It is the end of the year and we are hoping it is not too hectic a time for you all! But if it is, hopefully the announcement of our next round of TROOPERS17 talks is enough to get you in the TROOPERS (if not the holiday) spirit 🙂
Francis Alexander & Bharadwaj Machiraju: How we hacked Distributed Configuration Management Systems
With the increasing need for distributed applications, coordination and configuration management tools for this class of application have appeared. These systems occasionally show up during penetration tests. The major focus of this research was to find ways to abuse these systems as well as to use them for getting deeper access to other systems.
The talk deals with how we came across and exploited different configuration management systems during our pentests. The outline of the talk is:
- Introducing different distributed configuration management tools like Apache Zookeeper, HashiCorp Consul & Serf, CoreOS Etcd.
- Discussing multiple ways of fingerprinting these systems.
- Exploiting generic misconfigurations to increase the attack surface.
- A 0-day in Zookeeper and genuine features within these frameworks.
- Using third-party plugins of DCMs for better attacks.
- Automating the attacks with the help of an open source tool which can be used for scanning, fingerprinting and leveraging these systems.
BIO: Francis Alexander is an Information Security Researcher and the author of the NoSQL Exploitation Framework. He has a strong vision of Free & Open Information Security Education for all. His areas of interest include web app & standalone app security, DBMS security, coding tools and fuzzing. He has spoken at multiple conferences such as HITB AMS 2014, Hack in Paris 2014, 44Con 2014, Derbycon USA 2013, Defcon Kerala and Defcon Bangalore. All his tools are available at github.com/torque59
BIO: Bharadwaj Machiraju is project leader for OWASP OWTF. He is mostly found either building a web appsec tool or hunting bugs for fame (hackerone.com/tunnelshade). All tools are available at https://github.com/tunnelshade and all ramblings at blog.tunnelshade.in. He has spoken at a few conferences, notably Brucon and Pycon India. Apart from information security, he is interested in sleeping, mnemonic techniques & machine learning.
Martin Gallo: Intercepting SAP SNC-protected traffic
SNC (Secure Network Connections) is SAP’s standard security mechanism for protecting communications from clients to servers and between SAP servers. This security layer works with SAP protocols like RFC or DIAG and strengthens their security by using additional security functions. While not enabled by default, its adoption has increased since SAP started shipping it in all kernel versions. It can now be observed implemented in large and small organizations to prevent active attackers or eavesdroppers.
This talk will introduce the details of this security layer, dissecting the packets and messages and showing how SNC relates to each of the protocols that are protected using it. We’ll also review the main security characteristics and explore the attack surface exposed.
Getting crypto to work in the right way always presents some challenges, and doing it in complex environments like SAP systems might be even harder. We’ll demonstrate what could go wrong by using an interception attack implementation on some particular configuration scenarios, and end up with some recommendations on how to improve SNC configuration.
BIO: Martin Gallo is Penetration Testing SME at Core Security, where he applies his experience in penetration testing, code reviews and vulnerability hunting to the continuous improvement of the company’s services and products. His research interests include enterprise software security, vulnerability research, threat modeling and reverse engineering. Martin has given talks at Troopers, Brucon and Defcon conferences.
Talks@TROOPERS:
- SAP’s Network Protocols Revisited (2014)
- HoneySAP: Who really wants your money (2015)
- Deep-dive into SAP archive file formats (2016)
Veronica Valeros @verovaleros : Hunting Them All
Threat hunting is a fascinating field that, based on the premise of ‘assuming compromise’, intends to find and identify existing threats in a given network. Looking for threats in a network is challenging, as you assume that the unknown threat you are looking for has already bypassed all the security mechanisms in place. Can you imagine doing threat hunting at big scale? Now imagine doing threat hunting at a really big, big scale.
This talk will walk you through my experience as a threat hunter in hundreds of networks simultaneously, covering more than a million hosts. I will explain how the right combination of different Machine Learning techniques makes this possible, and also the challenges and limitations we often face when working with big data. The talk will be illustrated with the methodologies used and a technical explanation of novel findings from the 2 years of hunting I’ve experienced.
If I have the data, can I hunt them all? Join me in my attempt to hunt them all.
BIO: Veronica is a security researcher from Argentina. She graduated in 2013 with a Master’s degree in Computer Science from FASTA University. She has worked independently on different projects involving data analysis, machine learning and malware sandboxing. Since 2013 she has been part of the Cognitive Threat Analytics team at Cisco Systems. She specializes in malware network traffic analysis, network behavioral patterns and threat categorization. An important part of her role consists of collaborating with other teams in order to find and confirm new threats.
James Forshaw: Demystifying COM
The Component Object Model has been part of Windows for over 20 years. In that time it has gained new abilities such as remoting with DCOM and a service component model with COM+, and it forms the bedrock of the WinRT library used by Universal Windows Applications. This presentation will give an overview of how COM works, what secures it, and how you can go about inspecting the attack surface of COM for privilege escalation, remote code execution or persistence.
BIO: James is a security researcher in Google’s Project Zero. He has been involved with computer hardware and software security for over 10 years, looking at a range of different platforms and applications. With a great interest in logical vulnerabilities, he has numerous disclosures in a wide range of products, from web browsers to virtual machine breakouts, as well as being a Pwn2Own and Microsoft Mitigation Bypass bounty winner. He has spoken at a number of security conferences including Black Hat USA, CanSecWest, Bluehat, HITB, and Infiltrate.
Talks@TROOPERS:
Dmitry Sklyarov: Intel ME: The Way of the Static Analysis
Intel Management Engine (ME) technology has been known for more than 10 years (since 2005), but it seems to be impossible to find any official information about ME on the Internet. Fortunately, some excellent studies have been published in recent years. But all of them deal with ME 10 and earlier, while modern computers implement ME 11 (introduced in 2015 for the Skylake microarchitecture). In our presentation we will try to fill the gap in knowledge about ME 11.x and deliver findings that can be obtained with static analysis of firmware updates and tools available on the Web.
BIO: Dmitry Sklyarov is a Security Researcher at Elcomsoft and a lecturer at Moscow State Technical University. He has done research on the security of eBooks and on the authentication of digital photos. Recent research projects involved mobile phone and smartphone forensics. Dmitry is also a co-developer of the Elcomsoft iOS Forensic Toolkit.
Twitter: @_dmit
Talks@TROOPERS:
Arrigo Triulzi, @cynicalsecurity: Malebolge on Setun
Malebolge is a ternary programming language which takes its name from Dante’s Inferno. In, obviously, exactly 33 slides we aim to show what happens when you port this language to the Setun, a Soviet ternary mainframe (sadly now defunct, except for emulators).
It is a talk about weird machines, thinking beyond the status quo and exploring long lost beautiful ideas in the history of computing.
BIO: Independent security consultant, working in ITsec since 1986. I’ve done a bit of research on firmware and microcode, had a (failed) dNIDS startup around the dot.com boom (http://www.k2defender.com; if you want to buy the source code & patents they are “for sale”, and it supports IPv6 too despite the era), was previously a Pure Mathematician (Algebra), then a Computational Mathematician (Computer Algebra) while paying for my living doing security gigs. Now based in Geneva, Switzerland.
Talks@TROOPERS:
- Pneumonia, Shardan, Antibiotics and Nasty MOV: a Dead Hand’s Tale (2015)
- The Chimaera Processor (2016)
You can also register for TROOPERS17 with our Early Bird rate which is available until December 31, 2016, and don’t forget to check out our kickass training agenda for March 20th & 21st, 2017! What makes a better holiday present than the gift of leveling up on your skills?
Happy Holidays,
Your TROOPERS Team