DeepSec 2016 Talk: Brace Yourselves – Exploit Automation is Coming! – Andreas Follner

Sanna/ October 12, 2016/ Conference, Development, Security

Automating tasks is not only the domain of system administrators. We use computers for a lot of dull and boring processes. This enhances productivity and enables us to focus on problem solving. That’s good news. The bad news is that your adversaries can do this, too. While there are still more than enough hand-crafted attacks Out There™, there are classes of exploits that follow a certain pattern. So if you want to find out how this auto0wning works, you should listen to the presentation by Andreas Follner. Gone are the days of simple stack smashing and code injection (thanks, DEP / W^X!), says Andreas Follner. Today, return-oriented programming (ROP) is the foundation of exploitation. Most ROP exploits are created as follows: you use a tool to dump all gadgets in a binary to the disk, grep specific


DeepSec Talk 2016: Inside Stegosploit – Saumil Shah

Sanna/ October 7, 2016/ Conference, Pictures, Security

Stegosploit creates a new way to encode “drive-by” browser exploits and delivers them through image files. Using current means, these payloads are undetectable. In his talk Saumil Shah discusses two broad underlying techniques used for image-based exploit delivery – Steganography and Polyglots. Drive-by browser exploits are steganographically encoded into JPG and PNG images. The resultant image file is fused with HTML and JavaScript decoder code, turning it into an HTML+Image polyglot. The polyglot looks and feels like an image, but is decoded and triggered in a victim’s browser when loaded. This talk focusses more on the inner mechanisms of Stegosploit, implementation details and how certain browser-specific obstacles were overcome. The Stegosploit Toolkit contains the tools necessary to test image-based exploit delivery. A case study of a Use-After-Free memory corruption exploit (CVE-2014-0282) shall


DeepSec 2016 Talk: Social Engineering The Most Underestimated APT – Hacking the Human Operating System – Dominique C. Brack

Sanna/ October 5, 2016/ Conference, Security

Social Engineering is an accepted Advanced Persistent Threat (APT) and is going to stay, according to Dominique C. Brack of Reputelligence, Social Engineering Engagement Framework (SEEF). Most of the high-value hacking attacks include components of social engineering. Understanding the behind-the-scenes methods and approaches of social engineering will help you make the world a safer place. Or make your attack plans more successful! Social Engineering is a topic that does not really fit into technical hacking and is also underestimated by security professionals. There are no tools or hardware you can buy to prevent Social Engineering attacks. But Social Engineering is an APT to be taken seriously, because most attacks consist partly of it, and its attack execution and prevention need training and skills. Social Engineering has progressed and professionalized more than you think. It is disastrously effective.


DeepSec2016 Talk: Behavioral Analysis from DNS and Network Traffic – Josh Pyorre

Sanna/ October 4, 2016/ Conference, Internet, Security

What’s in a name? A rose? The preparation for an attack? Or simply the next web page you will be looking at? The Domain Name System (DNS) has come a long way from replacing text lists of hosts to a full directory service transporting all kinds of queries. DNS even features a security protocol for cryptographically signed zone data. In order to balance the load, name resolution has caches that temporarily store DNS information. Usually organisations run their own DNS resolvers as caches for their infrastructure. Even if it’s just a flat network with local clients, all DNS requests are channelled to hit your resolvers. Before applications open a data connection, they will query the local resolver to get address data or other hints on how to contact the other endpoint of the communication.


CERT.at supports the DeepSec 2016 Conference

René Pfeiffer/ September 27, 2016/ Conference, Security

We welcome the Computer Emergency Response Team Austria as a supporter of DeepSec 2016! CERT.at is the primary contact point for IT security in a national context. CERT.at will coordinate other CERTs operating in the area of critical infrastructure or communication infrastructure. When it comes to incident response, the coordination of any information regarding the event is crucial. CERT.at has fulfilled this role since 2008. In addition, CERT.at is actively involved in security research. Minibis is a tool for automatically building an automated malware analysis station based on a concept introduced in the paper “Mass Malware Analysis: A Do-It-Yourself Kit”. Have a chat with them during the conference. They will host demonstrations and let you see their software tools in action. Of course, in case you ever have to handle incidents you should talk to them


