TROOPERS16 was packed with epic talks from around the world, an unknown evil twin brother appearing, hands-on trainings, and a legendary year for our TROOPERS Charity efforts! If you were there you might be wondering to yourself how could they possibly top it? Well, I am going to let you in on a little secret: Next year is the 10th edition of TROOPERS. One DECADE of TROOPERS, and we are pulling out all the stops! Starting with the announcement of the first 5 talks!
Mikhail Egorov FIRST TIME TROOPERS SPEAKER: Unsafe JAX-RS: Breaking REST API
Using RESTful web services to build a web application's API is common nowadays. Java EE includes the JAX-RS API for building RESTful web services. Several JAX-RS implementations exist; the most popular are RESTEasy, Jersey, and Apache CXF.
The author investigated the security of the RESTEasy, Jersey, and Apache CXF JAX-RS implementations and identified weaknesses and vulnerabilities that lead to practical attacks against JAX-RS applications. Red Hat Product Security assigned CVE-2016-7050, CVE-2016-6346, CVE-2016-6345, CVE-2016-6348, and CVE-2016-6347 to the vulnerabilities found in RESTEasy during the research. The research covers entity provider selection confusion attacks, CSRF attacks, DoS attacks, information disclosure attacks, XSS attacks, and more. As a result of the research, the author developed the “Unsafe JAX-RS” extension for Burp Suite, which helps identify vulnerabilities in JAX-RS applications.
BIO: Mikhail Egorov is an independent security researcher, bug hunter, and conference speaker. His main interests lie in web application security, mobile security, practical cryptography, and reverse engineering. He has been acknowledged by Adobe, Oracle, and Red Hat for finding vulnerabilities in their products, and has spoken at the Hack In The Box, Zero Nights, and PHDays security conferences.
Mikhail graduated from Bauman Moscow State Technical University with a master's degree in information security. He has about ten years of working experience in information security and programming. He now works for Ingram Micro as an application security engineer.
Graeme Neilson: Vox Ex Machina
Speaker verification (authentication using voice biometrics) systems are already in use by banks and other financial institutions. Voice recognition systems are becoming more and more common, in systems ranging from home IoT devices and cars to mobile and desktop operating systems. Speaker verification therefore appears to be a likely method of interacting with these devices in the future.
The talk will present a methodology for testing the security of speaker verification systems, including developing tools and exploring the types of attacks possible against voice biometric authentication systems. The results of attacks against a variety of speaker verification APIs will be discussed, along with live demos and a tool release.
BIO: Graeme Neilson, Chief Research Officer, RedShield Security. https://www.redshield.co
JP Aumasson & Markus Vervier: Hunting For Vulnerabilities in Signal
Signal is the most trusted secure messaging and secure voice application, recommended by Edward Snowden and the Grugq. And indeed, Signal uses strong cryptography, relies on a solid system architecture, and you've never heard of any vulnerability in its code base. That's what this talk is about: hunting vulnerabilities in Signal.
We will present vulnerabilities found in the Signal Android client, in the underlying Java libsignal library, and in example usage of the C libsignal library. Our demos will show how these can be used to crash Signal remotely, to bypass the MAC authentication for certain attached files, and to trigger memory corruption bugs.
Combined with vulnerabilities in the Android system, it is even possible to remotely brick certain Android devices. We will demonstrate how to initiate a permanent boot loop via a single Signal message. We will also describe the general architecture of Signal, its attack surface, the tools you can use to analyze it, and the general threat model for secure mobile communication apps. Open Whisper Systems, which maintains Signal, rapidly acknowledged and fixed the vulnerabilities.
BIO: Jean-Philippe (JP) Aumasson is Principal Research Engineer at Kudelski Security. He designed the popular cryptographic functions BLAKE2 and SipHash, and initiated the Crypto Coding Standard and the Password Hashing Competition that developed the Argon2 algorithm. He has spoken at Black Hat, DEFCON, RSA, CCC, SyScan, and Troopers about applied cryptography, quantum computing, and platform security. He published the 2015 book “The Hash Function BLAKE”, and will publish a new book about cryptography in 2017. JP tweets as @veorq.
