Speakers (preliminary) - DeepSec IDSC 2014 Europe

Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more

Dawid Czagan (Silesia Security Lab / Future Processing)

Have you ever thought of hacking web applications for fun and profit? How about playing with authentic, award-winning bugs identified in some of the greatest companies? If that sounds like fun, join this workshop!

I will discuss bugs that I have found together with Michał Bentkowski in a number of bug bounty programs (including Google, Yahoo, Mozilla and others). This is a two-day BYOL workshop, so make sure to have your laptop with you.

You will be given a VMware image with a specially prepared environment to play with the bugs. What’s more, after the workshop is over, you are free to take it home and hack again, at whatever pace is best for you.

To get the most out of this workshop, basic knowledge of web application security is needed. You should also have used a proxy, such as Burp or similar, to analyse or modify traffic.

You will need a laptop with at least 4 GB RAM, 20 GB free hard drive space, USB and Ethernet ports, administrative access, ability to turn off AV/firewall and VMware Player installed.

Dawid Czagan has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter, BlackBerry and other companies. Due to the severity of many bugs, he received numerous awards for his findings.

Dawid is founder and CEO at Silesia Security Lab, which delivers specialized security auditing services with a results-driven approach. He also works as Security Architect at Future Processing.

Dawid shares his bug hunting experience in his workshop entitled "Hacking web applications - case studies of award-winning bugs in Google, Yahoo, Mozilla and more". To find out about the latest in Dawid’s work, you are invited to visit his blog (https://silesiasecuritylab.com/blog) and follow him on Twitter

IPv6 Attacks and Defenses - A Hands-on Workshop

Enno Rey (ERNW GmbH)

IPv6 deployment is rising every single day. Specifically, according to the statistics and the trends of the Internet Society, “2013 marked the third straight year IPv6 use on the global Internet has doubled. If current trends continue, more than half of Internet users around the world will be IPv6-connected in less than 6 years.” At the same time, ARIN states that they are currently in phase four of their “IPv4 Countdown Plan”, while RIPE reached its last /8 IPv4 address space quite some time ago. So, “this time it is for real”. Moreover, most of the Operating Systems, network and security devices (like firewalls, IDS, etc.) come with IPv6 pre-enabled. However, are we ready for the IPv6 era from a security perspective?
In this workshop, various attack methods that “exploit” IPv6 design and implementation security issues will be discussed. These issues, due to their nature, affect several modern and prestigious Operating Systems as well as network and security devices. Specifically, it will be explained and demonstrated how you can exploit IPv6-specific features for pen-testing IPv6 systems and networks. To this end, first, all the required theory regarding the changes that IPv6 brings with it and that affect security will be presented. Then, it will be explained and demonstrated how to launch most of the known IPv6 attacks. Furthermore, some more advanced attacks will be presented, as well as ways of fuzzing the protocol implementation against various systems and security devices. For accomplishing our goals, a specific IPv6 pen-testing and security assessment tool written by the instructors will be provided. Finally, mitigation techniques to protect your IPv6 infrastructure from these attacks will also be discussed. At the end, two IPv6 Security challenges will be given to the attendees of the workshop to practice their IPv6 security skills: one for blue team members to get the experience of analysing real IPv6 attacks, and one for red team members to practice their IPv6 penetration testing skills.
Only by knowing the potential IPv6 security issues will we be able to protect IPv6 networks effectively. The acquired knowledge will be valuable both to penetration testers who want to test IPv6 networks and to network and security engineers who want to protect their IPv6 networks effectively.

Enno (@Enno_Insinuator) is a long-time network security geek who likes to explore devices and protocols, and to break flawed ones. He has been involved with IPv6 since 1999 and blogs about IPv6 security in all its flavors at http://www.insinuator.net/tag/ipv6/.

Antonios Atlasis (MPhil, PhD) has been an IT engineer for more than 20 years, and a developer and instructor in several Computer Science and Computer Security related fields. In recent years he has specialised in IT Security, working mainly as a penetration tester, incident handler and intrusion analyst. His latest security research focuses on IPv6, and some of his work has been presented at BlackHat Europe 2012, BlackHat Abu Dhabi 2012, and at the IPv6 Security Summit of Troopers 13 and Troopers 14, while the newest will be presented at BlackHat US 2014.

Understanding x86-64 Assembly for Reverse Engineering and Exploits

Xeno Kovah (MITRE)

This two-day class helps you bootstrap into the areas of reverse engineering, vulnerability exploitation, operating system design, code optimization, and compiler design. It’s extremely rare to see any security conference where assembly language isn’t mentioned in someone’s slides. If you don’t know assembly, you’re missing out on a full understanding of what people are trying to tell you!

Once you’ve taken this class, it will open the door to all the other specialty areas that depend on assembly knowledge. And this is the first time this class is being offered focusing on 64 bit rather than 32 bit assembly! Although x86 has hundreds of special purpose instructions, students will be shown it is possible to read most programs by knowing only around 20-30 instructions and their variations.

25% of the time will be spent bootstrapping knowledge of fully OS-independent aspects of Intel architecture. 50% will be spent learning Windows tools and analysis of simple programs. The final 25% of time will be spent learning Linux tools for analysis. This distribution is partially due to Windows’ dominance of the marketplace, but also because the tools on Windows are more user-friendly than those on Linux, allowing for a more gradual introduction for the student.

Xeno is currently the team lead for the 5-person BIOS Analysis for Detection of Advanced System Subversion (B.A.D.A.S.S.) project. This project has been responsible for finding and disclosing multiple BIOS exploits, bypassing signed BIOS update requirements, defeating Windows 8 and UEFI SecureBoot, and bypassing other security mechanisms such as the Trusted Computing Group “Static Root of Trust for Measurement.” On the predecessor project, Checkmate, he investigated kernel/userspace memory integrity verification & timing-based attestation. Both projects have a special emphasis on how to make it so that the measurement agent can't just be made to lie by an attacker. Xeno has presented at conferences such as BlackHat USA, ACM CCS, CanSecWest, IEEE S&P, PacSec, ToorCon, Hack.lu, NoSuchCon, SummerCon, and others. Xeno is also the founder of OpenSecurityTraining.info, and current leading contributor, having posted 8 days of classes on deep system security, with an additional 2 day class on Intel TXT (Trusted Execution Technology) to be added soon.

Powershell for Penetration Testers

Nikhil Mittal (Hacker)

PowerShell has changed the way Windows is used and secured, and also the way Windows is 0wned. It is an automation platform for everybody: developers, defenders and attackers. PowerShell provides easy access to almost everything in a Windows machine and network. It comes installed by default in modern versions of Windows. During a penetration test, it could be really helpful to use this powerful shell and scripting language for further attacks.
This training would help anyone who wants to know more about PowerShell from a security perspective. If you are a defender, you could learn how this attack vector can be used against a corporate environment. If you are a pen tester, you would learn how to use PowerShell for pen testing in a Windows environment. You will learn various techniques like privilege escalation, backdoors, keylogging, data exfiltration, dumping system secrets in plain, persistence, pivoting, in-memory code execution, using top sites as C&C, web shells, bots... the list goes on.
Learning how to use a target environment for your purpose is crucial in pen tests. Open source tools which help in achieving this would also be discussed including those written by the trainer. The training aims to bring PowerShell goodness to security professionals and includes hands-on in a lab environment and CTF like exercises. You would be able to write your own scripts for security testing after this training. This training aims to forever change how you pen test a Windows based environment.

