Speakers (preliminary) - DeepSec IDSC 2013 Europe
Attacks On GSM Networks
Recent years have seen a significant increase in research on GSM attacks: the weaknesses of A5/1 encryption have been demonstrated and exploited, several GPRS networks in Europe have been shown to be insecure, and an ever-growing number of Open Source projects in the area of GSM and GPRS are gaining significant traction.
Despite the availability of attack methods, the tools are often hard for security professionals to use because of their limited documentation, and the published attacks are often difficult to reimplement when assessing the vulnerability of a GSM network.
This two-day workshop will spend about half the time re-visiting the key aspects of GSM's security features and their publicly known weaknesses.
The other half is devoted to hands-on sessions in which attendees are walked through the various tools for GSM security analysis, such as OsmocomBB, OpenBSC, airprobe, SIMtrace and others. All tools are provided pre-compiled and pre-installed on a USB flash drive with a Linux-based live distribution.
The target audience of this workshop are GSM network operators and IT security professionals. As an attendee, you should be familiar with working on a Linux/Unix command line shell. Prior knowledge of GSM/GPRS network architecture is a plus, but not absolutely necessary.
Dieter Spaar is a self-employed software developer and consultant with more than 25 years of experience in system-level and embedded development on a variety of architectures. In the last couple of years, he has been a key figure in the GSM research area. In 2008, he first co-presented on the subject of running small independent GSM networks for research use. At DeepSec 2009, he first demonstrated his implementation of the so-called RACH DoS attack.
Harald Welte is a freelancer, consultant, enthusiast, freedom fighter and hacker who has been working with Free Software (and particularly the Linux kernel) since 1995. After working extensively in the area of IP network security, where he co-authored netfilter/iptables, he has been researching non-IP communication protocols and systems such as RFID, DECT, GSM and TETRA. He is involved in the development of almost all the tools discussed in this workshop.
Effective IDS/IPS Auditing And Testing With Finux
IDS/IPS is rarely tested effectively on a penetration test. At best, the results are based on a sacrificial host being exploited, and the detection system either picked up the attack or it did not. Very rarely does that show the real issue or give a true reflection of the threats a security device faces.
In this one-day training course we will look at what exactly an IDS/IPS does and what its capabilities are, how detection takes place, and what should make up an effective IDS/IPS test or audit. This training will be of use to people who manage and maintain IDS/IPS solutions, and to security testers who wish to offer IDS/IPS audits and assessments to their clients.
Attendees will learn why using a sacrificial host for an IDS/IPS audit has inherent problems, what alternative testing methods should be used, which particular issues should be examined, and how a tester can test for them.
T.B.A.
Exploiting Web Applications Protected By $WAFs
Web application firewalls are now used as mitigation devices to prevent the exploitation of web-based assets. During this workshop the audience will learn how to exploit web applications that are deployed without any web application firewall protection. Typical attack vectors based on OWASP's Top Ten 2013 are explained and experienced in several hands-on sessions. The second day introduces possible mitigation scenarios using standard mod_security WAF rule sets.
The workshop participants will learn how to configure mod_security on their own and why the default configuration of an out-of-the-box $WAF provides only an illusion of protection. The attacks experienced on the first day will be repeated and, this time, prevented by the participants themselves. During the hands-on sessions the workshop trainer will advise on and outline particular rules and evasion techniques. At the end of the second workshop day the audience is confronted with a highly customized mod_security rule set to demonstrate both the capabilities of a $WAF and the effort required to build secure web applications with one, and why secure coding and security requirements engineering are still required for web applications with or without $WAFs.
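Added example, not part of the workshop material: a minimal illustration in Python of the "WAF as illusion" point above. A toy signature list stands in for a default signature-based rule set (it is not a mod_security rule). The tautology payload the signature was written for is blocked; the same payload with an inline SQL comment in place of whitespace slips past it and dumps every row through the concatenated query, while the parameterised query returns nothing for either payload. Table, rows and payloads are constructed for this example.

```python
import re
import sqlite3

# Toy signature set standing in for a default, signature-based WAF rule set.
# Constructed for this example; these are not ModSecurity/CRS rules.
SIGNATURES = [
    re.compile(r"union\s+select", re.I),                 # UNION-based extraction
    re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),   # ' OR '1'='1 tautology
    re.compile(r"--\s*$"),                               # trailing comment cuts the query
]

def waf_blocks(value):
    """True if any signature matches the raw parameter value."""
    return any(sig.search(value) for sig in SIGNATURES)

def setup_db():
    """In-memory SQLite table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cr3t"), ("bob", "hunter2")])
    return conn

def lookup_vulnerable(conn, name):
    """'Before' version: the signature filter is the only defence in front of
    string concatenation. Returns "blocked" or whatever rows the query produced."""
    if waf_blocks(name):
        return "blocked"
    sql = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_hardened(conn, name):
    """'After' version: parameterised query. Input can never change the query
    structure, so correctness does not depend on any filter in front of it."""
    return conn.execute("SELECT name, secret FROM users WHERE name = ?",
                        (name,)).fetchall()

TEXTBOOK = "' OR '1'='1"     # what the signature was written for
EVASION = "' OR/**/'1'='1"   # same logic, whitespace replaced by an inline comment

if __name__ == "__main__":
    conn = setup_db()
    print("textbook payload, vulnerable:", lookup_vulnerable(conn, TEXTBOOK))  # blocked
    print("evasion payload, vulnerable: ", lookup_vulnerable(conn, EVASION))   # both rows
    print("evasion payload, hardened:   ", lookup_hardened(conn, EVASION))     # []
```

The filter could be extended to catch this particular comment trick, but the attacker only needs one more encoding the rule author did not think of; the parameterised version needs no such race.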
My name is Florian Brunner and I work as security consultant at HolisticSec, a company I founded.
Before founding my own company back in 2011, I was working as a software engineer for an international MES vendor. I have a bachelor's degree in Secure Information Systems from the University of Applied Sciences Upper Austria, Campus Hagenberg, and I will complete my master's degree in the winter of 2013. Alongside my studies at university I was chairman of "Hagenberger Kreis zur Förderung der digitalen Sicherheit", a students' association founded back in 2002 with the aim of enhancing security awareness within Austria. The yearly ICT security conference "Security Forum" is organized by this association. The main activities within my own company focus on penetration testing, social engineering and secure software development. Since 2008 I have been part of the CTF team h4ck!nb3rg.
Hands On Exploit Development
In this two-day class we will study introductory to intermediate exploit development for the Windows and Linux platforms. You will gain hands-on experience finding vulnerabilities, writing working exploits from scratch, and porting public exploit code to meet your needs. We will start with the basics of stack-based buffer overflows and structured exception handler (SEH) overwrites, then move on to bypassing more advanced anti-exploitation measures such as stack cookies, ASLR and DEP. Techniques such as egghunters, ROP and heap exploitation will be covered. In addition to writing exploits from scratch we will look at public exploit code and port it to fit our environment's needs. We will also write Metasploit modules and port our exploits into Metasploit. Hands-on labs for both Windows and Linux exploit real vulnerable programs.
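As an added example, not from the class material: the first step of the "from scratch" stack-overflow work described above, in Python. After a target crashes on a cyclic-pattern input, the value left in EIP locates the saved return address within the buffer. The functions below generate a pattern in the Metasploit pattern_create style, map a crash value back to its offset, and lay out the resulting buffer. The crash value 0x39644138 and the return address 0x41424344 are constructed placeholders, not values from any real target.

```python
import string
import struct

def pattern_create(length):
    """Cyclic pattern in the Metasploit pattern_create style: Aa0Aa1...Aa9Ab0...
    Every 3-byte group (upper, lower, digit) is unique, so a 4-byte value read
    out of a register identifies one position in the sent buffer. The pattern
    stays unique for 26*26*10*3 = 20280 bytes."""
    if length > 20280:
        raise ValueError("pattern repeats beyond 20280 bytes")
    groups = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                groups.append(upper + lower + digit)
                if len(groups) * 3 >= length:
                    return "".join(groups)[:length]
    return "".join(groups)[:length]

def pattern_offset(value, length=20280):
    """Offset of a crash value in the pattern. Accepts the 32-bit register value
    as an int (decoded little-endian, as the x86 CPU stored it) or a raw str
    chunk as copied from a debugger. Returns -1 if the value is not in the pattern."""
    if isinstance(value, int):
        needle = struct.pack("<I", value).decode("ascii", errors="replace")
    else:
        needle = value
    return pattern_create(length).find(needle)

def build_buffer(offset, ret_addr, payload, nop_sled=16):
    """Classic stack-overflow layout: filler up to the saved return address,
    the new return address (little-endian), a NOP sled, then the payload."""
    return b"A" * offset + struct.pack("<I", ret_addr) + b"\x90" * nop_sled + payload

if __name__ == "__main__":
    # Constructed walkthrough: the target crashed with EIP = 0x39644138 after
    # being fed pattern_create(2000). Which offset overwrote the return address?
    off = pattern_offset(0x39644138)
    print("saved return address is at offset", off)
    # 0x41424344 is a placeholder for a real "jmp esp" address in a non-ASLR module;
    # four INT3 instructions stand in for shellcode.
    buf = build_buffer(off, 0x41424344, b"\xcc" * 4)
    print(len(buf), "bytes, return address bytes:", buf[off:off + 4].hex())
```

The same offset lookup applies to an SEH overwrite: read the overwritten handler address from the exception chain instead of EIP and feed it to pattern_offset.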
Georgia Weidman is an experienced penetration tester, security researcher, and trainer. She holds a Master of Science degree in computer science, secure software engineering, and information security, and holds the Certified Ethical Hacker (CEH), Certified Information Systems Security Professional (CISSP), NIST 4011, and Offensive Security Certified Professional (OSCP) certifications. Her groundbreaking work in the field of smartphone exploitation has been featured in print and on television, including MIT Technology Review, Ars Technica, PC World, Fox News and Global TV Canada. She has presented her research at conferences around the world including Shmoocon, Hacker Halted, Security Zone, and Bsides. Georgia has delivered highly technical security training at conferences, hacker spaces, and schools to excellent reviews. Building on her experience working in both the public and private sectors, Georgia founded Bulb Security LLC (http://www.bulbsecurity.com), a security consulting firm specializing in security assessments/penetration testing, security training, and research/development. She was awarded a DARPA Cyber Fast Track grant to continue her work in mobile device security.
Social Engineering Awareness Training - One Day Training Course
What are you doing to protect your organisation against social engineering attacks?
This one day workshop provides an introduction to defending against one of the most prevalent threats faced by organisations today – social engineering.
Social engineering is a collection of techniques for manipulating people into providing inappropriate access to physical or information assets. It is a form of intrusion that depends on human interaction. It typically involves deceiving people and exploiting the innate human desire to be friendly and helpful and to avoid confrontation, so that they compromise normal security procedures.
Even where optimal physical and technical information security controls have been implemented, the human vulnerability can lead to compromised confidentiality, integrity, and availability.
The workshop focuses on attacks that your organisation may be subjected to, the steps you can take to defend yourself, and the ways you can improve your social engineering awareness to ensure a sustained defence.
The objective of the course is to provide participants with the tools and knowledge to identify and deal with social engineering attacks by learning the characteristics of and methods used by social engineers. As potential unwitting victims themselves, participants will gain a better understanding of what motivates them and how their own actions may be manipulated by an attacker. Most importantly, participants will return to their workplace confident in the knowledge that they are better prepared to counter any social engineering attempts, and know how to respond to such attempts.
Course content
Introduction to social engineering
This unit provides an introduction to social engineering, what it is, why it is a threat and who the malicious social engineers are. It will provide a brief summary of the evolution of social engineering from the golden era of the con man to the social engineering attacks of today.
Social engineering principles
This unit provides an overview of the principles on which social engineering is based and will help participants to understand why social engineering works.
Common social engineering techniques
This unit will discuss common techniques used by social engineers, such as mumble attacks, road apples, phishing/vishing/smishing, etc. It will include plenty of examples from real life experience and the media.
Defence against social engineering
This unit will suggest different methods for defending against social engineering attempts, including:
• Logical security controls
• Physical security
• Security policies
• Education and awareness
Social engineering testing
This unit will provide an introduction to social engineering testing and go through the stages involved in planning and executing an ethical social engineering test.
Who should attend?
Anyone with an interest in learning how to protect themselves or their organisation against social engineering attacks.
Sharon Conheady is a director at First Defence Information Security in the UK where she specialises in social engineering. She has social engineered her way into dozens of organisations across the UK and abroad, including company offices, sports stadiums, government facilities and more. She has presented on social engineering at security conferences including Deepsec, Defcon SE CTF, Brucon, Recon, CONFidence, ISSE, ISF and has featured on podcasts including pauldotcom.com and social-engineer.org.
After inventing the Internet alongside Al Gore, Sharon moved on to the development of security protocols that were used to crack 128 bit encryption. She holds a degree in Computer Science from Trinity College Dublin and a MSc in Information Security from Westminster University. Three times winner of the Nobel Prize, Sharon enjoys belly dancing and space travel.
If you see Sharon around your office, she requests that you kindly open the door to let her in.
Martin Law has over 20 years of security expertise and has been performing physical and social engineering tests since 1994. An accomplished penetration tester, he now specialises in physically accessing buildings by using a combination of social engineering and other techniques to bypass physical security.
Martin also undertakes investigations into actual or suspected security breaches, and specialises in the area of Information Warfare. He attempts to breach not only the logical security of systems and networks, but also the physical security of the infrastructure and buildings, including the use of social engineering when engaged in an “All-Out-Attack” against an enterprise.
Having a considerable depth of technical experience in open and distributed systems, as well as networking, in multi-vendor environments, Martin has spent nearly 24 years in the UNIX and TCP/IP arena, having started his career as a developer of UNIX systems.
Martin is an OWASP chapter leader, event planner with the ISF (Information Security Forum) and formerly a director of CREST (Council of Registered Ethical Security Testers) and a council member of the ISF.
Analyzing Internet Attacks With Honeypots
In the field of computer security, honeypots are systems aimed at deceiving malicious users who launch attacks against the servers and network infrastructure of organizations. They can be deployed as protection mechanisms for an organization's real systems, or as research units to study and analyze the methods employed by individual attackers or by malicious software launching automated attacks.

In this workshop we will outline the operation of various research honeypots, deploying and testing them manually in real time; participants will follow the procedure as described by the instructor. One honeypot will act as a trap for attackers who target the SSH service in order to gain unauthorized server access. Another will act as a malware collector, the kind usually deployed by malware analysts and anti-virus companies to gather and securely store malicious binary samples. Others include web application exploit loggers and client-side tools for malware analysis. Furthermore, visualization tools for the aforementioned systems will be presented that help information security professionals get an overview of their activity, along with a honeypot bundle Linux distribution that contains pre-configured versions of the above tools and many related utilities, which makes deploying honeypots in small or large networks an easy task.
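Added example (Python, not from the workshop): a small summariser for the output of the SSH-trap honeypot, which is the kind of aggregation a visualization tool such as the ones mentioned builds on. The sample lines are constructed here and modelled on Kippo's log format; the source addresses come from the RFC 5737 documentation ranges. It counts the most-tried usernames, passwords and sources, and lists every source that got past the fake authentication, since those are the sessions whose recorded commands are worth reading.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the Kippo SSH honeypot's log format:
# timestamp, Twisted transport tag with session id and source IP, credential pair, result.
SAMPLE_LOG = """\
2013-11-19 03:14:07+0100 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.5] login attempt [root/123456] failed
2013-11-19 03:14:09+0100 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.5] login attempt [root/password] failed
2013-11-19 03:14:11+0100 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.5] login attempt [admin/admin] failed
2013-11-19 03:20:42+0100 [HoneyPotTransport,1,203.0.113.5] connection lost
2013-11-19 04:01:00+0100 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.7] login attempt [root/123456] failed
2013-11-19 04:01:03+0100 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.7] login attempt [root/toor] succeeded
2013-11-19 05:45:12+0100 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.9] login attempt [oracle/oracle] failed
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,"
    r"(?P<session>\d+),(?P<src>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]+)/(?P<password>.*)\] (?P<result>failed|succeeded)$"
)

def parse_line(line):
    """Return a dict for a login-attempt line, None for any other line."""
    m = LOGIN_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(log_text, top=3):
    """Aggregate attempts per user, password and source, and list every source
    that got past the fake authentication (Kippo records the commands typed
    afterwards, so those sessions deserve a closer look)."""
    attempts = [a for a in (parse_line(l) for l in log_text.splitlines()) if a]
    users, passwords, sources = Counter(), Counter(), Counter()
    successful = {}
    for a in attempts:
        users[a["user"]] += 1
        passwords[a["password"]] += 1
        sources[a["src"]] += 1
        if a["result"] == "succeeded":
            successful.setdefault(a["src"], []).append(a["user"] + "/" + a["password"])
    return {
        "attempts": len(attempts),
        "top_users": users.most_common(top),
        "top_passwords": passwords.most_common(top),
        "top_sources": sources.most_common(top),
        "successful": successful,
    }

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("%d login attempts" % s["attempts"])
    for key in ("top_users", "top_passwords", "top_sources"):
        print(key, s[key])
    print("sources that logged in:", s["successful"])
```

On a real deployment the counters feed straight into charts of the kind Kippo-Graph produces; the "successful" list is the hand-off point to the session replays.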
Ioannis Koniaris is a CS graduate from Aristotle University of Thessaloniki and a PhD student in the field of Information Security. He has worked as an assistant in the Network Operations Center of AUTH and has a passion for anything security- and DevOps-related. His current professional work consists mostly of web application security testing. His main interests are honeypots, honeyclients, intrusion detection and security visualization. He has released a number of utilities to aid information security professionals using honeypots, among them Kippo-Graph, Honeyd-Viz and the honeypot bundle Linux distro HoneyDrive. These tools are used by various CERT InfoSec teams and have also been included in the "Proactive detection of security incidents II - Honeypots" report by ENISA. Two academic papers on honeypots are also under review for publication.
Developing and Using Cybersecurity Threat Intelligence
Traditional security defense tools are increasingly unable to protect against current and emerging attacks. The modern attacker has adopted advanced tools and techniques that cannot be stopped by traditional firewalls, intrusion detection and anti-virus, and dedicated attackers carry on intrusions over months and years while going undetected, stealing valuable information, trade secrets and financial data. Defenses that leverage information about attackers and their techniques, however, can greatly enhance the security of an organization: modern defenses can integrate intelligence and counterintelligence information, which greatly increases the ability to keep attackers out and to detect their presence quickly. This course will teach students about the tools they can use to gain insight into attackers and how to integrate them into their organization. It will be a mix of lecture and hands-on training, so students will be equipped on day one to go back to work and start using threat intelligence to protect their networks.
John Bambenek is Chief Forensic Examiner for Bambenek Consulting and an Incident Handler with the Internet Storm Center. He has been working in security for 14 years researching emerging security threats. He is a published author of several articles, book chapters and one book, and has contributed to IT security courses and certification exams covering subjects such as: penetration testing, reverse engineering malware, forensics and network security. He has participated in many incident investigations spanning the globe.
Mobile Application – Scan, Attack and Exploit
Mobile application hacking and its security is becoming a major concern in today's world, especially with BYOD and users jailbreaking/rooting their devices. In the last few years we have seen a range of new attack vectors and methods of exploitation for these devices. Mobile applications are vulnerable to many different attacks, such as insecure local storage, user data harvesting, activity spying, unauthorized event injection, UI jacking, tap jacking, traffic redirection, logic attacks, hard-coded keys and a few others. It is imperative to scan these applications before loading and launching them on the different platforms. Scanning and vulnerability detection are two major areas for mobile applications in their current state. Attack techniques and exploit delivery on the different platforms are evolving, and protection is even tougher as the code bases differ. With all mobile platforms supporting HTML5 applications, hybrid applications are increasing significantly.
At the same time, mobile applications communicate with the server side over HTTP/HTTPS, which opens up attacks on Web Services, APIs, OAuth, REST, etc. The server-side applications can be attacked with injections and critical logic exploitation. New technology stacks such as HTML5 and Silverlight are evolving on mobile, which opens up new attack surface. In this context it is imperative for IT professionals and corporate application owners to understand these attack vectors in order to protect the mobile infrastructure, users' privacy and security, and the company's intellectual property. The class features detailed hands-on exercises on mobile attacks for different platforms, real-life cases, live demos, scanning techniques, code analysis and defensive controls. The following topics will be covered during the class.
Introduction to Mobile Applications
• General Overview
• Case studies of Vulnerable and old AppStore applications
• Evaluation of Applications
• Trend in Mobile application Security
• Mobile Application Fundamental – What, Why, How and Where
iOS
Deep dive into iOS
• Sand boxing
• iOS Application Architecture
• Understanding iOS platforms
• iOS Structure
• Application Structure
• Application Distribution
• Permissions
• Installing application from IPA
• Objective-C Basics for penetration testing
• Cocoa/Cocoa touch Framework
• Introduction to Xcode
• Running application in simulator
• JailBreaking
o What
o Why
o How
o Who
Set up Attack environment
• Intercepting traffic
o Configuring simulators to use proxy
o Configuring device to use proxy
o Overcoming SSL traffic interception challenges
o DNS Kung fu
• Analysis tools
• Monitoring tools
• Reverse engineering tools
iOS Application Attacks & Reverse engineering
• Attacking Insecure storage
• Insecure network Communication
• Unauthorized dialing, SMS using rootkit
• UI Impersonation/Spoofing
• Activity monitoring and data retrieval
• Sensitive/Private data leakage
• Hardcoded passwords/keys
• Language issues
• Jail breaking/Physical device theft
• KeyBoard cache/ClipBoard issue in iPhone
• Reading information from SQLite database
• Insecure Protocol Handler implementation
• Parsing client side binary files to get session cookie
• Business Logical attacks
• Using debugger to analyze iOS applications
• Interesting things to look for after reverse engineering
Securing iOS Applications and source code analyzer
• Secure coding for iOS Application
• How to incorporate secure design and coding principles for developing iOS applications
• Safe/Unsafe APIs
• Avoiding Buffer Overflows And Underflows
• Validating Input And Inter process Communication
• Race Conditions and Secure File Operations
• Designing Secure User Interfaces
• Static Code Analyzer for iOS
Other Mobile/Smart TV Platforms
Windows Phone
• Understanding Windows Phone platforms (Windows Phone 7 & Windows Phone 8)
o Windows file System
o Application Distribution
o Permission model
• Windows phone development environment
• Running windows phone binary in simulator
• Intercepting traffic
BlackBerry
• Blackberry file System
• Application Distribution
• Permission model
• Intercepting traffic
Samsung smart TV applications
• Architecture
• Key component and browser stack
• Application model and structure
Android – Hacker friendly platform
Understanding Android platforms
• Android file System/Dalvik
• Application Distribution
• Permissions
• Introduction to android SDK and useful files
• Understanding android application key components
• Running application in Android emulator
• Key ADB commands to play with android emulator
Set up Attack environment
• Intercepting traffic
o Configuring emulator to use proxy
o Configuring device to use proxy
o Overcoming SSL traffic interception challenges
o DNS Kung fu
• Analysis tools
• Monitoring tools
• Reverse engineering tools
Attacking android applications
• Insecure storage
o Internal storage
o External storage
o Shared secret
• Insecure network Communication – Carriers network security & WiFi network attacks
• Unauthorized dialing, SMS
• UI Impersonation/Spoofing
• Activity monitoring and data retrieval
• Sensitive data leakage
• Hardcoded passwords/keys
• Keyboard cache/clipboard issues
• Reading information from SQLite database
• Attacking manifest file permissions
• Analyzing local storage with file system monitoring
• Business Logical attacks
• Using AFE to create malicious APK
• Sending signals over wifi/mobile network
• Decompiling Android Application
• Attacking intellectual property by attacking android binaries
Secure coding for Android Applications and source code analyzer
• Secure coding for Android Application
• Using randomization
• Safe/Unsafe APIs
• Validating Input And Inter process Communication
• Controlling access with manifest
• Static Code Analyzer for Android
• Protecting intellectual property in android application
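Added example, not part of the class: the manifest review behind "Attacking manifest file permissions" and "Controlling access with manifest" above, as a Python check over a constructed AndroidManifest.xml for a hypothetical app (the package com.example.vulnapp and its components do not exist). It flags components reachable by other apps without a declared permission, including those implicitly exported by an intent-filter under the pre-Android 12 default, and the application-level debuggable/allowBackup flags.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed manifest for a hypothetical app; nothing here exists in any store.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vulnapp">
  <application android:label="VulnApp" android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <provider android:name=".UserProvider"
              android:authorities="com.example.vulnapp.users"
              android:exported="true"/>
    <receiver android:name=".SmsReceiver" android:exported="true"
              android:permission="android.permission.BROADCAST_SMS"/>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>
"""

def attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(ANDROID_NS + name)

def audit_manifest(manifest_xml):
    """Return application-level flags and the components other apps can reach
    without holding a permission. A component counts as exported if
    android:exported="true", or, under the pre-Android 12 default, if it has an
    <intent-filter> and no explicit android:exported attribute. (Providers in
    apps targeting API < 17 also defaulted to exported; not modelled here.)"""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = {"application": [], "components": []}
    if app is None:
        return findings
    if attr(app, "debuggable") == "true":
        findings["application"].append(
            "android:debuggable=true (run-as / JDWP access to the app's data)")
    if attr(app, "allowBackup") != "false":
        findings["application"].append(
            "android:allowBackup not disabled (adb backup extracts app data)")
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        exported = attr(comp, "exported")
        has_filter = comp.find("intent-filter") is not None
        if exported == "true":
            why = "explicitly exported"
        elif exported is None and has_filter:
            why = "implicitly exported via intent-filter"
        else:
            continue
        if attr(comp, "permission"):
            continue  # protected: callers must hold the declared permission
        findings["components"].append(
            (comp.tag, attr(comp, "name"), why + ", no android:permission"))
    return findings

if __name__ == "__main__":
    result = audit_manifest(SAMPLE_MANIFEST)
    for flag in result["application"]:
        print("application:", flag)
    for tag, name, why in result["components"]:
        print("%-8s %-20s %s" % (tag, name, why))
```

The launcher activity shows up because it genuinely is exported; the reviewer's judgement is whether each flagged component is meant to be, which is exactly the question the exported provider and AdminActivity above fail. On a real device the manifest is pulled from the APK with apktool or aapt before running a check like this.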
HTML 5 Applications on Mobile stack
Working with HTML5 applications on Mobile
• HTML5 specs for mobile
• Touch/Moving in mobile applications using HTML5
• Hybrid applications and its permission model
• HTML5 tags supported with mobile platforms
HTML5 Attacks on Mobile
• LocalStorage stealing
• SQLite injections
• Click/Tap Jacking
• Business Logical attacks
• JavaScript reverse engineering
Hands-on:
All concepts taught in this class are punctuated with hands-on exercises based on situations observed in real life. The class ends with a challenge exercise: working within a limited time period, participants are expected to analyze the code, identify loopholes, exploit the vulnerabilities present in the applications and suggest appropriate defense strategies. Mobile applications running on iPhone, Android and hybrid stacks will be provided for testing. Participants will also build a small application to capture important development concepts.
Hemil Shah, CISSP, CSSLP, ACP is the founder and Director of eSphere Security, a company that provides professional services in the security arena. He is on the advisory board of a number of security companies and a regular trainer at some of the best security conferences. He has published several advisories, tools and whitepapers, and has presented at numerous conferences. Hemil is an expert in mobile application security and application security, researching new methodologies and training designs. He has performed more than 1000 security consulting assignments in the areas of penetration testing, code review, web application assessment, security architecture review and mobile application security review.
Secure your Business by Business Continuity Plans – One Day Training Course
Business continuity does not happen by chance. It is the result of careful planning and preparation. During this one-day workshop you will be guided through all aspects of the creation and implementation of a Business Continuity Plan. Planning smartly and taking every hypothesis into consideration will be demonstrated by examining business continuity plans for small, medium and large enterprises (1000+ employees).
The target audience comprises non-specialists and specialists. Non-specialists are new to the topic: they are thinking about a Business Continuity Plan (BCP), are busy creating a BCP, or want to understand what the requirements for creating a BCP are. Specialists will take part and see how their expertise can contribute to the creation of a BCP.
Michel Wolodimiroff has worked for 25 years at Digital Equipment Corporation in Belgium. His positions included FS Engineer, Account Manager, and Project Manager. He also has 7 years of experience working at international organizations in Vienna (focussed on technical support).
Welcome To DeepSec 2013
The DeepSec organisation team welcomes you to the DeepSec 2013 conference.
T.B.A.
Cultural Learning Of China To Make Benefit Glorious Profession Of Infosec
The current debate about the role of China as a nation in international hacking incidents and corporate espionage is framed in an almost exclusively US-centric narrative. China, however, is a nation that was familiar with innovation, economics and societal (im)balances long before Christopher Columbus accidentally landed in the New World. I will take the audience on a rollercoaster ride across more than 5000 years of history and cultural heritage that will allow us not only to understand the reality of APT and state-sponsored hacking, but also to assess the threat and improve our protection.
As a Managing Consultant at IOActive, Wim Remes leverages his 15 years of security leadership experience to advise clients on reducing their risk posture by solving complex security problems and by building resiliency into their organizations. Wim delivers expert guidance on reducing the high cost of IT security failures, both financially and in terms of brand reputation with his deep expertise in network security, identity management, policy design, risk assessment and penetration testing. Before joining the IOActive team Wim was a Manager of Information Security for Ernst and Young and a Security Consultant for Bull, where he gained valuable experience building security programs for enterprise class clients. Wim has been engaged in various infosec community initiatives such as the co-development of the Penetration Testing Execution Standard (PTES), InfosecMentors, The Eurotrash Security Podcast and organizing the BruCON security conference. Wim has been a featured speaker at international conferences such as Excaliburcon (China), Blackhat Europe, Source Boston, Source Barcelona and SecZone (Colombia).
Psychology of Security: a Research Programme
IT Security is often considered to be a technical problem. However, IT Security is about decisions made by humans and should therefore be researched with psychological methods. Technical/Engineering methods are not able to solve security problems.
In this talk I will introduce the Institute's research programme about the Psychology of Security. We are going to research the psychological basics of IT security, including: How do people experience IT security? How are they motivated? How do they learn? Why do people tend to make the same mistakes again and again (Buffer Overflow, anyone?)? What can we do to prevent security incidents? Which curricula should be taught about IT security?
Stefan Schumacher is head of the Magdeburger Institut für Sicherheitsforschung (Magdeburg Institute for Security Research) and currently running a research programme about the psychology of security. This includes social engineering, security awareness and qualitative research about the perception of security.
Hackanalytics: what's hot, what's not
In pentest and security audit projects the main risk is not failing to penetrate the system or to find vulnerabilities in a large enough software product, but failing to get the task right and to explain your findings to the customer. The problem has many faces and appears in every phase of the project: goal setting with the customer, the system outline given by IT, discussing progress, and the final presentation.
A lack of means of communication, or the misuse of well-known tools of analysis and data representation, is often at the heart of this problem: you cannot discuss raw code with a CEO, or explain your world of social engineering tricks to a system architect using charts.
This talk will cover what works and what fails in our day-to-day practice in pentesting, security audits and forensics, starting from general concepts and tools of analytics (text, charts, SWOT, gap analysis) and moving on to domain-specific favourites adopted for our practice from OSSTMM, PTES and CSC.
Over ten years in IT security testing and benchmarking, security audit, research and development.
Areas of interest: network security (attacks and detection), threat analysis, malware, cryptography, security audit.
Chief Inspirator at the AdvancedMonitoring company, managing security-related projects so that they happen and deliver worthy, actionable results.
Relax Everybody: HTML5 Is Securer Than You Think
Many, many conferences nowadays come with "HTML5 is insecure" or "Hacking with HTML5" talks. This has led to the general perception that HTML5 itself (whatever the term actually stands for) is insecure and, thus, should be avoided for security reasons. This is a highly unfortunate misconception, as the current generation of new Web APIs exposes a level of security sophistication unparalleled in the Web's history. In fact, new browser features such as CORS or postMessage allow, for the first time, the secure realization of use cases which up to now required programmers to resort to insecure programming practices.
In this talk, we will systematically explore security relevant HTML5 APIs. To do so, we discuss their respective security architecture and, more importantly, show how they compare to currently established techniques which were designed to realize similar use cases.
Plainly speaking, you can consider this talk an "information security deathmatch: HTML5 vs. its alternatives" (spoiler: HTML5 wins).
More specifically, the talk will cover:
# Client-side cross-domain communication:
- CORS (HTML5) vs. JSONP and/or crossdomain.xml
# Client-side persistence
- LocalStorage (HTML5) vs. Cookie-hacks
# In-browser communication
- PostMessage (HTML5) vs.
-- hash-identifier passing and/or
-- window.name setting and/or
-- domain relaxation
# ClickJacking protection
- X-Frame-Options (HTML5) vs. JavaScript framebusters
# Bonus track: The browser's new security capabilities
A quick overview of new browser features that can be used to secure Web sites:
- Content Security Policies
- Sandboxed iFrames
- Strict Transport Security (HSTS)
The session's content is based on the experiences and lessons learned of an international academic research project on modern Web security (WebSand, http://websand.eu) of which the speaker is the technical lead. All given details will be backed by empirical data (where applicable). Furthermore, all discussed technologies can be accompanied by proof-of-concept code or practical demonstrations (if time permits).
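Added example (Python, not from the talk): the server-side half of the CORS-vs-JSONP comparison in the list above. The reflecting handler shows the common misconfiguration that hands any site read access to a user's authenticated responses, which is the JSONP-era weakness all over again; the allow-listed handler emits Access-Control-Allow-Origin only for an exact scheme-and-host match, rejects the literal "null" origin, and adds Vary: Origin so a shared cache cannot serve one origin's answer to another. The origins app.example.com and admin.example.com are hypothetical.

```python
from urllib.parse import urlsplit

# Hypothetical deployment: an API called from these two front-end origins.
# Constructed for this example.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}

def cors_headers_reflecting(origin):
    """The common mistake: echo whatever Origin the browser sent and allow
    credentials. Any site a logged-in user visits can now read this API's
    responses, which is no better than the JSONP endpoints CORS was meant to replace."""
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}

def cors_headers_allowlisted(origin, allowed=ALLOWED_ORIGINS, credentials=True):
    """Hardened version: exact, scheme-inclusive match against a fixed list,
    never the literal "null" origin (sandboxed frames, file:// pages), and
    Vary: Origin so caches key the response on the requesting origin."""
    if origin is None or origin == "null":
        return {}
    parts = urlsplit(origin)
    normalized = "%s://%s" % (parts.scheme.lower(), parts.netloc.lower())
    if normalized not in allowed:
        return {}
    headers = {"Access-Control-Allow-Origin": normalized, "Vary": "Origin"}
    if credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers

ALLOWED_METHODS = ("GET", "POST")

def preflight_response(origin, requested_method):
    """Answer an OPTIONS preflight: (status, headers). Only allow-listed origins
    and the methods this API actually serves get a positive answer."""
    headers = cors_headers_allowlisted(origin)
    if not headers or requested_method.upper() not in ALLOWED_METHODS:
        return 403, {}
    headers.update({
        "Access-Control-Allow-Methods": ", ".join(ALLOWED_METHODS),
        "Access-Control-Allow-Headers": "Content-Type, X-Requested-With",
        "Access-Control-Max-Age": "600",
    })
    return 204, headers

if __name__ == "__main__":
    for origin in ("https://app.example.com", "http://app.example.com",
                   "https://app.example.com.evil.example.net", "null"):
        print("%-44s reflecting=%s allowlisted=%s" % (
            origin, cors_headers_reflecting(origin).get("Access-Control-Allow-Origin"),
            cors_headers_allowlisted(origin).get("Access-Control-Allow-Origin")))
```

Note what the exact match buys over a suffix or regex check: the http:// variant and the look-alike host both fall through, which is where most real CORS bypasses come from.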
t.b.a.
From Misconceptions To Failure – Security And Privacy In The US Cloud Computing FedRAMP Program
In our previous analysis of "Cloud Computing (CC)" we concluded that CC is a generally misleading, marketing-driven idea born out of the need to utilize hosting services which became over-abundant after the Internet bubble. The well-known CC models are useless, and in the case of the so-called "community cloud" model it amounts to little more than legal nonsense. When it comes to implementing high-level, complex regulations like the EU General Data Protection Regulation (GDPR), CC is not only useless but, by being misleading, creates a dead-end situation where it is not possible to identify how exactly privacy will be protected in an Internet-based distributed computing environment.
However, regardless of numerous concerns expressed by information security professionals over CC services, the US government developed the FedRAMP program and got funding for moving all federal information systems into a “cloud”. As we identified, all “cloud” misconceptions have successfully made it into the FedRAMP documents. What should we expect from such a large-scale experiment? What will be the result of the “cloudization” – wasting taxpayers’ money and a few people getting some political gain by capitalizing on the public's inability to distinguish between new technology and technological opportunism? Or will it be the next technological step forward, advancing our ability to move and process data wherever we want?
To understand what will happen, and to prevent yet another failure being sold to the world as an achievement, we need to go deep into the analysis of fundamental US government documents and draw our conclusions based on thorough analysis and known facts.
While the rule “garbage in – garbage out” has been proven on numerous occasions, we need to prove it again considering all that is known as “cloud computing” and what the US federal government plans to implement. Then we can answer whether we will get new technology protecting privacy or very costly garbage.
Mikhail A. Utin completed his basic engineering education in 1975 in Computer Science and Electrical Engineering. His career in Russia included working for several research and engineering organizations. He received his Doctorate / PhD in Computer Science (1988) from the then Academy of Science of the USSR. From 1988 to 1990 he founded an information technology company and worked successfully in Russia’s emerging private sector. He held several USSR patents and published numerous articles.
He immigrated to the US with his family in 1990 to escape political turmoil and hoping to continue his professional career. In the US he worked in the information technology and information security fields for numerous companies and organizations, including contracting for the US government's DoN and DoT. Together with colleagues he formed the private company Rubos, Inc. for IT security consulting and research in 1998. The company is a member of the ISSA New England chapter.
He has been an (ISC)2 certified professional for seven years. He has published articles on the Internet and in professional journals, and is a reviewer of articles submitted to the (ISC)2 Information Security Journal: A Global Perspective.
His current research focuses on information security governance, regulations and management, and the relationship between regulations, technology, business activities and businesses' security status. Most of the research is pioneering work never discussed by the information security community.
spin: Static Instrumentation For Binary Reverse-Engineering
My talk proposal is about binary instrumentation and its applications in the field of reverse-engineering and hacking. Binary instrumentation is a technique used in many fields such as computer architecture, application profiling, emulation and dynamic translation. But its interactions with the security field so far have mostly been in malware and threat analysis.
This talk proposes new applications for binary instrumentation such as executable hacking and function hooking. As an example we present a simple analysis routine capable of locating security-critical functions in serial-protected applications by performing runtime analysis of the program's functions. In the end we are able to modify the program's behavior to accept any user input. Another interesting application presented is the ability to locate and hook critical functions in a web browser: we are able to find and hook Opera's HTTP request generator function and sniff out data sent to the server before it gets encrypted by the SSL and TLS layers.
Finally we present a tool called spin which is the base for all the examples shown. This tool performs static binary instrumentation in a very lightweight way: it only instruments statically at function level.
David Guillen Fandos graduated in Computer Science (2012) and Telecommunications Engineering (2013) from the Polytechnic University of Catalonia in Barcelona. He loves computer architecture, operating systems, compilers and, of course, hacking. Reverse-engineering and obfuscation are his main research areas. He has also worked in video games since he was 14 and developed video games for consoles such as the PSP and GameCube/Wii. He has a passion for electronics and hardware hacking, especially firmware and driver development, though he hasn't published any research done in those fields so far. Currently he is working at Intel in the area of processor architecture design.
Risk Assessment For External Vendors
When you have to handle confidential and regulated data for a third party, it's a big challenge to define the risk if you are not going to be on site for a real assessment. Considering the amount of data companies are transferring to the cloud and to external vendors, the regulations, especially in a globalized world, require proper management to be effective, compliant and efficient in order to protect the data and the companies' reputation.
Luciano Ferrari has developed a process that deals with global risk assessment and increases the trust in and the security of your data. However: data security can only be achieved if all units of an organization cooperate - and with a change in culture.
This presentation provides a summary of the steps to get your organization on track.
Luciano holds an MBA in Business Management, a postgraduate degree in Computer Networks and a degree in Microelectronic Engineering. He is also a Certified Information Systems Security Professional and a Cisco Certified Network Associate.
Luciano Ferrari has worked in many different segments: carriers, internet service providers, education and financial institutions.
Finux's Historical Tour Of IDS Evasion, Insertions, and Other Oddities
Roll up, roll up, my Lords, Ladies and Gentlemen, come see the bizarre and wondrous marvels that the Cirque de Vendeurs Sécurité has to offer. Tales of miracle machines that can see into the future and tell their masters of all the dangers they face. Devices so wise that they can see the very threats of tyrants and evil-doers before they've even been thought of. Contraptions that possess a mystical sixth sense that can see every footstep and action a would-be assailant takes before any deadly blow is delivered. These miracle machines give defenders a suit of armour that means the wearer needs no warrior skills in defending their castles. Come see for yourself, and purchase one of these miracle wondrous machines!
Although the above sounds ludicrous and out of place, it isn't that far fetched from a lot of the literature produced by Network Intrusion Prevention/Detection System vendors. This talk looks at the very long and fruitful history the world of network detection systems has to offer (you'll be surprised they're nearly 4 decades old), with an overview of just some of the failings these systems have had over the years, and how these failures shaped their development. In places this talk will be cynical and it won't win any friends among vendors, but attendees will be given enough background information to understand why detection systems like IDS/IPS can work, but why they're set to fail at the same time.
Poor testing, and the general acceptance by nearly everyone within the security industry that these systems can't deliver, is only the beginning of their history of fail. I intend to discuss why certain evasion techniques worked, and why they will continue to work until we understand the inherent problems. Consider this talk a historical journey with one eye fixed on the future.
Twitter: http://twitter.com/f1nux
Speaker: http://www.finux.co.uk
Alba13 Labs: http://www.alba13.com
Arron "finux" Finnon has been involved in security research for over 7 years. Arron has discussed a wide range of security-related topics at a number of security/hacking conferences both in the UK and internationally, as well as producing over 100 security-related podcasts, interviewing countless security professionals as part of the Finux Tech Weekly podcast show.
During Arron’s time at the University of Abertay Dundee he was also awarded the SICSA Student Open Source Award for his advocacy of Free and Open Source software while president of the UAD Linux Society.
Arron now spends his time between consulting and research for Alba13 Research Labs, a company which he founded.
My Name Is Hunter, Ponmocup Hunter
In early 2011 we discovered some malware-infected systems in our network. Starting from one A/V event, we found several host- and network-based indicators to identify and confirm several infections within our company. A few weeks later, the sinkholing of several known C&C domains showed the botnet was very big (several million bots). Quickly I got obsessed with analyzing and hunting this malware, which could infect fully patched systems protected by firewalls, IPS and multi-layered A/V without using exploits (only social engineering).
The malware got some media attention in June 2012 with titles such as “printer virus”, “printer bomb” or “Trojan.Milicenso: A Paper Salesman’s Dream Come True”. A/V detection names for this malware vary greatly, and there may be as little as one registry key in common as an indicator for all infected hosts. Over time the infection and C&C domains, IPs and URL patterns changed to avoid detection.
In late 2012 an “anti-sinkholing technique” was introduced in the use of C&C domains. Just recently I discovered how this technique can be overcome to allow sinkholing of botnet domains again. Unfortunately the currently used C&C domains are not as well known as they were after the incident and analysis in 2011.
Tom Ueltschi received his Bachelor's and Master's of Science in Computer Science and Engineering from the University of Texas at Arlington. After about 6 years working in software development (mainly Java web applications) he switched to IT security five and a half years ago. Hunting for and analyzing new malware is part of his job and his hobby as well. He's an (in-)frequent blogger about APT resources and malware/botnet research (c-apt-ure.blogspot.com) and believes in sharing threat and malware intelligence using Twitter (@c_APT_ure), Storify, CIF feeds and IOCs. He holds several GIAC certifications (GCIH, GWAPT, GXPN) and received the SANS Lethal Forensicator Coin for submitting several IOCs to ForensicArtifacts.com. He's a member of several closed/trusted groups for fighting cybercrime and sharing malware and APT intelligence.
Effective IDS Testing – The OSNIF's Top 5
T.B.A.
T.B.A.
Easy Ways To Bypass AntiVirus Systems
All IT security professionals know that antivirus systems can be avoided. But few of them know how very easy it is to elude them - and if it is easy, the impact is big. In this presentation I am going to fully bypass many antivirus systems live, using basic techniques:
- Bypass signatures
- Bypass emulation/virtualization
- Bypass sandboxing
- Bypass firewalls
How much time and money do I need for this result? Not more than 15 hours of time, and not 1 cent of investment! If I can do this, anyone can do it - I think we are in trouble.
In this presentation I will test only Windows systems and AV for Windows systems, but I think that the techniques I'll introduce can easily be applied to any other system. And for my demonstration I'll only use techniques AVs are already aware of:
- plain text signature
- virtualization and emulation
- behaviour analysis and process separation
- sandboxing
The code I'll hide is a shell_reverse_tcp. It is well known to AVs and it is the cheapest code for an attacker, because it is in Metasploit and anyone can use it. The techniques I use are well documented; just google "antivirus bypass"...
I use VirusTotal.com to speed up my research. Code testing is a time-consuming process: if you would like to test/scan each version of your code with multiple AVs, the time you need for your research will also multiply...
The VirusTotal.com test is not the same as a real test, but good enough to discover a good way of bypassing. If the detection rate is low, we are on the right track ;)
Once I reach a detection result that is low enough to satisfy me, I will test the code with virtual machines to verify the VirusTotal.com result.
After that I'll show the attendees that fully patched and trusted AVs cannot detect the code and therefore cannot protect us completely.
Attila Marosi has been working in the information security field since he started working. As a lieutenant on active duty he worked for years on special information security tasks occurring within the SSNS. Recently he was transferred to the newly established GovCERT-Hungary, which is an additional national level in the internationally known system of CERT offices. He has several international certificates such as CEH, ECSA, OSCP and OSCE. During his free time he does some teaching on different levels, including lessons for white hat hackers. Lately he gave a talk at the yearly organized national-level conference dealing with ethical hacking - a presentation concerning the vulnerability of the best-selling antivirus and firewall software.
Hacking Medical Devices
In the last few years we have seen an increase in high-tech medical devices, including all flavors of communication capabilities. The need for hospitals and patients to transfer data from devices to a central health information system makes the use of a wide range of communication protocols absolutely essential. This results in an increasing complexity of these devices, which also increases the attack surface of the equipment. Vendors of medical devices put a lot of effort into safety. This is especially true for devices with feedback to the patient, e.g. medical pumps, diagnostic systems and anesthesia machines. However, it is often forgotten that the security of these devices is a crucial part of providing safety as well. An attacker who is able to gain unauthorized access to these devices may be able to endanger the health of patients. We decided to take a look at a few devices that are deployed in many major German hospitals and probably in hospitals around the world. We focus on the security of these devices and the impact on the patient's safety. The results will be presented in this talk.
Florian Grunow holds a Bachelor's degree in Medical Computer Sciences and a Master's degree in Software Engineering. He used to work in hospitals and got an inside view of what the daily work of healthcare professionals dealing with IT looks like. He now works as a Security Analyst at ERNW in Heidelberg, Germany, with a focus on application security.
Prism Break – The Value Of Online Identities.
Online opinion making, blogging and journalism have developed a considerable market potential and turned into a source of revenue. With that, online identities themselves have become valuable assets to possess – and thus targets for theft and fraud. At the same time internet users willingly share detailed private data on social platforms, resulting in in-depth profiling and potential misuse.
This non-technical talk illustrates in an easily comprehensible way the value of online identities in our modern, internet-reliant society. It explains how information is processed, used and analyzed by internet platforms and how this opens vulnerabilities or enables fraudulent misuse. The final aim of the talk is to enable the audience to better evaluate #Neuland's territory, in which Prism, search engines, clouds and big data exist next door.
Frank Ackermann, Senior Security Professional, lives in Düsseldorf/Germany. He has been working in the field of IT & Information Security for over 13 years and is a CISSP, security researcher and analyst.
'Security is not my job – it is my passion.'
Auditing Virtual Appliances - An Untapped Source Of 0-days
In the past, auditing appliances was like auditing embedded devices: hard to come by, hard to crack open. Since most appliances are now provided in a virtual form factor, they can be easily analyzed. Yet from a security point of view they are still not much different from embedded devices.
This talk will discuss the process from getting a root shell on an appliance and assessing the general system hardening posture to finding exploitable vulnerabilities. The state of the art in application security is discussed based on vulnerabilities in security appliances from F5, Symantec, Sophos and the like. It will be demonstrated that appliances can be the weakest link in a network and cause a huge headache for incident responders.
Stefan Viehböck is a security researcher/consultant with a strong focus on application security. While he spent some time reverse engineering embedded devices (MIPS/ARM) in the past, he has now moved on to large enterprise appliances. Stefan has discovered numerous vulnerabilities in software products. These include critical vulnerabilities in products from companies like: Barracuda Networks, F5, Siemens, Symantec, Telekom Austria and Vodafone. He has also found a flaw in the Wi-Fi Protected Setup (WPS) specification that enables a very powerful brute force attack on the WPS PIN. All major Wi-Fi router vendors are/were affected.
Hack The Gibson: Exploiting Supercomputers
We have had the luxury of spending a good amount of time looking at the security of supercomputers.
This presentation will cover our research and demonstrate some of the most interesting and significant vulnerabilities we have uncovered so far. We will also be demonstrating exploits and previously undocumented attack techniques live so you can see how to get root on 20,000 nodes all at once.
The material we are covering affects the majority of the top 500 supercomputers. But even if you have never encountered a supercomputer before you'll be surprised how accessible and familiar many of the technologies are. The UNIX crowd amongst you will certainly enjoy seeing interesting exploits against large UNIX environments.
John Fitzpatrick heads up MWR InfoSecurity’s consultancy team in the UK. With over 7 years' experience in the industry he has had the opportunity to play around with and hack a whole bunch of different technologies. Currently settled on supercomputers, his past interests include VMware, BlackBerry, IPv6 and anything with a network interface. John has spoken at a number of security events.
Cracking And Analyzing Apple iCloud Protocols: iCloud Backups, Find My iPhone, Document Storage.
Apple iCloud was meant to improve flexibility and comfort when using your iDevices; however, it also provides opportunities to extract virtually everything about the user.
Backups: iCloud suggests backing up iMessage, SMS, photos and videos, device settings, documents, music and other things on the fly, which is useful for syncing or restoring in case your iDevice is lost or damaged. However, there is only one way to access iCloud backup data by organic means: you can only restore the backup onto one of your devices (linked to the same account) and, thus, only via a Wi-Fi connection. This technical limitation is presupposed by design. But now I can show you a method to simply download everything onto any desired computer at hand, provided that we have the Apple ID and password.
Find My iPhone: this application was meant to help you track your own iDevices geographically and should be available strictly to the user under his/her own Apple account. But there is a way to get the geo-location data having neither an Apple device tethered to that account readily available nor access to the iCloud website. If the location services are switched on, the geo-location of the device can be detected by sending a push request (there will be an arrow indicator in the upper right corner of the target device's screen) and getting the requested coordinates. Then, the received positioning data can be applied to any map you prefer (incl. Google Maps or any other map).
Storage: apart from backups, iCloud can store iTunes contents, photo stream, contacts, iWork documents, application files and more, which can be accessed either from any device signed up to the account or from icloud.com/iwork. However, not all information can be accessed from the iCloud webpage. For example, some application files (e.g. data generated by SoundHound) you may have on your iPad - or whatever - won't be seen from icloud.com/iwork. Our technological analysis allowed us to make it possible to access and download all storage information, including third-party application files, on the fly, even without launching a work session in iCloud.
Conclusion: iCloud stores large amounts of information. Before now, access to this info was restricted either by the necessity of having an iDevice available or by using the Internet and a web browser (knowing the Apple ID and password is required). Now that I have reverse-engineered the Apple iCloud communication protocols, we can suggest an alternative technology to reach and download iCloud data and its changes in standalone mode.
Vladimir Katalov is CEO, co-founder and co-owner of ElcomSoft Co. Ltd. Born in 1969, he grew up in Moscow, Russia. He studied Applied Mathematics at Moscow's Engineering-Physics Institute (State University); from 1987 to 1989 he was a sergeant in the Soviet Army. Vladimir has worked at ElcomSoft from its very beginning (1990) until now. In 1997, he created the first program in the password recovery software line: Advanced ZIP Password Recovery. Now he coordinates the software development process inside the company and constantly questions newly appearing security tools and services.
Vladimir manages all technical research and product development in the company. He regularly presents at various events and also regularly runs security and computer forensics trainings both for foreign and domestic (Russian) computer investigative committees and other law enforcement organizations.
Vladimir regularly visits various IT security-related events, conferences and trainings all over the world. He has shared his expertise through dozens of conference sessions. Here is an incomplete list of the events: TechnoSecurity, BlackHat, CEIC, Infosecurity (Europe, Russia, Japan), IT Security Area (it-sa), European Police Congress, e-Crime, Troopers, EuroForensics, FT-Day, China Computer Forensic Conference, CanSecWest, CrimeLab, Forensics Europe Expo, Interpolitex...
The Economics Of False Positives
The topic of false positives within IDS, in fact within any computer-related field, has been discussed from a technical perspective on a number of occasions. It is true that abuse of false positives could be used to perform denial of service (DoS) attacks, and also that they can be weaponised and used as an attack vector. My brother in arms Finux even recently discussed how false positives can be used to enumerate an IDS system. This is all great, but the problem is that this rarely (never?) translates into the facts and figures that management require in order to decide that false positives are indeed a problem that has a tangible cost impact on the business.
As it stands, the only people talking figures are the sales staff of IDS vendors, and the figure they like to talk about is throughput. According to one vendor site, the question (and it seems, the ONLY question) is finding an IPS appliance with exactly the right throughput for your network. We, as defenders, then ask why management are basing buying decisions on same said throughput figures and not the scary, uber-technical jargon we give them.
Well, now it's time to harden up and give management what they want, so ultimately we can get our own way. This talk will bridge the gap between all of us 'geek' types (a group of which I am firmly a member) and the aforementioned management types (a group which people seem to think I belong in!).
Taking false positive figures from a number of real business entities ranging in size and business area (don't worry, they're anonymised), the aim of this talk is to arm my fellow hackers and testers with the knowledge and, more importantly, the language to put a case forward to the powers that hold the purse strings within our business and ask: 'Can I have X amount of budget to mitigate our false positive problem that is costing Y?'
Gavin ‘Jac0byterebel’ Ewan is a ranty, shouty, sweary Scottish hacker.
After selling lots of things to lots of people, he decided to get firmly into the field of information security, always having been a geek at heart.
Educated in psychology and economics, Gavin spends his time debunking social engineering myths (the psychology bit) and working out ways to sell infosec to management types (the economics bit).
Already a successful speaker, Gavin has delivered talks worldwide to various audiences.
Uncovering Your Trails. Privacy Issues Of Bluetooth Devices.
Bluetooth devices are ubiquitous. However, until recently, there were no tools to perform Bluetooth wardriving. Considering that each cell phone usually identifies one person and that the position of these devices can be stored, it is possible to extract and visualize people's behavior. Most people are not aware that their Bluetooth device makes it easy to abuse their privacy. A new tool called Bluedriving is presented to capture and store the position and information of Bluetooth devices. The devices can be visualized on a map and different alerts can be used to follow people in the street. We present the tool along with a large capture dataset and a deep privacy analysis. We conclude that it is possible to follow people using their Bluetooth device.
Veronica Valeros is one of the founders of the MatesLab Hackerspace, the first hackerspace in Mar del Plata, Argentina. She is currently based in the Czech Republic. Her passion lies in information security and privacy, Python programming, network analysis, lockpicking and traveling. Her work is now focused on malware research and anomaly detection.
Sebastián García is co-founder of the MatesLab Hackerspace in Argentina and a PhD student at UNICEN University in Argentina and the ATG of CVUT University in the Czech Republic. His research interests include network-based botnet behavior detection, Bluetooth analysis, anomaly detection, penetration testing, honeypots, malware detection and keystroke dynamics. His recent projects focus on using unsupervised and semi-supervised machine learning techniques to detect botnets on large networks based on their behavioral models.
Pivoting In Amazon Clouds
From no access at all to the company's Amazon root account - this talk will teach attendees about the components used in cloud applications like EC2, SQS, IAM, RDS, meta-data, user-data and Celery, and how misconfigurations in each can be abused to gain access to operating systems, database information, application source code and Amazon’s services through its API.
The talk will follow a knowledgeable intruder from the first second after identifying a vulnerability in a cloud-deployed Web application through all the steps he takes to reach the root account for the Amazon user.
Except for the initial vulnerability, a classic remote file inclusion in a Web application which grants access to the front-end EC2 instance, all vulnerabilities and weaknesses exploited by this intruder are going to be cloud-specific.
The tools used by this intruder are going to be released after the talk and will provide the following features:
- Enumerate access to AWS services for the current IAM role
- Use a poorly configured IAM role to create a new AWS user
- Extract current AWS credentials from meta-data, .boto.cfg, environment variables, etc.
- Clone a DB to access information stored in a snapshot
- Inject a raw Celery task for a pickle attack
Andrés Riancho is an application security expert who currently leads the community-driven, Open Source w3af project and provides in-depth Web Application Penetration Testing services to companies around the world.
In the research field, he discovered critical vulnerabilities in IPS appliances from 3com and ISS, contributed to SAP research performed at one of his former employers and reported vulnerabilities in hundreds of web applications.
His main focus has always been the Web Application Security field, in which he developed w3af, a Web Application Attack and Audit Framework used extensively by penetration testers and security consultants. Andrés has spoken and held trainings at many security conferences around the globe, like PHDays (Moscow), SecTor (Toronto), OWASP (Poland), CONFidence (Poland), OWASP World C0n (USA), CanSecWest (Canada), T2 (Finland) and ekoparty (Buenos Aires).
Andrés founded Bonsai, a web security focused consultancy firm, in 2009 in order to further research into automated Web Application Vulnerability detection and exploitation.
Building The First Android IDS On Network Level
Being popular is not always a good thing, and here’s why. As mobile devices grow in popularity, so do the incentives for attackers. Mobile malware and threats are clearly on the rise, as attackers experiment with new business models by targeting mobile phones. Nowadays, several behavior-based malware analysis and detection techniques for mobile threats have been proposed for mobile devices. We'll show how we built a new detection framework that will be the first open source Android IDS on the network level.
This open source network-based intrusion detection system and network-based intrusion protection system has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks, featuring protocol analysis, content searching and content matching.
In IDS/IPS mode, the program will monitor network traffic and analyze it against a rule set defined by the user, and then perform a specific action based on what has been identified. With the help of custom-built signatures, the framework can also be used to detect probes or attacks designed for mobile devices, fool and cheat operating system fingerprinting attempts (like nmap or p0f), server message block probes, etc.
Jaime is a security researcher specialized in network protocols and technologies, with over ten years of experience in positions of consulting, risk management, secure network architectures and ethical hacking.
He works in the Security Operations Center (SOC) of a multinational telecommunications company, offering managed security services for IBEX35 companies. He is a frequent speaker and has given talks at conferences like Rootedcon, Nuit Du Hack, Blackhat Arsenal, Defcon or DerbyCon. He holds several security certifications, like CISA or CISM, and an Executive MBA.
Jaime is also a frequent contributor to several technical magazines in Spain featuring state-of-the-art attack and defense mechanisms, network security and general ethical hacking techniques.
Future Banking And Financial Attacks
Dark days for infosec may be ahead. Cyber attackers have only gotten more daring this decade, encouraged by the headline-generating successes of hacktivists and APTs. Now security professionals are scrambling to stay ahead, with organizations of all types operating in an environment where breaches are the expectation. Financial organizations are particularly at risk, as “doing it for the lulz” takes a backseat to international cyber warfare and digital organized crime. Attackers are going where the money is.
Konstantinos has specialized in hacking banking and financial applications for nearly a decade. Join him for a look at the most recent attacks that are surfacing, along with coming threats that financial organizations will likely have to contend with soon.
Here are the four major areas covered, with some example attacks in each:
Advanced User Enumeration and DDoS
Surprisingly few organizations go out of their way to protect user IDs. Attackers will soon be using this easily obtained information to perform sophisticated brute force attacks, massive account lockouts (a new DDoS), and diversionary attacks hiding other exploits.
Trading Turret and Timing Attacks
The past few years have shown that attackers are often hired to disrupt competitors. A look at local and network-based attacks that could cost competitors millions of dollars in milliseconds.
Internal User Attacks and APTs
Attackers are only beginning to fully exploit what it means to have an internal foothold in an organization. Future APTs will enable massive, simultaneous attacks on end user accounts and funds.
External User Attacks and MitE
New breeds of malware will allow for complete fraudulent actions and theft to occur right on the victim’s machine. Forget about sniffing passwords and traffic; attackers will increasingly focus on transfers occurring right from trusted sessions and IP addresses via Man in the Endpoint attacks.
Konstantinos Karagiannis is the Practice Technical Lead for Ethical Hacking in BT Advise Assure. He has extensive experience performing application and network assessments and penetration tests, and specializes in financial applications. He has spoken at dozens of technical conferences around the world. Konstantinos began as a Physics major before finding his way into the world of hacking. He enjoys probing how everything works, from programs to particles.
Trusted Friend Attack: Guardian Angels Strike
In this talk we present our survey of the "forgot your password" functionality of fifty popular social networks and investigate the security of the password recovery mechanisms. We were able to compromise accounts on six social networks and block an account on one big social network due to the weaknesses in the password recovery feature and help from their untrained and naive support teams during the account recovery process.
In addition, we present a novel, practical and high severity attack on the password recovery feature of Facebook, which we call the Trusted Friend Attack (TFA). The term TFA was coined during our discussions with the Facebook Security Team. Trusted friends are also known as Guardian Angels. If a user wants to log in to a web service without remembering his password, usually an email containing a new password (or a password reset link) is sent to the user, enabling him to choose a new password for his account. A problem occurs when this user, along with his password, has lost access to the email account provided during registration. For that case, Facebook introduced a new feature called Trusted Friends, which allows account recovery based on the trust a user has in his friends.
The TFA exploits the victim's trust in his friend or friends (3 in total) to compromise his/her account, so it is very beneficial for the attacker to be on the victim's friends list as a starting point (though the attack is possible with low probability even if the attacker is not on the victim's friends list). There are two variants of the Trusted Friend(s) Attack: one involves only one attacker while the other requires three attackers. To show the applicability of our attack, we tested 250 Facebook accounts. We show how TFA can lead to a complete compromise of a user's Facebook account. This talk also describes the Chain Trusted Friend Attack (CTFA). In CTFA, the attacker makes a chain of hacked accounts in order to compromise more accounts.
The talk further demonstrates a highly practical Denial of Service (i.e., DoS of the trusted friends feature) due to a weakness in Facebook's password recovery procedure. Both attacks, i.e., TFA and DoS, can easily be launched against any Facebook user with knowledge of his username only, which is public information. We have responsibly reported all attacks to the respective security teams and they have acknowledged our work. In the end, we give some guidelines to social networks' users.
Ashar is a researcher at the Chair of Network & Data Security, Ruhr University Bochum, Germany, and is working towards his PhD. His name has been listed nine times in the Google Security Hall of Fame, the Twitter/Microsoft/Ebay/Adobe/Etsy/AT&T Security Pages, the Facebook White Hat list, etc.
Static Data Leak Prevention In SAP - The Next Generation Of DLP
Industrial espionage is an increasingly serious problem for many companies. Even minor data leakage can endanger a company's competitiveness, if data falls into the wrong hands.
This talk introduces a fundamentally new concept: Static Data Leak Prevention. While most DLP solutions analyze network traffic during runtime, S-DLP is designed to identify data leaks already during application development.
The code examples and data leaks presented are native to SAP environments.
Andreas Wiegenstein has been working as a professional SAP security consultant since 2003. He has performed countless SAP code audits and has been researching security defects specific to SAP / ABAP applications.
As CTO, he leads the CodeProfiler Research Labs at Virtual Forge, a team focusing on SAP/ABAP specific vulnerabilities and countermeasures.
Andreas has trained large companies and defense organizations on ABAP security. He is co-author of the first book on ABAP security (SAP Press 2009). He is also a member of BIZEC.org, the Business Security Community.
Malware Datamining And Attribution
Greg Hoglund explained at BlackHat 2010 that the development environments that malware authors use leave traces in the code which can be used to attribute malware to an individual or a group of individuals. Not with the precision of name, date of birth and address, but with evidence that an arrested suspect's computer can be analysed and compared with the "tool marks" on the collected malware sample.
Security consultant during daytime, malware researcher at nighttime. My latest claim to fame is the MART Project (Malware Analysts Research Tool), which is more like a collection of tools and procedures than a stand-alone application. MART allows a malware analyst to quickly analyse malware with a limited time and budget.
Mutually Assured Pwnage
"Cyberwar" has become a thing. (Never mind that no-one seems to really know what that thing really is.) Along with the militarisation of cyberspace - or shall we say: "the fifth domain of warfare" - there has been a flurry of attempts to draw analogies to other models of conflict. While this is understandable to a certain extent - What worked in the past may work again in the future, right? And let's not be so cynical here to speak about hammers and things that look like nails... -, it has in many cases only added to the confusion around an already confused subject. Exhibit A: the attempts to liken the brave new world of "cyberwar" to the good old Cold War days. Or bad old Cold War days, depending on how you look at it. In any case, there has been a proliferation of headlines such as "Cyberthreats: Welcome to the New Cold War". To what degree do such comparisons make sense though?
The presentation will take a critical look at what Cold War analogies can and cannot teach us about war in the 5th domain. It will discuss issues such as deterrence, arms control, international agreements, escalation, trust building measures, the role of state-actors and non-state actors, and more.
Karin Kosina, virtually known as "kyrah", has a background in both computer science and international relations. She worked for 10+ years in research and development before deciding to go into diplomacy. (Long story.) She wrote her master's thesis on "Wargames in the Fifth Domain", arguing that "cyberwar" is vastly over-hyped. She is now with the Federal Ministry of European and International Affairs. (It should be noted though that her presentation only reflects her private views and not those of the Republic of Austria.)
The Boomerang Effect – Using Session Puzzling To Attack Apps From The Backend
It's not as easy as it used to be.
Although applications without security flaws are still considered a fairy tale, the implementation of application security mechanisms is improving.
Authentication enforcement procedures, privilege enforcement layers, input validation mechanisms, web application firewalls and a wide variety of security controls have become an integral part of many applications.
This is where session puzzling and session race conditions (TSRC) come in.
These under-emphasized attack patterns are designed to allow both new and traditional attack vectors to bypass security mechanisms and attack the application from a trusted resource: the session attributes and database values – *locations that are rarely validated*.
Their detection process, however, was tedious, long, and in many cases, even arbitrary… until now.
The release of the Diviner project enhances the detection process, helping pen-testers to identify these exposures, bypass traditional security mechanisms, and justify the implementation of designated session variable overloading prevention mechanisms.
Shay Chen is the CTO of Hacktics, an advanced security center of Ernst & Young.
As a victim of the law of familiarity, a decade of exposure to common vulnerabilities was enough to shift his focus to abnormal hacking methodologies and new attack vectors.
He is also a prominent blogger and researcher, and is responsible for many security publications, including new application-level attacks, testing methodologies and open source projects.
As the co-author of the platforms "Diviner" and "WAVSEP" he was involved in the publication of several large-scale research studies in the field of automated security scanners.
Shay is an experienced speaker, has been instructing a variety of information security courses for the past 8 years, and has made multiple appearances at international conferences, including Blackhat, Hacktivity, AppSecUSA and others.
Europe In The Carna Botnet: Telnet's Threat To The Largest Economy
This presentation will showcase the latest analysis and the progress of industry collaboration on the problem of internet facing devices that have default credential logins through telnet. The Carna Botnet, which was used to perform the first-ever map of the Internet – Internet Census 2012 – highlighted a major information security concern with devices that allow default credential login from the Internet by default. For more information on the Internet Census 2012, please refer to the anonymous researcher’s paper.
A complete list of compromised devices that formed part of the Carna Botnet was obtained exclusively by Parth Shukla. This list is NOT publicly available from any source. This data was acquired directly from the anonymous researcher who performed the Internet Census. As confirmed by the researcher, AusCERT to date remains the only organization and researcher in the world that has the complete dataset. Relevant snippets of this data, however, have been provided to CERTs around the world in order to reduce the threat made explicit by the Carna Botnet.
This presentation at DeepSec will provide up-to-date analyses of all the different identifying information for each of the compromised devices that formed part of the Botnet. This detailed analysis will indicate the prevalence of easily-exploited vulnerabilities in different countries, regions and in the devices of different manufacturers. Therefore, what these security problems mean for DeepSec attendees, IT professionals and manufacturers around the world will be thoroughly examined.
The ultimate aim of this presentation is to continue to draw public awareness to the larger concerns for information security professionals worldwide and for the world’s largest economy of Europe. Hopefully, this awareness will persuade manufacturers and even local ISPs to collaborate and address this problem. The Carna Botnet reminds us all that there are numerous, simpler vulnerabilities at risk of exploitation and in need of immediate attention.
Parth Shukla is an Information Security Analyst in the Operations Centre at the Australian Computer Emergency Response Team (AusCERT). He specialises in providing analysis, monitoring threats and responding to member requests for incident handling. Parth has extensive experience working in the IT field over the past 8 years. He has worked for the University of Queensland (UQ) for a number of years taking on various positions. In addition to working as the Information Technology Support Officer at the UQ Library, he has also held a range of Research Assistant roles in various IT projects, and he has tutored both practical programming and other theoretical computer courses at both advanced and capstone levels for the School of Information Technology and Electrical Engineering (ITEE). Parth’s previous roles outside the University include working as a system administrator and a freelance website programmer. In terms of academics, he has excelled in his studies, being awarded the prestigious “UQ Excellence Scholarship”, which he maintained for the full 4 years.
While at AusCERT, Parth has been analysing the data of the Carna Botnet that he obtained exclusively from the anonymous researcher. He has provided relevant snippets of the datasets to CERTs around the world as well as relevant organisations within Australia. He has taken on the mission of spreading public awareness on the security implications of his research by conducting detailed region-specific analyses of the Carna Botnet at various conferences around the world. So far, Parth has presented at the following conferences: The Hackers Conference in Delhi, India; APNIC 36 in Xi’an, China; AusNOG 2013 in Sydney, Australia; Security on the Move Conference in Sydney, Australia; and AusCERT 2013 Conference at the Gold Coast, Australia. Parth has also been invited to present on the South American data for the Carna Botnet at BlackHat in Sao Paulo.
His presentation at DeepSec will cover exclusive and detailed never-before-presented content. Parth has been strongly interested in information security from the earliest days of his career. His passion for computer security covers a wide range of topics from botnet and malware analysis to network and infrastructure security. Outside work, Parth also runs his own small VM farm of servers at home as a hobby and for private research. His personal interests are far and wide, including physics, politics, religion, philosophy and cricket!
Top 10 Security Mistakes In Software
What are the most common mistakes made during the software development process which lead to security problems in the finished product?
In this talk, Peter af Geijerstam will present the top 10 issues leading to insecure software systems.
This talk is NOT about the technical aspects of buffer overflows, shell code or use-after-free vulnerabilities. It is about language- and OS-independent security-aspects such as design decisions, concepts, mistakes and bad luck.
If you are looking for in-depth technical security, this is not your talk. If you are a developer, curious about what you need to know about security, you should definitely attend. What you will learn: What should you as a developer be aware of? When should the alarm bells go off inside your head, saying "We need to think this over really carefully" or "I need to get an expert opinion on this"? How can you become an even better developer?
Peter af Geijerstam is a software developer who specializes in computer security. He has been doing software development for over 15 years and has experience from small businesses, large-scale telecom and computer security for government agencies. Peter believes in solving problems, not using any particular technology. He currently works as a software consultant for factor10 where he works to bring security-awareness to software developers. Peter is on twitter as @p4fg and blogs on http://www.shellcode.se
Using Memory, Filesystems And Runtime To App Pen iOS And Android
The whitehat presenter will unlock some of the mysteries of the iDevice and Android-device memory intrinsics, filesystem/process sandboxes, and the OO runtime by walking through the techniques, including common obfuscations.
The ethical attendee will learn how to take any popular, off-the-shelf mobile device (including ones that claim encrypted memory/flash) and transform it into a powerful tool that can be used to understand what risks can happen to the user/owner of that device.
Andre Gironda is an app pen-tester. He has been banging up iOS and Android apps for the Fortune 10 and their partners, along with Web Services and some webapps, using full-scope software security assessments for 2 years at HP after 4 years of freelance pen-testing and reverse engineering. He is a strong believer in the power of the individual to learn, unlearn, and re-learn code alongside debugging, hooking, and tracing techniques.
Mobile Fail: Cracking Open "Secure" Android Containers
We've known for some time that physical access to a device means game over. In response, we've begun to rely more and more on "secure" container applications to keep our private and company data secret. Whether you use LastPass to secure your passwords, or GOOD for Enterprise to make sure your company emails are safe and sound, this presentation will demonstrate that more often than not, the container isn't as secure as you think.
In this presentation I will discuss specific design flaws in the security of "secure" Applications that promise to keep your data / password and even company email safe and sound should the device fall into the wrong hands.
Chris John Riley is a senior penetration tester and part-time security researcher working for Raiffeisen Informatik Security Competence Center. With over 15 years of experience in various aspects of Information Technology, Chris now focuses full time on Information Security. Chris is one of the founders of the PTES (Penetration Testing Execution Standard), a regular conference attendee and avid blogger (blog.c22.cc), as well as being a regular contributor to the open-source Metasploit project and generally getting in trouble in some way or another. When not working to break one technology or another, Chris enjoys long walks in the woods, candle light dinners and talking far too much on the Eurotrash Security podcast.
Applied Crypto Hardening
T.B.A.
T.B.A.
Bypassing Security Controls With Mobile Devices
"We've got Mobile Device Management, BYOD is not a risk for us!" "Our proxy filters all outbound traffic, no one is getting a shell out ever!" Companies are putting a lot of faith in these security mechanisms to stop the threats to mobile devices. In this talk we put those big claims to the test and look at ways to bypass security restrictions on mobile devices. For example, we will see if that MDM that claims it can detect rooting/jailbreaking has ever heard of polymorphic code. And that proxy that stops all outbound traffic unless it's in the Internet Explorer process authenticated against the domain? Why not just send your shell back to an exploited mobile device in the environment and have it pass the shell out via SMS? Code examples of all the techniques used will be demoed live and released as additions to the author's Smartphone Pentest Framework.
Georgia Weidman is an experienced penetration tester, security researcher, and trainer. She holds a Master of Science degree in computer science, secure software engineering, and information security as well as holding Certified Ethical Hacker (CEH), Certified Information Systems Security Professional (CISSP), NIST 4011, and Offensive Security Certified Professional (OSCP) certifications. Her groundbreaking work in the field of smartphone exploitation has been featured in print and on television including MIT Technology Review, Ars Technica, PC World, Fox News and Global TV Canada. She has presented her research at conferences around the world including Shmoocon, Hacker Halted, Security Zone, and Bsides. Georgia has delivered highly technical security training at conferences, hacker spaces, and schools to excellent reviews. Building on her experience working in both the public and private sectors, Georgia founded Bulb Security LLC (http://www.bulbsecurity.com), a security consulting firm specializing in security assessments/penetration testing, security training, and research/development. She was awarded a DARPA Cyber Fast Track grant to continue her work in mobile device security.
Automation In Android & iOS Application Security Review
Mobile application hacking and its security is becoming a major concern in today’s world, especially with BYOD and users jailbreaking/rooting their devices. In the last few years we have seen a range of new attack vectors and methods of exploitation for these devices. Mobile applications are vulnerable to various sets of different attacks like local storage, user data harvesting, activity spying, unauthorized event injection, UI Jacking, Tab Jacking, traffic redirection, logical attacks, hard-coded keys and a few others. It is imperative to scan these applications before loading and launching.
Currently, scanning and vulnerability detection are two major issues for mobile applications. Attacking techniques and exploit delivery on different platforms are evolving, and protection is even tougher as code bases are different.
Amongst the mobile attacks, local storage is the key target for attacks which affect the security and privacy of the user. What we really need right now is an automated program to penetrate local storage of the most widely used mobile platforms (Android and iOS). Interestingly, the Android SDK provides an API which can be used to monitor file systems. On iOS, one needs to jailbreak a device to attack local storage. Along with the presentation, free tools (separate ones for Android and iOS) will be released. The Android tool uses the API to monitor the Android file system, while the iOS tool relies on OS features. A methodology to perform application penetration testing using the tools will be demonstrated, along with several different demonstrations of attacking local storage on both platforms.
The presentation will conclude with a list of interesting spots on Android and iOS for penetration testers to exploit local storage.
Hemil Shah, CISSP, CSSLP, ACP is the founder and Director of eSphere Security, a company that provides professional services in the security area. He is also on the advisory board at several security companies and a regular speaker/trainer at some of the best security conferences. He has published several tools and whitepapers and has given talks and lectures at numerous conferences including OWASP, HITB, HackCon, SyScan and NullCon. Hemil is an expert in Mobile Application Security, Application Security, researching new methodologies and training designs. He has performed more than 1000 security consulting assignments in the area of penetration testing, code review, web application assessment, security architecture review and Mobile application security review.
The Dark Side of the Internet
Darknets (aka "network telescopes") are used by security researchers as well as network and system engineers to gain information about traffic in a seemingly unused ("dark") address space of a network.
Due to the fact that the darknet has no active services or hosts, no legitimate packets should enter it.
Traffic to the darknet is thus caused, e.g., by malware or attackers that are scanning networks and trying to infect new hosts.
This talk will focus on the analysis of the information collected using the darknet as well as the setup used.
The motivation for the initial setup will be elaborated and results/statistics of the metadata and packet analysis presented.