DeepSec 2019 Keynote: Computer Security is simple, the World is not – Raphaël Vinot and Quinn Norton

Information security is too often seen as a highly technical field in computer science, and one where the more technical someone is, the more right they are likely to be. But security is part of systems of life, which include not only computers and phones but also systems of living, cultures, history, politics, and interpersonal relationships. Technical knowledge is important in those systems, but on its own it accomplishes very little, as the sorry state of computer security in the world demonstrates. Knowing how computers work doesn't give us an empirical knowledge of what people do with their devices, what their job is, what context they live in, what their adversaries want from them, or what their capabilities or resources are.
In this talk we will explain why listening is the most important part of practical security, and how to listen effectively and efficiently.
We will touch on practical examples from our own life experience, from helping journalists, activists, and lawyers, to students, sex workers, and survivors of partner abuse. We will explain why in the end, information security may have more in common with anthropology — investigation and analysis of practices in the real world — than it does with math and software.

We asked Raphaël and Quinn a few more questions about their talk.

Please tell us the top 5 facts about your talk.

  • More technology will not necessarily solve the problems caused by technology.
  • Information security is part of a wider culture and not an end in itself.
  • Investigating your users’ needs is important, and understanding their context is the whole game.
  • This means good security involves anthropology.
  • Diversity of approach and background (and especially the lack of it) is a limiting factor in the effectiveness of a security culture.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

Both of us have worked with activists and journalists in kinetic and dangerous situations, relying on terrible technology security and security practices. Security punditry was telling them what to do, but that advice was almost never relevant. Over the years we’ve watched people jailed and driven from their homes, unable to get help from a security community that doesn’t know how to listen.

On a wider scale, we keep hearing the same stories of data leaks, system compromise, and terrible operational security that weren’t sophisticated and didn’t have to happen, if we saw the human element as part of security and not a detriment to it.

Why do you think this is an important topic?

Humans are infinitely creative. Forcing people to use specific tools or techniques will never improve security. That’s why we need a responsive security community and digital literacy education instead of more access control barriers.

Is there something you want everybody to know – some good advice for our readers maybe?

Listen to your users. Earn their trust. Meet their needs. Nothing else will keep you safe.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

Fewer people running from one fire to the next, more communication between user and administrative communities, and spreading digital literacy.

 

Quinn Norton is a writer who likes to hang out in the dead-end alleys and rough neighborhoods of the Internet, where bad things can happen to defenseless little packets. They are also places where new freedoms and poetries are born, and run riot over the network. She started studying hackers in 1995, after a wasted youth of Usenet and BBSing. These days, Quinn is a journalist, published in Wired, The Atlantic, Maximum PC, and more. She covers science, technology, copyright law, robotics, body modification, and medicine, but no matter how many times she tries to leave, she always comes back to hackers.


Raphaël Vinot has been a security researcher at the Computer Incident Response Center Luxembourg (CIRCL) since 2012. Raphaël wants to increase the IT consciousness of the human beings populating the internet in order to make it safer for everyone. His day job is a mixture of forensic and malware analysis with a lot of Python on top of it to glue all the pieces together. He loves sharing and thinks everyone should contribute to open source projects.

DeepSec 2019 Talk: How To Create a Botnet of GSM Devices – Aleksandr Kolchanov

There are different types of GSM devices, from GSM alarms for homes and cars to industrial controllers, remote-controlled electric sockets and smartwatches for kids. They are often vulnerable, which makes GSM devices interesting targets for hackers and pranksters. But it is easier to hack such a device than to find it: usually you have to make a call or send an SMS with a command to the phone number of the device, so an attacker first needs to know or find that number.

During this talk, I will give a short overview of the types of devices and common vulnerabilities, then I will talk about different methods that can be used to find the phone number of a device. I will also show some funny ideas that allow hackers to create a small (or huge, who knows?) botnet of GSM alarms and smart home controllers.

 

Aleksandr Kolchanov is an independent security researcher and consultant and a former penetration tester at a bank in Russia. He takes part in different bug bounty programs (PayPal, Facebook, Yahoo, Coinbase, Protonmail, Yandex, Privatbank). Aleksandr is interested in uncommon security issues, telecom problems, privacy, and social engineering.

DeepSec 2019 Press Release: High-quality Randomness protects Companies

The ‘bugs’ of the ’90s are still alive, hidden in IoT devices, embedded systems and industrial controls. Modern information security cannot manage without mathematics; less in the form of statistics for operational data or risk analysis, and more in the form of cryptography, which is used constantly in everyday life and whose building blocks depend on high-quality random numbers to protect information from attacks. This year’s DeepSec Security Conference addresses key aspects of product implementation: data protection during transport and storage.

Protecting the Digital Transformation

Whether “intelligent” bulbs and luminaires, heating or building controls, TV sets, industrial plants or entire production lines, the digital transformation covers all areas of our lives and leads to changes.

On the one hand, digitization opens up opportunities such as the optimization of processes, the more efficient use of internal and external resources, the networking of value chains or digital maintenance.

At the same time, however, there are risks that should not be underestimated. Ensuring data security and authenticity as well as compliance with required security standards presents many companies with major challenges. Cryptography and the associated protection of cryptographic keys play a fundamental role: whoever holds the keys is in control.

At this year’s DeepSec Security Conference in Vienna, experts from sematicon AG will show the risks and dangers of current implementations. In addition, they will use practical examples to demonstrate that there are suitable and simple solutions and tools for all areas of this new technology that drastically increase security through the use of strong cryptography. Such implementations do not have to sacrifice usability or maintainability. As a side effect, properly implemented solutions even increase speed and save power, which is of great interest for decentralized, battery- or solar-powered systems.

Why you should leave IT Security to Chance

Since Edward Snowden’s reports on the pervasiveness of communications surveillance, the use of encryption on the Internet has greatly increased; hardly any well-known website still does without it. Encryption is also indispensable today for systems beyond the desktop, from intelligent sensors to large industrial plants. The keys behind this encryption must be generated randomly so that they cannot be guessed, and that requires high-quality random numbers. Software alone cannot produce randomness: a deterministic program only stretches whatever unpredictability it was seeded with, so the seed must come from physical effects such as electronic noise. If the random numbers can be guessed or reconstructed, the key is not far behind. Generating keys worth protecting therefore rests on a measure of the quality of that randomness, known as entropy. If you need many keys, or want to raise their quality, you look for dedicated hardware sources such as hardware security modules (HSMs).
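How quickly a key collapses when its randomness is guessable, as an added example that is not part of the press release or of sematicon’s material: the constructed scenario below is a device that derives a 128-bit key from a PRNG seeded with its installation timestamp, and an attacker who holds one known plaintext/ciphertext pair recovers the key by trying every seed in a one-hour window. The timestamp, the toy SHA-256 counter-mode cipher and the known first request are assumptions made for the demonstration; the contrast is with `secrets.token_bytes`, which draws from the operating system’s CSPRNG and leaves the attacker a 2^128 search space.

```python
"""Weak vs. strong key generation: recovering a PRNG-seeded key by brute force."""
import hashlib
import random
import secrets

KEY_LEN = 16  # 128-bit key

# Constructed for this example: the "installation time" (2019-11-28 00:00:00 UTC)
# that a naive firmware used as its PRNG seed.
INSTALL_TIME = 1574899200


def weak_key(seed: int) -> bytes:
    """Key from a deterministic PRNG (Mersenne Twister) seeded with a timestamp.

    The entropy of this key is the entropy of the seed, not 128 bits.
    """
    return random.Random(seed).getrandbits(KEY_LEN * 8).to_bytes(KEY_LEN, "big")


def strong_key() -> bytes:
    """Key from the OS CSPRNG, which is seeded from physical entropy sources."""
    return secrets.token_bytes(KEY_LEN)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). It exists only to give the
    attacker a known-plaintext check; it is not a recommendation for real use."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def recover_seeded_key(known_plain: bytes, captured_cipher: bytes,
                       window_start: int, window_end: int):
    """Attacker side: try every seed in a plausible time window and return the
    (seed, key) pair whose keystream reproduces the captured ciphertext."""
    for seed in range(window_start, window_end):
        candidate = weak_key(seed)
        if keystream_xor(candidate, known_plain) == captured_cipher:
            return seed, candidate
    return None


def candidate_counts(window_seconds: int) -> dict:
    """Size of the search space an attacker faces in each case."""
    return {"time_seeded": window_seconds, "csprng": 2 ** (KEY_LEN * 8)}


if __name__ == "__main__":
    # Victim device: its key was seeded with the install time.
    key = weak_key(INSTALL_TIME)
    known = b"GET /status HTTP/1.1\r\n"   # predictable first request (constructed)
    captured = keystream_xor(key, known)
    # Attacker only knows the device went live "around midnight": one hour of seeds.
    hit = recover_seeded_key(known, captured, INSTALL_TIME - 1800, INSTALL_TIME + 1800)
    print("recovered seed/key:", hit)
    print("search space:", candidate_counts(3600))
```

The brute force finishes in well under a second because 3600 candidate seeds is nothing; the same attack against a key from `strong_key()` would have to enumerate 2^128 candidates, which is the whole point of demanding real entropy at key generation time.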

At this year’s DeepSec Security Conference in Vienna, in cooperation with the Munich-based company sematicon AG, it will be shown that there are suitable solutions for all areas of technology, and that the fear of using them in one’s own company is unfounded.

Side Channel Attacks – or how to extract Crypto Keys from protected Hardware

During the DeepSec conference, sematicon AG will show, among other things, how easy it is to gain access to entire company networks using Microsoft® Windows on-board tools and an incorrectly configured PKI, and how to extract cryptographic keys from supposedly protected IoT or embedded devices in order to manipulate their firmware. In this way simple household devices such as light bulbs become a gateway for attackers. It will also be discussed briefly how secrets can be obtained from industrial equipment if security was not implemented properly from the beginning. These are by no means specially prepared systems, but classic implementations as they are found in industry. It is not about “live hacking”, but about the technical expertise of crypto experts who have worked in the industry for many years and have a wealth of experience. This demonstration is intended for anyone who needs to set up secure data transmission in their own infrastructure, at whatever level.

Cryptography made easily accessible

Although the subject touches on higher mathematics, the DeepSec conference and sematicon AG aim to convey the practical importance of the methods and technologies involved to a broad professional audience. The demonstrations and lectures are aimed not only at technicians but also at project managers, managers and product designers: all levels should be involved, as information security is an interdisciplinary undertaking. Fear of the subject is therefore unfounded. The lectures and events during the conference offer several ways to get started and to continue training through exchange with experts. Take advantage of this opportunity.

Schedule and Booking

The DeepSec 2019 conference takes place on 28 and 29 November. The two-day DeepSec trainings will take place on the two preceding days, 26th and 27th November.

The venue for the DeepSec event is The Imperial Riding School Vienna – A Renaissance Hotel, Ungargasse 60, 1030 Vienna.

Tickets for the DeepSec conference itself and the trainings can be ordered at any time at https://deepsec.net/register.html.

DeepSec 2019 Talk: Abusing Google Play Billing for Fun and Unlimited Credits! – Guillaume Lopes

In 2017, the estimated global in-app purchase revenue was projected to exceed $37 billion. In the Google Play Store alone, for 2018, more than 200,000 apps are offering in-app purchases. However, the Google Play Billing API is vulnerable by design and allows an attacker to bypass the payment process. I analyzed several Android games and found that it’s possible to bypass the payment process. This presentation will show real vulnerable applications (Fruit Ninja, Doodle Jump, etc.).

We asked Guillaume a few more questions about his talk.

Please tell us the top 5 facts about your talk.

  • The vulnerability presented is really easy to exploit
  • Client side issues are not dead in 2019!
  • It seems nobody cares about losing money in the game industry…
  • Very few vendors fixed their implementation
  • Real vulnerable applications will be presented during the talk 🙂

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

At BSides Lisbon, in 2017, I was following a talk by Jérémy Matos about abusing an Android In-app Billing feature thanks to a misunderstood integration. In his talk, he presented an Android app (PandaPop, if I remember correctly) having a misconfiguration in its Play Billing implementation. It was possible to bypass the payment by using specific test keywords, normally reserved for developing the application. From this point on I started digging into how the Google Play Billing API works and found that in fact many Android apps implement Google Play Billing in an insecure way.

Why do you think this is an important topic?

First, because payment transactions are important. If an attacker can easily bypass payments in order to obtain the product, it is basically game over for your app. Then, it shows that access control performed on the client side cannot be trusted and should be avoided.

Is there something you want everybody to know – some good advice for our readers maybe?

Don’t trust the client! If your security relies on control implemented on the client side, it’s going to be breached at some point.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

I hope Google is going to review the Google Play Billing API in order to prevent people implementing security protections locally.

 

Guillaume Lopes is a pentester with 10 years of experience in different fields (Active Directory, Windows, Linux, Web applications, Wifi, Android). Currently he’s working as a Senior Penetration Tester at RandoriSec and also as a member of the Checkmarx Application Security Research Team. He also likes to play CTF (Hackthebox, Insomni’hack, Nuit du Hack, BSides Lisbon, etc.) and gives a hand to the Tipi’hack team.
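The contrast the interview draws between a client-side check and “don’t trust the client”, as an added example that is not code from the talk or from Google: the first function reproduces the pattern described above (the app parses the purchase JSON it was handed, ignores the signature and still honours the static test SKU), the second is the backend verification a payment should go through. The package name, the coin catalogue, the order id and the receipt shape are assumptions; Google Play really signs the purchase JSON with RSA (SHA1withRSA) under a key whose public half the app embeds, and HMAC-SHA256 under a constructed secret stands in for that here so the example runs with the standard library alone. The checks (signature over the exact bytes, package, purchase state, known SKU, unused order id) are the same whichever primitive is used.

```python
"""Client-side vs. server-side purchase verification (added example)."""
import base64
import hashlib
import hmac
import json

# Assumptions for this example: the app, its catalogue and the signing secret
# that stands in for Google's private signing key.
APP_PACKAGE = "com.example.game"
CATALOG = {"coins_1000": 1000, "coins_5000": 5000}
PLAY_SIGNING_SECRET = b"constructed-secret-standing-in-for-the-store-signing-key"


def play_sign(purchase_json: str) -> str:
    """Stand-in for the store producing INAPP_DATA_SIGNATURE over the purchase JSON."""
    mac = hmac.new(PLAY_SIGNING_SECRET, purchase_json.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def vulnerable_client_grant(purchase_json: str, signature: str) -> int:
    """The pattern the talk describes: the app decides on the device.

    It trusts whatever JSON it was handed, never looks at the signature, and
    keeps the static test SKU alive in production. Anyone who can hook the
    billing callback or patch the app decides how many coins they get.
    """
    p = json.loads(purchase_json)
    if p.get("productId") == "android.test.purchased":
        return max(CATALOG.values())           # development shortcut left in
    if p.get("purchaseState") == 0:
        return CATALOG.get(p.get("productId"), 0)
    return 0


class ServerVerifier:
    """Hardened pattern: the backend verifies the receipt and keeps the ledger."""

    def __init__(self):
        self.seen_orders = set()

    def verify_and_grant(self, purchase_json: str, signature: str) -> int:
        """Return the credits to grant, or raise ValueError with the reason."""
        expected = play_sign(purchase_json)
        if not signature or not hmac.compare_digest(expected, signature):
            raise ValueError("signature does not match purchase data")
        p = json.loads(purchase_json)
        if p.get("packageName") != APP_PACKAGE:
            raise ValueError("receipt issued for a different app")
        if p.get("purchaseState") != 0:         # 0 = purchased, 1 = cancelled, 2 = pending
            raise ValueError("purchase not completed")
        product = p.get("productId")
        if product not in CATALOG:              # rejects android.test.* and unknown SKUs
            raise ValueError(f"unknown product {product!r}")
        order = p.get("orderId")
        if not order or order in self.seen_orders:
            raise ValueError("missing or replayed orderId")
        self.seen_orders.add(order)
        return CATALOG[product]


def rejection_reason(server: ServerVerifier, purchase_json: str, signature: str):
    """Why the backend refused a receipt, or None if it granted the purchase."""
    try:
        server.verify_and_grant(purchase_json, signature)
        return None
    except ValueError as exc:
        return str(exc)


def make_receipt(product: str, order: str = "GPA.1234-5678-9012-34567", state: int = 0) -> str:
    """Constructed purchase JSON in the shape the billing library hands back (trimmed)."""
    return json.dumps({"orderId": order, "packageName": APP_PACKAGE, "productId": product,
                       "purchaseState": state, "purchaseToken": "constructed-token"},
                      sort_keys=True)


if __name__ == "__main__":
    server = ServerVerifier()
    legit = make_receipt("coins_1000")
    sig = play_sign(legit)
    forged = legit.replace("coins_1000", "coins_5000")       # edited on the device, not re-signed
    test_sku = make_receipt("android.test.purchased", order="")  # static response, no signature
    print("client grants:", vulnerable_client_grant(legit, sig),
          vulnerable_client_grant(forged, sig), vulnerable_client_grant(test_sku, ""))
    print("server grants:", server.verify_and_grant(legit, sig))
    for receipt, s in ((forged, sig), (test_sku, ""), (legit, sig)):
        print("server rejects:", rejection_reason(server, receipt, s))
```

The forged receipt and the test SKU both succeed against the client-side check and both fail against the backend; the third rejection shows the replay guard, which matters because a genuine signed receipt that is accepted twice is just as much free money as a forged one.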

ROOTS 2019 Talk: Shallow Security: on the Creation of Adversarial Variants to Evade ML-Based Malware Detectors – Fabricio Ceschin

The use of Machine Learning (ML) techniques for malware detection has been a trend in the last two decades. More recently, researchers started to investigate adversarial approaches to bypass these ML-based malware detectors. Adversarial attacks became so popular that a large Internet company (ENDGAME Inc.) launched a public challenge to encourage researchers to bypass their (three) ML-based static malware detectors. Our research group teamed up to participate in this challenge in August 2019 and accomplished the bypass of all 150 tests proposed by the company. To do so, we implemented an automatic exploitation method which moves the original malware binary’s sections to resources and adds new chunks of data to it, creating adversarial samples that not only bypassed their ML detectors but also real AV engines (with a lower detection rate than the original samples). In this talk, we detail our methodological approach to overcoming the challenge and report our findings. With these results, we expect to contribute to the community and provide a better understanding of the weaknesses of ML-based detectors. We also pinpoint future research directions toward the development of malware detectors that are more robust against adversarial machine learning.

Fabrício Ceschin holds a master’s degree in informatics from the Federal University of Paraná, Brazil (UFPR), where he is currently a Ph.D. student. He is interested in machine learning and deep learning applied to security, and is supported by the Google LARA (Latin America Research Awards) 2017 program.
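Why appending data to a binary can move it across a static detector’s decision boundary, as an added example that is not the challenge code or the research group’s tooling: a nearest-centroid classifier over the 256-bin byte histogram (one of the simplest features such detectors use) is trained on constructed “clean” and “packed” byte streams, and an append-only variant of a packed sample is grown until the verdict flips while every original byte stays in place. The byte generators, the classifier and the step size are assumptions made for the demonstration; real models combine many more features, which is why the talk’s method also relocates sections rather than only appending, but the mechanism shown here is the same.

```python
"""Append-only adversarial variant against a byte-histogram classifier (added example)."""
import math
import random

RNG = random.Random(2019)   # fixed seed: every "binary" below is constructed


def byte_histogram(data: bytes) -> list:
    """256-bin normalised byte histogram, a feature common to static ML detectors."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = max(len(data), 1)
    return [c / n for c in counts]


def distance(u: list, v: list) -> float:
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(u, v)))


def mean(vectors: list) -> list:
    return [sum(col) / len(vectors) for col in zip(*vectors)]


class NearestCentroidDetector:
    """Stand-in for an ML static detector: nearest class centroid in feature space."""

    def fit(self, benign: list, malicious: list):
        self.centroids = {
            "benign": mean([byte_histogram(s) for s in benign]),
            "malicious": mean([byte_histogram(s) for s in malicious]),
        }
        return self

    def predict(self, data: bytes) -> str:
        h = byte_histogram(data)
        return min(self.centroids, key=lambda label: distance(h, self.centroids[label]))


def benign_like(n: int) -> bytes:
    """Constructed 'clean' content: strings, import names and zero padding."""
    alphabet = b"the quick brown fox jumps over the lazy dog KERNEL32.dll GetProcAddress\x00\x00\x00\x00"
    return bytes(RNG.choice(alphabet) for _ in range(n))


def packed_like(n: int) -> bytes:
    """Constructed 'packed' content: near-uniform bytes, as in an encrypted section."""
    return bytes(RNG.getrandbits(8) for _ in range(n))


def append_until_evaded(detector, sample: bytes, filler, step: int = 256, limit: int = 1 << 16):
    """Grow a variant that keeps every original byte (data appended after the last
    section is ignored by the loader, so the program behaves as before) until the
    detector's verdict flips. Returns (variant, bytes_appended) or None."""
    variant = sample
    while len(variant) - len(sample) <= limit:
        if detector.predict(variant) == "benign":
            return variant, len(variant) - len(sample)
        variant += filler(step)
    return None


if __name__ == "__main__":
    detector = NearestCentroidDetector().fit(
        benign=[benign_like(4096) for _ in range(5)],
        malicious=[packed_like(4096) for _ in range(5)],
    )
    original = packed_like(2048)
    print("original verdict:", detector.predict(original))
    result = append_until_evaded(detector, original, benign_like)
    if result:
        variant, added = result
        print(f"evaded after appending {added} bytes; prefix intact: {variant.startswith(original)}")
```

With a histogram feature the flip is arithmetic: once the appended clean-looking bytes outnumber the original ones, the mixed histogram sits closer to the benign centroid than to the malicious one. Hash-based signatures would still match the untouched prefix, which is the difference between this evasion and an actual change to the malware’s code.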

 

ROOTS 2019 Talk: RevEngE is a dish served cold: Debug-Oriented Malware Decompilation and Reassembly – Marcus Botacin

Malware analysis is a key process for knowledge gain on infections and cyber security overall improvement. Analysis tools have been evolving from complete static analyzers to partial code decompilers. Malware decompilation allows for code inspection at higher abstraction levels, facilitating incident response procedures. However, the decompilation procedure has many challenges, such as opaque constructions, irreversible mappings, semantic gap bridging, among others.

In this talk, we propose a new approach that leverages the human analyst expertise to overcome decompilation challenges.

We name this approach “DoD—debug-oriented decompilation”, in which the analyst is able to reverse engineer the malware sample on their own and to instruct the decompiler to translate selected code portions (e.g., decision branches, fingerprinting functions, payloads etc.) into high-level code. With DoD, the analyst might group all decompiled pieces into new code to be analyzed by other tools, or develop a novel malware sample from previous pieces of code and thus exercise a Proof-of-Concept (PoC). To validate our approach, we propose RevEngE, the Reverse Engineering Engine for malware decompilation and reassembly, a set of GDB extensions that intercept and introspect into executed functions to build an Intermediate Representation (IR) in real time, enabling any-time decompilation. We evaluate RevEngE with x86 ELF binaries collected from VirusShare, and show that a new malware sample created from the decompilation of independent functions of five known malware samples is considered “clean” by all of VirusTotal’s AVs.

Marcus is a Computer Engineer (UNICAMP, Brazil), Master in Computer Science (UNICAMP, Brazil) and CS PhD Student (UFPR,Brazil). His research interests are reverse engineering, malware analysis and systems security.

 

DeepSec2019 Training: Incident Response Detection and Investigation with Open Source Tools – Thomas Fischer & Craig Jones

Defences focus on what you know! But what happens when the attackers gain access to your network by exploiting endpoints, software or even your people? Under the assumption that you have been breached, how do you work backwards to gain knowledge of what happened? How can you find those adversaries in your infrastructure? IR detection and response relies on a structured process of identifying observables and collecting evidence. One aspect of this is the practice of proactively seeking out evil in your infrastructure, finding needles in haystacks that link to other needles and unveiling how an organization was compromised, and possibly even answering the “why?”. This is commonly referred to as Threat Hunting. In this hands-on training participants will learn about the basic building blocks for an IR detection and investigation programme. The training will introduce the basics so that a participant will be able to take this knowledge and build up a programme in their own organisation. Using tools like ELK or HELK, GRR, Sysmon, and osquery, we will explore how to deploy and use these tools as basic free options to build the foundations of a threat hunting programme. The labs will look at how MITRE ATT&CK and things like Sigma rules are used to help identify indicators of attack. With interactive labs on a simulated corporate infrastructure of both Windows and Linux clients, we’ll explore the capabilities provided by these tools to hunt for common techniques used by malware and threat actors. Participants will walk away with a basic understanding of threat hunting and the tools needed to develop a hunting practice in their own organisation through the following agenda:

  • Intro to threat hunting

  • Threat hunting and the IR process

  • Understanding the requirements

  • Backend Tools

  • Detection/Reporting tools like Mitre ATT&CK and Sigma

  • Endpoint tools: osquery and sysmon

  • Hands on exercise will be spread across the 2 days

Participant Requirements

  • Working knowledge of Windows (no OSQuery experience required);

  • Working knowledge of the Linux shell (no OSQuery experience required);

  • Basic SQL;

  • Laptop with a SSH client

We asked Thomas and Craig a few more questions about their training.

Please tell us the top 5 facts about your training.

The training will provide the participant a forum to learn:

  • Some basic foundations of incident response versus threat hunting setting the picture for the days activities
  • Basics of what is key to building an incident response and threat hunting programme
  • Understanding of the importance of TTPs, IOCs and frameworks like ATT&CK
  • The open source tools that are available for gathering data to start the hunting process
  • Deep dive into tools including osquery to gather and find threats

How did you come up with it? Was there something like an initial spark that set your mind on creating this training?

The original thought process started with both Thomas’ and Craig’s personal desire to learn about opensource tools that were becoming more common in the incident response field and to get more hands on experience. Both Thomas and Craig work in the field of incident response and regularly have to see what tools are available to improve workflows. The focus was on tools being promoted by organisations like SANS as well as tools developed by large companies like OSQuery.

Why do you think this is an important topic?

There is an increasing presence of sophisticated attacks in the wild from either criminal organisations or state actors. More and more attacks are hitting organisations and they need to be able to deal with this. Multiple reports have highlighted that over 60% of victims may not detect intrusion from 90 days to months and attackers can remain undetected for as many as 99 days if not more. So organisations need to find the right tools that fit their environment to be able to deal with intrusions and reduce the time to detect and how long organisations dwell in the infrastructure.

Is there something you want everybody to know – some good advice for our readers maybe?

There are many tools out there including some very expensive commercial ones. Press and marketing reference EDR as the way forward, this training takes a slightly different approach and looks at opensource tools or simple solutions that can help you improve your incident response posture.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise the topic of your training in particular?

As attacks get more frequent and more complex, we are going to see a drive towards more and more automation. If you can leverage automated response for the known-knowns, you will be able to drive faster containment, at the same time allowing your SOC analysts, responders and threat hunters to concentrate on the more dangerous and advanced attacks. An important part of that strategy will be the endpoint, whether the user’s computer, a server in your data centre or a cloud solution.

Having a clear picture of the organisation’s assets is going to be a big priority. Solutions that allow you to discover all of the organisation’s assets including those that are not managed will become an important part of the ability for InfoSec teams to respond.

Thomas has over 30 years of experience in the IT industry, ranging from software development to infrastructure and network operations and architecture, before settling in information security. He has an extensive security background covering roles from incident responder to security architect at Fortune 500 companies, vendors and consulting organisations. He is currently a security advocate and threat researcher focused on advising companies on understanding their data protection activities against malicious parties, covering not just external threats but also compliance-driven requirements.

Thomas is also an active participant in the InfoSec community not only as a member but also as director of Security BSides London, ISSA UK chapter board member and speaker at events like SANS DFIR EMEA, DeepSec, Shmoocon, and various BSides events.

 

Craig Jones is Senior Manager of Security Engineering at Sophos, responsible for detection engineering, IR and security infrastructure. @albanwr

DeepSec 2019 Talk: Demystifying Hardware Security Modules – How to Protect Keys in Hardware – Michael Walser

[Editorial note: Cryptography is one of our favourite topics. This is why we invited experts from sematicon AG to show some of their skills and help you navigate through the jungle of false promises by vendors, magic bullets, and misuse of the word “crypto”.]

A secure crypto-algorithm is based on the fact that only the key needs to be kept secret, not the algorithm itself. The key is of high value and must be protected. In this talk we will have a look at how to protect keys and why dedicated hardware is needed to make sure the key is kept secret and always under the control of the owner. Different use cases require different HSMs (Hardware Security Modules). We will have a look at data centres and cloud HSMs as well as at desktops and embedded solutions like industrial equipment or IoT devices.

Afterwards you can visit us at our booth to see market leading HSMs in action and you will have the possibility to discuss features and functions with long-term crypto experts.

We asked Michael a few more questions about his talk.

Please tell us the top 5 facts about your talk.

  • Isolate keys and secrets from users
  • always isolate keys from applications and firmware
  • operate with keys only in isolated environments
  • take care about standards
  • encryption is not a universal problem-solver

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

After more than a decade in the IT security business with a strong focus on cryptography, it is still an unpleasant truth that most people do not care about crypto keys at all. Everybody knows that encryption is important, but it is curious that the job seems to be done once the data is encrypted. Crypto keys are most of the time stored in software, as a key file that can easily be copied and lost. These keys are copied every day in backups and are distributed all over the infrastructure.
The reason is simple: they must be available to access the encrypted data for work.

Why do you think this is an important topic?

The biggest breaches in the last years did not happen because something was “hacked”. The reality is that something was “lost”, most probably the key to the data. It is as if you have the best alarm system and somebody just steals the key to open the front door. It is important that people start thinking about the fact that the key represents the value of the data and that there is a need for strong protection.

Is there something you want everybody to know – some good advice for our readers maybe?

There are solutions to answer the question of how to protect keys and keep them available. It does not matter where: cloud, IT, IoT or industrial systems. There are many types of hardware security modules to use. It just depends on the use case you have. It is not rocket science but a question of having the right tools available.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

Crypto is very complex when it comes to practical use cases. This is the reason why so many easy-to-use tools (including HSMs) exist for the IT industry. But what about industrial systems and IoT solutions? We do our best to provide the same toolset for embedded and industrial systems as well. I really hope that making things easier will bring more people and engineers on track with strong authentication and cryptography.

Michael Walser is a member of the executive board and CTO of the Munich-based security company sematicon AG. In this function, he is responsible for the company’s technical business strategy and advises customers on how to securely implement the digital transformation in industry and IT.
After graduating in electrical engineering, he worked for many years as a consultant and advisor on successful IT security and digital payment projects, always focusing on cryptography. He supported many customers worldwide and was also responsible for the projects’ implementation.

sematicon AG is a Munich-based company specialised in IT security and cryptography. We support our customers in mastering digital transformation successfully and securely in their operations. With a focus on IT, industry and electrical engineering, we offer highly specialised security solutions, which have been developed on the basis of industrial and IoT requirements. For example, our solution for secure and isolated remote access to industrial plants and systems has been declared to be innovative by our customers. Furthermore, we support and advise you in the planning and implementation processes of your security concepts. In our in-house training centre – the sematicon academy – we aim at qualifying employees in all relevant IT security areas. Thus, we offer comprehensive security services for the industrial and electronics sectors from a single source.

 

ROOTS 2019 Talk: Automatic Modulation Parameter Detection In Practice – Johannes Pohl

Internet of Things (IoT) devices have to be small and energy efficient so that resources for security mechanisms tend to be limited. Due to the lack of open source or license free standards, device manufacturers often use proprietary protocols. Software Defined Radios (SDR) provide a generic way to investigate wireless protocols because they operate on nearly arbitrary frequencies, but they output sine waves that have to be demodulated. This demodulation process slows down security investigations because it forces researchers to start on the physical layer while the real reverse-engineering is performed on the logical layer.

We contribute an auto-detection system that estimates all demodulation parameters of a wireless signal and, additionally, explicitly returns all these parameters so that they can be fine-tuned afterwards. This allows security researchers to skip the physical layer and work with bits and bytes instead of sine waves. The contributed system is evaluated with both simulated signals and ten real-world signals captured from various IoT devices with SDRs. Furthermore, we show how parameters can be estimated during recording time and evaluate this technique by attacking an AES-secured wireless door lock. Our solution is available as part of the open source software Universal Radio Hacker and follows the ergonomic philosophy of the main application.
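What “estimating the demodulation parameters and returning them for fine-tuning” involves in the simplest case, as an added example that is not the Universal Radio Hacker implementation: an on-off-keyed (OOK) burst is synthesised as the kind of envelope an SDR capture yields after taking the magnitude of the I/Q samples, then the noise threshold is estimated by separating the samples into two clusters, the symbol length is estimated from the run lengths of the thresholded signal, and the bits are read back. The packet, the 37-samples-per-symbol rate, the noise level and the surrounding silence are constructed assumptions; the estimators are the obvious ones and deliberately hand back the parameters they chose rather than only the bits.

```python
"""Estimating OOK demodulation parameters from an envelope capture (added example)."""
import random

RNG = random.Random(7)   # fixed seed so the constructed capture is reproducible


def synth_ook(bits, samples_per_symbol, noise=0.05, lead=100, tail=150):
    """Constructed capture: magnitude of an OOK burst (what |I+jQ| of an SDR
    recording looks like), with Gaussian noise and silence before and after."""
    env = [0.0] * lead
    for b in bits:
        env += [1.0 if b else 0.0] * samples_per_symbol
    env += [0.0] * tail
    return [abs(v + RNG.gauss(0.0, noise)) for v in env]


def estimate_threshold(samples, iterations=10):
    """Noise threshold via two-cluster 1-D k-means: 'carrier on' vs noise floor."""
    lo, hi = min(samples), max(samples)
    for _ in range(iterations):
        mid = (lo + hi) / 2
        low = [s for s in samples if s < mid]
        high = [s for s in samples if s >= mid]
        if not low or not high:
            break
        lo, hi = sum(low) / len(low), sum(high) / len(high)
    return (lo + hi) / 2


def run_lengths(levels):
    """[[level, length], ...] for consecutive equal samples."""
    runs = []
    for v in levels:
        if runs and runs[-1][0] == v:
            runs[-1][1] += 1
        else:
            runs.append([v, 1])
    return runs


def estimate_symbol_length(runs):
    """Samples per symbol: the shortest run is the first guess (assumed to be a
    lone symbol, which a preamble guarantees), then every run votes with its
    length divided by the number of symbols it must contain, averaging out
    jitter on the edges."""
    lengths = [n for _, n in runs]
    guess = min(lengths)
    votes = [n / max(1, round(n / guess)) for n in lengths]
    return sum(votes) / len(votes)


def demodulate(samples):
    """Return the estimated parameters together with the recovered bits, so the
    parameters can be inspected or overridden if the bits look wrong."""
    threshold = estimate_threshold(samples)
    levels = [1 if s >= threshold else 0 for s in samples]
    runs = run_lengths(levels)
    # Silence before/after the burst is a long 'off' run; drop it. A burst whose
    # first or last symbol is 0 would merge with it, one reason real protocols
    # start with a preamble of alternating bits.
    if runs and runs[0][0] == 0:
        runs = runs[1:]
    if runs and runs[-1][0] == 0:
        runs = runs[:-1]
    spl = estimate_symbol_length(runs)
    bits = []
    for level, n in runs:
        bits += [level] * max(1, round(n / spl))
    return {"threshold": threshold, "samples_per_symbol": spl, "bits": bits}


if __name__ == "__main__":
    packet = [1, 0] * 4 + [1, 1, 0, 0, 1, 0, 0, 0, 1, 1, 1, 0, 1]   # preamble + payload
    capture = synth_ook(packet, samples_per_symbol=37)
    result = demodulate(capture)
    print(result["threshold"], result["samples_per_symbol"], result["bits"] == packet)
```

Returning the threshold and the symbol length alongside the bits is the part that matters for the workflow described above: when a real capture decodes to garbage, the researcher adjusts one number instead of starting over at the physical layer. Modulations with more than two levels (ASK with several amplitudes, FSK after frequency discrimination) need more clusters in the threshold step, but the run-length estimate of the symbol length carries over.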

 

Johannes Pohl studied Computer Science at the University of Applied Sciences Stralsund and received his Master of Science in 2013. Since then he has been a PhD student there, conducting research in the area of location privacy and wireless security. He worked for two years in DevOps research at Boreus Data Center, Germany. Since March 2017 he has been working as a scientific co-worker at the University of Applied Sciences Stralsund.

ROOTS 2019 Talk: Harzer Roller: Linker-Based Instrumentation for Enhanced Embedded Security Testing – Katharina Bogad

Due to the rise of the Internet of Things, there are many new chips and platforms available for hobbyists and industry alike to build smart devices. The software development kits (SDKs) for these new platforms usually include closed-source binaries comprising wireless protocol implementations, cryptographic implementations, or other library functions, which are shared among all user code across the platform. Leveraging such a library vulnerability has a high impact on a given platform. However, as these platforms are often shipped ready-to-use, classic debug infrastructure like JTAG is often not available.

In this paper, we present a method, called Harzer Roller, to enhance embedded firmware security testing on resource-constrained devices. With the Harzer Roller, we hook instrumentation code into function call and return. The hooking not only applies to the user application code but to the SDK used to build firmware as well. While we keep the design of the Harzer Roller’s general architecture independent, we provide an implementation for the ESP8266 Wi-Fi IoT chip based on the xtensa architecture.

We show that the Harzer Roller can be leveraged to trace execution flow through libraries without available source code and to detect stack-based buffer overflows. Additionally, we showcase how the overflow detection can be used to dump debugging information for later analysis. This enables better usage of a variety of software security testing methods like fuzzing of wireless protocol implementations or proof-of-concept attack development.

 

There’s nothing much to say about myself, I’ve spent my school years hacking and reverse engineering Pokemon games instead of paying attention in geography, later found out that people actually have hacking competitions where one can capture flags and started participating. Currently I’m pursuing my master’s degree in computer science at TUM and doing what some people apparently call “research” 😉 as a research assistant at Fraunhofer AISEC.

DeepSec 2019 Talk: 30 CVEs in 30 Days – Eran Shimony

In recent years, fuzzing has come to be considered the most effective way to discover new vulnerabilities. We will present a complementary approach to fuzzing. Using this method, which is quite easy, we managed to get over 30 CVEs across multiple major vendors in only one month.

Some things never die. In this session, we’ll show that a huge amount of software is still vulnerable to DLL hijacking and symlink abuse, which may allow attackers to escalate their privileges or to DoS a machine. We will show how we generalized these two techniques within an automated testing system called Ichanea, with the aim of finding new vulnerabilities.

Our mindset was – choose software that is prone to be vulnerable: Installers, update programs, and services. These types of software are often privileged. Therefore, they are good candidates for exploitation using symlink or DLL Hijacking attacks. We’re only scratching the surface and we are positive that there are additional attack vectors that could be widely implemented to achieve similar results.
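The symlink half of this can be shown in a few lines. The following is an added example, not code from the talk or from Ichanea, using POSIX open(2) semantics on a temporary directory to illustrate the class of bug: a privileged service writing into a directory that low-privileged users can also write to. The file names, the "protected" file and the planted link are constructed for the demonstration. The hardened version opens with O_EXCL | O_NOFOLLOW and then checks the descriptor it actually got instead of trusting the path.

```python
"""Added example (not from the talk or Ichanea): a privileged file write that follows
symbolic links, beside a hardened version that refuses them. POSIX semantics are used
to illustrate the same class of bug the talk describes on Windows."""
import os
import stat
import tempfile


def unsafe_write_report(path, data):
    """Vulnerable pattern: open() follows whatever `path` currently points to."""
    with open(path, "w") as fh:
        fh.write(data)


def safe_write_report(path, data):
    """Hardened: create exclusively, never follow a link, then verify the object opened."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)        # fails if anything already sits at `path`
    try:
        st = os.fstat(fd)                   # inspect the descriptor, not the path (no TOCTOU)
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid():
            raise PermissionError(f"{path}: not a regular file owned by this process")
        os.write(fd, data.encode())
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: a shared spool directory and a pre-planted link."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        protected = os.path.join(root, "protected.cfg")     # file only the service should touch
        spool = os.path.join(root, "spool")                 # directory any user may write to
        os.mkdir(spool)
        report = os.path.join(spool, "report.log")
        with open(protected, "w") as fh:
            fh.write("original configuration\n")
        os.symlink(protected, report)                       # planted by a low-privileged user

        unsafe_write_report(report, "content chosen by the link's owner\n")
        with open(protected) as fh:
            results["unsafe_overwrote_protected"] = fh.read() != "original configuration\n"

        with open(protected, "w") as fh:
            fh.write("original configuration\n")            # reset for the hardened run
        try:
            safe_write_report(report, "report\n")
            results["safe_refused_link"] = False
        except FileExistsError:                             # O_EXCL rejects the existing link
            results["safe_refused_link"] = True
        with open(protected) as fh:
            results["safe_left_protected_intact"] = fh.read() == "original configuration\n"

        fresh = os.path.join(spool, "fresh.log")
        safe_write_report(fresh, "report\n")                # normal case still works
        with open(fresh) as fh:
            results["safe_wrote_fresh_file"] = fh.read() == "report\n"
    return results


if __name__ == "__main__":
    print(demo())
```

The principle is the same one the talk's advice points at: a privileged component must not let a path under someone else's control decide which object it operates on. On Windows the corresponding hardening is to perform the operation while impersonating the low-privileged caller and to refuse reparse points, or simply to avoid privileged writes into user-writable directories altogether.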

We asked Eran a few more questions about his talk.

Please tell us the top 5 facts about your talk.

  • It is an innovative look into vulnerability searching.
  • Almost anyone with some Windows internals knowledge can do it.
  • Exploit code is straightforward to develop.
  • A lot more than 30 vulnerabilities were discovered, more like 60.
  • There is a blog series in https://www.cyberark.com/threat-research-blog/ that showcases the research.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

Logical bugs were always an interest of mine. So after discovering several vulnerabilities in products with a similar nature, I tried to generalize the issue by creating an automated system.

Why do you think this is an important topic?

Having privilege escalation vulnerabilities often means an attacker can abuse the domain environment or personal computer as much as he wants, since security products are very permissive regarding privileged users.

All the vulnerabilities that were discovered in the research are about escalating your privileges on the Windows platform using security holes in drivers, services, and installers.

Is there something you want everybody to know – some good advice for our readers maybe?

Think before doing every privileged file operation on Windows. There might be a chance it would allow an attacker to escalate her/his privileges. Sometimes getting CVEs and bounty rewards is not that difficult 🙂

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

I believe many vulnerabilities similar in nature will pop up soon, hoping it will cause vendors to improve their security standards.

Eran Shimony is a security researcher at CyberArk.
Eran has an extensive background in security research that includes years of experience in malware analysis and vulnerability research on multiple platforms. With a growing interest in logical vulnerabilities, he has made many disclosures across multiple vendors.

DeepSec 2019 Talk: S.C.A.R.E. – Static Code Analysis Recognition Evasion – Andreas Wiegenstein

Andreas Wiegenstein has expert advice on software security:

Companies increasingly rely on static code analysis tools in order to scan their custom code for security risks. But can they really rely on the results?

The typical SCA tool is designed to detect security issues in code that were introduced by accident or lack of skill. But how reliable are these tools if someone intentionally places bugs in code that are not meant to be found?

This talk explores several nasty concepts for how malicious code could be camouflaged in order to avoid detection by SCA algorithms.

On a technical level, the following concepts are covered:

  • covert data flow
  • deep call stacks
  • circular calls
  • source mining
  • counter-encoding
  • data laundering

Based on this, I will provide some code snippets as proof of concept for the audience to test at home.

This talk focuses on general weaknesses of SCA tools. I am not going to point the finger at specific vendors.
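To understand why concepts like deep call stacks and circular calls trouble scanners, it helps to see how a taint-tracking scanner reaches its verdict. The following toy scanner over Python ASTs is an added example, not the speaker's code or any vendor's engine; the source and sink lists, the call-depth budget and the two sample programs are constructed for the illustration. With its default budget it flags the direct data flow but not the identical flow routed through four call layers, which is the compromise between analysis depth and run time that the talk refers to.

```python
"""Added illustration (not the speaker's code): a toy taint-tracking scanner over Python
ASTs, with the call-depth budget that SCA engines trade off against run time."""
import ast

SOURCE_CALLS = {"input"}                # where untrusted data enters (constructed list)
SINK_CALLS = {"os.system", "eval"}      # where it must not arrive unchecked (constructed list)


def call_name(call):
    """'f' for f(...), 'mod.f' for mod.f(...), None for anything more complex."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None


class TaintScanner:
    def __init__(self, source, max_call_depth=2):
        tree = ast.parse(source)
        self.functions = {n.name: n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)}
        self.max_call_depth = max_call_depth
        self.findings = set()           # (line, sink) pairs
        self.scan_body(tree.body, set(), depth=0)

    def tainted(self, expr, names, depth):
        """True if evaluating `expr` can yield attacker-controlled data; records sink hits."""
        if isinstance(expr, ast.Name):
            return expr.id in names
        if isinstance(expr, ast.BinOp):
            return self.tainted(expr.left, names, depth) or self.tainted(expr.right, names, depth)
        if isinstance(expr, ast.JoinedStr):
            return any(self.tainted(v.value, names, depth)
                       for v in expr.values if isinstance(v, ast.FormattedValue))
        if isinstance(expr, ast.Call):
            name = call_name(expr)
            arg_taint = [self.tainted(a, names, depth) for a in expr.args]
            if name in SOURCE_CALLS:
                return True
            if name in SINK_CALLS:
                if any(arg_taint):
                    self.findings.add((expr.lineno, name))
                return False
            if name in self.functions:
                if depth >= self.max_call_depth:
                    return False        # budget exhausted: callee assumed harmless (the compromise)
                func = self.functions[name]
                bound = {p.arg for p, t in zip(func.args.args, arg_taint) if t}
                return self.scan_body(func.body, bound, depth + 1)
            return any(arg_taint)       # unknown callee: assume taint passes straight through
        return False                    # literals and anything not modelled

    def scan_body(self, stmts, names, depth):
        """Walk a statement list; return True if it can return tainted data."""
        names = set(names)
        returns_tainted = False
        for stmt in stmts:
            if isinstance(stmt, ast.Assign):
                is_tainted = self.tainted(stmt.value, names, depth)
                for target in stmt.targets:
                    if isinstance(target, ast.Name):
                        (names.add if is_tainted else names.discard)(target.id)
            elif isinstance(stmt, ast.Expr):
                self.tainted(stmt.value, names, depth)
            elif isinstance(stmt, ast.Return) and stmt.value is not None:
                returns_tainted = returns_tainted or self.tainted(stmt.value, names, depth)
        return returns_tainted


def scan(source, max_call_depth=2):
    """Sorted (line, sink) findings for `source`."""
    return sorted(TaintScanner(source, max_call_depth).findings)


# Constructed samples: the same command injection, direct and behind four call layers.
DIRECT = """
import os
host = input("host: ")
os.system("ping " + host)
"""

DEEP_CALL_STACK = """
import os
def run(cmd): os.system("ping " + cmd)
def layer3(cmd): run(cmd)
def layer2(cmd): layer3(cmd)
def layer1(cmd): layer2(cmd)
layer1(input("host: "))
"""

if __name__ == "__main__":
    print("direct:", scan(DIRECT))
    print("deep, default budget:", scan(DEEP_CALL_STACK))
    print("deep, budget 10:", scan(DEEP_CALL_STACK, max_call_depth=10))
```

Raising the budget finds the deep case, at the price of re-analysing every callee for every call site; a recursive or circular call chain is only terminated by that same budget. The defensive lesson matches the talk's advice: treat scanner output as one signal among several (code review, runtime controls, tests), not as proof of absence.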

We asked Andreas a few more questions about his talk.

Please tell us the top 5 facts about your talk.

  • The talk explains how SCA tools technically work and which compromises vendors have to make.
  • The talk points out general weaknesses in SCA algorithms.
  • The talk does not intend to point the finger at specific vendors.
  • I will show multiple code examples in different languages that trick scanner logic.
  • I will also show how to trick human code reviewers.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

I am engaged in malware research in SAP environments. Since most code in SAP is source code, I came up with the challenge to hide malware from code scanners. Later I extended these techniques to other programming languages.

Why do you think this is an important topic?

Many companies have to deal with vast amounts of source code and limited security budget. They rely on automated code analysis and are therefore vulnerable to SCA evasion techniques.

Is there something you want everybody to know – some good advice for our readers maybe?

If your application security defenses are based on Static Code Analysis alone, you have a problem.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

Next generation malware will be able to trick / bypass code scanners.

Andreas is an experienced SAP security researcher. He discovered a substantial number of zero-days in SAP software and supported development of a market leading ABAP SCA tool. He has spoken at multiple security conferences such as Black Hat, DeepSec, HITB, IT Defense, RSA and Troopers. His current research is focused on malware.

DeepSec 2019 Talk: Security Analytics and Zero Trust – How Do We Tackle That? – Holger Arends

For many years we’ve all been in an arms race, fighting daily against new malware varieties and new attack techniques that malicious actors use to fool us and compromise our systems. Many of us rely on state of the art safeguards and have invested tremendous amounts in defending our systems and networks, yet even so, important data is still leaked or important systems are compromised.

Firewalls, IDS, IPS or SIEM systems are often unable to prevent or detect attacks. The questions “why?” and “how?” are raised again and again: how is it possible that these attacks stay undetected for long periods of time, considering the significant investments in cyber security? And so it seems obvious to say that, with the introduction of IoT devices and unmanaged BYOD, combined with legacy systems and end-to-end encryption, the future will be a difficult place in which to stay safe and secure.

In late 2017, we asked ourselves the following questions. Is it possible to defend our networks and systems by relying mainly on traffic-related analytics and related prevention? Are we able to achieve knowledge and certainty about endpoints and their associated technologies? Furthermore, does this allow us to distinguish attacks and/or malicious activities from benign activities, even on encrypted channels? We also explored whether it was possible for a Telco / Enterprise to integrate such analytics, considering high traffic throughput, into traditional security defences. These questions were and are our motivation for running the project over the last 2 years, and we would like to share our insights here at DeepSec 2019.

In our talk, we will brief you on our lessons learned, and discuss:

  • Which technologies and practices work well in combination, and where it makes sense to introduce log-less and agent-less security analytics
  • How it looks to combine deep protocol analytics, big data, polyglot persistence and machine learning and what challenges we faced
  • How well the detection and mapping of technologies works on different protocol layers and encrypted sessions
  • What interesting insights we gained about attackers, their tools, tactics and how they utilised infrastructure for their attacks
  • How often a simple handshake reveals the nature of any following data stream
  • What kind of defensive capabilities and safeguard improvements / tunings can be achieved
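As an added example of what “a simple handshake” gives away before any payload flows, here is a parser for a TLS ClientHello together with a JA3-style fingerprint. JA3 (the decimal version, cipher list, extension list, group list and point-format list joined with commas and dashes, then hashed with MD5) is a published technique; this implementation is mine, not the speaker's or Telstra's. The ClientHello bytes are constructed by hand for the example, with the server name example.com, and the parser is deliberately minimal: one record holding one ClientHello, and only the three extensions the fingerprint and the server name need.

```python
"""Added example (not the speaker's code): what a TLS ClientHello reveals before any
application data flows, parsed from a constructed capture and fingerprinted JA3-style."""
import hashlib
import struct

# Reserved values clients sprinkle into hellos (RFC 8701); fingerprints must ignore them.
GREASE = {(v << 8) | v for v in range(0x0a, 0x100, 0x10)}


def u16(buf, pos):
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def parse_client_hello(record):
    """Dissect one TLS record holding a ClientHello into the fields analytics care about."""
    content_type, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != 22:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if body[0] != 1:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]

    pos = 0
    version = u16(hello, pos); pos += 2
    pos += 32                                   # client random
    pos += 1 + hello[pos]                       # legacy session id
    cs_len = u16(hello, pos); pos += 2
    ciphers = [u16(hello, pos + i) for i in range(0, cs_len, 2)]; pos += cs_len
    pos += 1 + hello[pos]                       # compression methods
    ext_end = pos + 2 + u16(hello, pos); pos += 2

    extensions, sni, groups, point_formats = [], None, [], []
    while pos + 4 <= ext_end:
        ext_type, ext_len = u16(hello, pos), u16(hello, pos + 2); pos += 4
        data = hello[pos:pos + ext_len]; pos += ext_len
        extensions.append(ext_type)
        if ext_type == 0:                       # server_name: list len(2), type(1), name len(2)
            sni = data[5:5 + u16(data, 3)].decode("ascii")
        elif ext_type == 10:                    # supported_groups
            groups = [u16(data, 2 + i) for i in range(0, u16(data, 0), 2)]
        elif ext_type == 11:                    # ec_point_formats
            point_formats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "groups": groups, "point_formats": point_formats, "sni": sni,
            "tls13_offered": any(0x1301 <= c <= 0x1305 for c in ciphers)}


def ja3(hello):
    """JA3 string and digest: version,ciphers,extensions,groups,point formats (GREASE dropped)."""
    def field(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    text = ",".join([str(hello["version"]), field(hello["ciphers"]),
                     field(hello["extensions"]), field(hello["groups"]),
                     field(hello["point_formats"])])
    return text, hashlib.md5(text.encode()).hexdigest()


# Constructed ClientHello (lengths worked out by hand): TLS 1.2 legacy version, two suites,
# SNI example.com, x25519, uncompressed points.
CLIENT_HELLO = bytes.fromhex(
    "16 03 01 00 53"                            # record: handshake, 83 bytes
    "01 00 00 4f"                               # ClientHello, 79 bytes
    "03 03" + "00" * 32 +                       # legacy_version 0x0303, zero random
    "00"                                        # empty session id
    "00 04 13 01 c0 2f"                         # TLS_AES_128_GCM_SHA256, ECDHE-RSA-AES128-GCM-SHA256
    "01 00"                                     # compression: null only
    "00 22"                                     # extensions: 34 bytes
    "00 00 00 10 00 0e 00 00 0b" + "example.com".encode().hex() +
    "00 0a 00 04 00 02 00 1d"                   # supported_groups: x25519
    "00 0b 00 02 01 00"                         # ec_point_formats: uncompressed
)

if __name__ == "__main__":
    hello = parse_client_hello(CLIENT_HELLO)
    print(hello["sni"], hello["tls13_offered"], ja3(hello))
```

Everything the parser returns is visible in cleartext on the wire even though the session that follows is encrypted: the destination name, whether the client is TLS 1.3-capable, and a fingerprint that identifies the client software family. That is exactly the kind of log-less, agent-less signal the talk builds on, and also why the ethics paragraph that follows matters: the same fields profile users as readily as they profile malware.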

Finally, we would like to speak about ethics; discussing the potential of DPI and what this means for all of us, ranging from privacy concerns to potential misuse of such technologies against a free society.

Being a lifelong enthusiast for computer security and emerging technologies, Holger started his IT Security career in the German army in 1997. Since then, Holger has continued to strengthen his professional skill set by being involved in many security projects around the globe. While working with industry leaders such as Microsoft, he’s had several years of experience running his own IT Security business. Holger has always been passionate about innovating and developing new security solutions, and this has led him to Telstra where he is the Principal Security Domain Cyber Security expert at the Centre of Excellence, Technology & Innovation. His current role focuses on futuristic and real-world security analytics solutions in the fields of IoT and Cyber Security.

Deconstruction and Analysis of modern IT Threats – DeepINTEL Security Intelligence Conference disenchants Complexity of Security Threats

The modern digital world is constantly under threat. Unfortunately, only a few understand what this actually means. Information security is always presented in distorting stereotypes that have nothing to do with reality. No attack is hammered into a keyboard in minutes. The most dangerous threats cannot be detected by watching out for guys in hooded shirts or face masks. Nothing in the digital world can be defused with a simple click. The opposite is the case, because domestic and foreign policy have global implications for the digital infrastructure of all organizations. The DeepINTEL Security Intelligence Conference, which takes place every year in Vienna, therefore aims to provide a platform where authorities, businesses, researchers and hackers can productively discuss threats’ characteristics and countermeasures within a closed group.

Striking Examples

Economic espionage is often cited as an example of information threats. Attacks on information systems often have the goal of copying data in order to either trade it or make other use of it. Espionage exists at all levels. In May 2019 it became publicly known that smartphones could be infected via WhatsApp calls. Answering the call was not necessary. This vulnerability was exploited by commercial espionage software produced in Israel. No companies were spied on, but civil rights activists in the Middle East. The software could be unleashed on business executives as well. The customers of the Israeli company are not just located in the Middle East. They are also in western states.

The sticking point is finding vulnerabilities to break or bypass the defence. The knowledge of such gaps is rewarded and traded for a lot of money. The analogy with weapons is obvious, even if there are major technological differences. Malicious code is more closely related to biological weapons. The attacks by the malicious software Petya and Wannacry in the years 2016 and 2017 underline this thesis, as the exploit for the vulnerability both programs used to break in was most likely developed by the US National Security Agency (NSA). Concrete evidence of how it actually leaked is missing. The theories put forward range from the action of a whistleblower to perpetrators from Russia. There will be no certainty.

For security officers in companies these speculations play no role. The facts show that the digital world is moving directly within geopolitical areas of tension. It is therefore high time to integrate this fact into internal processes.

Geopolitics Has Long Been Part of Corporate Decisions

The economy is often perceived as aloof from politics. This is especially true for digital services. When it comes to streaming, internal document filing, e-mail communication, social media platforms or data storage, only a few organizations still have their own infrastructure. Cloud service providers manage these external digital goods. The very popular concept of digital sovereignty loses all meaning when management can no longer say where exactly all company data is located and who manages it. You cannot protect anything whose whereabouts you do not know. This applies in particular to prototypes such as the Gaia-X infrastructure proposed by the German Ministry of Economic Affairs, which is meant to provide an alternative to data storage and processing outside the borders of Europe. The core of the matter? Geopolitics has become part of everyday life in the economy. Thus, software as well as hardware can become entangled in trade wars – or worse.

The examples illustrate conclusively that business leaders must now finally deal with issues that have hitherto occupied foreign policy and the military. IT security has long since recognized this and created the area of security intelligence. It deals with the strategic view of threats and the capabilities of the opponents against whom one must defend oneself. The technical details are the tools of the trade, but secondary. It is about clarifying the identities, capacities and intentions of opposing organizations that can attack your own data and your own infrastructure. Classic information security provides the tools, but analysts need to piece the puzzle together correctly. This is exactly where the annual Viennese DeepINTEL conference comes in – exchange of insights in a closed group.

Exchange on the Living Object

If one wants to talk about real incidents and concrete break-ins, it is advisable to do so in a focused manner within the framework of discussions among experts. The exchange of experience is invaluable and will sustainably improve your defence. DeepINTEL is such a platform. This year’s focus is on attacks on energy suppliers, infrastructure cut-offs (networks, power), analysis of network traffic to protect autonomous systems, global network intelligence (Internet, Domain Name Service), and the detection of hidden communication channels.

The focus is on the relationships between incidents and the use of certain types of attack. For example, one usually learns from conventional reporting which malicious software has struck, but very little about the actual infection routes, which parts of the infrastructure are affected and what the actual goal was. These details can best be discussed in a closed group with a focus on strategy. In the digital world in particular, relationships are often difficult to recognize because the Internet is available globally. The clear attribution of perpetrators – whether individuals, organizations or states – is very difficult, if not impossible. DeepINTEL also wants to assist all its participants in these considerations.

The data needed for a strategic consideration of your own information technology is critical for a meaningful analysis. There are many service providers on the market that combine collected data and complement it with sensor networks. But nobody can replace your knowledge of your own processes and internal organization. Therefore, the DeepINTEL conference will also discuss the collection, assessment and evaluation of the information already available.

Schedule and Booking

The DeepINTEL Conference will take place on November 27, 2019 in Vienna. We will gladly send you the program upon request to deepsec@deepsec.net after review. Tickets are available on the website https://deepintel.net/.

The venue for DeepSec and DeepINTEL Conference is The Imperial Riding School Vienna – A Renaissance Hotel, Ungargasse 60, 1030 Vienna.

The program of the subsequent DeepSec conference is available at https://deepsec.net/schedule.html. The DeepINTEL program will only be made available upon request because the DeepINTEL is a non-public conference.

Tickets for the DeepSec conference as well as for the DeepINTEL event and DeepSec trainings can be ordered at any time at https://deepsec.net/register.html or via e-mail to deepsec@deepsec.net.

DeepSec 2019 Talk: Saving Private Brian – Michael Burke

This talk will be given as the story of Brian, an aid worker operating in a hostile third country. When he was stopped at the border on his way in, he had his iPhone taken from him; it was returned 15 minutes later. Now he can’t be sure whether any malware was implanted on his device: malware that could compromise him, his organisation and anyone who co-operates with him. He needs his phone to do his work, but should he stop using it instead? Are all his contacts already compromised? Should he warn them, and should he use his phone to do so? And will he and his phone be tracked to any in-person meetings?

iOS malware is rare, advanced and difficult to detect when deployed. I will talk through the above scenario on the basis of the threats that exist, how iOS malware is implanted, what its capabilities are and how it can be detected simply and quickly in future. This will increase the safety and security of the workers we rely on to make the world a better place.

We asked Michael a few more questions about his talk.

Please tell us the top 5 facts about your talk.

It’s a growing (but niche) threat; this is a way to detect it that takes no technical skill on behalf of the user; zero day exploits for iOS can sell for ~$1 million; it’s the first time I’ve given it; I’ll make it interesting!

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

I came up with it reading about how sophisticated iOS zero days were being used against NGO workers, dissidents, journalists and other critical roles in our society. I thought that I could devise a new and easy method of detecting something that is very hard and normally involves digital forensic labs.

Why do you think this is an important topic?

Lawful and measured iOS malware implants by governments can be a valuable tool to fight crime and terrorism. There are times however that people’s lives may be put at risk from malware implanted on iPhones/iPads by rogue governments, organisations or individuals. I want to help people who are targeted by those bad actors go about their business with safety and security.

Is there something you want everybody to know – some good advice for our readers maybe?

Depending on what area of security you are working in, you may be more likely to be targeted by this type of attack – rare as they are – so just be aware of that possibility and take reasonable steps to prevent it (I’m sure as an industry professional you already update your phone soon after every OS release).

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

I’m hoping that Checkm8/Checkra1n is released and stable by the time of my talk – it will make jailbreaking for iOS forensics much more interesting! I foresee more talks ahead…

I am Ireland’s most active digital forensic investigator, working on a wide variety of cases for Grant Thornton but specialising in macOS and iOS forensics.
I am an external expert for the EU in cybersecurity funding decisions.
I have lectured at third level, spoken at conferences and briefed the Irish national cybercrime unit on my research in digital forensics.
I hold Masters degrees in both Forensic Computing and International Security Studies.
I am a former member of the Irish national police service as well as a reformed member of the start-up world.