Course Content
1. Introduction to PowerShell
2. Using ISE, help system, cmdlets and syntax of PowerShell
3. Writing simple PowerShell scripts
4. Functions, Objects, Pipeline, Jobs and Modules
5. Recon, Information Gathering and the likes - Tools written/integrated in powershell
6. Vulnerability Scanning and Analysis – Tools written/integrated in powershell
7. Exploitation – Usage with Metasploit
8. Post-Exploitation – What powershell is actually made for
9. Pivoting to other machines
10. Poshing the hashes™
11. PowerShell with Human Interface Devices
12. PowerShell for Web App Pen testing
13. Achieving Persistence
14. Owning other MS products – SQL Server, Exchange, AD etc.
15. Clearing Tracks
16. Quick System Audits with Powershell
17. Security controls available with PowerShell

Nikhil Mittal is a hacker, info sec researcher and enthusiast. His areas of interest include penetration testing, attack research, defence strategies and post exploitation research. He has 5+ years of experience in Penetration Testing for his clients, which include many global corporate giants.

He specializes in assessing security risks in secure environments which require novel attack vectors and an "out of the box" approach. He has worked extensively on using Human Interface Devices in Penetration Tests and PowerShell for post exploitation. He is the creator of Kautilya, a toolkit which makes it easy to use Human Interface Devices in penetration tests, and Nishang, a post exploitation framework in PowerShell. In his free time, Nikhil likes to do some vulnerability research and works on his projects.

Suricata Training Event

Victor Julien (Open Information Security Foundation)

Suricata is a high performance Network IDS, IPS, and Network Security Monitoring engine. Open-source and owned by a community, Suricata is managed by a non-profit foundation, the Open Information Security Foundation (OISF). We are excited to offer, exclusively for DeepSec attendees, a unique opportunity to learn Suricata from the Suricata developers. By attending this dynamic, hands-on learning event you will walk away with a great proficiency in Suricata's core technology, tips on troubleshooting, and a chance to bring your questions directly to Suricata's lead developers.

Victor has been active as a software developer in the infosec community for many years. He is the creator of the Vuurmuur firewall project and has been one of the developers of the Snort_inline IPS project. Victor has spent the last years doing contract development on Open Source security software, including significant additions to Snort. At the end of 2007 he started development on the OISF codebase, on which he now leads the development effort. Victor maintains a blog at http://www.inliniac.net/blog/ and uses Twitter at http://twitter.com/inliniac. Victor resides in Amsterdam, The Netherlands.

Welcome To DeepSec 2014

Michael Kafka & René Pfeiffer (DeepSec Organisation Team) (DeepSec)

The DeepSec organisation team welcomes you to the DeepSec 2014 conference.


Keynote: The Measured CSO

Alexander Hutton (IANS Research, "Systemically Important Financial Institution")

One of the most significant changes technology has wrought over the last decade is the current movement to use data and quantification as a means to better our everyday lives. In both our work life and leisure life, almost no aspect of modern life has escaped our desire to become better using evidence, data, and quantitative methods.

This talk discusses one method to help a Security Department build a better understanding of historically amorphous goals like "effectiveness, efficiency, secure, and risk" using data and models.

Alex Hutton is a big fan of trying to understand security and risk through metrics and models. Currently, Alex is a VP in Information Security for a "Systemically Important Financial Institution." A former principal for Research & Intelligence with the Verizon Business RISK Team, Alex also helped produce the Verizon Data Breach Investigation and Verizon's PCI Compliance report, was responsible for the VERIS data collection and analysis efforts, and developed information risk models for their Cybertrust services. Alex is a veteran of several security start-ups.

Alex likes risk and security so much, he spends his spare time working on projects and writing about the subject. Some of that work includes contributions to the Cloud Security Alliance documents, the ISM3 security management standard, and work with the Open Group Security Forum. Alex is a founding member of the Society of Information Risk Analysts (http://societyinforisk.org/), and blogs for their website and records a podcast for the membership. He also blogs at the New School of Information Security Blog (http://www.newschoolsecurity.com). Some of his earlier thoughts on risk can be found at the Riskanalys.is blog (http://www.riskanalys.is).

On the Effectiveness of Full-ASLR on 64-bit Linux

Hector Marco (Departamento de Informática de Sistemas y Computadores - Universitat Politècnica de València)

Address-Space Layout Randomization (ASLR) is a technique used to thwart attacks which rely on knowing the location of the target code or data. The effectiveness of ASLR hinges on the entirety of the address space layout remaining unknown to the attacker. Only executables compiled as Position Independent Executable (PIE) can obtain the maximum protection from the ASLR technique, since all the sections are loaded at random locations.

We have identified a security weakness in the implementation of ASLR in GNU/Linux when the executable is PIE compiled. A PoC attack is described to illustrate how the weakness can be exploited. Our attack bypasses the three most widely adopted and effective protection techniques: No-eXecutable bit (NX), address space layout randomization (ASLR) and stack smashing protector (SSP). A remote shell is obtained in less than one second.

Finally, after analyzing different mitigation alternatives, we conclude that a new ASLR design is needed. We propose an alternative to the current ASLR implementation which increases the effective entropy and removes the discovered weakness.

Hector Marco-Gisbert - http://hmarco.org
Ismael Ripoll Ripoll - http://personales.upv.es/~iripoll/

Cyber-security research group at http://cybersecurity.upv.es/

A Tale of an Unbreakable, Context-specific XSS Sanitizer

Ashar Javed (Ruhr University Bochum)

Cross-Site Scripting - `An epidemic` nowadays, developers' nightmare, but my love. This talk will present an unbreakable, context-specific (supports five common contexts i.e., HTML, script, attribute, URL and style), practical and easy to use XSS sanitizer. For HTML, script, attribute and style context, I only control 11 meta characters and for URL context, 3 regular expressions and `JOB DONE`.

But before telling you that 78,000+ recorded XSS attack attempts were unable to bypass the sanitizer in five common contexts ... this talk will present context-aware XSS attack methodology and then I will show how I leverage the attack methodology for the development of an unbreakable sanitizer. In fact, I will demonstrate that by looking at the context-specific attack methodology (e.g., XSS attack methodology related to `style` context is a four step process), even a child can code this sanitizer. I will also share the logs of 78K+ XSS attack attempts. The timing, mutation, script-less, browser quirks and Unicode tricks fail here.

Ashar Javed is a research assistant at Ruhr University Bochum, Germany, and is working towards his PhD. He has been listed ten (`X`) times in Google Security Hall of Fame, Twitter/Microsoft/Ebay/Adobe/Etsy/AT&T Security Pages & Facebook White Hat. He has spoken at main security venues like Hack in the Box, DeepSec, OWASP Spain and OWASP Seminar@RSA Europe.

Java's SSLSocket: How Bad APIs Compromise Security

Dr. Georg Lukas (rt-solutions.de GmbH)

Internet security is hard. TLS is almost impossible. Implementing TLS correctly in Java is "Nightmare!". This talk will show how a badly designed security API introduced over 15 years ago, combined with misleading documentation and developers unaware of security challenges, causes modern smartphone applications to be left exposed to Man-in-the-Middle attacks.

Georg Lukas obtained his Ph.D. degree in 2012 in the context of wireless protocol design. Since then, he has been working as an IT security consultant at rt-solutions.de GmbH, based in Cologne.

Addressing the Skills Gap

Colin McLean (Abertay University, Dundee, Scotland)

Mark Weatherford of the US Department of Homeland Security has stated “The lack of people with cyber security skills requires urgent attention. The DoHS can’t find enough people to hire”. The United Kingdom's National Audit Office has also stated “This shortage of ICT skills hampers the UK’s ability to protect itself in cyberspace and promote the use of the internet both now and in the future”.

It is evident that there is a world-wide cyber-security skills shortage but what can be done about it?

The University of Abertay Dundee in Scotland was the first university to offer an undergraduate “hacking” degree in the UK, starting in 2006. The course is now widely recognised in the UK as a vocational supplier of security testing graduates, with many of the graduates receiving several job offers before they've even completed the course.

This talk focuses on the experiences of running the course and examines how the cyber security skills shortage can be addressed. Some of the issues discussed will be:

Academia: There are many degrees with titles sounding like they may be producing the correct graduates; however, does the content match the type of skills required?

Industry: What can the security industry do to influence the content of academic courses to enable the correct type of graduate to be produced?

