dinners and talking far too much on the Eurotrash Security podcast. 


Applied Crypto Hardening

Aaron Kaplan (CERT.at), DI Ramin Sabet, Daniel Kovacic



Bypassing Security Controls With Mobile Devices

Georgia Weidman (Bulb Security LLC)

"We've got Mobile Device Management, BYOD is not a risk for us!" "Our proxy filters all outbound traffic, no one is getting a shell out ever!" Companies are putting a lot of faith in these security mechanisms to stop the threats to mobile devices. In this talk we put those big claims to the test and look at ways to bypass security restrictions on mobile devices. For example, we will see if that MDM that claims it can detect rooting/jailbreaking has ever heard of polymorphic code. And that proxy that stops all outbound traffic unless its in the Internet Explorer process authenticated against the domain? Why not just send your shell back to an exploited mobile device in the environment and have it pass the shell out via SMS? Code examples of all the techniques used will be demoed live and released as additions to the author's Smartphone Pentest Framework.

Georgia Weidman is an experienced penetration tester, security researcher, and trainer. She holds a Master of Science degree in computer science, secure software engineering, and information security as well as holding Certified Ethical Hacker (CEH), Certified Information Systems Security Professional (CISSP), NIST 4011, and Offensive Security Certified Professional (OSCP) certifications. Her groundbreaking work in the field of smartphone exploitation has been featured in print and on television including MIT Technology Review, Ars Technica, PC World, Fox News and Global TV Canada. She has presented her research at conferences around the world including Shmoocon, Hacker Halted, Security Zone, and Bsides. Georgia has delivered highly technical security training at conferences, hacker spaces, and schools to excellent reviews. Building on her experience working in both the public and private sectors, Georgia founded Bulb Security LLC (http://www.bulbsecurity.com), a security consulting firm specializing in security assessments/penetration testing, security training, and research/development. She was awarded a DARPA Cyber Fast Track grant to continue her work in mobile device security.

Automation In Android & iOS Application Security Review

Hemil Shah (eSphere Security Solutions Pvt Ltd)

Mobile application hacking and its security is becoming a major concern in today’s world - especially with BYOD and user’s jailbreaking/rooting their devices. In the last few years we have seen a range of new attack vectors and methods of exploitation for these devices. Mobile applications are vulnerable to various sets of different attacks like local storage, user data harvesting, activity spying, unauthorized event injection, UI Jacking, Tab Jacking, Traffic redirection, Logical attacks, hard coded keys and a few other. It is imperative to scan these applications before loading and launching.

Currently scanning and vulnerability detection are two major issues for mobile applications. Attacking techniques and exploit delivery on different platforms are evolving, protection is even tougher as code bases are different.
Amongst the mobile attacks, local storage being the key target for attacks which affect the security and privacy of the user. What we really need right now is a automated program to penetrate local storage of the most widely used mobile platforms (Android and iOS). Interestingly, Android SDK provides an API which can be used to monitor file systems. On the iOS, one needs to jailbreak a device to attack local storage. Along with the presentation, free tools (Separate for android and iOS) will be released. The Android tool uses API to monitor the Android file system where the iOS tool relies on OS features. Methodology to perform the application penetration testing using the tools will be demonstrated along with several different demonstrations on attacking local storage for both platforms.
The presentation will conclude with a list of interesting spots on Android and iOS for penetration testers to exploit local storage.

Hemil Shah, CISSP, CSSLP, ACP is the founder and Director of eSphere Security, a company that provides professional services in the security area. He is also on advisory board at several security companies and a regular speaker/trainer at some of the best security conference. He has published several tools and whitepapers and has given talks and lectures at numerous conferences including OWASP, HITB, HackCon, SyScan and NullCon. Hemil is an expert in Mobile Application Security, Application Security, researching new methodologies and training designs. He has performed more than 1000 security consulting assignments in the area of penetration testing, code review, web application assessment, security architecture review and Mobile application security review.

The Dark Side of the Internet

Moritz Schafhuber

Darknets (aka "network telescope") are used by security researchers as well as network and system engineers to gain information about traffic in a seemingly unused ("dark") address space of a network.

Due to the fact that the darknet has no active services or hosts, no legitimate packets should enter it.
Traffic to the darknet thus is caused e.g. by Malware or attackers which are scanning networks and trying to infect new hosts.

This talk will focus on the analysis of the information collected using the darknet as well as the setup used.
The motivaton for the initial setup will be elaborated and results/statistics of the metadata and packet analysis presented.