DeepSec 2016: Social Engineering remains the most dangerous Threat to Companies – DeepSec offers a Workshop on the Defence against Social Manipulation as part of IT

If you follow the news on information security, you see superlative after superlative. Millions of passwords were stolen. Hundreds of thousands of cameras suddenly became tools for blackmail. Countless records were copied without authorization. Often, after a few paragraphs, you read about technical solutions that should put a stop to these burglaries. As a result, one forgets that nowadays hermetically locked doors can be easily opened by a single telephone call or e-mail message. According to a publication of the British Federation of Small Businesses, almost 50% of attacks are social engineering attacks, which means attacks through social manipulation. Against such attacks, investments in technical defense measures remain completely ineffective.

Mere security awareness does not help anymore

In the past, approaches to defending against attacks on the human weak spot have focused on awareness training. But in our modern business world awareness is not enough. The knowledge of the dangers of social engineering, i.e. social manipulation, is already available. Countermeasures must now become much more concrete. Employees must be able to understand, recognize and independently avert the methods of their adversaries. This competency cannot be achieved through security awareness alone. Let’s use the analogy of fire-fighting to underline this point:

The knowledge about a possible fire in the workplace is of little help if nobody is able or allowed to use a fire extinguisher in the event of a crisis. All classic training courses focusing on the defense against social engineering only deal with the topic up to a certain point. Unfortunately, what has to be done after the fire has been discovered is often not discussed at all. But exactly at this point, training has to become tangible, otherwise it does not contribute to the protection of a company.

Social engineering, the poor relation of information security

The serious implications of attacks against the psyche of employees are strongly underestimated. While technical solutions, due to their inscrutable complexity, seem to be highly effective, the study of habits, communication styles, absences, internal company celebrations, daily lunches or after-work activities seems almost banal. But each piece of seemingly banal information is a building block in the attacker’s plan. Counter-measures must therefore be built as a complete campaign; this is easier said than done. Many companies have guidelines for dealing with strangers and sensitive information. Their IT departments are also in the know.

But one has to connect the individual parts to form a network that protects the weak points of human communication in office life, otherwise even the best fire protection system will not suffice. Do not consider your personnel as a potential risk, but as a vital part of your security architecture. Everyone can fall victim to social engineering attacks; there is no shame in that. It is therefore crucial to offer your employees ways to report weaknesses anonymously. If everyone is to pull together, the threshold for co-operation must be as low as possible, especially when it comes to security.

Hands-on workshop with practical exercises, based on examples from the real world

One of the focus points of the 10th DeepSec In-Depth Security Conference will be social engineering and how to defend yourself against it. The conference program includes not only lectures on the subject but also a training course conducted by two experts in this field. In a two-day workshop, Cyni Winegard and Bethany Ward will present real-world scenarios and enact them with the participants. The course aims not only to create awareness, but to use practical examples and role playing so that participants gain experience that can be incorporated into their own habits. All examples will be tailored to the abilities of the participants – and to the weaknesses of their professional environment.

A defense has to acknowledge and withstand the abilities of your opponents. The workshop Penetration Testing Humans helps to create a real defense of the human psyche. The trainers bring their experience from many years of security tests and confront the participants with real dialogues and actions from successful attacks.

The complete program of the DeepSec Conference is available at

https://deepsec.net/schedule.html

The workshops will be held on the 8/9 November 2016.

The conference takes place on 10/11 November.

Workshop & Conference Venue: The Imperial Riding School Vienna – A Renaissance Hotel, Ungargasse 60, 1030 Vienna.

IT-SeCX 2016: Talk about Relationship between Software Development and IT Security

The IT-SeCX 2016 event takes place on 4 November at the St. Pölten University of Applied Sciences LLC. It’s a night of security talks, held by various speakers from the industry, the academic world, and other institutions. We will give a presentation exploring the relationship between the fine art of software development and the dark art of information security. We all know about bugs, glitches, error conditions, and flat failures of software design. There are links between the development cycle and the work of information security experts (or sysadmins, who always have to deal with things that break). If you work in any of the professions mentioned, you should drop by and attend the talk.

IT-Security Community Exchange 2016, 4 November 2016, at 19:15 – Wechselwirkungen zwischen Softwareentwicklung und IT Security (Interactions between Software Development and IT Security)

FH St. Pölten
Matthias Corvinus-Straße 15
3100 St. Pölten

DeepSec2016 Talk: Of Mice and Keyboards: On the Security of Modern Wireless Desktop Sets – Gerhard Klostermeier

Wireless desktop sets have become more popular and more widespread in the last couple of years. From an attacker’s perspective, these radio-based devices represent an attractive target, allowing them both to take control of a computer system and to learn sensitive data like passwords. Wireless transmissions offer attackers a big advantage: you don’t have to be nearby to attack something or someone. Plus, the victims often don’t know what is happening.

At DeepSec 2016 Gerhard Klostermeier will present the results of research on the matter of wireless mouse/keyboard attacks. Furthermore, he will demonstrate ways in which modern wireless desktop sets of several manufacturers can be attacked by practically exploiting different security vulnerabilities.

We recommend this talk to anyone still using old-fashioned input devices for creating content.


Gerhard is interested in all things concerning IT security – especially when it comes to hardware or radio protocols. He successfully studied IT security at Aalen University and has been working at SySS GmbH since 2014 as an IT security consultant and penetration tester. Gerhard was a speaker at GPN 2013 – a conference organized by the Chaos Computer Club (CCC) in Karlsruhe – where he talked about hacking RFID-based student cards. He is also the author of the Mifare Classic Tool Android app.

DeepSec 2016 Talk: Assessing the Hacking Capabilities of Institutional and Non-institutional Players – Stefan Schumacher

Cyberwar, Cyberterror and Cybercrime have been buzzwords for several years now. Given the correct context, using “cyber” has merits. However, cyber headlines are full of cyber reports about cyber incidents, cyber hacking and cyber-cyber in general. That whole discussion does not only suffer from the sensationalism of journalists and bloggers; there are also some fundamental problems, says Stefan Schumacher. We are still lacking useful definitions for modern IT security threats, and we still have to think about the assessment of capabilities in the IT field. Besides institutional actors like states and their military and intelligence community, we also have to assess the capabilities of non-institutional actors like terrorist groups or organised crime.

Unlike the assessment of classic military strength (e.g. fighting power or Kriegsstärkenachweise), assessing the capabilities and powers of actors in the IT field is much more complicated and complex. In his talk Stefan will introduce the first tools, methods and statistics to compare hacking capabilities and assess the »cyber fighting power« of different actors. He will look into the capabilities of state actors and their agencies as well as the capabilities of their economies and how well they can be translated into IT security.

Additionally, Stefan Schumacher will try to assess the capabilities of independent groups like organised cyber crime, terrorists and hacking groups. Their capabilities are much harder to assess, so he will also look into their history, culture and ethics to find answers. Finally, Stefan will introduce some tools from IO psychology that can be used to assess the technical capabilities of organisations and the motives and motivations of their members.

Stefan Schumacher is the president of the Magdeburg Institute for Security Research and editor of the Magdeburg Journal for Security Research in Magdeburg/Germany. He started his hacking career before the fall of the Berlin Wall, on a small East German computer with 1.75 MHz and a Datasette drive.
Ever since, he has liked to explore technical and social systems, with a focus on security and how to exploit them. He was a NetBSD developer for some years and was involved in several other Open Source projects and events. He studied Educational Science and Psychology and has done a lot of unique research about the Psychology of Security with a focus on Social Engineering, User Training and Didactics of Security/Cryptography. Currently he’s leading the research project Psychology of Security, focusing on fundamental qualitative and quantitative research about the perception and construction of security. He presents the results of his research regularly at international conferences like AusCert Australia, Chaos Communication Congress, Chaos Communication Camp, DeepSec Vienna, DeepIntel Salzburg, Positive Hack Days Moscow or LinuxDays Luxembourg and in security related journals and books.

DeepSec 2016 Talk: Why Companies Must Control Their Data in the Era of IoT – and How To – Kurt Kammerer

In his talk Kurt Kammerer addresses any company’s dilemma: The need for data sharing in the era of IoT while at the same time controlling access and ownership. In order to succeed in business, it is imperative to make data available to customers, suppliers and business partners. However, the explosion and the proclaimed free flow of data can turn against an organisation and threaten its very existence, if not professionally controlled. We asked Mr. Kammerer a few questions beforehand.

Please tell us the top 5 facts about your talk.

  1. The relevance of “data” increases by the day and “data” is imperative to compete. Therefore, it is an asset companies must control.
  2. Data ownership is increasingly being challenged in the era of cloud/IoT (who created the data and who actually owns it?).
  3. Not exercising enough control over your data will dilute your business model.
  4. Data privacy and data ownership are cornerstones for any IoT use case.
  5. IoT will control you (rather than the other way round) unless you take data governance, ownership and control seriously.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

My talk addresses the major “data dilemma” that enterprises have to face:

  • On the one hand, data has emerged as the strongest competitive asset that a company has. Limiting access to such data is vital for the survival of any company.
  • On the other hand, only if you share and publish data within your commercial ecosystem can you have commercial success.

Reconciling these contradictory requirements in daily business life requires full dedication, skill and discipline from all stakeholders of an organisation or ecosystem. At the same time, consumers must be aware of this in order to make informed decisions about with whom they want to share which data.

Why do you think this is an important topic?

In the era of IoT, data is king!

Is there something you want everybody to know – some good advice for our readers maybe?

Whoever is in control of your data, will be able to control your destiny.

A prediction about the future – What do you think will be the next innovations or future downfalls when it comes to particularly your field of expertise / the topic of your talk?

Being in control means being in control of your critical data, and not all data available. We will see gigantic “big data” initiatives fail due to the daunting and cumbersome task to identify “the needles in the haystack” if the haystack experiences explosive growth. In contrast, we will see “smart data” solutions succeed that do not bet on sheer processing power, but also take relevance into account. Therefore, keeping your “haystack” at a size that fits your barn by filtering out the noise will remain critically important.


Kurt is CEO and co-founder of regify, a software company that focuses on trusted e-communications. As a serial entrepreneur, Kurt has established several software and communication businesses. From 2003 to 2008, he led the growth of US-based VI Agents, a pioneer in business applications delivered as a service. From 1996 to 2002, Kurt served as CEO of living systems AG, an international supplier of e-commerce software which he had co-founded in 1996.

Kurt holds a Business and IT degree from the University of Karlsruhe, Germany. He was honored as a “Technology Pioneer” by the World Economic Forum. He also received awards from the Asia-Europe Young Entrepreneurs Forum in Singapore and the Wharton Infosys Business Forum.

Why you should attend DeepSec 2016 – Last Call

There are many reasons to go to DeepSec this year. It doesn’t matter if you worked on your presentation slides on the way to work, got hacked by a nation state, own a smart device, defused cyber weapons, or simply fight the T-Virus in a hospital. The DeepSec conference is the place to be for exchanging war stories (hey, everyone is at cyber war with someone these days) or talking about ideas to do the next project right. Plus we have to celebrate 10 years of DeepSec conferences!

Tickets are still available via our online booking service. In case you have problems booking online, please get in contact with us. We can work something out.

Looking forward to seeing all of you in Vienna next week!


FHOÖ supports DeepSec 2016 Conference!

We are glad to announce that the University of Applied Sciences Upper Austria supports the DeepSec 2016 conference! Their motto “teaching and learning with pleasure – researching with curiosity” fits information security perfectly. Their courses cover more than just computer science. If you are interested in engineering, economics, management, media, communications, environment, or energy, then you should take a look at their courses.

You can talk to students and staff at their booth. They will show you a selection of projects from the field of information security. Don’t hesitate, ask them with curiosity!

DeepSec 2016 Talk: Insider Threat: Profiling, Intent and Motivations of White Collar Offenders – Ulrike Hugl

Malicious insider threat is not only a security- or technical-oriented issue, mainly it’s a behavioural one, says Prof. Ulrike Hugl. Insiders are so-called ‘trusted’ or privileged employees, very often with legitimate access to the organization’s systems, and they are hard to catch. Furthermore, it is difficult to find appropriate predictive factors and prevention and detection measures.

In fact, based on new technical developments and opportunities, data theft has become much easier these days: Mobile trends like BYOD, the increased ability to work from home, access to the organization’s systems when on the road, cloud services with related security vulnerabilities, for example, as well as more and more malware opportunities have increased the potential of related attacks. Other main security obstacles and trigger factors inside and outside an organization may be, to name a few, a company’s poor market performance and fear of job loss, internal (security-related) budget constraints, the complexity of the internal (IT) environment, competing priorities, a lack of top-level direction and leadership, as well as a lack of awareness training … the list goes on and on.
Anyway, current studies in the field show that malicious insider threat is an increasingly crucial issue for companies and governmental institutions. Besides the dependence on ICT mentioned above, new attack forms and collaborations with third parties (for example social engineers and/or hackers) are on the rise.

In her talk Professor Hugl will focus on the current state of insider threat, on motivational and behavioural aspects as well as on current profiles of malicious insiders based on the newest available data. The emphasis on characteristics of malicious insiders is crucial, but one should also be aware of the fact that in many cases of attacks the boundaries between insiders and outsiders are blurred. Her talk will close with some starting points for organizational insider threat prevention management. We asked Prof. Hugl some questions beforehand.

Please tell us the top 5 facts about your talk.

  • Insider threat seems to be a hidden risk within organizations.
  • Nevertheless, current studies show that companies estimate they are at risk.
  • When it comes to insider threat, various motivational issues and (sometimes) also neutralization strategies play a crucial role on the personal level; on the organizational level we have to consider opportunity factors, the ‘tone at the top’ and its misuse, which negatively supports subcultures.
  • New technological developments are triggering organizational vulnerabilities.
  • And: Boundaries of insiders and outsiders are becoming blurred in many cases of current attacks.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

An initial point was my work at the University of St. Gallen. There, I think it was around 2002, first initiatives in the field of Internet of Things (IoT) applications and related IoT research labs came up. At that early state of research, in my impression, the focus of thoughts was mainly on the technological side and what’s achievable in developing new business models with sustainable profit. To me IoT was more than impressive, but also triggered many open questions: What does IoT mean for business, for individuals, for society? How will it change our world? My impression was that most researchers did not really think about aspects like privacy-by-design for consumers/users or even information security-related aspects for organizations. For me this was the starting point for research in the field of new or (potentially) upcoming technologies, related aspects of data protection and (potential) impacts on the whole field of organizational information security.

Why insider threat? First, it’s related to organizational information security. Second, it’s a very interesting topic because diverse fields are involved: from technology, personnel management (like trainings, leadership, and behavior of peers), the organizational structure (e.g. internal whistleblowing systems, counterespionage departments, coordination and control), the external environment of an organization (market development, etc.), to interesting theories and research results from criminology and other disciplines. All in all, and that’s a big point, a human’s behavior is hard to predict. Humans do have their characteristics, their personal environment and their own specific situation inside the organization – and such issues can play a triggering role in conducting misuse.
To summarize, insider threat is – depending on your point of view and the topic you are looking on – blurring the boundaries between various scientific disciplines. Therefore, for me, dealing with this topic is fascinating!

Why do you think this is an important topic?

As just mentioned, to protect an organization’s intellectual property and crucial assets, diverse factors have to be considered: personal, organizational, and behavioral factors or indicators to find useful starting points for the prevention and detection of malicious acting of so-called ‘trusted employees’. Current studies show a clear tendency: Insider threat continues to pose the most crucial threat to organizations everywhere. In 2015, more than half, or even up to 60 percent, of all attacks were carried out by malicious insiders. And, as many cases show, such offenders may cause substantial reputational or financial losses.

Is there something you want everybody to know – some good advice for our readers maybe?

It’s hard to think of your staff as a potential ‘threat’. Nevertheless, we have to learn that not all our employees have only good intentions. These days we know about diverse starting points, which enable us more and more to ‘walk in an offender’s shoes’. Furthermore, we know about various individual motivational factors as well as organizational and environmental triggers for fraud and misconduct.

I am looking forward to giving you an impression of the current state of research and threat potential in the field, but also perhaps some new thoughts and ideas to implement some measures inside your organization.

A prediction about the future – what do you think will be the next innovations or future downfalls when it comes to particularly your field of expertise / the topic of your talk?

From the organizational point of view, in the field of insider threat, the crucial challenge is to find a balance between trust and suspicion when building up related counter-measures. This is sometimes hard and seems like ‘crying for the moon’. But, we all know things are in progress and will further develop.

Another last aspect: Some research is done in all the scientific fields mentioned, but more effort is needed to deal with it in a more systematic way, and we need many more researchers dealing with this topic. In economic and social sciences, the topic is not really known and far from ‘mainstream’. Within these disciplines traditional research is currently mainly still focused on established and traditional fields of expertise, often with a narrow research focus. However, insider threat and related issues like economic crime and industrial espionage should also be taken into account and be established inside traditional research institutions. They should be treated as very relevant issues for further theoretical innovation and specific managerial implications.


Prof. Ulrike Hugl is a senior scientist and lecturer at the University of Innsbruck (School of Management), Department of Accounting, Auditing and Taxation. She is a member of various scientific committees of international conferences and reviews for several journals. Her research mainly focuses on new technologies and their impact on information security and data protection of organizations, as well as on occupational/corporate crime (especially insider threat) and industrial espionage issues.

DeepSec2016 Workshop: IoT Hacking: Linux Embedded, Bluetooth Smart, KNX Home Automation – Slawomir Jasek

“The ongoing rise of the machines leaves no doubt – we have to face them”, says Slawomir Jasek, and adds: “It is hard not to agree with one of the greatest military strategists Sun Tzu: “If you know your enemies and know yourself, you will not be put at risk even in a hundred battles”. Right now it is about time to fill that gap in your skills by confronting the devices, learning their flaws, catalog ways to defeat them, and – above all – develop means to reduce the risk and regain control.” Slawomir’s training consists of several modules:

1. Linux embedded
Linux embedded is probably the most popular OS, especially in SOHO equipment like routers, cameras, smart plugs, alarms, bulbs, home automation, and even wireless rifles. Based on several examples, you will learn about the most common flaws (auth bypass, command injection, path traversal, backdoor services…). We will open a wireless doorlock remotely, hack cameras and take control over other devices. You will also interact with representative specimens which took part in recent DDoS events.

2. Bluetooth Low Energy
One of the most sought after IoT technologies. Learn how it works, about risks and possible attacks. Using, among others, a new BLE MITM proxy tool developed by the author, we will hack various devices: 5 different smart locks, a mobile Point of Sale, an authentication token, beacons, anti-theft protection and others.

3. KNX home automation
Learn how to take control over the most common home automation system: EIB/KNX.
Following the introduction on the system basics, we will hack the provided demo installation, abusing common misconfiguration weaknesses – in a similar way a luxury hotel in China was hacked a few years back.

Do you want to know more? We asked Slawomir a few more questions about his workshop.

Please tell us the top 5 facts about your talk.

  • The training consists of several unique cutting-edge topics.
  • Focused on practical exercises we will hack multiple real devices.
  • All participants will receive a Raspberry Pi and 2 BT4 dongles – A beginner’s hardware lab for BLE.
  • It will be possible to further practice BLE hacking at home, with a specially designed Bluetooth Smart HackmeLock, a vulnerable hardware lock, software-simulated, consisting of a mobile application.
  • Regardless if you are a beginner or a skilled pentester, you will learn something new and have a good time.

How did you come up with it? Was there something like an initial spark that set your mind on creating this Workshop?

I was always interested in taking control over surrounding devices. I got my MSc degree in Automatics and Robotics, and for a while I designed secure Linux embedded appliances for national agencies. That is why the current vendors’ irresponsibility and the insecurity level of most routers, cameras, home automation etc. constantly boggles me. I understand the market demands features produced at low cost, but I believe it is possible to integrate security into the development process. The world won’t change with a snap of one’s fingers; for now we will have to deal with what we have. So I decided to share my collection of hilariously vulnerable devices – the ease of exploitation should be an eye-opener – along with a few – not always straightforward – hacks on how to patch them on your own.

The “initial spark” that led me to more comprehensive Bluetooth Smart research was a local “hacking competition”: the goal was to steal a car protected by a BLE unlocking device. I pointed out several vulnerabilities in the mechanism, which allow you to take full control over it. For that I designed novel attack scenarios and tools, which I presented this year at BlackHat USA (more details: www.gattack.io).

And KNX home automation – I created my own super-smart home installation. Well, in the beginning it was far from perfect, especially for my non-smartphone wife, who could not switch the light on without my help. But I got to know the systems inside-out (including its Achilles’ heel), and recently also organized an online KNX hacking challenge.

Why do you think this is an important topic?

I think a quick scroll through the recent headlines will do as a sufficient answer. Of course the media often overestimate the real risk, but you just can’t ignore the fact anymore that the devices are increasingly surrounding us and are often used as a weapon against us.

Is there something you want everybody to know – some good advice for our readers maybe?

Did I mention the free Raspberry and other goodies already?

A prediction about the future – What do you think will be the next innovations or future downfalls when it comes to particularly your field of expertise / the topic of your workshop?

They rapidly grow in numbers, processing power and network bandwidth. Machines control more and more of our life. No doubt, they will strike again. Next time you better be ready.

SYLLABUS:

1.) LINUX EMBEDDED
Theory introduction
  – Embedded devices – popular architectures, OSs
  – Device supply chain and why it is difficult to maintain security – BSP, ODM, OEM, SDK…
  – Linux embedded and its flavours, not only in SOHO devices
  – One binary to rule them all
  – Firmware images
Tools
  – Firmware analysis – binwalk & co
  – Scanning, sniffing – nmap, wireshark…
  – Exploiting known vulns: metasploit, routersploit
  – Default credentials lists, hydra, john…
  – Web interface attacking – Burp Proxy
Practical exercises
  – Identifying serial port and connecting to device’s boot
  – Analyze firmware images
  – Locate hidden URLs
  – Authentication bypass – open wireless doorlock
  – Excessive services, debug interfaces
  – Cracking hardcoded telnet root password
  – Abusing backdoors
  – RCE – get remote shell in a router
  – Attack proprietary remote access protocol
  – Analysis of Mirai botnet and example affected devices

2.) BLUETOOTH SMART
Theory introduction
  – What is Bluetooth Smart/Low Energy/4.0, how is it different from previous Bluetooth versions?
  – Usage scenarios, prevalence in IoT devices
  – Protocol basics
  – Advertisements, connections
  – Central vs peripheral device
  – GATT – services, characteristics, descriptors, handles
  – Security features – pairing/encryption, whitelisting, MAC randomization
  – Security in practice: own crypto in application layer
Tools and hardware
  – Reversing communication – mobile application analysis
  – BlueZ command-line tools
  – Sniffing soft- & hardware – ubertooth, adafruit, bluehydra…
  – What can you do with just a BT4 USB dongle?
  – Analysis – hcidump, Android btsnoop log, BLE-replay
  – BLE MITM – GATTacker, BtleJuice
  – MAC address cloning
  – Tips & tricks for MITM attacks
  – Other tools, PoCs, research…
Practical exercises
  – BLE beacons spoofing – get rewards & free beer
  – Abuse proximity autounlock of a padlock
  – Inject arbitrary commands into car unlocking device communication protocol
  – Spoof encrypted status of a smart doorlock and home automation devices
  – Intercept indication of “one-time-password” hardware token and authenticate to a bank
  – Hijack a mobile Point-of-Sale display
  – Abuse excessive services (e.g. module’s default AT-command interface)
  – Intercept static authentication password of a padlock
  – Abusing flaws of custom challenge-response authentication
  – PRNG weaknesses
  – Attacking encrypted (bonded) connections
  – A glimpse at the source code – why do the vulnerabilities appear?
  – Troubleshooting and debugging
  – Takeaway – hackmelock (mobile application + simulated device) to practice BLE hacking at home

3.) EIB/KNX
Theory introduction
  – Home automation standards review – wired, wireless
  – KNX/EIB – history, protocol basics
  – Group address, device address
  – Typical topology
  – KNX/IP gateways
Tools
  – ETS configuration suite
  – KNXd (former eibd) and command-line tools
  – knxmap
  – nmap scripts
Practical exercises
  – Scanning for KNX-IP gateway from local network
  – Detecting publicly exposed gateways
  – Monitor mode – sniffing
  – Reading/writing
  – Brute-force addresses
KNX security features
  – Device authentication keys
  – KNX Secure

BONUS TRACK (possible to do at home):
  – Reversing binary protocol and hijacking communication of mobile application controlling HVAC system.

STUDENT REQUIREMENTS:

– Laptop which can run Kali Linux (as virtual machine or natively – e.g. from USB)
– Smartphone with Android > 4.3 will be helpful
– You can bring your own Linux embedded or Bluetooth Smart device
– Basic pentesting and scripting skills – Kali Linux, Burp proxy, nmap, mobile app analysis/decompilation, bash, python, node.js etc. – will be helpful, but are not essential.

Slawomir Jasek is an IT security consultant with over 10 years of experience. He participated in many assessments of systems’ and applications’ security for leading financial companies and public institutions, including a few dozen e-banking systems. He also developed secure embedded systems certified for national agencies. Slawomir has an MSc in automation & robotics and loves to hack home automation and industrial systems. Besides his current research (BLE, HCE), he focuses on consulting and on designing secure solutions for various software and hardware projects, protecting them during all phases – starting from scratch.

DeepSec2016 Talk: Abusing LUKS to Hack the System – Interview with Ismael Ripoll & Hector Marco

Please tell us the top facts about your talk.

  • It discloses a vulnerability that affects Linux systems encrypted with LUKS, and how it can be abused to escalate privileges: CVE-2016-4484
  • Includes a sketch of the boot sequence with a deeper insight into the initrd Linux process
  • A brief discussion about why complexity is the enemy of security: The whole system needs to be observed.
  • A practical real working demo attack will be presented.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

Well, this is a difficult question. Basically, it is an attitude in front of the computer. When we start a research line, we don’t stop digging until the ultimate doubt and question is addressed. After the GRUB 28 bug, we kept reviewing the rest of the Linux boot sequence.

Why do you think this is an important topic?

Although we will present how to abuse the system through a cryptography service, the root of the problem is the “complexity”: The idea of complexity is not limited to difficult mathematical algorithms or advanced data structures; the combination of subsystems also increases the overall complexity. The vulnerability that will be presented is a good example of how the addition of new features (in this case, security features) may weaken the system by creating new faults.

Is there something you want everybody to know – some good advice for our readers maybe?

Our talk will show that it is not necessary to use complex exploits or advanced USB hacking devices to hack the system. Knowledge is the only necessary tool. Do you remember the GRUB 28 bug? This time it is a little bit more complex but the result is… surprising.

A prediction for the future – What, do you think, will be the next innovations or future downfalls when it comes to particularly your field of expertise / the topic of your talk?

Thanks to the advances in mitigation techniques (ASLR, NX, SSP, CFI, etc.) and better software engineering methods, the number of exploitable faults may be reduced (as far as the programmers for the IoT do apply those technologies). A more dangerous type of vulnerability is the one caused by the interaction of two or more systems which work correctly when used separately.

On the other hand, cryptography will always be a hot topic. As crypto algorithms become outdated by the advances in computer power and cryptanalysis, crypto suites must be updated. And new code means new bugs.


Ismael Ripoll received his PhD in computer science from the Universitat Politecnica de Valencia in 1996, where he is professor of several cybersecurity subjects in the Department of Computing Engineering. Before working on security he participated in multiple research projects related to hypervisor solutions for European spacecraft; dynamic memory allocation algorithms; Real-Time Linux; and hard real-time scheduling theory. Currently, he is applying all this background to the security field. His current research interests include memory error defense/attack techniques (SSP and ASLR) and software diversification. Ismael Ripoll is a cybersecurity researcher at the UPV Cybersecurity group.


Hector Marco-Gisbert received his Ph.D. degree in computer science (cybersecurity) in 2015. Initially, he participated in several research projects whose main goal was to develop a hypervisor for the next generation of spacecraft for the ESA (European Space Agency). He contributed to extending the scope of these projects to include security aspects using the MILS (Multiple Independent Levels of Security/Safety) architecture. Currently, Hector Marco is a lecturer in Cyber Security and Virtualisation at the University of the West of Scotland. His research aims to identify and thwart critical security threats, focusing on servers and smartphone platforms. His interests include the study and design of new low-level attacks and protection mechanisms. He revisited mature and well-known techniques like SSP (Stack Smashing Protection) and ASLR (Address Space Layout Randomization), and was able to make substantial contributions, e.g. in the form of RenewSSP and ASLR-NG. Hector received awards and recognitions from Google and Packet Storm Security for his security contributions to the Linux kernel.

DeepSec 2016 Talk: I Thought I Saw a |-|4><0.- Thomas Fischer

Threat Hunting refers to proactively and iteratively searching through networks or datasets to detect and respond to advanced threats that evade traditional rule- or signature-based security solutions. “But what does this really mean?”, asks Thomas Fischer. “And what real impact does it have on the security team? Can we use threat hunting to provide a process to better detect and understand when you’ve been breached?”

More and more security data is being produced and usually aggregated into a central location or body, in the hope of making quick and informed decisions on attacks or compromises amongst a mountain of data. When you start to include data gathered from your endpoints, the amount of data explodes. This level of data provides us with a large amount of visibility. But is having visibility enough?

What if a more thoughtful and intelligent way of generating alerts could draw an analyst’s attention to the right place at the right time? This would provide context, or even flag suspicious behaviour that can become the starting point of a hunt.

In his talk Thomas Fischer will explore this theory and establish working foundations of what threat hunting is and look at some of the challenges associated with gathering large sets of data. This will give us a foundation to look at how we can improve and explore implementing an intelligent threat hunting model to drive the investigation process. We asked him some questions beforehand.

Please tell us the top 5 facts about your talk.

Threat Hunting is the new thing to detect malicious activities in your environment. In the talk we look at what it takes to do threat hunting, the challenges in putting it into place, and how to deal with the volume of data. While most threat hunting pitches talk about using network based data, this talk looks at what kind of endpoint data can be used, the impact it can have on data volumes and what to look for to start the hunt.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

This talk is essentially a story about how to analyse a ton of data and what methods can help. It was born from my own experience in looking at what trends in IR are going on.

Why do you think this is an important topic?

It’s important because current automated solutions no longer suffice in detecting the “bad guys”. We need better methods and processes to combat these creative attackers.

Is there something you want everybody to know – some good advice for our readers maybe?

In this talk, I share some experiences in what and how to look at threat hunting as a method for detecting malicious activities. Threat hunting is becoming the current in-thing for marketing – hopefully this talk will clear up what threat hunting really means for incident response.

A prediction about the future – what do you think will be the next innovations or future downfalls when it comes to particularly your field of expertise / the topic of your talk?

Machine learning will play an important part of IR in the near future. As humans we won’t be able to process the volume of data being generated for IR. So machine learning is the natural next step to highlight “things” that need to be responded to…

With over 25 years of experience, Thomas has a unique view on security in the enterprise, with experience in multiple domains from policy and risk management, secure development, incident response and forensics. Thomas has held roles varying from security architect in large Fortune 500 companies to consultant for both industry vendors and consulting organizations. Thomas currently plays a lead role in advising customers while investigating malicious activity and analyzing threats for Digital Guardian. Thomas is also an active participant in the infosec community, not only as a member but also as director of Security BSides London and as an ISSA UK chapter board member.


DeepSec2016: 0patch – Self-healing Security Updates. DeepSec and ACROS Security Introduce a Platform for Micropatches

As soon as a security gap in a computer application is made public, the anxious wait begins. Whether it is software for your own network, online applications or apps for your mobile devices, as a user you will quickly become aware of your own vulnerability. The nervousness increases. When will the vendor publish the security update? In the meantime, is there anything you can do to reduce the risks? Alternatively, how long can you manage without this particular software?

To provide answers to these questions is the central point of security management. Some vendors have fixed dates for security updates. However, occasionally unscheduled updates take place, while some vendors wait quite a few years before they release another update. And this is only true for applications that are still in production or come with a support contract. What happens to programs no longer supported? One possible answer is 0patch, a platform for so-called micropatches in live mode.

Micropatches as emergency management

Contrary to popular belief, patches cannot only be provided by a software’s vendor. It is possible to change applications both at runtime and during a short interruption. Since publicly disclosed vulnerabilities are already thoroughly documented by security researchers, micropatches can be created on the basis of this information, serving directly to eliminate the vulnerabilities in question. This system is called 0patch. It has been developed by security experts who have been penetrating networks for more than 15 years. In such attacks you also have to inject code, which is the same thing applying a micropatch does. Every exploitation of vulnerabilities is based on this principle. Simply put, 0patch is the opposite of an exploit.

“Our technology called 0patch is a result of the frustration about the fact that it’s just as easy to break into networks as it was 15 years ago,” says Mitja Kolsek, Managing Director of ACROS Security. With the micropatch platform, there is an incentive for researchers to document vulnerabilities and design patches to fix them. In return they get compensation from the users of these micropatches.

Patching software might not sound very innovative; nevertheless, this very process is still one of the biggest sore points of IT security.

And there are further possibilities for extension: In IT security research, concepts are being tested that automatically find gaps in code and propose corresponding micropatches. Such technologies could also be incorporated into quality assurance processes.

Modern protection for legacy systems

One does not like to talk about it, but in almost every infrastructure there are legacy systems in the form of old applications or software packages which are no longer supported. In the era of mainframes, code was simply carried along with compatibility layers. This is still happening today, just without room-filling computers. The 0patch platform is especially interesting for these applications. With the help of micropatches, vulnerabilities can be closed even without the support of a vendor. A far more beneficial option than waiting and hoping that lightning will strike somewhere else.

European Premiere: Workshop 0patch platform for users

As part of its 10th anniversary, the DeepSec In-Depth Security Conference offers high-caliber trainings to its participants. Among other things, there is the workshop “Do-It-Yourself Patching: Writing Your Own Micropatch”, held by Mitja Kolsek and other developers of 0patch. It is a training with practical examples from the working world. You learn how to create unofficial micropatches based on real vulnerabilities and to apply them correctly, even during runtime. The workshop focuses on software for Microsoft® Windows, but it will provide examples for all platforms. The content is intended for security researchers as well as users from IT departments. Software developers are also welcome to participate and get to know the system. After all, a micropatch can help both vendors and customers to save precious time and avoid uncertainties.

Annual meeting of internationally renowned security experts in Vienna

The topics of this year’s DeepSec trainings range from WLAN attacks, patches, cryptography, targeted attacks on Apple’s iPhone and IoT devices, Windows PowerShell for attackers, network technology for secure web application development to social engineering. International trainers bring their expertise to the heart of Europe, thereby providing you with a unique training opportunity.

And then there’s the two-day conference filled with lectures from all areas of IT Security. The keynote will be given by Marcus Ranum, who set up the first e-mail server for whitehouse.gov, and will reflect upon over 30 years of IT security.

The complete conference program is available on:
https://deepsec.net/schedule.html

The workshops will be held on the 8th / November 2016
The conference takes place on 10/11 November
Venue: The Imperial Riding School Vienna – A Renaissance Hotel
Ungargasse 60
1030 Vienna.

DeepSec2016 Talk: AMSI: How Windows 10 Plans To Stop Script Based Attacks and How Good It Does That – Nikhil Mittal

In his talk Nikhil Mittal will focus on AMSI: In Windows 10, Microsoft introduced the AntiMalware Scan Interface (AMSI), which is designed to target script based attacks and malware. Script based attacks have been lethal for enterprise security and with the advent of PowerShell, such attacks have become increasingly common.

AMSI targets malicious scripts written in PowerShell, VBScript, JScript, etc. It drastically improves the detection and blocking rate of malicious scripts. When a piece of code is submitted for execution to the scripting host, AMSI steps in and scans the code for malicious content. What makes AMSI effective is that no matter how obfuscated the code is, it needs to be presented to the script host in clear text and unobfuscated. Moreover, since the code is submitted to AMSI just before execution, it doesn’t matter if the code comes from disk, from memory or was entered interactively. AMSI is an open interface and Microsoft says any application will be able to call its APIs. Currently Windows Defender uses it on Windows 10.
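To show the interface from the application side, here is an added example (not code from the talk, from Nikhil Mittal or from Microsoft) that submits a script file to AMSI through its public API, the way a script host does just before execution, and maps the returned AMSI_RESULT value to a verdict. It assumes a Windows 10 host with amsi.dll and at least one registered provider such as Windows Defender; the class name AmsiProbe and the function Get-AmsiVerdict are this example's own.

```powershell
# Added example: ask AMSI for a verdict on script text via AmsiInitialize/AmsiScanString.
# Assumes Windows 10 (amsi.dll) with a registered AMSI provider, e.g. Windows Defender.
$amsiInterop = @"
using System;
using System.Runtime.InteropServices;

public static class AmsiProbe
{
    [DllImport("amsi.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
    static extern int AmsiInitialize(string appName, out IntPtr amsiContext);

    [DllImport("amsi.dll", ExactSpelling = true)]
    static extern void AmsiUninitialize(IntPtr amsiContext);

    [DllImport("amsi.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
    static extern int AmsiScanString(IntPtr amsiContext, string content,
                                     string contentName, IntPtr amsiSession, out int result);

    // Returns the raw AMSI_RESULT value the installed provider assigned to the content.
    public static int Scan(string content, string contentName)
    {
        IntPtr ctx;
        int hr = AmsiInitialize("AmsiProbe", out ctx);
        if (hr != 0)
            throw new InvalidOperationException("AmsiInitialize failed, HRESULT 0x" + hr.ToString("X8"));
        try
        {
            int result;
            hr = AmsiScanString(ctx, content, contentName, IntPtr.Zero, out result);
            if (hr != 0)
                throw new InvalidOperationException("AmsiScanString failed, HRESULT 0x" + hr.ToString("X8"));
            return result;
        }
        finally
        {
            AmsiUninitialize(ctx);   // always release the context, even on failure
        }
    }
}
"@
Add-Type -TypeDefinition $amsiInterop

function Get-AmsiVerdict {
    # Reads a script file and returns AMSI's verdict on its full, unobfuscated text.
    param([Parameter(Mandatory)][string]$Path)
    $content = Get-Content -Path $Path -Raw
    $code = [AmsiProbe]::Scan($content, $Path)
    # AMSI_RESULT: 0 clean, 1 not detected, 16384-20479 blocked by admin policy, >= 32768 detected.
    $verdict = switch ($code) {
        0 { 'CLEAN' }
        1 { 'NOT_DETECTED' }
        { $_ -ge 16384 -and $_ -le 20479 } { 'BLOCKED_BY_ADMIN' }
        { $_ -ge 32768 } { 'DETECTED' }
        default { 'UNKNOWN' }
    }
    [pscustomobject]@{
        Path       = $Path
        ResultCode = $code
        Verdict    = $verdict
        IsMalware  = ($code -ge 32768)   # same rule the AmsiResultIsMalware macro applies
    }
}

# Usage: a harmless constructed script should come back CLEAN or NOT_DETECTED.
$sample = Join-Path $env:TEMP 'amsi-probe-sample.ps1'
Set-Content -Path $sample -Value 'Get-Date | Out-String'
Get-AmsiVerdict -Path $sample
```

Microsoft also publishes an AMSI test string (the AMSI counterpart of EICAR) that an active provider reports as DETECTED; keep it in a separate file and pass that path rather than pasting it into this script, because PowerShell's own AMSI hook will otherwise refuse to run the script itself, which is exactly the behaviour described above.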

Has Microsoft finally killed script-based attacks? Or are there even ways to bypass AMSI? We asked Nikhil Mittal a few questions about his talk.

Please tell us the top 5 facts about your talk.

  • The talk is about AMSI (Antimalware Scan Interface), an interface present by-default on Windows 10 machines which can work with antivirus on a machine.
  • AMSI enables the scanning of a script through an antivirus present on the machine, regardless of the input method (memory, disk or manual) used for loading the script.
  • AMSI steps in when a script is submitted to the corresponding script host – which makes bypass techniques like obfuscation less effective.
  • Even if PowerShell scripts are executed without using powershell.exe, AMSI can still catch the scripts.
  • Fellow researchers have already discovered bypasses/avoidance for AMSI. It is still dependent on the signature based detection of the antivirus.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

I use PowerShell a lot during penetration testing engagements and while testing one of my PowerShell scripts on a Windows 10 machine, I noticed that it was being blocked even when loaded from memory. On investigation, I stumbled upon AMSI (Antimalware Scan Interface), the Microsoft technology enabled by default on Windows 10 machines, which is designed to stop script based attacks which utilize PowerShell, VBScript, JScript etc. This talk is a result of my and other hackers’ experiments with AMSI.

Why do you think this is an important topic?

Script based attacks are widely used both by the good and by the bad guys. Scripts like those for PowerShell are generally hard to detect because of various functionalities available in PowerShell, which allow the scripts to be loaded from memory and not from disk. AMSI is an important step towards thwarting such script based attacks because it has the capability to detect malicious scripts even from memory.

Is there something you want everybody to know – Some good advice for our readers maybe?

Spread awareness about abuse of legit functionality of office software, scripts, email clients etc. among your family and your organization. More people and organizations get hacked through the abuse of functionalities than by a 0-day.

A prediction about the future – What do you think will be the next innovations or future downfalls when it comes to particularly your field of expertise / the topic of your talk?

I am quite sure Microsoft is taking note of the developments related to AMSI. I expect the cat and mouse game to continue. There will be more fixes and more bypasses. But ultimately, the overall security of Windows boxes is definitely going to improve with AMSI.

Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His areas of interest include penetration testing, attack research, defence strategies and post exploitation research. He has 8+ years of experience in penetration testing for his clients, which include many global corporate giants. He is also a member of the Red teams of selected clients.

He specializes in assessing security risks in secure environments which require novel attack vectors and an “out of the box” approach. He has worked extensively on using Human Interface Devices in penetration tests and PowerShell for post exploitation. Nikhil is the creator of Kautilya, a toolkit which makes it easy to use HIDs in penetration tests, and of Nishang, a post exploitation framework in PowerShell. In his spare time, he researches new attack methodologies and updates his tools and frameworks.

He has spoken at conferences like Defcon, BlackHat, CanSecWest, DeepSec and more.
He blogs on http://www.labofapenetrationtester.com/


DeepSec 2016 Talk: TLS 1.3 – Lessons Learned from Implementing and Deploying the Latest Protocol – Nick Sullivan

Version 1.3 is the latest Transport Layer Security (TLS) protocol, which allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. TLS is the S in HTTPS. TLS was last changed in 2008, and a lot of progress has been made since then. CloudFlare will be the first company to deploy this on a wide scale. In his talk Nick Sullivan will discuss the insights his team gained while implementing and deploying this protocol. Nick will explore the differences between TLS 1.3 and previous versions in detail, focusing on the security improvements of the new protocol as well as some of the challenges his team faces around securely implementing new features such as 0-RTT resumption. He’ll also demonstrate an attack on the way some browsers have chosen to implement TLS 1.3. We asked Nick some questions about his topic of interest.

Please tell us the top 5 facts about your talk.

  • You’ll learn about the process of defining an IETF standard
  • We’ll explore why AEAD is one of the most important terms in transport security
  • I’ll demonstrate how to share connections between C and Go processes
  • I’ll share real world data about the benefits of TLS 1.3
  • We’ll explore the term “DJB all the things”

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

I’ve been working with my team on building a TLS 1.3 implementation for most of the year and thought DeepSec would be a great venue to showcase our work.

Why do you think this is an important topic?

TLS is often the last defence for data sent on the Internet; fixing it and raising the profile of the new version are very important for the future of security online.

Is there something you want everybody to know – Some good advice for our readers maybe?

Cryptography protocols and best practices are constantly changing; it’s easy to configure them insecurely.

A prediction about the future – what do you think will be the next innovations or future downfalls when it comes to particularly your field of expertise / the topic of your talk?

I hope TLS 1.3 gets adopted quickly. The performance gain will be a strong motivator for that. But that also means that TLS 1.3 is probably the last update to TLS that brings something significant other than security benefits, so hopefully we got the security right.


Nick Sullivan is a leading cryptography and security technologist. He currently works on cryptographic products and strategy for CloudFlare. Previously, he held the prestigious title of “Mathemagician” at Apple, where he encrypted books, songs, movies and other varieties of mass media.

DeepSec 2016 Talk: Where Should I Host My Malware? – Attila Marosi

The growth of IoT devices continues to raise questions about their role and impact on cybersecurity. Badly or poorly configured devices are easy targets for malicious actors. At first glance launching an attack against IoT devices seems challenging due to the diversity of their ecosystem, but actually an attack is very easy to execute. In his talk Attila Marosi will explain why the IoT is a cybercriminal’s paradise:

“In our SophosLabs research, we focused on a very generic attack scenario that would affect almost any device using FTP services – your router or network-attached storage (NAS) for example. These attacks typically exploit the level of trust people place on any content hosted on internal network shares. A successful attacker would abuse or compromise a default FTP guest account, place a “Trojan horse” in a visible file share and rely on human curiosity for the rest to happen. In many cases, root folders for FTP and WWW services are the same, a fact which makes it even easier for the attacker. Since many of the IoT devices publicly expose FTP services world-wide, this fairly unsophisticated attack can result in a large number of infected “things” and provide great value to cybercriminals.

To assist our research, we developed an IoT scanning framework (“ScanR”) which is able to perform large scale network probes to assess the state of open FTP services and identify how many of them have been compromised. In our latest test, we utilized ScanR against 3 million open FTP servers to determine the type of the device and the state of its security. The results are far worse than we’d expected.

Over 90% of the unprotected devices were found to be infected with at least one Malware threat or exhibiting the signs of an attack. In this talk, we’ll reveal the results of the research, exposing the number of vulnerable devices and gigabytes of storage now freely available to attackers.
We’ll also share the technical results of the malware analysis.

In summary, this talk will provide an insight into how very old Internet protocols are being exploited via modern internet connected “things”, explain the risks for home and corporate users and suggest recommendations on how businesses and private users could better protect themselves against these unsophisticated, but dangerous and highly successful attack scenarios.
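The scenario described above leaves a trace on the device itself: a guest account uploading a program or a web page into the shared folder. As an added example (not part of the talk and not SophosLabs' ScanR), the following PowerShell function walks a vsftpd-style transfer log and flags exactly those uploads; the log lines, the account names and the extension lists are constructed assumptions for this example.

```powershell
# Added example: flag uploads made through guest FTP accounts that drop executable
# or web content into a share. The log lines below are constructed sample data in
# vsftpd-style "OK UPLOAD" format; adjust $uploadPattern for other FTP daemons.
$sampleLog = @'
Sun Nov  6 09:12:01 2016 [pid 2151] [anonymous] OK LOGIN: Client "203.0.113.5"
Sun Nov  6 09:12:03 2016 [pid 2151] [anonymous] OK UPLOAD: Client "203.0.113.5", "/share/Invoice_2016.exe", 184320 bytes, 91.3Kbyte/sec
Sun Nov  6 09:12:04 2016 [pid 2151] [anonymous] OK UPLOAD: Client "203.0.113.5", "/share/index.html", 2048 bytes, 40.1Kbyte/sec
Sun Nov  6 10:30:12 2016 [pid 2203] [alice] OK LOGIN: Client "192.168.1.20"
Sun Nov  6 10:30:40 2016 [pid 2203] [alice] OK UPLOAD: Client "192.168.1.20", "/home/alice/photo.jpg", 3145728 bytes, 512.0Kbyte/sec
Sun Nov  6 11:02:55 2016 [pid 2290] [guest] OK UPLOAD: Client "198.51.100.77", "/public/setup.scr", 90112 bytes, 60.0Kbyte/sec
Sun Nov  6 11:05:10 2016 [pid 2290] [guest] OK UPLOAD: Client "198.51.100.77", "/public/readme.txt", 310 bytes, 3.0Kbyte/sec
'@

# Accounts that embedded devices commonly expose without a real password (assumed list).
$guestAccounts = @('anonymous', 'ftp', 'guest')
# Files that turn a "visible share" into a delivery vehicle for a Trojan horse.
$executableExt = @('.exe', '.scr', '.dll', '.bat', '.cmd', '.js', '.vbs', '.ps1', '.hta', '.lnk')
# Web content matters when the FTP root and the WWW root are the same directory:
# an uploaded page is then served to anyone who browses to the device.
$webExt = @('.html', '.htm', '.php')

$uploadPattern = '^(?<time>.+?) \[pid \d+\] \[(?<user>[^\]]+)\] OK UPLOAD: Client "(?<client>[^"]+)", "(?<path>[^"]+)", (?<bytes>\d+) bytes'

function Find-GuestUploads {
    # Returns one object per suspicious upload; benign uploads and other events are skipped.
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match $uploadPattern) {
            $user = $Matches['user']
            if ($guestAccounts -notcontains $user) { continue }
            $ext = [System.IO.Path]::GetExtension($Matches['path']).ToLowerInvariant()
            $reason = if ($executableExt -contains $ext) { 'executable dropped via guest account' }
                      elseif ($webExt -contains $ext)     { 'web content dropped via guest account' }
                      else                                { $null }
            if (-not $reason) { continue }
            [pscustomobject]@{
                Time   = $Matches['time']
                User   = $user
                Client = $Matches['client']
                Path   = $Matches['path']
                Bytes  = [int64]$Matches['bytes']
                Reason = $reason
            }
        }
    }
}

# Usage: on the sample data this reports Invoice_2016.exe, index.html and setup.scr;
# alice's photo and the guest's readme.txt are not flagged.
$hits = Find-GuestUploads -Lines ($sampleLog -split "`r?`n")
$hits | Format-Table -AutoSize
```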

Attila Marosi has worked in the information security field since he started working in IT. As a lieutenant on active duty he worked for almost a decade on special information security tasks within the Special Service for National Security. Later he was transferred to the newly established GovCERT-Hungary, which is an additional national level in the internationally known system of CERT offices. Now he works for SophosLabs as a Senior Threat Researcher in the Emerging Threat Team, providing novel solutions to the newest threats.

Attila has several international certifications such as CEH, ECSA, OSCP and OSCE. In his free time he reads trade journals and does some teaching on different levels; at the top level he teaches white hat hackers. He has given talks at many security conferences including hack.lu, DeepSec, AusCERT, Hacktivity, Troopers, HackerHalted and NullCon.