Colin McLean is a lecturer in Computing at the University of Abertay Dundee in Scotland. In 2006, he developed what is believed to be the world’s first undergraduate degree with the word “Hacking” in the title. The BSc in Ethical Hacking at Abertay University in Dundee, Scotland has since become one of the main providers of graduates to the security testing industry in the UK.
Colin has been a lecturer at Abertay University for 23 years and has taught Robotics, Mechatronics, Computer Networking, Computer Programming and now Ethical Hacking. On the non-academic side, he has worked with NCR, R&D Dundee, Scotland on ATM security projects since 2005 and with various UK companies on security issues since around that time. He has previously talked at various security events including BSides London in 2011 and 2012, BruCon 2012, E-Crime Scotland Summit 2013 and BSides Lisbon in October 2013.

A Myth or Reality – BIOS-based Hypervisor Threat

Information Security Specialist

The talk is a status report of BIOS-based hypervisor research.

Our guest information security scientist is known for original works on Information Security Management and investigative style articles and presentations. He has a PhD in computer science and is a certified information security professional.

Safer Six - IPv6 Security in a Nutshell

Johanna Ullrich (SBA Research)

The history of computers is full of underestimation: 640 kilobytes, 2-digit years, and 32-bit Internet addresses. IPv6 was invented to overcome the latter as well as to revise other drawbacks and security vulnerabilities of its predecessor IPv4. Initially considered the savior in terms of security because of its mandatory IPsec support, it turned out not to be the panacea it was thought to be. Outsourcing security to IPsec but eventually removing it, as well as other design decisions, led to a number of vulnerabilities. They range from the already known spoofing of answers to link-layer address requests to novel possibilities regarding node tracking. In an effort to fix them, a vast number of updates have been introduced. This talk discusses security and privacy vulnerabilities with regard to IPv6 and their current countermeasures. Further, we focus on three remaining challenges for IPv6 security, namely address assignment and structure, securing local network discovery, and address selection for reconnaissance.

I received a BSc in electrical engineering and information technology in 2010, and an MSc degree in automation engineering in 2013, both from Vienna University of Technology. My diploma thesis has already focused on IPv6 compression in power line communication. At this time, I gained various merits for outstanding academic achievements. Currently, I am pursuing my Ph.D. at Vienna UT. Further, I am working for the research center for IT security SBA Research and teach students of different ages. My main research interests include network security, security in clouds, cyber-physical system security and any combination thereof.

Reliable EMET Exploitation

René Freingruber (SEC Consult Unternehmensberatung GmbH)

The Enhanced Mitigation Experience Toolkit (EMET) is an application developed
by Microsoft which adds an additional layer of security to applications to
prevent attackers exploiting vulnerabilities in them.

It can be used to globally enable system mitigation techniques such as Address
Space Layout Randomization (ASLR), Data Execution Prevention (DEP) or
Structured Exception Handler Overwrite Protection (SEHOP). In addition special
per-process protections can be added such as various
Return-Oriented-Programming (ROP) protections (LoadLibrary, MemProt, Caller,
SimExecFlow, StackPivot), Export Address Table Access Filtering (EAF and EAF+)
to prevent execution of shellcode, pre-allocations to defeat heap spraying and
kernel exploitation, additional randomization (bottom-up randomization and
mandatory ASLR) and advanced mitigations (deep hooks, anti detours and banned
functions) to prevent different types of attacks.

If an application supports DEP together with full ASLR the difficulty to write
a reliable exploit increases dramatically. The typical approach to defeat DEP
is to use ROP to disable it. ROP builds on the idea to return (or jump) to
small so-called gadgets (which are equal to already existing code from the
code-section which end with a return or jump instruction) to chain these
gadgets together to build new logic (like logic to disable DEP). If ASLR is
supported by all modules of the application this approach can't be applied
because the address of such gadgets is randomized by ASLR and thus unknown by
the attacker. In such a case the vulnerability must be turned into an
information disclosure vulnerability to first disclose an address to defeat
ASLR. Techniques to accomplish this (e.g. partial overwrites, overwriting the
length field of strings, ...) have already been discussed in the past and thus
will not be focus of this talk.

Instead further techniques will be discussed which can be used to bypass the
additional per-process protections of EMET. To apply these techniques a
vulnerability which allows code execution as well as leaking information (to
bypass ASLR) is required. These requirements are satisfied per default because
otherwise writing an exploit for a not-EMET protected application would be

The aim of this talk is to demonstrate new and more reliable exploitation
techniques as well as discussing in which situations already existing
techniques can be applied in a reliable way.

An important approach of exploit developers is to write bypasses in a way that
they can easily be ported to other exploits. For example, if a technique
requires jumping to already existing code a dumb approach would be to build it
application specific. Instead the technique can be built on top of the EMET
library which gets injected into all protected applications and thus is a good
target to minimize work load because the code for the bypass must only be
written one time. To apply such techniques various methods to identify the
presence, retrieving the imagebase as well as the version of EMET will be

EMET also supports non-memory-corruption-related protection techniques (like
Attack Surface Reduction (ASR) and certificate pinning), however these will not
be discussed during the talk because the focus of the talk is on memory
corruption exploitation (e.g. buffer overflows, use-after-free bugs, type
confusion attacks and so on).

All techniques are implemented and demonstrated in a real-world Firefox
exploit. Even if the vulnerability is older (we at SEC Consult don't want to
publish reliable working exploit code for applications which are still in-use
these days) it is a very interesting vulnerability to study and together with
a highly configurable exploit it's easy to see the different techniques in
action. The exploit works reliably against any Windows operating system
(Windows XP, Windows Vista, Windows 7, Windows 8, Server 2003, Server 2008,
Server 2012, ...), on 32-bit as well as on 64-bit architectures and is able to
bypass EMET in all versions (including EMET 4.1 and EMET 5.0) with all
protections enabled.

Microsoft as well as other vendors typically suggest as a workaround for new
memory corruption vulnerabilities to install EMET to protect the application.
The aim of the presentation is to show the audience that attackers can still
exploit such protected applications by using one of the many existing

We at SEC Consult do not believe in putting additional security layers like
EMET, DEP, ASLR, application firewalls and so on on top of applications.
Rather we demand from software developers and especially from the software
industry itself to focus on secure software development instead of forcing
their customers to create a chain of security layers to protect their software

Protections such as EMET, DEP and ASLR are useful to add an additional hurdle
for attackers but are not unbreakable.

René Freingruber has been working as a professional security consultant for SEC Consult for several years. He operates research in the fields of malware analysis, reverse engineering and exploit development. During his bachelor thesis he developed more than 700 exploits to study different mitigation techniques implemented by modern operating systems and how they can be bypassed by attackers.

MLD Considered Harmful - Breaking Another IPv6 Subprotocol

Enno Rey, Antonios Atlasis & Jayson Salazar (ERNW GmbH)

Multicast Listener Discovery (MLD), together with its successor MLDv2, is a protocol of the IPv6 suite used by IPv6 routers for discovering multicast listeners on a directly attached link, much like IGMP is used in IPv4. Most modern Operating Systems (OS), like Windows, Linux and FreeBSD, not only come pre-configured with IPv6 enabled, but they also start up by sending MLDv2 traffic, which is repeated periodically. Despite the out-of-the-box usage of MLDv2, it is one of the IPv6 protocols that has not yet been studied to a suitable extent, especially as far as its potential security implications are concerned. These can vary from OS fingerprinting on the local link by sniffing the wire passively, to amplified DoS attacks. In this presentation, we will first study and analyse the default behaviour of some of the most popular OS. During this study, we will examine whether the specific OS implementations conform to the security measures defined by the corresponding RFCs, and if not, what the potential security implications are. Then, by diving into the specifications of the protocol, we will discuss potential security issues related to the design of MLD and how they can be exploited by attackers. Finally, specific security mitigation techniques will be proposed to defend against them, which will allow us to secure IPv6 networks to the best possible extent in the emerging IPv6 era. There will be demos and a tool release. ;-)

Enno Rey (@Enno_Insinuator) is a long-term network security geek who loves to explore devices & protocols, and to break flawed ones. He has been involved with IPv6 since 1999.

