Transport Layer Security (TLS) is the most important cryptographic protocol on the Internet. It is responsible for securing connections between browsers and web servers, or between web services peers. However, recent TLS history is full of new attacks, which makes it difficult do deploy applications securely.

In this training, we give an overview of the most important TLS attacks, and show how to detect these attacks with different tools. Afterwards, we present best practices to establish secure TLS connections.

Contents
Short intro into crypto
Internet protocol suite
TLS protocol
Certificates
TLS attacks
TLS implementations
Secure TLS configuration
Security evaluation with specific tools

Training attendees
The training is dedicated to server administrators as well as penetration testers.
There are no specific prerequisites for this course. However, basic knowledge of server administration or basic crypto knowledge would be of advantage.

Requirements
A laptop with a recent version of Virtual Box

The current state of updating software – be it operating systems, applications or appliances - is arguably much better than it was a decade ago, but apparently not nearly good enough to keep even the most critical systems patched in a timely manner – or at all. Official vendor updates are cumbersome, costly to apply, even more costly to revert and prone to breaking things as they replace entire chunks of a product. Enterprises are therefore left with extensive and expensive testing of such updates before they dare to apply them in production, which gives attackers an endless supply of “n-day” vulnerabilities with published exploit code.

Furthermore, for various entirely rational reasons, many organizations are using products with no security updates such as old Java runtimes, Windows XP, or expensive industry systems that still work perfectly well but are not supported any more by their vendor.

Fortunately, there is a better way to approach vulnerability patching, one that not just minimizes the risk, hassle and costs, but also allows 3rd parties with no access to source code to write a patch. It’s called micropatching and it injects or replaces tiny fractions of machine code within the memory of a running process to patch a vulnerability. (Or, why not, a functional defect in your unsupported application.)

This two-day workshop will teach you how to create a 3rd party “unofficial” micropatch for various known vulnerabilities in popular Windows software. We will start with a proof-of-concept document that triggers a vulnerability, determine the type of vulnerability (buffer overflow, use-after-free, format string…), find its root cause, and finally create a micropatch for it, which we’ll apply using the 0patch Agent.

You will learn how to approach patching of different types of security flaws, how to find a suitable patching location, and how to test a micropatch.

Attendees should have experience with reading assembly language (ideally also reverse engineering) and have their own Windows laptops with the following software installed:
- Microsoft WinDbg 32bit version x.y.z (to be defined before the workshop)
- Adobe Reader DC version x.y.z (to be defined before the workshop)
- Foxit Reader version x.y.z (to be defined before the workshop)
- 0patch Agent for Windows version x.y.z (to be defined before the workshop)
- 0patch Factory version x.y.z (to be defined before the workshop)

But also do come if you happen to have a nasty functional defect in your expensive custom application that would cost you an arm and leg to update.

This workshop is suitable for security researchers, who will learn how to write micropatches for vulnerabilities they find, as well as for software vendors, who want to avoid the costly process of rebuilding, retesting and redeploying their product every time someone finds a vulnerability in it that could be fixed with a few machine instructions.

Have you ever thought of hacking web applications for fun and profit? How about playing with authentic, award-winning security bugs identified in some of the greatest companies? If that sounds interesting, join this two-day hands-on training!

I will discuss security bugs that I have found together with Michal Bentkowski in a number of bug bounty programs (including Google, Yahoo, Mozilla, Twitter and others). You will learn how bug hunters think and how to hunt for security bugs effectively.

To be successful in bug hunting, you need to go beyond automated scanners. If you are not afraid of going into detail and doing manual/semi-automated analysis, then this hands-on training is for you.

After completing this training, you will have learned about:

– tools/techniques for effective hacking of web applications
– non-standard XSS, SQLi, CSRF
– RCE via serialization/deserialization
– bypassing password verification
– remote cookie tampering
– tricky user impersonation
– serious information leaks
– browser/environment dependent attacks
– XXE attack
– insecure cookie processing
– session related vulnerabilities
– mixed content vulnerability
– SSL strip attack
– path traversal
– response splitting
– bypassing authorization
– file upload vulnerabilities
– caching problems
– clickjacking attacks
– logical flaws
– and more…

This hands-on training was attended by security specialists from Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips and the government sector and it was very well-received. Recommendations can be found here (https://silesiasecuritylab.com/services/training/#opinions).

WHAT STUDENTS WILL RECEIVE

Students will be handed out a VMware image with a specially prepared testing environment to play with bugs. What’s more, this environment is self-contained and when the training is over, students can take it home (after signing a non-disclosure agreement) to hack again at their own pace.

WHAT STUDENTS SHOULD KNOW

To get the most out of this training basic knowledge of web application security is needed. Students should have some experience in using a proxy, such as Burp, or similar proxies, to analyze or modify the traffic.

WHAT STUDENTS SHOULD BRING

Students will need a laptop with a 64-bit operating system, at least 4 GB RAM (8 GB preferred), 35 GB free hard drive space, USB port (2.0 or 3.0), wireless network adapter, administrative access, ability to turn off AV/firewall and VMware Player installed (64-bit version). Prior to the training, make sure there are no problems with running 64-bit VMs (BIOS settings changes may be needed).

WHO SHOULD ATTEND

Pentesters, bug hunters, security researchers/consultants

The workshop consists of several modules:

1. Linux embedded
Linux embedded is probably the most popular OS, especially in SOHO equipment, like routers, cameras, smart plugs, alarms, bulbs, home automation, and even wireless rifles. Based on several examples, you will learn about the most common flaws (auth bypass, command injection, path traversal, backdoor services...). We will open a wireless doorlock remotely, hack cameras, and take control over other devices.

2. Bluetooth Low Energy
One of the most sought after IoT technologies. Learn how it works, about risks and possible attacks.
Using a new BLE MITM proxy tool developed by the author, we will hack various devices: smart doorlocks, mobile Point of Sale, authentication tokens, beacons, anti-thief protection and others.

3. KNX home automation
Learn how to take control over the most common home automation system: EIB/KNX.
Following the introduction on the system basics, we will hack the provided demo installation, abusing common misconfiguration weaknesses - similarly a luxury hotel in China was hacked few years back.

