In Korea in particular, hackers have distributed sophisticated and complex financial-fraud Android malware through various means of distribution, such as SMS phishing, Google Play, compromised web servers and home routers (IoT). In some cases, both smartphone and PC users are targeted simultaneously.
Inseung Yang and his team collect Android malware via an automated analysis system and detect obfuscation and malicious packer apps. In his presentation Inseung Yang will describe trends in malicious Android apps and obfuscated mobile malware in Korea. He’ll explain the policy methods for Korean mobile banking and the attack methods used by hackers, e.g. the theft of banking certificates, fake banking apps that request the security numbers issued to users when they open their accounts, Automatic Response Service (ARS) phishing attacks in conjunction with call forwarding, and the requesting of the One Time Password (OTP) number.
But Inseung will not only talk about recent trends in obfuscated malicious Android apps in Korea, he’ll also explain various mobile protection techniques for dealing with obfuscation, packing, anti-debugging and other methods used to obstruct the detection and analysis of malware.
Inseung Yang is a member of the Analysis Team at KrCERT/CC, KISA.
Everything that’s old is new again, and if you work in security long enough, you’ll see the same ideas re-invented and marketed as the new new thing. Or, you see solutions in search of a problem, dusted off and re-marketed in a new niche.
At this year’s DeepSec conference the keynote will be given by Marcus Ranum, who set up the first email server for whitehouse.gov. He will reflect upon over 30 years of IT security and make a few wild guesses for where this all may wind up. Spoiler alert: Security will not be a “solved” problem.
Marcus answered a few questions beforehand:
It’s all about management cost.
Marcus J. Ranum works for Tenable Security, Inc. and is a world-renowned expert on security system design and implementation. He has been involved in every level of the security industry from product coder to CEO of a successful start-up. He is an ISSA fellow and holds achievement and service awards from several industry groups.
In his talk Juraj Somorovsky presents TLS-Attacker, a novel framework for evaluating the security of TLS libraries. Using a simple interface, TLS-Attacker allows security engineers to create custom TLS message flows and arbitrarily modify TLS message contents in order to test the behavior of their TLS libraries. Based on TLS-Attacker, he and his team first developed a two-stage TLS fuzzing approach. This approach automatically searches for cryptographic failures and boundary violation vulnerabilities. It allowed him to find unusual padding oracle vulnerabilities and overflows/overreads in widely used TLS libraries, including OpenSSL, Botan, and MatrixSSL.
Juraj’s findings encouraged the use of comprehensive test suites for the evaluation of TLS libraries, including positive as well as negative tests. He and his team used TLS-Attacker to create such a test suite framework, which finds further problems in TLS libraries.
TLS-Attacker is an open source tool, and is currently being deployed for internal tests in Botan and MatrixSSL. We asked Juraj Somorovsky some questions about his matter of interest.
In recent years we could observe many vulnerabilities in important TLS implementations. We saw attacks targeting improper encryption algorithms and configurations, complex state machine attacks, or buffer overflows and overreads. This motivated us to create a tool that allows security researchers to easily implement proof-of-concept attacks, or execute fuzzing and find such attacks automatically.
TLS is arguably the most important cryptographic protocol. We use it every day in our browser to login on our favourite web sites or to execute secure payments. Its security evaluation is therefore of huge importance.
This talk is for everybody who is interested in TLS and secure crypto protocols. As a security researcher or pentester you will learn how to execute specific attacks like padding oracles. As a security developer you will learn how to evaluate the security of your TLS servers.
The new TLS 1.3 standard is being developed. This standard will be integrated into new TLS libraries, including further novel TLS features and extensions. These new implementations will lead to novel security bugs and problems. We hope that with careful, systematic TLS fuzzing and testing new security problems can be eliminated.
Dr. Juraj Somorovsky is a security researcher at the Ruhr University Bochum, and co-founder of Hackmanit GmbH. He is a co-author of several TLS attacks (e.g., DROWN), and the main developer of a flexible tool for TLS analyses: TLS-Attacker (https://github.com/RUB-NDS/TLS-Attacker). He presented his work at many scientific and industry conferences, including Usenix Security, Blackhat, Deepsec and OWASP Europe.
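The positive/negative test-suite idea from the announcement above, as an added example that is not TLS-Attacker’s code (a compact Python stand-in; the real tool is a Java framework): a strict ClientHello parser, plus constructed mutations of a valid message whose length fields disagree with the data, the boundary-violation class the fuzzing approach hunts for. All names, offsets and sample messages are this example’s own.

```python
"""Strict TLS ClientHello parser with positive and negative test cases.
Added example, not TLS-Attacker's code: every nested length field is checked
against its container, and constructed mutations of a valid ClientHello must
be rejected with TLSParseError rather than accepted or crashing the parser."""
import os
import struct

HANDSHAKE, CLIENT_HELLO = 0x16, 0x01

class TLSParseError(ValueError):
    """Raised for malformed input; any other exception is a parser bug."""

class _Reader:
    """Bounds-checked cursor over a byte string."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise TLSParseError(f"need {n} bytes at offset {self.pos}")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def uint(self, n):
        return int.from_bytes(self.take(n), "big")
    def vector(self, len_bytes):           # TLS <length><data> vector
        return self.take(self.uint(len_bytes))

def build_client_hello(cipher_suites=(0xC02F, 0x1301), client_random=None):
    """Build one TLS record carrying a minimal but valid ClientHello."""
    body = struct.pack("!H", 0x0303) + (client_random or os.urandom(32))
    body += b"\x00"                                  # empty session id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                              # one method: null
    body += struct.pack("!H", 0)                     # empty extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(handshake)) + handshake

def parse_client_hello(record):
    """Parse strictly: every length must fit its enclosing length exactly."""
    r = _Reader(record)
    ctype, _legacy_version, rlen = r.uint(1), r.uint(2), r.uint(2)
    if ctype != HANDSHAKE:
        raise TLSParseError("not a handshake record")
    hs = _Reader(r.take(rlen))
    if r.pos != len(r.data):
        raise TLSParseError("trailing bytes after record")
    htype, hlen = hs.uint(1), hs.uint(3)
    if htype != CLIENT_HELLO:
        raise TLSParseError("not a ClientHello")
    body = _Reader(hs.take(hlen))
    if hs.pos != len(hs.data):
        raise TLSParseError("trailing bytes after handshake message")
    hello = {"version": body.uint(2), "random": body.take(32),
             "session_id": body.vector(1)}
    suites = body.vector(2)
    if not suites or len(suites) % 2:
        raise TLSParseError("cipher_suites length must be even and non-zero")
    hello["cipher_suites"] = [int.from_bytes(suites[i:i + 2], "big")
                              for i in range(0, len(suites), 2)]
    hello["compression_methods"] = body.vector(1)
    if not hello["compression_methods"]:
        raise TLSParseError("compression_methods must not be empty")
    hello["extensions"] = b"" if body.pos == len(body.data) else body.vector(2)
    if body.pos != len(body.data):
        raise TLSParseError("trailing bytes after extensions")
    return hello

def _patched(record, offset, value):
    m = bytearray(record)
    m[offset:offset + len(value)] = value
    return bytes(m)

def mutations(record):
    """Constructed negative cases: length fields that disagree with the data.
    Offsets assume build_client_hello's layout (cipher_suites length at byte 44)."""
    return {
        "record_len_too_large": _patched(record, 3, struct.pack("!H", len(record) - 4)),
        "handshake_len_too_large": _patched(record, 6, (len(record) + 91).to_bytes(3, "big")),
        "cipher_suites_len_too_large": _patched(record, 44, b"\xff\xff"),
        "cipher_suites_len_odd": _patched(record, 44, struct.pack("!H", 3)),
        "truncated": record[:-3],
        "trailing_byte": record + b"\x00",
    }

def run_suite(record):
    results = {}
    for name, data in [("valid", record)] + list(mutations(record).items()):
        try:
            parse_client_hello(data)
            results[name] = "accepted"          # a failure for every mutation
        except TLSParseError:
            results[name] = "rejected"          # the expected negative result
        except Exception as exc:                # anything else is a crash bug
            results[name] = "crash:" + type(exc).__name__
    return results
```

A real suite would send each case to the library under test and classify its alert, timeout or crash the same way; here the parser itself plays the role of the implementation being evaluated.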
Would you want to let your kids discover the darker corners of the Internet without protection? Wouldn’t it be handy to know what they do online, to be alerted when they search for dangerous keywords and to be able to control what websites they can visit and even when they play games?
Worry no longer, the South Korean government got you covered. Simply install the “Smart Sheriff” app on your and your kids’ phones. Smart Sheriff is the first parental-control mobile app that has been made a legally required, obligatory install in an entire country! Yay, monitoring!
Well, something shady yet mandatory like this cannot come about without an external pentest. And even better, one that wasn’t solicited by the maintainer but initiated by the OTF and CitizenLab and executed by the Cure53 team! In this talk, two of the Cure53 testers involved in the first and, who would have guessed, second penetration test against the “Smart Sheriff” app, will share their findings. Maybe everything went all right, maybe the million kids forced to have this app run on their devices are safe. Maybe. But if so, would there be a talk about it?
We all know mandated surveillance apps to protect children are a great idea, and outsourcing to the lowest bidder always delivers the best results. Right?
Going over the first and second pentest results we will share our impressions about the “security” of this ecosystem and show examples about the “comprehensive” vendor response, addressing “all” the findings impeccably. This talk is a great example of how security research concerning a serious political decision and mandatory measures might achieve nothing at all – or of how a simple pentest together with excellent activist work may spark a political discussion and more.
Abraham was an honors student in Information Security at university. From 2000 until 2007 his work experience was mostly defensive: Fixing vulnerabilities, source code reviews and later on trying to prevent vulnerabilities at the design level as an application and framework architect. From 2007 forward Abraham focused more on the offensive side of security with a special focus on web app security. He is a senior member of the Cure53 team, and a senior consultant for Version 1 – the top IT consultancy in Ireland. Abraham is also the creator of “Practical Web Defense” – a hands-on eLearnSecurity attack and defense course, as well as an OWASP OWTF project leader, and sometimes writes on http://7-a.org or twitter as @7a_ and @owtfp.
Abraham holds a Major degree and a Diploma in Computer Science apart from a number of information security certifications: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+.
As a shell scripting fan trained by unix dinosaurs Abraham wears a proud manly beard.
Fabian did his bachelor’s degree in collaboration with IBM and is now doing his master’s degree at the Technical University in Berlin. He was always interested in IT security and started to seriously get into it after he discovered CTF competitions in 2011, and has since won the German Cyber Security Challenge twice.
Fabian is a senior penetration tester for Cure53 and holds an Offensive Security Certified Professional (OSCP) certification.
Contrary to Abraham, Fabian cannot grow a full beard.
The IT-SeCX 2016 event takes place on 4 November at the St. Pölten University of Applied Sciences LLC. It’s a night of security talks, held by various speakers from the industry, academic world, and other institutions. We will give a presentation exploring the relationship between the fine art of software development and the dark art of information security. We all know about bugs, glitches, error conditions, and flat failures of software design. There are links between the development cycle and the work of information security experts (or sysadmins, who always have to deal with things that break). If you work in any of the professions mentioned, you should drop by and attend the talk.
IT-Security Community Exchange 2016, 4 November 2016, at 19:15 – Wechselwirkungen zwischen Softwareentwicklung und IT Security (Interactions between software development and IT security)
FH St. Pölten
Matthias Corvinus-Straße 15
3100 St. Pölten
Wireless desktop sets have become more popular and more widespread in the last couple of years. From an attacker’s perspective, these radio-based devices represent an attractive target, allowing both to take control of a computer system and to gain knowledge of sensitive data like passwords. Wireless transmissions offer attackers a big advantage: you don’t have to be around to attack something or someone. Plus, the victims often don’t know what is happening.
At DeepSec 2016 Gerhard Klostermeier will present the results of research on the matter of wireless mouse/keyboard attacks. Furthermore, he will demonstrate ways in which modern wireless desktop sets of several manufacturers can be attacked by practically exploiting different security vulnerabilities.
We recommend this talk to anyone still using old-fashioned input devices for creating content.
Gerhard is interested in all things concerning IT security – especially when it comes to hardware or radio protocols. He successfully studied IT security at Aalen University and has been working at SySS GmbH since 2014 as an IT security consultant and penetration tester. Gerhard was a speaker at GPN 2013 – a conference organized by the Chaos Computer Club (CCC) in Karlsruhe – where he talked about hacking RFID-based student cards. He is also the author of the Mifare Classic Tool Android app.
Cyberwar, Cyberterror and Cybercrime have been buzzwords for several years now. Given the correct context, using cyber has merits. However, Cyber-Headlines are full of Cyber-Reports about Cyber-Incidents, Cyber-Hacking and Cyber-Cyber in general. That whole discussion does not only suffer from the sensationalism of journalists and bloggers, there are also some fundamental problems, says Stefan Schumacher. We are still lacking useful definitions for modern IT security threats and we still have to think about the assessment of capabilities in the IT field. Besides institutional actors like states and their military and intelligence community we also have to assess the capabilities of non-institutional actors like terrorist groups or organised crime.
Unlike the assessment of classic military strength (e.g. fighting power or Kriegsstärkenachweise), assessing the capabilities and powers of actors in the IT field is much more complicated and complex. In his talk Stefan will introduce the first tools, methods and statistics to compare hacking capabilities and assess the »cyber fighting power« of different actors. He will look into the capabilities of state actors and their agencies as well as the capabilities of their economies and how well they can be translated into IT security.
Additionally, Stefan Schumacher will try to assess the capabilities of independent groups like organised cyber crime, terrorists and hacking groups. Their capabilities are much harder to assess, so he will look also into their history, culture and ethics to find answers. Finally, Stefan will introduce some tools from IO psychology that can be used to assess the technical capabilities of organisations and the motives and motivations of their members.
Stefan Schumacher is the president of the Magdeburg Institute for Security Research and editor of the Magdeburg Journal for Security Research in Magdeburg/Germany. He started his hacking career before the fall of the Berlin Wall, on a small East German computer with 1.75 MHz and a Datasette drive.
Ever since, he has liked to explore technical and social systems, with a focus on security and how to exploit them. He was a NetBSD developer for some years and involved in several other Open Source projects and events. He studied Educational Science and Psychology, and has done a lot of unique research about the Psychology of Security with a focus on Social Engineering, User Training and Didactics of Security/Cryptography. Currently he’s leading the research project Psychology of Security, focusing on fundamental qualitative and quantitative research about the perception and construction of security. He presents the results of his research regularly at international conferences like AusCert Australia, Chaos Communication Congress, Chaos Communication Camp, DeepSec Vienna, DeepIntel Salzburg, Positive Hack Days Moscow or LinuxDays Luxembourg and in security related journals and books.
In his talk Kurt Kammerer addresses any company’s dilemma: The need for data sharing in the era of IoT while at the same time controlling access and ownership. In order to succeed in business, it is imperative to make data available to customers, suppliers and business partners. However, the explosion and the proclaimed free flow of data can turn against an organisation and threaten its very existence, if not professionally controlled. We asked Mr. Kammerer a few questions beforehand.
My talk addresses the major “data dilemma” that enterprises have to face:
Reconciling these contradictory requirements in daily business life requires full dedication, skill and discipline from all stakeholders of an organisation or ecosystem. At the same time, consumers must be aware of this in order to make informed decisions about with whom they want to share which data.
In the era of IoT, data is king!
Whoever is in control of your data, will be able to control your destiny.
Being in control means being in control of your critical data, and not all data available. We will see gigantic “big data” initiatives fail due to the daunting and cumbersome task of identifying “the needles in the haystack” if the haystack experiences explosive growth. In contrast, we will see “smart data” solutions succeed that do not bet on sheer processing power, but also take relevance into account. Therefore, keeping your “haystack” at a size that fits your barn by filtering out the noise will remain critically important.
Kurt is CEO and co-founder of regify, a software company that focuses on trusted e-communications. As a serial entrepreneur, Kurt has established several software and communication businesses. From 2003 to 2008, he led the growth of US-based VI Agents, a pioneer in business applications delivered as a service. From 1996 to 2002, Kurt served as CEO of living systems AG, an international supplier of e-commerce software which he had co-founded in 1996.
Kurt holds a Business and IT degree from the University of Karlsruhe, Germany. He was honored as a “Technology Pioneer” by the World Economic Forum. He also received awards from the Asia-Europe Young Entrepreneurs Forum in Singapore and the Wharton Infosys Business Forum.
There are many reasons to go to DeepSec this year. It doesn’t matter if you worked on your presentation slides on the way to work, got hacked by a nation state, own a smart device, defused cyber weapons, or simply fight the T-Virus in a hospital. The DeepSec conference is the place to be for exchanging war stories (hey, everyone is at cyber war with someone these days) or talking about ideas to do the next project right. Plus we have to celebrate 10 years of DeepSec conferences!
Looking forward to seeing all of you in Vienna next week!
We are glad to announce that the University of Applied Sciences Upper Austria supports the DeepSec 2016 conference! Their motto “teaching and learning with pleasure – researching with curiosity” fits perfectly with information security. Their courses cover more than just computer science. If you are interested in engineering, economics, management, media, communications, environment, or energy, then you should take a look at their courses.
You can talk to students and staff at their booth. They will show you a selection of projects from the field of information security. Don’t hesitate, ask them with curiosity!
Malicious insider threat is not only a security- or technical-oriented issue; mainly it’s a behavioural one, says Prof. Ulrike Hugl. Insiders are so-called ‘trusted’ or privileged employees, very often with legitimate access to the organization’s systems, and they are hard to catch. Furthermore, it is difficult to find appropriate predictive factors and prevention and detection measures.
In fact, based on new technical developments and opportunities, data theft has become much easier these days: Mobile trends like BYOD, the increased ability to work from home, access to the organization’s systems when on the road, cloud services with related security vulnerabilities for example, as well as more and more malware opportunities have increased the potential of related attacks. Other main security obstacles and trigger factors inside and outside an organization may be, to name a few, a company’s poor market performance and fear of job loss, internal (security-related) budget constraints, the complexity of the internal (IT) environment, competing priorities, a lack of top-level direction and leadership, as well as a lack of awareness training … the list goes on and on.
Anyway, current studies in the field show that malicious insider threat is an increasingly crucial issue for companies and governmental institutions. Besides the mentioned dependence on ICT, new attack forms and collaborations with third parties (for example social engineers and/or hackers) are on the rise.
In her talk Professor Hugl will focus on the current state of insider threat, on motivational and behavioural aspects as well as on current profiles of malicious insiders based on the newest available data. The emphasis on characteristics of malicious insiders is crucial, but one should also be aware of the fact that in many cases of attacks boundaries between insiders and outsiders are blurred. Her talk will close with some starting points for organizational insider threat prevention management. We asked Prof. Hugl some questions beforehand.
An initial point was my work at the University of St. Gallen. There, I think it was about in 2002, first initiatives in the field of Internet of Things (IoT) applications and related IoT research labs came up. At that early state of research, in my impression, the focus of thoughts was mainly on the technological side and what’s achievable in developing new business models with sustainable profit. To me IoT was more than impressive, but also triggering many open questions: What does IoT mean for business, for individuals, for society? How will it change our world? My impression was that most researchers did not really think about aspects like privacy-by-design for consumers/users or even information security-related aspects for organizations. For me this was the starting point for research in the field of new or (potentially) upcoming technologies, related aspects of data protection and (potential) impacts on the whole field of organizational information security.
Why insider threat? First, it’s related to organizational information security. Second, it’s a very interesting topic because diverse fields are involved: from technology, personnel management (like trainings, leadership, and behavior of peers), the organizational structure (e.g. internal whistleblowing systems, counterespionage departments, coordination and control), the external environment of an organization (market development, etc.), to interesting theories and research results from criminology and other disciplines. All in all, and that’s a big point, a human’s behavior is hard to predict. Humans do have their characteristics, their personal environment and their own specific situation inside the organization – and such issues can play a triggering role in conducting misuse.
To summarize, insider threat is – depending on your point of view and the topic you are looking at – blurring the boundaries between various scientific disciplines. Therefore, for me, dealing with this topic is fascinating!
As just mentioned, to protect an organization’s intellectual property and crucial assets, diverse factors have to be considered: personal, organizational, and behavioral factors or indicators to find useful starting points for the prevention and detection of malicious acting of so-called ‘trusted employees’. Current studies show a clear tendency: Insider threat continues to pose the most crucial threat to organizations everywhere. In 2015, more than half, or even up to 60 percent, of all attacks were carried out by malicious insiders. And, as many cases show, such offenders may cause substantial reputational or financial losses.
It’s hard to think of your staff as a potential ‘threat’. Nevertheless, we have to learn that not all our employees have only good intentions. These days we know about diverse starting points, which enable us more and more to ‘walk in an offender’s shoes’. Furthermore, we know about various individual motivational factors as well as organizational and environmental triggers for fraud and misconduct.
I am looking forward to giving you an impression of the current state of research and threat potential in the field, but also perhaps some new thoughts and ideas to implement some measures inside your organization.
From the organizational point of view, in the field of insider threat, the crucial challenge is to find a balance between trust and suspicion when building up related counter-measures. This is sometimes hard and seems like ‘crying for the moon’. But, we all know things are in progress and will further develop.
Another last aspect: Some research is done in all mentioned scientific fields, but more effort is needed to deal with it in a more systematic way and we need many more researchers dealing with this topic. In economic and social sciences, the topic is not really known and far from ‘mainstream’. Within these disciplines traditional research is currently mainly still focused on established and traditional fields of expertise, often with a narrow research focus. However, insider threat and related issues like economic crime and industrial espionage should also be taken into account and be established inside traditional research institutions. They should be treated as very relevant issues for further theoretical innovation and specific managerial implications.
Prof. Ulrike Hugl is senior scientist and lecturer at the University of Innsbruck (School of Management), Department of Accounting, Auditing and Taxation. She is a member of various scientific committees of international conferences and reviews several journals. Her research mainly focuses on new technologies and their impact on information security and data protection of organizations, as well as on occupational/corporate crime (especially insider threat) and industrial espionage issues.
Please tell us the top facts about your talk.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
Well, this is a difficult question. Basically, it is an attitude in front of the computer. When we start a research line, we don’t stop digging until the ultimate doubt and question is addressed. After the GRUB 28 bug, we keep reviewing the rest of the Linux boot sequence.
Why do you think this is an important topic?
Although we will present how to abuse the system through a cryptography service, the root of the problem is the “complexity”: The idea of complexity is not limited to difficult mathematical algorithms or advanced data structures, but also the combination of subsystems increases the overall complexity. The vulnerability that will be presented is a good example of how the addition of new features (in this case, security features) may weaken the system by creating new faults.
Is there something you want everybody to know – some good advice for our readers maybe?
Our talk will show that it is not necessary to use complex exploits or advanced USB hacking devices to hack the system. Knowledge is the only necessary tool. Do you remember the GRUB 28 bug? This time it is a little bit more complex but the result is… surprising.
A prediction for the future – What, do you think, will be the next innovations or future downfalls when it comes to particularly your field of expertise / the topic of your talk?
Thanks to the advances in mitigation techniques (ASLR, NX, SSP, CFI, etc.) and better software engineering methods, the number of exploitable faults may be reduced (as far as the programmers for the IoT do apply those technologies). A more dangerous type of vulnerabilities are those caused by the interaction of two or more systems which work correctly when used separately.
On the other hand, cryptography will always be a hot topic. As crypto algorithms become outdated by the advances in computer power and cryptanalysis, crypto suites must be updated. And new code means new bugs.
Ismael Ripoll received his PhD in computer science from the Universitat Politecnica de Valencia in 1996, where he is professor of several cybersecurity subjects in the Department of Computing Engineering. Before working on security he participated in multiple research projects related to hypervisor solutions for European spacecraft; dynamic memory allocation algorithms; Real-Time Linux; and hard real-time scheduling theory. Currently, he is applying all this background to the security field. His current research interests include memory error defense/attack techniques (SSP and ASLR) and software diversification. Ismael Ripoll is a cybersecurity researcher in the UPV Cybersecurity group.
Hector Marco-Gisbert received his Ph.D. degree in computer science (cybersecurity) in 2015. Initially, he participated in several research projects where the main goal was to develop a hypervisor for the next generation of spacecraft for the ESA (European Space Agency). He contributed to extending the scope of these projects to include security aspects using the MILS (Multiple Independent Levels of Security/Safety) architecture. Currently, Hector Marco is a lecturer in Cyber Security and Virtualisation at the University of the West of Scotland. His research aims to identify and thwart critical security threats focusing on servers and smartphone platforms. His interests include the study and design of new low level attacks and protection mechanisms. He revisited mature and well known techniques like SSP (Stack Smashing Protection) and ASLR (Address Space Layout Randomization), and was able to make substantial contributions, e.g. in the form of RenewSSP and ASLR-NG. Hector received awards and recognitions from Google and Packet Storm Security for his security contributions to the Linux kernel.
Threat Hunting refers to proactively and iteratively searching through networks or datasets to detect and respond to advanced threats that evade traditional rule- or signature-based security solutions. “But what does this really mean?”, asks Thomas Fischer. “And what real impact does it have on the security team? Can we use threat hunting to provide a process to better detect and understand when you’ve been breached?”
More and more security data is being produced and usually aggregated into a central location or body to hopefully take quick and informed decisions on attacks or compromises amongst a mountain of data. When you start to include data gathered from your endpoints the amount of data starts to explode exponentially. This level of data provides us with a large amount of visibility. But is having visibility enough?
What if a more thoughtful and intelligent way of generating alerts could draw an analyst’s attention to the right place at the right time? This would provide context or even flag suspicious behaviour that can become the starting point of a hunt.
In his talk Thomas Fischer will explore this theory and establish working foundations of what threat hunting is and look at some of the challenges associated with gathering large sets of data. This will give us a foundation to look at how we can improve and explore implementing an intelligent threat hunting model to drive the investigation process. We asked him some questions beforehand.
Threat Hunting is the new thing to detect malicious activities in your environment. In the talk we look at what it takes to do threat hunting, the challenges in putting it into place, and how to deal with the volume of data. While most threat hunting pitches talk about using network based data, this talk looks at what kind of end point data can be used, the impact it can have on data volumes and what to look for to start the hunt.
This talk is essentially a story about how to analyse a ton of data and what methods can help. It was born from my own experience in looking at what trends in IR are going on.
It’s important because current automated solutions no longer suffice in detecting the “bad guys”. We need better methods and processes to combat these creative attackers.
In this talk, I share some experiences in what and how to look at threat hunting as a method for detecting malicious activities. Threat hunting is becoming the current in-thing for marketing – hopefully this talk will clear up what threat hunting really means for incident response.
Machine learning will play an important part in IR in the near future. As humans we won’t be able to process the volume of data being generated for IR. So machine learning is the natural next step to highlight “things” that need to be responded to…
With over 25 years of experience, Thomas has a unique view on security in the enterprise, with experience in multiple domains from policy and risk management, secure development, incident response and forensics. Thomas has held roles varying from security architect in large Fortune 500 companies to consultant for both industry vendors and consulting organizations. Thomas currently plays a lead role in advising customers while investigating malicious activity and analyzing threats for Digital Guardian. Thomas is also an active participant in the infosec community not only as a member but also as director of Security BSides London and as an ISSA UK chapter board member.