Trusting Your Cloud Provider. Protecting Private Virtual Machines.

Armin Simma (Vorarlberg University of Applied Sciences, FHV)

SECRETS: My talk is first and foremost about secrets.
Most people refer to data at rest or data in motion by the term "secrets". When we talk about secrets usually we mean data at rest or data in motion. There are effective measures to protect these data, one of which is encryption. As you write in CfP 2013: "..uses encryption, access control…". Concerning (IaaS-)clouds we have data IN EXECUTION. That is, the virtual image / virtual machine (VM) sent to the cloud provider is the secret to be protected. The problem is: this secret must execute on someone else's system. Of course, we cannot simply encrypt the VM and send it to the provider. Homomorphic encryption would be a solution to this problem but at the time of writing it is academic, i.e. it is not ready (and secure enough) to be used in real systems. In my talk (and our project) I want to show that it is possible to protect secrets (the VM of the cloud customer) running on the provider's host system using Trusted Computing technology.
FAILURES: Root users (superusers) usually have full control over and full access to a system. In our case the root user at the cloud provider's site has full access to the provider's host system. Thus he has full access to the guest image (i.e. the VM of the customer). What if root performs a wrong or malicious action? He could gain insight into or manipulate the guest image. Here is a potential failure. In my talk I want to show how to keep root users from failures.
VISIONS: In our project we were building a prototype to show that it is possible to build the proposed system. But the technical system is not enough. We need an "ecosystem" to bring our idea to real life. This is my vision: We have a trusted third party (I call it TTT trusted third tester) that vouches for a trustworthy (in that case thoroughly tested) system and publishes reference hash values to compare with the running system. The cloud customer can use these reference values plus attestation technology to check that a trustworthy system is running on the provider's host. Using so-called sealing technology the VM will be decrypted on the provider's site only if the provider's system matches the reference hashes.

Studied computer science at University of Linz, Austria. After several stays abroad for gaining work experience I worked in two projects at CERN, Switzerland. Since 2001 lecturer at Vorarlberg University of Applied Sciences. Professor for IT Security since 2007. Research (and teaching) field is IT Security including the "surrounding" i.e. computer networking, operating systems, embedded systems.

The IPv6 Snort Plugin

Martin Schütte (DECK36)

There are still very few tools to defend against IPv6 related attacks. To improve this situation I wrote a plugin for Snort, the popular open source intrusion detection system. This plugin adds detection rules and a preprocessor for the Neighbor Discovery Protocol.
It is aimed at the detection of suspicious activity in local IPv6 networks and can detect misconfigured network elements, as well as malicious activities from attackers on the network.

Martin Schütte is a system administrator and contributor to different open source projects. He studied political science and computing science in Potsdam. He is currently working as a consultant for DECK36 in Hamburg.

An innovative and comprehensive Framework for Social Vulnerability Assessment

Enrico Frumento (CEFRIEL Center of Excellence for Innovation, Research and Education in the field of ICT)

As anyone probably knows, nowadays spear-phishing is probably the most effective threat, and it is often used as a first step of most attacks. Even the recent JP Morgan Chase data breach seems to have originated with a single employee (just one was enough!) who was targeted by a contextualized mail. In this new scenario it is hence of paramount importance to consider the human factor in companies' risk analysis. However, is any company potentially vulnerable to these kinds of attacks? How is it possible to evaluate this risk through a specific vulnerability assessment?
These are the questions that we will try to address. Since 2010, when we presented our study about Cognitive Approach for Social Engineering at the DeepSec conference (https://deepsec.net/docs/Slides/2010/DeepSec_2010_Cognitive_approach_for_Social_Engineering.pdf), we have been working on the extension of traditional security assessment, going beyond the technology and including the "Social" context. In these years we had the opportunity to work on this topic with several big European enterprises, allowing us to face the difficulties related to the impact of this kind of activity on the relational issues between employees and employer, both from the ethical and legal points of view.
This experience allowed us to develop a specific methodology for performing Social Vulnerability Assessment (SVA), ensuring ethical respect for employees and legal compliance with European work regulations and standards. The legal constraints, which shape the limits of what these assessments can investigate, are quite cumbersome to understand, but we gained good experience, especially within the Italian legal framework, which allows the execution of these studies. We now regularly perform Social Vulnerability Assessments in enterprises as an integrated service. Using our methodology during these years, we performed about 15 Social Vulnerability Assessments in big enterprises with thousands of employees (a gross number of 10.000 people): this gave us relevant first-hand insight into the real vulnerability of enterprises against modern non-conventional security threats.
In this talk, we will share our experience, describing how we do Social Vulnerability Assessment, and will present an overview of the results collected so far. These results may actually help to understand the risk level related to spear-phishing attacks inside companies, and some conclusions may be unexpected.

His research activity started at CEFRIEL (www.cefriel.com) in the field of e-health service and telemedicine systems, where he contributed most of his scientific production. Since 1998, he has moved his research interests towards wearable electronic systems and unconventional security. Thanks to his participation in several European projects and specialized task forces, he gained strong experience in the area of cyber-crime and unconventional security. He is currently working as a member of CEFRIEL’s security research team, which is continuing the innovation mission of the centre in the security area (bridging research to enterprises to help with their innovation needs). He currently contributes with his research on Secure Code Development, hacking/cracking techniques (Reverse Code Engineering and Code Hardening) and social engineering evolutions. Moreover, in collaboration with the CEFRIEL security team, he conducted several on-field Social Vulnerability Assessments with big enterprises. He is also a member of the DCC (Microsoft Digital Crime Community) and participates in the EECTF (European Electronic Crime Task Force).

Bending and Twisting Networks

Paul Coggin (Dynetics, Inc)

Learn about network attack vectors that an adversary can use to control and influence network traffic flows and exfiltrate data by exploiting network devices and protocols in the LAN, WAN and Cloud. Defensive methods and techniques for monitoring and protecting against the outlined attack vectors will be discussed. This presentation explores advanced methods and techniques that penetration testers, network engineers and security auditors need to understand about network infrastructure and protocols.
- Strategies for attacking network infrastructure
- Undocumented method for tunneling IPv6
- Layer 3 LAN based MITM attack
- Methods for exfiltrating data from the core network infrastructure including MPLS core network infrastructure
- Router tricks that penetration testers need to know
- Often overlooked network trust relationships, integration, dependencies and interdependencies
- Features hackers know about routers that need to be understood by auditors and network administrators
- Switch security, the Achilles heel of networks everywhere, and what to do about it
- Ensure that you know when someone is twisting and bending your network infrastructure to suit their purposes
- Advanced service provider technologies that can be utilized by an attacker to enable data exfiltration and WAN based MITM attack vectors, manipulate and override routing paths

Paul Coggin is an internetwork consulting solutions architect with Dynetics, a Huntsville, Ala.-based mid-tier company that provides complete lifecycle analysis, engineering, information technology and hardware solutions to support customer missions. Coggin is responsible for architecting and securing large complex tactical, critical infrastructure and service provider networks. His expertise includes tactical, service provider and ICS\SCADA network infrastructure hacker attacks, and defenses, as well as large complex network design and implementation. His experience includes leading network architecture reviews, vulnerability analysis, and penetration testing engagements for critical infrastructure and tactical networks. Coggin is a frequent speaker on cyber security offense and defense issues related to service provider and critical infrastructure. He has presented at conferences around the world.

He is a Cisco Systems Certified Instructor #32230, Certified EC-Council Instructor, and certified SCADA security architect. He has a bachelor’s degree in mathematics, a master’s in Computer Information Systems and a second MS in information assurance and security. He is currently pursuing a master's degree in systems management. In addition, he holds a wide array of certifications from Cisco, EC Council, ISC^2 and other computer security organizations.

