Defense & Management Day 2

TROOPERS16 offered many different speakers from around the globe. Below are three different talks from the afternoon of Day 2’s Defense and Management Track. 


The TROOPERS16 talk “Attacking & Protecting Big Data Environments” presented the research of Birk Kauer and Matthias Luft, (ERNW) in which they showed how enterprise-grade “big data” environments, based on e.g. HortonWorks or Cloudera, comprising of components such as HDFS, Yarn, Hue, Flume, Hive, Spark, Sentry/Ranger could be attacked. These environments typically process huge amounts of data. The data is either stored in a cluster file system or streamed into clusters. The processing of these datasets are done by jobs, and these jobs can be arbitrary code execution.

The two researcher gave a detailed overview how these environments handle the huge amounts of data as well as which tasks the different components have, and how they communicate with each other.

Besides the theoretical technical stuff and technical definitions, they also showed some demos. The demos gave quite a good impression for how the processing of the datasets can be abused, either by accessing arbitrary data or gaining access to the underlying operating system of a cluster.

At the end of the talk the researchers also described the relevant hardening measures and architectural considerations to prevent the demonstrated attacks.

Please click for Slides and Video


The talk “How to Implement an SDL in a Large Company” gave an inside overview about implementing a secure development lifecycle (SDL) from the perspective of Arne Lüdtke and his colleagues at Bosch. SDL is a software development process that should help software developers build more secure software and address security compliance requirements while reducing development cost.

The speaker discussed many real life examples which he and his team were faced with during the whole process. At the same time he tried to explain that the word “security” can be interpreted in different ways, depending on who is currently involved. So, in addition to the defining process of technical standards, it’s also a lot about creating security awareness by the different involved persons.

Please click for Video


The talk “Russian attack: Live demos of their steps, tools, techniques” described the basic steps of Russian crimeware, including the tools and used techniques. The talk didn’t cover the basics like what’s an exploit, what are exploit kits, what are TDSs, etc… but focused more on understanding the process behind the crimeware.

The two researchers Sun Huang and Wayne Huang are from the company Proofpoint. They presented a very detailed overview how the thread actors work and what they are capable of. The talk almost contains the complete toolchain in source format. Which was very insightful, especially the fact that they currently are not capable of developing exploits themselves. They are completely dependent on known exploit kits.

But what they have obviously understood well, is how to build a reasonable and manageable business model around this topic. Exploited machines as a services :).

Please click for Video


Thanks for reading and see you at TROOPERS17

Dominik Phillips