Your iOS or Android smartphone can do a lot. „There’s an app for that!“ is also true for information security. So what can you do? We have seen smartphones used as an attack platform for penetration testing. You can use them for wardriving, and, of course, for running malicious software (next to „normal“ software which can do a lot too). At DeepSec 2013 Andre Gironda unlocked some of the mysteries of the iDevice and Android-device memory intrinsics, filesystem/process sandboxes, and the OO runtime by walking through the techniques, including common obfuscations. His talk is recommended to anyone interested in the capabilities of modern smartphones.
Penetration testing is much more than trying a couple of attacks and be done with it. The results matter, and you have to prepare them in a fashion they can be used afterwards. Putting defences to the test is not a matter of „yes, it works“ or „no, it doesn’t“. There are expectations of the customer. Furthermore you will run into situations which might not have been anticipated. Then there is the Art of Communication™. Missing means of communication or misuse of known means is widespread. At his presentation at DeepSec 2013 Alexey Kachalin put reporting and penetration testing into perspective. Listen to his talk and let himexplain you what’s hot and what’s not.
Controls blocking the flow of data are an important tool of defence measures. Usually you need to enforce your organisation’s set of permissions. There are even fancy gadgets available to help you cope with data loss in terms of unauthorised access. This only works in controlled environments. Fortunately the modern IT policy allows intruders to bring their own tools in order to circumvent security controls. Bring Your Own Device (BYOD) is all the fashion these days, and it really helps evading defence mechanisms. At DeepSec 2013 Georgia Weidman of Bulb Security LLC talked about what you can do with mobile devices and what you have to address when protecting your data. „…Companies are putting a lot of faith in these security mechanisms to stop the threats to mobile devices. In this talk we put
Attacking fortified positions head on looks good on the silver screen. Real life attackers have no sense for drama and special effects. Battering closed doors will get you nowhere fast. Instead modern adversaries take a good look at open doors and exploit them to get what they want. Security specialists know about the dangers of management interfaces (also known as backends). This is one main focus of denying unauthorised access. Once a backend is exposed, the consequences can be very fatal to your digital assets. At the DeepSec 2013 conference Shay Chen (Hacktics ASC, Ernst & Young) explained how attacks originating from backends look like and what attackers can do once they gained foothold.
Cell phones, especially the smart ones, become more and more part of your company’s infrastructure. These devices accumulate software (a.k.a. „apps“), authentication tokens, passwords, and a lot of data worthy of protection. While smartphone systems have their own protection mechanisms, not every one of them might work reliably. Chris John Riley explains in his presentation held at DeepSec 2013 why „secure“ containers on Android phones might not be as secure as advertised. Please make sure that you show this presentation to anyone riding the „BYOD“ train. You might want to rethink what you let your users put on their phones.
System administrators and information security researcher often have to deal with appliances. Almost every organisation and company has a couple of magical black boxes sitting around. Usually they are connected to the network, and they do important stuff (such as filtering things, checking content, and the like). In the old days testing these appliances for their security record was hard. You had to open it, do a lot of tedious reverse engineering in order to understand how it works, and then conduct your tests to do your analysis. Fortunately the future is here, and so is a new form factor: virtual appliances! At DeepSec 2013 Stefan Viehböck of SEC Consult will talk about the advantages of having a virtual appliance to deconstruct. Virtual appliances aren’t very different from their embedded cousins, judged from the
Bluetooth has been around for a while. Hackers and security researchers (such as trifinite.org and others) immediately investigated the weaknesses of protocol and implementations – The specifications have evolved, but so has the proliferation of Bluetooth-capable devices. Smartphones, dumb phones, computers, bulletin boards, media players, tablets, game consoles, headsets, and many more support Bluetooth wireless communication. Even though bugs of the past were fixed, the widespread capabilities of devices allow for a lot of creative use by adversaries. At DeepSec 2013 Verónica Valeros and Garcia Sebastian will give you an update about Bluetooth hacking and your exposure to attackers. When we think about our own privacy, we usually think of our private data, passwords, personal stuff, web pages we have accessed or phone calls we have made. Information about our behaviour in real life (where
Since one of the focus topics of DeepSec 2012 deals with mobile computing and devices, we asked Andreas Kurtz to elaborate on his presentation about pentesting iOS apps: „Apple’s iPhone and iPad are quite trendy consumer devices, and have become increasingly popular even in enterprises nowadays. Apps, downloaded from the AppStore or developed in-house, are supposed to completely change and optimize the way of work. Suddenly, managers have access to business intelligence information, data warehouses and financial charts on their mobile devices: Apps are used as front ends to executive information systems and, thus, are carrying around loads of sensitive data. At a first glance it seems, that there’s nothing new on it. Indeed, it is quite common to remotely access critical business data. However, the popularity of mobile devices, combined with the sensitive