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks

Juraj Somorovsky (3curity / Ruhr University Bochum)

As a countermeasure against the famous Bleichenbacher attack on RSA based ciphersuites, all TLS RFCs starting from RFC 2246 (TLS 1.0) propose “to treat incorrectly formatted messages in a manner indistinguishable from correctly formatted RSA blocks”. In this talk we show that this objective has not been achieved yet (cf. Table 1): We present four new Bleichenbacher side channels, and three successful Bleichenbacher attacks against the Java Secure Socket Extension (JSSE) SSL/TLS implementation and against hardware security appliances using the Cavium NITROX SSL accelerator chip. Three of these side channels are timing-based, and two of them provide the first timing-based Bleichenbacher attacks on SSL/TLS described in the literature. Our measurements confirmed that all these side channels are observable over a switched network, with timing differences between 1 and 23 microseconds. We were able to successfully recover the PreMasterSecret using three of the four side channels in a realistic measurement setup.

Dr.-Ing. Juraj Somorovsky finished his PhD in the area of XML Security in 2013. In his thesis „On the Insecurity of XML Security“ he analyzes various attacks on Web Services and presents practical countermeasures against these attacks, which were applied in XML Security specifications and in countless frameworks and applications. He presented his work at many scientific and industry conferences, including Usenix Security or OWASP Germany. Currently, he works as a Postdoc at the Chair for Network and Data Security, where he focuses his research on Web Security analysis and attacks, and teaches different security relevant subjects. In parallel, he works as a security specialist for his co-founded company 3curity GmbH.

Cognitive Bias and Critical Thinking in Open Source Intelligence (OSINT)

Benjamin Brown (Akamai Technologies)

When gathering open source data and transforming it into actionable intelligence, it is critical to recognize that humans are not objective observers. Conscious and unconscious assumptions drive analysts' choices about which data to analyze and how much importance to ascribe to each resource. Furthermore, analysts' personal conceptual frameworks about reality and how the world works can undermine the process of objectively translating data into intelligence. These implicit assumptions, otherwise known as cognitive biases, can lead to missed data, skewed intelligence, illogical conclusions, and poor decision making. In this presentation I will illustrate some of the cognitive biases relevant to OSINT and what can be done about them.

Benjamin Brown currently works on systems safety, adversarial resilience, and threat intelligence at Akamai Technologies. He has experience in non-profit, academia, and the corporate world as well as degrees in both Anthropology and International Studies. Research interests include the psychology, anthropology, and sociology of information security, threat actor profiling, and thinking about security as an ecology of complex systems.

Build Yourself a Risk Assessment Tool

Vlado Luknar (Orange Slovensko a.s. (France Telecom Orange Group))

Risk assessment should reflect the overall security knowledge and experience accumulated over the years in the company. This knowledge is company-specific, and applying it should not be dependent on/bound to any proprietary methodology, vendors and their products. The never-ending quest for the "best" tool or methodology is a futile exercise.
Existing commercial or free tools are (often) done by programmers, process/audit/compliance “gurus” and other people who were never managing security in a real company, the consequence of which is that you'll spend 80% of your time on things which solve only 20% of your real security needs.

In the end it is you, the security specialist, who adds the most value to a risk assessment / threat modelling process for your company. Your practical risk management process, supported with a custom-made tool, is a vehicle through which you can actually demonstrate how to link security to business goals.

The presentation will demonstrate that it is quite easy to capture your overall security knowledge in a home-made, free-of-charge tool. The examples will be done by using a specific variant of open-source wiki.

For the last fifteen years Chief Security Officer for Orange Slovakia, specializing in ISMS and risk assessment.
Before 1999 - at Digital Equipment, MBA in information systems, CISSP, CISM, CISA, ISO 27001 Lead Implementer, CSSLP.

Why IT Security Is Fucked Up And What We Can Do About It

Stefan Schumacher (Magdeburger Institut für Sicherheitsforschung)

IT Security is in a miserable state. The problems have been discussed again and again without advancing IT Security.

Discussing the key length of AES is necessary, but not the peak of IT Security, as long as users choose weak passwords, developers implement buffer overflows and vendors deliver faulty banana software.

IT Security research did not adapt well to the challenges of IT security. Instead of focusing on fields like man-machine interaction, perception of security by users and developers or political measures like producer's liability the same simple problems are discussed again and again.
This is not surprising, since Computer Science is a trivial science and only successful because it ignores hard problems like human behaviour.

This rant will give an overview about what's wrong in IT Security and Security Research. I will show you why cryptosystems really fail, what Psychology knows about security and what IT Sec has to do if it ever wants to break the current circle jerk and start generating more security.

Stefan Schumacher is head of the Magdeburger Institut für Sicherheitsforschung (Magdeburg Institute for Security Research) and currently running a research programme about the psychology of security. This includes social engineering, security awareness and qualitative research about the perception of security.

Mobile SSL Failures

Tony Trummer & Tushar Dalvi (LinkedIn)

  1. Mobile SSL Failures
  2. Failure to validate Certificate Authorities - Approximately 40 well-known apps
  3. Failure to validate Certificate Hostnames - Approximately 40 well-known apps
  4. Failure to encrypt at all - Tens of millions passwords and credit cards
  5. Recent FTC settlement related to this topic
  6. Review of why physical security isn't assured with mobile - Smudge attacks
    - No screen lock
    - Screen lock bypass - Creating invisible MitM attacks
    - Creating persistent MitM attacks
  7. SSL Session caching exploit
  8. A fool-proof defensive coding approach

We will discuss how prevalent SSL certificate validation failures are in very popular applications. We will show how some popular applications failed to encrypt traffic at all, resulting in the leakage of tens of millions of users' data. We will cover recent U.S. Government penalties that companies who fail to protect data may be subject to. We will discuss a new attack that is particularly applicable to mobile, especially on the Android platform, which potentially allows for a persistent MitM attack that is undetectable on the device itself. Lastly, we will cover how organizations can implement a fool-proof method to protect themselves against this mistake.

Tony has been working in the IT industry for nearly 20 years and has been focused on application security for the last 5 years. He is currently an in-house penetration tester for LinkedIn, running point on their mobile security initiatives. When he's not hacking, he enjoys thinking about astrophysics, playing devil's advocate and has been known to dust his skateboard off from time to time.

Tushar Dalvi is a security enthusiast, and currently works as a Senior Information Security Engineer at LinkedIn. He specializes in the area of application security, with a strong focus on vulnerability research and assessment of mobile applications. Previously, Tushar has worked as a security consultant at Foundstone Professional Services (McAfee) and as a Senior developer at ACI Worldwide.

Cyber Security Information Sharing

Oscar Serrano (NATO Communications and Information Agency)

Organizations operate increasingly in a coalition and federated environment and the necessity of relying on each other’s information systems in such an environment increases the need to exchange various types of cyber security information, such as data on vulnerabilities, threats and incidents at both the strategic and tactical levels. However, information sharing between partners remains a critical requirement that is only partly met by various approaches that do not deliver the required efficiency and effectiveness.
It is also becoming increasingly apparent that given the complexity of modern CIS and the speed at which cyber-attacks progress, there is a need to develop highly automated cyber security capabilities. The ideal responses in a number of current and future cyber-attack scenarios rely on the use of automated processes. Since automation is a function on a set of input data, the correctness of this input data is critical. Input data must therefore be both comprehensive and accurate. However, collecting and assuring the quality of the cyber security data required to support automation is a daunting task that few, if any, organisations can actually perform. In a coalition environment, it is necessary to pool expert resources in a burden-sharing arrangement to collect and assure cyber security data. It is also necessary to allow for the commercial outsourcing of this work.
This presentation introduces the main problems that organizations face when sharing Cyber Security information and proposes solutions that, once implemented, would enable the development of a comprehensive platform for Cyber Security information sharing.
The views expressed in this presentation are those of the presenter and do not reflect the official policy or position of NATO Communications and Information Agency, nor does it represent an endorsement of any kind.

