Speakers (preliminary) - DeepSec IDSC 2016 Europe
Deploying Secure Applications with TLS (closed)
Transport Layer Security (TLS) is the most important cryptographic protocol on the Internet. It is responsible for securing connections between browsers and web servers, or between web service peers. However, recent TLS history is full of new attacks, which makes it difficult to deploy applications securely.
In this training, we give an overview of the most important TLS attacks, and show how to detect these attacks with different tools. Afterwards, we present best practices to establish secure TLS connections.
- Short intro into crypto
- Internet protocol suite
- Secure TLS configuration
- Security evaluation with specific tools
The training is aimed at server administrators as well as penetration testers.
There are no specific prerequisites for this course. However, basic knowledge of server administration or basic crypto knowledge would be of advantage.
A laptop with a recent version of VirtualBox
Dr. Juraj Somorovsky is a security researcher at the Ruhr University Bochum, and co-founder of Hackmanit GmbH. He is a co-author of several TLS attacks (e.g., DROWN), and the main developer of a flexible tool for TLS analyses: TLS-Attacker (https://github.com/RUB-NDS/TLS-Attacker). He has presented his work at many scientific and industry conferences, including Usenix Security, Blackhat, DeepSec and OWASP Europe.
Do-It-Yourself Patching: Writing Your Own Micropatch (closed)
The current state of updating software, be it operating systems, applications or appliances, is arguably much better than it was a decade ago, but apparently not nearly good enough to keep even the most critical systems patched in a timely manner, or at all. Official vendor updates are cumbersome, costly to apply, even more costly to revert and prone to breaking things as they replace entire chunks of a product. Enterprises are therefore left with extensive and expensive testing of such updates before they dare to apply them in production, which gives attackers an endless supply of "n-day" vulnerabilities with published exploit code.
Furthermore, for various entirely rational reasons, many organizations are using products with no security updates such as old Java runtimes, Windows XP, or expensive industry systems that still work perfectly well but are not supported any more by their vendor.
Fortunately, there is a better way to approach vulnerability patching, one that not just minimizes the risk, hassle and costs, but also allows 3rd parties with no access to source code to write a patch. It’s called micropatching and it injects or replaces tiny fractions of machine code within the memory of a running process to patch a vulnerability. (Or, why not, a functional defect in your unsupported application.)
This two-day workshop will teach you how to create a 3rd party “unofficial” micropatch for various known vulnerabilities in popular Windows software. We will start with a proof-of-concept document that triggers a vulnerability, determine the type of vulnerability (buffer overflow, use-after-free, format string…), find its root cause, and finally create a micropatch for it, which we’ll apply using the 0patch Agent.
You will learn how to approach patching of different types of security flaws, how to find a suitable patching location, and how to test a micropatch.
Attendees should have experience with reading assembly language (ideally also reverse engineering) and have their own Windows laptops with the following software installed:
- Microsoft WinDbg 32bit version x.y.z (to be defined before the workshop)
- Adobe Reader DC version x.y.z (to be defined before the workshop)
- Foxit Reader version x.y.z (to be defined before the workshop)
- 0patch Agent for Windows version x.y.z (to be defined before the workshop)
- 0patch Factory version x.y.z (to be defined before the workshop)
But also do come if you happen to have a nasty functional defect in your expensive custom application that would cost you an arm and leg to update.
This workshop is suitable for security researchers, who will learn how to write micropatches for vulnerabilities they find, as well as for software vendors, who want to avoid the costly process of rebuilding, retesting and redeploying their product every time someone finds a vulnerability in it that could be fixed with a few machine instructions.
Mitja's last 15 years of career comprise co-leading a small security outfit which ran APT-like attack simulations before China was guilty of everything, using SQL injection before it had a name, and discovering vulnerability types which were previously unknown. In addition to finding and exploiting vulnerabilities, his next 15 years will be augmented by fixing them. Most of all he'd like to leave information security some day in a state where it'll be seriously difficult to break into a typical network deploying standard and inexpensive security solutions.
Hacking Web Applications: Case Studies of Award-winning Bugs in Google, Yahoo, Mozilla and more
Have you ever thought of hacking web applications for fun and profit? How about playing with authentic, award-winning security bugs identified in some of the greatest companies? If that sounds interesting, join this two-day hands-on training!
I will discuss security bugs that I have found together with Michal Bentkowski in a number of bug bounty programs (including Google, Yahoo, Mozilla, Twitter and others). You will learn how bug hunters think and how to hunt for security bugs effectively.
To be successful in bug hunting, you need to go beyond automated scanners. If you are not afraid of going into detail and doing manual/semi-automated analysis, then this hands-on training is for you.
After completing this training, you will have learned about:
– tools/techniques for effective hacking of web applications
– non-standard XSS, SQLi, CSRF
– RCE via serialization/deserialization
– bypassing password verification
– remote cookie tampering
– tricky user impersonation
– serious information leaks
– browser/environment dependent attacks
– XXE attack
– insecure cookie processing
– session related vulnerabilities
– mixed content vulnerability
– SSL strip attack
– path traversal
– response splitting
– bypassing authorization
– file upload vulnerabilities
– caching problems
– clickjacking attacks
– logical flaws
– and more…
This hands-on training was attended by security specialists from Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips and the government sector and it was very well-received. Recommendations can be found here (https://silesiasecuritylab.com/services/training/#opinions).
WHAT STUDENTS WILL RECEIVE
Students will be handed a VMware image with a specially prepared testing environment to play with bugs. What's more, this environment is self-contained, and when the training is over, students can take it home (after signing a non-disclosure agreement) to hack again at their own pace.
WHAT STUDENTS SHOULD KNOW
To get the most out of this training, basic knowledge of web application security is needed. Students should have some experience in using a proxy, such as Burp or a similar proxy, to analyze or modify traffic.
WHAT STUDENTS SHOULD BRING
Students will need a laptop with a 64-bit operating system, at least 4 GB RAM (8 GB preferred), 35 GB free hard drive space, USB port (2.0 or 3.0), wireless network adapter, administrative access, ability to turn off AV/firewall and VMware Player installed (64-bit version). Prior to the training, make sure there are no problems with running 64-bit VMs (BIOS settings changes may be needed).
WHO SHOULD ATTEND
Pentesters, bug hunters, security researchers/consultants
Dawid Czagan (@dawidczagan) is an internationally recognized security researcher and trainer. He is listed among Top 10 Hackers (HackerOne). Dawid Czagan has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter and other companies. Due to the severity of many bugs, he received numerous awards for his findings.
Dawid Czagan shares his security bug hunting experience in his very well-received hands-on training “Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more”. He delivered security training courses at key industry conferences such as Hack In The Box (Amsterdam), DeepSec (Vienna), 44CON (London), CanSecWest (Vancouver), Hack In Paris (Paris), HITB GSEC (Singapore), BruCON (Ghent) and for many corporate clients. His students so far include security specialists from Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips and government sector (recommendations: https://silesiasecuritylab.com/services/training/#opinions).
He presented his research at Security Seminar Series (University of Cambridge), HITB GSEC (Singapore), DeepSec (Vienna) and published over 20 security articles (InfoSec Institute).
Dawid Czagan is founder and CEO at Silesia Security Lab, which delivers specialised security auditing and training services. To find out the latest about Dawid Czagan’s work, you are invited to follow him on Twitter (@dawidczagan).
IoT Hacking: Linux Embedded, Bluetooth Smart, KNX Home Automation
The workshop consists of several modules:
1. Linux embedded
Linux embedded is probably the most popular OS, especially in SOHO equipment, like routers, cameras, smart plugs, alarms, bulbs, home automation, and even wireless rifles. Based on several examples, you will learn about the most common flaws (auth bypass, command injection, path traversal, backdoor services...). We will open a wireless doorlock remotely, hack cameras, and take control over other devices.
2. Bluetooth Low Energy
One of the most sought after IoT technologies. Learn how it works, about risks and possible attacks.
Using a new BLE MITM proxy tool developed by the author, we will hack various devices: smart doorlocks, mobile Point of Sale, authentication tokens, beacons, anti-thief protection and others.
3. KNX home automation
Learn how to take control over the most common home automation system: EIB/KNX.
Following an introduction to the system basics, we will hack the provided demo installation, abusing common misconfiguration weaknesses, similarly to how a luxury hotel in China was hacked a few years back.
- Embedded devices - popular architectures and operating systems
- Device supply chain and why it is difficult to maintain security - BSP, ODM, OEM, SDK...
- Linux embedded and its flavours, not only in SOHO devices
- One binary to rule them all
- Firmware analysis - binwalk & co
- Scanning, sniffing - nmap, wireshark...
- Exploiting known vulns: metasploit, routersploit
- Default credentials lists, hydra, john...
- Web interface attacking - Burp Proxy
- Identifying the serial port and connecting to the device's boot
- Analyze firmware images
- Locate hidden URLs
- Authentication bypass - open a wireless doorlock
- Excessive services, debug interfaces
- Cracking a hardcoded telnet root password
- RCE - get a remote shell on a router
- Attack a proprietary remote access protocol
- Analysis of the Mirai botnet and example affected devices
- What is Bluetooth Smart/Low Energy/4.0, and how is it different from previous Bluetooth versions?
- Usage scenarios, prevalence in IoT devices
- Central vs peripheral device
- GATT - services, characteristics, descriptors, handles
- Security features - pairing/encryption, whitelisting, MAC randomization
- Security in practice: own crypto in the application layer
- Tools and hardware
- Reversing communication - mobile application analysis
- BlueZ command-line tools
- Sniffing soft- & hardware - ubertooth, adafruit, bluehydra...
- What can you do with just a BT4 USB dongle?
- Analysis - hcidump, Android btsnoop log, BLE-replay
- BLE MITM - GATTacker, BtleJuice
- MAC address cloning
- Tips & tricks for MITM attacks
- Other tools, PoCs, research...
- BLE beacons spoofing - get rewards & free beer
- Abuse proximity autounlock of a padlock
- Inject arbitrary commands into a car unlocking device's communication protocol
- Spoof the encrypted status of a smart doorlock and home automation devices
- Intercept the indication of a "one-time-password" hardware token and authenticate to a bank
- Hijack a mobile Point-of-Sale display
- Abuse excessive services (e.g. a module's default AT-command interface)
- Intercept the static authentication password of a padlock
- Abusing flaws of custom challenge-response authentication
- Attacking encrypted (bonded) connections
- A glimpse at the source code: why do the vulnerabilities appear?
- Troubleshooting and debugging
- Takeaway - hackmelock (mobile application + simulated device) to practice BLE hacking at home
- Home automation standards review - wired, wireless
- KNX/EIB - history, protocol basics
- Group address, device address
- ETS configuration suite
- KNXd (formerly eibd) and command-line tools
- Scanning for a KNX-IP gateway from the local network
- Detecting publicly exposed gateways
- Monitor mode - sniffing
- KNX security features
- Device authentication keys
BONUS TRACK (possible to do at home):
Reversing binary protocol and hijacking communication of mobile application controlling HVAC system.
Slawomir Jasek is an IT security consultant with over 10 years of experience. He has participated in many assessments of the security of systems and applications for leading financial companies and public institutions, including a few dozen e-banking systems. He has also developed secure embedded systems certified for use by national agencies. Slawomir has an MSc in automation & robotics and loves to hack home automation and industrial systems. Besides his current research (BLE, HCE), he focuses on consulting and the design of secure solutions for various software and hardware projects, with protection during all phases, starting from scratch.
Offensive iOS Exploitation
This is an exercise-driven training course that uses detailed tutorials to guide the attendee through all the steps necessary to exploit a real iOS application, and in the process, provide an understanding of the modern attacker's mind-set and capabilities. This course will cover iOS hacking, from the basics of vulnerability hunting on the platform to advanced exploitation techniques. At its conclusion, the course will have imparted the information necessary to develop secure and robust applications.
This is a technical course suitable for those interested in mobile application security. The training does not require any prior security knowledge in order to benefit fully from the course, as the content covers all of the basics necessary to understand advanced concepts. However, a working knowledge of iOS is a prerequisite and it is recommended that attendees are familiar with the syntax and structure of an iOS application.
In addition, this workshop will use MWR's newly released tool "Needle" to identify and exploit common mobile application security flaws, over and above the OWASP Mobile Top Ten. Needle is an open source modular framework which aims to streamline the entire process of conducting security assessments of iOS applications, and acts as a central point from which to do so. Needle is intended to be useful not only for security professionals, but also for developers looking to secure their code. A few examples of testing areas covered by Needle include: data storage, inter-process communication, network communications, static code analysis, hooking and binary protections.
Other take-aways will include how to develop secure mobile applications that can withstand advanced attacks, how hackers attack mobile applications and iOS devices, and the most up to date and effective secure coding practices.
Although a device isn't essential, since practical examples will be delivered by the instructors, we recommend bringing your own jailbroken iOS device (running iOS >= 8.4) to fully enjoy the course, as devices won't be provided.
* Analysing iOS Applications
- Overview of the iOS ecosystem
- iOS testing environment
- Analysing iOS Applications
- Objective-C overview
* iOS Security Model
- Secure boot chain
- Application code signing
- Application sandbox (Seatbelt profiles, Entitlements)
- Anti-exploitation mechanisms (ASLR, W^X, Canaries)
* Data Security
- Data-at-rest encryption
- Data protection API
- Storage types (Keychain, NSUserDefaults, other data storages)
- Caching (Application Backgrounding, Keyboard Caching, HTTP Response Caching)
- System Log
- Inter-Process Communication (IPC)
* Runtime and Binary Protections
- Understanding the security relevance of running an application in a jailbroken device
- Understanding the concept of Instrumentation
- Understanding how to protect applications with binary protections
- Binary protections: detection and bypass
- Other Security Controls (securing the Runtime, tamperproofing, anti-debugging protections)
* Transport Security
- Network Communications in iOS
- Different ways to man-in-the-middle iOS connections
- SSL/TLS: Intercepting communications (HTTP/S)
WHO SHOULD TAKE THIS COURSE
* Security professionals who want to get a deeper understanding of the security implications of the iOS platform and of the techniques that can be used to perform security assessments of iOS applications
* Developers who want to write better (secure) code
* Anyone who wants to learn to use Needle proficiently
WHAT STUDENTS SHOULD BRING
* 1 jailbroken iOS device running iOS >= 8.0 (8.X preferred)
* 1 USB Lightning cable
* Laptop running Linux or OSX (with 20 GB minimum free space)
* Virtualization software capable of running VMDKs (.ova)
* A text editor you are comfortable writing in (instructors recommend Sublime Text 2 or Vim)
* Setup instructions will be sent to the students prior to the class
Marco Lancini is a Security Consultant at MWR InfoSecurity in the UK, specialising in mobile applications. He works assessing apps and device configurations for a number of large organisations including banking, financial, telco, and energy providers. He holds a Master's Degree in Engineering of Computing Systems from the Politecnico di Milano University, and international certifications such as OSCP.
He has previously presented at Black Hat, DeepSec, BSides, ACSAC, CCS, and NATO's CyCon. He is a contributor to the OWASP Project and a Technical Reviewer for some IEEE Journals.
Hands on Hacking with the WiFi Pineapple, USB Rubber Ducky and LAN Turtle (closed)
From wireless fundamentals to physical access security, man-in-the-middle attacks and precision WiFi exploitation, this workshop builds the competence to effectively exploit a range of Hak5 developed penetration testing tools.
Learn directly from the developers of the WiFi Pineapple, USB Rubber Ducky and LAN Turtle to get the most from these leading penetration testing platforms. Lectures and hands-on exercises emphasize responsible best practices and integration with popular penetration testing workflows.
Provided in this class are a WiFi Pineapple NANO, LAN Turtle, USB Rubber Ducky along with ISO/VM and course material. Students must bring a notebook computer capable of booting a USB live Linux OS or Virtual Machine.
About the Tools:
The WiFi Pineapple is the gold standard rogue access point. Capable of mimicking any hot-spot, this honeypot is highly effective at auditing modern WiFi devices. Managed in person or remotely through a simple web interface, the operator is uniquely poised as a man-in-the-middle enabling intelligence gathering, host redirection, credential capturing and so much more.
The USB Rubber Ducky is the original Keystroke Injection Attack tool. Posing as a generic USB Drive it's a social engineer's best friend. The open source tool is easily programmed allowing it to deliver automated keystrokes capable of gathering intelligence, installing backdoors, exfiltrating data and more - all while bypassing most prevention measures.
The LAN Turtle is a covert Systems Administration and Penetration Testing tool providing stealth remote access, network intelligence gathering, and man-in-the-middle monitoring capabilities. Housed within a generic "USB Ethernet Adapter" case, the LAN Turtle’s covert appearance allows it to blend into many IT environments.
Darren Kitchen is the founder of Hak5, an Internet television show inspiring hackers and IT pros since 2005. Breaking out of the 1990s phone phreak scene, Darren has continued to foster his passion for information security throughout his career as a systems administrator, presenter and creator of best selling penetration testing tools.
Sebastian Kinne is the lead developer of the WiFi Pineapple. Prior to hacking fruits, he reverse engineered MMORPG network protocols while completing his BSc in Computer Science. As a continuous presenter at the DEFCON Wireless Village and B-Sides London, he has probably tracked your smartphone's WiFi in a demo or two.
Hacker, coder, climber. Co-founder of SteelCon, author of many tools, always trying to learn new things.
Offensive PowerShell for Red and Blue Teams (closed)
Penetration Tests and Red Team operations for secured environments need altered approaches. You cannot afford to touch disks, throw executables and use memory corruption exploits without the risk of being ineffective as a simulated adversary. To enhance offensive tactics and methodologies, PowerShell is the tool of choice.
PowerShell has changed the way Windows networks are attacked - it is Microsoft’s shell and scripting language available by default in all modern Windows computers and can interact with .Net, WMI, COM, Windows API, Registry and other computers on a Windows Domain. This makes it imperative for Penetration Testers and Red Teams to learn PowerShell.
This training is aimed towards attacking Windows networks using PowerShell and is based on real world penetration tests and Red Team engagements for highly secured environments. The course runs as a penetration test of a secure environment with a detailed discussion and the use of custom PowerShell scripts during each phase. Here's a list of some of the techniques, implemented using PowerShell, which will be used in the course (scroll to "course content" for more details):
- In-memory shellcode execution using client side attacks.
- Exploiting SQL Servers (Command Execution, trust abuse, lateral movement.)
- Using Metasploit payloads with no detection
- Active Directory trust mapping, abuse and Kerberos attacks.
- Dump Windows passwords, Web passwords, Wireless keys, LSA Secrets and other system secrets in plain text
- Using DNS, HTTPS, Gmail etc. as communication channels for shell access and exfiltration.
- Network relays, port forwarding and pivots to other machines.
- Reboot and Event persistence
- Bypass security controls like Firewalls, HIPS and Anti-Virus.
This training aims to change how you test a Windows based environment. The course is a mixture of demonstrations, exercises, hands-on and lecture, focusing more on methodology and techniques than tools. After this training you'll be able to write your own scripts and customize existing ones for security testing. Additionally, attendees will get free access to a complete Active Directory environment that lasts for one month.
Day 1 – PowerShell Essentials and Getting a Foothold
- Introduction to PowerShell
- Language Essentials
- Using ISE
- Help system
- Syntax of cmdlets and other commands
- Variables, Operators, Types, Output Formatting
- Conditional and Loop Statements
- PowerShell Remoting and Jobs
- Writing simple PowerShell scripts
- Extending PowerShell with .Net
- WMI with PowerShell
- Playing with the Windows Registry
- COM Objects with PowerShell
- Recon, Information Gathering and the likes
- Vulnerability Scanning and Analysis
- Exploitation – Getting a foothold
- Exploiting MSSQL Servers
- Client Side Attacks with PowerShell
- PowerShell with Human Interface Devices
- Using Metasploit and PowerShell together
Day 2 – Post Exploitation and Lateral Movement
- Post-Exploitation – What PowerShell is actually made for
- Enumeration and Information Gathering
- Privilege Escalation
- Dumping System and Domain Secrets
- Kerberos attacks (Golden, Silver Tickets and more)
- Backdoors and Command and Control
- Pivoting to other machines
- Poshing the hashes™
- Replaying credentials
- Network Relays and Port Forwarding
- Achieving Persistence
- Detecting and stopping PowerShell attacks
- Quick System Audits with PowerShell
- Security controls available with PowerShell
Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His area of interest includes penetration testing, attack research, defence strategies and post exploitation research. He has 8+ years of experience in Penetration Testing for his clients which include many global corporate giants. He is also a member of Red teams of selected clients.
He specializes in assessing security risks at secure environments which require novel attack vectors and an "out of the box" approach. He has worked extensively on using Human Interface Devices in Penetration Tests and PowerShell for post exploitation, and is the creator of Kautilya, a toolkit which makes it easy to use HIDs in penetration tests, and Nishang, a post exploitation framework in PowerShell. In his spare time, Nikhil researches new attack methodologies and updates his tools and frameworks.
He has spoken at conferences like Defcon, BlackHat, CanSecWest, DeepSec and more.
He blogs at http://www.labofapenetrationtester.com/
Fundamentals of Routing and Switching from a Blue and Red Team Perspective (sold out)
In this intense 2 day workshop, students will learn the fundamentals of routing and switching from a blue and red team perspective. Using hands-on labs, students will receive practical experience with routing and switching technologies, including a detailed discussion on how to attack and defend the network infrastructure. Students will leave the class with a good understanding of how to configure and operate routing and switching protocols as well as how to attack and defend the control, management and data planes in their organizations' networks.
Paul Coggin is an Information Security Engineer. His expertise includes tactical, service provider, and ICS/SCADA network infrastructure attacks and defenses, as well as large complex network design and implementation. His experience includes leading network architecture reviews, vulnerability analysis, and penetration testing engagements for critical infrastructure and tactical networks.
Penetration Testing Humans (closed)
Social engineering is quickly becoming more prevalent in the infosec industry. Users are becoming more educated about social engineering attempts, but they still fall victim to attacks. Why? Well, like all technology, with great improvement to technology comes great improvement to exploitation, and maybe not so great improvement to security. This presentation explores the subtleties involved in wordcrafting, tone of voice, and adaptability during dreaded human interaction.
Cyni Winegard is currently an information security analyst with TraceSecurity. Starting her career as a systems administrator, she has moved into the information security industry and fallen in love with pen testing and social engineering. Cyni has a Bachelor of Science degree in history with a minor in anthropology from Florida A&M University and is currently working on a Masters in Cyber Security, as well as a Graduate Certificate in Terrorism and Homeland Security. She enjoys applying anthropological concepts to social engineering projects, and is passionate about compromising users. If not lost in cyberspace, Cyni can most likely be found practicing krav maga or seeking her soulmate (in the form of pizza).
Bethany Ward is an Information Security Analyst with TraceSecurity, LLC. In this role she performs pentests, security assessments, IT audits, and social engineering engagements. She has a B.S. in Computer Science from the University of Arkansas. In addition to her technical skills, Bethany is an avid lover of writing, acting, and psychology, and enjoys applying her liberal arts skills to her technical pursuits. Bethany has spoken on social engineering at multiple conferences, including HackMiami and DEF CON. When not being fascinated by security, Bethany enjoys antiquing and playing video games.
Secure Web Development (closed)
This training focuses on how to attack and defend websites from the perspective of a web developer. As a long-standing penetration tester and web security trainer, Marcus will show you known and sometimes unknown attack techniques (and bugs).
- Basic knowledge
-- HTTP, HTML, CSS, XML, and DOM
- Social Engineering and Information Disclosure
- Logical Flaws
- Same-Origin Policy
- Cross-Site Request Forgery
- Cross-Site Scripting
-- Reflective XSS
-- Stored XSS
-- DOM-based XSS
-- Self XSS
-- Mutation-based XSS
- Session Hijacking and Session Fixation
- UI Redressing and Clickjacking
- File Inclusions and Path Traversal
- Remote Command and Code Execution
- SQL Injections
- Secure Coding
-- DOCTYPE Switch
-- HTTP Parameter Pollution
-- Content Security Policy
-- Burp Suite
-- Security Requirements
Every participant needs an Internet connection and a laptop with Firefox. You will learn a lot - maybe you should bring some headache pills with you.
WHO SHOULD ATTEND
You should definitely attend if you are a web developer. Depending on the level of knowledge, this workshop might also be interesting for penetration testers and security researchers (especially day 2!).
Marcus Niemietz is a co-founder of Hackmanit and a security researcher at the Ruhr-University Bochum in Germany. He focuses on web security topics like HTML5 and especially UI redressing. Marcus published a book about UI redressing and clickjacking for security experts and web developers in 2012. Besides that, he works as a security consultant and gives security trainings for well-known companies. Marcus has spoken at a large variety of international conferences.
10 Years of DeepSec In-Depth Security Conference
Keynote: Security in my Rear-View Mirror
Everything that's old is new again, and if you work in security long enough, you'll see the same ideas re-invented and marketed as the new new thing. Or, you see solutions in search of a problem, dusted off and re-marketed in a new niche. I'll talk about some of that, and make a few wild guesses for where this may wind up. Spoiler alert: security will not be a "solved" problem.
Marcus J. Ranum works for Tenable Security, Inc. and is a world-renowned expert on security system design and implementation. He has been involved in every level of the security industry from product coder to CEO of a successful start-up. He is an ISSA fellow and holds achievement and service awards from several industry groups.
Advanced Concepts for SMM Malware
Hiding malware inside the BIOS/UEFI of a computer has long been deemed a theoretical threat rather than an actual attack vector. Implementation seemed too difficult and the benefits for malicious actors aiming for quick profits were considered negligible. However, with the recent rise of Advanced Persistent Threats (APTs) and state-sponsored attacks, sophisticated targeted attacks are now considered a realistic threat. For skilled attackers seeking high stealth and persistence rather than widespread infection, the BIOS/UEFI of a computer provides an ideal target. The System Management Mode (SMM) is a legacy mode of operation available in x86 and x86-64 CPUs. Originally, SMM was intended to be used for maintenance tasks such as power and thermal management. It is a highly privileged mode of operation which has free I/O access, can directly interact with memory and has no hardware memory protections enabled.
Our talk starts with a historical overview of previous SMM-based attacks. Most existing approaches are simple proof-of-concept implementations that do not explore the potential of threats stemming from SMM malware. In response to this deficit we present novel, advanced concepts for SMM malware, focusing on stealth, portability (including full Intel 64-bit support), and OS (memory layout) awareness of malware. Our talk aims at encouraging further research into the threat of SMM malware and at enabling the development of practical countermeasures against BIOS/UEFI malware.
Sebastian Schrittwieser (1st speaker):
Sebastian Schrittwieser heads the Josef Ressel Center for Unified Threat Intelligence on Targeted Attacks (https://www.jrz-target.at) and is a lecturer for IT security at the University of Applied Sciences St. Pölten, Austria. He received a doctoral degree in informatics with focus on information security from the Vienna University of Technology in 2014. Sebastian’s research interests include, among others, network analysis, digital forensics, binary analysis, and mobile security. Furthermore, Sebastian is a senior expert at Kibosec GmbH.
Julian Rauchberger (2nd speaker)
Julian Rauchberger is a master's student in the Information Security program and research assistant at the St. Poelten University of Applied Sciences. From 2014 to 2015 he worked in the Usable Privacy Box (https://www.upribox.org) project at the university. In the past, Julian was part of several research projects on the stealth of malware and possible detection methods. His research interests include, among others, system security, malware, and privacy.
When your Firewall turns against you
This talk will demonstrate how attackers can compromise a company's network via their firewall system. It's a common misbelief that security tools are always secure. The aim of this talk is to show the audience the difference between a secure product and a security product. First we discuss how we can remotely detect and identify the firewall system within the target's internal network. After that we start a brute-force attack from the Internet via the victim's browser against the internal firewall. We will show how an attacker can bypass the different CSRF protections in use to trigger actions on the firewall system. Finally, we are going to exploit a memory corruption bug (a type confusion bug which leads to a use-after-free vulnerability) in the PHP binary on the firewall to spawn a reverse root shell.
René Freingruber has been working as a professional security consultant for SEC Consult for several years. He conducts research in the fields of malware analysis, reverse engineering and exploit development. He also studies modern mitigation techniques and how they can be bypassed by attackers. In the course of that research he came across Microsoft's Enhanced Mitigation Experience Toolkit and gave various talks about its (in)security at conferences such as RuxCon, ToorCon, ZeroNights, DeepSec, 31C3 and NorthSec. He also presented talks about application whitelisting at CanSecWest, DeepSec, IT-SeCX, BSides Vienna, QuBit, NorthSec and Hacktivity.
Brace Yourselves - Exploit Automation is Coming!
After W^X/DEP was widely adopted, taking away the fun of simple code injection attacks, return-oriented programming (ROP) has become the cornerstone of modern, low-level, memory-corruption exploits. ROP relies on short, existing code fragments called "gadgets", which are arranged in a specific way so they execute consecutively. This is a cumbersome process: gadgets have to be found, categorized, their usefulness assessed, intertwined with data, and chained together. Many tools that support this process exist, but they are often outdated, not supporting modern 64-bit platforms, and usually limited to gadget discovery, making exploit developers sift through tens of thousands of gadgets. Some tools claim they can automate the full process of building ROP chains, however, their search algorithms are simple, pattern-based, and if a specific gadget is not present, the whole process fails. Academic tools only work on synthetic examples but not on real binaries. Overall, ROP exploit development is a predominantly manual task.
In this talk, I will review the basic concept of ROP, give an overview of tools that assist ROP exploit development, and show what they can do - and especially what they cannot do. Afterwards, I will discuss what kinds of features would be useful in such tools and present a tool our research group has developed. It greatly assists ROP exploit development and provides two distinct features: semantic gadget summaries, which show the effects of a gadget on registers and memory in a condensed way; and an auto-ropping engine that actually works, which automatically builds a ROP chain to invoke an arbitrary API with arbitrary parameters. Lastly, I will give an outlook on future mitigations and attacks, discussing state-of-the-art research.
Andreas Follner received his Master's degree in IT security from the University of Applied Sciences Technikum Wien in 2012. He is currently working towards his PhD at TU Darmstadt (Germany), where his key research interests are exploitation, exploit mitigation and binary analysis. As the main author of three peer-reviewed publications, he likes research that is not purely academic and has a practical impact.
Why Companies Must Control Their Data in the Era of IoT - and How To
Any company's dilemma is the need for data sharing in the era of IoT while at the same time controlling access and ownership. In order to succeed in business, it is imperative to make data available to customers, suppliers and business partners. However, the explosion and the proclaimed free flow of data can turn against an organisation and threaten its very existence, if not professionally controlled.
Kurt is CEO and co-founder of regify, a software company that focuses on trusted e-communications. As a serial entrepreneur, Kurt has established several software and communication businesses. From 2003 to 2008, he led the growth of US-based VI Agents, a pioneer in business applications delivered as a service. From 1996 to 2002, Kurt served as CEO of living systems AG, an international supplier of e-commerce software which he had co-founded in 1996.
Kurt holds a Business and IT degree from the University of Karlsruhe, Germany. He was honored as a "Technology Pioneer" by the World Economic Forum. He also received awards from the Asia-Europe Young Entrepreneurs Forum in Singapore and the Wharton Infosys Business Forum.
Go Hack Yourself…Or Someone Else Will
Regardless of what type of programming language you work with, business flaws that could expose unauthorized data will always be hard to mitigate. Depending on the business, an issue for one company could in fact be a feature for another. Frans Rosén, a successful white hat hacker, will explain how to find and test for these kinds of business-critical issues with examples from real life, such as Twitter, Facebook and Google.
Frans Rosén is a tech entrepreneur, bug bounty hunter and a Knowledge Advisor at Detectify, a security service for developers. He's a frequent blogger at Detectify Labs and a top ranked participant of bug bounty programs, receiving the highest bounty payout ever on HackerOne.
Frans was recently featured as #2 on Hackread's list of 10 Famous Bug Bounty Hunters of All Time, and the results of his security research have been covered in numerous international publications such as Observer, BBC, Ars Technica and SC Magazine.
Frans is a sought-after speaker in the field of web security. He combines concrete knowledge and security tool-kits with entertaining stories about his findings and white hat hacking.
HSTS and Cookie Side-Channels: Stealing Browser History
In this talk we show that HSTS headers and long-term cookies (like those used for user tracking) are so prevalent that they allow a malicious Wi-Fi operator (or any other MitM attacker) to gain significant knowledge about the past browsing history of users. We demonstrate how to combine both into a history stealing attack by including specially crafted references in a captive portal or by injecting them into legitimate HTTP traffic.
Captive portals are used on many Wi-Fi Internet hotspots to display a message to the user, like a login page or an acceptable use policy, before they are connected to the Internet. They are typically found in public places such as airports, train stations, or restaurants. Such systems have been known to be troublesome for
Adrian Dabrowski is a researcher at SBA Research and lecturer at TU Wien. Besides playing CTFs, his main topics are RFID and mobile phone access network security.
Systematic Fuzzing and Testing of TLS Libraries
We present TLS-Attacker, a novel framework for evaluating the security of TLS libraries. Using a simple interface, TLS-Attacker allows security engineers to create custom TLS message flows and arbitrarily modify TLS message contents in order to test the behavior of their TLS libraries.
Based on TLS-Attacker, we first developed a two-stage TLS fuzzing approach. Our approach automatically searches for cryptographic failures and boundary violation vulnerabilities. It allowed us to find unusual padding oracle vulnerabilities and overflows/overreads in widely used TLS libraries, including OpenSSL, Botan, and MatrixSSL.
Our findings encourage the use of comprehensive test suites for the evaluation of TLS libraries, including positive as well as negative tests. We used TLS-Attacker to create such a test suite framework, which finds further problems in TLS libraries.
TLS-Attacker is an open source tool, and is currently being deployed for internal tests in Botan and MatrixSSL.
Dr. Juraj Somorovsky is a security researcher at the Ruhr University Bochum, and co-founder of Hackmanit GmbH. He is a co-author of several TLS attacks (e.g., DROWN), and the main developer of a flexible tool for TLS analyses: TLS-Attacker (https://github.com/RUB-NDS/TLS-Attacker). He presented his work at many scientific and industry conferences, including Usenix Security, Blackhat, Deepsec or OWASP Europe.
Of Mice and Keyboards: On the Security of Modern Wireless Desktop Sets
Wireless desktop sets consisting of a wireless mouse, a wireless keyboard, and a USB dongle have become more popular and more widespread in the last couple of years. Seen as a potential target, those radio-based devices are of more interest to people with malicious intentions than their wired counterparts, due to the fact that they can also be attacked remotely from a safe distance via radio signals.
As wireless desktop sets represent an attractive target, both allowing to take control of a computer system and to gain knowledge of sensitive data like passwords, they have been frequently analyzed for security vulnerabilities and were successfully attacked in the past. One well-known example for exploiting vulnerabilities in wireless keyboards is the open source wireless keyboard sniffer KeyKeriki by Dreamlab Technologies. The first version was presented back in 2009 for Microsoft keyboards using the 27 MHz ISM band. The second version also supported wireless keyboards using the 2.4 GHz ISM band and was presented in 2010. In 2015, Samy Kamkar published an Arduino-based wireless keyboard sniffer for Microsoft keyboards with known security weaknesses that extended the work of the KeyKeriki v2.0 project and of Travis Goodspeed's research concerning Nordic Semiconductor's transceiver family nRF24. And in spring 2016, a collection of security vulnerabilities found in USB dongles of wireless desktop sets of different manufacturers was released by Bastille Networks Internet Security under the name of MouseJack, which allowed keystroke injection attacks.
SySS GmbH started a research project about the security of modern wireless desktop sets using AES encryption in 2015, as there was no publicly available data concerning security issues in current wireless mice and keyboards. Up to now (May 2016), several security vulnerabilities in modern wireless desktop sets of different manufacturers, like Microsoft, Cherry, Logitech, and perixx, have been found and reported in the course of our responsible disclosure program.
The found security vulnerabilities can be exploited within different attack scenarios from different attacker's perspectives. On the one hand, there are security issues which require one-time physical access to a keyboard or a USB dongle, for example to extract cryptographic keys, which can be used in further attacks or to manipulate the firmware. On the other hand, there are security issues that can be exploited remotely via radio communication, for example replay or keystroke injection attacks, due to insecure implementations of the AES encrypted data communication.
The results of our research show that the security levels of modern wireless desktop sets of different manufacturers are not equal and that some devices are more secure than others. Still, so far there has been no wireless desktop set without any security issues.
In this talk, I will present the results of our research and will demonstrate ways in which modern wireless desktop sets of several manufacturers can be attacked by practically exploiting different security vulnerabilities.
Gerhard is interested in all things concerning IT security - especially when it comes to hardware or radio protocols. He successfully studied IT security at Aalen University and has been working at SySS GmbH since 2014 as an IT security consultant and penetration tester. Gerhard was a speaker at GPN 2013 - a conference organized by the Chaos Computer Club (CCC) in Karlsruhe - where he talked about hacking RFID-based student cards. He is also the author of the Mifare Classic Tool Android app.
Fuzzing Remote Interfaces for System Services in Android
System services represent one of the core components in Android, implementing many fundamental Android features such as media playback, graphics or network connectivity. The fact that the large majority of system services expose a remote interface that can be called by other unprivileged applications or services makes them an excellent attack vector. From a system security perspective this task makes even more sense, since most of the components and processes executed behind each system service run with high or increased privileges.
The presentation will focus on a fuzzing approach that can be used for testing system services in Android, providing in-depth information about the implementation of the tools developed to accomplish this task and examples of actual vulnerabilities that were discovered in the latest versions of Android.
Alexandru Blanda is a software security engineer, part of the Open Source Technology Center at Intel Corporation. He is currently working on projects related to the overall security of the Android OS, mainly focusing on methods to improve the efficiency of fuzzing techniques inside this environment and discovering ways to uncover vulnerabilities inside different components of the operating system.
I Thought I Saw a |-|4><0.-
Threat Hunting refers to proactively and iteratively searching through networks or datasets to detect and respond to advanced threats that evade traditional rule- or signature-based security solutions. But what does this really mean? And what real impact does it have on the security team?
Can we use threat hunting to provide a process to better detect and understand when you've been breached?
More and more security data is being produced and usually aggregated into a central location or body to hopefully take quick and informed decisions on attacks or compromises amongst a mountain of data. When you start to include data gathered from your endpoints the amount of data starts to explode exponentially. This level of data provides us with a large amount of visibility. But is having visibility enough?
What if a more thoughtful and intelligent way of generating alerts could draw an analyst's attention to the right place at the right time? This would provide context or even flag suspicious behaviour that can become the starting point of a hunt.
In this talk, we will explore this theory and establish working foundations of what threat hunting is and look at some of the challenges associated with gathering large data sets. This will give us a foundation to look at how we can improve and explore implementing an intelligent threat hunting model to drive the investigation process.
With over 25 years of experience, Thomas has a unique view on security in the enterprise, with experience in multiple domains from policy and risk management, secure development, incident response and forensics. Thomas has held roles varying from security architect in large Fortune 500 companies to consultant for both industry vendors and consulting organizations. Thomas currently plays a lead role in advising customers while investigating malicious activity and analyzing threats for Digital Guardian.
Thomas is also an active participant in the infosec community not only as a member but also as director of Security BSides London and as an ISSA UK chapter board member.
badGPO - Using GPOs for Persistence and Lateral Movement
Group Policy is a feature which provides centralized management and configuration functions for the Microsoft operating system, application and user settings. Group Policy is simply the easiest way to reach out and configure computer and user settings on networks based on Active Directory Domain Services (AD DS). Such policies are widely used in enterprise environments to control settings of clients and servers: registry settings, security options, scripts, folders, software installation and maintenance, just to name a few. Settings are contained in so-called Group Policy Objects (GPOs) and can be misused in a sneaky way to distribute malware and gain persistence in an automated manner in a post-exploitation scenario of an already compromised domain. In a proof of concept, inspired by Phineas Fisher's article about pwning HackingTeam, we will show how persistence and lateral movement in a compromised company network can be achieved, and demonstrate some PowershellEmpire Framework modules which we created. PowershellEmpire is basically a post-exploitation framework that utilises the widely-deployed PowerShell tool for all your system-smashing needs. There are already functionalities built in regarding GPOs. We tried to further evolve the misuse of GPOs in additional scenarios. Furthermore, we will discuss some countermeasures including detection and prevention mechanisms.
Yves and Immanuel are both penetration testers at Oneconsult AG. Their daily business is to build and deconstruct things.
Yves works as a security consultant at Oneconsult, focusing on penetration tests, security consulting and training. He was promoted to team leader and branch manager Bern a year ago. As a former system and network engineer he managed several servers, applications and networks including systems at a large Swiss university, financial services and public administration among other industries.
Immanuel worked several years as a system administrator at a university. When moving to another higher education institution he was appointed head of the internal IT services department. His work at Oneconsult is focused on penetration tests and
Security and Privacy in the Current E-Mobility Charging Infrastructure
Smart and electric mobility is an emerging market and thus an interesting area of research and development. Multiple different solutions have already been implemented, but neither a clear market player nor any proven and widely adopted standards or best practices exist today.
This talk will focus on the security and privacy aspects of e-mobility charging infrastructure, from the authentication process to reserve or start a charging process to billing and fraud detection. It will further give an overview of how current ICT solutions (OCPP, OICP, OCPI, ISO 15118, ...) handle those requirements and what could be done to improve the current situation.
Achim Friedland has a degree in computer science from the Technical University of Ilmenau, Germany. He has a strong interest in computer networking and security and has published several papers in this field. He left academia to lead R&D in two data-driven startups (graph databases and renewable energy). Now he has started his own company in the field of smart mobility, Open Data and privacy.
DROWN: Breaking TLS using SSLv2
We present DROWN, a novel cross-protocol attack on TLS that uses a server supporting SSLv2 as an oracle to decrypt modern TLS connections.
We introduce two versions of the attack. The more general form exploits multiple unnoticed protocol flaws in SSLv2 to develop a new and stronger variant of the Bleichenbacher RSA padding-oracle attack. To decrypt a 2048-bit RSA TLS ciphertext, an attacker must observe 1,000 TLS handshakes, initiate 40,000 SSLv2 connections, and perform 2^50 offline work. The victim client never initiates SSLv2 connections. We implemented the attack and can decrypt a TLS 1.2 handshake using 2048-bit RSA in under 8 hours, at a cost of $440 on Amazon EC2. Using Internet-wide scans, we find that 33% of all HTTPS servers and 22% of those with browser-trusted certificates are vulnerable to this protocol-level attack due to widespread key and certificate reuse.
For an even cheaper attack, we apply our new techniques together with a newly discovered vulnerability in OpenSSL that was present in releases from 1998 to early 2015. Given an unpatched SSLv2 server to use as an oracle, we can decrypt a TLS ciphertext in one minute on a single CPU - fast enough to enable man-in-the-middle attacks against modern browsers. We find that 26% of HTTPS servers are vulnerable to this attack.
We further observe that the QUIC protocol is vulnerable to a variant of our attack that allows an attacker to impersonate a server indefinitely after performing as few as 2^17 SSLv2 connections and 2^58 offline work.
We conclude that SSLv2 is not only weak, but actively harmful to the TLS ecosystem.
Nimrod Aviram received a B.Sc. in Mathematics and Computer Science from Tel Aviv University. He is now a PhD student at The Department of Electrical Engineering at Tel Aviv University. Nimrod's research interests include various topics in applied cryptography and Internet traffic. He recently co-published the DROWN attack against TLS.
Human vs Artificial intelligence – Battle of Trust
• Application with workflows
• Asynchronous injections across critical functions
• Role based violations and escalations
• Access to un-authenticated resources via hidden logic
• Third party posting, injection and streaming
• Customize protocol handling and exploitation
• Sensitive information going out via Analytics calls
• Logical abuse in forgot/reset passwords
• HTML5 Local storage weaknesses
• Exploiting XSS to write in to application local storage in mobile
Hemil Shah, Co-CEO and Director at Blueinfy, is responsible for customer engagement, assessment implementation and customer communication. He focuses on development and continuous up-gradation of assessment processes and systems to ensure delivery of best-in-class assessment quality. He is very much a hands-on person who works very closely with teams to ensure that customer applications are assessed accurately with maximum coverage in width and depth. He also contributes regularly to Blueinfy’s blog. Saumil has more than 15 years of experience in the software security industry. Prior to joining Blueinfy, Hemil worked for HBO and KPMG, where he was a key member of their internal software security team. Before he also worked for IL&FS and Net-Square, being involved with software security assurance and assessment respectively. Saumil has delivered talks and/or trainings on mobile and application security at various respected conferences, such as HiTB, OWASP Europe, InfoSec World, DeepSec, SyScan InfoSecWorld and BreakPoint to name a few. He is one of the founders of eSphere Security and mentor at ExtenedITArms.
This talk focusses more on the inner mechanisms of Stegosploit, implementation details and how certain browser specific obstacles were overcome.
The Stegosploit Toolkit contains the tools necessary to test image based exploit delivery. A case study of a Use-After-Free memory corruption exploit (CVE-2014-0282) shall be presented demonstrating the Stegosploit technique. Further reading: http://stegosploit.info/
Saumil Shah is the founder and CEO of Net-Square, providing cutting edge information security services to clients around the globe. Saumil is an internationally recognized speaker and instructor, having regularly presented at conferences like BlackHat, RSA, CanSecWest, 44CON, Hack.lu, Hack-In-The-Box, NoSuchCon, REcon and others. Saumil has been the co-developer of the wildly successful "Exploit Laboratory" courses that he teaches all over the world. He has also authored two books titled "Web Hacking: Attacks and Defense" and "The Anti-Virus Book".
Saumil graduated with an M.S. in Computer Science from Purdue University, USA and a B.E. in Computer Engineering from Gujarat University. He spends his leisure time breaking software, flying kites, traveling around the world and taking pictures.
Malicious Hypervisor Threat – Phase Two: How to Catch the Hypervisor
In our 2014 presentation we proved that the threat of the Malicious Hypervisor (MH) is a technical reality. The question is not whether it can be implemented. In our opinion it has been implemented and in use since 2007 – 2008 and, in all likelihood, another instance has been developed around 2009 – 2010. The question is when it will become available for real cyber terrorism attacks. We have not seen such an attack yet. More likely MH has been used to collect important information in silence very effectively. However, we cannot control the underground exploitation of software development and an MH attack may happen any time.
As we stressed in our 2014 presentation, there is no effective method to discover MH. So, since we said A, by doing our first MH research, we considered it as our obligation to say B, dedicating the next phase of our research to the development of methods and tools to catch the MH.
Our presentation will basically cover our research and the development process, outlining some important ideas and findings and providing results proving that our methods and software work and can reliably be used to discover MH.
However, we do not consider it as productive to simply provide the exact information about the research and the development. We want to avoid “copy-cat” processes and would like to encourage security researchers and organizations to conduct independent research and development work using our “milestones”.
From our point of view, we achieved our goal – we have the methods and we have a tool utilizing these methods. We have both a demo and production version of the Hypervisor Catcher tool which can discover MH in a computer system with 99.99% reliability and within a very reasonable time frame.
We do not think that we will be able to prevent MH attacks if they happen in the near future. However, at least we are now able to identify the silent deployment of such a devastating attack tool.
During the presentation I will briefly introduce the audience to the most important information and conclusions of the research of our Phase 1 (as discussed at DeepSec 2014). We will also discuss our analysis of methods used in the traditional research concerning the “rootkit hypervisor” to catch hypervisor activity. Then we will move on to our proposed methods and results. We will also give the audience some statistical information proving our case. However, during our one and a half year long research we gathered a lot of testing information which we simply cannot discuss within our presentation without killing any interest in our findings. We will try to balance all what we mentioned here to keep the audience happy and interested in the discussion.
Mikhail A. Utin completed his basic engineering education in 1975 in Computer Science and Electrical Engineering. His career in Russia included working for several research and engineering organizations. He received a Doctorate / PhD in Computer Science (1988) from what was then called the Academy of Science of the USSR. In 1988 he founded and until 1990 led an information technology company and successfully worked in the emerging private sector of Russia. Mikhail held several USSR patents and published numerous articles.
He migrated to the US with his family in 1990 to escape from political turmoil, hoping to continue his professional career. In the US he worked for numerous companies and organizations in information technology and information security fields including contract work for the US government DoN and DoT. Together with colleagues Mikhail formed the private company Rubos, Inc. for IT security consulting and research in 1998 and worked as a (ISC)2 certified professional for 9 years. He published articles on the Internet and in professional journals, and is a reviewer of articles submitted to the (ISC)2 Information Security Journal: A Global Perspective.
His current research focuses on information security governance, regulations and management, and the relationship between regulations, technology, business activities and businesses' security status. Most of his research is pioneering work and an exploration of complex security problems outside of information security's mainstream or on problems considered impossible to resolve.
Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java deserialization vulnerabilities are a bug class of their own. Although several security researchers have published details in the past, the bug class is still fairly unknown. This talk is about finding and exploiting deserialization flaws in Java.
Several vulnerabilities and gadgets discovered by Code White will be shown as case studies including a new 0day.
Matthias is the Head of Vulnerability Research at Code White. He enjoys bug-hunting in Java Software because it's so easy. He found vulnerabilities in products of Oracle, IBM, VMware, SAP, Symantec, Apache, Adobe, etc. Currently, he has a good time researching Java deserialization vulnerabilities but also looking into COM.
TLS 1.3: Lessons Learned from Implementing and Deploying the Latest Protocol
Version 1.3 is the latest Transport Layer Security (TLS) protocol, which allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. TLS is the S in HTTPS. TLS was last changed in 2008, and a lot of progress has been made since then. CloudFlare will be the first company to deploy this on a wide scale, and we’ll be able to discuss the insights we gained while implementing and deploying this protocol. This talk will explore differences between TLS 1.3 and previous versions in detail, focusing on the security improvements of the new protocol as well as some of the challenges we face around securely implementing new features such as 0-RTT resumption. We’ll also demonstrate an attack on the way some browsers have chosen to implement TLS 1.3.
Nick Sullivan is a leading cryptography and security technologist. At CloudFlare, a top Internet performance and security company, Nick is responsible for overseeing all cryptographic products and strategies. Previously, he held the prestigious title of “Mathemagician” at Apple, where he encrypted books, songs, movies and other varieties of mass media.
The Perfect Door and The Ideal Padlock
You have spent lots of money on a high-grade pick-resistant lock for your door. Your vendor has assured you how it will resist attack and how difficult it would be for someone to copy your key. Maybe they're right. But... the bulk of attacks that both penetration testers and also criminals attempt against doors have little or nothing to do with the lock itself!
This talk will be a hard-hitting exploration (full of photo and video examples) of the ways in which your doors and padlocks -- the most fundamental part of your physical security -- can possibly be thwarted by someone attempting illicit entry. The scary problems will be immediately followed by simple solutions that are instantly implementable and usually very within-budget. You, too, can have a near-perfect door and acquire ideal padlocks... if you're willing to learn and understand the problems that all doors and padlocks tend to have.
While paying the bills as a security auditor and penetration testing consultant with The CORE Group, Deviant Ollam is also a member of the Board of Directors of the US division of TOOOL, The Open Organisation Of Lockpickers. His books Practical Lock Picking and Keys to the Kingdom are among Syngress Publishing's best-selling pen testing titles. At multiple annual security conferences Deviant runs the Lockpick Village workshop area, and he has conducted physical security training sessions for Black Hat, DeepSec, ToorCon, HackCon, ShakaCon, HackInTheBox, ekoparty, AusCERT, GovCERT, CONFidence, the FBI, the NSA, DARPA, the National Defense University, the United States Naval Academy at Annapolis, and the United States Military Academy at West Point.
Obfuscated Financial Fraud Android Malware: Detection And Behavior Tracking
In Korea in particular, hackers have distributed sophisticated and complex financial fraud Android malware through various distribution channels, such as SMS phishing, Google Play and compromised web servers.
This talk will cover recent trends in obfuscated malicious Android apps in Korea, and explain the various mobile protection techniques used to obstruct the analysis of malware, such as obfuscation, packing and anti-debugging.
Analysis Team at KrCERT/CC, KISA (6 years)
Machine Duping: Pwning Deep Learning Systems
Deep learning and neural networks have gained incredible popularity in recent years. The technology has grown to be the most talked about and least well understood branch of machine learning. Successful applications of deep learning in image and speech recognition have kickstarted movements to integrate it into critical fields like medical imaging and self-driving cars. In the security field, deep learning has shown good experimental results in malware/anomaly detection, APT protection, spam/phishing detection and traffic identification. However, most deep learning systems are not designed with security and resiliency in mind, and can be duped by any attacker with a good understanding of the system.
The efficacy of applications using machine learning should not only be measured by precision and recall, but also by their malleability in an adversarial setting. In this talk, we will dive into popular deep learning software and show how it can be tampered with to do what you want it to do, while avoiding detection by system administrators. Besides giving a high-level overview of deep learning and its inherent shortcomings in an adversarial setting, we will focus on tampering with real systems to show real weaknesses in critical systems built with it. In particular, this demo-driven session will be focused on manipulating an image recognition, a speech recognition and a phishing detection system built with deep learning at the core.
By discussing defensive measures that should be put in place to prevent the class of attacks demonstrated, we hope to address the hype behind deep learning from the context of security and look towards a more resilient future of this technology where developers can more safely use it in critical applications.
Ashlee Vance. 2015. The First Person to Hack the iPhone Built a Self-Driving Car. In His Garage.
Zhenlong Yuan, Yongqiang Lu, Zhaoguo Wang, and Yibo Xue. 2014. DroidSec: deep learning in android malware detection. SIGCOMM Comput. Commun. Rev. 44, 4 (August 2014), 371-372. DOI=http://dx.doi.org/10.1145/2740070.2631434
Nicolas Papernot, Patrick McDaniel, Ian Goodfellow, Somesh Jha, Z. Berkay Celik, and Ananthram Swami. 2016. Practical Black-Box Attacks against Deep Learning Systems using Adversarial Examples. (arXiv:1602.02697v2)
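To make the "duped by any attacker" claim concrete, here is an added example (not the speaker's demo code) of the gradient-sign adversarial example technique from the Papernot et al. reference above, applied to a logistic-regression classifier standing in for a deep network: the attack is the same for a deep model, only the input gradient then comes from backpropagation. The training set is constructed, and the feature values, learning rate and epsilon are assumptions.

```python
"""Added example: a fast-gradient-sign adversarial input against a logistic
regression model trained on constructed data. Not the speaker's code."""
import math

# Constructed, linearly separable 2-feature training set (label 1 = "benign").
TRAIN = [((1.0, 1.0), 1), ((2.0, 1.0), 1), ((1.0, 2.0), 1), ((2.0, 2.0), 1),
         ((-1.0, -1.0), 0), ((-2.0, -1.0), 0), ((-1.0, -2.0), 0), ((-2.0, -2.0), 0)]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def train(data, lr=0.5, steps=200):
    """Plain gradient descent on the cross-entropy loss; returns (weights, bias)."""
    w, b, n = [0.0, 0.0], 0.0, len(data)
    for _ in range(steps):
        gw, gb = [0.0, 0.0], 0.0
        for x, y in data:
            err = sigmoid(w[0] * x[0] + w[1] * x[1] + b) - y
            gw[0] += err * x[0] / n
            gw[1] += err * x[1] / n
            gb += err / n
        w = [w[0] - lr * gw[0], w[1] - lr * gw[1]]
        b -= lr * gb
    return w, b


def predict_proba(model, x):
    w, b = model
    return sigmoid(w[0] * x[0] + w[1] * x[1] + b)


def predict(model, x):
    return 1 if predict_proba(model, x) >= 0.5 else 0


def input_gradient(model, x, y):
    """d(loss)/d(input) for logistic regression: (p - y) * w.
    For a deep network this is what backpropagation to the input layer yields."""
    w, _ = model
    p = predict_proba(model, x)
    return [(p - y) * w[0], (p - y) * w[1]]


def fgsm(model, x, y, eps):
    """Fast gradient sign method: shift every feature by eps in the direction that
    increases the loss. The change is bounded by eps per feature, so a small eps is
    an input that looks unchanged to a human but not to the model."""
    g = input_gradient(model, x, y)
    sign = lambda v: (v > 0) - (v < 0)
    return [xi + eps * sign(gi) for xi, gi in zip(x, g)]


def demo():
    """Clean input vs. two perturbation budgets; returns the predicted labels."""
    model = train(TRAIN)
    x, y = (1.5, 1.5), 1
    return {"clean": predict(model, x),
            "eps_0.1": predict(model, fgsm(model, x, y, 0.1)),
            "eps_2.0": predict(model, fgsm(model, x, y, 2.0))}


if __name__ == "__main__":
    print(demo())
```

The defence the talk points at is measured the same way: retrain with such perturbed inputs (adversarial training) and check that `fgsm` at the same budget no longer flips the label.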
Clarence Chio graduated with a B.S. and M.S. in Computer Science from Stanford, specializing in data mining and artificial intelligence. He currently works as a Security Research Engineer at Shape Security, building a product that protects high valued web assets from automated attacks. At Shape, he works on the data analysis systems used to tackle this problem. Clarence spoke on Machine Learning and Security at DEFCON 24, PHDays, BSides Las Vegas and NYC, Code Blue, SecTor, and Hack in Paris (2015,2016). He has been a community speaker with Intel, and is also the founder and organizer of the ‘Data Mining for Cyber Security’ meetup group, the largest gathering of security data scientists in the San Francisco Bay Area.
Exploiting First Hop Protocols to Own the Network
This talk will focus on how to exploit a network by targeting the various first hop protocols. Attack vectors for crafting custom packets as well as a few of the available tools for layer 2 network protocols exploitation will be covered. Defensive mitigations and recommendations for adding secure visualization and instrumentation for layer 2 will be provided.
Paul Coggin is an Information Security Engineer. His expertise includes tactical, service provider and ICS/SCADA network infrastructure attacks and defenses as well as large, complex network design and implementation. His experience includes leading network architecture reviews, vulnerability analysis and penetration testing engagements for critical infrastructure and tactical networks.
AMSI: How Windows 10 Plans To Stop Script Based Attacks and How Good It Does That
In Windows 10, Microsoft introduced the Antimalware Scan Interface (AMSI), which is designed to target script-based attacks and malware. Script-based attacks have been lethal for enterprise security, and with the advent of PowerShell such attacks have become increasingly common.
AMSI targets malicious scripts written in PowerShell, VBScript, JScript, etc., and drastically improves the detection and blocking rate of malicious scripts. When a piece of code is submitted for execution to the scripting host, AMSI steps in and scans the code for malicious content. What makes AMSI effective is that no matter how obfuscated the code is, it has to be presented to the script host in clear, unobfuscated text. Moreover, since the code is submitted to AMSI just before execution, it doesn't matter whether it came from disk, from memory or was entered interactively. AMSI is an open interface, and Microsoft says any application will be able to call its APIs. Currently Windows Defender uses it on Windows 10.
Has Microsoft finally killed script-based attacks? Or are there even ways to bypass AMSI?
The talk will be full of live demonstrations.
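The paragraph above describes AMSI from the script host's side. The following added example (not the speaker's material, and not any Microsoft sample) shows that side in Python: it binds the public amsi.dll functions with ctypes, decodes a PowerShell-style `-EncodedCommand` blob exactly as a host would, and only then hands the clear text to the registered provider. It assumes Windows 10 or later with a provider such as Windows Defender registered; `scan_content` raises `OSError` elsewhere, and the `scanner` parameter of `run_like_a_host` is injectable so the decode-scan-refuse flow can be exercised without Windows.

```python
"""Added example: calling the AMSI API the way a script host does, scanning
content right before it would be executed. Not code from the talk."""
import base64
import ctypes
import sys

# AMSI_RESULT values from amsi.h
AMSI_RESULT_CLEAN = 0
AMSI_RESULT_NOT_DETECTED = 1
AMSI_RESULT_BLOCKED_BY_ADMIN_START = 0x4000
AMSI_RESULT_BLOCKED_BY_ADMIN_END = 0x4FFF
AMSI_RESULT_DETECTED = 32768


def result_is_malware(result):
    """Same test as the AmsiResultIsMalware() macro in amsi.h."""
    return result >= AMSI_RESULT_DETECTED


def encode_command(script):
    """What powershell.exe -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(encoded):
    """The host's first step: the blob becomes clear text before anything runs."""
    return base64.b64decode(encoded).decode("utf-16-le")


def scan_content(content, content_name, app_name="PyHost"):
    """Hand a string to the registered AMSI provider; returns the AMSI_RESULT."""
    if sys.platform != "win32":
        raise OSError("AMSI is only available on Windows 10 and later")
    amsi = ctypes.WinDLL("amsi")
    ctx_p = ctypes.POINTER(ctypes.c_void_p)
    amsi.AmsiInitialize.argtypes = [ctypes.c_wchar_p, ctx_p]
    amsi.AmsiInitialize.restype = ctypes.c_long          # HRESULT
    amsi.AmsiOpenSession.argtypes = [ctypes.c_void_p, ctx_p]
    amsi.AmsiOpenSession.restype = ctypes.c_long
    amsi.AmsiScanString.argtypes = [ctypes.c_void_p, ctypes.c_wchar_p, ctypes.c_wchar_p,
                                    ctypes.c_void_p, ctypes.POINTER(ctypes.c_int)]
    amsi.AmsiScanString.restype = ctypes.c_long
    amsi.AmsiCloseSession.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    amsi.AmsiCloseSession.restype = None
    amsi.AmsiUninitialize.argtypes = [ctypes.c_void_p]
    amsi.AmsiUninitialize.restype = None

    ctx = ctypes.c_void_p()
    hr = amsi.AmsiInitialize(app_name, ctypes.byref(ctx))
    if hr != 0:
        raise OSError(f"AmsiInitialize failed: 0x{hr & 0xFFFFFFFF:08x}")
    try:
        session = ctypes.c_void_p()
        hr = amsi.AmsiOpenSession(ctx, ctypes.byref(session))
        if hr != 0:
            raise OSError(f"AmsiOpenSession failed: 0x{hr & 0xFFFFFFFF:08x}")
        try:
            result = ctypes.c_int()
            hr = amsi.AmsiScanString(ctx, content, content_name, session, ctypes.byref(result))
            if hr != 0:
                raise OSError(f"AmsiScanString failed: 0x{hr & 0xFFFFFFFF:08x}")
            return result.value
        finally:
            amsi.AmsiCloseSession(ctx, session)
    finally:
        amsi.AmsiUninitialize(ctx)


def run_like_a_host(encoded, scanner=scan_content):
    """Decode, scan the clear text, refuse if the provider says malware.
    'scanner' defaults to the real AMSI call; tests pass a stand-in."""
    script = decode_encoded_command(encoded)
    if result_is_malware(scanner(script, "encoded-command")):
        raise PermissionError("blocked by AMSI provider")
    return script   # a real host would now execute it


if __name__ == "__main__":
    # Microsoft's documented AMSI test string, assembled at run time so that the
    # file itself is not flagged while sitting on disk.
    sample = "AMSI Test Sample: 7e72c3ce-861b-" + "4339-8740-0ac1484c1386"
    r = scan_content(sample, "demo")
    print(r, "malware" if result_is_malware(r) else "clean")
```

With no provider registered the scan returns `AMSI_RESULT_NOT_DETECTED`, so a host must treat "not detected" as "nobody looked", not as "clean".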
Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His area of interest includes penetration testing, attack research, defence strategies and post exploitation research. He has 8+ years of experience in Penetration Testing for his clients, which include many global corporate giants. He is also a member of the Red teams of selected clients.
He specializes in assessing security risks at secure environments which require novel attack vectors and an "out of the box" approach. He has worked extensively on using Human Interface Device in Penetration Tests and PowerShell for post exploitation. Nikhil is the creator of Kautilya, a toolkit which makes it easy to use HIDs in penetration tests and of Nishang, a post exploitation framework in PowerShell. In his spare time, he researches on new attack methodologies and updates his tools and frameworks.
He has spoken at conferences like Defcon, BlackHat, CanSecWest, DeepSec and more.
He blogs on http://www.labofapenetrationtester.com/
CSP Is Dead, Long Live Strict CSP!
Content Security Policy (CSP) is a defense-in-depth mechanism to restrict the resources that can be loaded, embedded and executed in a web application, significantly reducing the risk and impact of injections. It is supported by most modern browsers and is already at its third iteration, yet adoption on the web is still struggling.
In this presentation I'll highlight the major roadblocks that make CSP deployment difficult and the common mistakes, and talk about how we automatically bypassed the CSP of more than 95% of ~1.6 million domains. I'll show how easy it is to defeat the whitelist-based model with some juicy bypasses, for example via JSONP endpoints on whitelisted hosts, or by abusing a whitelisted CDN to load outdated versions of AngularJS.
Finally, I'll present a radically new way of doing CSP that is simpler, easier to maintain and more secure, based on nonces and making use of a new feature we contributed to CSP3.
We hope that after attending this talk you will understand how tricky it can be to deploy an effective CSP policy and which common mistakes to avoid; as an attacker, you will get resources and pointers on how well CSP is keeping up with modern web technologies, and how to break it.
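As an added example (not the speaker's code), here is the nonce-based policy the abstract argues for next to the host-whitelist policy it replaces, together with the per-response flow that makes it work. It assumes the CSP3 feature the abstract refers to is the `'strict-dynamic'` source expression; the hostnames, template and injected markup are illustrative.

```python
"""Added example: strict, nonce-based CSP beside the whitelist it replaces.
Not code from the talk."""
import base64
import re
import secrets

# Whitelist model: every script served from these hosts may run. If any host
# exposes a JSONP endpoint or an old AngularJS build, the policy is bypassable
# without touching the application itself.
WHITELIST_CSP = ("script-src 'self' https://ajax.googleapis.com https://cdn.example.net; "
                 "object-src 'none'")

# The application's own page, with the nonce in the script tags it emits.
TEMPLATE = """<html><head>
<script nonce="{nonce}" src="/static/app.js"></script>
<script nonce="{nonce}">app.init();</script>
</head><body><div id="comment">{content}</div></body></html>"""


def generate_nonce(nbytes=16):
    """A fresh, unguessable nonce for every response. A nonce reused across
    responses, or derived from something predictable, is as good as none."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def build_strict_csp(nonce, report_uri=""):
    """Only scripts carrying this nonce run; with 'strict-dynamic', scripts that
    those scripts load at run time are trusted too, so no host whitelist is
    needed. 'unsafe-inline' and the scheme sources are fallbacks for old
    browsers and are ignored by browsers that understand nonces and
    'strict-dynamic' respectively."""
    directives = [
        f"script-src 'nonce-{nonce}' 'strict-dynamic' 'unsafe-inline' https: http:",
        "object-src 'none'",
        "base-uri 'none'",
    ]
    if report_uri:
        directives.append(f"report-uri {report_uri}")
    return "; ".join(directives)


def render_response(template, untrusted_content):
    """Choose the nonce, stamp the application's own tags, and only then insert
    the untrusted part (left unescaped on purpose: CSP is the second line)."""
    nonce = generate_nonce()
    page = template.replace("{nonce}", nonce)
    page = page.replace("{content}", untrusted_content)
    return {"Content-Security-Policy": build_strict_csp(nonce)}, page


_SCRIPT_OPEN = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
_NONCE_ATTR = re.compile(r"""\bnonce=["']([^"']*)["']""")


def scripts_that_run(page, policy):
    """Static check of the nonce rule only: the opening <script> tags a
    nonce-aware browser would execute under `policy`."""
    nonce = re.search(r"'nonce-([^']+)'", policy).group(1)
    allowed = []
    for m in _SCRIPT_OPEN.finditer(page):
        attr = _NONCE_ATTR.search(m.group(1))
        if attr and attr.group(1) == nonce:
            allowed.append(m.group(0))
    return allowed


if __name__ == "__main__":
    injected = '<script>alert(1)</script><script nonce="{nonce}">alert(2)</script>'
    headers, page = render_response(TEMPLATE, injected)
    print(headers["Content-Security-Policy"])
    print(scripts_that_run(page, headers["Content-Security-Policy"]))
```

Note the order in `render_response`: the nonce is substituted before untrusted content is inserted, so an attacker who writes a literal `{nonce}` into a comment gets the placeholder text, not the value.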
Lukas Weichselbaum is an Information Security Engineer at Google. He’s currently working, among other stuff, on researching security enhancements and mitigations for web applications. Lukas graduated from Vienna University of Technology in Austria where he worked on dynamic analysis of Android malware. He also founded Andrubis – one of the very first large scale malware analysis platforms for Android applications.
802.11 Complexity. An Introduction to 802.11 Protocol Chaos
Over the last few years, use of the IEEE 802.11 wireless standard has become massive. Wireless devices are everywhere, from your smartphone to the printer in your office. As a matter of fact, connected devices of all kinds have proliferated at an incredible rate.
The IEEE 802.11 standard has many versions and third-party extensions bringing new features that add complexity to the protocol. This complexity makes platform implementations and drivers more intricate, opening opportunities for attackers.
This presentation will show how attackers could use these features to fingerprint devices, abuse bad implementations to access devices with no credentials and how researchers could analyze 802.11 implementations on platforms such as Android and iOS for bug hunting.
Andrés Blanco is an independent researcher. His interests and expertise include network security, hardware, reverse engineering and privacy. He has presented at Defcon, Black Hat USA Arsenal, Hack.lu and Ekoparty.
Behavioral Analysis from DNS and Network Traffic
Multiple methods exist for detecting malicious activity in a network, including intrusion detection, anti-virus and log analysis. But the majority of these use signatures, looking for already known events, and they typically require some level of human intervention and maintenance.
Using behavioral analysis, however, it's possible to observe and baseline the average behavior on a network, enabling intelligent notification of anomalous activity. This talk will demonstrate methods of performing this analysis in any environment. Attendees will learn new methods which they can apply to further monitor and secure their networks.
Josh is a security researcher with OpenDNS. Previously, he worked as a threat analyst with NASA, where he was part of the team that initially built out the Security Operations Center. He has also done some time at Mandiant.
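The baseline-then-deviate idea above, as an added example that is not OpenDNS's or the speaker's code: a per-client profile is learned from one hour of DNS query logs and a later ten-minute window is checked against it. The log lines are constructed, the `timestamp client qname qtype` layout is an assumption, and so are the three detectors and their thresholds (query rate, never-seen registered domains, high-entropy first labels).

```python
"""Added example: baseline DNS behaviour per client, then flag deviations.
Not code from the talk; log data is constructed."""
import math
from collections import Counter, defaultdict

# Constructed one-hour baseline of normal activity for two clients.
BASELINE_LOG = """\
2016-11-10T08:00:05 10.0.0.5 www.example.com A
2016-11-10T08:04:10 10.0.0.5 cdn.example.net A
2016-11-10T08:09:31 10.0.0.5 updates.vendor-example.org A
2016-11-10T08:15:02 10.0.0.5 www.example.com AAAA
2016-11-10T08:20:44 10.0.0.5 cdn.example.net A
2016-11-10T08:25:13 10.0.0.5 mail.example.com MX
2016-11-10T08:30:07 10.0.0.5 www.example.com A
2016-11-10T08:35:55 10.0.0.5 updates.vendor-example.org A
2016-11-10T08:40:21 10.0.0.5 cdn.example.net A
2016-11-10T08:45:09 10.0.0.5 www.example.com A
2016-11-10T08:50:38 10.0.0.5 mail.example.com A
2016-11-10T08:58:12 10.0.0.5 cdn.example.net A
2016-11-10T08:02:17 10.0.0.7 mail.example.com A
2016-11-10T08:12:49 10.0.0.7 www.example.com A
2016-11-10T08:22:03 10.0.0.7 time.example.net A
2016-11-10T08:33:28 10.0.0.7 sso.example.com A
2016-11-10T08:44:16 10.0.0.7 wpad.example.com A
2016-11-10T08:55:40 10.0.0.7 www.example.com A
"""

# Constructed ten-minute window: 10.0.0.5 behaves as before, 10.0.0.7 does not.
OBSERVED_LOG = """\
2016-11-10T09:01:12 10.0.0.5 www.example.com A
2016-11-10T09:06:48 10.0.0.5 cdn.example.net A
2016-11-10T09:00:03 10.0.0.7 x7qk2p9zr4lm.info A
2016-11-10T09:00:09 10.0.0.7 v3nt8ybq0wdf.biz A
2016-11-10T09:01:41 10.0.0.7 c5hjz1ekp6qa.info A
2016-11-10T09:03:22 10.0.0.7 r9muxw2pt4dk.org A
2016-11-10T09:05:57 10.0.0.7 s1gqb7ylxz3n.net A
2016-11-10T09:08:30 10.0.0.7 k4dpfj8wqm2t.biz A
"""


def parse(log):
    """One record per line: (timestamp, client, qname, qtype)."""
    records = []
    for line in log.splitlines():
        if line.strip():
            ts, client, qname, qtype = line.split()
            records.append((ts, client, qname.lower().rstrip("."), qtype))
    return records


def registered_domain(qname):
    """Crude eTLD+1 (last two labels); use a public-suffix list in production."""
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def build_baseline(records, window_minutes):
    """Per client: registered domains seen and mean query rate per minute."""
    profile = defaultdict(lambda: {"domains": set(), "queries": 0})
    for _, client, qname, _ in records:
        profile[client]["domains"].add(registered_domain(qname))
        profile[client]["queries"] += 1
    for p in profile.values():
        p["rate"] = p["queries"] / window_minutes
    return dict(profile)


def detect(records, baseline, window_minutes, rate_factor=3.0,
           new_domain_min=3, dga_len=10, dga_entropy=3.5):
    """Return (client, kind, detail) alerts for deviations from the baseline."""
    by_client = defaultdict(list)
    for rec in records:
        by_client[rec[1]].append(rec)
    alerts = []
    for client, recs in sorted(by_client.items()):
        prof = baseline.get(client)
        if prof is None:                       # never seen in the baseline at all
            alerts.append((client, "new_client", f"{len(recs)} queries, no baseline"))
            prof = {"domains": set(), "rate": 0.0}
        rate = len(recs) / window_minutes
        if prof["rate"] and rate > rate_factor * prof["rate"]:
            alerts.append((client, "rate", f"{rate:.2f}/min vs baseline {prof['rate']:.2f}/min"))
        new = {registered_domain(q) for _, _, q, _ in recs} - prof["domains"]
        if len(new) >= new_domain_min:         # a burst of never-seen domains
            alerts.append((client, "new_domains", ", ".join(sorted(new))))
        dga = [q for _, _, q, _ in recs if len(q.split(".")[0]) >= dga_len
               and shannon_entropy(q.split(".")[0]) >= dga_entropy]
        if dga:                                # long, high-entropy labels: DGA-like
            alerts.append((client, "dga_like", ", ".join(dga)))
    return alerts


def run_example():
    baseline = build_baseline(parse(BASELINE_LOG), window_minutes=60)
    return detect(parse(OBSERVED_LOG), baseline, window_minutes=10)


if __name__ == "__main__":
    for alert in run_example():
        print(*alert, sep="  ")
```

The baseline must be rebuilt on a schedule, and from data you believe is clean: a client that was already compromised during the learning window gets its beaconing enrolled as "normal".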
His professional interests involve network, computer and data security with a goal of maintaining and improving the security of as many systems and networks as possible.
Josh hosts a podcast looking at the most notable topics in security. It's called Root Access.
Productivity and Security Tips for SSH
Tips and tricks for a more efficient and more secure usage of ssh(d). We will touch on config file options, crypto settings, two-factor authentication, ProxyCommands with bastion hosts, server key rotation and much more.
SSH (Secure Shell) is a must-have tool for remotely connecting to servers for administrative purposes or file copying. Most users only use a tiny subset of the features modern OpenSSH versions offer, so we will try to demonstrate some of the more "obscure" but often very handy options you may not have looked into yet.
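As an added example that is not the speakers' material, the following client config and sshd excerpt touch each topic listed above (bastion via ProxyJump, restricted crypto, server key rotation, multiplexing, and key-plus-OTP as the second factor). Hostnames, user names and key paths are placeholders; the OpenSSH version notes are given where an option is recent.

```sshconfig
# --- ~/.ssh/config (client) ---------------------------------------------
# Internal hosts are reached through a bastion. With ProxyJump (OpenSSH 7.3+)
# the connection is tunnelled end to end, so the bastion never sees the
# private key or the session contents. Older clients:
#   ProxyCommand ssh -W %h:%p bastion
Host bastion
    HostName bastion.example.com
    User alice
    IdentityFile ~/.ssh/id_ed25519_bastion
    IdentitiesOnly yes

Host *.internal.example.com
    ProxyJump bastion
    User alice
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes

Host *
    # Crypto: name the modern algorithms explicitly so nothing legacy is
    # negotiated even if the server still offers it.
    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
    HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,ssh-rsa-cert-v01@openssh.com,ssh-rsa
    # Server key rotation: learn the new host keys a server announces
    # (hostkeys@openssh.com extension, OpenSSH 6.8+) while the old one is
    # still trusted, instead of a "host key changed" scare later.
    UpdateHostKeys yes
    HashKnownHosts yes
    StrictHostKeyChecking ask
    # Multiplexing: one authenticated TCP session reused by later ssh/scp/git.
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p
    ControlPersist 10m
    # Load keys into the agent on first use (OpenSSH 7.2+).
    AddKeysToAgent yes
    ServerAliveInterval 30

# --- /etc/ssh/sshd_config (server excerpt) ------------------------------
# Two-factor: a public key AND a one-time code from a PAM module.
# Restart sshd and keep a session open while testing this.
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
```

`ssh -G host` prints the effective client configuration after all `Host` blocks are applied, which is the quickest way to confirm that the `Host *` defaults did not silently override a more specific block (the first matching value wins in ssh_config).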
The “Waldorf and Statler” of system administration.
We'll give you a more palatable bio once we came up with one.
Smart Sheriff, Dumb Idea: The Wild West of Government Assisted Parenting
Would you want to let your kids discover the darker corners of the internet without protection? Wouldn't it be handy to know what they do online, to be alerted when they search for dangerous keywords and to be able to control what websites they can visit and even when they play games?
Worry no longer, the South Korean government has got you covered. Simply install the "Smart Sheriff" app on your and your kids' phones. Smart Sheriff is the first parental-control mobile app to have been made a legally required, obligatory install in an entire country! Yay, monitoring!
Well, something shady yet mandatory like this cannot come about without an external pentest. And even better, one that wasn't solicited by the maintainer but initiated by the OTF and CitizenLab and executed by the Cure53 team! In this talk, two of the Cure53 testers involved in the first and, who would have guessed, second penetration test against the "Smart Sheriff" app will share their findings. Maybe everything went all right, maybe the million kids forced to have this app run on their devices are safe. Maybe. But if so, would there be a talk about it?
We all know, mandated surveillance apps to protect children are a great idea, and outsourcing to the lowest bidder, always delivers the best results. Right?
Going over the first and second pentest results, we will share our impressions about the "security" of this ecosystem and show examples of the "comprehensive" vendor response, which addressed "all" the findings impeccably. This talk is a great example of how security research concerning a serious political decision and mandatory measures might achieve nothing at all, or of how a simple pentest together with excellent activist work may spark a political discussion and more.
Abraham was an honors student in Information Security at university. His work experience from 2000 until 2007 was mostly defensive: fixing vulnerabilities, source code reviews and, later on, trying to prevent vulnerabilities at the design level as an application and framework architect. From 2007 onwards Abraham focused more on the offensive side of security, with a special focus on web app security.
He is a senior member of the Cure53 team, and a senior consultant for Version 1 - the top IT consultancy in Ireland. Abraham is also the creator of “Practical Web Defense” - a hands-on eLearnSecurity attack and defense course, as well as an OWASP OWTF project leader. He sometimes writes on http://7-a.org or twitter as @7a_ and @owtfp.
Abraham holds a Major degree and a Diploma in Computer Science apart from a number of information security certifications: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+.
As a shell scripting fan trained by unix dinosaurs Abraham wears a proud manly beard.
Previous presentations and some recordings can be found here:
Protecting Against Tomorrow's Adversaries - Post-Quantum Cryptography
Quantum computers could endanger almost all cryptosystems in use today. While it is unclear whether large-scale quantum computers will ever be built, some researchers expect them within the next 10 or 15 years.
Post-quantum cryptography investigates new cryptographic mechanisms that can protect communication from quantum computer attacks. While some algorithms exist that can provide this protection, they suffer from either being impractical or being too new to be trustworthy. However, the field is getting a lot of attention lately, and Google has started using a post-quantum algorithm for some TLS connections.
Hanno Böck is a freelance journalist and hacker who is trying to make the Internet safer.
Social Engineering The Most Underestimated APT – Hacking the Human Operating System
The content I am going to share is brand new and has been developed over the past years, based on my and my colleague's experience as international consultants (Big 4, KPMG, Deloitte, Australia, China, Switzerland, Singapore, Malaysia, etc.), and has not been presented anywhere else. At this conference I will share the results of this work for the first time, publicly and exclusively. Just recently we decided to open source our knowledge by sharing the content of our Social Engineering Engagement Framework (SEEF). It offers a brand new point of view:
Until now, most social engineering frameworks have been based on technical tools and rarely focused on the business and risk side of social engineering. On a corporate level there was no methodology making social engineering engagements plannable and secure, and their results comparable and repeatable.
Most social engineering definitions are technically focused, while we define social engineering simply as “the elicitation of information from systems, networks or human beings through methods and tools”.
For this presentation I selected elements from the framework in order to show the audience how to successfully plan, document and execute a professional social engineering engagement (attack).
As a successful participant in the recent Social Engineering Capture the Flag (SECTF) competition at Defcon 22, I have a lot of experience I'd like to share with the audience, and lots of stories to tell.
Dominique C. Brack is a recognized expert in information security, including identity theft, social media exposure, data breach, cyber security, human manipulation and online reputation management. He is a highly qualified, top-performing professional with outstanding experience and achievements within key IT security, risk and project management roles confirming expertise in delivering innovative, customer-responsive projects and services in highly sensitive environments on an international scale. Mr. Brack is accessible, real, professional, and provides topical, timely and cutting edge information. Dominique’s direct and to-the-point tone of voice can be counted on to capture attention, and – most importantly - inspire and empower action.
Where Should I Host My Malware?
Malicious actors always try to abuse badly configured devices, since this is the "cheapest" solution. Day by day, more and more home devices get linked to the internet (IoT), such as feature-rich routers and NAS systems, providing their users, and maybe some others, with data-sharing services.
Recently we found interesting threats which use FTP services to spread. Most users trust their own devices and the files on them. They don't think that their systems could host malware inside their private network, just because default settings and handy automatic services like UPnP are used. Typically, users do not even know that they are running services like FTP, and especially not that this protocol has a built-in anonymous account.
In other cases, malicious actors just put server-side scripts into the shared folder, hoping that the FTP folder and the web root folder are the same, and so infect the system in this very easy way. Very often they succeed.
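The two mechanisms above (the built-in anonymous account, and a share that doubles as web root) are what a scan of this kind has to test for. As an added example, not the speaker's ScanR framework, here is a minimal anonymous-FTP probe in Python's standard library plus a triage of the root listing for server-side scripts; host and port are whatever you are authorised to test, the suffix list is an assumption, and the listing in the test is constructed.

```python
"""Added example: anonymous-FTP probe and root-listing triage. Not the
speaker's code; only run it against hosts you are allowed to test."""
import ftplib

# Inert in a plain file share, but executed by the web server if the FTP root
# is also the web root, which is the case the talk describes.
SCRIPT_SUFFIXES = (".php", ".phtml", ".php5", ".asp", ".aspx", ".jsp", ".cgi", ".pl")


def probe_anonymous(host, port=21, timeout=5.0):
    """Try the protocol's built-in anonymous account.
    Returns (accepted, banner, root_listing)."""
    ftp = ftplib.FTP()
    try:
        banner = ftp.connect(host, port, timeout=timeout)
    except ftplib.all_errors:            # refused, unreachable, timeout, not FTP
        return False, "", []
    try:
        ftp.login()                      # ftplib default: user "anonymous", password "anonymous@"
        try:
            listing = ftp.nlst()
        except ftplib.error_perm:        # some servers answer 550 for an empty directory
            listing = []
        return True, banner, listing
    except ftplib.all_errors:            # 530 "login incorrect" and friends
        return False, banner, []
    finally:
        try:
            ftp.quit()
        except ftplib.all_errors:
            pass


def triage_listing(listing):
    """Names in the FTP root that look like server-side scripts."""
    return sorted(name for name in listing if name.lower().endswith(SCRIPT_SUFFIXES))


def assess(host, port=21):
    """One verdict dict per host, ready to be collected by a larger scan."""
    accepted, banner, listing = probe_anonymous(host, port)
    return {"host": host, "anonymous": accepted, "banner": banner,
            "scripts": triage_listing(listing) if accepted else []}


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(assess(target))
```

The banner is worth keeping: it is usually the quickest way to attribute a result to a particular router or NAS firmware when the statistics are compiled later. Whether the share is also writable is a separate, more intrusive test and is deliberately not attempted here.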
So, what is the current state of the (open) FTP services overall?
Recently I developed a very flexible testing framework (called ScanR) to be able to answer this question:
We tested 3 million IP addresses that exposed FTP services, to get a clear picture of the state of these services and the devices behind them. The results are quite shocking in some aspects, and worse than we expected.
In this lecture I will present the details of this test, where the initial data and IP addresses came from, what the test system looked like, and especially the threats and hacking activities we found.
As a teaser here are some of the results:
• more than 200,000 IP addresses can be accessed via anonymous access (this means a huge amount of private data could possibly be accessed by anyone on earth),
• more than 7,000 FTP services provide access for anonymous users,
• and here's the worst result: more than 90% of FTP services are infected with at least one threat.
In the lecture I will share the details and technical analysis of the threats we found as well as the statistical data. After this presentation you will have a world-wide view of what a network service can look like if you leave it unlocked.
What can we gain from our findings?
• I will present our findings in detail about the current state of "things", and how scary it is for home user devices and even for professional network devices.
• In this presentation, we will inform you about the threats which are currently active and how malicious actors can (ab)use these services to infect user devices.
Technical level of the topic
Both the core professionals and the average IT user will be able to enjoy this talk: the tricky parts will be explained in detail, the more easily understood aspects just summarized.
Attila Marosi has been working in the information security field since he started in IT. As a lieutenant on active duty he worked for almost a decade on special information security tasks within the Special Service for National Security. Later he was transferred to the newly established GovCERT-Hungary, which is an additional national level in the internationally known system of CERT offices. Now he works for SophosLabs as a Senior Threat Researcher in the Emerging Threats Team, providing novel solutions to the newest threats.
Attila has several international certificates such as CEH, ECSA, OSCP, OSCE. During his free time he is reading trade journals and does some teaching on different levels; on the top level he teaches white hat hackers. He has given talks at many security conferences including hack.lu, DeepSEC, AusCERT, Hacktivity, Troopers, HackerHalted and NullCon.
Assessing the Hacking Capabilities of Institutional and Non-institutional Players
Cyberwar, cyberterror and cybercrime have been buzzwords for several years now. Despite the problem of finding useful definitions for modern IT security threats, and all the circlejerking bullshit bingo going on, we have to think about the assessment of capabilities in the IT field.
Besides institutional actors like states and their military and intelligence communities, we also have to assess the capabilities of non-institutional actors like terrorist groups or organised crime.
However, unlike the assessment of classic military strength, assessing the capabilities and powers of actors in the IT field is much more complicated and complex.
In this talk I will introduce the first tools, methods and statistics to compare hacking capabilities and assess the »cyber fighting power« of different actors.
Stefan Schumacher is the president of the Magdeburg Institute for Security Research and editor of the Magdeburg Journal for Security Research in Magdeburg/Germany. He started his hacking career before the fall of the Berlin Wall, on a small East German computer with 1.75 MHz and a Datasette drive. Ever since he has liked to explore technical and social systems, with a focus on security and how to exploit them. He was a NetBSD developer for some years and involved in several other Open Source projects and events. He studied Educational Science and Psychology and has done a lot of unique research about the Psychology of Security, with a focus on Social Engineering, User Training and the Didactics of Security/Cryptography. Currently he is leading the research project Psychology of Security, focusing on fundamental qualitative and quantitative research about the perception and construction of security.
He presents the results of his research regularly at international conferences like AusCert Australia, Chaos Communication Congress, Chaos Communication Camp, DeepSec Vienna, DeepIntel Salzburg, Positive Hack Days Moscow or LinuxDays Luxembourg, and in security-related journals and books.
COVER YOUR SAAS: Protecting Your Cloud With Analytics and Machine Learning
The more intelligence you have, the greater the chance you can find your bad guy. Having spent many years working in military intelligence and law enforcement, Ian Trump, global security lead for SolarWinds MSP, will welcome you to a new world of cyber security, where machine learning and big data solutions can help you find bad guys to protect your business from harm, although justice may be elusive. Just as thousands of troops close to a country's border are disconcerting to its citizens and national leaders, identifying hostile actors inside a network is equally so. How do machine learning and big data combine to provide awareness of the threats and intentions of a hostile cyber actor? Ian will reveal how SolarWinds MSP capabilities are advancing security where it really counts, in the small and medium enterprises which are on the front line of cyber crime. Sharing his knowledge of Advanced Persistent Threats, cyber criminal and foreign intelligence service capabilities, Ian will talk about how SolarWinds MSP is working with partners world-wide to save the internet from the bad guys through machine learning and big data analysis.
Ian Trump, CD, CEH, CPM, BA is an ITIL-certified IT consultant with 20 years of experience in IT security and information technology. From 1989 to 1992, Ian served with the Canadian Forces (CF), Military Intelligence Branch; in 2002, he joined the CF Military Police Reserves and retired as a Public Affairs Officer in 2013. Ian previously managed IT projects at the Canadian Museum of Human Rights and is currently Global Security Lead at SolarWinds MSP, working across the business to define, create and execute security solutions and promote a safe, secure Internet for Small & Medium Businesses world-wide.
Abusing LUKS to Hack the System
Most attacks are carried out remotely over the network. Local attacks are less "useful", and so this is a less explored area. On the other hand, local exploitation is the typical Hollywood movie scene: the hacker face to face with the target system (and a keyboard in between).
In this presentation we will show in action the well known principle that "complexity is the enemy of security". It is very easy to make mistakes when adding new functionality to existing systems.
Do you remember the GRUB "28 backspaces" bug? After we found that bug, we reviewed the rest of the Linux boot sequence...
Ismael Ripoll received his PhD in computer science from the Universitat Politecnica de Valencia in 1996, where he is a professor of several cybersecurity subjects in the Department of Computer Engineering. Before working on security, he participated in multiple research projects related to hypervisor solutions for European spacecraft, dynamic memory allocation algorithms, Real-Time Linux, and hard real-time scheduling theory. Currently, he is applying all this background to the security field. His current research interests include memory error defense/attack techniques (SSP and ASLR) and software diversification. Ismael Ripoll is a cybersecurity researcher in the UPV Cybersecurity group.
Hector Marco-Gisbert received his Ph.D. degree in computer science (cybersecurity) in 2015. Initially, he participated in several research projects whose main goal was to develop a hypervisor for the next generation of spacecraft for the ESA (European Space Agency). He contributed to extending the scope of the projects to include security aspects using the MILS (Multiple Independent Levels of Security/Safety) architecture. Currently, Hector Marco is a lecturer in Cyber Security and Virtualisation at the University of the West of Scotland. His research aims to identify and thwart critical security threats, focusing on server and smartphone platforms. His interests include the study and design of new low-level attacks and protection mechanisms. He revisited mature and well-known techniques such as SSP (Stack Smashing Protection) and ASLR (Address Space Layout Randomization), and was able to make substantial contributions like RenewSSP and ASLR-NG. He has also received awards and recognitions from Google and Packet Storm Security for his security contributions to the Linux kernel.