DeepSec 2018 Training: Advanced Infrastructure Hacking – Anant Shrivastava

Whether you are penetration testing, Red Teaming or trying to get a better understanding of managing vulnerabilities in your environment, understanding advanced hacking techniques is critical. This course covers a wide variety of neat, new and ridiculous techniques to compromise modern Operating Systems and networking devices.

We asked Anant a few more questions about his training.

Please tell us the top 5 facts about your training.

  1. Constantly evolving course: Every year each iteration has something new added to it. (Minimum 25%, maximum 50% of the course gets an upgrade every year).
  2. Developed by Practitioners: The course is developed by regular pentesters deriving challenges from real life pen-testing scenarios. All of our trainers are full time pentesters and part time trainers.
  3. Covers a whole breadth of infrastructure: From IPv4/v6 to databases, to OSINT, Windows, Linux, and Cloud platforms; from understanding OS to restricted shell breakout AppLocker, and rbash, to name a few. We also cover active directory attacks and delegations extensively. And there is still more to it than that: We also cover specialised topics like Container breakout, docker and kubernetes, VLAN, VOIP, VPN, and cloud pen-testing, AWS, GCP, and Azure.
  4. Free 1 Month Lab Access: We believe that practice makes things easier to remember. That is why every participant gets free access to our Hacklab for one month even after the class is over.
  5. Focus on Techniques and not just tools: We don’t just ask you to type commands in metasploit and be done with it. In fact during our entire class we use metasploit for not more than 6-7 exercises (15-20% of the time). Our major focus is on understanding the technique and how it can be applied in environments.

How did you come up with it? Was there something like an initial spark that set your mind on creating this course?

Our Advanced Infrastructure Hacking Training was developed out of the need for a course which covers a wide range of techniques for pentesters. As much as specialization is required the field also needs generalized skills in all areas. This course tries to fill that gap by giving people a wide range of skills.

Why do you think this is an important topic?

Infrastructure is the core of Information Technology. It will change its shape and form but will remain the core of this field. Hence training on the nitty-gritties of it will always be required.

Is there something you want everybody to know – some good advice for our readers maybe?

Penetration testing is an extremely broad, varied and complex practice, with so many potential avenues that will need to be explored in any given environment. Whether you are an experienced pentester, just starting out, moving roles, only dabbling, a developer looking to understand vulnerabilities better, or any combination of the above or others, you will know, or very quickly realise, two truths:

First, learning techniques might be relevant to specific scenarios, but developing technique is essential to becoming a good pentester.

And second, from this day until the day you’ll retire, you must never stop learning.

At the heart of every concept of all of our courses lies the goal of understanding more – not just the steps to exploit given vulnerabilities, but the processes behind them. We have tried to take all this and build the course around this concept. Hence, if you match any of the traits described above this would be a most suitable course for you.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your training in particular?

Infrastructure is already witnessing a major trend towards cloud. Most of what used to be servers are now cloud services, with more and more responsibilities handled by cloud service providers. This increases the security landscape but also the risks, because most of the background will remain opaque to tenants and hence mistakes can lead to devastating effects. Not just data, but also money can be directly affected. As for what the future holds, we see a major uptick in cloud adoption leading to all sorts of insecure configurations left wide open on the internet and a more stringent need for professionals with an understanding of Information security. Advanced Infrastructure Hacking is our attempt to bridge that gap.

==============
Course Outline
==============

Note: This is a fast paced version of the original 4 day class, cut down to 2 days. To fit the entire training material within 2 days, some of the exercises have been replaced by demos which will be shown by the instructor. Students will receive FREE 1 month lab access to practice each exercise after the class.

While prior pentest experience is not a strict requirement, familiarity with both Linux and Windows command line syntax will be greatly beneficial. The following is the syllabus for the class:

Day 1:
* IPv4/IPv6 Basics
* Host Discovery & Enumeration
* OSINT & Asset Discovery
* Hacking Application and CI Servers
* Oracle Database Exploitation
* Windows Vulnerabilities and Configuration Issues
* Windows Desktop ‘Breakout’ and AppLocker Bypass Techniques
* A/V & AMSI Bypass Techniques
* Offensive PowerShell Tools and Techniques
* Local Privilege Escalation
* Post Exploitation Tips, Tools and Methodology
* An Introduction into Active Directory Delegation
* Pivoting, Port Forwarding and Lateral Movement Techniques

Day 2:
* Linux Vulnerabilities and Configuration Issues
* User/Service Enumeration
* File Share Hacks
* SSH Hacks
* Restricted Shells Breakouts
* Breaking Hardened Webservers
* Local Privilege Escalation
* MongoDB, TTY, Reverse tunneling
* Post Exploitation
* VLAN Hopping
* Docker breakout
* Kubernetes vulnerabilities
* Hacking VoIP
* Exploiting Insecure VPN Configurations

 

Anant Shrivastava is an information security professional with 9+ years of corporate experience and expertise in Network, Mobile, Application and Linux Security. He is the Regional Director for the Asia Pacific Area for NotSoSecure Global Services and has trained about 600 delegates at various conferences (Blackhat all 3 editions, Nullcon, g0s, c0c0n, ruxcon). Anant also leads the Open Source projects Android Tamer and CodeVigilant. His work can be found at anantshri.info

DeepINTEL 2018 Talk: Cyber Threat Intelligence – The Next Era of Cyber Security? – Markus Auer

The DeepINTEL security intelligence conference focuses on threats, indicators of compromise, and strategic counter measures. Information security is more than superficial. This is why we have asked Markus Auer to hold a presentation at DeepINTEL (28 November 2018). He explains his ideas in short:

We are tired of adding new products to our ever-growing security structure. Although this has been a common practice for years, it does not bring lasting success. Attacks continue to occur – faster, more comprehensively and with much greater impact and rising costs. Despite all protection levels and measures, the current security approach fails.

We want to stop the expansion and purchase of more reactive products that are targeted to the recent attack. Instead, security operations should be improved by aligning existing security technologies and teams and using the information across teams. What sounds simple, however, is difficult. Most organizations have Incident Response-, Security Operations Center-, Risk and Vulnerability Management-, Endpoint Protection- and Perimeter-Teams, and maybe more. Each of these teams relies on a specific combination of different point products, each with its own intelligence. They also subscribe to various threat feeds from commercial sources, open source, industry, government and existing security vendors to be fully informed.

However, security teams and their security systems are organized in such a way that information silos are formed. This means that they operate from an information system that is not able to work and communicate with other similar systems, although the same goal is pursued. Using potential synergies seems almost impossible.

We understand that the timely exchange of accurate and relevant threat information between these teams and the tools they use is the key to shorter detection and response time – not the next “Silver Bullet” security technology or another threat feed. However, this requires a change and optimization of existing workflows and processes.

The key to improving the security structure is to establish connections between the individual teams and separated solutions to avoid information silos. In this way, information about attacks can be immediately shared and responded to. The knowledge that resides within each of these teams represents the most valuable and actionable threat intelligence available to the enterprise – and that knowledge would be wasted if it were not harnessed.

 

Markus Auer (45) is a technology evangelist and security sales professional and joined ThreatQuotient as Regional Sales Manager in April 2018 where he is responsible for market development in Central Europe. He brings with him over 20 years of experience in IT Security.

Prior to that, Mr. Auer held other positions at ForeScout Technologies, Q1 Labs (now IBM) SourceFire (now Cisco), netForensics and MessageLabs (now Symantec). In addition to his training as Industrial Manager at Siemens AG Munich, Mr. Auer worked as a freelance consultant for Novell and Microsoft. 

 

DeepINTEL 2018 Security Intelligence Event – Preliminary Schedule is available

It took us longer than anticipated, but the schedule for DeepINTEL 2018 is final and available. The topics covered are ICT risk assessment in interconnected and complex environments, drone threats (to critical infrastructure), drone countermeasures, assessment of digital black markets (you can call them darkweb/crypto markets if you must), live threats to the information industry (based on finding and working with reliable sources in the field), framing HUMINT as an information gathering technique, and how to get started in modern cyber threat intelligence. The speakers will bring in-depth examples from their field of expertise. Given the format of DeepINTEL, the presentations are meant to turn into dialogues where you can directly ask questions and hopefully get answers helping you to understand how to detect and counter threats, and how to collect meaningful data for intelligence purposes. The idea is to discuss realistic scenarios, real events, and practices found in existing organisations and companies. Finding needles in haystacks is easy in times of Big Data and almost endless computing power. Security intelligence is all about finding the right needle in your haystacks. This requires more than algorithms and systems producing sensor data. You need the experience, and our invited speakers have it.

Since DeepINTEL is a closed event we kindly ask you to get into contact with us via email. We will in turn send you the schedule. Public keys for encrypted emails are published, don’t forget to send us your key for answers. Early birds and interested parties will be offered a discount code from our sponsor Digital Guardian. Don’t waste any time! Write us!

DeepSec 2018 Talk: Suricata and XDP, Performance with an S like Security – Eric Leblond

Extended Berkeley Packet Filter (eBPF) and eXtreme Data Path (XDP) technologies are gaining popularity on Linux: eBPF in the tracing and performance community, and XDP among networking people. After an introduction to these technologies, this talk looks at the use of eBPF and XDP in the domain of security. A special focus lies on Suricata, which uses this technology to enhance its performance and, as a consequence, the accuracy of its network analysis and detection.

We asked Eric a few more questions about his talk.

Please tell us the top 5 facts about your talk.

  • Packet loss really matters. A threat detection engine like Suricata is losing 10% of IDS alerts if it misses 3% of traffic. And there are 10% of incomplete file extraction with only 0.3% of packet loss.
  • The quantity of data seen on network is exploding, the complexity of threats is increasing, forcing threat detection systems to do more in-depth analysis. All that makes it really difficult for network intrusion detection systems to keep up to speed. But if you consider that there is some traffic that you don’t really want to see like encrypted traffic, maybe there is hope. If you manage to selectively get rid of this traffic, you can really lower the load. Suricata is implementing a generic bypass mechanism but it requires implementation at the capture level to be really efficient.
  • eXtreme Data Path is a new promising technology that allows user code to be run at the network driver level or even, for some devices, in the network card itself. It is a solution to a lot of problems where standard operating system limits are reached, like blocking distributed denial of services. Blocking traffic really early changes the balance between attackers and defenders.
  • Suricata is using XDP to provide a really efficient bypass mechanism for the standard Linux raw capture method.
  • But XDP is not just about dropping packets because it can be used for wire speed packet transfer. Suricata, for example, is using this feature to provide driver to driver packet routing when used in level 2 IPS mode.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

It did start when I heard too many people complaining about Suricata performance in IPS mode when working on top of Netfilter. It made me think about implementing flow bypass in Netfilter queue mode. The concept is really simple but the performance boost was impressive. I did present this at Netdev 1.1 in 2015, and since then I did work on extending this to other capture methods supported by Suricata. I did not think the evolution of Linux kernel would permit me to reach my goals, but I was really excited when I first heard about the extended Berkeley Packet Filter and even more when I discovered the XDP initiative a bit later on. I’ve followed the progress made in this field and implemented new features in Suricata when they were reaching the stable Linux kernel.

Why do you think this is an important topic?

Suricata usage of XDP provides interesting features regarding the project, but XDP could be used by itself to address other existing issues. Yes, we are talking about high performance networks, so IoT and most home networks are out of scope, but if you take a project like Cilium that addresses inter VMs filtering via XDP there is a huge play field.

Is there something you want everybody to know – some good advice for our readers maybe?

The Security community should interact more with the community of Linux developers and even more so in the case of the networking. There are crazy things going on there and the Security community should take their share of fun and profit 😉

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

XDP is seen by Internet giants like Facebook or Google as a way to run their own protocol independently of the Linux kernel. The risk is that we may see a big part of the traffic switch to custom protocols, which are evolving really fast. In terms of security, it means passive analysis tools will not manage to keep up to the pace of evolution, and the visibility of internet traffic, already lowered by encryption, will get even lower. Be prepared to be blind and start looking for alternatives like internal traffic analysis.

 

Eric Leblond is an active member of the open source community. Since 2009 he has worked on the development of Suricata, the open source IDS/IPS, and he is currently one of the Suricata core developers. He is a Netfilter Core Team member working mainly on communications between kernel and userland. He is also one of the founders of Stamus Networks, a company providing security solutions based on Suricata.

DeepSec2018 Talk: Manipulating Human Memory for Fun and Profit – Stefan Schumacher

Manipulating the Human Memory for Fun and Profit, or: Why you’ve never met Bugs Bunny in DisneyLand

Hacking is not limited to technical things — like using a coffee machine to cook a soup — but also makes use of social engineering. Social engineering is the (mis)use of human behaviour like fixed action patterns, reciprocity or commitment and consistency. Simple social engineering attacks like phishing mails do not require much preparation, but more complex ones do so. Especially when one wants to set up some kind of advanced persistent threat in the psychological domain. So, besides the psychological fundamentals of social engineering we also did research on human memory, how it works, how it pretty much fails to store what really happened, and how it can be misused for a sinister purpose. The fundamental research for this topic comes from forensic psychology, where court-appointed psychologists have to examine the credibility of witness reports and ranges to experiments where manipulated photos changed the memory of subjects. This talk will summarise the current state of the research and show ways to conduct very advanced social engineering attacks and how we can recognise and counter them. As technical hacking gets more and more complex and advanced over time, the psychological domain of IT security will also advance.

Stefan Schumacher is the president of the Magdeburg Institute for Security Research and editor of the Magdeburg Journal for Security Research in Magdeburg/Germany. He started his hacking career before the fall of the Berlin Wall, on a small East German computer with 1.75 MHz and a Datasette drive. 
Ever since, he has liked to explore technical and social systems, with a focus on security and how to exploit them. He was a NetBSD developer for some years and involved in several other Open Source projects and events. He studied Educational Science and Psychology, has done a lot of unique research about the Psychology of Security with a focus on Social Engineering, User Training and Didactics of Security/Cryptography. Currently he’s leading the research project Psychology of Security, focusing on fundamental qualitative and quantitative research about the perception and construction of security.
He presents the results of his research regularly at international conferences like AusCert Australia, Chaos Communication Congress, Chaos Communication Camp, DeepSec, DeepIntel, Positive Hack Days Moscow or LinuxDays Luxembourg and in security related journals and books.

DeepSec 2018 Talk: Mapping and Tracking WiFi Networks / Devices without Being Connected – Caleb Madrigal

Sure, WiFi hacking has been around for a while, and everyone knows about tools like airmon-ng, Kismet, et al. But what if you just want to view a list of all networks in your area along with all the devices connected to them? Or maybe you want to know who’s hogging all the bandwidth? Or what if you want to know when a certain someone’s cell phone is nearby? Or perhaps you’d like to know if your Airbnb host’s IP Camera is uploading video to the cloud?

For all these use-cases, I’ve developed a new tool called “trackerjacker”. In this talk we’ll use this tool to explore some of the surprisingly informative data floating around in radio space, and you’ll come away with a new skill or two adding to your radio hacking skill tree, as well as a new magical weapon… I mean tool.

We asked Caleb a few more questions about his talk.

Please tell us the top 5 facts about your talk.

  1. You’ll learn how easy it is to track people or be tracked yourself.
  2. You’ll learn the scary amount of information leaked by encrypted wifi networks.
  3. You’ll learn how you can detect when nearby wireless security cameras detect motion (even if they are not your cameras, and even if you aren’t on the same wifi network).
  4. You’ll learn about a new WiFi hacking tool.
  5. You’ll learn more about how WiFi works.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

My initial problem was that I was trying to get my security alarms to turn on if one of my security cameras detected motion, but the camera and security system didn’t speak to one another. From this problem, I developed the trackerjacker tool. In other words, I way over-solved my particular problem 🙂

Why do you think this is an important topic?

IoT stuff is continually growing in popularity, and IoT devices are being used for more and more important things. Many IoT devices work over wifi, and all of those are susceptible to some of the problems I’ll be addressing in this talk. There are serious implications regarding your privacy and security here.

Is there something you want everybody to know – some good advice for our readers maybe?

Encrypted wifi leaks surprisingly interesting information, regardless of encryption algorithm or security mode.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

What would be concerning is if an attacker could weaponise some of these techniques – especially if they were able to remotely infiltrate wifi devices (like IoT devices) and use them to launch such attacks.

 

Caleb is a programmer who enjoys hacking and mathing. He is a member of the Mandiant/FireEye advanced research team, where he researches and builds sweet incident response software. Lately he’s mostly been hacking with Python, Jupyter, C, and Machine Learning. Though only recently getting into it professionally, Caleb has been into security for a while – in high school, he wrote his own (bad) cryptography and steganography software. In college, he did a good bit of “informal pen testing”. These days, he has fun doing a lot of Radio/Wireless hacking, and using Machine Learning/Math to do cool security-related things.

DeepSec 2018 Talk: Drones, the New Threat from the Sky – Dom (D#FU5E) Brack

I will talk about drones (not military ones). Drone risks and countermeasures. Drones have become an inherent risk not just for critical infrastructure, but also public events (sports, concerts) and privacy. I will speak about the exclusive risk catalogue I have developed for a small highly specialised start-up called DroneGuard. The catalogue contains over 140 detailed drone related risks. From payload of drones (explosives, chemical etc.) to cyber risks like Signal Hacking & Disruption (WiFi, GSM, Bluetooth, RFID, etc.). Since DeepSec is a more technically oriented event I will highlight the risk management framework, my experience with our personal payload drone and the cyber risks. This talk will help you if you have to protect critical infrastructure from a physical perspective, or if you have to protect yourself or your company from privacy implications.

Please tell us the top 5 facts about your talk.

  • Fact 1: You will learn everything feasible about drones, in order to enable you to assess the threat for your particular field of work, might that be cyber, critical infrastructure, datacenter operation, public service, etc.
  • Fact 2: The presented DroneGuard risk catalogue contains over 140 risks; and I am sure you haven’t seen them all. Your knowledge about drone risks will be greatly expanded.
  • Fact 3: You will learn that drone detection is not drone defence. You will hear about market leaders in drone detection and what type of detection/ defence possibilities exist, and can be used legally if you are not police or military.
  • Fact 4: Learn how to handle captured/ landed drones, and how to pick them up without slicing yourself like a cucumber. I’ll show you what drone blade injuries look like.
  • Fact 5: See how easy it is to release payload and drop it on a selected target.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

About a year ago we were approached by the government to develop new topics of future emerging risks. Since we are working in the strategic/ methodical field of cybersecurity, handling cyber and also physical risks (like IoT and autonomous vehicles etc.) we started this project about drones. Drones were also used in combination with our infrastructure (telco) and we have been involved in PoCs for hospital transport. Working on the topic of drones (UAVs, RPAS) we soon figured out that there was no structure to it. It’s mostly driven by innovation but without considering the risks that come with it. This is why we started our DroneGuard risk catalogue. The catalogue has subsequently been used in discussions with critical infrastructure operators, event organizers and local police forces as well as large private sector companies. We figured out there is a huge gap between the perception of the risk of drones and the reality. Our catalogue contains around 140 risks of drones. Some of them seem farfetched, like theft and robbery for instance, but just recently we have learned about the theft of a statue from a VIP property by using a drone. This shows the fast progress of risks related to drones; cybercriminals just started to learn about the capabilities drones have to offer.

Why do you think this is an important topic?

Because it poses a deep security risk for particular situations. Defence capabilities need to be planned accordingly and the risks for each situation assessed. The private sector and the public sector need to include drone risks in their risk framework. There also have been the first ransomware cases putting the public in danger. A drinking water supply for a small city has been threatened to be poisoned by a drone using chemical agents.

Is there something you want everybody to know – some good advice for our readers maybe?

Come to my talk… about drones of course 😊. For sure you will learn many new things about drones and the risks they can pose. You might also learn how you can extend your business to assess drone risks. After all a drone is just a flying IoT device – with all its implications.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

Swarm attacks, crime scene destruction as-a-service and emerging terrorist threats (drones are even cheaper than cars, tricks etc.).

 

Dominique C. Brack is a recognized expert in information security, including identity theft, social media exposure, data breach, cyber security, human manipulation and online reputation management. He is a highly qualified, top-performing professional with outstanding experience and achievements within key IT security, risk and project management roles, confirming expertise in delivering innovative, customer-responsive projects and services in highly sensitive environments on an international scale. Mr. Brack is accessible, real, professional, and provides topical, timely and cutting edge information. Dominique’s direct and to-the-point tone of voice can be counted on to capture attention, and – most importantly – inspire and empower action.

ROOTS Schedule almost ready, mind your DeepSec Training Tickets, DeepINTEL Schedule is coming up

The review process for ROOTS was completed a few days ago. Proper reviews are hard, this is why it took a bit longer. The accepted papers will be in the schedule at the beginning of next week for we need the redacted abstracts of all presentations. The research topics are worth it, so make sure to check the schedule next week.

For all of you looking for in-depth knowledge and hands-on training – please book tickets for our trainings as soon as possible! This is not meant to rush you. We just want to make sure that you get the training you want. Booking last minute is a sure way of making it hard to plan ahead. Furthermore the first courses are filling up. You might not get a seat if you wait too long.

The DeepINTEL schedule will be sent to interested parties as of today. The topics include drone capabilities (including counter measures), “military-grade” ICT risk management, insights into HUMINT, evaluating data to produce secure intelligence relevant information, and effects of malicious software used for actual attacks on digital communication. If you want to get a detailed peek at the presentations, please mail us.


DeepSec 2018 Talk: Security Response Survival Skills – Benjamin Ridgway

Jarred awake by your ringing phone, bloodshot eyes groggily focus on a clock reading 3:00 AM. A weak “Hello?” barely escapes your lips before a colleague frantically relays the happenings of the evening. As the story unfolds, you start to piece together details leading you to one undeniable fact: Something has gone horribly wrong…

Despite the many talks addressing the technical mechanisms of security incident response (from the deep forensic know-how to developing world-class tools) the one aspect of IR that has been consistently overlooked is the human element. Not every incident requires forensic tooling or state of the art intrusion detection systems, yet every incident involves coordinated activity of people with differing personalities, outlooks, and emotional backgrounds. Often these people are scared, angry, or otherwise emotionally impaired.

Drawing from years of real-world experience, hundreds of incidents worked by Microsoft Security Response Center, and the many lessons learned from some of the greats in IR around the company, this talk will delve into:

  • Human psychological response to stressful and/or dangerous situations
  • Strategies for effectively managing human factors during a crisis
  • Policies and structures that set up incident response teams for success
  • Tools for building a healthy and happy incident response team

Effectively navigating the human element is a critical skill for anybody who may be called upon to manage or participate in a security incident. This talk is geared toward occasional or full-time responders who are looking for practical human-management skills.

It is now 3:05AM. Everything has gone horribly wrong. A room full of panicked engineers await. It is your time to sink or swim. Good luck.

But wait! Before you put on your scuba gear, you should probably read on. We asked Benjamin a few more questions about his talk.

Please tell us the top 5 facts about your talk.

  1. The human mind still possesses all of the same wiring that helped our simian ancestors flee danger. Our reaction to perceived danger is often deeply rooted in this ancestral circuitry.
  2. Studies have shown that lack of sleep impairs judgement as much as alcohol.
  3. People can subconsciously pick up on signs that their leader is stressed out. This causes an autonomic reaction and causes them to become stressed too.
  4. People fall back to learned, repetitive cycles when confronted with fatigue or stress. Security responders should prevent mistakes by drilling and practicing often.
  5. Your executives are people too. They may be just as, if not more, scared during a security incident as the rest of the team.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

I was sitting in a meeting with executive leadership walking through a response plan. I realized that everything we were talking about was based on technology. Nobody was talking about its impact on humans. Everyone there was an individual with their own fears and skills. Security responders rarely account for people.

Why do you think this is an important topic?

Often the most critical part of successfully managing a security crisis is the rational and efficient cooperation of people. These people are often dealing with quite natural emotional responses to danger. Good security incident managers recognize this and make it a core part of their work.

Is there something you want everybody to know – some good advice for our readers maybe?

Recognize that humans are human. This means everyone, from the entry level analysts all the way up to your CEO. Security incidents can cause feelings of anger, violation, or fear. People on the team may be fatigued during times where they need to be at their best. Be aware of the state of your team.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

As more companies adopt dev-ops, crisis issues will involve more people who are unaccustomed to working through tense security problems. Security professionals, especially those whose job it is to keep the situation on track, will find themselves confronting human aspects more often.

 

Ben Ridgway has been involved in a wide variety of projects during his security career. He started with a position at NASA looking for vulnerabilities in spacecraft control systems. Following that, he took a job with the MITRE Corporation as part of a team which consulted for the US Government. This work involved everything from pen testing high assurance systems to building out Cyber Security Operations Centers. He was hired by Microsoft in 2011 to be one of the original security engineers on Microsoft’s Azure cloud. He helped found the security incident response team for Microsoft Azure. Over time that scope has grown across multiple online service, cloud, and machine learning technologies. Today he is the lead of the Microsoft Security Response Center – Trust and Strategy Team. This team is responsible for managing critical security incidents within Microsoft’s cloud and artificial intelligence services while preparing for the incidents of tomorrow.


Translated RadioFM4 Article: Hype about “Chinese Espionage Chips” stems from the Pentagon

[Editor’s note: This article was originally published on the web site of the FM4 radio channel of the Austrian Broadcasting Corporation. We have translated the text in order to make the content accessible for our English-speaking audience, because the author raises some important questions.]

In the FM4 fact check, the sensational report by the business portal Bloomberg about manipulated hardware for cloud computing turns out to be almost completely fact-free. On Friday a long-awaited report from the Pentagon was released warning about electronics manufacturing in China.

by Erich Möchel for fm4.orf.at

In the US, the “Cyber Security Month” October has begun, related news come thick and fast. The documentary presented on Thursday about a Russian espionage attack that failed miserably was spectacular, but had already taken place in April. England, Holland and Canada have waited with this concerted action until charges were filed in the US – which happened also on Thursday.

This concerted cyber-strike was overshadowed by Bloomberg Business Week’s sensational report claiming that Apple, Amazon & Co.’s servers are infiltrated with Chinese espionage chips. Angry denials of Internet companies followed; in fact, the article contains not a single, tangible clue. One explanation for its release came on Friday, when the Pentagon released a long-awaited report targeting electronics manufacturing outsourced to China.

“US electronics industry disappears”

The report refers to Donald Trump’s Presidential Decree “Executive Order 13806”. It aims to secure the supply chain of all US government institutions and the military. Right at the beginning of its introduction, there’s already a clear warning that, given the current developments, entire industries in the US may soon disappear. The report paints a bleak picture of the decline in the production sector, of barely competitive supply companies, which have been hit hard by the economic policies of foreign competitors.

On the one hand, this is due to “collateral damage from globalization,” according to the report, but also to “targeted actions of major powers such as China.” In parallel with the decline of industrial production, essential skills and abilities of workers in the US are dwindling, such as, for example, “the soldering or manufacturing of computer components.” The focus of this Pentagon report is the electronics industry, which has been outsourcing its production facilities to China for the past two decades.

A Report without “when” and “where”

It’s well-known that not only the vast majority of smartphones for the entire world market is manufactured in China. What’s more, PCs are now predominantly made in China as well. The same is true for components for the server market of course, and that’s what the Bloomberg Business Week report is all about too: “The Big Hack – How China Used a Tiny Chip to Infiltrate US Firms.”

Naturally, this lurid title fits perfectly well with a study whose entire purpose it is to, at least partially, reclaim the US electronics industry outsourced to China and bring it back to the United States. What follows is a news story on the manipulation of Supermicro computer motherboards, which are installed in servers for cloud computing all around the world. It is portrayed as if such an incident has actually happened, but does not contain any information at all about “when and where”.

The same Scenario for 15 Years

Of course, such a scenario is possible. A tiny SMD [surface-mounted device] component, sitting in front of the CPU, the main processor, could be integrated into the manufacturing process of the motherboard. It is also conceivable to slyly introduce malicious code via this component to manipulate the CPU. And because this technical possibility certainly exists, this scenario is not new at all, but has been appearing in the media time and time again for at least the last 15 years.

In 2005, the acquisition of the PC division of IBM by the Chinese Lenovo Group, which had already previously manufactured and assembled the components for IBM notebooks, was blocked for months. Because, at that time, IBM supplied many US authorities and the military with notebooks and PCs, the intelligence complex intervened. Since then, this story, always citing anonymous, unspecific warnings from intelligence circles, regularly pops up in the news, most recently in regard to the Chinese manufacturers Huawei and ZTE.

For Example: Huawei and ZTE

Anonymous sources from the intelligence services had also warned against these manufacturers’ telecom hardware for many years. But only in May 2018 were all smartphones of these Chinese manufacturers removed from the military stores and members of the US armed forces prohibited from using them. The rationale: The smartphones could contain hidden components allowing for the complete surveillance of users. However, in no case could such a compromised part of the hardware be further identified or found.

That’s the way it has been for 15 years and this case is really a prototypical example. Bloomberg mentions the manufacturer Supermicro, but not which series of motherboards are affected. An animation to show where these chips, “the size of a pencil tip”, are built into Supermicro motherboards is based on a symbolic photograph. In addition to two CPUs without any label there is a marked dot, that’s all. And if, let’s say, in the manufacturing process, instead of a simple pass-through capacitor for signal smoothing, a somewhat more intelligent micro component were used, which incidentally has a few circuits and thus computing power – well, what would happen?

Billions of Stock Market Value destroyed

The Bloomberg report also leaves this question unanswered. Of course, it is possible that a second part of the report will be published on this subject, which will provide the relevant facts that are completely lacking in the first one. For example, when did these hardware infiltrations happen? And were there any specific incidents after that? Bloomberg will have to present the facts about this – if there are any – because its story has caused enormous financial damage. The stock price of the motherboard manufacturer Supermicro was almost halved, about 500 million dollars in stock market value were lost.

As a result, even completely uninvolved hardware manufacturers from China faced huge losses on the stock market. Lenovo, for example, noted on Friday a minus of 15 percent. Several billion dollars of stock market value went down the big data stream altogether, although first Supermicro, then Amazon and Apple had denied the allegations in sharp terms. These denials were followed by yet another one, this one by Bloomberg itself, right at the bottom of the article: “Bloomberg LLP is also a Supermicro customer. According to a company spokesman, no evidence has been found that the hardware used by Bloomberg has such problems as described in the article.”

Epilogue and Outlook

The British National Cyber Security Center – part of the military intelligence service GCHQ – has sided with Apple and Amazon this weekend. One sees no reason for the assumption that the hardware inside the servers of these companies is compromised, they said. Why this Bloomberg story was published on the day when NATO, in a long-planned concerted action, went public, revealing the biggest embarrassment of the Russian foreign intelligence service GRU since the end of the Soviet Union, remains puzzling.


Translated Press Release: Systemic Errors as Vulnerabilities – Backdoors and Trojan Horses

DeepSec and Privacy Week highlight consequences of backdoors in IT

Vienna (pts009/09.10.2018/09:15) – Ever since the first messages were sent, people have tried to intercept them. Today, our modern communication society writes more small, digital notes than anyone could read along with. Everything is protected with methods of mathematics – encryption is omnipresent on the Internet. The state of the art in security technology is so-called end-to-end encryption, where only the communication partners have access to the conversation content or messages. Third parties cannot read along, regardless of the situation. The introduction of this technology has led to a battle between security researchers, privacy advocates and investigators.

Kick down doors with Horses

In end-to-end encryption the keys to the messages, as well as the content itself, remain on the terminal devices involved in the conversation. This is the desired goal, because this type of communication uses networks that are not trustworthy or public, such as the Internet. There is no other way to communicate securely in these environments. End-to-end encryption is without alternative. This is also proven by history. Legislation requiring communications service providers to grant government agencies access to users’ communications led to the development of Pretty Good Privacy (PGP) software in the 1990s. The clashes at the time therefore bear the name Crypto Wars in the English-speaking world.

One meets the hurdles of mathematics with ancient means. Backdoors or Trojan horses, i.e. embedded software for reading messages before encryption, should be used directly on terminals in order to be able to read along at the source. In terms of security, however, backdoors represent a weak point in hardware or software. For the use of Trojan horses, a vulnerability must be present in order to be able to surreptitiously install the application. Both approaches are diametrically opposed to information security.

Built-in Abuse

Even if authorities should use the so-called state trojans only for the investigation of drug offences or similar serious cases, it’s conceivable that such an interception software escapes and is put to another purpose. The wire-tapping affair in Greece in 2004 is a real example (also known as the Athens Affair). At that time, telephone calls and messages from Greek government and government officials were recorded via the lawful interception interfaces in the mobile network. The attackers exploited the existing interfaces. Kostas Tsalikidis, the mobile operator’s network planning manager, was found dead in his home two days after the security gap was revealed. The perpetrators of the monitoring scandal were never found despite years of investigation.

Although, in software, no built-in interfaces for monitoring are active per se or provided for, there are prerequisites that must be fulfilled. With a state trojan, sometimes called a federal trojan, the state actively exploits vulnerabilities in computer programs or apps in smartphones to monitor individuals. Often the state itself even buys these weaknesses on the black market with taxpayers’ money and deliberately does not inform the development companies about the vulnerabilities it then knows about, in order to keep the security gaps open as long as possible for its own purposes. In doing so the security of all people and computer systems is put at risk. At a meeting in August 2018, the Department of Cyber Security and IT Security of the Federal Ministry of the Interior confirmed that the knowledge of unknown security vulnerabilities has been held back to a certain extent and not made public in order to attack digital systems.

Close Gaps instead of exploiting them

From the very start the DeepSec security conference has been dealing with security issues. In recent years, the security of mobile networks, Internet infrastructure, mobile devices, all kinds of applications, software components of operating systems and much more has been analysed in detail. Vulnerabilities are not suitable as a foundation on which to build a house safely. Security researchers worldwide agree that only the publication of mistakes (in collaboration with interested manufacturers) leads to their correction. In times of discussion about campaign manipulation, threats to critical infrastructures, increasing networking in sensitive industries and military use of software, the highest possible level of information security is more important than ever. Therefore, the DeepSec conference again will feature presentations and trainings on this topic in November of this year. Especially recommended are the lectures, which specifically deal with the perpetrators. Edith Huber and Bettina Pospisil will present the results of their research on profiles of perpetrators and victims of cybercrime. Dr. Silke Holtmanns will discuss the state of the art in terms of security in mobile networks in her lecture, as well as the challenges for 5G. Mark Baenziger will take the tensions between supervisors and supervised as an opportunity to illuminate the activities in an IT security team from both points of view.

Lectures on the Topic at Privacy Week

There are two lectures on the subject of State Trojans at PrivacyWeek. In his presentation, Andre Meister, longtime editor at netzpolitik.org, gives an overview of the state of the art used in state trojans, the laws which allegedly regulate them and the numerous problems in their implementation. His presentation bears the title of the topic – “State Trojan”. Lukas Gahleitner of Amnesty International Austria gives a lecture entitled “The Protective Duties of States regarding Human Rights, or What do marine mines off the Albanian coast have to do with the state Trojan horse?”, which will illustrate the international legal dimension of the topic. Ultimately, vulnerabilities are a threat to a state’s own infrastructure and citizens. So what should be done if a state knows about vulnerabilities? In this regard Lukas Gahleitner has suggestions to make and puts them up for discussion.

Program and Booking

The DeepSec conference takes place on the 29th and 30th of November. The trainings take place on the two previous days, the 27th and 28th of November.

Training & Conference venue: The Imperial Riding School Vienna – A Renaissance Hotel, Ungargasse 60, 1030 Vienna.

You can find the current program under the link: https://deepsec.net/schedule.html

Tickets for the DeepSec conference and trainings can be ordered via the link https://deepsec.net/register.html.

The Privacy Week will take place from the 22nd to the 28th of October 2018 at the Folklore Museum in the 8th district of Vienna.

The program can be found at https://fahrplan.privacyweek.at/.

The tickets for the Privacy Week can be ordered online via https://privacyweek.at/tickets/.


DeepSec 2018 Talk: A Tour of Office 365, Azure & SharePoint, through the Eyes of a Bug Hunter – Dr.-Ing Ashar Javed

The Cross-Site Scripting (XSS) outbreak started almost twenty years ago and since then it has been infecting web applications at a concerning pace. It is feared that the influx of programs and bug hunters arriving at bug bounty platforms will worsen the situation given more disclosed cases of bug(s) or public citing and viewing. According to #FakeNews Media, the outbreak engulfed One Microsoft Way in Redmond. This is where a contagious tour starts.

The tour guide will convoy you through 50 award winning shattered windows in Office 365, Azure and SharePoint. All reported XSS findings spawned great riches and ended up in The Honor Roll or made their way to a simple acknowledgement entry or several CVE-plated thanks. The goal of this walking tour: an intimate look at Microsoft online or cloud services (Office 365 and Azure) bug bounty programs through the eyes of a bug hunter.

This briefing will conclude on: classical XSS is here to stay while Redmond’s outbreak “… was like a storm. But storms, they can come back. Can’t they? The question is, if they come back, is it the same storm, or has something changed?”

Please tell us the top 5 facts about your talk.

  1. Share my experience of participation in Microsoft’s bug bounty program. As a bug hunter, what was my expectation from a company like Microsoft, and, at the end of day, what did I actually get…
  2. This talk will show simple Cross-Site Scripting (XSS) vulnerabilities in Microsoft’s flagship product, i.e., Office 365. But wait … what’s “simple”? Is it even possible that simple XSS issues are lurking there still, even though they had a red, blue and dedicated team of pentesters? One more thing, please don’t forget that customized automation vulnerabilities finding tools are also at Microsoft’s disposal.
  3. Why is it real hard to fix XSS in Office 365? We will try to figure out the answer in our talk.
  4. To be precise, as of now 118 bounty qualified submissions.
  5. XSS is here to stay…

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

The rough idea was to end up somewhere on the list of Top 100 security researchers published by Microsoft every year. Currently I am at #1 on the list of Microsoft’s Top 100 security researchers of 2018. Needless to say that one aspect I had in my mind was definitively financial gain.

Why do you think this is an important topic?

Bug bounties and the discussions around them are always interesting and spark further debate.

Is there something you want everybody to know – some good advice for our readers maybe?

Come and meet the number one security researcher on the list of Microsoft’s Top 100 security researchers of 2018.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

The team behind secure@microsoft.com will receive more reports, in particular regarding Office 365. I believe that hundreds of Cross-Site Scripting issues are still not “unearthed” in Office 365. It may be your turn to find the needle.

 

Ashar Javed currently works on penetration testing, source code review and mobile application vulnerability assessments at Hyundai AutoEver Europe GmbH (an IT service company for Hyundai & KIA Motors). He works alongside developers and external third-party application vendors in order to eliminate web vulnerabilities. He has spent three years as a security researcher for Ruhr-Universität Bochum, Germany. Ashar holds a PhD degree from Ruhr-Universität Bochum and an MSc from Technische Universität Hamburg-Harburg, Germany. His research interests include web application vulnerabilities and in particular Cross-Site Scripting. He has a passion for XSS and lives and breathes XSS. Last but not least, thanks to XSS, Ashar is at the #1 spot in Microsoft’s Security Response Center (#MSRC) Top 100 Security Researchers List of 2018.


DeepSec 2018 Talk: Leveraging Endpoints to Boost Incident Response Capabilities – Francisco Galian, Mauro Silva

The information technology world is full of terms and acronyms. You got servers, nodes, clients, workstations, mobile devices, lots of stuff talking via the network to even more stuff. And then you got security breaches. How do you detect the latter? Well, you look for things out of the ordinary. Error messages, anomalies in behaviour, activity outside the usual time slots when the system is being used, and the like. What’s the best place to look? Answer: The systems directly in touch with all the interactions attackers are interested in – endpoints.

Most organisations fail to properly detect or even respond to incidents. A factor that significantly contributes to this fact is the lack of visibility on endpoints. That being said, endpoint logging can be very noisy and most organizations don’t have infrastructure to cope with the volume. The aim of this talk is to help blue teams understand which logs give you the most benefit for the least investment. That will help improve detection mechanisms while also helping to trace back any breach, thus improving incident response.

In order to achieve this we built a lab that represents a common Windows based business. We then reproduced some common attacks and techniques that we have worked on, from Threat Financial groups to Advanced Persistent Threats (APTs), and investigated the logs generated from it to analyse what the best indicators were.

Francisco Galian, SME on Incident Response & Digital Forensics. Leading the response during security incidents, compromised networks and data breaches. Helping customers in a proactive way by providing trainings, table top exercises and active threat assessments. Previous roles include assessing security on a Critical National Infrastructure, consultancy and being main developer of Threat Intel solutions like malware sandboxes.

Mauro Silva’s interests can be summarized by two words: challenges and scripting. He loves challenges, and scripts every repetitive task he can.

In his current position he leads a team responsible for threat hunting within a telco environment. He has also developed a training program for it that includes simulation of incidents and puts the team into the several roles present in an incident, in order to enable it to understand the nuances of an incident. That includes red teaming (aka pentesting).

In his past positions he has focused mainly on Incident Response and Forensic Investigations. He was also involved in the development of a Threat Intel gathering tool called IntelMQ. Mauro always tries to streamline his team’s work by automating everything that can be automated. He has also represented his previous employers at several conferences and led a nationwide cybersecurity exercise.

 


DeepSec 2018 Talk: Dissecting The Boot Sector: The Hunt for Ransomware in the Boot Process – Raul Alvarez

Ransomware is as cyber as it gets these days. It’s all over the news, and it is a lucrative business case. Modern malicious software has been put to work for its masters. It is the platform of deployment for a whole variety of additional code. So why is ransomware not the same as any other malicious software? Raul Alvarez will explain this to you at DeepSec 2018:

Ransomware families differ slightly in their attack vectors, encryption algorithms, and selection of files to encrypt. A common ransomware technique is to encrypt files and hold them for ransom. Petya ransomware does the infection a bit differently from the others. Instead of encrypting files, it encrypts the MFT, Master File Table, which contains the metadata and headers for each file in the system.

Another trait of this malware that stands out is its infection of the MBR, Master Boot Record. It overwrites the MBR and the adjacent sectors with its kernel code. When an infected system is restarted, instead of loading the Windows or Linux operating system, it will start its kernel code and hold your whole computer for ransom. And if you decide to pay, you need to have another machine to access the online payment system and enter the generated unique code taken from the infected machine.

In this presentation, we are going to look into how Petya, a ransomware, overwrites the MBR (Master Boot Record), on both MBR- and GPT-style disks, with its malicious code. Then we are going to follow the code in the MBR and show how a simple malicious kernel code can take control of the boot process until you pay the ransom. I will show a demo on how to debug the MBR to see how the actual native code executes without any API.

We are also going to see how we can use a combination of different tools to figure out how ransomware can infect the very first sector of a hard disk. Tools such as Disk Management, DISKPART, WinObj, Process Monitor, and HDHacker. And of course x64dbg and ollydbg for debugging the ransomware on application-level. And finally, we are going to see how to use Bochs debugger to analyze the malware while it runs its kernel code.

Using Bochs, debugging the boot sector gives us full control over the execution of the initial kernel code. In this case, we can deep dive into Petya’s kernel to understand how native code execution works. Petya’s kernel code gives us an idea of how a boot sector or a simple operating system works.

Analyzing Petya gives us the ability to analyze malware or ransomware that infects and overwrites a boot sector. It also gives us an understanding on how malware can still infect a boot sector even with new technologies such as UEFI and GPT. And it can also give us an idea on how to analyze future malware that has the same intent as Petya.

 

Raul Alvarez is a Senior Security Researcher/Team Lead at Fortinet. He’s a Lead Trainer responsible for training the junior AV/IPS analysts in malware analysis and reverse engineering.  Raul has presented at different conferences like BSidesVancouver, BSidesCapeBreton, OAS-First, BSidesOttawa, SecTor, DefCamp, BCAware, AtlSecCon, BSidesCalgary, TakeDownCon, MISABC, InsomniHack, ShowMeCon, CircleCityCon, and HackInParis. He is a regular contributor to the Fortinet blog and to the Virus Bulletin publication, where he has published 22 articles.
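An added illustration of the first-sector layout the abstract above refers to, written for this page and not taken from the talk or from Fortinet: a defender-side check that parses a 512-byte MBR, reports whether it is a GPT protective MBR, and compares boot code and partition table against a known-good baseline. The sample sectors are constructed for the example, and all function names are assumptions.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446        # bootstrap code area at the start of the sector
PART_TABLE_OFF = 446       # four 16-byte partition entries follow the code
PART_ENTRY_FMT = "<B3xB3xII"   # status, (CHS), type, (CHS), LBA start, sector count
SIGNATURE = b"\x55\xaa"    # boot signature at offset 510
GPT_PROTECTIVE = 0xEE      # partition type used by a GPT protective MBR


def parse_mbr(sector):
    """Decode the first sector of a disk into its security-relevant fields."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly %d bytes" % SECTOR_SIZE)
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:      # unused slot
            continue
        partitions.append({"slot": i, "active": status == 0x80,
                           "type": ptype, "lba_start": lba, "sectors": count})
    is_gpt = any(p["type"] == GPT_PROTECTIVE for p in partitions)
    return {
        "signature_ok": sector[510:512] == SIGNATURE,
        "scheme": "gpt" if is_gpt else "mbr",
        "partitions": partitions,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
    }


def compare_to_baseline(baseline, current):
    """Return findings for triage; an empty list means nothing changed.

    A changed boot code hash is not proof of infection (a boot loader
    reinstall changes it too), but it is the area a boot-sector
    overwrite has to touch, so it is worth reviewing.
    """
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        findings.append("bootstrap code changed")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table changed")
    return findings


def build_sector(boot_code, entries):
    """Build a constructed sample sector (test data only, not a disk image)."""
    if len(boot_code) > BOOT_CODE_LEN or len(entries) > 4:
        raise ValueError("sample does not fit an MBR")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i,
                         status, ptype, lba, count)
    sector[510:512] = SIGNATURE
    return bytes(sector)


# Constructed samples: arbitrary placeholder bytes stand in for boot code.
BASELINE = build_sector(b"\xeb\x3c\x90" + b"\x00" * 29,
                        [(0x80, 0x07, 2048, 204800)])
CHANGED_CODE = build_sector(b"\x90" * 32, [(0x80, 0x07, 2048, 204800)])
GPT_SAMPLE = build_sector(b"", [(0x00, GPT_PROTECTIVE, 1, 0xFFFFFFFF)])
WIPED = bytes(SECTOR_SIZE)

if __name__ == "__main__":
    for name, sample in [("same", BASELINE), ("changed", CHANGED_CODE),
                         ("wiped", WIPED)]:
        print(name, compare_to_baseline(BASELINE, sample))
    print("gpt sample scheme:", parse_mbr(GPT_SAMPLE)["scheme"])
```

On a live system the input would be the first 512 bytes of the raw disk device, read with administrative rights, with the baseline captured while the machine is known to be clean.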


DeepSec 2018 Talk: Uncovering Vulnerabilities in Secure Coding Guidelines – Fernando Arnaboldi

Several government-related and private organizations provide guidance on how to improve the security of existing software as well as best practices for developing new code. These organizations include the Computer Emergency Readiness Team (CERT) Secure Coding Standards, Common Weakness Enumeration (CWE), Open Web Application Security Project (OWASP), and National Institute of Standards and Technology (NIST) Software Assurance Metrics.

Fernando’s talk will expose multiple underlying exploitable vulnerabilities in the secure code that follows the recommendations from each of these organizations. Even though these guidelines were created to improve software security, they may also inject side vulnerabilities due to a lack of proper analysis.

Within secure code snippets, reviewed by many and considered trustworthy by all, are issues that attackers could exploit to escape secure directories, abuse insecure hashing and encryption practices, or even expose applications to SQL injection attacks among others.

We asked Fernando a few questions about his topic of expertise.

Please tell us the top 5 facts about your talk.

  1. Secure coding guidelines may introduce vulnerabilities.
  2. Insecure practices range from insecure configurations to insecure implementations.
  3. Insecure recommendations are published by government, private and public organizations.
  4. The unwanted behaviours are a consequence of insecure and complex functionalities in software.
  5. Not all of the vulnerabilities will be detected by static source code analysers.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

Last year I analyzed how applications could defend themselves from attacks. To expose how the most secure applications could use an approach like this, I analyzed if it could be implemented on secure coding guidelines. When presenting my embedded defense talk at Ruxcon (2017) and OWASP (2018), I exemplified how attackers could bypass secure code snippets from secure coding guidelines.

Why do you think this is an important topic?

It is a funny oxymoron that there are vulnerabilities in the recommendations of secure coding guidelines.

Is there something you want everybody to know – some good advice for our readers maybe?

We need to start to perform peer reviews on the secure coding guidelines that we use and restrict insecure functionalities in software.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

Programming languages will start including fewer insecure functionalities. Restricting the existence of potential vulnerabilities and insecure functions will be more effective than analyzing what not to do.

 

Fernando Arnaboldi is a developer and a security consultant who specializes in penetration testing and code reviews on multiple platforms. He has focused his research on how programming languages can be used to exploit vulnerabilities and defended applications. He has presented his findings at security conferences such as Black Hat USA & Europe, DEF CON, OWASP AppSec USA & Europe, Ruxcon and HITB.
