Have you ever thought of hacking web applications for fun and profit? How about playing with authentic, award-winning bugs identified in some of the greatest companies? If that sounds like fun, join this workshop!

I will discuss bugs that I have found together with Michał Bentkowski in a number of bug bounty programs (including Google, Yahoo, Mozilla and others). This is a two-day BYOL workshop, so make sure to have your laptop with you.

You will be given a VMware image with a specially prepared environment to play with the bugs. What’s more, after the workshop is over, you are free to take it home and hack again, at whatever pace is best for you.

To get the most of this workshop basic knowledge of web application security is needed. You should also have ever used a proxy, such as Burp, or similar, to analyse or modify the traffic.

You will need a laptop with at least 4 GB RAM, 20 GB free hard drive space, USB and Ethernet ports, administrative access, ability to turn off AV/firewall and VMware Player installed.

IPv6 deployment is rising every single day; Specifically, according to the statistics and the trends of the Internet Society, “2013 marked the third straight year IPv6 use on the global Internet has doubled. If current trends continue, more than half of Internet users around the world will be IPv6-connected in less than 6 years.” At the same time, ARIN states that they are currently in phase four of their “IPv4 Countdown Plan”, while RIPE has reached its last /8 IPv4 address space quite some time ago. So, “this time it is for real”. Moreover, most of the Operating Systems, network and security devices (like firewalls, IDS, etc.) come with IPv6 pre-enabled. However, are we ready for the IPv6 era from a security perspective?
In this workshop, various attack methods that “exploit” IPv6 design and implementation security issues will be discussed. These issues, due to their nature, affect several modern and prestigious Operating Systems as well as network and security devices. Specifically, it will be explained and demonstrated how you can exploit IPv6-specific features for pen-testing IPv6 systems and networks. To this end, first, all the required theory regarding the changes that IPv6 brings with it and affects security will be presented. Then, it will be explained and demonstrated how to launch most of the known IPv6 attacks. Furthermore, some more advanced attacks will be presented, as well as ways of fuzzing the protocol implementation against various systems and security devices. For accomplishing our goals, a specific IPv6 pen-testing and security assessment tool written by the instructors will be provided. Finally, mitigation techniques to protect your IPv6 infrastructure from these attacks will also be discussed. At the end, two IPv6 Security challenges will be given to the attendees of the workshop to practice their IPv6 security skills: One for blue team members to get the experience of analysing real IPv6 attacks, and one for red team members to practice their IPv6 penetration testing skills.
Only by knowing the potential IPv6 security issues we shall be able to protect it effectively. The acquired knowledge will be valuable both to penetration testers who want to test IPv6 networks as well as to network and security engineers who want to protect effectively their IPv6 networks.

This two-day class helps you bootstrap into the areas of reverse engineering, vulnerability exploitation, operating system design, code optimization, and compiler design. It’s extremely rare to see any security conference where assembly language isn’t mentioned in someone’s slides. If you don’t known assembly, you’re missing out on a full understanding of what people are trying to tell you!

Once you’ve taken this class, it will open the door to all the other specialty areas that depend on assembly knowledge. And this is the first time this class is being offered focusing on 64 bit rather than 32 bit assembly! Although x86 has hundreds of special purpose instructions, students will be shown it is possible to read most programs by knowing only around 20-30 instructions and their variations.

25% of the time will be spent bootstrapping knowledge of fully OS-independent aspects of Intel architecture. 50% will be spent learning Windows tools and analysis of simple programs. The final 25% of time will be spent learning Linux tools for analysis. This distribution is partially due to Windows’ dominance of the marketplace, but also because the tools on Windows are more user-friendly than those on Linux, allowing for a more gradual introduction for the student.

PowerShell has changed the way how Windows is used, secured and also the way Windows is 0wned. It is an automation platform for everybody; developers, defenders and attackers. PowerShell provides easy access to almost everything in a Windows machine and network. It comes installed by default in modern versions of Windows. During a penetration test, it could be really helpful to use this powerful shell and scripting language for further attacks.
This training would help anyone who wants to know more about powershell from a security perspective. If you are a defender, you could learn how this attack vector can be used against a corporate environment. If you are a pen tester you would learn how to use powershell for pen testing in a windows environment. You will learn various techniques like privilege escalation, backdoors, keylogging, data exfiltration, dumping system secrets in plain, persistence, pivoting, in-memory code execution, using top sites as C&C, web shells, bots... the list goes on.
Learning how to use a target environment for your purpose is crucial in pen tests. Open source tools which help in achieving this would also be discussed including those written by the trainer. The training aims to bring PowerShell goodness to security professionals and includes hands-on in a lab environment and CTF like exercises. You would be able to write your own scripts for security testing after this training. This training aims to forever change how you pen test a Windows based environment.

