DeepSec2016 Talk: Java Deserialization Vulnerabilities – The Forgotten Bug Class – Matthias Kaiser

Sanna/ October 13, 2016/ Conference, Development, Security

Most programming languages and frameworks have support for serialization of data. It’s quite handy for storing things to disk (or other media) and transporting them around a network for example. The process can be reversed, aptly called deserialization, in order to obtain the original pieces of data. Great. Even though this process sounds simple, there is a lot that can go wrong. First of all data can be manipulated. Subtle modifications can cause havoc when the data is touched. There is a lesser known class of bugs around deserialization and serialization techniques. Matthias Kaiser has some insights to share. Java deserialization vulnerabilities are a bug class of its own. Although several security researchers have published details in the last ten years, still the bug class is fairly unknown. Early 2015 Chris Frohoff and Gabriel

Read More

DeepSec 2016 Workshop: Fundamentals of Routing and Switching from a Blue and Red Team Perspective – Paul Coggin

Sanna/ October 12, 2016/ Security, Training

Penetrating networks has never been easier. Given the network topology of most companies and organisations, security has been reduced to flat networks. There is an outside and an inside. If you are lucky there is an extra network for exposed services. Few departments have retained the skills to properly harden network equipment – and we haven’t even talked about the Internet of Things (IoT) catastrophe where anything is connected by all means necessary. Time to update your knowledge. Luckily we have just the right training for you! In Paul Coggins’ intense 2 day class, students will learn the fundamentals of routing and switching from a blue and red team perspective. Using hands-on labs they will receive practical experience with routing and switching technologies with a detailed discussion on how to attack and defend the network

Read More

DeepSec 2016 Talk: Brace Yourselves – Exploit Automation is Coming! – Andreas Follner

Sanna/ October 12, 2016/ Conference, Development, Security

Automating tasks is not only the domain of system administrators. We use computers for a lot of dull and boring processes. This enhances productivity and enables us to focus on problem solving. That’s good news. The bad news is that your adversaries can do this, too. While there are still more than enough hand-crafted attacks Out There™, there are classes of exploits that follow a certain pattern. So if you want to find out how this auto0wning works, you should listen to the presentation by Andreas Follner. Gone are the days of simple stack smashing and code injection (thanks, DEP / W^X!), says Andreas Follner. Today, return-oriented programming (ROP) is the foundation of exploitation. Most ROP exploits are created as follows: you use a tool to dump all gadgets in a binary to the disk, grep specific

Read More

DeepSec2016 Talk: The (In)Security or Sad State of Online Newspapers – Ashar Javed

Sanna/ October 8, 2016/ Conference, Internet, Press

Web sites are simply, one might think. The client requests a page, the server sends it, the layout is applied, and your article appears. This is a heavy simplification. It worked like this back in 1994. Modern web sites are much more complex. And complexity attracts curious minds. Usually that’s what gets you into trouble. Now content management systems serve the web page of the 1990s with a lot of queries, executable code, and from different servers. The ever changing Top 10 list of mistakes from the Open Web Application Security Project can show you the tip of the iceberg. Ashar Javed took a closer look at online newspapers, and he found some scary stuff. The goal of his talk is to raise awareness about the (in)securities of online newspapers. Ashar Javed hopes that their

Read More

DeepSec Talk 2016: Inside Stegosploit – Saumil Shah

Sanna/ October 7, 2016/ Conference, Pictures, Security

Stegosploit creates a new way to encode “drive-by” browser exploits and delivers them through image files. Using current means these payloads are undetectable. In his talk Saumil Shah discusses two broad underlying techniques used for image based exploit delivery – Steganography and Polyglots. Drive-by browser exploits are steganographically encoded into JPG and PNG images. The resultant image file is fused with HTML and Javascript decoder code, turning it into an HTML+Image polyglot. The polyglot looks and feels like an image, but is decoded and triggered in a victim’s browser when loaded. This talk focusses more on the inner mechanisms of Stegosploit, implementation details and how certain browser specific obstacles were overcome. The Stegosploit Toolkit contains the tools necessary to test image based exploit delivery. A case study of a Use-After-Free memory corruption exploit (CVE-2014-0282) shall

Read More

DeepSec 2016 Talk: Social Engineering The Most Underestimated APT – Hacking the Human Operating System – Dominique C. Brack

Sanna/ October 5, 2016/ Conference, Security

Social Engineering is an accepted Advanced Persistent Threat (APT) and is going to stay according to Dominique C. Brack of the Reputelligence, Social Engineering Engagement Framework (SEEF). Most of the high-value hacking attacks include components of social engineering. Understanding the behind the scene methods and approaches of social engineering will help you make the world a safer place. Or make your attack plans more successful! Social Engineering is a topic that does not really fit into technical hacking and is also underestimated by security professionals. There are no tools or hardware you can buy to prevent Social Engineering attacks. But Social Engineering is an APT to be taken seriously, because most attacks consist partly of it and its attack execution and prevention needs training and skills. Social Engineering has progressed and professionalized more than you think. It is disastrously effective.

Read More

DeepSec2016 Talk: Behavioral Analysis from DNS and Network Traffic – Josh Pyorre

Sanna/ October 4, 2016/ Conference, Internet, Security

What’s in a name? A rose? The preparation for an attack? Or simply your next web page you will be looking at? The Domain Name System (DNS) has gone a long way from replacing text lists of hosts to a full directory service transporting all kinds of queries. DNS even features a security protocol for cryptographically signed zone data. In order to balance the load, name resolution has caches that temporarily store DNS information. Usually organisations run their own DNS resolvers as caches for their infrastructure. Even if it’s just a flat network with local clients all DNS requests are channelled to hit your resolvers. Before applications open a data connection, they will query the local resolver to get address data or other hints on how to contact the other endpoint of the communication.

Read More