BIO: Markus Vervier is a security researcher from Germany. Software security is his main focus of work. During the last 15 years he has gained professional experience in offensive IT security, working as a penetration tester and security consultant for highly regarded companies. This experience, combined with his personal passion for security research, led him to start his own company in 2015. Besides his daily security work, he actively pursues security research and regularly discovers high-profile vulnerabilities, such as the recent libotr heap overwrite.
Matt Graeber & Casey Smith: Architecting a Modern Defense using Device Guard
With the relentless proliferation of compiled and script-based malware, trusting prevention and detection to antivirus solutions alone simply won't cut it. The only truly effective method of blocking binaries and scripts on a host is a robust whitelisting solution. Device Guard is one such solution, provided by Microsoft for Windows 10 and Server 2016, and if implemented properly it can eliminate an entire suite of attacks your organization may face.
Device Guard, like any other whitelisting solution, will never be impervious to bypasses. A robust solution will, however, provide mechanisms to block known bypasses. Device Guard provides such functionality, in addition to features that can effectively block rogue administrators from altering policies or disabling the service.
In this talk, we will discuss the configuration and deployment of an aggressive whitelisting policy, bypasses of the policy through exploitation of trusted applications, and mitigation strategies for effectively blocking such bypasses. We will also explain our methodology for uncovering bypass techniques to help better prepare your organization.
BIO: Matt Graeber (@mattifestation) is the Manager of Research with Veris Group's Adaptive Threat Division. He has a passion for reverse engineering, PowerShell, and advocating the “living off the land” philosophy: tradecraft that makes heavy use of built-in, trusted applications.
BIO: Casey Smith (@subTee) is a Researcher with Veris Group's Adaptive Threat Division. He has a passion for understanding and testing defensive systems.
Christopher Truncer & Evan Peña FIRST TIME TROOPERS SPEAKER: Windows 10 – Endpoint Security Improvements and the Implant since Windows 2000
Windows 10 and Server 2016 provide defensive technologies out of the box that can be used to secure the endpoints within your domain. Both operating systems give administrators granular control over how best to administer and defend their network, and in the opinion of the speakers, one of the best new defensive technologies provided by these operating systems is Device Guard.
Device Guard is Microsoft's latest defensive addition that allows administrators to defend their domain against malware. Device Guard is designed to work together with AppLocker and enables administrators to customize how and whether applications are allowed to run on endpoints within their domain. This can be based on file name, hash, PCA certificate, or more. We will talk about Device Guard and how it is used, demo deploying Device Guard, and create a couple of sample deployment configurations. We want attendees to walk away from this part of our talk with an idea of how they can immediately improve their defenses.
This talk also wouldn't be complete without looking at these same technologies from an attacker's perspective! We've been analyzing Device Guard configurations and how we expect them to be deployed in the field, and have worked to develop a tool that can help attackers not only in today's Windows 7 environments, but also in future Server 2016 and Windows 10 domains. Developing a multifaceted tool in PowerShell was critical because we wanted maximum functionality, flexibility, and impact. This talk will conclude with the release of our tool.
BIO: Christopher Truncer (@ChrisTruncer) is a red teamer with Mandiant. He is a co-founder and current developer of the Veil-Framework, a project aimed at bridging the gap between advanced red team and penetration testing toolsets. Chris began developing toolsets that are not only designed for the offensive community, but can also enhance the defensive community's ability to defend their networks. Chris has spoken at various industry conferences, including TROOPERS16!
BIO: Evan Peña is a Principal Consultant and red team lead for Mandiant's West Region. Evan has years of experience in enterprise information technology administration, leading covert red team operations to evaluate incident response procedures, and assessing enterprise network defense capabilities from the perspective of an attacker. In addition, Evan participates in diverse security assessments of large government agencies and Fortune 500 companies, whose networks consist of an online presence spanning hundreds of thousands of addresses around the world.