Course Content
1. Introduction to PowerShell
2. Using ISE, help system, cmdlets and syntax of PowerShell
3. Writing simple PowerShell scripts
4. Functions, Objects, Pipeline, Jobs and Modules
5. Recon, Information Gathering and the likes - Tools written/integrated in powershell
6. Vulnerability Scanning and Analysis – Tools written/integrated in powershell
7. Exploitation – Usage with Metasploit
8. Post-Exploitation – What powershell is actually made for
9. Pivoting to other machines
10. Poshing the hashes™
11. PowerShell with Human Interface Devices
12. PowerShell for Web App Pen testing
13. Achieving Persistence
14. Owning other MS products – SQL Server, Exchange, AD etc.
15. Clearing Tracks
16. Quick System Audits with Powershell
17. Security controls available with PowerShell

Suricata is a high performance Network IDS, IPS, and Network Security Monitoring engine.  Open-source and owned by a community Suricata is managed by the non-profit foundation; the Open Information Security Foundation (OISF).  We are excited to offer, exclusively for DeepSec attendees, a unique opportunity to learn Suricata from the Suricata developers.  By attending this dynamic, hands-on learning event you will walk away with a great proficiency in Suricata's core technology, tips on troubleshoot, and an chance to bring your questions directly to Suricata's lead developers.

The DeepSec organisation team welcomes you to the DeepSec 2014 conference.

One of the most significant changes technology has wrought over the last decade is the current movement to use data and quantification as a means to better our everyday lives. In both our work life and leisure life, almost no aspect of modern life has escaped our desire to become better using evidence, data, and quantitative methods.

This talk discusses one method to help a Security Department build a better understanding of historically amorphous goals like "effectiveness, efficiency, secure, and risk" using data and models.

Address-Space Layout Randomization (ASLR) is a technique used to thwart attacks which relies on knowing the location of the target code or data. The effectiveness of ASLR hinges on the entirety of the address space layout remaining unknown to the attacker. Only executables compiled as Position Independent Executable (PIE) can
obtain the maximum protection from the ASLR technique since all the sections are loaded at random locations.

We have identified a security weakness on the implementation of the ASLR in GNU/Linux when the executable is PIE compiled. A PoC attack
is described to illustrate how the weakness can be exploited. Our attack bypasses the three most widely adopted and effective protection techniques: No-eXecutable bit (NX), address space layout randomization (ASLR) and stack smashing protector (SSP). A remote shell is got in less than one second.

Finally, after analyzing different mitigation alternatives we
conclude that a new ASLR design is needed. We propose an alternative to the current ASLR implementation which increases the effective entropy and removes the discovered weakness.

Cross-Site Scripting - `An epidemic` nowadays, developers' nightmare, but my love. This talk will present an unbreakable, context-specific (supports five common contexts i.e., HTML, script, attribute, URL and style), practical and easy to use XSS sanitizer. For HTML, script, attribute and style context, I only control 11 meta characters and for URL context, 3 regular expressions and `JOB DONE`.

But before telling you that 78,000+ recorded XSS attack attempts were unable to bypass the sanitizer in five common contexts ... this talk will present context-aware XSS attack methodology and then I will show how I leverage the attack methodology for the development of an unbreakable sanitizer. In fact, I will demonstrate that by looking at the context-specific attack methodology (e.g., XSS attack methodology related to `style` context is a four step process), even a child can code this sanitizer. I will also share the logs of 78K+ XSS attack attempts. The timing, mutation, script-less, browser quirks and Unicode tricks fail here.

Internet security is hard. TLS is almost impossible. Implementing TLS correctly in Java is "Nightmare!". This talk will show how a badly designed security API introduced over 15 years ago, combined with misleading documentation and developers unaware of security challenges, causes modern smartphone applications to be left exposed to Man-in-the-Middle attacks.

Mark Weatherford of the US Department of Homeland Security has stated “The lack of people with cyber security skills requires urgent attention. The DoHS can’t find enough people to hire”. The United Kingdom's National Audit Office has also stated “This shortage of ICT skills hampers the UK’s ability to protect itself in cyberspace and promote the use of the internet both now and in the future”.

It is evident that there is a world-wide cyber-security skills shortage but what can be done about it?

The University of Abertay Dundee in Scotland was the first university to offer an undergraduate “hacking” degree in the UK, starting in 2006. The course is now widely recognised in the UK as a vocational supplier of security testing graduates, with many of the graduates receiving several job offers before they've even completed the course.

This talk focuses on the experiences of running the course and examines how the cyber security skills shortage can be addressed. Some of the issues discussed will be: -

Academia; There are many degrees with titles sounding like they may be producing the correct graduates, however, does the content match the type of skills required?

Industry; What can the security industry do to influence the content of academic courses to enable the correct type of graduate to be produced?

The talk is a status report of BIOS-based hypervisor research.