SYLLABUS:

1.)LINUX EMBEDDED
Theory introduction
Embedded devices - popular architectures, OS-s systems
Device supply chain and why it is difficult to maintain security - BSP, ODM, OEM, SDK...
Linux embedded and its flavours, not only in SOHO devices
One binary to rule them all
Firmware images
Tools
Firmware analysis - binwalk & co
Scanning, sniffing - nmap, wireshark...
Exploiting known vulns: metasploit, routersploit
Default credentials lists, hydra, john...
Web interface attacking - Burp Proxy
Practical exercises
Identifying serial port and connecting to device's boot
Analyze firmware images
Locate hidden URLs
Authentication bypass - open wireless doorlock
Excessive services, debug interfaces
Cracking hardcoded telnet root password
Abusing backdoors
RCE - get remote shell in a router
Attack proprietary remote access protocol
Analysis of Mirai botnet and example affected devices

2.)BLUETOOTH SMART
Theory introduction
What is Bluetooth Smart/Low Energy/4.0, how it is different from previous Bluetooth versions?
Usage scenarios, prevalence in IoT devices
Protocol basics
Advertisements, connections
Central vs peripheral device
GATT - services, characteristics, descriptors, handles
Security features - pairing/encryption, whitelisting, MAC randomization
Security in practice: own crypto in application layer
Tools and hardware
Reversing communication - mobile application analysis
BlueZ command-line tools
Sniffing soft- & hardware - ubertooth, adafruit, bluehydra...
What can you do with just BT4 USB dongle?
Analysis - hcidump, Android btsnoop log, BLE-replay
BLE MITM - GATTacker, BtleJuice
MAC address cloning
Tips & tricks for MITM attacks
Other tools, PoCs, research...
Practical exercises
BLE beacons spoofing - get rewards & free beer
Abuse proximity autounlock of a padlock
Inject arbitrary commands into car unlocking device communication protocol
Spoof encrypted status of a smart doorlock and home automation devices
Intercept indication of "one-time-password" hardware token and authenticate to a bank
Hijack a mobile Point-of-Sale display
Abuse excessive services (e.g. module's default AT-command interface)
Intercept static authentication password of a padlock
Abusing flaws of custom challenge-response authentication
PRNG weaknesses
Attacking encrypted (bonded) connections
A glimpse at a source code - why the vulnerabilities appear?
Troubleshooting and debugging
Takeaway - hackmelock (mobile application + simulated device) to practice BLE hacking at home

3.)EIB/KNX
Theory introduction
Home automation standards review - wired, wireless
KNX/EIB - history, protocol basics
Group address, device address
Typical topology
KNX/IP gateways
Tools
ETS configuration suite
KNXd (former eibd) and command-line tools
knxmap
nmap scripts
Practical exercises
Scanning for KNX-IP gateway from local network
Detecting publicly exposed gateways
Monitor mode - sniffing
Reading/writing
Brute-force addresses
KNX security features
Device authentication keys
KNX Secure

BONUS TRACK (possible to do at home):
Reversing binary protocol and hijacking communication of mobile application controlling HVAC system.

This is an exercise-driven training course that uses detailed tutorials to guide the attendee through all the steps necessary to exploit a real iOS application, and in the process, provide an understanding of the modern attacker's mind-set and capabilities. This course will cover iOS hacking, from the basics of vulnerability hunting on the platform to advanced exploitation techniques. At its conclusion, the course will have imparted the information necessary to develop secure and robust applications.

This is a technical course suitable for those interested in mobile application security. The training does not require any prior security knowledge in order to benefit fully from the course, as the content covers all of the basics necessary to understand advanced concepts. However, a working knowledge of iOS is a prerequisite and it is recommended that attendees are familiar with the syntax and structure of an iOS application.

In addition, this workshop will use MWR's newly released tool "Needle" to identify and exploit common mobile application security flaws, over and above the OWASP Mobile Top Ten. Needle is an open source modular framework which aims to streamline the entire process of conducting security assessments of iOS applications, and acts as a central point from which to do so. Needle is intended to be useful not only for security professionals, but also for developers looking to secure their code. A few examples of testing areas covered by Needle include: data storage, inter-process communication, network communications, static code analysis, hooking and binary protections. 

Other take-aways will include how to develop secure mobile applications that can withstand advanced attacks, how hackers attack mobile applications and iOS devices, and the most up to date and effective secure coding practices.

Even if a device isn't essential, as practical examples will be delivered by the Instructors, we recommend you to bring your own jailbroken iOS device (running iOS >= 8.4) to fully enjoy the course, as these won't be provided.


SYLLABUS
* Analysing iOS Applications
- Overview of the iOS ecosystem
- iOS testing environment
- Analysing iOS Applications
- Objective-C overview

* iOS Security Model
- Secure boot chain
- Application code signing
- Application sandbox (Seatbelt profiles, Entitlements)
- Anti-exploitation mechanisms (ASLR, W^X, Canaries)

* Data Security
- Data-at-rest encryption
- Data protection API
- Storage types (Keychain, NSUserDefaults, other data storages)
- Caching (Application Backgrounding, Keyboard Caching, HTTP Response Caching)
- Keybags
- System Log
- Inter-Process Communication (IPC)

* Runtime and Binary Protections
- Understanding the security relevance of running an application in a jailbroken device
- Understanding the concept of Instrumentation
- Understanding how to protect applications with binary protections
- Binary protections: detection and bypass
- Other Security Controls (securing the Runtime, tamperproofing, anti-debugging protections)

* Transport Security
- Network Communications in iOS
- Different ways to man-in-the-middle iOS connections
- SSL/TLS- Intercepting communications (HTTP/S)
- TLS certificate pinning (and bypass)- Javascript to Objective-C bridging in UIWebView

WHO SHOULD TAKE THIS COURSE
* Security professionals who want to get a deeper understanding of the security implications of the iOS platform and of the techniques that can be used to perform security assessments of iOS applications
* Developers who want to write better (secure) code
* Anyone who wants to learn to use Needle proficiently


WHAT STUDENTS SHOULD BRING
* 1 jailbroken iOS device running iOS >= 8.0 (8.X preferred)
* 1 USB Lightning cable* Laptop running Linux or OSX (With 20 GB minimum free space)
* Virtualization software capable of running VMDKs (.ova)
* A text editor you are comfortable writing in (instructors recommend Sublime Text 2 or Vim)
* Setup instructions will be sent to the students prior to the class

From wireless fundamentals to physical access security, man-in-the-middle attacks and precision WiFi exploitation, this workshop builds the competence to effectively exploit a range of Hak5 developed penetration testing tools.