Oscar Serrano holds PhD, master's and bachelor's degrees in Computer Engineering. He has worked for more than 12 years as a consultant and researcher for large international companies, including Telefonica, Vodafone, the Austrian Institute of Technology, Siemens and Eurojust. In August 2012, he joined the North Atlantic Treaty Organization (NATO) as senior scientist in the field of Cyber Security, where he supports NATO efforts to improve the cyber defence capabilities of the alliance.
His research interests include Cyber Security information sharing, detection of advanced threats, risk analysis and management, policy and governance development and cyber law.

Social Authentication: Vulnerabilities, Mitigations, and Redesign

Marco Lancini (CEFRIEL - Politecnico di Milano)

As social networks have become an integral part of online user activity, a massive amount of personal information is readily available to such services. In an effort to hinder malicious individuals from compromising user accounts, high-value services have introduced two-factor authentication to prevent adversaries from compromising accounts using stolen credentials. Facebook has recently released a two-factor authentication mechanism, referred to as Social Authentication (SA), which requires users to identify some of their friends in randomly selected photos to be allowed access to their accounts.
In this work, we first studied the attack surface of social authentication, showing how any attacker can obtain the information needed to solve the challenges presented by Facebook. We implemented a proof-of-concept system that utilizes widely available face recognition software and cloud services, and evaluated it using real public data collected from Facebook. We have empirically calculated the probability of an attacker obtaining the information necessary to solve SA tests when relying on publicly accessible data as well as following a more active approach to gather restricted information, and we have then designed an automated attack able to break the SA, to demonstrate the feasibility of carrying out large-scale attacks against social authentication with minimal effort on behalf of an attacker.
We then revisited the Social Authentication concept and propose reSA, a two-factor authentication scheme that can be easily solved by humans but is robust against face-recognition software. Our core concept is to select photos in which state-of-the-art face-recognition software detects human faces, but cannot identify them due to certain characteristics. We implemented a web application that recreates the SA mechanism and conducted a user study that sheds light on user behavior regarding photo tagging, and demonstrated the strength of our approach against automated attacks.

Marco Lancini has recently obtained an M.Sc. degree in Engineering of Computing Systems at Politecnico di Milano, where he was a member of the Computer Security Group, under advice from Prof. Stefano Zanero.

Since May 2013 he has been a Security Researcher and Consultant at CEFRIEL (ICT Center of Excellence For Research, Innovation, Education and Industrial Labs partnership), where he works across several aspects of computer security. His principal research interests are mobile security, privacy, and web applications' security.

TextSecure and RedPhone-bring them to iOS

Christine Corbett (Open WhisperSystems)

I will talk about Open WhisperSystems iOS efforts, including a general overview of the protocols as well as specifics of the challenges and rewards of managing an active repository for open source iOS development.

MIT educated, I'm an astrophysicist, software developer and cryptographer. Lead of iOS team at Open WhisperSystems.

Advanced Powershell Threat: Lethal Client Side Attacks using Powershell

Nikhil Mittal (Hacker)

APT - A buzzword which refuses to die. Let's have some fun with it, let's move it to powershell. This talk would focus on using powershell for Client Side Attacks.

Powershell is an ideal platform for client side attacks as it is available on all the Windows machines. We would see how easy and effective it is to use powershell for various client side attacks like drive-by-downloads, malicious attachments, Java applets, Human Interface Devices etc.

The payloads which would be used with these attacks include in-memory code execution, dumping passwords and system secrets in plain text, backdoors, keyloggers, moving to other systems, reverse shells etc.

The code used in the above talk will be released as open source. The talk would be full of live demonstrations.

Nikhil Mittal is a hacker, info sec researcher and enthusiast. His area of interest includes penetration testing, attack research, defence strategies and post exploitation research. He has 5+ years of experience in Penetration Testing for his clients which include many global corporate giants.

He specializes in assessing security risks at secure environments which require novel attack vectors and an "out of the box" approach. He has worked extensively on using Human Interface Devices in Penetration Tests and PowerShell for post exploitation. He is the creator of Kautilya, a toolkit which makes it easy to use Human Interface Devices in penetration tests, and Nishang, a post exploitation framework in powershell. In his free time, Nikhil does some vulnerability research and works on his projects. He has spoken/trained at conferences like Defcon, BlackHat USA, BlackHat Europe, RSA China, Troopers, PHDays, BlackHat Abu Dhabi, Hackfest and more.

SAP BusinessObjects Attacks: Espionage and Poisoning of Business Intelligence platforms

Juan Perez-Etchegoyen (Onapsis, Inc.)

Business executives make their strategic decisions and report on their performance based on the information provided by their Business Intelligence platforms. Therefore, how valuable could that information be for the company’s largest competitor? Even further, what if the consolidated, decision-making data has been compromised? What if an attacker has poisoned the system and changed the key indicators?
SAP BusinessObjects is used by thousands of companies world-wide and serves as the gold standard platform for Business Intelligence. In this presentation we will discuss our recent research on SAP BusinessObjects security.
Specifically, through several live demos, we will present techniques attackers may use to target and compromise an SAP BusinessObjects deployment and what you need to do in order to mitigate those risks.

Juan is the CTO of Onapsis, leading the Research & Development teams that keep the Company on the cutting edge of the ERP security industry. Juan is responsible for the design, research and development of Onapsis' innovative software solutions Onapsis X1 and Onapsis IPS, as well as the Company's future products.

Being the founder of the Onapsis Research Labs, Juan is actively involved in the coordination and research of critical security vulnerabilities in ERP systems and business-critical applications, such as SAP, Oracle and JD Edwards. He is also credited for being the first to present on advanced threats to Oracle JD Edwards applications, having discovered numerous critical vulnerabilities in this platform.

As a result of his innovative research work, Juan has been invited to deliver trainings and presentations at some of the most renowned security conferences in the world, such as BlackHat, OWASP and HackInTheBox, as well as to host private trainings for Global Fortune-100 organizations.

SENTER Sandman: Using Intel TXT to Attack BIOSes

Xeno Kovah (MITRE)

At CanSecWest 2014 we presented the first prototype of Copernicus 2, a trustworthy BIOS capture system. It was undertaken specifically to combat our “Smite’em the Stealthy” PoC which can forge the BIOS collection results from all other systems (including our own Copernicus 1, the open source Flashrom, Intel Chipsec, etc). Copernicus 2 makes use of the open source Flicker project from Jon McCune of CMU which utilizes Intel Trusted Execution Technology in order to build a trustworthy environment from which to run our BIOS measurement code. We specifically chose TXT because it has the ability to disable System Management Interrupts (SMIs) effectively putting the SMM MitM, Smite’em, to sleep.

But if you’ve been following our work (specifically “Defeating Signed BIOS Enforcement” and “Setup for Failure: Defeating UEFI SecureBoot”) you will have seen that we have two other attacks where we leverage the ability to suppress SMIs to break into some BIOSes. Thus the Sandman cometh! We will explain how we could implement the PoC “Sandman” attack using the same infrastructure as Copernicus 2. We will also explain the caveats to both the secure function of Copernicus 2 and the ability of Sandman to attack a system. We will also cover how Copernicus 1 and 2 can check for the problems with BIOSes that make SMI-suppression attacks feasible, how to tell if you’re vulnerable, and what you may be able to do about it.

Xeno Kovah leads a team of 5 researchers focusing on low level PC firmware and BIOS security. His specialty area is stealth malware and its ability to hide from security software and force security software to lie and report the system is clean when it is not. To combat such attacks he researches trusted computing systems that can provide much stronger guarantees than normal COTS. He is also the founder and lead contributor to OpenSecurityTraining.info, where he has posted 8 days of material on x86 assembly, architecture, binary formats, and rootkits.