The history of computers is full of underestimation: 640 kilobyte, 2-digit years, and 32-bit Internet addresses. IPv6 was invented to overcome the latter as well as to revise other drawbacks and security vulnerabilities of its predecessor IPv4. Initially considered the savior in terms of security because of its mandatory IPsec support, it turned out not to be the panacea it was thought to be. Outsourcing security to IPsec but eventually removing it as well as other design decisions led to a number of vulnerabilities. They range from the already known spoofing of answers to link-layer address requests to novel possibilities regarding node tracking. In an effort to fix them, a vast amount of updates have been introduced. This talks discusses security and privacy vulnerabilities with regard to IPv6 and their current countermeasures. Further, we focus on three remaining challenges for IPv6 security, namely address assignment and structure, securing local network discovery, and address selection for reconnaissance.

The Enhanced Mitigation Experience Toolkit (EMET) is an application developed
by Microsoft which adds an additional layer of security to applications to
prevent attackers exploiting vulnerabilities in them.

It can be used to globally enable system mitigation techniques such as Address
Space Layout Randomization (ASLR), Data Execution Prevention (DEP) or
Structured Exception Handler Overwrite Protection (SEHOP). In addition special
per-process protections can be added such as various
Return-Oriented-Programming (ROP) protections (LoadLibrary, MemProt, Caller,
SimExecFlow, StackPivot), Export Address Table Access Filtering (EAF and EAF+)
to prevent execution of shellcode, pre-allocations to defeat heap spraying and
kernel exploitation, additional randomization (bottom-up randomization and
mandatory ASLR) and advanced mitigations (deep hooks, anti detours and banned
functions) to prevent different types of attacks.

If an application supports DEP together with full ASLR the difficulty to write
a reliable exploit increases dramatically. The typical approach to defeat DEP
is to use ROP to disable it. ROP builds on the idea to return (or jump) to
small so-called gadgets (which are equal to already existing code from the
code-section which end with a return or jump instruction) to chain these
gadgets together to build new logic (like logic to disable DEP). If ASLR is
supported by all modules of the application this approach can't be applied
because the address of such gadgets is randomized by ASLR and thus unknown by
the attacker. In such a case the vulnerability must be turned into an
information disclosure vulnerability to first disclose an address to defeat
ASLR. Techniques to accomplish this (e.g. partial overwrites, overwriting the
length field of strings, ...) have already been discussed in the past and thus
will not be focus of this talk.

Instead further techniques will be discussed which can be used to bypass the
additional per-process protections of EMET. To apply these techniques a
vulnerability which allows code execution as well as leaking information (to
bypass ASLR) is required. These requirements are satisfied per default because
otherwise writing an exploit for a not-EMET protected application would be
impossible.

The aim of this talk is to demonstrate new and more reliable exploitation
techniques as well as discussing in which situations already existing
techniques can be applied in a reliable way.

An important approach of exploit developers is to write bypasses in a way that
they can easily be ported to other exploits. For example, if a technique
requires jumping to already existing code a dumb approach would be to build it
application specific. Instead the technique can be built on top of the EMET
library which gets injected into all protected applications and thus is a good
target to minimize work load because the code for the bypass must only be
written one time. To apply such techniques various methods to identify the
presence, retrieving the imagebase as well as the version of EMET will be
shown.

EMET also supports none memory corruption related protection techniques (like
Attack Surface Reduction ASR and certificate pinning), however these will not
be discussed during the talk because the focus of the talk is on memory
corruption exploitation (e.g. buffer overflows, use-after-free bugs, type
confusion attacks and so on).

All techniques are implemented and demonstrated in a real-world Firefox
exploit. Even if the vulnerability is older (we at SEC Consult don't want to
publish reliable working exploit code for applications which are still in-use
these days) it is a very interesting vulnerability to study and together with
a highly configurable exploit it's easy to see the different techniques in
action. The exploit works reliable against any Windows operating system
(Windows XP, Windows Vista, Windows 7, Windows 8, Server 2003, Server 2008,
Server 2012, ...), on 32-bit as well as on 64-bit architectures and is able to
bypass EMET in all versions (including EMET 4.1 and EMET 5.0) with all
protections enabled.

Microsoft as well as other vendors typically suggest as a workaround for new
memory corruption vulnerabilities to install EMET to protect the application.
The aim of the presentation is to show the audience that attackers can still
exploit such protected applications by using one of the many existing
techniques.

We at SEC Consult do not believe in putting additional security layers like
EMET, DEP, ASLR, application firewalls and so on on top of applications.
Rather we demand from software developers and especially from the software
industry itself to focus on secure software development instead of forcing
their customers to create a chain of security layers to protect their software
product.

Protections such as EMET, DEP and ASLR are useful to add an additional hurdle
for attackers but are not unbreakable.