Learn directly from the developers of the WiFi Pineapple, USB Rubber Ducky and LAN Turtle to get the most from these leading penetration testing platforms. Lectures and hands-on exercises emphasize responsible best practices and integration with popular penetration testing workflows.

Provided in this class are a WiFi Pineapple NANO, LAN Turtle, USB Rubber Ducky along with ISO/VM and course material. Students must bring a notebook computer capable of booting a USB live Linux OS or Virtual Machine.

About the Tools:

The WiFi Pineapple is the gold standard rogue access point. Capable of mimicking any hot-spot, this honeypot is highly effective at auditing modern WiFi devices. Managed in person or remotely through a simple web interface, the operator is uniquely poised as a man-in-the-middle enabling intelligence gathering, host redirection, credential capturing and so much more.

The USB Rubber Ducky is the original Keystroke Injection Attack tool. Posing as a generic USB Drive it's a social engineer's best friend. The open source tool is easily programmed allowing it to deliver automated keystrokes capable of gathering intelligence, installing backdoors, exfiltrating data and more - all while bypassing most prevention measures.

The LAN Turtle is a covert Systems Administration and Penetration Testing tool providing stealth remote access, network intelligence gathering, and man-in-the-middle monitoring capabilities. Housed within a generic "USB Ethernet Adapter" case, the LAN Turtle’s covert appearance allows it to blend into many IT environments.

Penetration Tests and Red Team operations for secured environments need altered approaches. You cannot afford to touch disks, throw executables and use memory corruption exploits without the risk of being ineffective as a simulated adversary. To enhance offensive tactics and methodologies, PowerShell is the tool of choice.
PowerShell has changed the way Windows networks are attacked - it is Microsoft’s shell and scripting language available by default in all modern Windows computers and can interact with .Net, WMI, COM, Windows API, Registry and other computers on a Windows Domain. This makes it imperative for Penetration Testers and Red Teams to learn PowerShell.
This training is aimed towards attacking Windows networks using PowerShell and is based on real world penetration tests and Red Team engagements for highly secured environments. The course runs as a penetration test of a secure environment with a detailed discussion and the use of custom PowerShell scripts during each phase. Here's a list of some of the techniques, implemented using PowerShell, which will be used in the course (scroll to "course content" for more details):

- In-memory shellcode execution using client side attacks.
- Exploiting SQL Servers (Command Execution, trust abuse, lateral movement.)
- Using Metasploit payloads with no detection
- Active Directory trust mapping, abuse and Kerberos attacks.
- Dump Windows passwords, Web passwords, Wireless keys, LSA Secrets and other system secrets in plain text
- Using DNS, HTTPS, Gmail etc. as communication channels for shell access and exfiltration.
- Network relays, port forwarding and pivots to other machines.
- Reboot and Event persistence
- Bypass security controls like Firewalls, HIPS and Anti-Virus.

This training aims to change how you test a Windows based environment.The course is a mixture of demonstrations, exercises, hands-on and lecture, focusing more on methodology and techniques than tools. After this training you'll be able to write own scripts and customize existing ones for security testing. Additionally, attendees will get free access to a complete Active Directory environment that lasts for one month. 

Course Content

Day1 – PowerShell Essentials and Getting a Foothold
- Introduction to PowerShell
- Language Essentials
- Using ISE
- Help system
- Syntax of cmdlets and other commands
- Variables, Operators, Types, Output Formatting
- Conditional and Loop Statements
- Functions
- Modules
- PowerShell Remoting and Jobs
- Writing simple PowerShell scripts
- Extending PowerShell with .Net
- WMI with PowerShell
- Playing with the Windows Registry
- COM Objects with PowerShell
- Recon, Information Gathering and the likes
- Vulnerability Scanning and Analysis
- Exploitation – Getting a foothold
- Exploiting MSSQL Servers
- Client Side Attacks with PowerShell
- PowerShell with Human Interface Devices
- Using Metasploit and PowerShell together

Day 2 – Post Exploitation and Lateral Movement
- Post-Exploitation – What PowerShell is actually made for
- Enumeration and Information Gathering
- Privilege Escalation
- Dumping System and Domain Secrets
- Kerberos attacks (Golden, Silver Tickets and more)
- Backdoors and Command and Control
- Pivoting to other machines
- Poshing the hashes™
- Replaying credentials
- Network Relays and Port Forwarding
- Achieving Persistence
- Detecting and stopping PowerShell attacks
- Quick System Audits with PowerShell
- Security controls available with PowerShell

In this intense 2 day workshop, students will learn the fundamentals of routing and switching from a blue and red team perspective. Using hands-on labs, students will receive practical experience with routing and switching technologies including a detailed discussion on how to attack and defend the network infrastructure. Students will leave the class with a good understanding of how to configure and operate routing and switching protocols as well as how to attack and defend the control, management and data planes in their organization networks.

Social engineering is quickly becoming more prevalent in the infosec industry. Users are becoming more educated about social engineering attempts, but they still fall victim to attacks. Why? Well, like all technology, with great improvement to technology comes great improvement to exploitation, and maybe not so great improvement to security. This presentation explores the subtleties involved in wordcrafting, tone of voice, and adaptability during dreaded human interaction.

This training focuses on how to attack and defend websites from the perspective of a Web developer. As a long lasting penetration tester and web security trainer, Marcus will show you known and sometimes unknown attack techniques (and bugs).

DAY 1:
- Basic knowledge
-- HTTP, HTML, CSS, XML, and DOM
- Social Engineering and Information Disclosure
- Logical Flaws
- Same-Origin Policy
- Cross-Site Request Forgery
- Cross-Site Scripting
-- Reflective XSS
-- Stored XSS
-- DOM-based XSS
-- Self XSS
-- Mutation-based XSS
- Session Hijacking and Session Fixation

DAY 2:
- UI Redressing and Clickjacking
- File Inclusions and Path Traversal
- Remote Command and Code Execution
- SQL Injections
- Secure Coding
-- Fonts
-- DOCTYPE Switch
-- HTTP Parameter Pollution
-- Content Security Policy
-- Burp Suite
-- Security Requirements

REQUIREMENTS
You should know the basics about HTML, JavaScript, and SQL.
Every participant needs an Internet connection and a laptop with Firefox. You will learn a lot - maybe you should bring some headache pills with you.

