Need something to read? – First Batch of DeepSec 2018 Presentation Slides online

Do you fear reading the news? Fancy some facts? Well, we have something different for you to read. We have collected presentation slides from DeepSec 2018 and put the first batch online. You can find them in this rather nostalgic directory listing. We have renamed the files with their title and the name of the presenters. Most are PDFs, but two presentations consist of an HTML slideshow; for those we have created a PDF document containing the link to the original presentation for your convenience. The directory will be filled with the remaining documents as soon as we get them.

Thank you all for attending and speaking at DeepSec 2018!

Stickers at the DeepSec registration desk, courtesy of Florian Stocker <fs@fx.co.at>.

DeepSec 2018 is over. Thank you for attending and presenting at our conference! Without your interest and your contribution there would be no talks, no workshops, and no one else present. We had a great time, and we hope you enjoyed everything. We are now dealing with the administrative backlog, the metric ton of receipts, the post-processing of the video recordings, and lots of other things. Among the tasks is the feedback you gave us. We will try to improve, so the next DeepSec conference will feature some or all of your suggestions.

Dates for DeepSec and DeepINTEL 2019 will be available soon. We will publish this information on Twitter, on our web site, and on our blog.

As for the video recordings, please give us some time. The post-production has to deal with the lighting conditions at the hotel (which will improve for the next conference, promised).

Opening & Keynote – DeepSec 2018 has started

So, now is the opening and the keynote presentation by the magnificent Peter Zinn. This means that DeepSec 2018 has officially started. Since we do not live stream the talks, we will be away from the blog and mostly from Twitter until the end of the conference. Communication in meatspace has full priority. In case of urgent messages, use the contact information on our web site. We still use telephones, you know.

In case you are at DeepSec and wish to comment on content, discussions, or summarise a presentation, please do. Post it on Twitter and mention us (or use a meaningful hashtag), we will retweet and pick up your thoughts later on the blog.

Enjoy the conference!

Discussing Threat Intelligence in the City of Spies – DeepINTEL 2018 has started

1815 caricature of the cabinet noir („Le cabinet noir ou: les pantins du 19eme siècle“, the black cabinet, or: the puppets of the 19th century), Bodleian Libraries. Source: https://en.wikipedia.org/wiki/File:Bodleian_Libraries,_Le_cabinet_noir_ou-_les_pantins_du_19eme_si%C3%A8cle.jpg

What’s the best place to discuss security and threat intelligence? Well, according to Austrian investigative journalist Emil Bobi there are over 7,000 spies living and working in Vienna. To quote the article: „Austria has been an international spy hub since the late 19th Century, when people from all parts of the Austro-Hungarian empire flocked to the city.“ Basically it’s a tradition going back to the 19th century. During DeepINTEL we will discuss modern threats – advanced, persistent, networked, or otherwise. The focus will be on indicators of suspicious behaviour, the human component of information security, challenges posed by drone technology, and how to protect sources of information.

 

ROOTS 2018 Talk: Kernel-Assisted Debugging of Linux Applications – Tobias Holl, Philipp Klocke, Fabian Franzen

On Linux, most—if not all—debuggers use the ptrace debugging API to control their target processes. However, ptrace proves unsatisfactory for many malware analysis and reverse engineering tasks: So-called split-personality malware often adapts its behavior in the presence of a debugger, yet ptrace makes no attempt to hide from a target process. Furthermore, ptrace enforces a strict one-to-many relation, meaning that while each tracer can trace many tracees, each tracee can only be controlled by at most one tracer. Simultaneously, the complex API and signal-based communication provide opportunities for erroneous usage.

Previous works have identified the newer uprobes tracing API as a candidate for building a replacement for ptrace, but ultimately rejected it due to lack of practical use and documentation. Building upon uprobes, we introduce plutonium-dbg, a Linux kernel module providing debugging facilities independent of the limitations of ptrace alongside a GDB-compatible interface. Our approach aims to mitigate some of the design flaws of ptrace that make it both hard to use and easy to detect by malicious software.

We show how plutonium-dbg’s design and implementation remove many of the most frequently named issues with ptrace, and that our method improves on traditional ptrace-based debuggers (GDB and LLDB) when evaluated on software samples that attempt to detect the presence of a debugger.
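The two ptrace properties the abstract names (a tracee has at most one tracer, and the tracer leaves visible traces) are exactly what classic debugger-detection code relies on. The following is an added example written for this post, not code from plutonium-dbg or the ROOTS paper: it implements the two checks a ptrace-based debugger cannot hide from, reading the TracerPid field of /proc/self/status and the "self-ptrace" trick where PTRACE_TRACEME fails with EPERM because the slot for a tracer is already taken. The split into a pure parser plus a procfs reader is my own choice so the parsing can be exercised on constructed input.

```c
/*
 * Added example (not code from plutonium-dbg or the ROOTS paper):
 * two ptrace-era debugger checks, implemented on Linux.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <unistd.h>

/* Parse the "TracerPid:" field out of the text of /proc/<pid>/status.
 * Returns the tracer's PID (0 means "not traced") or -1 if the field
 * is missing from the buffer. */
int parse_tracer_pid(const char *status_text)
{
    const char *p = strstr(status_text, "TracerPid:");
    if (p == NULL)
        return -1;
    p += strlen("TracerPid:");
    while (*p == ' ' || *p == '\t')
        p++;
    return (int)strtol(p, NULL, 10);
}

/* Read /proc/self/status and return the tracer's PID: 0 when untraced,
 * the debugger's PID when traced, -1 if procfs is unavailable. */
int read_tracer_pid(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf);
}

/* The "self-ptrace" trick: the kernel allows exactly one tracer per task,
 * so PTRACE_TRACEME fails with EPERM when a debugger is already attached.
 * Returns 1 if a tracer is present, 0 if the call succeeded (the process
 * is now nominally traced by its own parent, which is harmless here), and
 * -1 if ptrace is unavailable (non-Linux build, or blocked by a sandbox). */
int self_ptrace_detects_debugger(void)
{
#ifdef __linux__
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
        return (errno == EPERM) ? 1 : -1;
    return 0;
#else
    return -1;
#endif
}

int main(void)
{
    /* Run once normally and once under "gdb ./a.out" to see both checks flip. */
    printf("TracerPid from /proc: %d\n", read_tracer_pid());
    printf("self-ptrace check: %d\n", self_ptrace_detects_debugger());
    return 0;
}
```

Run the binary directly and then under gdb or strace: the TracerPid field changes from 0 to the debugger's PID, and the PTRACE_TRACEME call starts failing. A debugger built on uprobes instead of ptrace, as the talk proposes, does not occupy the tracer slot and does not show up in TracerPid, which is why neither check fires against it.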

We asked Tobias, Philipp and Fabian a few more questions about their talk.

Please tell us the top 5 facts about your talk.

  • We implemented a debugger using existing Linux kernel infrastructure
  • Alternative to the ptrace API (the usual debugging interface), which has several design flaws
  • Use of modern kernel features (uprobes, kprobes, etc.)
  • Resists most approaches to detect debuggers
  • Compatible with existing debugger frontends (GDB) and their plugins (pwndbg)

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

We encountered a program which ptraced itself, to detect the presence of a debugger. To allow for dynamic analysis, we asked ourselves if we could avoid this well-known mechanism.

Why do you think this is an important topic?

Some malware also uses this trick to avoid analysis by security researchers and analysis tools in general. Thus, we aim for minimal interference with the target process, which also allows for other kinds of debugging. For example, we can investigate so-called Heisenbugs (bugs that occur in production only, not in debugging).

Is there something you want everybody to know – some good advice for our readers maybe?

Ptrace has major drawbacks, the biggest being that every target can be debugged by only one debugger. Others include the destruction of process order, poor performance in accessing memory and a non-intuitive API.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

Our approach removes obvious detection possibilities in what we believe to be an arms race of debugger detection and debugger stealthiness. Therefore we expect malware authors to develop new evasion techniques, which we will counter, as we think our capabilities are not maxed out yet.

 

Tobias Holl is a computer science student at TUM with a passion for reverse engineering and IT security. By day, he develops high-performance parallel software in C++, with a focus on computer vision and machine learning.


Philipp Klocke is a hacker, nerd and tech-enthusiast. He occasionally plays CTF and pursues a B.Sc. at the Technical University of Munich.


Since 2018, Fabian Franzen has been a PhD student and researcher at the Chair of IT-Security of the Technical University of Munich (TUM). When he is not trying to teach his students the foundations of IT security, he is interested in various research topics. More specifically, these are reverse engineering, binary exploitation, Android security and improving systems security by introducing additional features to the Linux kernel.

DeepSec 2018 Talk: Attacks on Mobile Operators – Aleksandr Kolchanov

I’d like to talk about telecom security. My research contains information about the security of mobile operators: classic and new (or very rare) attack vectors and vulnerabilities. This presentation will consist of three main parts:

First, I will share information on the security of mobile operators in general. I’ll tell you a little bit about why it is important (usually, phone numbers are used as a key to social networks, messengers, bank accounts, etc.). So, if an attacker can hack a mobile operator, he can gain access to a large amount of user data and money. Also, in this part, I will tell you about typical SS7 attacks (how to intercept SMS or send fake ones).

During the second part, I will tell you about different vulnerabilities and security issues. All of the problems I will refer to were found in systems of mobile operators from Russia and Ukraine. I will speak about the classical vulnerabilities I found (XSS, CSRF and HTTPS issues) that allow attackers to gain access to subscriber accounts through a mobile operator’s site or an application.
Also, I will talk about authorisation issues (SMS codes, bruteforce, etc.). Then I will tell you about new attack vectors (or very rare ones): attacks via IVR (at call centers), problems in operator services that allow sending SMS from users’ numbers, and problems in operator applications (which allow attackers to intercept calls and SMS). I will also speak about attacks on SIM-card change systems (how I can gain access to information that I can use to change SIM-cards and gain access to calls and SMS). Of course, I will show demos and PoCs (images, video or real-time demonstration) of some attacks.

In the final part of the talk I will talk about post-exploitation. The main idea of this part is to show how I can use the vulnerabilities addressed in the second part of my talk to gain access to private data (including SMS content), intercept calls and SMS, send fake SMS, gain access to email, messenger, and social network accounts (using account recovery via SMS), steal money from bank accounts (using account recovery or SMS banking) and for some other ideas.

We asked Aleksandr a few more questions about his talk.

Please tell us the top 5 facts about your talk.

I think, that these facts are most interesting:

  • Mobile operators are interesting targets for hackers. If somebody hacks them, he will be able to easily hack many other services.
  • I will tell you about simple attacks. Any hacker can use these attacks without special equipment and knowledge.
  • I researched mobile operators from Russia and Ukraine and discovered that they are not protected against simple attacks.
  • In some cases, a simple call will be enough for an attacker to hack victims’ accounts. Do you want to know more? Just come and listen.
  • Some simple attacks are effective against IoT devices and devices for children.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

Usually you read about cutting-edge research and attacks (like attacks on modern networks, 5G and LTE), but it is necessary to realize that for most people this research is not very relevant (these attacks require special equipment and knowledge). Of course, these studies are extremely important, and the attacks they examine are dangerous. But I became interested in attacks that do not require special devices or special knowledge. And I realized that these attacks are also dangerous, and, what’s more, almost anyone can carry them out.

Why do you think this is an important topic?

Nowadays mobile operators are not protected enough, so even simple attacks are very effective. I want to draw the attention of the community and mobile operators to this problem to improve the situation.

Is there something you want everybody to know – some good advice for our readers maybe?

If you are interested in the security of the mobile operator that you use, I would advise you to look for information about the available services. Mostly I will talk about the security of IVR systems, personal accounts, SMS and call forwarding.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

I think that in the future hackers will still attack mobile operators and customers. Different services, like email, messengers and social networks, become more and more secure, but mobile operators are not so well protected. Usually it is easier to hack an operator and use an intercepted code to recover an e-mail account than to directly hack the e-mail account.

 

Aleksandr Kolchanov is an independent security researcher and consultant and a former penetration tester at a bank in Russia. He takes part in different bug bounty programs – PayPal, Facebook, Yahoo, Coinbase, Protonmail, Telegram, etc. – and holds first place in the Privatbank bug bounty program (one of the biggest banks in Ukraine). Aleksandr also won the “Hack Internet-Bank” competition of PromSvazBank, Russia.
He’s interested in uncommon security issues, telecom problems, airline security and social engineering.

(Almost) (Pretty) Final ROOTS 2018 Schedule (last beta version) published!

Science First! rat. © 2017 Florian Stocker

We have rearranged the ROOTS 2018 schedule into its final form. You may have noticed that it is more condensed. We thought it would be easier to connect, to discuss, and to exchange ideas without stretching it over two days. Furthermore it is easier to have sessions with a specific focus when there is more unallocated time to use. ROOTS 2018 will get its own keynote presentation, too. We are currently sorting out the details.

You may wonder why there are so many empty slots. The reason is simple. ROOTS is an academic workshop. All presentations must be submitted in a formally correct manner. Then they are reviewed by the programme committee. The submitted content is graded according to the scientific methods used, the research topic, the evaluation of the results, the conclusion, and so on. After that there is a vote by the members of the committee. All submissions which pass with a sufficient number of „accepted“ votes get, well, accepted. If the submitted research does not get enough supporters among the reviewers, then it is declined. There were some pretty interesting submissions among the ones that didn’t make it. So to all of you out there working on really interesting stuff: Please, please do it properly! Life is too short for reading the documentation of sloppy work. Make sure that yours is good. If you have doubts or would like to get some feedback from the world of academic research, then do not hesitate to reach out to us. The ROOTS chair is happy to point you in the right direction. Time constraints do not allow for mentorship, but you don’t get anywhere if you don’t ask questions.

DeepINTEL 2018 Talk: Framing HUMINT as an information gathering technique – Ulrike Hugl

NATO defines human intelligence (HUMINT) or hyoo-mint as “a category of intelligence derived from information collected and provided by human sources” (NATO Glossary of terms and definitions, APP-6, 2004) focusing on different kinds of information, for example data on things related to a human, information about a human’s specific knowledge of a situation, and other issues.

HUMINT is differentiated into several categories like clandestine and overt collection. And it is one of several traditional intelligence collection disciplines, so-called INTs; examples are SIGINT (signals intelligence), OSINT (open source intelligence), MASINT (measurements and signatures intelligence), GEOINT (geospatial intelligence), TECHINT (technical intelligence), SOMINT (social media intelligence), FININT (financial intelligence, gathered from analysis of monetary transactions), as well as CYBINT/DNINT (cyber intelligence/digital network intelligence, gathered from cyberspace).

Intelligence services deal with the collection and analysis of traces left everywhere by relevant target groups. For this purpose, HUMINT generally focuses on the gathering of political or military intelligence through secret agents (operations officers), whereby intelligence can be defined as the analysis of reliable and accurate information in the context of the military and government as well as business affairs. As one of the basic HUMINT operations, human source screening is the starting point, involving the selection of persons who may be sources of meaningful HUMINT (e.g. based on a potential level of cooperation and knowledgeability). Screening is followed by the (positive) identification of selected targets (e.g. by biometric data like fingerprints, iris scans, etc.), as well as the conduct of interviews of diverse types (from pure information seeking to other forms of dialogue). Interviews are an intimate act and, often, they have the dynamic of a psychotherapeutic relationship (concept of transference and countertransference), and, for example, insights from argumentation theory are used. Anyhow, different types of human targets will share information involuntarily or voluntarily. An interrogator builds up a relationship with the target person. Such a relationship can be based on fear, trust, friendship, or other emotions – hence, principles and methods of questioning will vary.

Beside already mentioned aspects of HUMINT, this presentation will address the Scharff technique as a non-coercive and non-invasive interview approach based on the establishment of an interpersonal connection with the target. Finally, the talk will highlight some snapshots regarding the relevance of HUMINT in the business context.

Professor Ulrike Hugl is a senior scientist and lecturer at the University of Innsbruck (School of Management), Department of Accounting, Auditing and Taxation. She is member of various scientific committees of international conferences and reviewer of several journals. Her research mainly focuses on new technologies with impact on information security and data protection of organizations, as well as on occupational/corporate crime (especially insider threat) and industrial espionage issues.

 

Special Offer for “Mastering Web Attacks with Full-Stack Exploitation” Training – get 3 for the Price of 1

HTML meta tags. Source: https://www.flickr.com/photos/128629824@N06/26972283316

The DeepSec training Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation by Dawid Czagan has some seats left. Dawid has agreed to give away free access to two of his online courses to everyone booking tickets until Wednesday, 21 November 2018 (23:59 CET). This gives you a perfect preparation for penetration testing, software development, and an edge for any bug bounty programmes out there. You can get a glimpse of the online trainings, well, online of course.

Every penetration test and every attempt to defend your own assets can’t do without knowledge of web technologies. Since the Web has evolved from being simple HTML content, you absolutely have to know about all layers modern web applications use. The training will give you the means to understand what’s going on, to find bugs, and to align your defence with the threats being thrown against you.

DeepSec 2018 Talk: RFID Chip Inside the Body: Reflecting the Current State of Usage, Triggers, and Ethical Issues – Ulrike Hugl

Chipping humans can be seen as one of the most invasive biometric identification technologies. RFID (Radio Frequency Identification) as the key technology in the field of the Internet of Things produces many applications.

For example, human implants are used by scientists in the fields of cyborgism, robotics, biomedical engineering and artificial intelligence, by hobbyists for identification reasons to start their computers, cars, for smart home applications or to pay by credit card, by hospitals for the control of human biological functions of patients, but also by companies to tag their employees for security reasons and workplace surveillance.

All in all, worldwide human implants are mainly used for security, healthcare, and private (individual) reasons. Beside some positive individual or organizational outcomes, implants may compromise privacy and raise manifold ethical questions.

For example, research in the field of information security has shown that RFID implants can be hacked to gain sensitive data stored on such chips. From an ethical point of view, other questions refer to its influence on a person’s identity and body, as well as to how individuals are probably able to resist such a surveillance technology against the background of felt pressure in an organizational or societal environment.

This talk focuses on the current state of the discussion and the applications of human implants, used for various reasons. It discusses triggers mainly from an individual and organizational point of view, and analyzes some already existing and upcoming ethical-, legal- and privacy-related aspects in the field. We will present results from a qualitative study with managers in Austria and close the talk with some theses for future research, applications and related individual and societal outcomes.

We asked Ulrike Hugl a few more questions about her talk.

Please tell us the top 5 facts about your talk.

All throughout history, humans have tried to transcend boundaries, to exceed borders. In the case of RFID chips the borders of the body are being crossed in a very invasive way. Humans implant chips for private reasons, to connect with smart home applications for example, or just for fun, to try how life is as a cyborg. In such cases, people actively want to transform themselves. In other cases, like the use of human implants for security reasons to open doors and gain access to high security areas inside a company, I guess people do not feel the need for ‘body transformation’ before they are chipped.

The first fact: RFID chips are coming up in both the private and the corporate sector.

Second, because of an extensive use of mobile devices, including different forms of wearables, like smart watches, medical biometric (support) devices and others, nowadays many individuals feel much closer to something like a human-machine interface. I think, from a mental and societal point of view, crossing the body border with a chip implant is much easier now than it was about ten or fifteen years ago.

Third, diverse triggers came up within the last years: The comprehensive worldwide chipping of stock and pets, a tendency towards cashless payment in many countries (as an application of human implants in the private life of chipped people), furthermore human/body enhancement, and also other aspects are starting points to reduce fear of such applications.

Fourth, there are powerful industrial and partially also political players in the field trying to bring up the topic.

Fifth, we have to be aware that such crossing of the body border also comes with ethical, legal, privacy- and security-related aspects, for both the private and the corporate environment. In the latter case, I was interested in the opinions of potentially concerned employees and managers; on that front estimations and results based on a qualitative study in Austria will be presented.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

In the early 2000s, at MIT and also at a few European universities, so-called Mobile Labs came up to figure out potential business applications in the field of the Internet of Things. At that time, I learned a lot about applications regarding personalization, e.g. personalized cost accounting for different business purposes, but also about RFID- and GPS-based tracking, profiling and monitoring, and I often wondered why all the scientific work was only focused on the business background and ignored the potential impact on individuals, users, or consumers. To me, this was the starting point to deal with diverse forms of upcoming new technologies and related issues of privacy and security. Among other things, I started to write about chipped humans in about 2004 and I am still interested in the topic.

Why do you think this is an important topic?

First, chip implants can be seen as an ‘insideable’ technology and seem to be one of the most invasive forms of current tech development. As mentioned above, the body as a ‘normal border’ is being crossed. This development – especially if applications in the field of RFID chipping further increase in private use, biomedical implants, health services and the security-related corporate background – holds manifold societal, individual and corporate consequences.

Is there something you want everybody to know – some good advice for our readers maybe?

Currently we live in a world of ‘transgression’. The whole field of cyborgism is more and more coming up. Hereof, human chip implants are just one piece of a bigger human computer interaction- or human machine interface-puzzle. I will try to give you (hopefully) interesting insights into the development of human implants, current applications, managers’ (non-)acceptance as well as upcoming tech- and other developments in the field.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

There exist well-known medical in-body technologies like heart pacemakers and cochlear and brain implants. At the same time, body hackers try to figure out novel capabilities for themselves, often during a special social chipping event, so-called implant parties. All in all, trends of human enhancement, in my opinion, should focus on a debate about the future of society. What will be (at) the end of body and human (performance) enhancement? Currently, in Germany we have a political and ethical discussion about (predictive) diagnostic analysis during pregnancy and the question of the inviolability of an individual’s dignity in cases of trisomy 21. Or: What would we do and feel if politicians decided to implement human chipping in the working environment or for the overall population? In a broader sense, debates about the future of society should consider the potential of cyborgism as well as robotics with the potential of replacing humans. According to Stephen Fox, in the future we will have to focus on questions like mass paradigms, technology domestication, and cultural capital, and to balance the huge implications: e.g. opportunity versus exploitation? Utopia versus dystopia? Emancipation versus extermination? Perhaps it will be like squaring the circle.

Professor Ulrike Hugl is a senior scientist and lecturer at the University of Innsbruck (School of Management), Department of Accounting, Auditing and Taxation. She is member of various scientific committees of international conferences and reviewer of several journals. Her research mainly focuses on new technologies with impact on information security and data protection of organizations, as well as on occupational/corporate crime (especially insider threat) and industrial espionage issues.

ROOTS 2018 Talk: The Swift Language from a Reverse Engineering Perspective – Malte Kraus & Vincent Haupert

Over the last decade, mobile devices have taken over the consumer market for computer hardware. Almost all these mobile devices run either Android or iOS as their operating system. In 2014, Apple introduced the Swift programming language as an alternative to Objective-C for writing iOS and macOS applications. The rising adoption of this new language has to some extent obsoleted existing techniques for program analysis on these platforms, like method swizzling and “class-dump”.

In this paper we discuss features of Swift binaries that help in reverse engineering the functionality of the contained code: We document the memory layout of compound data types and the calling convention used by the Swift compiler, as well as the runtime type information that is used by the runtime and the debugger when data types are not known statically. This type information is rich enough to allow an almost full recovery of the definition of most Swift data types, including even the names and offsets of the members of compound data types.

Based on these findings, we introduce the open source swift-frida library for iOS built on top of the Frida instrumentation framework. It provides this information about all public and many private Swift data types in a process. It allows transparent read/write access to Swift variables and their data members with known type and memory location.

We asked Malte and Vincent a few more questions about their talk.

Please tell us the top 5 facts about your talk.

  • Frida is a popular tool for dynamic analysis of iOS apps
  • Yet, Frida lacked support for Swift, which is the preferred way of developing iOS apps today
  • We present internals of Swift binaries and show how to leverage these insights for dynamic analysis
  • As opposed to Objective-C, Swift binaries store very detailed metadata about the types used in them
  • We also introduce ‘swift-frida’, a work in progress developed on GitHub, which already offers basic support for instrumentation of Swift apps using Frida

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

We wanted to trace function parameters in an app written in Swift, but had the problem that barely any tooling for that use case existed. That led to the question to what extent it is possible to recover high-level information from Swift binaries.

Why do you think this is an important topic?

The iOS ecosystem is one of the most popular computing platforms, and Swift is being adopted by more and more developers for their apps. Accordingly, knowledge about how to reverse Swift programs is important.

Is there something you want everybody to know – some good advice for our readers maybe?

Swift binaries store information like type and member names and memory layout for user-defined types that can be of great help when reverse engineering them. Today, there are no public tools to strip or obfuscate this data.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

We will likely see the emergence of the typical arms race between obfuscation and reverse engineering techniques. However, most of the data that can be useful for reverse engineering is actually required at runtime for some language or library features. Therefore, the extent to which obfuscation of this data is possible still remains to be seen.

 

Vincent Haupert is a research fellow and PhD candidate at the IT Security Infrastructures Lab of the Friedrich-Alexander University Erlangen-Nürnberg (FAU) in Germany. His main interests are authentication, system security and software protection of mobile devices. Particularly the security of FinTechs and mobile banking is one of his major research subjects.


Malte Kraus recently graduated with a M.Sc. in computer science from Friedrich-Alexander University Erlangen-Nuremberg. He likes to build things that break other things and has been playing CTFs since 2013.

Last Call for your Web Application Security Training – Break all teh Web and enjoy it!

Drawn spider web. Source: https://torange.biz/

The Internet is full of web applications. Sysadmins used to joke that HTTP is short for Hypertext Tunnelling Protocol, because anything but web content is transported via HTTP these days. It’s the best way to break out of a restricted environment, too. So the chances are good that you will need the skills for dealing with all kinds of web technology. Fortunately our training Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation conducted by Dawid Czagan has a few seats left. Don’t get distracted by the title. Focus on the phrase full-stack exploitation. It’s not just about sending HTTP requests and seeing what the application does. It’s all about using the full spectrum of components and technologies used for modern web applications.

The training is not only suited for information security researchers. The course addresses REST APIs, AngularJS-based application hacking, DOM-based exploitation, how to bypass the Content Security Policy of a web site, server-side request forgery, browser-dependent exploitation, all kinds of attacks against databases (SQL and NoSQL alike), exploiting type confusion vulnerabilities in code, exploiting race conditions, path-relative stylesheet import vulnerabilities, subdomain takeover, and more, just to name a few attack vectors. This is highly important for anyone doing software development. It is basically the „what can possibly go wrong?“ version of a secure coding workshop. So you should not only think in terms of finding highly valuable bugs; think of the training as quality assurance for your development team as well. Furthermore, Dawid will show you how to correctly use tools and techniques against your code.

The training is a hands-on experience. This means you will actually get to find bugs in software applications. Bring your own laptop. Dawid has conveniently compiled packages for you to install. You will be able to get right to the point of analysing security. Seats are still available in our ticket shop.

ROOTS 2018: How Android’s UI Security is Undermined by Accessibility – Anatoli Kalysch

Android’s accessibility API was designed to assist users with disabilities, or temporarily preoccupied users unable to interact with a device, e.g., while driving a car. Nowadays, many Android apps rely on the accessibility API for other purposes, including apps like password managers but also malware. From a security perspective, the accessibility API is precarious as it undermines an otherwise strong principle of sandboxing in Android that separates apps. By means of an accessibility service, apps can interact with the UI elements of another app, including reading from its screen and writing to its text fields. As a consequence, design shortcomings in the accessibility API and other UI features such as overlays have grave security implications.

This talk will provide a critical perspective on the current state of Android accessibility and selected UI security features. Starting with an app store centered overview of how accessibility services are used, we will continue with currently unpatched flaws in the accessibility design of Android discovered during our assessment. These flaws and vulnerabilities allow information leakages and denial of service attacks up until Android 8.1. With an enabled accessibility service, we are able to sniff sensitive data from apps, including the password of Android’s own lock screen.

To evaluate the effectiveness of our attacks against third-party apps, we examined the 1100 most downloaded apps from Google Play and found 99.25% of them to be vulnerable to at least one of the attacks covered in this talk. In the end, possible countermeasures are discussed, and we shed some light on the reporting process of Android vulnerabilities.

We asked Anatoli a few more questions about his talk.

Please tell us the top 5 facts about your talk.

The talk will feature some new Android vulnerabilities and possible mitigation techniques, insights about Android’s accessibility system and probably interesting trivia about vulnerability disclosure.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

As part of the preparation for a live hacking event we once decided to venture into Android UI security and see what attacks we could come up with. This essentially yielded the vulnerabilities that were disclosed to Google. During the live hacking event itself we only presented already known UI vulnerabilities.

Why do you think this is an important topic?

Our vulnerability analysis of available applications shows that most developers are not aware of the presented security issues, and it is probably unclear whether AOSP maintainers or developers should be in charge of addressing them.

Is there something you want everybody to know – some good advice for our readers maybe?

Accessibility and UI security seem to be a vastly underestimated attack vector for the Android ecosystem.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

New UI features often seem to undermine Android’s UI security concepts, e.g., the introduction of overlays, or the new picture-in-picture feature. New releases of Android should always be assessed regarding which security assumptions still hold.

Anatoli Kalysch is a PhD student in IT Security at Friedrich-Alexander University Erlangen-Nürnberg (FAU). His research interests include reverse engineering and program analysis, obfuscation techniques, and Android security with a focus on malware analysis and UI security. Selected projects are available on https://github.com/anatolikalysch/.

DeepINTEL 2018 Talk: Risk Management in Complex Scenarios – Oscar Serrano

ICT risk management is a well-established practice and as such is supported by international security standards and guidelines. But, despite advances in the legal and policy areas and the maturation of standardized frameworks for efficient risk management, it has still not become a controlled, systematic process in the cyber security domain of most organizations. One of the problems preventing organizations from having an enterprise approach to cyber security risk management is that these efforts have not been supported by commensurate investment to produce robust, technical implementations of suitable risk management methodologies and supporting systems. Although some tools do exist, such as PILAR, CRAMM, Ebios, Mehari, or Octave, they all implement different risk management methodologies, and all of them are implemented to satisfy the needs of specific users. None of them is a truly enterprise system able to model how a complete organization works or to improve enterprise awareness. Moreover, the existing methodologies are easily applicable to simple systems, but they fail to provide support for complex scenarios.

In his talk Oscar Serrano will explain why ICT risk management is important for all organizations and provide guidance that can be used to manage risks in highly complex, interconnected environments, guidance that could be applicable to major international organizations.

We asked Oscar Serrano a few more questions about his talk.

Please tell us the top 5 facts about your talk.

The main takeaways from this talk are:

  • Security Risk management is an important process which is often ignored.
  • Current automatic tools are not prepared to cope with complex scenarios.
  • A security accreditation process is required to ensure that risk can be managed in complex scenarios.
  • The principle of self-defending nodes is a very important security safeguard to ensure the security of complex systems.
  • The separation between physical and electronic security facilitates the risk management.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

My work is to ensure the security of very complex systems. During my day-to-day work I have encountered situations in which we have difficulties demonstrating the security of very complex information systems to the Operational Authorities. The suggestions that I will propose during my talk are based on the day-to-day best practices that I have found useful to be able to demonstrate to senior stakeholders that the risks of the systems under their control are properly managed.

Why do you think this is an important topic?

There is in general a lack of understanding in senior management about what security risk assessment is and of its importance. Most organizations are not able to maintain functioning Security Risk Management practices. My talk will give some hints about how Risk management can be simplified in some cases.

Is there something you want everybody to know – some good advice for our readers maybe?

Despite advances in the legal and policy areas and the maturation of standardized frameworks for efficient risk management, it has still not become a controlled, systematic process in the cyber security domain of most organizations. I hope that my talk helps to raise awareness and that in the future Security Risk Management can be a more controlled process.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

I miss enterprise-ready capabilities for Risk Management; there is a need to produce robust, technical implementations of suitable risk management methodologies and supporting systems. Although some tools do exist, such as PILAR, CRAMM, Ebios, Mehari or Octave, they all implement different risk management methodologies and all of them are implemented to satisfy the needs of specific users. In addition, there is a need to move from Quantitative and Qualitative Security Risk Analysis to model-based systems that can compute the risks based on well-defined security models, which take known evidence into consideration and evolve as new events are recorded. The final goal is to compute security risks with the same accuracy as it is currently done, for example, in the finance or insurance sectors, but at the moment we are far away from this goal.

Oscar Serrano holds PhD, master and bachelor degrees in Computer Engineering. He has worked for more than 15 years as a consultant and researcher for large international companies, including Telefonica, Vodafone, the Austrian Institute of Technology, Siemens, and Eurojust. In August 2012, he joined the North Atlantic Treaty Organization (NATO) as senior scientist in the field of Cyber Security, where he supports NATO efforts to improve the cyber security capabilities of the alliance. As one of the main experts in CIS Security Risk Management in the organization he leads the security accreditation processes of large distributed mission-critical systems. His research interests include Cyber Security information sharing, detection of advanced threats, risk analysis and management, policy and governance development and cyber law.

Binary Blob Apocalypse – Firmware + Cryptography = less Security

Copiale Cipher. Source: https://en.m.wikipedia.org/wiki/File:Copiale-cipher09s.png

A couple of years ago we had a chat with one of our sponsors, Attingo. They are specialised in data recovery from all kinds of media and in all kinds of conditions. Since vendors keep secrets from the rest of the world, the data rescuers do a lot of reverse engineering in order to decode the mysteries of firmware blobs. Guess what they recommend: don’t trust important tasks to firmware code! It’s the worst software written on this planet. If software gets something wrong, firmware is the best candidate for big SNAFUs. Solid state disks (SSDs) have recently joined the gallery of failures.

Carlo Meijer and Bernard van Gastel have published an article titled Self-encrypting deception: weaknesses in the encryption of solid state drives (SSDs). They analysed the implementation of hardware full-disk encryption of several SSDs. What they found is no surprise to the connoisseurs of firmware. The code has critical weaknesses that allow the extraction of „protected“ data even without knowledge of the key(s). The actual secret key is not derived from the chosen password for the device. What’s worse is the use of BitLocker on top of these SSDs. If the storage hardware advertises encryption capabilities, then BitLocker will happily delegate these tasks to the hardware/firmware and do nothing of its own. The Opal standard from the Trusted Computing Group doesn’t help, because it is not correctly implemented in the storage media.

So, short of implementing your own crypto, do not rely on a single layer of protection. If you delegate all the solutions to your problems to a binary firmware blob, then you are lost. Apart from the fact that firmware is usually never updated, it may contain more bugs and design flaws than anything piled on top. Use an extra layer of crypto such as LUKS or VeraCrypt. Better safe than $INSERT_FAVOURITE_VENDOR_TECHNOLOGY_HERE.
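A quick way to find out whether BitLocker has delegated a volume to the drive firmware as described above is to look at the encryption method it reports. The script below is an added example (not from the article or the cited paper): it parses the text that `manage-bde -status` prints on Windows and flags volumes whose method is "Hardware Encryption"; the sample output is constructed for this example, and the exact method string is assumed to match what the tool reports.

```python
# Added example: flag BitLocker volumes whose "encryption" is delegated to the
# drive firmware, parsed from the text that `manage-bde -status` prints on Windows.
import re
from typing import Dict, List

# Constructed sample (not captured from a real machine): C: sits on a
# self-encrypting drive, D: is encrypted by BitLocker's own software path.
SAMPLE_STATUS = """\
Volume C: [OS]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    Hardware Encryption - 1.3.111.2.1619.0.1.2
    Protection Status:    Protection On

Volume D: [Data]
[Data Volume]

    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 256
    Protection Status:    Protection On
"""

VOLUME_RE = re.compile(r"^Volume ([A-Z]):", re.M)
METHOD_RE = re.compile(r"^\s*Encryption Method:\s*(.+?)\s*$", re.M)


def parse_methods(status_text: str) -> Dict[str, str]:
    """Map each drive letter to the encryption method manage-bde reports for it."""
    methods: Dict[str, str] = {}
    # re.split with a capturing group yields [banner, letter, body, letter, body, ...]
    parts = VOLUME_RE.split(status_text)
    for letter, body in zip(parts[1::2], parts[2::2]):
        match = METHOD_RE.search(body)
        methods[letter] = match.group(1) if match else "Unknown"
    return methods


def hardware_encrypted_volumes(status_text: str) -> List[str]:
    """Drive letters whose protection rests entirely on the SSD's firmware."""
    return sorted(letter for letter, method in parse_methods(status_text).items()
                  if method.lower().startswith("hardware"))


if __name__ == "__main__":
    # Each hit is a candidate for an additional software layer (e.g. VeraCrypt)
    # or for re-encrypting with BitLocker's software method.
    for letter in hardware_encrypted_volumes(SAMPLE_STATUS):
        print(f"{letter}: encryption delegated to drive firmware")
```

On a real machine, pipe the output of `manage-bde -status` into `hardware_encrypted_volumes` instead of the constructed sample.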