Multicast Listener Discovery (MLD) and its successor, MLDv2, is a protocol of the IPv6 suite used by IPv6 routers for discovering multicast listeners on a directly attached link, much like IGMP is used in IPv4. Most of the modern Operating Systems (OS), like Windows, Linux and FreeBSD, not only come pre-configured with IPv6 enabled, but they also start-up by sending MLDv2 traffic, which is repeated periodically. Despite of the out-of-the-box usage of MLDv2, it is one of the IPv6 protocols that have not be studied yet to a suitable extent, especially as far as its potential security implications are concerned. These ones can vary from OS fingerprinting on the local-link by sniffing the wire passively, to amplified DoS attacks. In this presentation, we will first study and analyse the default behaviour of some of the most popular OS. During this study, we will examine whether the specific OS implementations conform to the security measures defined by the corresponding RFCs, and if not, what are the potential security implications. Then, by diving into the specifications of the protocol, we will discuss potential security issues related with the design of MLD and how they can be exploited by attackers. Finally, specific security mitigation techniques will be proposed to defend against them, which will allow us to to secure IPv6 networks to the best possible extend in the emerging IPv6 era. There will be demos and a tool release. ;-)

SECRETS: My talk is first and foremost about secrets.
Most people refer to data at rest or data in motion by the term "secrets". When we talk about secrets usually we mean data at rest or data in motion. There are effective measures to protect these data, one of which is encryption. As you write in CfP 2013: "..uses encryption, access control…". Concerning (IaaS-)clouds we have data IN EXECUTION. That is, the virtual image / virtual machine (VM) sent to the cloud provider is the secret to be protected. The problem is: this secret must execute on someone else's system. Of course, we cannot simply encrypt the VM and send it to the provider. Homomorphic encryption would be a solution to this problem but at the time of writing it is academic i.e. it is not ready (and secure enough) to be used in real systems. In my talk (and our project) I want to show that it is possible to protect secrets (VM of the cloud customer) running on the providers host system using Trusted Computing technology.
FAILURES: Root users (superusers) usually have full control over and full access to a system. In our case the root user at the cloud providers site has full access to the provider's host system. Thus he has full access to the guest image (i.e. the VM of the customer). What if root is doing wrong or malicious action? He could gain insight or manipulate the guest image. Here is potential failure. In my talk I want to show how to keep root users from failures.
VISIONS: In our project we were building a prototype to show that it is possible to build the proposed system. But the technical system is not enough. We need an "ecosystem" to bring our idea to real life. This is my vision: We have a trusted third party (I call it TTT trusted third tester) that vouches for a trustworthy (in that case thoroughly tested) system and publishes reference hash values to compare with the running system. The cloud customer can use these reference values plus attestation technology to check that a trustworthy system is running on the provider's host. Using so-called sealing technology the VM will be decrypted on the provider's site only if the provider's system matches the reference hashes.

There are still very few tools to defend against IPv6 related attacks. To improve this situation I wrote a plugin for Snort, the popular open source intrusion detection system. This plugin adds detection rules and a preprocessor for the Neighbor Discovery Protocol.
It is aimed at the detection of suspicious activity in local IPv6 networks and can detect misconfigured network elements, as well as malicious activities from attackers on the network.

As anyone probably knows nowadays spear-phishing is probably the most effective threat, and it is often used as a first step of most attacks. Even recent JP Morgan latest Chase data breach seems to be originated by a single employee (just one was enough!) who was targeted by a contextualized mail.Into this new scenario it is hence of paramount importance to consider the human factor into companies' risk analysis. However, is any company potentially vulnerable to these kind attacks? How is it possible to evaluate this risk through a specific vulnerability assessment?
These are the questions that we will try to address. Since 2010, when we presented our study about Cognitive Approach for Social Engineering at the DeepSec conference (https://deepsec.net/docs/Slides/2010/DeepSec_2010_Cognitive_approach_for_Social_Engineering.pdf), we are working on the extension of traditional security assessment, going beyond the technology and including the "Social" context. In these years we had the opportunity to work on this topic with several European big enterprises, allowing us to face the difficulties related to the impact of this kind of activities on the relational issues between employees and employer both from the ethical and legal points of view.
This experience allowed us to develop a specific methodology for performing Social Vulnerability Assessment (SVA), ensuring ethical respect for employees and legal compliance with European work regulations and standards. The legal constraints, which shape the limits of what these assessments can investigate, are quite cumbersome to understand, but we developed a good experience, especially into the Italian legal framework, which allows the execution of these studies. We now regularly perform Social Vulnerability Assessments into the enterprises as an integrated service.Using our methodology during these years, we performed about 15 Social Vulnerability Assessments in big enterprises with thousands of employees (a gross number of 10.000 people): this gave us a relevant first-hand sight on the real vulnerability of the enterprises against modern non-conventional security threats.
In this talk, we will share our experience, describing of we do Social Vulnerability Assessment, and will present an overview of the results collected so far. These results may actually help to understand which is the risk level related to spear-phishing attacks inside companies and some conclusions may be unexpected. 