WHO SHOULD ATTEND
You should definitely attend if you are a web developer. Depending on the level of knowledge, this workshop might also be interesting for penetration testers and security researchers (especially day 2!).

Opening Ceremony.

Everything that's old is new again, and if you work in security long enough, you'll see the same ideas re-invented and marketed as the new new thing. Or, you see solutions in search of a problem, dusted off and re-marketed in a new niche. I'll talk about some of that, and make a few wild guesses for where this may wind up. Spoiler alert: security will not be a "solved" problem.

Hiding malware inside the BIOS/UEFI of a computer has long been deemed a theoretical threat rather than an actual attack vector. Implementation seemed too difficult and the benefits for malicious actors aiming for quick profits were considered negligible. However, with the recent rise of Advanced Persistent Threats (APTs) and state-sponsored attacks, sophisticated targeted attacks are now considered a realistic threat. For skilled attackers seeking for high stealth and persistence rather than widespread infection, the BIOS/UEFI of a computer provides an ideal target. The System Management Mode (SMM) is a legacy mode of operation available in x86 and x86-64 CPUs. Originally, SMM was intended to be used for maintenance tasks such as power and thermal management. It is a highly privileged mode of operation which has free I/O access, can directly interact with memory and has no hardware memory protections enabled.

Our talk starts with a historical overview on previous SMM-based attacks. Most existing approaches are simple proof-of-concept implementations that do not explore the potential of threats stemming from SMM malware. In response to this deficit we present novel, advanced concepts for SMM malware, focussing on stealth, portability (including full Intel 64-bit support), and OS (memory layout) awareness of malware. Our talk aims at encouraging further research into the threat of SMM malware and enables the development of practical countermeasures against BIOS/UEFI malware.

This talk will demonstrate how attackers can compromise a company's network via their firewall system. It's a common misbelieve that security tools are always secure. The aim of this talk is to show the audience the difference between a secure and a security product. First we discuss how we can remotely detect and identify the firewall system within the target internal network. After that we start a brute-force attack from the internet via the victim's browser against the internal firewall. We will show how an attacker can bypass different used CSRF protections to trigger actions on the firewall system. Finally, we are going to exploit a memory corruption bug (type confusion bug which leads to a use after free vulnerability) in the PHP binary on the firewall to spawn a reverse root shell.

After W^X/DEP was widely adopted, taking away the fun of simple code injection attacks, return-oriented programming (ROP) has become the cornerstone of modern, low-level, memory-corruption exploits. ROP relies on short, existing code fragments called "gadgets", which are arranged in a specific way so they execute consecutively. This is a cumbersome process: gadgets have to be found, categorized, their usefulness assessed, intertwined with data, and chained together. Many tools that support this process exist, but they are often outdated, not supporting modern 64-bit platforms, and usually limited to gadget discovery, making exploit developers sift through tens of thousands of gadgets. Some tools claim they can automate the full process of building ROP chains, however, their search algorithms are simple, pattern-based, and if a specific gadget is not present, the whole process fails. Academic tools only work on synthetic examples but not on real binaries. Overall, ROP exploit development is a predominantly manual task.

In this talk, I will review the basic concept of ROP, give an overview over tools that assist ROP exploit development, and show what they can do -  and especially what they cannot do. Afterwards, I will discuss what kinds of features would be useful in such tools and present a tool our research group has developed. It greatly assists ROP exploit development and provides two distinct features: semantic gadget summaries, which show the effects of a gadget on registers and memory in a condensed way; and an auto-ropping engine that actually works, which automatically builds a ROP chain to invoke an arbitrary API with arbitrary parameters. Lastly, I will give an outlook on future mitigations and attacks, discussing state of the art research.

Any company's dilemma is the need for data sharing in the era of IoT while at the same time controlling access and ownership. In order to succeed in business, it is imperative to make data available to customers, suppliers and business partners. However, the explosion and the proclaimed free flow of data can turn against an organisation and threaten its very existence, if not professionally controlled.

Regardless of what type of programming language you work with, business flaws that could expose unauthorized data will always be hard to mitigate. Depending on the business, an issue for one company could in fact be a feature for another. Frans Rosén, a successful white hat hacker, will explain how to find and test for these kind of business critical issues with examples from real life, such as Twitter, Facebook and Google.

In this talk we show that HSTS headers and
long-term cookies (like those used for user tracking) are so prevailing that they allow a malicious Wi-Fi operator (or any other MiTM attacker) to gain significant knowledge about the past browsing history of users.
We demonstrate how to combine both into a history stealing
attack by including specially crafted references into a captive
portal or by injecting them into legitimate HTTP traffic.

Captive portals are used on many Wi-Fi Internet hotspots to
display the user a message, like a login page or an acceptable
use policy before they are connected to the Internet. They are
typically found in public places such as airports, train stations, or
restaurants. Such systems have been known to be troublesome for
many reasons.

We present TLS-Attacker, a novel framework for evaluating the security of TLS libraries. Using a simple interface, TLS-Attacker allows security engineers to create custom TLS message flows and arbitrarily modify TLS message contents in order to test the behavior of their TLS libraries.

Based on TLS-Attacker, we first developed a two-stage TLS fuzzing approach. Our approach automatically searches for cryptographic failures and boundary violation vulnerabilities. It allowed us to find unusual padding oracle vulnerabilities and overflows/overreads in widely used TLS libraries, including OpenSSL, Botan, and MatrixSSL.

Our findings encourage the use of comprehensive test suites for the evaluation of TLS libraries, including positive as well as negative tests. We used TLS-Attacker to create such
a test suite framework, which finds further problems in TLS libraries.

TLS-Attacker is an open source tool, and is currently being deployed for internal tests in Botan and MatrixSSL.

Wireless desktop sets consisting of a wireless mouse, a wireless keyboard, and a USB dongle have become more popular and more widespread in the last couple of years. Seen as potential target, those radio-based devices are of more interest to people with malicious intentions than their wired counterparts, due to the fact that they can also be attacked remotely from a safe distance via radio signals.