Suricata Intrusion Detection

Victor Julien (Open Information Security Foundation)



The prime Suspect is the Butler cause he holds all the “Keys”

Sergio de los Santos (Head of Labs 11Paths) & Jesús Torres (Senior Developer)

In recent years many efforts have been invested in the detection of malicious mobile applications for Android operating systems. These efforts have been focused on dynamic analysis sandboxing based on complex, tedious and slow processes which exploit the analysis of binary code. This research explores the potential of detecting malicious apps on Android platforms by analysing only the permissions of each apk. The key of the analysis introduced here is to improve the accuracy of detection by minimizing the ratio of false negatives. This way it has been possible to propose a first-stage approach that reduces the workload of traditional analysis by reducing the set of suspected applications. To obtain the results we have been working through a massive experimentation that has involved over 750 000 applications from different markets (Google Play, …). Exploiting antimalware tools' results, an automated analysis has allowed us to infer a very particular behavior in these malicious apps, modelled as a combination of specified permissions. This knowledge has allowed the usage of machine learning algorithms to determine whether a given app is suspected of being malicious or not. This preliminary analysis allows a significant reduction of the problem to be solved by traditional solutions, reducing, by extension, the time that elapses until an app is analyzed. In addition, the independence from code analysis makes it possible to detect some malicious apps that cannot be detected by signature comparison.

Authors: Sergio de los Santos, Alfonso Muñoz, Antonio Guzmán and Chema Alonso
Speaker: Sergio de los Santos (Head of Labs 11Paths) & Jesús Torres (Senior Developer)

[Sergio de los Santos]
Currently head of labs 11 Paths, responsible for creating new projects, tools and prototypes. In the past (2005-2013), he has been Technical consultant in Hispasec (where VirusTotal was developed for 10 years), responsible for several services in the company (antifraud, vulnerabilities alert... mostly bank industry oriented), and responsible for the most veteran security newsletter in Spanish. Since 2000 he has worked as an auditor and technical coordinator in G2Security and Forzis Security solution, and as network administrator for a big network. He has an informatics degree, is a former CISA, former PCI Qualified Security Assessor, MVP Consumer security 2013 and 2014, and is a well-known speaker at conferences in Spain and a teacher of different courses, masters and lectures at universities and private companies.

[Jesús Torres]
Jesús Torres has a degree from Granada University. He works as a security developer at Eleven Paths, with tools related to Android. He has strong skills in big data analysis, databases and security based technology.

Trap a Spam-Bot for Fun and Profit

Attila Marosi (SophosLab, Senior Threat Researcher)

Most honeypot systems pretend that they are vulnerable or badly configured systems in order to gather information about unknown attackers and the techniques they use during the attacks. In my research, I changed this approach a little bit.

In my lecture I will share the result of my research, which is about how to trap a botnet variant to collect valuable information directly from the bad guys. It is a kind of honeypot where the malware is allowed to run in a dedicated and carefully separated network (network sandboxing) to do its dirty job. The infected machine can communicate with the Command and Control (C&C) servers but the other network connections are all just simulated. As a result of this “cheat”, the C&C servers and the bot think they have the ability to spread the spam emails. In reality, all the messages, and any other network actions, are just emulated (not threatening the world) and the only result of their activities is that we will have all the spam and all the malware variants they try to spread during the campaigns.

By observing and monitoring a working botnet you can gain more knowledge and information about it. We will get everything, not just the spam samples they are trying to send but also the C&C network they are using, and you are able to collect information about other victims (typically, infected sites) which are used by the botnets. With this intel you can easily eliminate the damage of the botnet, and you could help others in the world – if you share the information with others. ☺
In most cases, a spam message has a link to somewhere, but these links usually point not to the destination address directly but to a legitimate and (!)infected site to make the detection harder and the reaction slower. The spammers also use URL-shortener services to hide the real destination of the link. By analysing the spam messages (extract the link, follow the destination) we can disclose the final destination, thus we can easily collect all the victim server URLs and all the malicious short links. With this information we can alert the victims and we can block the malicious addresses as well.

During the presentation we also walk through a quick guide on how to set up a trap like this, and which free tools can be used to handle the problem of the network sandboxing and the network service emulation.
I will also share the statistical results of the use of this trap, which can provide real-life information about the spam botnets and their activities. As a sneak peek: only (!)one spam bot can spread almost 800K messages a week and each of them is a little bit different, but if we had all the spam messages and all the new malware variants at the same minute as they start to spread, I think, we would be in a good position. This is the purpose of this research.

Educational value of the topic:
The audience will see:
- how a typical spam bot works
- how the bad guys spread spam (advertising) messages and malicious files as well through the botnet
- how they spread the malware to keep the network alive and growing
- how often they release a new polymorphic version and how often they release a really new one
- what the relation is between spam and infected sites
- I will demonstrate how to set up a trap and which free tools can be used in this project
- I will share the collected and summarized statistical data with the audience about the activities of the bot (the current dataset was generated in 10 days, but it is still working and available, so it is still growing)

Technical level of the topic:
It is likely every IT security professional (technical expert and manager as well) will understand what I am speaking about. The logic of the trapping concept is quite simple and the gaming with virtual machines is nowadays a kind of ordinary thing. The network sandboxing is also easily understandable.

Attila Marosi has worked in the information security field since he started working. As a lieutenant on active duty he worked for almost a decade on special information security tasks occurring within the Special Service for National Security. After that he was transferred to the newly established GovCERT-Hungary, which is an additional national level in the internationally known system of CERT offices. Now he works for SophosLabs as a Senior Threat Researcher.
He has several international certificates such as CEH, ECSA, OSCP, OSCE. During his free time he also gives lectures and does some teaching on different levels; on top of that, for white hat hackers. He has presented at many security conferences including Hacker Halted, DeepSEC, AusCERT, Troopers, and Ethical Hacking.

CERT.at's Daily Business in a Nutshell

Christian Wojner, Alexander Riepl (cert.at)

This talk provides exclusive insights into the daily business of the national computer emergency response team (CERT) of Austria - CERT.at. One learns what a national CERT really does and how it's done, and gets answers to questions like what is nationally relevant and what is not, how to find the most appropriate point of contact, or even how many people it takes. Hence this talk dives deep into the specific details, even explaining the tools actually used - publicly available ones as well as homebrewed software.

Christian Wojner is one of the core team members of the national and governmental computer emergency response team of Austria (CERT.at). In this respect he is responsible for malware analysis, reverse engineering and forensic investigations on Microsoft Windows boxes. Furthermore, Christian is the author of various articles, technical papers and software tools, and frequently gives talks specifically focusing on malware analysis.

Alexander Riepl is a member of the actual incident handler team of the national and governmental computer emergency response team of Austria (CERT.at).

Cloud-based Data Validation patterns… We need a new approach!

Geoffrey Hill (Artis-Secure Ltd.)

Current methodology in nearly every organisation is to create data validation gates. But when an organisation implements a cloud-based strategy, these security-quality gates may inadvertently become bypassed or suppressed. This talk discusses a methodology to encapsulate the validation at the object level, thus allowing each object to have validated or sanitised data at any given point in time.

Two kinds of patterns will be discussed, a validated object pattern and a tokenised object pattern. Examples of use-cases will be detailed for the delegates.

Advantages and possible pitfalls of these patterns in security design will also be reviewed.

Examples will be given in several main programming languages.

Geoffrey Hill has been in the IT industry since 1990, when he developed and sold a C++ application to measure risk in the commodities markets in New York City.  Since then he has worked as a senior developer of quantitative finance applications in Nomura Finance (New York), Mitsukoshi Finance (Japan), Macquarie Finance (Australia) and NatWest Bank (UK).
From 2007 - 2011, Geoffrey was the custodian of the Security Development Lifecycle (SDL) initiative in the Services organization at Microsoft, with endorsement by the Microsoft Trustworthy Computing Initiative Group.  He was responsible for the Security Engineering of several high-profile Microsoft Services projects, including the British Telecom pay-per-view Vision service and the United Nations World Economic Forum Collaboration Service.
Geoffrey was recently employed by Cigital Inc., a company that specializes in incorporating secure engineering development frameworks into the software development lifecycles of client organizations.  He was leading the software security initiative at a major phone manufacturer and a major central European bank over the course of the last three years.