Learn about network attack vectors that an adversary can use to control, and influence network traffic flows and exfiltrate data by exploiting network devices and protocols in the LAN, WAN and Cloud. Defensive methods and techniques for monitoring and protecting against the outlined attack vectors will be discussed. This presentation explores advanced methods and techniques that penetration testers, network engineers and security auditors need to understand about network infrastructure and protocols.
Strategies for attacking network infrastructure
Undocumented method for tunneling IPv6
Layer 3 LAN based MITM attack
Methods for exfiltrating data from the core network infrastructure including MPLS core network infrastructure
Router tricks that penetration testers need to know
Often over looked network trust relationships, integration, dependencies and interdependencies
Features hackers know about routers that need to be understood by auditors and network administrators.
Switch security the Achilles heel of networks everywhere and what to do about it.
Ensure that you know when someone is twisting and bending your network infrastructure to suit their purposes
Advanced service provider technologies that be utilized by an attacker to enable data exfiltration and WAN based
MITM attack vectors, manipulate and override routing paths

As a countermeasure against the famous Bleichenbacher attack on RSA based ciphersuites, all TLS RFCs starting
from RFC 2246 (TLS 1.0) propose “to treat incorrectly
formatted messages in a manner indistinguishable from
correctly formatted RSA blocks”. In this talk we show that this objective has not been achieved yet (cf. Table 1): We present four new Bleichenbacher side channels, and three successful Bleichenbacher attacks against the Java Secure Socket Extension (JSSE) SSL/TLS implementation and against hardware security appliances using the Cavium NITROX SSL accelerator chip. Three of these side channels are timing-based, and two of them provide the first timing-based Bleichenbacher attacks on SSL/TLS described in the literature. Our measurements confirmed that all these side channels are observable over a switched network, with timing differences between 1 and 23 microseconds. We were able to successfully recover the PreMasterSecret using three of the four side channels in a realistic measurement setup.

When gathering open source data and transforming it into actionable intelligence, it is critical to recognize that humans are not objective observers. Conscious and unconscious assumptions drive analysts' choices about which data to analyze and how much importance to ascribe to each resource. Furthermore, analysts' personal conceptual frameworks about reality and how the world works can undermine the process of objectively translating data into intelligence. These implicit assumptions, otherwise known as cognitive biases, can lead to missed data, skewed intelligence, illogical conclusions, and poor decision making. In this presentation I will illustrate some of the cognitive biases relevant to OSINT and what can be done about them.

Risk assessment should reflect the overall security knowledge and experience accumulated over the years in the company. This knowledge is company-specific, and applying it should not be dependent on/bound to any proprietary methodology, vendors and their products. Never-ending queset for the "best" tool or methodology is a futile exercise.
Existing commercial or free tools are (often) done by programmers, process/audit/compliance “gurus” and other people who were never managing security in a real company.
The consequence of which is that you'll spend 80% of your time on things which solve only 20% of your real security needs.

In the end it is you, the security specialist, who adds the most value to a risk assessment / threat modelling process for your company. The practical your risk management process supported with a custom-made tool is a vehicle through you can actually demostrate how to link security to business goals.

The presentation will demonstrate that it is quite easy to capture your overal security knowledge in a home-made, free-of-charge tool. The examples will be done by using a specific variant of open-source wiki.

IT Security is in a miserable state. The problems have been discussed again and again without advancing IT Security.

Discussing the key length of AES is necessary, but not the peak of IT Security, as long as users chose weak passwords, developers implement buffer overflows and vendors deliver faulty banana software.

IT Security research did not adapt well to the challenges of IT security. Instead of focusing on fields like man-machine interaction, perception of security by users and developers or political measures like producer's liability the same simple problems are discussed again and again.
This is not surprising, since Computer Science is a trivial science and only successful because it ignores hard problems like human behaviour.

This rant will give an overview about what's wrong in IT Security and Security Research. I will show you why cryptosystems really fail, what Psychology knows about security and what IT Sec has to do if it ever wants to break the current circle jerk and start generating more security.

1. Mobile SSL Failures
2. Failure to validate Certificate Authorities - Approximately 40 well-known apps
3. Failure to validate Certificate Hostnames - Approximately 40 well-known apps
4. Failure to encrypt at all - Tens of millions passwords and credit cards
5. Recent FTC settlement related to this topic
6. Review of why physical security isn't assured with mobile - Smudge attacks
   - No screen lock
   - Screen lock bypass - Creating invisible MitM attacks
   - Creating persistent MitM attacks
7. SSL Session caching exploit
8. A fool-proof defensive coding approach

We will discuss how prevalent SSL certificate validation failures are in very popular applications. We will show how some popular applications failed to encrypt traffic at all resulting in the leakage of tens of millions of users' data. We will cover recent U.S. Government penalties that companies who fail to protect data may be subject to. We will discuss a new attack, that is particular applicable to mobile and especially on the Android platform, which potentially allows for a persistent MitM attack that is undetectable on the device itself. Lastly, we will cover how organizations can implement a fool-proof method to protect themselves against this mistake.

