DeepSec 2018 Talk: Injecting Security Controls into Software Applications – Katy Anton

“SQL Injection was first mentioned in a 1998 article in Phrack Magazine. Twenty years later, injection is still a common occurrence in software applications (No.1 in latest OWASP Top 10 2017). For the last 20 years, we have been focusing on vulnerabilities from an attacker’s point of view and SQL injection is still King. Something else must be done.”, says Katy Anton.

“What if there is another way to look at software vulnerabilities? Can vulnerabilities be decomposed into security controls familiar to developers? Which security controls are an absolute must-have, and which additional security measures do you need to take into account?

These are hard questions as evidenced by the numerous insecure applications we still have today. Attend this talk to explore security vulnerabilities from a different angle. As part of this talk, we examine how to decompose vulnerabilities into security controls that developers are familiar with and offer actionable advice when to use them in SDLC and how to verify them.

We will flip security from focusing on vulnerabilities (which are measured at the end) to focusing on techniques familiar to developers, which can be done from the beginning of the software and measured throughout the SDLC.”
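The talk's premise, that a vulnerability class can be decomposed into controls a developer already knows and then verified, is easiest to see on its own headline example. The following block is an added illustration, not code from the talk: the same lookup written with string concatenation (the injectable form), with the must-have control (a parameterised query), and with an additional control layered on top (allow-list input validation), plus a small verification routine that feeds a textbook probe string through each variant. The SQLite table, its rows and the identifier rule are constructed for the example.

```python
"""Added example (not Katy Anton's code): one SQL lookup, three ways, and a
check that verifies which variants actually hold up as security controls."""
import re
import sqlite3

# Classic textbook probe used here only to verify the control, not as input
# a real caller would ever send on purpose.
PROBE = "' OR '1'='1"

# Constructed allow-list rule for a user name (assumption for this example).
NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def build_db() -> sqlite3.Connection:
    """In-memory SQLite database with two constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_concatenated(conn, name):
    """Injectable: caller-controlled text becomes part of the SQL grammar."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, name):
    """Must-have control: the value travels separately from the statement and
    is only ever compared as data, never parsed as SQL."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def lookup_validated(conn, name):
    """Additional control: reject anything outside the expected shape before
    the query runs, then still use the parameterised statement."""
    if not NAME_RE.match(name):
        raise ValueError("user name contains unexpected characters")
    return lookup_parameterised(conn, name)


def verify_controls(conn):
    """Verification step: run the probe through each variant.  A correct
    control returns no rows (or rejects the input outright)."""
    results = {}
    for label, fn in (
        ("concatenated", lookup_concatenated),
        ("parameterised", lookup_parameterised),
        ("validated", lookup_validated),
    ):
        try:
            rows = fn(conn, PROBE)
        except ValueError:
            results[label] = "PASS (rejected input)"
            continue
        results[label] = "FAIL: returned %d rows" % len(rows) if rows else "PASS"
    return results


if __name__ == "__main__":
    db = build_db()
    for label, verdict in verify_controls(db).items():
        print("%-14s %s" % (label, verdict))
```

The verification routine is the part that maps to "measured throughout the SDLC": it is cheap enough to run as a unit test on every commit, and it fails loudly the day someone reintroduces concatenation.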

We asked Katy a few more questions about her topic of expertise.

Please tell us the top 5 facts about your talk.

  1. This talk is about challenging the way we look at vulnerabilities at the moment.
  2. About extracting the security controls that help prevent these vulnerabilities.
  3. Identifying when to use these in the software development lifecycle.
  4. And making them part of the SDLC.
  5. This talk is about creating the foundation on which further developer education can be built.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

Last year the OWASP Top 10 2017 was released, where the Injection category is still at number 1, despite the fact that we’ve been talking about it for the last 20 years. At that point, for me, it was the realisation that if we continue on the same route, we are at risk of still talking about injection for the next 20 years as well. Something else must be done.

One of the problems is that we (the security professionals) expect developers to talk the security language. On top of their normal job of writing software, we expect them to know how to fix security vulnerabilities.

But can we, the security professionals, do something about this? As security practitioners it is our responsibility to help developers translate security vulnerabilities into security controls they are familiar with and can use on a regular basis.

Why do you think this is an important topic?

Today, every company is a software company. More and more software is produced, at faster and faster rates.  The security aspect of the software is important and this importance will just increase. But we will not be able to produce secure software applications unless we evolve this methodology.

Is there something you want everybody to know – some good advice for our readers maybe?

Most cyber attacks are not that sophisticated – the attackers will use simple tools and techniques. Implementing basic security controls and doing this consistently is the best way to defend against the majority of attacks.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

With an increase in security awareness, there will be an increase in frameworks with security features by default and libraries with security embedded-in, easier for developers to implement and more difficult to get it wrong.

Katy Anton is a security professional with a background in software development. An international public speaker, she enjoys speaking about secure coding and how to secure software applications. In her previous roles she led software development teams and implemented security best practices in software development life cycles. As part of her work she got involved in the OWASP Top Ten Proactive Controls project, which she joined as project leader. In her current role as Principal Application Security Consultant at CA Technologies | Veracode, Katy works with security teams and software developers around the world and helps them secure their software.

DeepSec 2018 Talk: New Attack Vectors for the Mobile Core Networks – Dr. Silke Holtmanns / Isha Singh

DeepSec has a long tradition of tackling the security of mobile networks and devices alike. The first DeepSec conference featured a presentation about the A5/1 crack. Later on we offered trainings covering mobile network security and weaknesses. So we are proud to announce Isha Singh’s and Silke Holtmanns’ talk about new attack vectors. Here is a brief summary:

“Roaming or being called from abroad is something we take for granted.”, says Silke Holtmanns. “Technically it implies that large networks communicate with each other across geographical and political boundaries. That communication and the network behind it are not well known and understood by most cellular users. This network, its background, security and usage will be explained. We will highlight the attack vectors for 2G, 3G and 4G networks and give an outlook on 5G. We describe how attackers get in and what they can do. The industry has defined general and specific measures to counteract and mitigate those attacks; we will give an outlook on what can be done in practice to stop attackers.”

Structure of the talk:

  • Introduction & background
  • Introduction to interconnection network (What is it, how does it work)
  • Why is it important for all of us?
  • Where does it come from? (Basics to understand the problems)
  • Existing attacks (Focus on 3G/4G)
  • Who are the attackers?
  • What is done against them? (Focus on EU ENISA, USA FCC and GSMA work)
  • How do they get in (Real examples will be shown)
  • Attacks & Countermeasures
  • Introduction to network set-up (So the demonstration is understandable)
  • Presentation of high level attack scenarios for DoS / Fraud / Data Interception using the charging system
  • Demonstration of those attacks in testlab
  • User impacts (What do these attacks mean on a personal level?)
  • Countermeasures and fixes
  • Wrapping up
  • Outlook for 5G – Main security challenges
  • Summary
  • Q&A

Dr Silke Holtmanns is a distinguished member of technical staff and security specialist at Nokia Bell Labs. She researches new attack vectors and mitigation approaches. The creation of new and the investigation of existing security attacks using SS7, Diameter and GTP via the Interconnect led to new countermeasures for 4G/5G networks. Her focus lies on the evolution and future of security for mobile networks. For 5G she investigates potential risk areas coming from the combination of IT security and signaling threats. As an expert on existing and future attack patterns for interconnection security, she provides advice and input to customers, standard boards, and regional and national regulating governmental bodies, e.g. the US FCC and EU ENISA. She has over 18 years of experience in mobile security research and standardization with a strong focus on 3GPP security and GSMA. She is rapporteur of ten 3GPP specifications and of the GSMA Interconnection Diameter Signalling Protection document. She is (co-)author of more than 70 security publications.

Publication List:
https://www.bell-labs.com/usr/silke.holtmanns

Isha Singh is the co-author of the talk that will be presented at DeepSec. Isha is a master’s student at Aalto University in Finland and is doing her thesis research work at Nokia Bell Labs under the guidance of Dr. Silke Holtmanns. She has a Master’s in Wireless Communication and Machine Learning. She has published papers on smart city environmental perception from ambient cellular signals and 5G ubiquitous sensing. Isha is passionate about IoT devices and their security in the 5G scenario. She has experience working on embedded devices (Arduino, Raspberry Pi) for multiple projects, such as an analog-to-digital converter used in optical communication and face recognition. Presently Isha is exploring cybersecurity, starting from mobile communication core network security, testing for loopholes and providing solutions using machine learning.

DeepSec 2018 Talk: Pure In-Memory (Shell)Code Injection in Linux Userland – reenz0h

A lot of research has been conducted in recent years on performing code injection in the Windows operating system without touching the disk. The same cannot be said about *NIX (and Linux specifically).

Imagine yourself sitting in front of a blinking cursor, using a shell on a freshly compromised Linux server, and you want to move forward without leaving any trace behind. You need to run additional tools, but you don’t want to upload anything to the machine. Or, you simply cannot run anything because the noexec option is set on mounted partitions. What options remain?

This talk will show how to bypass execution restrictions and run code on the machine, using only tools available on the system. It’s a bit challenging in an everything-is-a-file OS, but doable if you think outside the box and use the power this system provides.

Anyone interested in offensive security should find the talk sexy, says reenz0h, especially since it’s not theoretical mumbling but a demo-rich journey through the inner workings of Linux and some old-school hacks.

We asked reenz0h a few more questions about his topic of expertise.

Please tell us the top 5 facts about your talk.

My talk is about injecting code, either in the form of shellcode or an entire ELF object, into the memory of a process running under Linux. There are some known ways to do it and various methods were developed throughout the years. LD_PRELOAD is a trick known for decades. Memory-only remote execution was described in Z0MBiE’s “In-Memory PE EXE Execution” in 29A zine back in 2002. Also we had the famous “Remote Library Injection” by skape & jt, “Userland Exec” by the grugq or “Advanced Antiforensics” by Pluf & Ripe, posted in Phrack 63 in 2005. So, my research takes the next step on this journey, or, as Isaac Newton would say: “We stand on the shoulders of Giants”.

In my talk I’m focusing on injection done locally or remotely without any high level privileges and, most importantly, without storing a payload on a disk. To achieve that I utilize any tools available on the system. Also, these techniques can be used to bypass ‘noexec’ flags set on partitions.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

Actually I don’t remember what started it. I have a very long list of things I want to research and it keeps growing and growing. I always add something to it when I see or hear something interesting and my brain just makes the right “connection” inside my head.

And the stimulus doesn’t have to come from, or be related to, the field of information security. It can come from anything like biology, physics, history, or sci-fi books, or movies. I read a lot and am interested in many areas, so these things happen spontaneously. Recently, for example, I’ve been refreshing my understanding of microbiology and genetics, and studying how DNA replication is initiated brought up interesting connotations with regard to how similar mechanisms could be used in malware. Actually, this is my current field of research.

So if you’re looking for an inspiration, go out and meet and talk to smart people. It helps tremendously. Events like DeepSec, hacker spaces, collaborative communities, hackathons, and sharing and discussing is what makes the world move forward. I guess it’s called progress 🙂

Why do you think yours is an important topic?

It’s not distinctive per se, rather part of the never ending battle between offense and defense. Someone creates better shields so the other can start crafting new swords. And this cycle is endless.

I wanted to show that there are some areas in *NIX land where anyone can find something interesting and sexy. *NIX is a huge universe with many faces and flavors, ready to be explored and conquered.

With regard to code injection it’s not a particularly novel technique. We had great research on this topic in the past, but *NIX is a living thing and new opportunities pop up. I just took the effort to look at where we are, reshape it and move forward. As (allegedly) Mark Twain used to say: “History does not repeat itself, but it rhymes”, I made another round in this cycle.

Is there something you want everybody to know – some good advice for our readers maybe?

I’m a huge proponent of a sort of MacGyver-style approach to anything, especially in information security. When I was a kid in the 1990s I used to watch this TV series with Richard Dean Anderson a lot. This guy was THE GUY, my hero of the day, even if I knew most of what he did was BS.

But if you think more broadly you come to the conclusion that this approach makes sense. We constantly reinvent the wheel while available tools are not utilized 100%. Let’s take penetration testing as an example. We have great attack frameworks out there allowing you to do magic with just a few keystrokes, especially with post-exploitation activities. But once you’re on the box, you can do most of them with tools which are already on the system, often native ones. Persistence, lateral movement, screenshots, process dumping or exfil to name a few.

So my advice to all would be to know the system as much as possible to make it serve you, not constrain you. This was the true hacking spirit back in the 1980s and 1990s.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

I’d say it’s the “same old, same old story” all the time. The race between attackers and defenders and new “next gen solutions” awaiting to “solve” the problems of the past and bring new ones for the future. Halvar Flake is right preaching all over the globe that introducing more code (that is: more attack surface) takes us nowhere. The complexity of our systems is constantly growing and I don’t see anything on the horizon that would change that.

Additionally we live in a more dangerous world. It’s not that keeping our data in a cloud or the “everything connected” attitude is a bad thing. These are just technologies, agnostic to our decisions. The intention behind them is what might turn them against us. Like any other tool. A knife can be used for chopping a carrot or stabbing someone.

And if you look into recent attacks on ICS, Triton/Trisis specifically, you might start wondering where the line is at which it’d stop. Triton was designed to disable a Safety Instrumented System, which protects human life from disasters happening in critical infrastructure (I guess Joe Slowik will cover this malware in detail during his talk). If someone releases such a tool, it means they target human life. And that really sucks. Nation-state adversaries push the line further and further until something really bad happens.

Of course Triton is not an apocalyptic malware which will send us all to hell. It’s tailored to a very specific SIS, configuration and setup, so it won’t spread everywhere like Conficker. But I hope you get my point.

Interestingly, the international community and policy makers are silent on this topic. The critical infrastructure in Ukraine has been attacked for the last few years and we still don’t see any reaction from either NATO, the UN, the EU or the US. This means something.

But to wrap up on a positive note: Don’t be afraid of the surrounding world but realize what’s going on and act accordingly. Learn and share, keep hacking and grow, be good, not an a**hole. As a Mandarin curse says: “May you live in interesting times”. You bet we are… 😉

Geek by passion, engineer by profession since the last millennium. For many years he’s been working in global red teams, simulating threat actors targeting IT infrastructure across various industries (financial, technology, industrial, energy, aviation) across the globe. Speaker at HackCon, NoVA Hackers, Geek Girls Carrots, Tech3.Camp, PWNing Con. Organizer of x33fcon – IT security conference for red and blue teams, held in Gdynia, Poland. Founder of Sektor7 research company.

DeepSec 2018 Talk: Orchestrating Security Tools with AWS Step Functions – Jules Denardou & Justin Massey

Increasingly frequent deployments make it impossible for security teams to manually review all of the code before it is released. Jules Denardou and Justin Massey wrote a Terraform-deployed application to solve this problem by tightly integrating into the developer workflow. The plugin-based application has three core components, each represented by at least one Lambda function: a trigger, processing and analysis, and output. The plugins, such as static analysis, dependency checking, GitHub integrations, container security scanning, or secret leak detection, can be written in any language supported by AWS Lambda.

The underlying technology for this tool is a serverless system utilizing several AWS Services, such as API Gateways, Step Functions and Lambdas.

In this talk you’ll not only learn about our tool and how to implement it in your CI/CD pipeline, but also how to easily deploy complex serverless systems and step functions for your own automated tooling.
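The three-stage shape described above (a trigger plugin, one or more analysis plugins, an output plugin, each a Lambda function wired together by a Step Functions state machine) is concrete enough to sketch locally. The block below is an added illustration, not the authors' tool: it holds an Amazon States Language definition in the assumed shape of such a pipeline, one Lambda-style handler per stage, and a tiny interpreter that walks `Task` and `Parallel` states the way Step Functions would, so the whole flow from webhook to pull-request comment can be run offline. The Lambda ARNs are placeholders, the webhook payload and source files are constructed, and the two scan rules are simplified stand-ins for what a real plugin such as gosec or a secret scanner would apply.

```python
"""Added example (not the authors' code): a local stand-in for the
trigger -> analysis -> output Step Functions pipeline described above."""
import json
import re

# State machine in Amazon States Language.  ARNs are placeholders.
ARN = "arn:aws:lambda:REGION:ACCOUNT:function:"
PIPELINE = {
    "StartAt": "Trigger",
    "States": {
        "Trigger": {"Type": "Task", "Resource": ARN + "trigger", "Next": "Analyse"},
        "Analyse": {  # each branch receives the trigger output; results are collected as a list
            "Type": "Parallel",
            "Branches": [
                {"StartAt": "Static", "States": {"Static": {"Type": "Task", "Resource": ARN + "static-analysis", "End": True}}},
                {"StartAt": "Secrets", "States": {"Secrets": {"Type": "Task", "Resource": ARN + "secret-scan", "End": True}}},
            ],
            "Next": "Output",
        },
        "Output": {"Type": "Task", "Resource": ARN + "output", "End": True},
    },
}

# Constructed API Gateway event carrying a GitHub pull_request webhook.  A real
# trigger would fetch the changed files at head.sha; they are embedded here so
# the example runs offline.
SAMPLE_EVENT = {
    "body": json.dumps({
        "action": "opened",
        "repository": {"full_name": "example-org/service"},
        "pull_request": {"number": 42, "head": {"sha": "0000000constructed"}},
    }),
    "files": {
        "tls.go": "cfg := &tls.Config{InsecureSkipVerify: true}\n",
        "config.go": 'const key = "AKIAABCDEFGHIJKLMNOP"\n',
    },
}

# Simplified rules (assumptions for this example, not gosec's own rule set).
STATIC_RULES = [("tls-skip-verify", re.compile(r"InsecureSkipVerify:\s*true"))]
SECRET_RULES = [("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"))]


def trigger_handler(event, context=None):
    """Trigger plugin: accept opened/updated pull requests, reject the rest."""
    body = json.loads(event["body"])
    if body.get("action") not in ("opened", "synchronize"):
        raise ValueError("not a pull request update")
    pr = body["pull_request"]
    return {"repo": body["repository"]["full_name"], "pr": pr["number"],
            "sha": pr["head"]["sha"], "files": event["files"]}


def scan_files(files, rules):
    """Shared scanner: one finding per (file, line, rule) match."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            findings.extend({"file": path, "line": lineno, "rule": rule}
                            for rule, pattern in rules if pattern.search(line))
    return findings


def analysis_plugin(name, rules):
    """Build an analysis handler; it carries PR coordinates through to output."""
    def handler(state, context=None):
        return {"plugin": name, "repo": state["repo"], "pr": state["pr"],
                "sha": state["sha"], "findings": scan_files(state["files"], rules)}
    return handler


def output_handler(branch_results, context=None):
    """Output plugin: merge branch results into one PR comment (returned, not posted)."""
    head = branch_results[0]
    findings = [f for r in branch_results for f in r["findings"]]
    lines = ["Security scan for %s#%d at %s: %d finding(s)"
             % (head["repo"], head["pr"], head["sha"], len(findings))]
    lines += ["- %s:%d [%s]" % (f["file"], f["line"], f["rule"]) for f in findings]
    return {"findings": len(findings), "comment": "\n".join(lines)}


def run_state_machine(definition, handlers, state):
    """Minimal interpreter for Task and Parallel states, mirroring Step Functions."""
    name = definition["StartAt"]
    while True:
        spec = definition["States"][name]
        if spec["Type"] == "Task":
            state = handlers[spec["Resource"]](state)
        elif spec["Type"] == "Parallel":
            state = [run_state_machine(b, handlers, state) for b in spec["Branches"]]
        else:
            raise NotImplementedError(spec["Type"])
        if spec.get("End"):
            return state
        name = spec["Next"]


HANDLERS = {
    ARN + "trigger": trigger_handler,
    ARN + "static-analysis": analysis_plugin("static-analysis", STATIC_RULES),
    ARN + "secret-scan": analysis_plugin("secret-scan", SECRET_RULES),
    ARN + "output": output_handler,
}


def run_pipeline(event=SAMPLE_EVENT):
    return run_state_machine(PIPELINE, HANDLERS, event)


if __name__ == "__main__":
    print(run_pipeline()["comment"])
```

Adding a plugin means adding one branch to `Analyse` and one entry to the handler map, which is the modularity the authors describe; in the real deployment the handler map is the set of Lambda ARNs and the interpreter is Step Functions itself.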

We asked Jules and Justin a few more questions about their topic of expertise.

Please tell us the top 5 facts about your talk.

  • AWS Step Functions are amazing!
  • This project will be open-sourced after our talk.
  • We first attempted to recreate the wheel because we were not aware of AWS Step Functions. Don’t make the same mistake as us!
  • We will show you how you can integrate an entire workflow: from opening a pull request, to scanning the source code with “github.com/securego/gosec”, then commenting on a pull request.
  • Justin has never been to Austria (or even Europe) before. Make sure to buy him an Austrian beer!

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

We were in the process of designing and creating multiple tools to support application security efforts and quickly realized that they shared many similar features. We needed a middle layer that contained a framework necessary for communicating with our CI/CD pipeline and a modular framework that would allow us to iterate more quickly and future-proof our security testing as the company scales up.

Why do you think this is an important topic?

Integrating security fluidly into the developers’ workflows is imperative to run a successful application security program. Finding vulnerabilities is only the first step in the process to secure an application. Everybody in the development workflow must work together and this should involve developers as early as possible. Developer and security departments working together as a team is the key to success. The tooling discussed during this talk will bridge the gap between development and security teams.

Is there something you want everybody to know – some good advice for our readers maybe?

Want to bridge the gap between developers and security? Security needs to start giving immediate feedback to the developers. To make this scalable, security tooling that provides actionable results during the development process is necessary.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

As more companies embrace modern development practices, we think the need for security testing and tooling that provides actionable feedback early in the development process will continue to grow. Security teams will never scale the same as engineering teams and cannot manually review all code before it is deployed to production – automation and enabling developers is the key to growth in this area.

Jules Denardou is a Security Engineer at Datadog. He got his MS degree in Computer Science at Ecole Centrale Paris in France, before joining the company in New York City. He especially focuses on integrating security into the developers’ workflow rather than blocking it. Blue teaming during the week, he is also a CTF player on weekends.

Justin Massey is a Security Engineer at Datadog. His background in managing the technical operations of an MSP led him to discover weaknesses in many businesses’ networks and applications. After leaving the MSP, he transitioned into the role of penetration tester to identify the weaknesses before the attackers do. Justin’s current focus is to discover new ways to ensure product security while maintaining developers’ efficiency and happiness.

DeepSec 2018 Talk: Without a Trace – Cybercrime, Who are the Offenders? – Edith Huber & Bettina Pospisil

Cybercrime is a worldwide and diverse phenomenon, which needs multidisciplinary and global prevention and intervention strategies. Regarding the situation in Austria, no evidence-based scientific analysis exists that depicts the bright field of cybercrime. Therefore an interdisciplinary research group investigated the phenomenon of cybercrime with regard to these questions; Edith Huber and Bettina Pospisil will present their findings at DeepSec 2018.

We asked them a few questions about their talk:

Please tell us the top 5 facts about your talk.

We will talk about cybercrime, offender profiling, the typical modus operandi and successful methods to apprehend offenders.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

Cybercrime is a worldwide and diverse phenomenon, which needs multidisciplinary and global prevention and intervention strategies. Regarding the situation in Austria, no evidence-based scientific analysis exists that depicts the bright field of Cybercrime. Hence a research group planned a study focusing on central questions:

  1. Who are the offenders and the victims?
  2. Which initiation and realisation strategies of Cybercrime can be identified?
  3. Which offender-structure can be found?
  4. Which investigation methods, performed by the police, can be identified as useful and what can be said about the further prosecution of the identified offenders?

Why do you think this is an important topic?

The topic is more topical than ever as the number of cyber attacks increases. Therefore, there is an urgent need to better understand the logic of crime in order to improve investigation methods.

Is there something you want everybody to know – some good advice for our readers maybe?

Cybercrime is by no means a purely technical phenomenon. It requires a legal, technical, sociological and psychological view. Criminology is still in its infancy here and must take this interdisciplinary approach into account.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

The exciting thing about cyberattacks is that you don’t know exactly what will come next. Probably the area of IoT (Internet of Things) and white-collar crime will increase in this context.

Edith Huber is a Senior Researcher in the field of Security Research. Her research focuses on Cyber Security, CERTs, Information Security, Communication, Cybercrime, Cyberstalking, New Media, Social Science and Criminology. In 2009, she received the federal security prize of Austria. She has many publications and a lot of experience in international research projects.

Bettina Pospisil received the B.A. and the M.A. degree in sociology from the University of Vienna (2014, 2017). In 2015 she was a Research Assistant with the Institute of Instructional and School Development at the University of Klagenfurt and at the Institute for Information Management and Control at the Vienna University of Economics and Business. Since 2017 she has worked as a Junior Researcher in different KIRAS and FWF funded projects at the Faculty of Business and Globalization at the Danube University Krems. In 2017 she and her colleague received the Innovation Award of the Danube University Krems for the project called “CERT-Kommunikation II”. By now Bettina Pospisil is the co-author of several papers and has presented academic lectures at criminological and technical conferences. Her research interests include the topics Cybersecurity and Crime Studies.

DeepSec 2018 Talk: Left of Boom – Brian Contos

By Brian Contos, CISO of Verodin:

“The idea for my presentation “Left of Boom” was based on conversations I was having with some of my co-workers at Verodin. Many people on our team are former military and some served in Iraq and Afghanistan where they engaged in anti-IED (Improvised Explosive Device) missions. During these conversations I first heard the term, Left of Boom, and the more we discussed it, the more I found similarities with cybersecurity.

Left of Boom was made popular in 2007 in reference to the U.S. military combating improvised explosive devices (IEDs) used by insurgents in Afghanistan and Iraq. The U.S. military spent billions of dollars developing technology and tactics to prevent and detect IEDs before detonation, with a goal of disrupting the bomb chain. This is an analog to cybersecurity as we strive to increase the incident prevention capabilities of our security tools and, where we can’t prevent attacks, augment prevention with incident detection and response tools.

There is an urgent need for evidence in cybersecurity regarding the effectiveness of specific systems as well as the overall security systems of systems. Are my security tools preventing, detecting, logging, correlating, and alerting? Does the new configuration, patch, rule, or signature result in what was intended? Are systems that were working before still working or have they drifted from a known good state? Without evidence about our security effectiveness, how can we ever empirically answer these questions and get our organizations to the Left of Boom?

Studies across endpoint, network, email, and cloud security tools have established that, on average, we’re only getting about 15-25% effectiveness out of our incident prevention security tools. When it comes to incident detection, it’s as low as 25-35% effectiveness. And for SIEMs, their ability to effectively correlate and alert ranges between 0-45%. We haven’t put a big enough dent in our risk profile and we’re wasting time, money, and resources by not getting value from these security tools. In most cases, the problem isn’t that we have bad technology or ineffective security teams. Instead, it’s an inability to effectively measure, manage, improve, and communicate the security effectiveness of our security tools in a scalable manner that results in actionable evidence.

From a leadership perspective, we’re not able to communicate our security effectiveness to executives based on evidence because we don’t have the evidence. This is devastating, as cybersecurity isn’t about cyber risk – it’s about the financial and operational risk from cyber. Without evidence, executive decision makers can’t do their jobs effectively when it comes to protecting shareholder value, revenue, and reputation.

This presentation will demonstrate automated methods to mitigate these problems. It will identify approaches that you can apply to improve the effectiveness of your security tools, security teams, and processes. Following this presentation, you’ll be able to develop your own strategy to get Left of Boom. If you feel that you don’t have the cybersecurity evidence to know, empirically, what’s working, what’s not, how to fix it, how to verify the fix worked, and how to make sure it stays working across your security tools, your people, and the processes they follow, this presentation is for you.”

Brian Contos is the CISO & VP Technology Innovation at Verodin. He is a seasoned executive with over two decades of experience in the security industry, board advisor, entrepreneur and author. After getting his start in security with the Defense Information Systems Agency (DISA) and later Bell Labs, he began the process of building security startups and taking multiple companies through successful IPOs and acquisitions including: Riptech, ArcSight, Imperva, McAfee and Solera Networks.
Brian has worked in over 50 countries across six continents. He has authored several security books, his latest with the former Deputy Director of the NSA, spoken at leading security events globally, and frequently appears in the news. He was recently featured in a cyberwar documentary alongside General Michael Hayden (former Director NSA and CIA).

Translated Press Release: Bug Bounty Programs – Vulnerabilities as a worthwhile Investment

DeepSec Conference offers trainings for security researchers

Vienna (pts010 / 04.09.2018 / 08:30) – This year, in addition to lectures about the failure of security measures, the DeepSec In-Depth Security Conference will offer a workshop on finding vulnerabilities. Unfortunately, testing software as part of quality assurance is no longer sufficient in the modern, networked world. The prefix “Smart” does not change anything about existing weaknesses. The training is therefore aimed at professionals already working in development, and at security experts, in order to specifically strengthen the development of safer products in industry and companies.

Complex Technologies and their Susceptibility to Errors

Modern products have been unable to do without software since long before the birth of the Internet of Things. If you add networking and the high level of complexity of the individual parts, this is a sure recipe for mistakes. Of course, there is often quality assurance and testing for the most important functions, but given the sheer number of lines of code, serious malfunctions are a matter of statistics. How can manufacturers and developers help themselves? If you look at mathematical game theory, the answer is: bounties for bugs – Bug Bounties as a reward.

Organized Hunt for Software Errors

Bug Bounty Programs were established as a permanent institution several years ago to, on the one hand, give security researchers the opportunity to get credit for their work of finding and locating errors. On the other hand, such a program automatically regulates the process of how critical errors are reported, documented, reproduced and corrected by the responsible developers. Unfortunately, there are still many manufacturers who do not respond to reported bugs and do not provide updates. Offering bug bounties therefore speaks for the commitment of a company and ensures the quality of its own products. On top of that, you do not learn about the failure of your own product from the press or the Internet.

The big advantage of Bug Bounty Programs is the good quality of the bug reports. Finding software bugs is the daily bread of software development, but critical vulnerabilities that pose a security issue are often not immediately recognized. Information security is an interdisciplinary field of computer science, which requires skills in software development, mathematics, reverse engineering (i.e. the reconstruction of an application or a protocol) and a lot of patience. This requires in-depth knowledge, sufficient experience and targeted training, which not all members of a company’s development team may have acquired.

The bug bounty programs are very well received. HackerOne, a platform for the coordinated publication of vulnerabilities, keeps a record of bug bounty initiatives. Currently, over $20 million has been disbursed to researchers from various companies. The stated goal is to reach $100 million by 2020.

Training as a Bug Bounty Hunter

This year’s DeepSec Security Conference offers a two-day Bug Hunting course. Coach Dawid Czagan, who is among the Top 10 of HackerOne’s Bug Hunter List, has developed a curriculum to teach advanced users with knowledge of software development practices the approaches and thinking of security experts. Participants learn how the many parts of modern applications interact, where to hook in to analyse protocols and what to look out for. It’s not just about bounty hunting: since a lot of work now takes place via web interfaces, be it visible to the user or invisible behind the scenes, web technology will be the focus of the training.

And this workshop offers more than just dry theory. Dawid Czagan has prepared case studies from production environments to illustrate the various classes of errors. The complete training is a mixture of short explanatory lectures followed by practical exercises to consolidate the newly acquired knowledge. The skills taught are a valuable addition to any quality assurance and a sought-after training for developers. The training is targeted at security researchers, penetration testers, consultants, software development project leaders / developers, and IT architects who design the foundations that applications and systems are built on.

The attackers already have these means. It’s about time you catch up. Networked systems never sleep.

Schedule and Booking

The DeepSec conference takes place on the 29th and 30th of November. The trainings take place on the two preceding days, the 27th and 28th of November.

Training and conference venue:
The Imperial Riding School Vienna – A Renaissance Hotel, Ungargasse 60, 1030 Vienna.

Here’s the link to the current program: https://deepsec.net/schedule.html

Tickets for the conference and trainings can be ordered via: https://deepsec.net/register.html

The conference blog with news and background information about the lectures and workshops can be found at the address: https://blog.deepsec.net/

Translated Press Release: Intelligence Agencies want to abolish Information Security

https://www.pressetext.com/news/deepsec-konferenz-veroeffentlicht-programm-fuer-2018.html

DeepSec Conference criticizes the open Attack on secure End-to-End Encryption

Vienna (pts014/21.08.2018/09:25) – Ever since security measures have been in existence, there have been discussions about their benefits and their strength. In digital communication, the topic of back doors keeps coming up. In the analog world high quality locks are desired to protect against theft. In the digital world this may now change. The Five Eyes (i.e. the intelligence services of the United States, the United Kingdom, Australia, New Zealand, and Canada) want to force all countries around the world to implement duplicate keys, thus to implement back doors, in their encrypted communication. For this purpose, at the end of August, a meeting of the Five Eyes Ministers of the Interior took place in Australia. This proposal has serious disadvantages for the economy and national security of each state.

Messenger instead of Mobile Radio

When mobile phones began their triumphant rise, there were only unencrypted short messages (also known as SMS, Short Message Service). Before the era of smartphones, some manufacturers developed their own proprietary formats to protect the content of messages. In recent years, there has been a shift towards messenger apps that use the Internet for messaging. Thus developers could and can use open standards with strong encryption, which are not subject to the legally prescribed interfaces for telecommunication monitoring in the mobile radio networks. This telecommunication surveillance (internationally also called Lawful Interception) is an integral part of the network infrastructure and constantly records location data, logins, operating hours, addresses, mobile radio identifications and other data. Modern messengers therefore usually use the principle of end-to-end encryption, where only the communicating terminals have the keys to the message. The network does not know these keys and cannot see the content of the messages. This is only possible via mobile data access, i.e. Internet access.

The dangers of the interfaces of mobile radio networks have been illustrated by the documents published by Edward Snowden in 2013 and by the Greek wiretapping scandal (also known as the Athens Affair) in 2004 and 2005. As early as 2015, James Bamford, an American journalist and intelligence expert, gave the opening speech of the DeepSec conference, explaining how the Greek government’s mobile phones were being tapped by strangers via legally required backdoors. Costas Tsalikidis, the responsible network officer, committed suicide days after the monitoring configurations became known. The perpetrators of the wiretapping campaign were never traced, despite the most lengthy investigations.

In Australia Mathematics is not legally binding

Security researchers and engineers are well aware of the dangers of poorly implemented and insecure communications. For this reason, at the latest since the Snowden revelations, strong cryptography and secure communication have been pushed forward by technology companies and developers. The Institute of Electrical and Electronics Engineers (IEEE) and the Internet Engineering Task Force (IETF) have, in all standards of recent years, standardised protocols that contain neither backdoors nor deliberately weakened algorithms. The modern Internet, and thus our present communication society, is based on these standards. The technicians are trying to create the counterpart to safe bridges, which must also have no predetermined breaking point. Infrastructure must be reliable. One must not forget that not only telephone calls and messages are affected by legally mandated weaknesses. Demands for key escrow concern financial transactions, the complete World Wide Web, all applications on smartphones, the Internet of Things, all smart technologies, in short, all companies and markets worldwide.

Former Australian Prime Minister Malcolm Turnbull has given the highest priority to the demands of the enabling to read all communications worldwide, everywhere. In July this year he stated that the Australian Code of Law is above mathematics. He referred to the criticism of researchers in cryptography, which is a branch of mathematics. This logic is questionable, because no one has previously declared gravity to be illegal in order to prevent accidents at work or to climb mountains more easily. The only question is whether you want real security or not. Fire protection is a good analogy. No one wants protection against fires that do not always work. Likewise, nobody wants to use electronic means of payment, which are only safe until further notice.

National security is abolished internationally

The demand of the Five Eyes can also be rephrased. Since their services also use mathematics to protect their countries, they would have to weaken themselves. This would particularly concern industrial espionage, which often crosses national borders. Complete destruction or sabotage of important information security components is a short-sighted reflex. It’s not just about the flagship companies of Silicon Valley. Backdoors and duplicate keys endanger all communications, from trade secrets to the secure electronic communication of lawyers with the judiciary and public authorities.

It should not be forgotten that this demand will not only be made by the Five Eyes, should it be implemented by governments. The United Nations currently has a list of 206 member states. The demands of the Five Eyes will then be requested by the “206 Eyes”. Political leaders are very well advised not to ignore the warnings of experts. If one agrees with the demand for backdoors, the Five Eyes must then also reveal their own national (secret) communication to Europe, Russia, China and North Korea, to put it bluntly. This has nothing to do with reality, and certainly not with information security.

Sources, Schedule, and Booking

The DeepSec conference takes place on the 29th and 30th of November. The trainings take place on the two previous days, the 27th and 28th of November.

Training & Conference venue:
The Imperial Riding School Vienna – A Renaissance Hotel, Ungargasse 60, 1030 Vienna.

You can find the current program under the link: https://deepsec.net/schedule.html

James Bamford has summarised his talk in the publication “In-Depth Security – Proceedings of the DeepSec Conferences Volume 2” as an article entitled “A Death in Athens – The Inherent Vulnerability of Lawful Intercept”. The book is available in stores and via the DeepSec conference (it can be ordered directly from DeepSec GmbH). His talk can be viewed online here: https://vimeo.com/150691584

Tickets for the conference and trainings can be ordered via the link: https://deepsec.net/register.html

Whatever happened to CipherSaber?

KY-68 voice encryption system on display at the National Cryptologic Museum in 2005. Photographed by Austin Mills. Source: https://commons.wikimedia.org/wiki/File:KY-68.nsa.jpg

Some of you still know how a modem sounds. Back in the days of 14400 baud, strong encryption was rare. Compression was king. Every bit counted. And you had to protect yourself. This is where CipherSaber comes into play. Given the exclusive use of strong cryptographic algorithms by government authorities, the CipherSaber algorithm was meant to be easy enough to be memorised, and yet strong enough to protect messages from being intercepted in the clear. It is based on the RC4 algorithm. According to the designer, CipherSaber can be implemented in a few lines of code. Basically you have crypto to go which cannot be erased from the minds of the public, because it is readily available. That’s where the name came from. It is modelled after the light sabers found in the Star Wars universe. CipherSaber’s web site claims that “…Jedi Knights were expected to make their own light sabers. The message was clear: a warrior confronted by a powerful empire bent on totalitarian control must be self-reliant.” It is obvious that the algorithm has its roots in the crypto-anarchism movement (also connected to the cypherpunk advocates, who are still alive and kicking).

RC4 and CipherSaber haven’t aged well. RC4 is obsolete. Both have disadvantages and are prone to several cryptographic attacks. The state of the art has moved on. Modern algorithms are much more complex. It’s hard to implement anything from the pool of strong algorithms in a few lines of code these days. Furthermore, modern processors have taken a beating from design flaws such as Spectre and Meltdown. The ecosystem of communication has changed. Sending messages is becoming more and more centralised. Social media platforms and their messenger apps rule. Alternative messengers often have a centralised approach, too. The computing platforms are pushed into Walled Gardens of Proprietary Delight. Of course you can still write code and run it, but the underlying layer is controlled by someone else. At DeepSec we have seen our share of malicious hypervisors and operating systems (modified or unmodified by adversaries).
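As an added illustration of two claims above (CipherSaber fits in a few lines, and RC4 has not aged well), here is a CipherSaber-1 implementation in Python together with a small experiment. This is example code written for this page, not the CipherSaber author’s reference code; the passphrase, the fixed IV used for the round trip and the seeded random IVs are constructed inputs. The experiment counts how often the second keystream byte is zero: for an ideal stream it should be about 1 in 256, but for RC4 it is about 1 in 128 (the Mantin-Shamir bias, published in 2001), and because CipherSaber-1 uses RC4 output from the very first byte, that bias lands directly on the second byte of every message.

```python
import os
import random

IV_LEN = 10  # CipherSaber-1: a 10-byte IV is appended to the passphrase and prepended to the ciphertext


def rc4_keystream(key):
    """RC4: key scheduling over a 256-entry permutation, then a generator of keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def ciphersaber1_encrypt(passphrase, plaintext, iv=None):
    """Output = IV || (plaintext XOR RC4(passphrase || IV)); a fixed iv is only for tests."""
    iv = os.urandom(IV_LEN) if iv is None else iv
    ks = rc4_keystream(passphrase + iv)
    return iv + bytes(p ^ next(ks) for p in plaintext)


def ciphersaber1_decrypt(passphrase, blob):
    """Split off the IV, rebuild the same keystream and XOR the body back."""
    iv, body = blob[:IV_LEN], blob[IV_LEN:]
    ks = rc4_keystream(passphrase + iv)
    return bytes(c ^ next(ks) for c in body)


def second_byte_zero_rate(passphrase, trials=20000, seed=1):
    """Fraction of random-IV sessions whose second keystream byte is 0.
    Ideal stream: about 1/256. RC4, and therefore CipherSaber-1 (which emits
    RC4 output from the first byte): about 1/128, the Mantin-Shamir bias."""
    rng = random.Random(seed)          # seeded so the experiment is repeatable
    zeros = 0
    for _ in range(trials):
        iv = bytes(rng.getrandbits(8) for _ in range(IV_LEN))  # constructed IVs
        ks = rc4_keystream(passphrase + iv)
        next(ks)                       # first keystream byte
        if next(ks) == 0:              # second keystream byte
            zeros += 1
    return zeros / trials


if __name__ == "__main__":
    pw = b"correct horse"              # constructed passphrase
    blob = ciphersaber1_encrypt(pw, b"meet me at the usual place")
    print(ciphersaber1_decrypt(pw, blob))
    print("second byte is zero in %.5f of sessions; uniform would be %.5f"
          % (second_byte_zero_rate(pw), 1 / 256))
```

The experiment needs no key recovery at all: it only shows that an attacker who sees many messages under the same passphrase learns the second plaintext byte with twice the expected probability, which is the kind of defect that made RC4 and everything built on it, CipherSaber included, unfit for new designs.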

The reason for the creation of CipherSaber is still there. The Crypto Wars are still raging. The battlefield has shifted. The argument against introducing any weakness in algorithms, using key escrow, or implementing backdoors has not changed. Either you want a secure system or you don’t. There is no middle ground. Mathematics does not offer a compromise. On the technical side, messengers such as Signal and Threema are very popular (among people who care about secure communication; and yes, the list is quite incomplete). The problem is that you have to register your device with an app store. The device needs to be a smartphone, which in turn gives you a lot more (surveillance) than just secure communication. Decentralised networks are still in the development phase. The only widespread decentralised messaging network is email, which in turn is strongly tied to big companies who do email hosting (and sometimes develop smartphone operating systems).

The future of CipherSaber replacements lies in open standards which are free to use. As a consequence of Edward Snowden’s global surveillance disclosures (which were no surprise for any self-respecting cypherpunk and serve as proof of the suspicions of the CipherSaber designers), the tech world has reacted. The Internet Engineering Task Force (IETF) has declared pervasive monitoring an attack. The Institute of Electrical and Electronics Engineers (IEEE) has adjusted its position on security: the IEEE Board of Directors adopted a position statement in support of strong encryption for confidentiality and data integrity. The standardisation process of the new Transport Layer Security (TLS) version 1.3 has fought off attempts to weaken its security. The tools have changed, but the goal of having strong cryptography as a component of information security as a whole has not.

DeepSec 2018 Training: Attacking Internet of Things with Software Defined Radio – Johannes Pohl

In Johannes Pohl’s training participants will learn how to reverse engineer the wireless communication between Internet of Things (IoT) devices with Software Defined Radios (SDR) using the Universal Radio Hacker (URH). The workshop covers the required HF (high frequency) basics such as digital modulations and encodings and shows how to reveal the protocol logic step by step and, finally, how to develop attacks against devices. For demonstration they will investigate and attack a wireless socket and a smart home door lock.

During the course of the workshop the communication of the two devices will be analyzed and reverse engineered. In conclusion, attacks on both devices will be developed. By the end of the workshop participants will be able to switch the socket and open the door lock with SDRs.

This of course requires knowledge in the field of modulation, coding and protocol formats, which will be conveyed practically during the workshop. “Learning by doing” is the motto. For this to work, the participants need their own computer to operate the software (Universal Radio Hacker) which will be used to analyse the signals and transmit them again.

If attendees already own a software defined radio (e.g. a HackRF), they can record the signals and attack the devices themselves. If that’s not the case, Johannes can make the signals available online so participants can download and import them into the Universal Radio Hacker.

We asked Johannes a few more questions about his training.

Please tell us the top 5 facts about your training.

  • Software Defined Radios offer great flexibility when investigating wireless communications. You can send and receive on nearly arbitrary frequencies.
  • It is a fascinating process to reverse engineer a wireless protocol and, step by step, find out what the data actually means.
  • Normally, you would need deep knowledge about digital modulations and encodings to work with SDR. The Universal Radio Hacker abstracts most of this and allows us to focus on the logical level. Furthermore, we can craft attacks on stateless and stateful protocols with it. We will explore the features of this tool.
  • You will learn the theory behind digital modulations and encoding, so you also have a good understanding what URH does behind the scenes.
  • We will hack two smart home devices together. The first one is a high priced wireless socket, the second one a wireless door lock. We will go from capturing the raw signals over reverse engineering the protocols to crafting attacks on these devices so you see the whole process in action.

How did you come up with it? Was there something like an initial spark that set your mind on creating this training?

I had a chat with Markus Robin at a security conference in Stralsund where we talked about the Universal Radio Hacker and Wireless Security and he pointed out that the topic might be very interesting for DeepSec.

Why do you think this is an important topic?

The Internet of Things in general and Smart Homes in particular bring great comfort but also potential threats. Imagine an attacker who monitors when a victim leaves their home based on the wireless communication of smart home devices. When the right moment comes, the attacker breaks the wireless door lock of the victim’s home without even touching it and leaves no trace apart from the missing valuables.

Is there something you want everybody to know – some good advice for our readers maybe?

Every radio device you own is a risk for your privacy and security. Be especially aware when you see someone with a Software Defined Radio sneaking around your neighbourhood.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your training in particular?

I think the topic will become more and more relevant in the next years, as the Internet of Things is rapidly evolving and we see serious vulnerabilities leading to stolen cars or broken door locks. Manufacturers will have to protect their devices better, since Software Defined Radios combined with suited software allow performing attacks with a low budget and low effort.


Johannes Pohl studied Computer Science at the University of Applied Sciences Stralsund and received his Master of Science in 2013. Since then he has worked there as a PhD student, conducting research in the area of Location Privacy and Wireless Security. He worked for two years in DevOps research at Boreus Data Center, Germany. Since March 2017 he has worked as a Scientific Co-Worker at the University of Applied Sciences Stralsund.

DeepSec Training: Bug Bounty Hunting – How Hackers Find SQL Injections in Minutes with Sqlmap

';--have i been pwned? by Troy Hunt.

In a previous article we talked about the Bug Bounty Hunting training by Dawid Czagan at DeepSec 2018. In case you do not know what to expect, there is a little teaser consisting of a full-blown tutorial for you. Dawid has published a video tutorial that shows you how to use Sqlmap in order to find SQL injections. It serves as a perfect example of what to expect from his two-day training and what you absolutely need to play with for preparation. DeepSec trainings are in-depth, not superficial. Dawid’s training will go into much deeper detail. Software developers are well advised to use attack tools against their own creations. It helps to understand what error conditions your code might be in and what you have to do when sanitising data.

SQL injection attacks have been around for over 15 years. They still exist. Given the widespread use of databases, they will stay for a while longer. The bug has even entered mainstream (nerd) culture, so make sure you know what it is all about.
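The sanitising advice above, as an added example written for this page (it is not part of Dawid Czagan’s tutorial or of sqlmap): the same user lookup once with string concatenation and once with a bound parameter, against a constructed in-memory SQLite table, plus a small probe helper a developer can run against both versions with the kind of input an attack tool sends. The concatenated version answers a tautology with every row and raises a database error on an innocent apostrophe, which is exactly the error condition tools such as sqlmap look for; the parameterised version treats both inputs as plain data.

```python
import sqlite3


def make_db():
    """Constructed sample table; in-memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_user_vulnerable(conn, name):
    # The input is pasted into the SQL text, so it can change the query's grammar.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "' ORDER BY id"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Bound parameter: the driver passes the value separately; it is never parsed as SQL.
    sql = "SELECT name, role FROM users WHERE name = ? ORDER BY id"
    return conn.execute(sql, (name,)).fetchall()


def probe(conn, lookup, name):
    """Run one lookup and report ('ok', rows) or ('error', message), so the two
    implementations can be compared on identical inputs, including ones that
    make the vulnerable version throw."""
    try:
        return ("ok", lookup(conn, name))
    except sqlite3.Error as exc:
        return ("error", str(exc))


def compare(conn, name):
    """Side-by-side result for one input: what a tester sees from each version."""
    return {"vulnerable": probe(conn, find_user_vulnerable, name),
            "safe": probe(conn, find_user_safe, name)}


if __name__ == "__main__":
    db = make_db()
    for sample in ("bob", "o'brien", "' OR '1'='1"):   # constructed test inputs
        print(repr(sample), compare(db, sample))
```

Running the three inputs shows the two failure modes side by side: the apostrophe in a legitimate name breaks the concatenated query (an error a scanner uses as its first signal), and the tautology turns a single-user lookup into a full table dump, while the parameterised query simply finds no user called that.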

DeepSec 2018 Talk: Cracking HiTag2 Crypto – Weaponising Academic Attacks for Breaking and Entering – Kevin Sheldrake

HiTag2 is a Radio-Frequency Identification (RFID) technology operating at 125 kHz. It is distinguished from many others in the same field by its use of two-way communication for authentication and its use of encryption to protect the data transmissions; the majority of RFID technologies at 125 kHz feature no authentication or encryption at all. As a result it has been widely used to provide secure building access and has also been used as the technology that implements car immobilisers.

In 2012, academic researchers Roel Verdult, Flavio D. Garcia and Josep Balasch published the seminal paper ‘Gone in 360 Seconds: Hijacking with Hitag2’ that presented three attacks on the encryption system used in HiTag2; in 2016 Garcia et al. presented a further attack in ‘Lock It and Still Lose It’. They implemented their attacks on the Proxmark 3 device (an RFID research and hacking tool) and gave several high-profile demonstrations, but didn’t release any of their code or tools. Since then, the forums supporting Proxmark 3 and RFIDler (another RFID hacking tool) have received many requests for implementations of these attacks, but until recently none had been forthcoming.

In my talk I explain how HiTag2 RFID works in detail, including the PRNG and the authentication and encryption protocols, and will present my own implementations of the attacks, written for RFIDler and supported by desktop computers. The first attack uses a nonce replay to misuse the integrity protection of the comms in order to allow access to the readable RFID tag pages without needing to know the key. The second, third and fourth attacks use time/memory trade-off brute force, cryptanalytic attacks and a fast correlation attack to recover the key, such that the contents of the read-protected pages can also be accessed. The attacks are weaponised and permit cloning of tags, and are available on the RFIDler github: https://github.com/ApertureLabsLtd/RFIDler

In order to implement these attacks I first had to understand them; a large part of my talk will be focused on explaining how the pseudo-random number generator (PRNG) and system initialisation work. The PRNG is based on a 48-bit linear feedback shift register (LFSR) which is tapped at 16 points to generate the feedback bit that is inserted when the register shifts, and is further tapped at 20 points and fed through a few functions to generate the output bit for each state. Each tag within a system and each reader within the same system will contain the same shared secrets: there is insufficient power (and probably a lack of will) to perform asymmetric crypto verification, such as Diffie-Hellman or RSA, hence symmetric encryption and therefore shared secrets. As such, breaking any one component of a system will reveal the shared secrets that apply to the whole system.

The tag and the reader communicate when introduced in order to initialise their PRNGs to the same point. This is based on an initialisation process involving the tag’s unique ID, the shared secrets and a nonce, randomly generated by the reader. The reader encrypts the nonce and transmits it to the tag, which simultaneously decrypts it and further randomises its PRNG state. From this point onwards, when one party wishes to send encrypted data to the other, they simply extract a series of random bits from their PRNG (equal to the length of the data to send) and XOR this with the data to encrypt it. The receiving party extracts the same number of bits from its PRNG (equal to the amount of encrypted data received) and XORs this with the encrypted data to decrypt it. This is essentially a stream cipher and only works because the PRNGs were initialised to the same state and remain in step throughout the communication.

Unfortunately, as is the case with the vast majority of crypto systems, this system has a number of flaws. The first is that all the entropy within a communication comes from the reader in the form of the encrypted nonce. By eavesdropping on a communication and then emulating the reader it is possible to repeatedly initialise a tag to the same configuration by replaying the same encrypted nonce. Coupled with abuse of an integrity protection, this allows the generated key stream for the session to be extracted and then used to encrypt and decrypt communications with the tag.

Taking this further, the same process can be used to generate a large amount of key stream (2048 bits, for example). By generating a large table of PRNG states and the key stream they would generate (1.5 TB in size) it is possible to look up the key stream in the table and find the matching PRNG state. From there it is then possible to roll the PRNG backwards and recover the secrets that were used to initialise it.
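The in-step PRNG and stream-cipher arrangement described in the last three paragraphs, as an added toy model in Python (this is not the talk’s code and not the RFIDler implementation). It keeps the shape the text gives, a 48-bit LFSR with 16 feedback taps and 20 output taps driving an XOR stream cipher, but the tap positions, the output function (a plain parity instead of HiTag2’s filter functions), the initialisation (key XOR nonce) and the key and nonce values are constructed placeholders that do not match HiTag2. The model is enough to show three things the text relies on: both sides decrypt by re-encrypting because their registers stay in step; an LFSR whose feedback includes bit 0 can be stepped backwards, so any recovered state can be rewound to the initial secrets; and when the only entropy is the reader’s nonce, replaying it re-initialises the tag to the same state, so the keystream learned from one known plaintext decrypts a later session without the key.

```python
# Toy model written for this page. Tap positions, output function, initialisation
# and the demo key/nonce are CONSTRUCTED placeholders, not HiTag2's real ones.

WIDTH = 48
MASK = (1 << WIDTH) - 1
FEEDBACK_TAPS = [0, 1, 5, 9, 12, 17, 20, 24, 28, 31, 33, 36, 39, 42, 45, 47]          # 16 taps
OUTPUT_TAPS = [1, 3, 4, 8, 11, 13, 15, 18, 21, 25, 27, 29, 32, 34, 37, 40, 41, 43, 44, 46]  # 20 taps
FB_MASK = sum(1 << t for t in FEEDBACK_TAPS)
OUT_MASK = sum(1 << t for t in OUTPUT_TAPS)

DEMO_KEY = 0x4E5A1F3C8D2B    # constructed 48-bit shared secret
DEMO_NONCE = 0x0123456789AB  # constructed 48-bit reader nonce


def parity(x):
    return bin(x).count("1") & 1


def step(state):
    """One clock: emit the output bit, then shift right and insert the feedback bit at the top."""
    out = parity(state & OUT_MASK)
    fb = parity(state & FB_MASK)
    return ((state >> 1) | (fb << (WIDTH - 1))) & MASK, out


def step_back(state):
    """Invert step(): the old state's upper 47 bits were shifted down, and because
    bit 0 is a feedback tap the bit that fell out is recoverable from the feedback bit."""
    upper = state & (MASK >> 1)            # old_state >> 1
    fb = state >> (WIDTH - 1)              # parity(old_state & FB_MASK)
    bit0 = fb ^ parity((upper << 1) & FB_MASK)
    return (upper << 1) | bit0


def rewind(state, nsteps):
    """Roll the register backwards, e.g. from a state found in a keystream table to the initial one."""
    for _ in range(nsteps):
        state = step_back(state)
    return state


def keystream(state, nbytes):
    """Clock the register 8*nbytes times and pack the output bits MSB-first."""
    out = bytearray()
    for _ in range(nbytes):
        byte = 0
        for _ in range(8):
            state, bit = step(state)
            byte = (byte << 1) | bit
        out.append(byte)
    return state, bytes(out)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def initialise(key, nonce):
    """Constructed stand-in for the real tag/reader initialisation (ID, secrets, nonce)."""
    return (key ^ nonce) & MASK


def encrypt(state, data):
    """XOR with keystream; decryption is the same call applied to the ciphertext."""
    state, ks = keystream(state, len(data))
    return state, xor_bytes(data, ks)


def roundtrip(key, nonce, msg):
    """Reader encrypts, tag decrypts; works only because both registers start in step."""
    reader = initialise(key, nonce)
    tag = initialise(key, nonce)
    reader, ct = encrypt(reader, msg)
    tag, pt = encrypt(tag, ct)
    return ct, pt


def replay_decrypt(key, nonce, known_plain, later_plain):
    """Flaw 1 from the text: all entropy is the reader's nonce. The eavesdropper sees
    session 1 (ciphertext plus a known plaintext), replays the same nonce so the tag
    restarts from the same state, and decrypts session 2 using only the leaked keystream.
    key/nonce are used here only to simulate the tag; the attacker never touches them."""
    _, ct1 = encrypt(initialise(key, nonce), known_plain)
    leaked_ks = xor_bytes(ct1, known_plain)                  # keystream of this initialisation
    _, ct2 = encrypt(initialise(key, nonce), later_plain)    # tag re-initialised by the replay
    return xor_bytes(ct2, leaked_ks)                         # later_plain, recovered without the key


if __name__ == "__main__":
    ct, pt = roundtrip(DEMO_KEY, DEMO_NONCE, b"read page 3")
    print(ct.hex(), pt)
    s0 = initialise(DEMO_KEY, DEMO_NONCE)
    s1, _ = keystream(s0, 256)                # 2048 bits, as in the table attack described above
    print(rewind(s1, 2048) == s0)             # True: the initial state is recoverable
    print(replay_decrypt(DEMO_KEY, DEMO_NONCE, b"read page 3", b"read page 7"))
```

The replay function only recovers as much of the second session as the known plaintext was long, which is why the text talks about harvesting a large amount of keystream first; and the rewind shows why a state found in a precomputed table is as good as the secrets themselves when the generator is a bare LFSR.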

A problem related to the distribution of the taps for the output bits allows an attacker to reduce the complexity of the problem of brute forcing the secrets from 2^48 down to 2^35, making the problem achievable in ~16 minutes. This approach uses a correlation whereby earlier bits of the decrypted nonce affect the decryption of the later bits of it; tables of potential partial keys can be generated and enumerated quickly. This approach only attacks the reader without requiring a valid tag from the system, as long as the reader will respond to an attacker supplied tag (e.g. isn’t white-listed on tag UID).

Garcia et al.’s later ‘fast correlation’ attack uses probability to guess the most likely partial PRNG states to generate the known output during the initialisation phase. This process starts with all guesses for the first 16 bits of the key and then expands each guess with a 0 and with a 1. All the guesses are ranked for how well they produce the expected output and are sorted accordingly. Each is then expanded and the process repeated. When the number of guesses in the system exceeds a chosen limit (say 500,000) only the best guesses remain (250,000 in this case), each to be expanded into two new guesses for the next round. This approach uses far fewer traces of eavesdropped tokens and achieves its results in around 1 minute. Where it fails (as all probabilistic approaches will at times) the attack can be rerun with either more tokens (to provide better information for the engine) or with a larger table (so that more guesses remain in the system for longer).

While the above described attacks are all available on the RFIDler GitHub, there are two further attacks that are worth a mention. Immler’s ‘Breaking HiTag2 Revisited’ (2012) described a GPU brute force that can be implemented with relative ease. Almost the entire OpenCL kernel is provided in the annex, so the attacker/researcher only needs to develop the kernel dispatch code and fill in the obvious gaps in the kernel. In 2017, Benadjila et al. converted Immler’s single-GPU, single-host approach into a multiple-GPU, multiple-host approach and reduced the running time from 11 hours to 15 minutes, using Amazon’s EC2 infrastructure.

There are lots of interesting crypto attacks in the academic world and we would do well to understand them.

Kevin Sheldrake is a penetration tester and researcher who started working in the technical security field in 1997. Over the years, Kev has been a developer and system administrator of ‘secure’ systems, an infosec policy consultant, a penetration tester, a reverse engineer and an entrepreneur who founded and ran his own security consulting company. His current interests lie in tool development for better penetration testing, and he has specialised in IoT and crypto for a number of years.

He has a Masters degree, is a Chartered Engineer and, in the past, has been a CHECK Team Leader, a CISSP and held CLAS.

Kev has presented at 44CON, Troopers, DEFCON 4420, 441452 and 441392 on RFID crypto (Cracking HiTag2 Crypto); EMF Camp, DEFCON 4420 and 441452 on hacking embedded devices (Inside our Toys); presented on building debuggers for embedded devices at Securi-Tay (Phun with Ptrace()); and also presented a lengthy take down on the use of NLP in Social Engineering at DEFCON 4420 (Social Engineering LIES!). He has also presented regularly at his employer’s internal security conference, winning best talk in 2014 for ‘Embedded Nonsense’, a talk about hacking an IoT device and reversing its crypto, which he subsequently presented at Cyber Security Challenge.

Translated Press Release: DeepSec Conference releases Schedule for 2018

Focusing on the Insecurity of Things and infrastructure

Vienna (pts014 / 21.08.2018 / 09:25) – This year’s DeepSec In-Depth Security Conference will focus on the topic of Insecurity of Things (IoT) and components of everyday infrastructure. The ever-advancing networking opens up completely new ways for attackers – faster than developers and manufacturers can fix bugs. Instead of using secure design for products and code, machine learning and artificial intelligence are integrated – unfortunately, implemented using convenient statistics and the algorithm of the week from the daily menu of the development kit. The presentations at the DeepSec conference will therefore put the alleged technologies of the future to the test. Mobile networks, the Internet of Things, collaboration platforms in the cloud, customer relationship management systems and the human factor are in the cross-hairs.

Smart is the new Cyber

Information technology has a legitimate reputation for constantly inventing new terms and acronyms for make-believe solutions to technical problems. Mostly, this is a pure hide and seek game, very well illustrated by the keywords Cyber, Cloud and Virtual. Behind the scenes, some terms are justified, but hardly anyone checks up on what is really hidden behind a product. The best example for this right now is the trend to make everything smart, no matter if security was a design criterion or not in the first place. The power supply should become a smart grid, questionnaires should turn into Smart Assistants, etc.

A look inside reveals components that are often just somehow linked together, without any concept of security. The best example is the smartphone, which has mutated into a universal key. On a single device you have a variety of accesses that require specific apps. Thus, these items automatically become a sought-after target. The Mobile App Attacks 2.0 workshop will demonstrate how to use apps and the smartphone platform as a basis for successful attacks. Furthermore, a workshop on mobile network security is also part of the conference programme. The coach, David Burgess, is a veteran in this field. In 2009 he had already discovered and documented serious security vulnerabilities in mobile networks at DeepSec. This year he’s back and can also tell us something about the new standards.

Insecurity of Things everywhere

Vulnerabilities of devices from the Internet of Things (IoT) are also presented and analyzed in lectures and workshops. Johannes Pohl demonstrates in his training how to analyse the communication of IoT devices. This work serves as the basis for derived attacks. Few manufacturers are really able to design and implement secure communication as a protocol, regardless of whether the protocol is new or based on established standards.

In his talk, Werner Schober, security researcher at SEC Consult, presents weaknesses in “smart” sex toys. Unfortunately this is not a bad joke. IoT devices of every industry are a danger. The original purpose of a device doesn’t matter: attackers have already broken into casinos via a networked aquarium. In addition, especially for sex toys, the discipline for regularly updating the firmware is certainly lower than for “smart” TVs. Thus, these items automatically become a risk to security and privacy at the same time. Countless other everyday things can be enumerated that can be used to attack information systems.

The Human Factor

No matter what technology you use, the human factor remains an important part of information security. The human body is also being networked. Ulrike Hugl from the University of Innsbruck discusses implanted RFID (radio-frequency identification) chips. With such foreign bodies one becomes part of the questions about data security and attacks by third parties oneself, because RFID components carry data and can be read out. In her talk Ulrike Hugl will examine the distribution and usage of RFID and the ethical issues surrounding it.

Furthermore, there are talks on threat analysis, an important part of digital defence that is often carried out by automated processes. The limits of what human experts can do will be examined, together with how they can be supported by automated systems. In his presentation, Stefan Schumacher will highlight how the human brain can be manipulated and how social engineering attacks can be implemented using methods based on this knowledge. The most successful attacks always use a component that touches the human factor.

Interdisciplinary and in touch with Research

Today, information security is not just about technology. Security problems always have to be investigated and solved by an interdisciplinary team. The DeepSec In-Depth Security Conference is meant for a spectrum of research, education, industry, government and business. Just like last year, visitors also have the opportunity to attend lectures at the parallel Reversing and Offensive-oriented Trends Symposium (ROOTS).

ROOTS is an academic workshop that takes place in parallel with the DeepSec Conference. Its aim is to show that combining science with information technology, and combining professional insider knowledge, academic research and practical approaches, can defend modern digital infrastructure better than ever before. Seize the opportunity.

Schedule and Booking

The DeepSec conference takes place on the 29th and 30th of November. The trainings will take place on the two preceding days, the 27th and 28th of November.

Training & Conference venue:
The Imperial Riding School Vienna – A Renaissance Hotel
Ungargasse 60
1030 Vienna
Austria

Current schedule: https://deepsec.net/schedule.html

Tickets for the conference and trainings: https://deepsec.net/register.html

DeepSec 2018 Talk: Defense Informs Offense Improves Defense – How to Compromise an ICS Network and How to Defend It – Joe Slowik

Industrial control system (ICS) attacks have an aura of sophistication, high barriers to entry, and significant investment in time and resources. Yet when looking at the situation – especially recent attacks – from a defender’s perspective, nothing could be further from the truth. Initial attack, lateral movement, and entrenchment within an ICS network require – and probably work best with – variations of ‘pen tester 101’ actions combined with some knowledge of the environment and living off the land. Only after initial access is achieved and final targets are identified do adversaries need to enhance their knowledge of ICS-specific environments to deliver disruptive (or destructive) impacts, resulting in a potentially large pool of adversaries capable of conducting operations.

Examining concrete ICS attack examples allows us to explore just what is needed to breach and impact industrial environments. More importantly, using malware and data captured from recent attacks – specifically TRISIS and CRASHOVERRIDE – defenders can identify how the attackers ‘messed up’ their attacks and why a more simplified and direct approach to achieving offensive goals might not only be more effective, but likely far more difficult for defenders to catch as well.

Following this examination, offense might be better able to attack networks, but defenders will now be clear on what actions and measures are necessary to protect ICS networks from attack. Specifically, host-based approaches, network proxies for host-based logging, and architectural solutions will be covered in brief to outline the requirements for effective defense in ICS environments against even the most savvy adversaries.

Joe Slowik currently hunts ICS adversaries for Dragos, pursuing threat activity groups through their malware, their communications, and any other data available. Prior to his time at Dragos, Joe ran the Incident Response team at Los Alamos National Laboratory, and served as an Information Warfare Officer in the US Navy. Throughout his career in network defense, Joe has consistently worked to ‘take the fight to the adversary’ by applying forward-looking, active defense measures to constantly keep threat actors off balance.

DeepSec 2018 Talk: Can not See the Wood for the Trees – Too Many Security Standards for Automation Industry – Frank Ackermann

“Plant operators and manufacturers are currently faced with many challenges in the field of automation”, says Frank Ackermann. “Issues such as digitization, Industry 4.0, legal requirements or complex business processes that connect IT and OT are paramount. Related security problems and risks need to be addressed promptly and lastingly. Existing and newly created industry security standards (such as 62443, 61508 and 61511, 27001, …) are designed to help improve security. But do the different approaches of these standards fit together? Are managers of the companies and manufacturers supported or rather confused by them? The presentation provides an overview of the key security industry standards, discusses the dependency and coverage of the standards, and aims to encourage discussion about whether the standards optimize general security in industrial control systems.”

We asked Frank a few more questions about his talk.

Please tell us the top 5 facts about your talk.

  • De-confuses many security standards in the automation industry
  • Discusses not only 27001
  • 62443 or Yoga does not solve your security problems in the automation environment
  • Lists pros & cons
  • Non-technical

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

When I started in the automation industry, I was heavily confronted with all the different standards and their approaches to implementation. Bearing in mind that several people responsible for plants have no background in IT/operational technology (OT) security, I realized that they might feel overrun by these requirements and standards.

Why do you think this is an important topic?

Just imagine: plants for water conditioning are manipulated, or power grids are unstable over and over again due to ‘cyber’ security incidents. International standards can support companies in setting up their security organization and finding the best processes to prevent incidents.

Is there something you want everybody to know – some good advice for our readers maybe?

First think, then act.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

Automation is becoming more and more connected. This leads to a larger attack surface. The industry has to rethink its current operational models to become more secure – this will be accompanied by tailor-made security solutions for the automation industry.

Frank Ackermann has been active in the field of IT and information security for over 15 years. At renowned international companies, he has worked in the core security team or examined the implementation of security solutions. Modern business processes today require a bridge between an industrialized automation environment (OT) and classical information technology (IT). This means that processes, organizations and technical measures should be designed holistically and to be inherently secure. All parties involved must work on this continuously.