ROOTS Schedule almost ready, mind your DeepSec Training Tickets, DeepINTEL Schedule is coming up

The review process for ROOTS was completed a few days ago. Proper reviews are hard, which is why it took a bit longer. The accepted papers will be in the schedule at the beginning of next week, since we need the redacted abstracts of all presentations first. The research topics are worth it, so make sure to check the schedule next week.

For all of you looking for in-depth knowledge and hands-on training – please book tickets for our trainings as soon as possible! This is not meant to rush you. We just want to make sure that you get the training you want. Booking last minute is a sure way of making it hard to plan ahead. Furthermore, the first courses are filling up. You might not get a seat if you wait too long.

The DeepINTEL schedule will be sent to interested parties as of today. The topics include drone capabilities (including countermeasures), “military-grade” ICT risk management, insights into HUMINT, evaluating data to produce secure and relevant intelligence, and the effects of malicious software used for actual attacks on digital communication. If you want a detailed peek at the presentations, please mail us.

DeepSec 2018 Talk: Security Response Survival Skills – Benjamin Ridgway

Jarred awake by your ringing phone, bloodshot eyes groggily focus on a clock reading 3:00 AM. A weak “Hello?” barely escapes your lips before a colleague frantically relays the happenings of the evening. As the story unfolds, you start to piece together details leading you to one undeniable fact: Something has gone horribly wrong…

Despite the many talks addressing the technical mechanisms of security incident response (from the deep forensic know-how to developing world-class tools) the one aspect of IR that has been consistently overlooked is the human element. Not every incident requires forensic tooling or state of the art intrusion detection systems, yet every incident involves coordinated activity of people with differing personalities, outlooks, and emotional backgrounds. Often these people are scared, angry, or otherwise emotionally impaired.

Drawing from years of real-world experience, hundreds of incidents worked by the Microsoft Security Response Center, and the many lessons learned from some of the greats in IR around the company, this talk will delve into:

  • Human psychological response to stressful and/or dangerous situations
  • Strategies for effectively managing human factors during a crisis
  • Policies and structures that set up incident response teams for success
  • Tools for building a healthy and happy incident response team

Effectively navigating the human element is a critical skill for anybody who may be called upon to manage or participate in a security incident. This talk is geared toward occasional or full-time responders who are looking for practical human-management skills.

It is now 3:05AM. Everything has gone horribly wrong. A room full of panicked engineers await. It is your time to sink or swim. Good luck.

But wait! Before you put on your scuba gear, you should probably read on. We asked Benjamin a few more questions about his talk.

Please tell us the top 5 facts about your talk.

  1. The human mind still possesses all of the same wiring that helped our simian ancestors flee danger. Our reaction to perceived danger is often deeply rooted in this ancestral circuitry.
  2. Studies have shown that lack of sleep impairs judgement as much as alcohol.
  3. People can subconsciously pick up on signs that their leader is stressed out. This causes an autonomic reaction and causes them to become stressed too.
  4. People fall back to learned, repetitive cycles when confronted with fatigue or stress. Security responders should prevent mistakes by drilling and practicing often.
  5. Your executives are people too. They may be just as, if not more, scared during a security incident as the rest of the team.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

I was sitting in a meeting with executive leadership walking through a response plan. I realized that everything we were talking about was based on technology. Nobody was talking about its impact on humans. Everyone there was an individual with their own fears and skills. Security responders rarely account for people.

Why do you think this is an important topic?

Often the most critical part of successfully managing a security crisis is the rational and efficient cooperation of people. These people are often dealing with quite natural emotional responses to danger. Good security incident managers recognize this and make it a core part of their work.

Is there something you want everybody to know – some good advice for our readers maybe?

Recognize that humans are human. This means everyone, from the entry level analysts all the way up to your CEO. Security incidents can cause feelings of anger, violation, or fear. People on the team may be fatigued during times where they need to be at their best. Be aware of the state of your team.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

As more companies adopt dev-ops, crisis issues will involve more people who are unaccustomed to working through tense security problems. Security professionals, especially those whose job it is to keep the situation on track, will find themselves confronting human aspects more often.


Ben Ridgway has been involved in a wide variety of projects during his security career. He started with a position at NASA looking for vulnerabilities in spacecraft control systems. Following that, he took a job with the MITRE Corporation as part of a team which consulted for the US Government. This work involved everything from pen testing high assurance systems to building out Cyber Security Operations Centers. He was hired by Microsoft in 2011 to be one of the original security engineers on Microsoft’s Azure cloud. He helped found the security incident response team for Microsoft Azure. Over time that scope has grown across multiple online service, cloud, and machine learning technologies. Today he is the lead of the Microsoft Security Response Center – Trust and Strategy Team. This team is responsible for managing critical security incidents within Microsoft’s cloud and artificial intelligence services while preparing for the incidents of tomorrow.

Translated RadioFM4 Article: Hype about “Chinese Espionage Chips” stems from the Pentagon

[Editor’s note: This article was originally published on the web site of the FM4 radio channel of the Austrian Broadcasting Corporation. We have translated the text in order to make the content accessible for our English-speaking audience, because the author raises some important questions.]

In the FM4 fact check, the sensational report by the business portal Bloomberg about manipulated hardware for cloud computing turns out to be almost completely fact-free. On Friday a long-awaited report from the Pentagon was released, warning about electronics manufacturing in China.

by Erich Möchel for fm4.orf.at

In the US, the “Cyber Security Month” October has begun, and related news comes thick and fast. The documentary presented on Thursday about a Russian espionage attack that failed miserably was spectacular, but the events had already taken place in April. England, Holland and Canada had waited with this concerted action until charges were filed in the US – which also happened on Thursday.

This concerted cyber-strike was overshadowed by Bloomberg Business Week’s sensational report claiming that Apple, Amazon & Co.’s servers are infiltrated with Chinese espionage chips. Angry denials of Internet companies followed; in fact, the article contains not a single, tangible clue. One explanation for its release came on Friday, when the Pentagon released a long-awaited report targeting electronics manufacturing outsourced to China.

“US electronics industry disappears”

The report refers to Donald Trump’s Presidential Decree “Executive Order 13806”. It aims to secure the supply chain of all US government institutions and the military. Right at the beginning of its introduction, there’s already a clear warning that, given the current developments, entire industries in the US may soon disappear. The report paints a bleak picture of the decline in the production sector, of barely competitive supply companies, which have been hit hard by the economic policies of foreign competitors.

On the one hand, this is due to “collateral damage from globalization,” according to the report, but also to “targeted actions of major powers such as China.” In parallel with the decline of industrial production, essential skills and abilities of workers in the US are dwindling, such as, for example, “the soldering or manufacturing of computer components.” The focus of this Pentagon report is the electronics industry, which has been outsourcing its production facilities to China for the past two decades.

A Report without “when” and “where”

It’s well-known that not only the vast majority of smartphones for the entire world market is manufactured in China. What’s more, PCs are now predominantly made in China as well. The same is true for components for the server market of course, and that’s what the Bloomberg Business Week report is all about too: “The Big Hack – How China Used a Tiny Chip to Infiltrate US Firms.”

Naturally, this lurid title fits perfectly well with a study whose entire purpose it is to, at least partially, reclaim the US electronics industry outsourced to China and bring it back to the United States. What follows is a news story on the manipulation of Supermicro computer motherboards, which are installed in servers for cloud computing all around the world. It is portrayed as if such an incident has actually happened, but does not contain any information at all about “when and where”.

The same Scenario for 15 Years

Of course, such a scenario is possible. A tiny SMD [surface-mounted device] component could be integrated into the manufacturing process of the motherboard, which sits in front of the CPU, the main processor. It is also conceivable to slyly introduce damage code via this component to manipulate the CPU. And because this technical possibility certainly exists, this scenario is not new at all, but has been appearing in the media time and time again for, at least, the last 15 years.

In 2005, the acquisition of the PC division of IBM by the Chinese Lenovo Group, which had already previously manufactured and assembled the components for IBM notebooks, was blocked for months. Because, at that time, IBM supplied many US authorities and the military with notebooks and PCs, the intelligence complex intervened. Since then, this story, always citing anonymous, unspecific warnings from intelligence circles, regularly pops up in the news, most recently in regard to the Chinese manufacturers Huawei and ZTE.

For Example: Huawei and ZTE

Anonymous sources from the intelligence services had also warned against these manufacturers’ telecom hardware for many years. But only in May 2018 were all smartphones of these Chinese manufacturers removed from the military stores, and members of the US armed forces prohibited from using them. The rationale: the smartphones could contain hidden components allowing for the complete surveillance of users. However, in no case could such a compromised part of the hardware be further identified or found.

That’s the way it has been for 15 years, and this case is really a prototypical example. Bloomberg mentions the manufacturer Supermicro, but not which series of motherboards are affected. An animation showing where these chips, “the size of a pencil tip”, are built into Supermicro motherboards is based on a symbolic photograph. In addition to two CPUs without any label there is a marked dot, that’s all. And if, let’s say, in the manufacturing process, instead of a simple pass-through capacitor for signal smoothing, a somewhat more intelligent micro component were used, which incidentally has a few circuits and thus computing power – well, what would happen?

Billions of Stock Market Value destroyed

The Bloomberg report also leaves this question unanswered. Of course, it is possible that a second part of the report will be published on this subject, which will provide the relevant facts that are completely lacking in the first one. For example, when did these hardware infiltrations happen? And were there any specific incidents after that? Bloomberg will have to present the facts about this – if there are any – because its story has caused enormous financial damage. The stock price of the motherboard manufacturer Supermicro was almost halved, about 500 million dollars in stock market value were lost.

As a result, even completely uninvolved hardware manufacturers from China faced huge losses on the stock market. Lenovo, for example, noted a minus of 15 percent on Friday. Several billion dollars of stock market value went down the big data stream altogether, although first Supermicro, then Amazon and Apple had denied the allegations in sharp terms. These denials were followed by yet another one, this one by Bloomberg itself, right at the bottom of the article: “Bloomberg LLP is also a Supermicro customer. According to a company spokesman, no evidence has been found that the hardware used by Bloomberg has such problems as described in the article.”

Epilogue and Outlook

The British National Cyber Security Centre – part of the signals intelligence service GCHQ – has sided with Apple and Amazon this weekend. They see no reason for the assumption that the hardware inside the servers of these companies is compromised. Why this Bloomberg story was published on the very day when NATO, in a long-planned concerted action, went public, revealing the biggest embarrassment of the Russian foreign intelligence service GRU since the end of the Soviet Union, remains puzzling.

Translated Press Release: Systemic Errors as Vulnerabilities – Backdoors and Trojan Horses

DeepSec and Privacy Week highlight consequences of backdoors in IT

Vienna (pts009/09.10.2018/09:15) – Ever since the first messages were sent, people have tried to intercept them. Today, our modern communication society writes more small, digital notes than anyone can read along with. Everything is protected with methods of mathematics – encryption is omnipresent on the Internet. The state of the art in security technology is so-called end-to-end encryption, where only the communication partners have access to the conversation content or messages. Third parties cannot read along, regardless of the situation. The introduction of this technology has led to a battle between security researchers, privacy advocates and investigators.

Kick down doors with Horses

In end-to-end encryption the keys to the messages, as well as the content itself, remain on the terminal devices involved in the conversation. This is the desired goal, because this type of communication uses networks that are not trustworthy or are public, such as the Internet. There is no other way to communicate securely in these environments. End-to-end encryption is without alternative. This is also proven by history. Legislation requiring communications service providers to grant government agencies access to users’ communications led to the development of the Pretty Good Privacy (PGP) software in the 1990s. The clashes at the time therefore bear the name Crypto Wars in the English-speaking world.

The hurdles of mathematics are met with ancient means. Backdoors or Trojan horses, i.e. embedded software for reading messages before encryption, are to be used directly on terminals in order to read along at the source. In terms of security, however, backdoors represent a weak point in hardware or software. For the use of Trojan horses, a vulnerability must be present in order to surreptitiously install the application. Both approaches are diametrically opposed to information security.

Built-in Abuse

Even if authorities should use the so-called state trojans only for the investigation of drug offences or similarly serious cases, it’s conceivable that such interception software escapes and is put to another purpose. The wire-tapping affair in Greece in 2004 is a real example (also known as the Athens Affair). At that time, telephone calls and messages of members of the Greek government and government officials were recorded via the lawful interception interfaces in the mobile network. The attackers exploited the existing interfaces. Kostas Tsalikidis, the mobile operator’s network planning manager, was found dead in his home two days after the security gap was revealed. The perpetrators of the monitoring scandal were never found despite years of investigation.

Although no built-in interfaces for monitoring are active or provided for in software per se, there are prerequisites that must be fulfilled. With a state trojan, sometimes called a federal trojan, the state actively exploits vulnerabilities in computer programs or smartphone apps to monitor individuals. Often the state itself even buys these weaknesses on the black market with taxpayers’ money and deliberately does not inform the development companies about the vulnerabilities it then knows about, in order to keep the security gaps open as long as possible for its own purposes. In doing so, the security of all people and computer systems is put at risk. At a meeting in August 2018, the Department of Cyber Security and IT Security of the Federal Ministry of the Interior confirmed that knowledge of unknown security vulnerabilities has been held back to a certain extent and not made public, in order to attack digital systems.

Close Gaps instead of exploiting them

From the very start the DeepSec security conference has been dealing with security issues. In recent years, the security of mobile networks, Internet infrastructure, mobile devices, all kinds of applications, software components of operating systems and much more has been analysed in detail. Vulnerabilities are not a suitable foundation on which to build a house safely. Security researchers worldwide agree that only the publication of mistakes (in collaboration with interested manufacturers) leads to their correction. In times of discussion about campaign manipulation, threats to critical infrastructures, increasing networking in sensitive industries and military use of software, the highest possible level of information security is more important than ever. Therefore, the DeepSec conference will again feature presentations and trainings on this topic in November of this year. Especially recommended are the lectures which specifically deal with the perpetrators. Edith Huber and Bettina Pospisil will present the results of their research on profiles of perpetrators and victims of cybercrime. Dr. Silke Holtmanns will discuss the state of the art in terms of security in mobile networks in her lecture, as well as the challenges for 5G. Mark Baenziger will take the tensions between supervisors and supervised as an opportunity to illuminate the activities in an IT security team from both points of view.

Lectures on the Topic at Privacy Week

There are two lectures on the subject of State Trojans at PrivacyWeek. In his presentation, Andre Meister, longtime editor at netzpolitik.org, gives an overview of the state of the art used in state trojans, the laws which allegedly regulate them, and the numerous problems in their implementation. His presentation bears the title of the topic – “State Trojan”. Lukas Gahleitner of Amnesty International Austria gives a lecture entitled “The Protective Duties of States regarding Human Rights, or What do marine mines off the Albanian coast have to do with the state Trojan horse?”, which will illustrate the international legal dimension of the topic. Ultimately, vulnerabilities are a threat to a state’s own infrastructure and citizens. So what should be done if a state knows about vulnerabilities? In this regard Lukas Gahleitner has suggestions to make and puts them up for discussion.

Program and Booking

The DeepSec conference takes place on the 29th and 30th of November. The trainings take place on the two previous days, the 27th and 28th of November.

Training & Conference venue: The Imperial Riding School Vienna – A Renaissance Hotel, Ungargasse 60, 1030 Vienna.

You can find the current program under the link: https://deepsec.net/schedule.html

Tickets for the DeepSec conference and trainings can be ordered via the link https://deepsec.net/register.html.

The Privacy Week will take place from the 22nd to the 28th of October 2018 at the Folklore Museum in the 8th district of Vienna.

The program can be found at https://fahrplan.privacyweek.at/.

The tickets for the Privacy Week can be ordered online via https://privacyweek.at/tickets/.

DeepSec 2018 Talk: A Tour of Office 365, Azure & SharePoint, through the Eyes of a Bug Hunter – Dr.-Ing Ashar Javed

The Cross-Site Scripting (XSS) outbreak started almost twenty years ago, and since then it has been infecting web applications at a concerning pace. It is feared that the influx of programs and bug hunters arriving at bug bounty platforms will worsen the situation, given more disclosed cases of bugs or public citing and viewing. According to #FakeNews Media, the outbreak engulfed One Microsoft Way in Redmond. This is where a contagious tour starts.

The tour guide will convoy you through 50 award winning shattered windows in Office 365, Azure and SharePoint. All reported XSS findings spawned great riches and ended up in The Honor Roll or made their way to a simple acknowledgement entry or several CVE-plated thanks. The goal of this walking tour: an intimate look at Microsoft online or cloud services (Office 365 and Azure) bug bounty programs through the eyes of a bug hunter.

This briefing will conclude on: classical XSS is here to stay while Redmond’s outbreak “… was like a storm. But storms, they can come back. Can’t they? The question is, if they come back, is it the same storm, or has something changed?”

Please tell us the top 5 facts about your talk.

  1. Share my experience of participation in Microsoft’s bug bounty program. As a bug hunter, what was my expectation from a company like Microsoft, and, at the end of day, what did I actually get…
  2. This talk will show simple Cross-Site Scripting (XSS) vulnerabilities in Microsoft’s flagship product, i.e. Office 365. But wait … what’s “simple”? Is it even possible that simple XSS issues are still lurking there, even though they had a red team, a blue team and a dedicated team of pentesters? One more thing, please don’t forget that customized automated vulnerability-finding tools are also at Microsoft’s disposal.
  3. Why is it really hard to fix XSS in Office 365? We will try to figure out the answer in our talk.
  4. To be precise, as of now 118 bounty qualified submissions.
  5. XSS is here to stay…

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

The rough idea was to end up somewhere on the list of Top 100 security researchers published by Microsoft every year. Currently I am at #1 on the list of Microsoft’s Top 100 security researchers of 2018. Needless to say, one aspect I had in my mind was definitely financial gain.

Why do you think this is an important topic?

Bug bounties and the discussions around them are always interesting and spark further debate.

Is there something you want everybody to know – some good advice for our readers maybe?

Come and meet the number one security researcher on the list of Microsoft’s Top 100 security researchers of 2018.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

The team behind secure@microsoft.com will receive more reports, in particular regarding Office 365. I believe that hundreds of Cross-Site Scripting issues are still not “unearthed” in Office 365. It may be your turn to find the needle.


Ashar Javed currently works on penetration testing, source code review and mobile application vulnerability assessments at Hyundai AutoEver Europe GmbH (an IT service company for Hyundai & KIA Motors). He works alongside developers and external third-party application vendors in order to eliminate web vulnerabilities. He has spent three years as a security researcher at Ruhr-Universität Bochum, Germany. Ashar holds a PhD degree from Ruhr-Universität Bochum and an MSc from Technische Universität Hamburg-Harburg, Germany. His research interests include web application vulnerabilities and in particular Cross-Site Scripting. He has a passion for XSS and lives and breathes XSS. Last but not least, thanks to XSS, Ashar is at the #1 spot in Microsoft’s Security Response Center (#MSRC) Top 100 Security Researchers List of 2018.

DeepSec 2018 Talk: Leveraging Endpoints to Boost Incident Response Capabilities – Francisco Galian, Mauro Silva

The information technology world is full of terms and acronyms. You have servers, nodes, clients, workstations, mobile devices, lots of stuff talking via the network to even more stuff. And then you have security breaches. How do you detect the latter? Well, you look for things out of the ordinary: error messages, anomalies in behaviour, activity outside the usual time slots in which a system is used, and the like. What’s the best place to look? Answer: the systems directly in touch with all the interactions attackers are interested in – endpoints.

Most organisations fail to properly detect or even respond to incidents. A factor that significantly contributes to this is the lack of visibility on endpoints. That being said, endpoint logging can be very noisy, and most organisations don’t have the infrastructure to cope with the volume. The aim of this talk is to help blue teams understand which logs give you the most benefit for the least investment. That will help improve detection mechanisms while also helping to trace back any breach, thus improving incident response.

In order to achieve this we built a lab that represents a common Windows-based business. We then reproduced some common attacks and techniques that we have worked on, from financially motivated threat groups to Advanced Persistent Threats (APTs), and investigated the logs generated by them to analyse what the best indicators were.

Francisco Galian is an SME on Incident Response & Digital Forensics, leading the response during security incidents, compromised networks and data breaches, and helping customers in a proactive way by providing trainings, table top exercises and active threat assessments.
Previous roles include assessing the security of a Critical National Infrastructure, consultancy, and being the main developer of Threat Intel solutions like malware sandboxes.

Mauro Silva’s interests can be summarized by two words: challenges and scripting. He loves challenges, and scripts every repetitive task he can.

In his current position he leads a team responsible for threat hunting within a telco environment. He has also developed a training program for it that includes simulation of incidents and puts the team into the various roles involved, in order to enable it to understand the nuances of an incident. That includes red teaming (aka pentesting).
In his past positions he has focused mainly on Incident Response and Forensic Investigations. He was also involved in the development of a Threat Intel gathering tool called IntelMQ. Mauro always tries to streamline his team’s work by automating everything that can be automated. He has also represented his previous employers at several conferences and led a nationwide cybersecurity exercise.

DeepSec 2018 Talk: Dissecting The Boot Sector: The Hunt for Ransomware in the Boot Process – Raul Alvarez

Ransomware is as cyber as it gets these days. It’s all over the news, and it is a lucrative business case. Modern malicious software has been put to work for its masters. It is the platform of deployment for a whole variety of additional code. So why is ransomware not the same as any other malicious software? Raul Alvarez will explain this to you at DeepSec 2018:

Ransomware families differ slightly in their attack vectors, encryption algorithms, and selection of files to encrypt. A common ransomware technique is to encrypt files and hold them for ransom. Petya ransomware does the infection a bit differently from the others. Instead of encrypting files, it encrypts the MFT, the Master File Table, which contains the metadata and headers for each file in the system.

Another trait of this malware that stands out is its infection of the MBR, the Master Boot Record. It overwrites the MBR and the adjacent sectors with its kernel code. When an infected system is restarted, instead of loading the Windows or Linux operating system, it starts its own kernel code and holds your whole computer for ransom. And if you decide to pay, you need another machine to access the online payment system and enter the unique code generated on the infected machine.

In this presentation, we are going to look into how Petya overwrites the MBR (Master Boot Record), on both MBR- and GPT-style disks, with its malicious code. Then we are going to follow the code in the MBR and show how a simple malicious kernel code can take control of the boot process until you pay the ransom. I will show a demo on how to debug the MBR to see how the actual native code executes without any API.

We are also going to see how we can use a combination of different tools to figure out how ransomware can infect the very first sector of a hard disk: tools such as Disk Management, DISKPART, WinObj, Process Monitor, and HDHacker, and of course x64dbg and OllyDbg for debugging the ransomware at application level. And finally, we are going to see how to use the Bochs debugger to analyze the malware while it runs its kernel code.

Using Bochs, debugging the boot sector gives us full control over the execution of the initial kernel code. In this case, we can deep dive into Petya’s kernel to understand how native code execution works. Petya’s kernel code gives us an idea of how a boot sector or a simple operating system works.

Analyzing Petya gives us the ability to analyze malware or ransomware that infects and overwrites a boot sector. It also gives us an understanding of how malware can still infect a boot sector even with new technologies such as UEFI and GPT. And it can also give us an idea of how to analyze future malware that has the same intent as Petya.
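The text describes Petya overwriting the MBR and the sectors adjacent to it. As an added example (not code from the talk or its author), the following Python checks exactly that region from the defender's side: it parses the partition table of sector 0, hashes the boot code, and compares a fresh read of the first sectors against a baseline taken from a known-good disk. The two disk images are constructed in memory for the demonstration and contain no real malware; the 34-sector window and the sample partition layout are assumptions.

```python
"""Baseline-and-compare integrity check for the MBR and its adjacent sectors.
Added example; the disk images below are constructed, not taken from any sample."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"          # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446          # boot code occupies bytes 0..445
GPT_PROTECTIVE_TYPE = 0xEE            # partition type of the protective MBR entry on GPT disks


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, partition entries and signature state."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status(1) CHS start(3, skipped) type(1) CHS end(3, skipped) LBA start(4) sector count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
        "is_gpt": any(p["type"] == GPT_PROTECTIVE_TYPE for p in partitions),
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def snapshot(disk: bytes, adjacent_sectors: int = 33) -> dict:
    """Baseline of sector 0 plus the sectors right after it. Assumption: 34 sectors
    covers the GPT header and partition table on GPT disks; adjust for your layout."""
    base = parse_mbr(disk[:SECTOR_SIZE])
    base["adjacent_sha256"] = [
        hashlib.sha256(disk[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE]).hexdigest()
        for n in range(1, adjacent_sectors + 1)
    ]
    return base


def check(baseline: dict, disk: bytes) -> list:
    """Compare a fresh read of the first sectors against the baseline; return findings."""
    current = snapshot(disk, len(baseline["adjacent_sha256"]))
    findings = []
    if not current["signature_ok"]:
        findings.append("MBR boot signature 0x55AA missing")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("MBR boot code changed")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    changed = [n + 1 for n, (old, new) in
               enumerate(zip(baseline["adjacent_sha256"], current["adjacent_sha256"]))
               if old != new]
    if changed:
        findings.append("adjacent sectors changed: %s" % changed)
    return findings


def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a 512-byte MBR from boot code and (status, type, lba_start, count) tuples."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries).ljust(64, b"\x00")
    return boot_code.ljust(PARTITION_TABLE_OFFSET, b"\x00") + table + BOOT_SIGNATURE


# Constructed clean image: stand-in boot code, one bootable NTFS partition at LBA 2048,
# followed by 40 empty sectors (the gap before the first partition).
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 24
CLEAN_DISK = build_mbr(CLEAN_BOOT_CODE, [(0x80, 0x07, 2048, 409600)]) + b"\x00" * (SECTOR_SIZE * 40)

# Constructed "after tampering" image: different boot code in sector 0 and sectors 1..16
# filled with arbitrary bytes, mimicking the pattern the text describes (not Petya's code).
TAMPERED_DISK = (build_mbr(b"\xeb\x3c\x90" + b"\xcc" * 40, [(0x80, 0x07, 2048, 409600)])
                 + b"\x41" * (SECTOR_SIZE * 16) + b"\x00" * (SECTOR_SIZE * 24))

BASELINE = snapshot(CLEAN_DISK)

if __name__ == "__main__":
    print("clean disk findings:   ", check(BASELINE, CLEAN_DISK))
    print("tampered disk findings:", check(BASELINE, TAMPERED_DISK))
```

On a real system the baseline would be taken from the raw device (e.g. `\\.\PhysicalDrive0` on Windows) at build time and re-checked at boot or on a schedule; the partition table is kept in the comparison because legitimate repartitioning must be distinguishable from a boot-code overwrite.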


Raul Alvarez is a Senior Security Researcher/Team Lead at Fortinet. He’s a Lead Trainer responsible for training the junior AV/IPS analysts in malware analysis and reverse engineering.  Raul has presented at different conferences like BSidesVancouver, BSidesCapeBreton, OAS-First, BSidesOttawa, SecTor, DefCamp, BCAware, AtlSecCon, BSidesCalgary, TakeDownCon, MISABC, InsomniHack, ShowMeCon, CircleCityCon, and HackInParis. He is a regular contributor to the Fortinet blog and to the Virus Bulletin publication, where he has published 22 articles.

DeepSec 2018 Talk: Uncovering Vulnerabilities in Secure Coding Guidelines – Fernando Arnaboldi

Several government-related and private organizations provide guidance on how to improve the security of existing software as well as best practices for developing new code. These organizations include the Computer Emergency Readiness Team (CERT) Secure Coding Standards, Common Weakness Enumeration (CWE), Open Web Application Security Project (OWASP), and National Institute of Standards and Technology (NIST) Software Assurance Metrics.

Fernando’s talk will expose multiple underlying exploitable vulnerabilities in the secure code that follows the recommendations from each of these organizations. Even though these guidelines were created to improve software security, they may also inject side vulnerabilities due to a lack of proper analysis.

Within secure code snippets, reviewed by many and considered trustworthy by all, are issues that attackers could exploit to escape secure directories, abuse insecure hashing and encryption practices, or even expose applications to SQL injection attacks among others.
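As an added illustration of the “escape secure directories” class mentioned above (example code written for this post, not one of the snippets from Fernando’s talk and not taken from any of the guidelines named), here is the kind of string-prefix directory check that reads as safe beside a canonicalising version, both run over constructed POSIX path names. The base directory and file names are made up and do not need to exist.

```python
import os


def naive_is_within(base_dir: str, requested: str) -> bool:
    """A prefix check of the kind that looks secure at a glance: join the
    user-supplied name onto the base directory and test that the result starts
    with base_dir. Two things go wrong: '..' segments are never resolved, and
    os.path.join discards base_dir entirely when `requested` is absolute."""
    candidate = os.path.join(base_dir, requested)
    return candidate.startswith(base_dir)


def hardened_is_within(base_dir: str, requested: str) -> bool:
    """Canonicalise both sides (resolving '..' and symlinks), then require the
    base directory to be a whole-component prefix of the target, so neither
    '../' tricks nor a sibling such as /srv/uploads_private slips through."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    try:
        return os.path.commonpath([base, target]) == base
    except ValueError:          # nothing in common at all (e.g. different Windows drives)
        return False


# Constructed inputs with the verdict a correct check must give.
BASE = "/srv/uploads"
CASES = {
    "reports/q3.pdf": True,                     # legitimate file inside BASE
    "../../etc/passwd": False,                  # classic traversal
    "/srv/uploads_private/secret.txt": False,   # sibling directory sharing the prefix
    "": True,                                   # BASE itself
}


def evaluate(check) -> dict:
    """Run one checker over every constructed case; returns {input: allowed}."""
    return {req: check(BASE, req) for req in CASES}


if __name__ == "__main__":
    for name, fn in (("naive", naive_is_within), ("hardened", hardened_is_within)):
        for req, verdict in evaluate(fn).items():
            ok = "ok" if verdict == CASES[req] else "WRONG"
            print(f"{name:9s} {req!r:40s} allowed={verdict!s:5s} {ok}")
```

Running it shows the naive check allowing both the traversal and the sibling-directory case, while the canonicalising check returns the expected verdict for all four. Note that `realpath` has to be applied before the comparison, not after: normalising the string and then doing a prefix test still lets the sibling directory through.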

We asked Fernando a few questions about his topic of expertise.

Please tell us the top 5 facts about your talk.

  1. Secure coding guidelines may introduce vulnerabilities.
  2. Insecure practices range from insecure configurations to insecure implementations.
  3. Insecure recommendations are published by government, private and public organizations.
  4. The unwanted behaviours are a consequence of insecure and complex functionalities in software.
  5. Not all of the vulnerabilities will be detected by static source code analysers.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

Last year I analyzed how applications could defend themselves from attacks. To expose how the most secure applications could use an approach like this, I analyzed if it could be implemented on secure coding guidelines. When presenting my embedded defense talk at Ruxcon (2017) and OWASP (2018), I exemplified how attackers could bypass secure code snippets from secure coding guidelines.

Why do you think this is an important topic?

It is a funny oxymoron that there are vulnerabilities in the recommendations of secure coding guidelines.

Is there something you want everybody to know – some good advice for our readers maybe?

We need to start to perform peer reviews on the secure coding guidelines that we use and restrict insecure functionalities in software.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

Programming languages will start including less insecure functionalities. Restricting the existence of potential vulnerabilities and insecure functions will be more effective than analyzing what not to do.

Fernando Arnaboldi is a developer and a security consultant who specializes in penetration testing and code reviews on multiple platforms. He has focused his research on how programming languages can be used to exploit vulnerabilities and defended applications. He has presented his findings at security conferences such as Black Hat USA & Europe, DEF CON, OWASP AppSec USA & Europe, Ruxcon and HITB.

DeepSec 2018 Talk: Security as a Community Healthcare: Helping Small Non-Profit Organisations Stay Secure – Eva Blum-Dumontet

This talk will look at the way Privacy International has relied on its experience from working with a network of small NGOs across the Global South to shape its approach to security and develop Thornsec, an automated way to deploy, test, and audit internal and external services for an organisation.

Privacy International works with a network of over twenty organisations located in Latin America, Africa, Asia and the Middle East. Together we research and document threats and abuses to privacy from governments and corporations and advocate for better privacy protection from both a technological and a legal standpoint. Being at the forefront of the fight against surveillance means that the partners of Privacy International are sometimes exposed to oppressive political regimes. They experience a wide range of threats, from office burglary and physical surveillance by intelligence services to phishing attacks, Hacking Team-type malware, etc. Yet the advice they have received so far has been solely focused on end users, not organisations. This talk will highlight our journey towards challenging this situation and our take on attempting to help small organisations with network security.

We asked Eva a few more questions about her talk.

Please tell us the top 5 facts about your talk.

  1. This talk is about the real experience of security: What does security look like on the ground for small NGOs in the Global South?
  2. This talk is given by a non-technical person, who had to learn how each employee in an organisation can work on making their organisation more secure.
  3. This is about our journey on how we came to approach security through trial and error, and we are brutally honest about it.
  4. We will present Thornsec, our response to organisational security challenges.
  5. We are not here to provide definitive answers. Many of you in this room will understand security better than we do and we hope you will help us to grow!

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

Too often we see security being discussed in the abstract, without understanding a threat model but also without understanding the reality of people’s lives and how they are affected by infosec practices. At Privacy International, we deal with those real life stories on a daily basis within our network of organisations and we thought it was important to tell these stories and explain what led us to approach security the way we do. It’s not perfect, we are still learning and we hope that participating in conferences like DeepSec will be an opportunity for us to improve.

Why do you think this is an important topic?

Organisational security affects NGOs, who are defending our rights, all over the world. They have limited resources and are often at risk regarding very specific threat models. We need to engage the security community to find solutions for them beyond the “Use PGP/use Tor” trainings that have historically been provided. Offering solutions that work for small NGOs also means finding solutions that could be applied to many other small businesses, making our whole society more secure.

Is there something you want everybody to know – some good advice for our readers maybe?

People who are joining in should definitely check out Thornsec on GitHub.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

With the development of the Internet of Things and the reliance on “bring your own device” policies, the risks for organisations will multiply. At the moment we know printers are still a massive vulnerability for a lot of small organisations, yet more and more objects will now be connected to the internet and become new vulnerabilities.

Eva Blum-Dumontet has been a researcher at Privacy International since 2014. She is leading a project on gender and privacy, exploring the impact of corporate, government and societal surveillance on women and gender non-conforming individuals. She is the author of a report on smart cities and their impact on the right to privacy. Her work has largely focused on the Global South and she conducted a number of investigations on government surveillance in various countries, including Egypt and Thailand.

DeepSec 2018 Training: Malware Analysis Intro – Christian Wojner

With malware (malicious software) featuring crypto-trojans (ransomware), banking-trojans, information- and credential-stealers, bot-nets of various specifications, and, last but not least, industry- or even state-driven cyber espionage, the analysis of this kind of software is becoming more and more important these days. With a naturally strong focus on Microsoft Windows based systems, this entertaining first-contact workshop introduces you to one of the most demanding but nonetheless compelling fields in IT-Security. We asked Christian a few more questions about his training.

Please tell us the main facts about your training.

This training is for every IT (Security) person who wants/needs to have their first encounter with the stunning field of malware analysis.

On the basis of an especially designed, exciting scenario blended with various technical detours and packed into a six-stage workshop, students will…

  • learn how easy it is to get infected by malicious software,
  • form a sense to assess what’s possible and what isn’t,
  • gain a comprehensive overview of the various malware categories and their according specifics,
  • learn about the individual phases of malware analysis and according tools including hands-on experience,
  • find out what malware analysts (are able to) do,
  • develop and hence understand typical strategic concepts and tactics in reverse engineering,
  • build a basic understanding of typical activities when dealing with cyber security incidents,
  • develop a realistic perspective regarding possibly upcoming malware incidents regarding their company,
  • learn a lot about the “hidden” gears under the hood of Microsoft Windows and modern operating systems in general and accordingly locate and fill gaps in their knowledge,
  • gather/train their abilities to deal with unforeseeable and even chaotic situations in a flexible and constructive manner thinking outside the box, and last but not least
  • build a stable foundation and therefore an ideal “trampoline” for next steps and further advancement in malware analysis.

How did you come up with it? Was there something like an initial spark that set your mind on creating this course?

I wanted to create a massively interactive beginners’ training, bundling the steps of malware analysis and the ones regarding the usually preceding incident response together. Something to start from, delivering useful knowledge for everyone who might get in touch with malware-driven incidents, especially if they are going to be a one-(wo)man-show. Beyond that, interested people can use it to get a basic overview and gut feeling, helping them to decide whether the topic is worth a deeper dive by visiting one of those “highly compressed information tsunamis”.

Why do you think this is an important topic?

Today’s cyber attacks targeting companies (apart from DOS) as well as cyber crime per se sooner or later introduce malicious or at least unwanted software. Executables aren’t mysterious things! Basic skills in how to handle and analyze them will not only get one out of paralysis, but even enable them to learn about the core aspects and goals of the attack.

Is there something you want everybody to know – some good advice for our readers maybe?

Don’t be afraid of or stunned by executables (Portable Executable, PE file) in general! Think of them like MS Word or PDF documents – in terms of their basic nature that’s just what they are, with a special fetish of being bundled up with a certain amount of processable instructions (machine-code). Just like “normal documents” they have their master/core application that’s needed to initiate and process them, in terms of PE files it’s called “Loader”.
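An added example in that spirit (written for this post; it is not Christian’s material and not from ProcDOT or any other tool named here): a small Python parser that reads a PE file’s headers in the order the loader does, the DOS header, the `PE\0\0` signature, the COFF and optional headers and the section table, and reports which section holds the entry point and whether that section is marked executable. The two PE images it inspects are constructed inline from headers only and contain no real code.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000          # section flag: may be executed
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64"}
SECTION_HEADER_FMT = "<8sIIIIIIHHI"         # 40-byte IMAGE_SECTION_HEADER


def parse_pe(data: bytes) -> dict:
    """Walk the headers in the order the Windows loader reads them."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature: not a DOS/PE header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]        # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, _stamp, _symtab, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    if magic == 0x10B:                                         # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                       # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")

    sections = []
    table = opt + opt_size
    for i in range(nsections):
        (name, vsize, vaddr, rawsize, rawptr,
         _relocs, _lines, _nrelocs, _nlines, flags) = struct.unpack_from(
            SECTION_HEADER_FMT, data, table + i * 40)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": rawsize,
            "raw_pointer": rawptr,
            "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE),
        })

    # Which section will the loader hand control to? Triage heuristic: an entry
    # point outside any executable section is unusual for a compiler-built binary.
    entry_section = next(
        (s for s in sections
         if s["virtual_address"] <= entry_rva
         < s["virtual_address"] + max(s["virtual_size"], s["raw_size"])),
        None)
    return {
        "machine": MACHINE_NAMES.get(machine, f"{machine:#06x}"),
        "image_base": image_base,
        "entry_point": image_base + entry_rva,
        "sections": sections,
        "entry_section": entry_section["name"] if entry_section else None,
        "entry_in_executable_section": bool(entry_section and entry_section["executable"]),
    }


def build_sample_pe(entry_rva: int, sections) -> bytes:
    """Assemble a minimal, constructed PE32 header set (no real code inside):
    DOS header, "PE\0\0", COFF header, 224-byte optional header, section table."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)        # ImageBase
    table = b"".join(
        struct.pack(SECTION_HEADER_FMT, name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, flags)
        for name, vaddr, vsize, rawsize, rawptr, flags in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples. Flags: 0x60000020 = code|execute|read, 0xC0000040 = data|read|write.
LAYOUT = [(b".text", 0x1000, 0x400, 0x400, 0x400, 0x60000020),
          (b".data", 0x2000, 0x200, 0x200, 0x800, 0xC0000040)]
SAMPLE_PE = build_sample_pe(0x1000, LAYOUT)   # entry in .text, as a compiler would emit
ODD_PE = build_sample_pe(0x2000, LAYOUT)      # entry in a non-executable section

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_PE), ("odd", ODD_PE)):
        info = parse_pe(blob)
        print(label, info["machine"], hex(info["entry_point"]),
              info["entry_section"], info["entry_in_executable_section"])
```

Everything the parser touches is exactly what Christian means by the loader’s view of a “document”: offsets, sizes and flags that tell the operating system where the machine code lives and where to start. Seeing the entry point land in a section that is not marked executable is a simple first signal that a file deserves a closer look.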

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise/the topic of your training in particular?

To be honest, it’s Microsoft’s “Feature Update” approach that worries me a bit. These updates are not just tiny patches, but rather comparable to full service packs – twice a year now. In these terms we’ve already seen a bunch of unintended impacts, especially on memory forensics tools like Volatility. Tools like the latter are algorithmically bound to kernel structures and their according fields and sizes. If such a structure changes, chances are high that those tools will fail, at least to some extent. It’s hard for the community to keep up with those changes because it takes a lot of effort. In the worst case the consequence is that one has to do memory forensics on a system that has just been updated, hence outdating their toolset, actually. In this case one would have to wait for an updated profile, which can easily take multiple weeks. So, from that point of view, is it better for customers to have the latest updates installed, or not? I think we are going to see some murmurs and movements in this respect. In which direction? We’ll see.

Christian Wojner is one of the core team members of the national and governmental computer emergency response team (CERT) of Austria (CERT.at/GovCERT Austria). Apart from his classical IT security incident handling and response duties, he particularly specializes in computer forensics with a very strong focus on analysis and reverse engineering of (malicious) software on Microsoft Windows based systems. In this respect, Christian is the author of various technical articles and papers, frequently gives talks specifically focusing on malware analysis, and supports the IT security community with his contributions in terms of forensic software tools, a lot of them as part of forensics software compilations like SANS’ specialized Linux distributions for reverse engineering (REMnux) and computer forensics (SIFT). One of his most popular projects, however, is “ProcDOT”, which gave behaviour-based malware analysis a massive boost in terms of efficiency and simplicity due to its visual approach using animated, interactive behaviour graphs. Besides being featured in many articles, ProcDOT was the 2nd place winner of Russ McRee’s Toolsmith “Tool of the Year Award” in 2013.

DeepSec 2018 Training: ERP Security: Assess, Exploit and Defend SAP Platforms – Pablo Artuso & Gaston Traberg

Your SAP platform contains the business crown jewels of your company. However, while leading organizations are protecting their systems from new types of SAP threats, still many are prone to SAP-specific vulnerabilities that are exposing their business to espionage, sabotage and financial fraud risks.

Gaston’s and Pablo’s training empowers Security Managers, Internal/External Auditors and InfoSec Professionals to assess their SAP platforms for platform-specific vulnerabilities, exploit them to better understand the involved business risk and mitigate them holistically.
It provides the latest information on SAP-specific attacks and protection techniques. After an introduction to the SAP world (previous SAP expertise is NOT required), you will learn through several hands-on exercises how to perform your own vulnerability assessments and penetration tests of your SAP platform to identify existing security gaps. You will understand why even strict user roles and profiles are not enough to protect an SAP system, and how malicious attackers could break into the system anonymously, even without having a valid user. With a strong focus on the SAP application layer, you will learn the key security aspects of several proprietary components and technologies, such as the SAProuter, SAP Web Dispatcher, SAP Gateway, SAP Message Server, SAP Web Applications (Enterprise Portal, Web Application Server), the SAP RFC and P4 interfaces, SAP Solution Manager, SAP Management Console, SAP-specific backdoors and rootkits, SAP forensics, SAP malware, ABAP vulnerabilities, the new SAP HANA Database, SAP Cloud solutions and much more! You will watch numerous live demonstrations of the most critical attack vectors, and even replicate them yourself in our labs using open-source and free tools, such as Bizploit – the first open-source ERP Penetration Testing framework.

After this intense training, you will be very well equipped to understand the critical risks your SAP platform may be facing and how to assess them. More importantly, you will know which are the best-practices to effectively mitigate them, pro-actively protecting your business-critical platforms. Previous SAP expertise is NOT required!

We asked Pablo and Gaston a few more questions about their training.

Please tell us the top 5 facts about your training.

  • Hands-on training (25+ exercises)
  • One of a kind (there’s no other training about ERP security)
  • 0 SAP knowledge is required
  • Open source penetration testing framework will be used
  • Let’s think like an attacker… latest exploits related to SAP will be covered

How did you come up with it? Was there something like an initial spark that set your mind on creating this course?

We started giving this training almost 10 years ago, when nobody was talking about this topic. At that time, speaking about security in SAP systems was basically speaking about SoD. Since then, we started not only to deliver this training at security conferences, but also to give talks, do webcasts, research, and more, with the goal of raising awareness and spreading knowledge. A couple of years ago (and still) people didn’t know how to interact with these types of systems. That’s why one of the main goals of this training is to get yourself acquainted with the different layers of security inside the SAP world, get to know the most important vulnerabilities, the most critical configurations, how they can be abused and how they should be protected.

Why do you think this is an important topic?

ERP security has been growing during the last years. In 2016, the Department of Homeland Security (DHS) released the first-ever alert related to SAP security, which was the outcome of a combined project with Onapsis. In 2018, they came up again with another news story, stressing that companies are still under attack and they must take care of it. Based on our experience, attacks on ERP platforms, which hold the most important assets of companies, are increasing year by year. Due to the complexity of SAP systems, administrators sometimes don’t realize that their own systems are exposed to the internet. Knowing how to properly secure and defend your systems from these kinds of attacks is definitely a must.

Is there something you want everybody to know – some good advice for our readers maybe?

How much do you know about ERP security? Have you ever heard of it? Let’s think about it for a second. How critical is the data that is actually stored in these systems? Do you know how to protect it? Attackers are starting to realise that people are not protecting them, which opens a huge window of opportunities. Exploits and techniques to abuse misconfigurations are going public faster each time. Don’t you think it’s time to take action?

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your training in particular?

Year by year, ERP security is gaining more respect, as the number of attacks keeps increasing. Companies can’t keep overlooking it, because their most important assets are at risk. On the other hand, attackers are getting more into the world of SAP and they’re starting to exploit and abuse vulnerabilities and misconfigurations which are publicly known. The time of ERP security has come, and everybody needs to be aware of it.

Pablo Artuso is a security researcher at the Onapsis Research Labs. His work is focused on the research and detection of vulnerabilities in SAP systems. As a result of his research, he has reported and published several vulnerabilities in different SAP solutions such as HANA, Netweaver, etc. Moreover, Pablo works closely with the Innovation team contributing to the development of cutting-edge technologies to boost Onapsis products. 

Gaston Traberg is a security researcher at Onapsis. After many years working as a researcher and pentester, Gaston became part of Onapsis, focusing his work on ERP security. As a result of his research, he has reported and published several vulnerabilities in SAP and Oracle products. He also contributes to the development of cutting-edge technologies to boost Onapsis products.

DeepSec 2018 Talk: IoD – Internet of Dildos, a Long Way to a Vibrant Future – Werner Schober

Eggplants © by Fructibus - https://commons.wikimedia.org/wiki/File:Four_eggplants_2017_A.jpg

The Internet of Things has grown. Interconnected devices now have their own search engine. Besides power plants, air conditioning systems, smart (or not so smart) TV sets, refrigerators, and other devices there are a lot of smaller and more personal things connected to the Internet. Your smartphone includes a lot of personal conversations, most probably pictures, sound recordings, and a treasure trove of data for profiling. Let’s get more personal. Let’s talk about teledildonics.

Teledildonics is the art and technology of remote sex. Call it cybersex (apologies to William Gibson), cyberdildonics (again, sorry, Mr Gibson), or whatever you like. It’s been around for a long time, think decades. The term was used in 1975 by Ted Nelson in his book Computer Lib/Dream Machines. It even has its own conference, called Arse Elektronika (which was first held in 2007, just like DeepSec!). The conference explores the impact of sex on technological innovation and adoption – which is right up our alley, too. Werner Schober from SEC Consult has investigated „smart“ sex toys. The work was done as his master thesis in computer science. The results are scary, because Werner found multiple vulnerabilities in sex toys which can connect to your smartphone via an app(lication). The list is impressive.

  • Exposed administrative Interfaces on the Internet
  • Cleartext Storage of Passwords
  • Unauthenticated Bluetooth® LE Connections
  • Insufficient Authentication Mechanism
  • Insecure Direct Object Reference
  • Missing Authentication in Remote Control
  • Reflected Cross-Site Scripting

The devices combine a set of different technologies. One crucial part is the network protocol. The Bluetooth® SIG highly recommends version 4.2. Some of the toys use 4.0/4.1, thus allowing for a weaker key exchange. The hardware of the product is capable of using 4.2. By choice it was not used in order to be able to connect to older phones. The other weaknesses are straight from the tutorials of How Not To Code Securely.

The implications for violation of privacy are severe. Due to the public database disclosure in one product, the whole Internet could access information such as explicit images, chat logs, sexual orientation, email addresses, passwords in clear text, and more. This is a nightmare for customers and, in some cases, a great opportunity for people earning their money by blackmail. Given the fact that the phone app connects to its own social network platform, the nature of the social graph is definitely sensitive information.

The lack of authentication (Bluetooth® no-pairing mode) is deliberate and activated by default. The reason is that some use cases of the sex toy involve full access by random individuals. Even the new firmware will default to this mode, so authentication will stay opt-in. From the viewpoint of information security this is a bad choice.

Don’t get distracted by the nature of these devices. Teledildonics and the porn industry are the trailblazers for new technologies. Virtual reality is extensively being tested and developed, but not for computer games or office applications. The same is true for many other devices, code, and algorithms. The common denominator is access to the Internet. Ubiquitous connectivity must not lead to arbitrary access to data and management consoles. Web applications learned this lesson the hard way – and are still vulnerable. The Industry of Things has to learn this lesson fast!

The full technical advisory is published. In addition, you can read Werner’s own blog article about his findings.

DeepSec 2018 Talk: Global Deep Scans – Measuring Vulnerability Levels across Organizations, Industries, and Countries – Luca Melette & Fabian Bräunlein

Metrics are plentiful, but they are hard to come by when it comes to meaningful numbers. This is why we were amazed by the submission of Luca Melette and Fabian Bräunlein. Why? This is why:

“We introduce global deep scans that provide insights into the security hygiene of all organizations exposed to the Internet. Our presentation discusses vulnerability levels across different groups of organizations and points out differences in the underlying maintenance processes. We find that different industries have a lot to learn from each other and provide the necessary measurements to start these dialogues.”

We asked Luca and Fabian a few more questions about their talk.

Please tell us the top 5 facts about your talk.

1. Come
2. Watch
3. Our
4. Talk
5. You’ll see results from a global vulnerability scan across thousands of companies in dozens of industries and you’ll be invited to be part of our journey of analyzing the data.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

We have been curious for a long time about which companies, industries, and regions are better or worse when it comes to security. Who can learn from whom on which topics? Since no public information of this kind is available, we started scanning the Internet ourselves and created a weighted vulnerability score to compare and contrast vulnerability levels.

Why do you think this is an important topic?

Vulnerability information today is mostly available in pockets: Many companies know about their vulnerability level, but they do not know how they rank among others. Researchers often know about the prevalence of a few vulnerabilities, but do not have an overview of issues outside their special field. Our presentation provides this additional visibility and creates awareness about vulnerability levels on the Internet. Researchers and corporates will be stimulated to look at internet exposure in different ways and find weak spots that need attention. Our goal is to show who can learn from whom.

Is there something you want everybody to know – some good advice for our readers maybe?

It is important for both users and companies to periodically check which of their assets are exposed on the internet and evaluate what risks are associated with them. Our research shows that some industries are more exposed to hacking than others, possibly indicating the next targets for hackers, but also great potential to learn from one another.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise/ the topic of your talk in particular?

Our observations will stimulate internet actors to learn from one another by comparing themselves to the rest of the world.

Fabian Bräunlein has always been curious about taking systems apart. He works as a Security Researcher and Consultant at Berlin-based hacker collective SRLabs. His previous research includes hacking payment systems (32c3), travel systems (HEUREKA) and IP cameras (DeepSec 2017).

Luca Melette is a security researcher with focus on all sorts of telecommunication networks. In the past years, together with Karsten Nohl, he discovered and disclosed several security vulnerabilities in mobile networks, from low-cost radio attacks to more sophisticated interconnect abuse.
Luca’s one of the maintainers of the website gsmmap.org and the related mobile app SnoopSnitch.

DeepSec 2018 Training: Professional Bug Hunting for Early Bird Millionaires – Sensitive Data Exposure

DeepSec’s Early Bird Tariff is still valid for today. If you are interested in bug hunting for money, i.e. bug bounties, then you should hurry. Dawid Czagan is conducting a training at DeepSec 2018 where you can learn all you need to get started. If you don’t know what to expect, we recommend one of Dawid’s online courses to get into the mindset. His tutorial on finding sensitive data exposure is available via his web site. In case you are interested, please head over to our ticket shop. Early bird tickets are still available until midnight!

DeepSec 2018 Training: Advanced Penetration Testing in the Real World – Davy Douhine & Guillaume Lopes

Guillaume and Davy, senior pentesters, will share many techniques, tips and tricks with pentesters, red teamers, bug bounty researchers or even defenders during a 2-day 100% “hands-on” workshop. This is the very training you’d like to have instead of wasting your precious time trying and failing while pentesting.

The main topics of the training are:

  • Buffer overflow 101: Find and exploit buffer overflows yourself and bypass OS protections. (A lot of pentesters don’t even know how it works. So let’s have a look under the hood);
  • Web exploitation: Manually find and exploit web app vulnerabilities using Burpsuite. (Yes, running WebInspect, AppScan, Acunetix or Netsparker is fine but you can do a lot more by hand);
  • Network exploitation: Manually exploit network related vulnerabilities using Scapy, ettercap and Responder. (Because it works so often when doing internal pentests);
  • Passwords: Optimize the way you attack offline and online passwords. (0day is fun, but the way attackers gain access most of the time is simply by using login/passwords);
  • Mobile app hacking: Find and exploit Android/iOS app vulnerabilities using Needle, Frida, Cycript and Hopper. (Companies move their apps into the cloud and the mobile world so pentesters have to evolve with that… or die);

We asked Davy and Guillaume a few more questions about their training.

Please tell us the top 5 facts about your training.

  1. It’s a hands-on training! Less talk and more exercises.
  2. The goal is to learn techniques that you can apply in real use cases.
  3. Know how hackers perform their attacks.
  4. A variety of subjects are reviewed!
  5. Learn the basics in order to be able to dig deeper into new subjects.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk / course?

Performing penetration tests (or pentests in short) is our daily job, but it is also a real hobby for us. We like learning new techniques, developing custom scripts or tools and also participating in Capture The Flag (CTF) sessions. After several years of pentest jobs, we found that clients are still amazed by the vulnerabilities we exploit and the techniques we use. This is not black magic! So, the idea of the course is to demystify the penetration test and show the participants how pentests are performed in the real world. In addition, we also wanted to avoid giving a training with just a list of tools and their description.

Why do you think this is an important topic?

Attacks are performed every day against many companies and lead to data leakage containing personal, but sometimes also financial information (i.e. credit cards). Knowing the techniques allows one to understand the attacks, and, at the same time, to implement the protections to prevent them.

Is there something you want everybody to know – some good advice for our readers maybe?

Information security is evolving very fast and it is difficult to keep up to date on any and every subject. The training could be interesting for people having experience in penetration testing in a specific area (web app, mobile, etc.), or even for people who have never performed pentests before and are willing to learn. Also, people with defensive experience could be interested to learn how hackers work.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your training in particular?

For many years, some have been predicting the end of pentest, arguing that it will be replaced by bug-bounties or automated security audits. Clearly that has not happened yet, the demand is stronger than ever. Artificial intelligence will surely put us out of work one day, but we’re not sure our generation will see that day.

Founder of RandoriSec, a security focused IT firm, Davy Douhine has been working in the ITSec field for almost fifteen years. He has mainly worked for financial, banking and defence key accounts, doing pentests and trainings to help them improve their security.

Guillaume Lopes has been working in the pentest field for about 10 years. He has written many ITSec articles and has attended many security conferences.