As social networks have become an integral part of online user activity, a massive amount of personal information is readily available to such services. In an effort to hinder malicious individuals from compromising user accounts, high-value services have introduced two-factor authentication to prevent adversaries from compromising accounts using stolen credentials. Facebook has recently released a two-factor authentication mechanism, referred to as Social Authentication (SA), which requires users to identify some of their friends in randomly selected photos to be allowed access to their accounts.
In this work, we first studied the attack surface of social authentication, showing how any attacker can obtain the information needed to solve the challenges presented by Facebook. We implemented a proof-of-concept system that utilizes widely available face recognition software and cloud services, and evaluated it using real public data collected from Facebook. We have empirically calculated the probability of an attacker obtaining the information necessary to solve SA tests when relying on publicly accessible data as well as following a more active approach to gather restricted information, and we have then designed an automated attack able to break the SA, to demonstrate the feasibility of carrying out large-scale attacks against social authentication with minimal effort on behalf of an attacker.
We then revisited the Social Authentication concept and propose reSA, a two-factor authentication scheme that can be easily solved by humans but is robust against face-recognition software. Our core concept is to select photos in which state-of-the-art face-recognition software detects human faces, but cannot identify them due to certain characteristics. We implemented a web application that recreates the SA mechanism and conducted a user study that sheds light on user behavior regarding photo tagging, and demonstrated the strength of our approach against automated attacks.

I will talk about Open WhisperSystems iOS efforts, including a general overview of the protocols as well as specifics of the challenges and rewards of managing an active repository for open source iOS development.

APT - A buzzword which refuses to die. Lets have some fun with it, lets move it to powershell. This talk would focus on using powershell for Client Side Attacks.

Powershell is an ideal platform for client side attacks as it is available on all the Windows machines. We would see how easy and effective it is to use powershell for various client side attacks like drive-by-downloads, malicious attachments, Java applets, Human Interface Devices etc.

The payloads which would be used with these attacks include in-memory code execeution, dump passwords and system secretsin plain text, backdoors, keyloggers, moving to other systems, reverse shells etc.

The code used in the above talk will be released as open source. The talk would be full of live demonsrations.

Business executives make their strategic decisions and report on their performance based on the information provided by their Business Intelligence platforms. Therefore, how valuable could that information be for the company’s largest competitor? Even further, what if the consolidated, decision-making data has been compromised? What if an attacker has poisoned the system and changed the key indicators?
SAP BusinessObjects is used by thousands of companies world-wide and serves as the gold standard platform for Business Intelligence. In this presentation we will discuss our recent research on SAP BusinessObjects security.
Specifically, through several live demos, we will present techniques attackers may use to target and compromise an SAP BusinessObjects deployment and what you need to do in order to mitigate those risks.

At CanSecWest 2014 we presented the first prototype of Copernicus 2, a trustworthy BIOS capture system. It was undertaken specifically to combat our “Smite’em the Stealthy” PoC which can forge the BIOS collection results from all other systems (including our own Copernicus 1, the open source Flashrom, Intel Chipsec, etc). Copernicus 2 makes use of the open source Flicker project from Jon McCune of CMU which utilizes Intel Trusted Execution Technology in order to build a trustworthy environment from which to run our BIOS measurement code. We specifically chose TXT because it has the ability to disable System Management Interrupts (SMIs) effectively putting the SMM MitM, Smite’em, to sleep.

But if you’ve been following our work (specifically “Defeating Signed BIOS Enforcement” and “Setup for Failure: Defeating UEFI SecureBoot”) you will have seen that we have two other attacks where we leverage the ability to suppress SMIs to break into some BIOSes. Thus the Sandman cometh! We will explain how we could implement the PoC “Sandman” attack using the same infrastructure as Copernicus 2. We will also explain the caveats to both the secure function of Copernicus 2 and the ability of Sandman to attack a system. We will also cover how Copernicus 1 and 2 can check for the problems with BIOSes that make SMI-suppression attacks feasible, how to tell if you’re vulnerable, and what you may be able to do about it.

T.B.A.