As wireless desktop sets represent an attractive target both allowing to take control of a computer system and to gain knowledge of sensitive data like passwords, they have been frequently analyzed for security vulnerabilities and were successfully attacked in the past. One well-know example for exploiting vulnerabilities in wireless keyboards is the open source wireless keyboard sniffer KeyKeriki by Dreamlab Technologies. The first version was presented back in 2009 for Microsoft keyboards using the 27 MHz ISM band. The second version also supported wireless keyboards using the 2.4 GHz ISM band and was presented in 2010. In 2015, Samy Kamkar published an Arduino-based wireless keyboard sniffer for Microsoft keyboards with known security weaknesses that extended the work of the KeyKeriki v2.0 project and of Travis Goodspeed's research concerning Nordic Semiconductor's transceiver family nRF24. And in spring 2016, a collection of security vulnerabilities found in USB dongles of wireless desktop sets of different manufacturers was released by Bastille Networks Internet Security under the name of MouseJack, which allowed keystroke injection attacks.

SySS GmbH started a research project about the security of modern wireless desktop sets using AES encryption in 2015, as there was no publicly available data concerning security issues in current wireless mice and keyboards. Up to now (May 2016), several security vulnerabilities in modern wireless desktop sets of different manufacturers, like Microsoft, Cherry, Logitech, and perixx, have been found and reported in the course of our responsible disclosure program.

The found security vulnerabilities can be exploited within different attack scenarios from different attacker's perspectives. On the one hand, there are security issues which require one-time physical access to a keyboard or a USB dongle, for example to extract cryptographic keys, which can be used in further attacks or to manipulate the firmware. On the other hand, there are security issues that can be exploited remotely via radio communication, for example replay or keystroke injection attacks, due to insecure implementations of the AES encrypted data communication.

The results of our research shows that the security levels of modern wireless desktop sets of different manufacturers are not equal and that some devices are more secure than others. Still, so far there has been no wireless desktop set without any security issues.

In this talk, I will present the results of our research and will demonstrate ways in which modern wireless desktop sets of several manufacturers can be attacked by practically exploiting different security vulnerabilities.

System services represent one of the core components in Android, implementing many fundamental Android features such as media playback, graphics or network connectivity. The fact that the large majority of system services exposes a remote interface that can be called by other unprivileged applications or services makes them an excellent attack vector. From a system security perspective this task makes even more sense since most of the components and processes executed behind each system service run with high or increased privileges.

The presentation will focus on a fuzzing approach that can be used for testing system services in Android, providing in-depth information about the implementation of the tools developed to accomplish this task and examples of actual vulnerabilities that were discovered in the latest versions of Android.

Threat Hunting refers to proactively and iteratively searching through networks or datasets to detect and respond to advanced threats that evade traditional rule- or signature-based security solutions. But what does this really mean? And what real impact does it have on the security team?
Can we use threat hunting to provide a process to better detect and understand when you've been breached?

More and more security data is being produced and usually aggregated into a central location or body to hopefully take quick and informed decisions on attacks or compromises amongst a mountain of data. When you start to include data gathered from your endpoints the amount of data starts to explode exponentially. This level of data provides us with a large amount of visibility. But is having visibility enough?

What if a more thoughtful and intelligent way of generating alerts could draw an analysts attention to the right place at the right time? This would provide context or even flag indicated suspicious behaviour that can become the starting point of a hunt.

In this talk, we will explore this theory and establish working foundations of what threat hunting is and look at some of the challenges associated with gathering large data sets. This will give us a foundation to look at how we can improve and explore implementing an intelligent threat hunting model to drive the investigation process.

Group Policy is a feature which provides centralized management and configuration functions for the Microsoft operating system, application and user settings. Group Policy is simply the easiest way to reach out and configure computer and user settings on networks based on Active Directory Domain Services (AD DS). Such policies are widely used in enterprise environments to control settings of clients and servers: registry settings, security options, scripts, folders, software installation and maintenance, just to name a few. Settings are contained in so-called Group Policy Objects (GPOs) and can be misused in a sneaky way to distribute malware and gain persistence in an automated manner in a post exploitation scenario of an already compromised domain. In a proof of concept, inspired by Phineas Fishers' article about pwning HackingTeam, we will show how persistence and lateral movement in a compromised company network can be achieved, and demonstrate some PowershellEmpire Framework modules which we created. PowershellEmpire is basically a post-exploitation framework that utilises the widely-deployed PowerShell tool for all your system-smashing needs. There are already functionalities built-in regarding GPOs. We tried to further evolve the miss-use of GPOs in additional scenarios. Furthermore, we will discuss some countermeasures including detection and prevention mechanisms.

Smart and electric mobility is an emerging market and thus an interesting area of research and development. Already multiple different solutions have been implemented, but neither any clear market player, nor any proven and widely adopted standards or best-practice exist today.

This talk will focus on the security and privacy aspects of e-mobility charging infrastructure. From the authentication process to reserve or start a charging process to billing and fraud-detection. It will further give an overview on how current ICT solutions (OCPP, OICP, OCPI, ISO 15118, ...) handle those requirements and what could be done to improve the current situation.

We present DROWN, a novel cross-protocol attack on TLS that uses a server supporting SSLv2 as an oracle to decrypt modern TLS connections.

We introduce two versions of the attack. The more general form exploits multiple unnoticed protocol flaws in SSLv2 to develop a new and stronger variant of the Bleichenbacher RSA padding-oracle attack. To decrypt a 2048-bit RSA TLS ciphertext, an attacker must observe 1,000 TLS handshakes, initiate 40,000 SSLv2 connections, and perform 2^50 offline work. The victim client never initiates SSLv2 connections. We implemented the attack and can decrypt a TLS 1.2 handshake using 2048-bit RSA in under 8 hours, at a cost of $440 on Amazon EC2. Using Internet-wide scans, we find that 33% of all HTTPS servers and 22% of those with browser-trusted certificates are vulnerable to this protocol-level attack due to widespread key and certificate reuse.