DeepSec2016 Talk: Cover Your SaaS: Protecting Your Cloud With Analytics and Machine Learning – Ian Thornton-Trump

Sanna/ September 24, 2016/ Conference, Security, Security Intelligence

Some people call military intelligence an oxymoron. This usually happens when something goes wrong. It might be due to sloppy reconnaissance, operations, or simply bad luck. While it’s always good to have someone or something to blame, things are not so easy in modern “cyberspace”. Improving your security means having something to base this improvement on. Despite the fact that being lucky is never a bad thing, the selection of your defences and the assessment of the threats you are facing need to be based on something more solid. IT departments have been mining logs and other kinds of raw materials that produce metrics for decades. Every once in a while there is a new trend. Now that we can store enormous amounts of data and can access it, we have a lot


DeepSec 2016 Talk: Fuzzing Remote Interfaces for System Services in Android – Alexandru Blanda

Sanna/ September 23, 2016/ Conference, Security

When in doubt, go for the core. This statement is true for most Star Wars films. It is also valid for any kind of security research. Modern software has tons of dependencies, metric or otherwise. In addition, most platforms provide a set of basic components accessible by API. The wheel has been invented already. So if you look for weaknesses, addressing these fundamentals is a good idea. Why start at the outer shell when you can go directly to the foundation of the walls? Siege warfare used to be like that. What happens when you combine the technique of fuzzing with accessible interfaces will be explained by Alexandru Blanda in his presentation at DeepSec 2016. System services represent one of the core components in Android, implementing many fundamental Android features such as media playback,


DeepSec 2016 Talk: Malicious Hypervisor Threat – Phase Two: How to Catch the Hypervisor – Mikhail A. Utin

Sanna/ September 22, 2016/ Conference, Security

The blue/red pill analogy has been used a lot when it comes to hypervisor security and virtualisation. While there are reliable ways to determine if your code runs in a hypervisor or not, the underlying problem still persists. How do you know if the platform your code runs on watches every single move, i.e. instruction or data? Given the discussion of backdoors in hardware, this threat is real. Mikhail Utin discussed his findings at DeepSec 2014. He discovered manipulation of the BIOS in certain server systems. The hardware was probably affected, too. Two years later he presents his research covering the detection of malicious hypervisors in parts of your infrastructure where they should not be. Utilizing the definition of vulnerability as “inability to resist a threat” we want to update our consideration of three


DeepSec2016 Workshop: Secure Web Development – Marcus Niemietz

Sanna/ September 21, 2016/ Development, Security, Training

The World Wide Web is everywhere. It has become the standard protocol for transferring data, accessing applications, configuring devices, controlling software, or even multimedia streaming. Most software development can’t be done without web applications. Despite the easy concept, the technologies used in “HTTP/HTTPS” have grown into very complex beasts. Few get it right, lots of developers make mistakes and end up on the wrong side of a security presentation at a conference. Fortunately there is help. We offer you a workshop at DeepSec 2016 to make your web software development great again! The “Secure Web Development” training by Marcus Niemietz systematically covers the OWASP Top 10 threats as well as threats that may be important in the future (e.g. HTML5 and AngularJS attacks). At the end of the training each attendee will be able to create her/his


DeepSec 2016 Talk: 802.11 Complexity. An Introduction to 802.11 Protocol Chaos – Andrés Blanco

Sanna/ September 20, 2016/ Conference, Internet, Security

Do you remember the days of Wired Equivalent Privacy (WEP)? One might almost say security design was bad back then. The question is: Has it really improved? Proper encryption and authentication are only a part of the design. In the case of wireless networking there is a whole lot more to consider. Shooting clients off the network is still possible. Penetration testers can tell you much more about the quirks and weaknesses of wireless protocols. This is why we asked Andrés Blanco to give a presentation about the state of wireless affairs. WiFi is everywhere and everyone is using it every day. Employees connect to enterprise networks using their mobile devices, and later the same day to a WiFi network at a coffee shop or their home network. WiFi networks give users mobility and wire-less


