Meltdown & Spectre – Processors are Critical Infrastructure too

Information security researchers like to talk about and analyse critical infrastructure. The power grid belongs to this kind of infrastructure, and so does the Internet (or networks in general). Basically everything we use is built from components. Software developers rely on libraries; usually you don’t want to solve a problem multiple times. Computer systems are built from many components, and even a System on a Chip (SoC) has components, albeit smaller and closer to each other. 2018 begins with critical bugs in the critical infrastructure of processors. Meltdown and Spectre haunt the majority of our computing infrastructure, be it the Cloud, local systems, servers, telephones, laptops, tablets, and many more. Information security relies on the weakest link. Once your core components have flaws, the whole platform may be in jeopardy. In 2017 bugs/backdoors in the Intel® Management Engine, in effect a malicious hypervisor sitting underneath your operating system, came to light (AMD™ has a similar technology). Coreboot is one way to replace your BIOS/UEFI firmware and shrink its attack surface. Approaches like these can’t do much once the processor itself is affected.

Hindsight doesn’t help, but bugs in the processor core or its microcode have happened before. There is the famous FDIV bug, there is F00F, and other CPU bugs have been around for decades. The reason is sometimes the security-performance trade-off, sometimes an architectural design error, or just simple oversight. Debugging is hard, and debugging hardware is harder. If you are lucky, you run a platform that is not vulnerable. The ARM cores in the Raspberry Pi models available at the time (all in-order designs) are not affected by Meltdown or Spectre, so if you run on Raspberry Pis, you are fine. Building a cloud platform on them is tricky, though (we tried to install OpenStack on a number of Raspberry Pis; it almost worked, but 1 GB of memory is barely enough for the controller node).
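Whether the platform you are on is affected is something the kernel can tell you. The following check is an added example and not part of the original post: it reads the per-issue status files Linux exposes under /sys/devices/system/cpu/vulnerabilities (an interface that appeared with kernel 4.15, i.e. around the time of the disclosure) and classifies them. The file contents in SAMPLE_STATUS are constructed for the offline demonstration; the state names and the exit-status convention are choices made here, not kernel conventions.

```python
from pathlib import Path

# Since Linux 4.15 the kernel exports one status file per issue in this directory,
# e.g. meltdown, spectre_v1, spectre_v2; later kernels add further entries.
SYSFS_VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample of what such files contain, for running the check offline.
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Vulnerable\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
    "l1tf": "Not affected\n",
}


def parse_status(text):
    """Map one status line to (state, detail).

    The kernel writes 'Not affected', 'Vulnerable', 'Vulnerable: <reason>' or
    'Mitigation: <what>'. Anything else is reported as unknown instead of being
    silently treated as safe."""
    text = text.strip()
    head, _, detail = text.partition(":")
    head, detail = head.strip(), detail.strip()
    if head == "Not affected":
        return ("not_affected", detail)
    if head == "Mitigation":
        return ("mitigated", detail)
    if head == "Vulnerable":
        return ("vulnerable", detail)
    return ("unknown", text)


def classify(raw):
    """{issue: file contents} -> {issue: (state, detail)}."""
    return {name: parse_status(contents) for name, contents in raw.items()}


def read_sysfs(directory=SYSFS_VULN_DIR):
    """Read every status file; an empty dict means the kernel predates the interface."""
    directory = Path(directory)
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text() for p in sorted(directory.iterdir()) if p.is_file()}


def needs_attention(statuses):
    """Issues reported as vulnerable, plus any status this script cannot interpret."""
    return sorted(name for name, (state, _) in statuses.items()
                  if state in ("vulnerable", "unknown"))


if __name__ == "__main__":
    statuses = classify(read_sysfs())
    if not statuses:
        print("no sysfs data (kernel older than 4.15, or not Linux); showing constructed sample")
        statuses = classify(SAMPLE_STATUS)
    for name, (state, detail) in statuses.items():
        print(f"{name:<14} {state:<13} {detail}")
    # Non-zero exit if anything is unmitigated, so the check can gate a deployment.
    raise SystemExit(1 if needs_attention(statuses) else 0)
```

Run it as root or as an ordinary user; the files are world-readable. Treating an unparseable status as something that needs attention, rather than as safe, is deliberate: the set of issues and the wording grow with every kernel release.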

We haven’t even mentioned embedded devices and the notorious Internet of Things (IoT). The history of bugs there is huge. Back in 2014 there was an article on how hard, if not impossible, it is to fix this ecosystem. The recent DeepSec conference featured a talk about the Mirai botnet and possible successors. There is not much you can do about it unless you can change the design. Once upon a time there were approaches to reduce the instruction sets of processors. Inspecting all the feature sets of modern CPUs looks more like a higher-level language. Of course we want our code to run as fast as possible; who wants to wait? However, there are designs that take security into account, and when it comes to critical infrastructure we will have to have the patience. Otherwise we will have to say goodbye to the idea of a secure platform.

Let’s see how many bugs in hardware 2018 brings. If you find some, please let us know and submit a presentation. Submissions for trainings are welcome as well. The Calls for Papers for DeepSec 2018 and DeepINTEL 2018 will open soon.

DeepSec 2017 Presentation Slides

While the videos are on their way to the rendering farm, the presentation slides for DeepSec 2017 can already be downloaded. We put them online as soon as we get the final version from our speakers. If you do some guessing URL-wise you can also find the presentations of past conferences at the very same spot. Since we collect the final slides after the conference and do not ask speakers to put USB sticks into their computers during the conference, the download repository will fill up over time. Unfortunately we cannot speed up this process. So bear with us, we are as curious as you are (especially since some of us never get to see any presentation at DeepSec because there is too much to do).

As for the videos, all speakers and attendees will also get a direct link with early access to the content within the next few days. You don’t have to reload our blog or Twitter feed. 😉

DeepSec 2017 thanks you and DeepSec 2018 is almost ready

We caught up on sleep and are right in the middle of post-processing DeepSec 2017. Thanks to you all for attending, presenting, sending feedback, and being part of a great event. The slides will be online soon. The videos are being converted. We will upload them as bandwidth permits. All speakers and attendees will get a code to access them early.

Thanks for your feedback as well! We listen, and we have some plans to address the issues you reported. 2018 will see a lot of improvements.

We will announce the dates for DeepSec and DeepINTEL 2018 soon. The events will stay in November and September. We just need to coordinate with the venue and will let you know as soon as possible. The Calls for Papers open early in 2018, as does the new ticket shop system.

Looking forward to seeing you (again) in 2018!

DeepSec2017 U21 Talk: Lessons Learned: How To (Not) Design Your Own Protocol – Nicolai Davidsson

“One of the first lessons of cryptography is “don’t roll your own crypto” but we were bold enough to ignore it”, says Nicolai. “Single Sign-On is so 2016 which is why we’d like to introduce its replacement, Forever Alone Sign-On – FASO. This talk will discuss one of the ugliest SSO solutions you’ll ever see, its updated, slightly less ugly, iteration, and, ultimately, FASO.

We’ll discuss the use cases, questionable decisions made during the planning process, the actual self-rolled, totally vulnerable, cryptography, and the even worse code architecture.

In all seriousness: The talk reflects on the design process of a SSO protocol and its first two iterations, going from a semi-functional workaround to an experimental OAuth-and-the-like alternative utilizing pre-shared keys, symmetric cryptography and implicit authentication.”


Nicolai is a security researcher at zyantific and a graduate student at Ruhr University Bochum where he’s also an avid member of the FluxFingers CTF team. He likes burgers, buffer overflows and bad crypto.

ROOTS: Out-Of-Order Execution As A Cross-VM Side Channel And Other Applications – Sophia d’Antoine

Given the rise in popularity of cloud computing and platform-as-a-service, vulnerabilities inherent to systems which share hardware resources will become increasingly attractive targets to malicious software authors. In this talk, Sophia will introduce a novel side channel across virtual machines through the detection of out-of-order execution. She and her colleagues created a simple duplex channel as well as a broadcast channel. She’ll discuss possible adversaries for this channel and propose further work to make this channel more secure, efficient and applicable in realistic scenarios. In addition, she considers several possible malicious applications of this channel, among them theft of encryption keys, program identification, environmental keying, malicious triggers, denial of service attacks, determining VM co-location, malicious data injection, and side channels.

We asked Sophia a few questions about her talk.

Please tell us the top 5 facts about your talk.

  • We introduce a novel side channel across the Pipeline using Out-of-Order execution to alter and leak co-located process state.
  • We abstract out hardware side channels and apply a model to all shared hardware elements both in virtualized environments (the cloud) and on a standard computer.
  • This talk also explains some fundamental dynamic resource allocations used in the cloud that cause resource contentions.
  • From here, we theorize that optimizations are the root cause of many side channels both in the hardware and software layers.
  • We discuss several new optimizations in the x86 and ARMv8-A spec which could possibly lead to useful side channels.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

Messing around with threads in university, I started to see a recordable pattern of erroneous results depending on other applications running in the background. Digging deeper into it I started learning about Out-of-Order execution, how by using it I could force a thread to receive incorrect results and how to deterministically leak system information.

Why do you think this is an important topic?

  • Shared resources in untrusted environments are becoming increasingly common. This leads to virtual allocations of physical resources and dynamic changes to resource distribution. These dynamic changes are the result of one process and may affect another process outside of its security boundary.
  • New hardware optimizations are also being introduced.

Is there something you want everybody to know – some good advice for our readers maybe?


A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

In the future we’ll see more hardware solutions to software side channels. Case in point, recently ARM released extensions to the architecture for the purpose of mitigating cryptographic side channels in the multiply function. It is called Data Independent Timing and forces the upper bound execution time for all instructions (example: multiplications) when a specific flag is set. This means that 1×1 will take the same time as 2546483×245303. I think we will see more solutions like this to other security problems – not just side channels.

The implementation of these solutions may not be perfect however, and either may not completely solve the problem or introduce new vulnerabilities. For instance, this ARM constant time instruction flag does not enforce constant time loads and stores, depending on the memory being accessed. This could possibly be abused to bypass the solution.


Sophia d’Antoine is a senior security researcher at Trail of Bits in NYC and a graduate of Rensselaer Polytechnic Institute. She is a regular speaker at security conferences around the world, including RECon, HITB, and CanSecWest. Her present work includes techniques for automated software exploitation and software obfuscation using program analysis. She spends too much time playing CTF and going to noise concerts.


DeepSec 2017 Talk: OpenDXL In Active Response Scenarios – Tarmo Randel

Automating the response to cyber security incidents is a trend that, considering the increasing number of incidents organisations handle and the ever-growing attack surface, is already becoming mainstream. In this talk Tarmo explores the options of using OpenDXL in real-life situations of mixed environments, legacy solutions and multiple vendors for connecting existing (and future) cyber security system components for coordinated information exchange and orchestrated incident response.

Tarmo is a researcher at the NATO Cooperative Cyber Defence Centre of Excellence, working on various research projects and developing for large-scale cyber exercises. He is also a developer at the Estonian eHealth Foundation, kick-starting its in-house development team, creating the supporting infrastructure, and preparing and executing plans for taking over selected external vendor development projects. At CERT-EE he has been Head of Department, running the Computer Emergency Response Team, and an information security expert, creating new tools and implementing existing ones to understand what is going on in networks, detecting and mitigating cyberattacks, analysing malware, planning and executing public awareness campaigns, and supporting the building of a trusted information security community network.

Tarmo has also been a system administrator at Tele2 and Trigger Software, converting legacy systems to modern, expandable high-availability systems, coding in PHP and C, looking for and eliminating performance bottlenecks, and supporting the development infrastructure.


ROOTS: On The (In-)Security Of JavaScript Object Signing and Encryption – Dennis Detering

JavaScript Object Notation (JSON) has evolved into the de facto standard data format on the web, used for application configuration, cross- and same-origin data exchange, as well as in Single Sign-On (SSO) protocols such as OpenID Connect. To protect the integrity, authenticity and confidentiality of sensitive data, JavaScript Object Signing and Encryption (JOSE) was created to apply cryptographic mechanisms directly to JSON messages. We investigated the security of JOSE and present different applicable attacks on several popular libraries. We introduce JOSEPH (JavaScript Object Signing and Encryption Pentesting Helper), our newly developed Burp Suite extension, which automatically performs security analysis on targeted applications. JOSEPH’s automatic vulnerability detection ranges from executing simple signature exclusion or signature faking techniques, which neglect JSON message integrity, up to highly complex cryptographic Bleichenbacher attacks breaking the confidentiality of encrypted JSON messages. We found severe vulnerabilities in six popular JOSE libraries. We responsibly disclosed all weaknesses to the developers and helped them to provide fixes.
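The simplest of the attacks the abstract names, signature exclusion, is easy to see in code. The example below is added here and is not code from the talk, from JOSEPH, or from any of the libraries that were tested: it builds a JWS (JSON Web Signature, the signing half of JOSE) in compact serialization with HS256, forges a token whose header claims "alg": "none", and runs both against a verifier that trusts the header and one that decides the algorithm itself. The key, the claims and the names of the functions are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; in a real deployment this is the server's HMAC secret.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def b64url_encode(data):
    """JOSE base64url: urlsafe alphabet with the '=' padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_part(obj):
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def hs256(signing_input, key):
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def jws_sign(claims, key):
    """Honest issuer: HS256 over 'base64url(header).base64url(payload)'."""
    header_b64 = _json_part({"alg": "HS256", "typ": "JWT"})
    payload_b64 = _json_part(claims)
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    return f"{header_b64}.{payload_b64}.{b64url_encode(hs256(signing_input, key))}"


def forge_unsigned(claims):
    """Attacker: signature exclusion. The header says 'none' and the signature
    part is empty; no knowledge of the key is needed."""
    return f"{_json_part({'alg': 'none', 'typ': 'JWT'})}.{_json_part(claims)}."


def verify_vulnerable(token, key):
    """Verifier that trusts the algorithm named in the attacker-controlled header,
    so 'none' switches verification off. Returns the claims or None."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    if header["alg"] == "none":
        return json.loads(b64url_decode(payload_b64))
    if header["alg"] == "HS256" and hs256(signing_input, key) == b64url_decode(sig_b64):
        return json.loads(b64url_decode(payload_b64))
    return None


def verify_hardened(token, key, allowed_algs=("HS256",)):
    """Verifier that decides the algorithm itself: an application-fixed allow-list,
    a mandatory non-empty signature, and a constant-time comparison."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") not in allowed_algs:
        return None
    if not signature:
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    if not hmac.compare_digest(hs256(signing_input, key), signature):
        return None
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    legit = jws_sign({"sub": "alice", "admin": False}, DEMO_KEY)
    forged = forge_unsigned({"sub": "alice", "admin": True})
    print("vulnerable verifier, forged token:", verify_vulnerable(forged, DEMO_KEY))
    print("hardened verifier, forged token:  ", verify_hardened(forged, DEMO_KEY))
    print("hardened verifier, legit token:   ", verify_hardened(legit, DEMO_KEY))
```

The forged token needs nothing but a text editor, which is why this check belongs at the top of any JOSE assessment. The hardened verifier also closes the related key-confusion hole (an RS256 token re-signed with HS256 under the public key) for free, because the allow-list is fixed by the application rather than read from the message.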

We asked Dennis a few questions about his topic of choice.

Please tell us the top 5 facts about your talk.

  • In our talk we present our research on the new JavaScript Object Signing and Encryption (JOSE) standards, which were created to apply cryptographic mechanisms directly in JSON messages to protect integrity, authenticity and confidentiality of sensitive data.
  • We investigated the applicability of known attacks ranging from simple signature exclusion or signature faking techniques, which neglect JSON message integrity, up to highly complex cryptographic Bleichenbacher attacks breaking the confidentiality of encrypted JSON messages.
  • We found severe vulnerabilities in six popular JOSE libraries. We responsibly disclosed all weaknesses to the developers and helped them to provide fixes.
  • We introduce JOSEPH (JavaScript Object Signing and Encryption Pentesting Helper) – our newly developed open source Burp Suite extension, which performs (semi-)automatic security checks on targeted applications and aids in manual manipulation and inspection.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

This talk summarizes the results of our research, which was conducted as a Master’s thesis at the Ruhr University in Bochum in cooperation with the CSPi GmbH. The Extensible Markup Language (XML) already enjoys great popularity and allows for cryptographic mechanisms by applying the XML Signature and XML Encryption standards. XML implementations already suffered from several practically applicable attacks and we wanted to check whether JOSE implementations are more secure.

Why do you think this is an important topic?

JavaScript Object Notation (JSON) has evolved to the de-facto standard file format in the web and is used for application configuration, cross- and same-origin data exchange, as well as Single Sign-On (SSO) protocols such as OpenID Connect. Thus, JOSE implementations are used for sensitive processes and data, such as authentication mechanisms, password resets, confidential storage and sensitive data transfer. If those implementations contain weaknesses that allow for any bypass, this probably results in a compromise of user accounts, personal data or full systems.

Is there something you want everybody to know – some good advice for our readers maybe?

Usually, it’s not a good idea to implement your own cryptography. Most weaknesses in the field of cryptography result from implementation issues and missing knowledge of known and possible attacks. Especially companies should invest a lot more in security analyses and audits.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

There exist more known attacks against cryptographic systems and possible pitfalls. Such attacks are, for example, adaptive chosen-ciphertext attacks on the CBC mode and invalid curve attacks. With respect to future work, the analysis of such attacks on JOSE is considered essential. Furthermore, the usage of JOSE in complex systems like JSON-based web services and protocols like OpenID Connect should be in the scope of further research. Similar to the security analysis of XML-based services, an in-depth evaluation could lead to the discovery of completely new attacks. Additionally, JOSE’s advantages of being simple, self-contained and designed for usage in space-constrained environments open future use-cases in the field of the Internet of Things and Industry 4.0.


Dennis has a Master’s degree of IT security from the Ruhr-University Bochum and works as a penetration tester at the CSPi GmbH in Cologne. He has an avid interest in web, network and industrial security and loves to research and hunt for bugs.

DeepSec2017 Talk: Building Security Teams – Astera Schneeweisz

While ‘security is not a team’, you’ll find that most companies growing just beyond 60-80 people start employing a group of people focusing primarily on the topic. But the culture of secure engineering in a company does not only strongly correlate with when you start building a security team – it becomes (and grows as) a matter of how they connect with the rest of your organization, and make security, adversarial thinking, and the care for user safety and privacy part of everyone’s concern. In this talk, Astera will review what the purposes of a security team can be, which challenges you’ll face, how you can make it scale beyond the team’s boundaries; as well as proven good practices of running (fairly operational) engineering teams themselves. Whether your organization already has a security team or is currently distributing security demands across areas, you’ll be able to take away how to build (out) a dedicated security team and make your engineers (and, spoiler alert, other teams!) happy, healthy, and sustainable for the years to come.

Please tell us the top 5 facts about your talk.

At a certain organizational size, you might (very likely) need a dedicated security team – but you shall never think of security as a team. You’ll need to consider the boundaries of responsibility for that team, or you won’t be able to scale. The way to get your products and users more secure, is through making security part of your company’s (engineering) culture. You want your teams across the org to work together, because they care about a common cause, and be happy doing so. There’s nothing magical-unicorn-y around security, and we should actively make people stop thinking that security engineers are more special than other people.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

I often receive the same questions again and again from people (think VP of engineering more than security lead) working at other organizations, not about vulnerabilities or tools or some sort of snakeoil they might have heard of, but about how we managed to get our teams to work together as they do, and deliver the results they do. I figured I’d put the common questions (minus everything about compliance) into one handy talk.

Why do you think this is an important topic?

Because people >> technology, and we should talk more about how we meet what’s expected of us today with the teams we get to build.

Is there something you want everybody to know – some good advice for our readers maybe?

If I wanted attendees to at least remember one single thing from my talk, it would be: Hire people with empathy, not 0days.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to particularly your field of expertise / the topic of your talk?

I’m afraid I don’t have an answer to that 😉

Astera has always been fascinated with machines and how to make them do her own bidding, working in defensive security for the past decade. More recently, she’s grown to love and prioritize the challenge of working with real humans in her life, and exciting others about this frontier. She works as the Director of Security at SoundCloud’s Berlin headquarters, overseeing the Security, User Auth, Anti-Abuse, and Corporate IT teams.


Notes on the ROOTS Schedule and the Conference

We are all set for the conference on Thursday. We made some last-minute changes to the schedule because some speakers ran into issues, but we can confirm almost all presentations. You may have noticed the ROOTS schedule. It’s a bit shorter than DeepSec’s, but the two events are not competing. The review for ROOTS is a lot stricter, because each presentation is about a scientific publication. This means your submission gets peer-reviewed and voted on by the programme committee. We received some content more suitable for, let’s say, standard events. This won’t do, and this is why you see only the best ROOTS submissions published in the schedule.

All in all we are very glad to present you high quality presentations from speakers who really know information security. Enjoy!

See you at DeepSec!

DeepSec 2017 Talk: How I Rob Banks – Freakyclown

You are in for an adventure at DeepSec this year. We have a tour on robbing banks for you:

A light-hearted trip through security failures, both physical and electronic, that have enabled me over the years to circumvent the security of most of the world’s largest banks. Through the use of tales from the front line and useful illustrative slides, I will attempt to take you through the lessons to be learned from an ethical hacker with a penchant for breaking into the impossible. Let me take you on a rollercoaster ride of epic fails and grandiose plans and my Jason Bourne-like adventures including lockpicking, kidnap, police chases and multi-million pound bank heists.

FC is a well-known ethical hacker and social engineer. He has been working in the infosec field for over 20 years and excels at circumventing access controls. He has held positions such as Senior Penetration Tester as well as Head of Social Engineering and Physical Assessments for renowned penetration testing companies. As Head of Cyber Research for Raytheon Missile Systems, and having worked closely alongside intelligence agencies, he has cemented both his skill set and knowledge and helped steer governments towards the correct courses of action against national threats.

As an ethical hacker and social engineer, FC ‘breaks into’ hundreds of banks, offices and government facilities in the UK and Europe. His work demonstrating weaknesses in physical, personnel and digital controls assists organisations to improve their security. He is motivated by a drive to make individuals, organisations and countries more secure and better-able to defend themselves from malicious attack.

Now Co-Founder and Head of Ethical Hacking at Redacted Firm, he continues to perform valuable research into vulnerabilities. His client list includes major high-street banks in the UK and Europe, FTSE100 companies and multiple government agencies and security forces. FC frequently gives talks at corporate events, security conferences, universities and schools and focuses on teaching people of all ages the art of security in an engaging and impactful way. He co-founded the Surrey and Hampshire Hackspace as well as Defcon 441452. He has co-hosted many podcasts, been featured in the press and regularly writes articles for journals and blogs.

Screening of “The Maze” at DeepSec 2017

We have some news for you. Everyone attending DeepSec 2017 will get a cinematic finish on the last day of the conference. We will be showing The Maze by Friedrich Moser. For all who don’t know Friedrich’s works: He is the director of A Good American which was screened at DeepSec 2015. The Maze is a documentary covering terrorism, counter-terrorism, surveillance, business, and politics. So it’s basically information security in a nutshell. Right after the closing of DeepSec you can enjoy The Maze – with popcorn and hopefully everyone who is attending DeepSec. We have seen the documentary before, and we highly recommend it!

The Maze from Friedrich Moser on Vimeo.

DeepSec 2017 Workshop: Smart Lockpicking – Hands-on Exploiting Contemporary Locks and Access Control Systems – Slawomir Jasek

You can, quite reasonably, expect smart locks and access control systems to be free from alarming security vulnerabilities, such a common issue for the average IoT device. Well, this training will prove you wrong. After performing multiple hands-on exercises with a dozen real devices and various technologies, you will never look at these devices the same way. Smart lockpicking is something to scare you, not just on Halloween.



We asked Slawomir a few questions about his training:

Please tell us the top 5 facts about your workshop.

  • Focused on hands-on, practical exercises with real devices
  • Lots of various topics and technologies covered
  • Regardless if you are a beginner or a skilled pentester, you will learn something new and have a good time
  • Many exercises designed as “homework”, possible to repeat later at home
  • Includes hardware pack (about 100€ value) for each student, consisting of Raspberry Pi, NFC board, and Bluetooth Low Energy sniffer. The hardware will allow you to crack and clone NFC cards, sniff and analyse Bluetooth Low Energy connections


How did you come up with it? Was there something like an initial spark that set your mind on creating this Workshop?

I wanted to focus on devices everyone can encounter, yet common sense is that we can trust their security. Practical exercises debunking your „comfort zone“, performed hands-on yourself, are in my opinion one of best ways to effectively learn a given topic. Also, once you master assessment of the ones supposed to be most secure, other IoT devices will seem to you even more giant „jar of bugs”.

So, smart locks, electronic safety and access control systems were the natural choice here. Vendors’ claims on the security rendered them even more attractive for the task. And it soon turned out that in so many cases „the king is naked”. A significant number of such devices have serious security flaws that can be exploited even by non-highly skilled intruder. And as a result cause serious loss.

Why do you think this is an important topic?

I think a quick scroll through the recent headlines will do as a sufficient answer. Of course the media often overestimate the real risk, but you just can’t ignore the fact anymore that the smart devices are increasingly surrounding us, and their security level is usually still far from acceptable.

I am very enthusiastic about new technologies, but on the other hand I think before entrusting our lives to them, we should first understand and mitigate the associated risks.

Is there something you want everybody to know – some good advice for our readers maybe?

Did I mention the free Raspberry and other goodies – for NFC card cloning and BLE sniffing already?

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to particularly your field of expertise / the topic of your training?

The digital revolution will not stop. And unless you hide in a cave, you will encounter the new smart devices responsible for your safety. Don’t let them catch you by surprise.

Slawomir is an IT security consultant with over 10 years of experience. He participated in many assessments of systems’ and applications’ security for leading financial companies and public institutions across the world, including a few dozen e-banking systems. He also developed secure embedded systems certified for use by national agencies. Slawomir has an MSc in automation & robotics and loves to hack various devices, gadgets, home automation and industrial systems. Besides his current research (BLE, HCE), he focuses on consulting on secure solutions for various software and hardware projects. Speaker at BlackHat USA (new Bluetooth Smart man-in-the-middle proxy tool), AppSec EU (insecurity of proprietary network protocols), HITB (HCE contactless payments), Confidence (IoT), Devoxx and other conferences for developers (SDLC, mobile application security). Trainer at DeepSec, AppSec EU, HackInParis, HackInTheBox, Confidence.


The only responsible Encryption is End-to-End Encryption

Last week the Privacy Week 2017 took place: seven days full of workshops and presentations about privacy, which included some security content as well. We provided some background information about the Internet of Things, the data every one of us leaks, and the assessment of backdoors in cryptography and operating systems. It’s amazing to see for how long the Crypto Wars have been raging. The call for backdoors and structural weaknesses in encryption has never been silenced. Occasionally the emperor gets new clothes, but this doesn’t change the fact that some groups wish to destroy crypto for all of us. The next battle is fought under the disguise of responsible encryption. Deputy Attorney General Rod J. Rosenstein coined this phrase as a new marketing strategy for backdoors.

Once you have backdoors in any technology, it ceases to be secure. Technology companies, academics, and information security researchers have all worked to improve the hardware and software we use on a daily basis. Even governments rely on secure applications and protocols. It is technically impossible to have security in anything that is backdoored. It is really that simple. The discussion has been raging since the ill-advised Clipper Chip, basically ever since strong encryption became available to businesses and private persons in the world of IT.

Kurt Opsahl wrote an analysis which we highly recommend. In case you hear someone mumbling about responsible encryption, please make sure that you explain to this someone that strong crypto is the correct answer. Anyone not believing this should attend DeepSec. We love to discuss and analyse all different approaches. Warning: The discussion will probably get really short.

Update: Dear journalists, please refrain from using the terms responsible encryption and going dark as if they were actual information technologies. Always use quotes („“ or “”) to mark these terms as vague. It makes the job of security researchers much easier. Thank you!

DeepSec 2017 Talk: BitCracker – BitLocker Meets GPUs – Elena Agostini

Encryption and ways to break it go hand in hand. In the digital world, rapidly trying different keys may lead to success, provided you have sufficient computing power. Graphics processing units (GPUs) have come a long way from just preparing the bits to be sent to the display device. Nowadays GPUs are used for a lot of computationally expensive tasks. At DeepSec 2017 you will hear about keys, encryption, and storage encryption, all with the use of GPUs, but for the purpose of cracking keys.

BitLocker (formerly BitLocker Drive Encryption) is a full-disk encryption feature available in recent Windows versions (Vista, 7, 8.1 and 10). It is designed to protect data by encrypting several types of storage media, such as internal hard disks or external removable devices (the BitLocker To Go feature), and offers a number of different authentication methods, like Trusted Platform Module, Smart Card, Recovery Key, password, and the like.

During this talk Elena will describe how the password authentication method works and the algorithms used during the decryption procedure; she’ll give an insight into the complex architecture of BitLocker’s keys, analysing the BDE format and the metadata structures of an encrypted volume.

Finally Elena will present BitCracker, the first open source password cracking tool for storage volumes encrypted with BitLocker using the password authentication method. It aims at finding the right password by running a dictionary attack on GPUs. BitCracker is able to test up to 1400 passwords per second (about 2.9 billion SHA-256 computations per second) on an NVIDIA Tesla P100 GPU. The ratio between the two figures, roughly two million SHA-256 computations per candidate, is the cost of BitLocker’s key stretching: each candidate password has to be run through just over a million iterations of SHA-256 before the resulting key can be tested against the volume metadata.

Currently, BitCracker is the OpenCL BitLocker format of John the Ripper, but there is also a standalone CUDA implementation available.
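The throughput figures above only make sense once you see what testing a single password costs. The following is an added example, not BitCracker's code and not from the speakers: a pure-Python reference of BitLocker's password key derivation as it is publicly documented (the 88-byte layout and the round count of 0x100000 are taken from the public BDE format description and should be treated as an assumption here), together with the cost arithmetic that turns 1400 candidates/s into roughly 2.9 billion SHA-256 blocks/s. The salt and password in the demo are constructed; a real salt lives in the volume's FVE metadata, and the derived key would still have to decrypt the volume master key before it was of any use.

```python
import hashlib
import struct

# Round count of BitLocker's password key derivation (assumption: layout and
# count follow the public BDE format description, e.g. libbde's documentation).
ITERATIONS = 0x100000  # 1,048,576

# Throughput quoted in the post for BitCracker on a Tesla P100.
P100_CANDIDATES_PER_SECOND = 1400


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Reference of the password -> intermediate key derivation (CPU, slow on purpose).

    The password is encoded as UTF-16LE and SHA-256 hashed twice; the result is
    then chained through an 88-byte structure for `iterations` rounds:
        last_hash (32) | password_hash (32) | salt (16) | round counter (8, LE)
    Every round depends on the previous one, so a GPU cannot parallelise a single
    candidate, only many candidates side by side.
    """
    if len(salt) != 16:
        raise ValueError("BitLocker password salt is 16 bytes")
    password_hash = hashlib.sha256(
        hashlib.sha256(password.encode("utf-16-le")).digest()
    ).digest()
    last_hash = bytes(32)  # the chain starts from an all-zero hash
    for counter in range(iterations):
        block = last_hash + password_hash + salt + struct.pack("<Q", counter)
        last_hash = hashlib.sha256(block).digest()
    return last_hash


def sha256_compressions_per_candidate(iterations: int = ITERATIONS) -> int:
    """SHA-256 compression-function calls needed to test one password.

    Each round hashes 88 bytes; with padding (0x80 byte + 8-byte length) that is
    97 bytes, i.e. two 64-byte SHA-256 blocks per round. This is why the post's
    1400 candidates/s correspond to about 2.9e9 SHA-256 blocks/s.
    """
    padded = 88 + 1 + 8
    blocks_per_round = (padded + 63) // 64
    return iterations * blocks_per_round


def sha256_rate(candidates_per_second: float, iterations: int = ITERATIONS) -> float:
    """Translate a candidate rate into SHA-256 blocks per second."""
    return candidates_per_second * sha256_compressions_per_candidate(iterations)


def years_to_exhaust(candidates: int,
                     candidates_per_second: float = P100_CANDIDATES_PER_SECOND) -> float:
    """Time for one GPU at the quoted rate to try every candidate in a search space."""
    seconds = candidates / candidates_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed inputs for illustration only (not a real volume's salt).
    demo_salt = bytes(range(16))
    key = derive_key("correct horse battery staple", demo_salt, iterations=1000)
    print("intermediate key after 1000 rounds:", key.hex())
    print("SHA-256 blocks per candidate:", sha256_compressions_per_candidate())
    print("SHA-256 blocks/s at 1400 candidates/s: %.2e"
          % sha256_rate(P100_CANDIDATES_PER_SECOND))
    print("years for one P100 to exhaust 8 chars of [a-z0-9]: %.1f"
          % years_to_exhaust(36 ** 8))
```

The last line of the demo is the defender's takeaway: at 1400 candidates/s a single P100 needs roughly 64 years for a full 8-character lowercase-plus-digits space, so the dictionary attack the talk describes only pays off against passwords that are in a dictionary or follow predictable patterns. A longer passphrase, or the TPM-backed protectors that do not involve a user password at all, moves the volume out of that range.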

Elena Agostini received her PhD in Computer Science from the University of Rome “La Sapienza” in collaboration with the National Research Council of Italy. The main topics of her research are GPUs, used both for cryptanalysis and for communications, and wireless network protocols.

Massimo Bernaschi is the second author of the talk Elena is going to present at DeepSec. He has been 10 years with IBM working in High Performance Computing. Currently he is with the National Research Council of Italy (CNR) as Chief Technology Officer of the Institute for Computing Applications. He is also an adjunct professor of Computer Science at “Sapienza” University in Rome.

DeepSec 2017 Talk: Who Hid My Desktop – Deep Dive Into hVNC – Or Safran & Pavel Asinovsky

Seeing is believing. If you sit in front of your desktop and everything looks as it should look, then you are not in the Matrix, right? Right? Well, maybe. Manipulating the surface to make something look similar is a technique also used by phishers, spammers, and social engineers. But what if the attacker sitting on your computer does not need to see what you see? Enter hidden virtual network computing, where malicious software controls your system and you don’t know about it.

For the past decade, financial institutions have increasingly been faced with the problem of malware stealing hefty amounts of money by performing fraudulent fund transfers from their customers’ online banking accounts. Many vendors attempt to solve this issue by developing sophisticated products for classifying or risk scoring each transaction. Often, identifying legitimate account holders is based on detecting whether the transaction is made from the legitimate user’s machine or from an untrusted endpoint.

Going back 10 years, and still today, some checks are based on the IP address/geolocation of the machine performing the transaction, compared with the user’s typical whereabouts. To defeat this check, malware authors simply turned the user’s machine into a proxy, making the transaction appear to originate from the same IP address.

Device identification became increasingly sophisticated over the years, adding many parameters of the user’s environment to fingerprint trusted devices. But cybercrime is an arms race, and malware developers did not fall behind. To sidestep device fingerprinting entirely, they have devised their own circumvention technique: hidden VNC (Virtual Network Computing), which enables them to commit the fraudulent transaction from the user’s own machine without ever being noticed.

In this lecture, Or and Pavel will talk about hVNC in general, but also present and demo the specific use case of Gozi’s proprietary hVNC tool, which they reversed and broke in their labs. Gozi is one of the most advanced financial crime tools. It is operated by a cyber gang and sees constant innovation and upgrades.

In their talk at DeepSec 2017, Pavel and Or will elaborate on the following subjects:

  • What is VNC, and what are its legitimate uses?
  • What is hVNC, and why is it used in crime?
  • Which financial malware families use hVNC?
  • Show some of the hVNC dirty tricks and explain them.
  • Explain the reversing of Gozi ISFB’s hVNC module (architecture & structure).
  • Live Demo [1/2] – execute the hVNC module and present a live session.
  • Live Demo [2/2] – seeing the actual fraudster session (the hidden part) – script and demo.
  • Provide the audience with detection and mitigation advice.
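One piece of detection advice a defender can act on before the talk: a hidden VNC session has to run the fraudster's browser somewhere the victim cannot see it. The following is an added example, not from the post or the speakers, and it rests on an assumption suggested by the talk title: that the hidden session lives on a separate Windows desktop created with CreateDesktop inside the interactive window station, which never becomes the visible input desktop. The script enumerates desktops with the Win32 EnumDesktopsW API and flags any name Windows did not create itself. The sample enumeration is constructed for the example, and the name hvnc_d3sk in it is invented.

```python
import sys
import ctypes

# Desktops Windows creates itself in the interactive window station (WinSta0).
# Anything else is worth a look.
KNOWN_DESKTOPS = {"default", "winlogon", "disconnect", "screen-saver"}


def suspicious_desktops(names):
    """Return, sorted, the desktop names that are not among Windows' own.

    Heuristic (assumption): a hidden-VNC module drives its browser on a desktop
    it created with CreateDesktop; that desktop never becomes the input desktop
    and therefore never shows up on the victim's screen.
    """
    return sorted(n for n in names if n.lower() not in KNOWN_DESKTOPS)


def enumerate_desktops():
    """List the desktops of the calling process' window station (Windows only).

    EnumDesktops only reports desktops on which the caller holds the
    DESKTOP_ENUMERATE right, so run this inside the user's interactive session
    with administrative rights and read an empty result as 'nothing visible',
    not 'nothing there'.
    """
    if sys.platform != "win32":
        raise OSError("EnumDesktopsW is a Win32 API; run this on Windows")
    from ctypes import wintypes  # imported here so the module loads elsewhere too

    user32 = ctypes.WinDLL("user32", use_last_error=True)
    DESKTOPENUMPROC = ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.LPWSTR, wintypes.LPARAM)
    user32.GetProcessWindowStation.restype = wintypes.HWINSTA
    user32.EnumDesktopsW.argtypes = [wintypes.HWINSTA, DESKTOPENUMPROC, wintypes.LPARAM]
    user32.EnumDesktopsW.restype = wintypes.BOOL

    found = []

    @DESKTOPENUMPROC
    def on_desktop(name, _lparam):
        found.append(name)
        return True  # keep enumerating

    if not user32.EnumDesktopsW(user32.GetProcessWindowStation(), on_desktop, 0):
        raise ctypes.WinError(ctypes.get_last_error())
    return found


# Constructed sample of what an enumeration might return on an infected host;
# the last entry is an invented name used only to exercise the heuristic.
SAMPLE_ENUMERATION = ["Default", "Winlogon", "Disconnect", "Screen-saver", "hvnc_d3sk"]


def main():
    names = enumerate_desktops() if sys.platform == "win32" else SAMPLE_ENUMERATION
    flagged = suspicious_desktops(names)
    if not flagged:
        print("no unexpected desktops")
    for name in flagged:
        print("unexpected desktop:", name)


if __name__ == "__main__":
    main()
```

Treat a hit as a lead, not a verdict: some legitimate software (remote-support tools, secure-input prompts) also creates its own desktops, and malware can name its desktop anything, so the value of the check is in following up on which process created the desktop and what runs on it. The check is also blind to hVNC implementations that hide their session another way; it covers the hidden-desktop variant the talk title points at.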

This session is best suited for stakeholders who work in the anti-fraud departments of their organizations, malware researchers, analysts, and cybercrime investigators. The session requires basic understanding of what banking Trojans are, but does not require specific technical knowledge beyond an information security background.

Pavel Asinovsky has been a malware researcher at IBM Trusteer for more than two years. Prior to that Pavel worked as a malware researcher for F5 Networks and as a malware analyst at RSA-EMC. Pavel has wide experience and interest in malware analysis.

Or Safran has been a malware researcher at IBM Trusteer for three years and holds a Bachelor of Science degree in Computer Software Engineering. Or has a keen interest in hardware and software reverse engineering.