For an even cheaper attack, we apply our new techniques together with a newly discovered vulnerability in OpenSSL that was present in releases from 1998 to early 2015. Given an unpatched SSLv2 server to use as an oracle, we can decrypt a TLS ciphertext in one minute on a single CPU - fast enough to enable man-in-the-middle attacks against modern browsers. We find that 26% of HTTPS servers are vulnerable to this attack.

We further observe that the QUIC protocol is vulnerable to a variant of our attack that allows an attacker to impersonate a server indefinitely after performing as few as 2^17 SSLv2 connections and 2^58 offline work.

We conclude that SSLv2 is not only weak, but actively harmful to the TLS ecosystem.

In this era of complex evolution, application technologies have adapted HTML5, WebSockets, APIs, Frameworks, Dynamic code generation, mobile and many other stacks. Application architecture also adds complexity concerning integration with other applications, mobile integrations, JavaScript usage, and many other communication channels. Automated approaches with artificial intelligence of security reviews are having their own limitations in capturing some unique and critical issues across applications. Automation can attack and discover vulnerabilities, which are more signature-based or with predicted behavior. Automation's failure and limitations generate false negatives and applications get pushed into production with these vulnerabilities. These vulnerabilities get exploited by attackers to breach systems from the application layer. This talk will present some unique issues, which are possible to discover by human intelligence but may get missed by automation. For example,

• Application with workflows
• Asynchronous injections across critical functions
• Role based violations and escalations
• Access to un-authenticated resources via hidden logic
• Third party posting, injection and streaming
• Customize protocol handling and exploitation
• Sensitive information going out via Analytics calls
• Logical abuse in forgot/reset passwords
• HTML5 Local storage weaknesses
• Exploiting XSS to write in to application local storage in mobile

Stegosploit creates a new way to encode "drive-by" browser exploits and delivers them through image files. Using current means these payloads are undetectable. This talk discusses two broad underlying techniques used for image based exploit delivery - Steganography and Polyglots. Drive-by browser exploits are steganographically encoded into JPG and PNG images. The resultant image file is fused with HTML and Javascript decoder code, turning it into an HTML+Image polyglot. The polyglot looks and feels like an image, but is decoded and triggered in a victim's browser when loaded.

This talk focusses more on the inner mechanisms of Stegosploit, implementation details and how certain browser specific obstacles were overcome.

The Stegosploit Toolkit contains the tools necessary to test image based exploit delivery. A case study of a Use-After-Free memory corruption exploit (CVE-2014-0282) shall be presented demonstrating the Stegosploit technique. Further reading: http://stegosploit.info/

In our 2014 presentation we proved that the threat of Malicious Hypervisor (MH) is a technical reality. The question is not whether it can be implemented -  In our opinion it has been implemented and in use since 2007 – 2008 and, in all likelihood, another instance has been developed around 2009 – 2010- The question is when it will become available for real cyber terrorism attacks. We have not seen such an attack yet. More likely MH has been used to collect important information in silence very effectively. However, we cannot control the underground exploitation of software development and an MH attack may happen any time.
As we stressed in our 2014 presentation, there is no effective method to discover MH. So, since we said A, by doing our first MH research, we considered it as our obligation to say B, dedicating the next phase of our research to the development of methods and tools to catch the MH.
Our presentation will basically cover our research and the development process, outlining some important ideas and findings and providing results proving that our methods and software work and can reliably be used to discover MH.
However, we do not consider it as productive to simply provide the exact information about the research and the development. We want to avoid “copy-cat” processes and would like to encourage security researchers and organizations to conduct independent research and development work using our “milestones”.
From our point of view, we achieved our goal – we have the methods and we have a tool utilizing these methods. We have both a demo and production version of the Hypervisor Catcher tool which can discover MH in a computer system with 99.99% reliability and within a very reasonable time frame.
We do not think that we will be able to prevent MH attacks if they happen in the near future. However, at least we are now able to identify the silent deployment of such an devastating attacking tool.

During the presentation I will briefly introduce the audience to the most important information and conclusions of the research of our Phase 1 (as discussed at DeepSec 2014). We will also discuss our analysis of methods used in the traditional research concerning the “rootkit hypervisor” to catch hypervisor activity. Then we will move on to our proposed methods and results. We will also give the audience some statistical information proving our case. However, during our one and a half year long research we gathered a lot of testing information which we simply cannot discuss within our presentation without killing any interest in our findings. We will try to balance all what we mentioned here to keep the audience happy and interested in the discussion.

Java deserialization vulnerabilities are a bug class of its own. Although several security researchers have published details in the past, still the bug class is fairly unknown. This talk is about finding and exploiting deserialization flaws in Java.
Several vulnerabilities and gadgets discovered by Code White will be shown as case studies including a new 0day.

Version 1.3 is the latest Transport Layer Security (TLS) protocol, which allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. TLS is the S in HTTPS. TLS was last changed in 2008, and a lot of progress has been made since then. CloudFlare will be the first company to deploy this on a wide scale, and we’ll be able to discuss the insights we gained while implementing and deploying this protocol. This talk will explore differences between TLS 1.3 and previous versions in detail, focusing on the security improvements of the new protocol as well as some of the challenges we face around securely implementing new features such as 0-RTT resumption. We’ll also demonstrate an attack on the way some browsers have chosen to implement TLS 1.3.

You have spent lots of money on a high-grade pick-resistant lock for your door. Your vendor has assured you how it will resist attack and how difficult it would be for someone to copy your key. Maybe they're right. But... the bulk of attacks that both penetration testers and also criminals attempt against doors have little or nothing to do with the lock itself!

This talk will be a hard-hitting exploration (full of photo and video examples) of the ways in which your doors and padlocks -- the most fundamental part of your physical security -- can possibly be thwarted by someone attempting illicit entry. The scary problems will be immediately followed by simple solutions that are instantly implementable and usually very within-budget. You, too, can have a near-perfect door and acquire ideal padlocks... if you're willing to learn and understand the problems that all doors and padlocks tend to have.

In Korea in particular, hackers have distributed sophisticated and complex financial fraud android malware through various means of distribution, such as SMS phishing, Google play and compromised web servers.

This talk will handle recent trends of obfuscated malicious android apps in Korea. And explain various mobile protection techniques for obstructing analysis of malware such as obfuscation, packing and anti-debugging.