Firmware Threats – House of Keys

René Pfeiffer/ September 10, 2016/ Discussion, Security

SEC Consult, our long-term supporter, has updated a report on the use of encryption keys in firmware. These hardcoded cryptographic secrets pose a serious threat to information security. The report features 50 different vendors and has some interesting statistics. The results were coordinated with CERT/CC in order to inform the vendors about the problem. The highlights of the research include:

- 40% increase in devices on the web using known private keys for HTTPS server certificates
- 331 certificates and 553 individual private keys (accessible via Github)
- some crypto material is used by 500,000 and 280,000 devices on the web as of now

The recommendations are crystal clear: Make sure that each device uses random and unique cryptographic material. If operating systems can change account passphrases after initialisation, so can your device. Take care of management


DeepSec 2016 Workshop: Deploying Secure Applications with TLS – Juraj Somorovsky

Sanna/ September 9, 2016/ Security, Training

Cryptography is all around us. It has become something like the background radiation of the networked world. We use it on a daily basis. Since nothing usually comes into existence by mistake, there must be someone responsible for deploying this crypto stuff. You are right. Software developers, mathematicians, engineers, system administrators, and many more people are involved to make encryption happen. The hard part is to get it right. The mathematics involved is hard. A lot can go wrong. This is why we have a workshop for you at DeepSec 2016! Have you (or your manager) ever wondered why your server is getting bad grades from SSL Labs? Or are you interested in improving the performance of your TLS server? If you answer one of these questions with “yes”, you should consider taking part in the


DeepSec2016 Talk: badGPO – Using GPOs for Persistence and Lateral Movement – Yves Kraft & Immanuel Willi

Sanna/ September 7, 2016/ Conference, Development, Security

System administration has evolved a lot during the past decades. Instead of enjoying long walks through the forests of servers and clients, the modern sysadmin controls the whole infrastructure by policies. Most operating systems can take advantage of this technology. As with software upgrades, these tools can make your life easier – or help an intruder to get a firm hold onto your infrastructure. Malicious activity can exploit your management networks/systems. Once this happens, you are in deep trouble. We have invited two security experts who created a demonstration. They used the Microsoft® Windows platform in combination with native tools: Group Policy is a feature which provides centralized management and configuration functions for the Microsoft operating system, application, and user settings. Group Policy is simply the easiest way to reach out and configure computer


DeepSec 2016 Talk: Machine Duping – Pwning Deep Learning Systems – Clarence Chio

Sanna/ September 6, 2016/ Conference, Security

Give a man a computer, and you 0wn him for a day. Teach a man to employ machine learning, and he will have to battle Skynet for a lifetime. This quote might not be the exact copy of the original, but it will do. Machines now learn stuff. Hence the area of machine learning is the new playground for start-ups, old school companies, researchers, and hackers, of course. A new era of sapiosexual attraction to artificial minds has begun. Information security is not spared. Algorithms have long been a part of defence. Now they are being used with machine learning. Since algorithms and machines run on networked computers, they can be attacked. At DeepSec 2016 Clarence Chio will explain to you how it can be done. Deep learning and neural networks have gained incredible


DeepSec 2016 Workshop: Penetration Testing Humans – Bethany Ward & Cyni Winegard

Sanna/ September 3, 2016/ Conference, Security, Training

Do you know the film where the victim gets an unsuspecting phone call and dies three days later? No? Relax, it happens in the real world, too. The difference is that you get a quite normal phone call at the office and three days later some of your data has been copied. The technical term is leaked, also known as stolen. All your security measures will be untouched. Why break into a firewall or into servers when you get the access credentials by phone? Social engineering is an advanced and very persistent threat. You probably get phone calls and emails every day. You may often interact with people you have never seen or met before. Given the right approach they will make you and your employees believe anything. In turn this technique is very