In recent years many efforts have been invested in the detection of malicious mobile applications for Android operating systems. These efforts have been focused on dynamic analysis sandboxing based on complex, tedious and slow processes which explode the analysis of binary code. This research explores the potential of detecting malicious apps on Android platforms by analysing only the permissions of each apk. The key of the analysis introduced here is to improve the accuracy of detection by minimizing the ratio of false negative. This way it has been possible to propose a first stage approach that reduce the workload of traditional analysis by reducing the set of suspected applications. To obtain the results we have been working through a massive experimentation that has involved over 750 000 applications from different markets (Google Play, …). Exploding antimalware tools results, an automated analysis has allowed us to infer a very particular behavior in these malicious apps, modelled as a combination of specified permissions. This knowledge has allowed the usage of machine learning algorithms to determine if a given apps is suspected of being malicious or not. This preliminary analysis allows a significant reduction of the problem to be solved by traditional solutions, reducing, by extension, the time that runs until an apps is analyzed. In addition, the independence with code analysis permits to detect some malicious apps that cannot be detected by signature comparison.

The most of honeypot systems pretend that they are vulnerable or badly confirured systems in other to gather information about unkonwn attackers and the techniques they using during the attacks. In my research, I chaged this approach a little bit.

In my lecture I will share the result of my research which is about how to trap a botnet variant to collect valuable information directly for the bad guys. It is a kind of honeypot where the malware is allowed to run in a dedicate and carefully separated network (network sandboxing) to do its dirty job. The infected machine can communicate with the Command and Control (C&C) servers but the other network connections are absolutely just simulated. As a result of this “cheat”: the C&C servers and the bot think they have the ability to spread the spam emails. In real, all the messages, and any other network actions, are just emulated (not threaten the world) and the only result of their activities is that we will have all the spams and all the malware variants they try to spread during the champagnes.

With observation and monitoring a working botnets you can gain more knowledge and information about it. We will get everythink, not just the spam samples they are trying to send but, the C&C network they are using, and you are able to collect information about other victims (tipically, infected sites) which are used by the botnets. With this intel you can easily eliminate the damage of the botnet, and you could help others in the world – if you share the information with others. ☺
Most of the cases, a spam message has a link to somewhere but these links usually points not to the destination address directly but to a legitimate and (!)infected site to make the detection harder and the reaction slower. The spammers also use URL-sorter services to hide the real destination of the link. With analysing the spam messages (extract the link, follow the destination) we can disclosure the final destination, thus we can easily collect all the victim server URLs and all the malicious sort-links. With this information we can alert the victims and we can bolck the malicious addresses as well.

During the presentation we also walk through a quick guide how to set up a trap like this, which free tools can be used to handle the problem of the network sandboxing and the network service emulation.
I will also share the statistic result of the uses of this trap which can provide a real life information about the spam botnets and the activities of them. As a sneak peek: only (!)one spam bot can spread almost 800K message a week and each of them are a little bit different, but if we had all the spam messages and all the new malware variants at the same minute as it would start to spread, I think, we would be in a good position. This is the purpose of this research.


Educational value of the topic:
The audience will see:
- how a typically spam-bot works
- how the bad guys spread spam (advertising) messages and malicious files as well through the botnet
- how they spread the malware to keep the network alive and growing
- how often release a new polimorf version and how often release a realy new one
- which is the relation with spams and infected sites
- I will demonstrate, how to set up a trap, which free tools can be used in this project
- I will share the collected and summarized statistic data with audience about the activities of the bot (the current dataset was generated in 10 days but it is still working and available so, it is still growing)

Technical level of the topic:
It is likely every IT security professional (technical expert and manager as well) will understand what I am speaking about. The logic of the trapping concept is quite simple and the gaming with virtual machines is nowadays a kind of ordinary thing. The network sandboxing is also easily understandable.

This talk provides exclusive insights in the daily business of the national computer emergency response team (CERT) of Austria - CERT.at. One learns about what a national CERT really does, how it's done, and provides answers to questions like what is nationally relevant and what is not, how to find the most appropriate point of contact, or even how many people it takes. Hence this talk dives deep into the specific details even explaining the actually used tools - publicly available ones as well as homebrewn software.

Current methodology in nearly every organisation is to create data validation gates. But when an organisation implements a cloud-based strategy, these security-quality gates may inadvertently become bypassed or suppressed. This talk discusses a methodology to encapsulate the validation at the object level, thus allowing each object to have validated or sanitised data at any given point in time.

Two kinds of patterns will be discussed, a validated object pattern and a tokenised object pattern. Examples of use-cases will be detailed for the delegates.

Advantages and possible pitfalls of these patterns in security design will also be reviewed.

Examples will be given in several main programming languages.

Based on my work about antivirus evasion techniques (see link below), I started using antivirus evasion techniques for testing the effectivity of antivirus engines. I researched the internal functionality of antivirus products, especially the implementation of heuristics by sandboxing and emulation and succeeded in evasion of these.