Deep learning and neural networks have gained incredible popularity in recent years. The technology has grown to be the most talked ­about and least well­ understood branch of machine learning. Successful applications of deep learning in image and speech recognition have kickstarted movements to integrate it into critical fields like medical imaging, and self­driving cars. [1] In the security field, deep learning has shown good experimental results in malware/anomaly detection, [2] APT protection, spam/phishing detection and traffic identification. However, most deep learning systems are not designed with security and resiliency in mind, and can be duped by any attacker with a good understanding of the system. [3]

The efficacy of applications using machine learning should not only be measured with precision and recall, but also by their malleability in an adversarial setting. In this talk, we will dive into popular deep learning software and show how it can be tampered with to do what you want it do, while avoiding detection by system administrators. Besides giving a high level overview of deep learning and its inherent shortcomings in an adversarial setting, we will focus on tampering real systems to show real weaknesses in critical systems built with it. In particular, this demo­driven session will be focused on manipulating an image recognition, speech recognition and phishing detection system built with deep learning at the core.

By discussing defensive measures that should be put in place to prevent the class of attacks demonstrated, we hope to address the hype behind deep learning from the context of security and look towards a more resilient future of this technology where developers can more safely use it in critical applications.


Citations:
[1] Ashlee Vance. 2015. The First Person to Hack the iPhone Built a Self­Driving Car. In His Garage.
http://www.bloomberg.com/features/2015­george­hotz­self­driving­car/
[2] Zhenlong Yuan, Yongqiang Lu, Zhaoguo Wang, and Yibo Xue. 2014. Droid­Sec: deep learning in android malware detection.
SIGCOMM Comput. Commun. Rev. 44, 4 (August 2014), 371­372. DOI=http://dx.doi.org/10.1145/2740070.2631434
[3] Nicolas Papernot, Patrick McDaniel, Ian Goodfellow, Somesh Jha, Z. Berkay Celik, and Ananthram Swami. 2016. Practical Black­Box Attacks against Deep Learning Systems using Adversarial Examples. (arXiv:1602.02697v2)

This talk will focus on how to exploit a network by targeting the various first hop protocols. Attack vectors for crafting custom packets as well as a few of the available tools for layer 2 network protocols exploitation will be covered. Defensive mitigations and recommendations for adding secure visualization and instrumentation for layer 2 will be provided.

In Windows 10, Microsoft introduced the AntiMalware Scan Interface (AMSI), which is designed to target script based attacks and malware. Script based attacks have been lethal for enterprise security and with the advent of PowerShell, such attacks have become increasingly common.

AMSI targets malicious scripts written in PowerShell, VBScript, JScript, etc. It drastically improves detection and the blocking rate of malicious scripts. When a piece of code is submitted for execution to the scripting host, AMSI steps in and scans the code for malicious content. What makes AMSI effective is that no matter how obfuscated the code is, it needs to be presented to the script host in clear text and unobfuscated. Moreover, since the code is submitted to AMSI just before execution, it doesn't matter if the code comes from disk, memory or was entered interactively. AMSI is an open interface and MS says any application will be able to call its APIs. Currently Windows Defender uses it on Windows 10.

Has Microsoft finally killed script-based attacks? Or are there even ways to bypass AMSI?

The talk will be full of live demonstrations.

Content Security Policy (CSP) is a defense-in-depth mechanism to restrict resources that can be loaded, embedded and executed in a web application, significantly reducing the risk and impact of injections. It is supported by most modern browsers, and it already is at its third iteration - yet, adoption in the web is struggling.

In this presentation I'll highlight the major roadblocks that make CSP deployment difficult, common mistakes, talk about how we automatically bypassed the CSP of more than 95% of ~1.6 Million domains, e.g., by showing how easy it is to defeat the whitelist-based model with some juicy bypasses, thanks to JSONP endpoints for example, by abusing a CDN and loading outdated versions of AngularJS.

Finally, I present a radically new way of doing CSP in a simpler, easier to maintain and more secure way based on nonces and making use of a new feature we contributed to CSP3.

We hope that after attending this talk you will understand how tricky it can be to deploy an effective CSP policy and what are the common mistakes to avoid, and as an attacker you will get resources and pointers on how well CSP is keeping up with modern web technologies, and how to break it.

Over the last few years, IEEE 802.11 standard for wireless connectivity usage has turned massive. Wireless devices are everywhere, from your smartphone to the printer that is in your office. As a matter of fact, all connected devices have proliferated at an incredible rate.

IEEE 802.11 standard has many versions and 3rd party extensions bringing new features that add complexity to the protocol. This complexity makes platform implementations and drivers more intricate, opening opportunities for attackers.

This presentation will show how attackers could use these features to fingerprint devices, abuse bad implementations to access devices with no credentials and how researchers could analyze 802.11 implementations on platforms such as Android and iOS for bug hunting.

Multiple methods exist for detecting malicious activity in a network, including intrusion detection, anti-virus and log analysis. But the majority of these use signatures, looking for already known events and they typically require some level of human intervention and maintenance.
However,using behavioral analysis, it's possible to observe and create a baseline of average behavior on a network, enabling intelligent notification of anomolous activity. This talk will demonstrate methods of performing this activity in any environment. Attendees will learn new methods which they can apply to further monitor and secure their networks.

Productivity- and Security Tipps for SSH

--

Tips and tricks for a more efficient and more secure usage of ssh(d). We will touch on config file options, crypto settings, 2 factor authentication, ProxyCommands with bastion hosts, server key rotation and much more.

SSH (Secure Shell) is a must have tool to remotely connect to servers for administrative purposes or file copying. Most users only use a tiny subset of the features modern OpenSSH versions offer. So will try to demonstrate some of the more "obscure" but often very handy options you may not have looked into, yet.

Would you want to let your kids discover the darker corners of the internet without protection? Wouldn't it be handy to know what they do online, to be alerted when they search for dangerous keywords and to be able to control what websites they can visit and even when they play games?

Worry no longer, the South Korean government got you covered. Simply install the "Smart Sheriff" app on your and your kids' phones. Smart Sheriff is the first parental-control mobile app that has been made a legally required, obligatory install in an entire country! Yay, monitoring!