He is currently starting up his own security consulting company called Artis-Secure. It is focused on making security development frameworks better integrated with business processes.

As for hobbies… he's currently planning a massive fancy-dress gathering next year in an Irish castle.

Why Antivirus Software fails

Daniel Sauder

Based on my work on antivirus evasion techniques (see link below), I started using antivirus evasion techniques for testing the effectiveness of antivirus engines. I researched the internal functionality of antivirus products, especially the implementation of heuristics by sandboxing and emulation, and succeeded in evading these.

One result of my research is a set of tests for whether a shellcode runs within an x86 emulation engine. One test works by encrypting the payload, which is normally recognized as malicious. When the payload is recognized by the antivirus software, chances are high that x86 emulation was performed.
Further test techniques I developed are, for example:
- Windows API calls
- using enhanced CPU features, such as FPU, MMX registers etc.
- 64-bit payloads

At the time of this writing I have developed 36 different techniques as proof-of-concept code and tested them against 8 different products. More techniques and engines are pending.
Together with documentation, papers and talks from other researchers, this gives a deeper understanding of the functionality of antivirus software and shows where it is failing, generally and in particular.

Daniel Sauder, OSCP, SLAE, CCNA, CompTIA Security+ and MCP, has about 10 years of experience in the IT business. Currently working as a penetration tester with a focus on Web Application Testing, Mobile Application Testing and IT Infrastructure Testing, he also has a strong background in Windows, Linux and Network

Creating a kewl and simple Cheating Platform on Android

Milan Gabor & Danijel Grah (Viris)

The number of mobile applications is rising and Android still holds a large market share. As the number of applications grows, we need better tools to understand how applications work and to analyze them. There is always a question of whether we can trust mobile applications to do only what they are allowed to do, and whether they are really secure when transmitting our personal information to different servers. Sometimes, when communication between a mobile application and a server is encrypted, we have a hard time decrypting it to understand how things actually work. So we need to find new methods or even tools to make our lives as security testers much easier and to achieve better results. In the presentation some runtime techniques will be discussed and a tool will be presented that offers two approaches to analyzing Android applications. The basic principle of the first approach is injecting a small piece of code into the APK, then connecting to it and using Java Reflection to modify values at runtime, call methods, instantiate classes and create our own scripts to automate work. This method is possible with little knowledge and it even works on non-rooted Android devices. The second approach offers much the same functionality, but can be used without modifying an application. It uses Dynamic Dalvik Instrumentation to inject code at runtime so that modifying APKs isn't necessary. In this case Android JNI is used to hook some methods and then to inject our code at runtime without modification of APK packages. This method is a new method based on some recent research in this area. The tool is Java based and simple to use, but offers quite a few new possibilities for security engineers and pentesters and eases the process of analyzing mobile applications. It offers new possibilities to see, evaluate or even change internal variables, and in this way opens new horizons for evaluating the security of mobile applications. With the help of this tool we can also create a really simple cheating platform as a side effect, and this will be demonstrated at the end.

Milan Gabor is a Founder and CEO of Viris, a Slovenian company specialized in information security. He is a security professional, pen-tester and researcher. Milan is a distinguished and popular speaker on information security. He has previously been invited to speak at various events at different IT conferences in Slovenia and loves to talk to IT students at different universities. He also gives trainings on ethical hacking. He is always on the hunt for new and uncovered things and he really loves and enjoys his job.

Memory Forensics and Security Analytics : Detecting Unknown Malware

Fahad Ehsan (UBS AG)

The main purpose of the presentation is to show the audience how open-source tools can be used to develop an in-house automated Memory Forensics Solution, which has the capability to detect 'unknown' malware. I will show a demo of this solution, and how it can be used to find 'unknown' malware. This solution is based on my personal research. The idea is to spend 20 minutes on the presentation piece and 10-15 minutes on the demo, leaving 5-10 minutes for the Q&A.

I will start with a quick introduction to the concept of Unknown Malware, followed by recent trends in malware detection. 'On-Host Forensics' is the latest development, with tools like Mandiant Redline, Carbon Black and Bromium becoming popular. These tools provide 'Host Based' malware detection capabilities relying on Memory Forensics techniques.

Memory Forensics has been a traditional Incident Response technique. With the latest tools, many of the manual steps involved in Memory Analysis can be automated. Malware can be detected based on intelligence feeds or statistical analysis by 'On-host Forensics' tools.

While each of these tools has its strengths, I would like to show how open source tools like 'Volatility' can be utilized to extract memory fragments automatically and feed this data to an analytics engine. My analytics engine is based on SQL Server, capable of processing data from 100s of machines simultaneously. In this POC solution, the clients send their Memory Analysis from Volatility every 30 minutes and the analytics engine processes data through automated jobs.

Approach One - Traditional way of finding malware, using Threat Intelligence and IOCs: I will simulate a Threat Intelligence feed, and show how my solution can be used to detect malware based on data received from OpenIOC or Cybox.

Approach Two - Finding malware by benchmarking your environment: I will perform analysis on memory fragments to identify changes on the hosts using the Security Analytics Engine. The engine keeps track of changes on the host and identifies anomalies by comparing against the last known state.

This will be followed by suggestions on how such a solution can be deployed in an enterprise environment, with the pros and cons.

I will end the presentation by sharing where Memory Forensics sits within the Security Analytics space today, and what we can expect from it in the future as Security Analytics Solutions mature.

Fahad works with UBS AG, where he is a lead architect with the Security Analytics team. His other areas of expertise include Malware Reverse Engineering and Memory Forensics. He recently delivered a Vulnerability Management Platform, which is widely used within the Bank. Throughout his 7-year career, he has held various roles in Security Research & Engineering, Consultancy, SOC and C#/SQL dev teams.

Security Operations: Moving to a Narrative-Driven Model

Josh Goldfarb (FireEye)

The current security operations model is an alert-driven one. Alerts contain a snapshot of a moment in time and lack important context, making it difficult to qualify the true nature of an alert in a reasonable amount of time. On the other hand, narratives provide a more complete picture of what occurred and tell the story of what unfolded over a period of time. Ultimately, only the narrative provides the required context and detail to allow an organization to make an educated decision regarding whether or not incident response is required, and if so, at what level. This talk presents the Narrative-Driven Model for incident response.

Josh (Twitter: @ananalytical) is an experienced security analyst with over a decade of experience building, operating, and running Security Operations Centers (SOCs). Josh currently serves as the Chief Security Strategist of the Enterprise Forensics Group at FireEye. Until its acquisition by FireEye, Josh served as Chief Security Officer for nPulse Technologies. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.

Political Solutions to Technical Challenges

Linus Neumann (Chaos Computer Club e. V.)

Since Edward Snowden's revelations, no longer are only large corporations and conspiracy theorists interested in IT security: Security has gained popular interest and is discussed at the societal level. Not only the marketing and sales armies of European corporations, but also our politicians are now braced for action. There is no doubt that we are in the middle of a catastrophe, but are their plans going to help us? In order to understand which steps are now necessary on a political level, we should first understand how it could ever come this far.

Linus is a psychologist, cyclist, podcaster, blogger, anarchist, and hacker.
He is a proud member of the Chaos Computer Club, for which he does presswork and – from time to time – gives expert testimonies to the German government.
His professional focus is on mobile network insecurities.

Introduction to and survey of TLS Security

Aaron Zauner

This talk gives an introduction to the TLS protocol, basic understanding of cryptography and security principles which TLS relies on and surveys attacks and protocol flaws on TLS over the last two decades. Upcoming security and privacy enhancements to TLS will be discussed as well as mitigation of various attack vectors and upcoming TLS standards.