Your SAP installation is probably the most critical system in your company’s infrastructure. At the same time the informations accessed and processed by SAP systems origin from many sources. Securing infrastructure with this complexity is not an easy task, and testing your security measures requires a great deal of knowledge and training. In addition your will probably run web services talking to your SAP system – which is quite handy for attackers. In case you are short on knowledge about your own SAP deployment, there’s help. There will be an SAP security workshop at DeepSec 2012! The SAP Security In-Depth training will show you how to find out if your SAP infrastructure is secured. Knowing about segregation of duties and securing roles and profiles is fine in theory, but you have to make sure
If eyes are the window to your soul, then web applications are the gateways to your heart. Of course this is only a figure of speech, but once you take a look at security incidents and the role of web applications, then you get the idea of the analogy. Web applications are everywhere. It’s not always about your favorite intranet application. A lot of devices run web applications, too. And there are portals which really give you access to a whole variety of information and services. Speaking of services, you can have application programming interfaces (APIs), too. APIs usually do not talk to humans, but maybe they can be automated to do Bad Things™. This is where penetration testing comes in. Ari Elias-Bachrach will teach you how to approach web applications in the context
DeepSec 2012 covers SAP in-depth, and we decided also to include a presentation on how to test/pen-test SAP installation. Dave Hartley will give you an overview about how to approach SAP, show you what you can do, and probably achieve complete compromise of insecure and misconfigured SAP environments by pressing buttons. ☺ SAP systems can incorporate many different modules ERP, ECC, CRM, PLM, SCM, SR, … that are installed on multiple operating systems (UNIX, HP-UX, Linux and Windows etc.) which in turn rely on many different back end databases (DB2, Sybase ASE, Oracle, MS SQL, MaxDB and Informix). There are also many different versions/application stacks (SAP Netweaver 7.1 ABAP AS, 7.2 ABAP/Java AS, 7.3 ABAP/Java AS, …). Basically SAP systems often consist of very complex architectures and employ a myriad of integration choices in order to
SAP products are very widespread in the corporate world. A lot of enterprises run SAP software for a whole variety of purposes. Since enterprises feature many levels of interconnection, there is also a great deal of exposing going on. Usually you do this by means of using portals. The term „portal“ is a trigger for penetration testers, because portals are the gateways to curiosity – and probably compromises. This may give an attacker access to systems that store all informations about your company and process all critical business transactions. You now have compelling reasons to attend DeepSec 2012 for we have a collection of SAP security talks and a workshop for you. Alexander Polyakov talks about how to attack SAP Portal. It is usually connected to the Internet. In turn the Internet is connected
Metasploit is one of the major tools used by security researchers and security administrators when it comes to testing security or verifying the operation of intrusion detection/prevention systems. It is also used by penetration testers when trying to circumvent defences and to insert payloads into compromised systems. Everyone dealing with the implementation of security measures is well advised to learn how Metasploit works, how it can be extended and how it can be used to its full potential. Point and click is a nice theory, but when it comes to information security you probably want to know what you are really doing. We therefore invite you to take a look at this workshop held at DeepSec 2012: In the Penetration Testing with Metasploit training you will learn hands on skills that come in to
I watched „Bolt“ with my daughter yesterday. She’s still young and needed some time to distinguish fiction from reality, just like Bolt himself. If you regularly use (security) tools, then you might get a bit jealous about all these super-science skills and gadgets. This is especially true when it comes to the toys of James Bond. These questions arise: Does your software think it has super-powers, and when do we get these cineastic power tools on steroids just like in the films? Kizz MyAnthia of Halock Security Labs will address both questions in his talk at DeepSec 2011. There’s no doubt about it, you want these super-tools. We all do. So when do we get them? Well, soon or maybe never, but if you deal with information security (or vice versa) you have to
Web browsers have turned into industrial standard software. There’s no office, no company, no network, no client any more that does not use web browsers for at least one task. Any attacker can safely assume that browser software will be present in most target networks. Sadly browser security has not kept up with the spread of web browsing software. Browser security is still one of the trickiest challenges to afford nowadays. A lot of efforts has been spent on mitigating browser exploitation from heap and stack overflows, pointers dereference and other memory corruption bugs. On the other hand there is still an almost unexplored landscape. X-Frame-Options, X-XSS-Protection, Content Security Policy, DOM sandboxing are good starting points to mitigate the XSS plague, but they are still not widely implemented. An explorer willing to look for