Well, something shady yet mandatory like this cannot come about without an external pentest. And even better, one that wasn't solicited by the maintainer but initiated by the OTF and CitizenLab and executed by the Cure53 team! In this talk, two of the Cure53 testers involved in the first and, who would have guessed, second penetration test against the "Smart Sheriff" app, will share their findings. Maybe everything went allright, maybe the million kids forced to have this app run on their devices are safe. Maybe. But if so would there be a talk about it?

We all know, mandated surveillance apps to protect children are a great idea, and outsourcing to the lowest bidder, always delivers the best results. Right?

Going over the first and second pentest results we will share our impressions about the "security" of this ecosystem and show examples about the "comprehensive" vendor response, addressing "all" the findings impeccably. This talk is a great example of how security research concerning a serious political decision and mandatory measures might achieve nothing at all - or of how a simple pentest together with excellent activist work may spark a political discussion and more.

Quantum Computers could endanger almost all cryptosystems that are in use today. While it's unclear if large scale Quantum Computers will ever be built, some researchers see them happening within the next 10 or 15 years.

Post-Quantum Cryptography is trying to investigate new cryptographic mechanisms that can protect communication from quantum computer attacks. While some algorithms exist that can provide this protection they suffer from either being impractical or being too new to be
trustworthy. However the field is getting a lot of attention lately and Google has started using post quantum algorithms for some TLS connections.

The content I am going to share is brand-new and has been developed over the past years based on experience as an international consultant (Big 4, KPMG, Deloitte, Australia, China, Switzerland, Singapore, Malaysia, etc.) by myself and my colleague and not been presented anywhere else. At this conference I will share the work results for the first time publicly and exclusively. Just recently we decided to open source our knowledge by sharing the content of our Social Engineering Engagement Framework (SEEF). It offers a brand new point of view:
Until now most Social Engineering frameworks were based on technical tools but rarely focused on the business and risk side of social engineering. On a corporate level there was no methodology making Social Engineering engagements plannable, secure and the achieved results comparable as well as repeatable.
Most Social Engineering definitions are technically focused, while we define Social Engineering simply as “The elicitation of information from systems, networks or human beings through methods and tools”.

For this presentation I selected elements from the framework in order to show the audience how to successfully plan, document and execute a professional Social Engineering (attack).
As a successful participant of the recent Social Engineering Capture the Flag (SECTF) competition at Defcon 22 I have a lot of experience I like to share with the audience and lots of stories to tell.

Malicious actors always try to abuse badly configured devices, since this is the "cheapest" solution. Day by day, more and more home devices become linked to the internet (IoT) such as feature-full routers and NAS systems providing their users, and maybe some others, with data sharing services.

Recently we found interesting threats which are useing FTP services to spread. Most users trust their own devices and the files on them. They don't think that their systems could host malware inside their private network, just because default settings and handy automatic services like UPnP are used. Typically users do not even know that they're running, using services like FTP, and especially they do not know that this protocol has a built-in anonymous account.

In other cases malicious actors just put server scripts into the shared folder, hoping that the FTP folder and the web root folder are the same, and so infect the system in this very easy way. Very often they succeed.

So, what is the current state of the (open) FTP services overall?
Recently I developed a very flexible testing framework (called ScanR) to be able to answer this question: 

We tested 3 million IP addresses which were released to FTP services, to get a clear picture of the state of these services and the devices which are behind them. The results are quite shocking in some aspects, and worse then we expected.

In this lecture I will present the details of this test, where the initial data and IP addresses came from, what the test system looked like, and especially the threats and hacking activities we found.

As a teaser here are some of the results:
• more then 200.000 IP-adresses can be accessed via anonymous access (this means a huge amount of private data could possibly be accessed by anyone on earth),
• more than 7.000 FTP services provide access for anonymous users,
• and here's the worst result: more than 90% percent of FTP services are infected with at least one threat

In the lecture I will share the details and technical analysis of the threats we found as well as the statistical data. After this presentation you will have a word-wide view on how a network service could look like if you left it unlocked.

What can we gain from our findings?
• I will present our findings in detail about the current state of "things". How scary it is for home user devices and even for professional network devices
• In this presentation, we will inform you about the threats which are currently active and how malicious actors can (ab)use these services to infect user devices.


Technical level of the topic
Both the core professionals and the average IT user will be able to enjoy this talk: the tricky parts will be explained in detail, the more easily understood aspects just summarized.

Cyberwar, Cyberterror and Cybercrime have been buzzwords for several years now.
Despite the problem of finding useful definitions for modern IT security
threats and so much criclejerking bullshit bingo going on, we have to think about
the assessment of capabilities in the IT field.

Besides institutional actors like states and their military and intelligence
communities we also have to assess the capabilities of non-institutional actors
like terrorist groups or organised crime.

However, unlike the assessment of classic military strength, assessing the capabilities and powers of actors in the IT field is much more complicated and complex.
In this talk I will introduce the first tools, methods and statistics to compare
hacking capabilites and assess the »cyber fighting power« of different actors.

The more intelligence you have, the greater the chance you can find your bad guy. Having spent many years working in military intelligence and law enforcement, Ian Trump, global security lead for SolarWindsMSP, will welcome you to a new world of cyber security, where machine learning and big data solutions can help you find bad guys to protect your business from harm - although justice may be elusive. Just as thousands of troops close to a counties border are disconcerting to the citizens and national leaders, identifying hostile actors inside a network is equally so. How does machine learning and big data combine to provide awareness of the threats and intentions of a hostile cyber actor? Ian will reveal how SolarWindsMPS capabilities are advancing the security where it really counts, in the small and medium enterprises which are on the front line of cyber crime. Sharing his knowledge of Advanced Persistence Threats, cyber criminal and foreign intelligence service capabilities, Ian will talk about how SolarWindsMSP is working with partners world-wide to save the internet from the bad guys through machine learning and big data analysis.

Most security issues are carried out remotely over the network. Local attacks are less "useful" and so this is a less explored area. On the other hand, local exploitation is a typical scene of Hollywood movies: the hacker face to face with the target system (and a keyboard in between). 

In this presentation we will show in action the well known principle that "complexity is the enemy of security". It is very easy to make mistakes when adding new functionality to existing systems.

Do you remember the GRUB 28 bug?. After we found that bug, we reviewed the rest of the Linux boot sequence...