A result of my research are tests, if a shellcode runs within a x86 emulation engine. One test works by encrypting the payload, which is recognized as malicious normally. When the payload is recognized by the antivirus software, chances are high, that x86 emulation was performed.
Further test techniques I developed are, for example:
- Windows API calls
- using enhanced CPU features, as FPU, MMX registers etc.
- 64bit payloads

At the time of this writing I developed 36 different techniques as proof of concept code and tested them against 8 different products. More techniques and engines are pending.
Together with documentation, papers and talks from other researchers, this gives a deeper understanding for the functionality of antivirus software and shows, where it is failing generally and in particular.

Number of mobile applications is rising and Android still holds large market share. As these numbers of applications grow, we need better tools to understand how applications work and to analyze them. There is always a question if we can trust
mobile applications to do only that they are allowed to do and if they are really secure when transmitting our personal
information to different servers. Sometimes when communication between mobile application and server is encrypted we
have hard time to decrypt it to understand how things actually work. So we need to find new method or even tools to make
our lives as security testers much easier and to achieve better results. In the presentation some runtime techniques will be
discussed and a tool will be presented that offers two approaches to analyze Android applications. Basic principle of first approach
is injecting small piece of code into APK and then connect to it and use Java Reflection to runtime modify value, call methods,
instantiate classes and create own scripts to automate work. This method is possible with little knowledge and it even works on
non-rooted Android devices. The second approach offers much the same functionality, but can be used without modifying an
application. It uses Dynamic Dalvik Instrumentation to inject code at runtime so that modifying of APK's isn't necessary. In this case
Android JNI is used to hook some methods and then to inject our code at runtime without modification of APK packages. And this
method is new method based on some research in this area lately. Tool is Java based and simple to use, but offers quite few new
possibilities for security engineers and pentesters and eases a process of analyzing mobile applications. It offers new possibilities to
see, evaluate or even change internal variables an in this way opens news horizon of evaluating security of mobile applications.
With help of this tool we can also create really simple cheating platform as a side effect and this will be demonstrated at the end.

The main purpose of the presentation is to show the audience how open-source tools can be used to develop an in-house automated Memory Forensics Solution, which has the capability to detect 'unknown' malware. I will show a demo of this solution, and how it can be used to find 'unknown' malware. This solution is based on my personal research. The idea is to spend 20 mins on the presentation piece and 10-15 minutes on the demo. Leaving 5-10 minutes on the Q&A.

I will start with a quick introduction to the concept of Unknown Malware, followed by recent trends in malware detection. The 'On-Host Forensics' is latest development, with tools like Mandiant Redline, Carbon Black, Bromium becoming popular. These tools provide 'Host Based' malware detection capabilities relying on Memory Forensics techniques.

Memory Forensics has been a traditional Incident response technique. With latest tools many of the Manual steps involved in Memory Analysis can be automated. Malware can be detected based on intelligence feeds or statistical analysis by 'On-host Forensics' tools.

While each of these tools have their strengths, I would like to show how open source tools like 'Volatility' can be utilized to extract memory fragments automatically and feed this data to an analytics engine. My analytics engine is based on SQL server, capable of processing data from 100s of machines simultaneously. In this POC solution, the clients send their Memory Analysis from Volatility every 30 minutes and the analytics engine processes data through automated jobs.

Approach one - Traditional way of finding malware, using Threat Intelligence and IOCs : I will simulate a Threat Intelligence feed, and show how my solution can be used to detect malware based on data received from OpenIOC or Cybox.

Approach Two - Finding Malware by benchmarking your environment: I will perform analysis on Memory fragments to identify changes on the hosts using Security Analytics Engine. The engine keeps track of changes on the host and identifies anomalies by comparing against last known state.

This will be followed by suggestions how such a solution can be deployed in an enterprise environment with the pros and cons.

I will end the presentation with sharing where Memory Forensics sits within the Security Analytics space today. And what can we expected from it in the future as Security Analytics Solutions mature.

The current security operations model is an alert-driven one. Alerts contain a snapshot of a moment in time and lack important context, making it difficult to qualify the true nature of an alert in a reasonable amount of time. On the other hand, narratives provide a more complete picture of what occurred and tell the story of what unfolded over a period of time. Ultimately, only the narrative provides the required context and detail to allow an organization to make an educated decision regarding whether or not incident response is required, and if so, at what level. This talk presents the Narrative-Driven Model for incident response.

Since Edward Snowden's revelations, no longer are only large corporations and conspiracy theorists interested in IT security: Security has gained popular interest and is discussed at the societal level. Not only the marketing and sales armies of European corporations, but also our politicians are now braced for action. There is no doubt that we are in the middle of a catastrophe, but are their plans going to help us? In order to understand which steps are now necessary on a political level, we should first understand how it could ever come this far.

This talk gives an introduction to the TLS protocol, basic understanding of cryptography and security principles which TLS relies on and surveys attacks and protocol flaws on TLS over the last two decades. Upcoming security and privacy enhancements to TLS will be discussed as well as mitigation of various attack vectors and upcoming TLS standards.