3rd Round of TROOPERS17 Talks

We had to make some tough choices regarding our TROOPERS17 Main Conference Agenda. Thank you again to everyone for submitting! The full agenda will be published later this week, but for now here is the next round of talks!

Ivan Pepelnjak: Securing Network Automation
If you have operational experience in running large networks then you’re probably yearning to replace the traditional way of managing individual network devices via SSH with something better and more reliable. Software Defined Networking (SDN) was touted as the all-encompassing solution, but what we got instead is a heap of academic ideas, several platforms that require as much investment as an SAP deployment, and a bunch of proprietary products focused more on increasing lock-in and vendor revenue than solving operational problems.

It’s time we learn from the Unix playbook and start building our network automation solutions from small reusable components… but can we make such a solution secure and reliable? Can we still protect the network from misconfiguration, management-plane attacks, or automation-caused failures? This presentation will discuss the security and reliability challenges of network automation, and describe a few potential solutions.

BIO: Ivan Pepelnjak, CCIE#1354 Emeritus, has been designing and implementing large-scale service provider and enterprise networks as well as teaching and writing books about advanced technologies since 1990. He’s the author of several Cisco Press books, prolific blogger and writer, occasional consultant, and creator of a series of highly successful webinars.


Dominic Spill & Michael Ossmann: Exploring The Infrared World, Part 2

There have never been more infrared signals, from the remote control toys and televisions that we all know, to audio distribution systems and unintentional emissions from electronic equipment.

Reusing existing receivers has allowed researchers to decode IR signals in the past. However, that technique lacks the ability to detect arbitrary communication signals without prior knowledge of protocol. This is exactly the type of problem that we solve every day with Software Defined Radio (SDR), so we decided to apply those Digital Signal Processing techniques to Infrared.

Using low cost open source hardware of our own design, we have been able to apply our traditional wireless reverse engineering techniques to infrared signals, giving us the opportunity to sniff and inject. In this second part in a series we will show entirely new infrared systems that we have investigated and demonstrate the ways in which our hardware platform can meddle with them.

BIO: Dominic Spill is a senior security researcher for Great Scott Gadgets. The US government recently labelled him as “extraordinary”. This has gone to his head.


BIO: Michael Ossmann is a wireless security researcher who makes hardware for hackers. He founded Great Scott Gadgets in an effort to put exciting, new tools into the hands of innovative people.


Dmitry Sklyarov: Intel ME: The Way of the Static Analysis

Intel Management Engine (ME) technology has been known for more than 10 years (since 2005), but it seems to be impossible to find any official information about ME on the Internet. Fortunately, some excellent studies have been published in recent years. But all of them deal with ME 10 and earlier, while modern computers implement ME 11 (introduced in 2015 for the Skylake microarchitecture). In our presentation we will try to fill the gap in knowledge about ME 11.x and deliver findings that can be obtained with static analysis of firmware updates and tools available on the Web.

BIO: Dmitry Sklyarov is a Security Researcher at Elcomsoft and a lecturer at Moscow State Technical University. He has done research on the security of eBooks and on the authentication of digital photos. Recent research projects involved mobile phone and smartphone forensics. Dmitry is also a co-developer of the Elcomsoft iOS Forensic Toolkit.

Kelly Shortridge: Volatile Memory: Behavioral Game Theory in Defensive Security

This presentation will explore some of the teachings from the young field of behavioral game theory, which empirically measures how humans behave in games, as an improvement upon prior discussions involving traditional Game Theory models in which humans are considered perfectly rational. I will use behavioral game theory to examine how people’s natural cognitive biases lead to sub-optimal behavior in their decision-making processes in adversarial games – and specifically processes related to playing defense in the information security “game.”

I will detail various sorts of games in which this sub-optimal performance manifests, how humans cognitively approach these games and touch on some of the algorithms, such as self-tuning EWAs, that help predict how people will behave in certain defender-attacker-defender (DAD) games. Finally, I will explore what sort of strategies and counter-measures can be implemented to improve defense’s performance in DAD games, incorporating techniques such as belief prompting, improved incorporation of information and decision trees.

BIO: Kelly is currently Threat Analytics Product Manager for BAE Applied Intelligence. She previously was co-founder and COO of IperLane, a mobile monitoring and access control startup. Prior to IperLane, she was an investment banking analyst at Teneo Capital responsible for coverage of the data security, intelligence and analytics sectors, advising clients on M&A and capital raising assignments.

She graduated from Vassar College with a B.A. in Economics and was awarded the Leo M. Prince Prize for Academic Achievement. In her spare time, she enjoys practicing Krav Maga, world-building, weight lifting, reading sci-fi novels and playing open-world RPGs.

Nahuel Sanchez & Gaston Traberg: SAP Netweaver: How to get around the Circle of trust

SAP Netweaver is one of the most important platforms developed by SAP. It supports all of the business-critical processes companies depend on such as payroll, sales, invoicing, production and others.

During this presentation, we will analyze different parts of the SAP Netweaver platform such as SAP Message Server, the ABAP application server and the SAP Gateway. We will also discuss how these components communicate with each other, the relationships between them, and how an attacker can exploit these relationships.

SAP has been improving their default security settings, making it harder for an attacker to exploit systems by default without any user interaction. This probability is even smaller if reliable operating system command execution is added to the equation.

Going deeper in this relationship, we have found a new attack vector that appears to complete the circle of trust: how an attacker can execute commands leveraging the trust that the SAP system has in the registered application servers.

We will end our presentation by showing this new attack. Combining known vectors with new techniques, this attack allows attackers to obtain network access to the system, enabling them to fully compromise the SAP platform. It affects SAP Netweaver from versions 7.2 up to 7.5, and still exists within the default security settings on this platform.

BIO: Nahuel D. Sanchez is a security researcher at Onapsis. Being a member of Onapsis Research Labs, his work focuses on performing extensive research of SAP products and components, identifying and reporting security vulnerabilities, attack vectors and advanced exploitation techniques that are applicable to different platforms. Nahuel is one of the most frequent reporters of vulnerabilities in SAP products and is a frequent author of the publication “SAP Security In-Depth”, and has also spoken at different security conferences such as Ekoparty, 44con, Troopers and others. He previously worked as a security consultant, evaluating the security of Web applications and participating in Penetration Testing projects. His areas of interest include Web security, reverse engineering, and the security of Business-Critical applications.


BIO: Gaston is a Security Researcher at the Onapsis Research Labs. He holds a computer degree from Universidad Nacional de La Plata (UNLP), where he worked for more than six years in the CERT Team, handling computer security incidents in the university infrastructure. Before joining Onapsis he also worked as an Ethical Hacker for several companies. Currently, he works on discovering security vulnerabilities in SAP and Oracle and creating detection rules for ERP attacks for Onapsis Security Platform.

You can also register for TROOPERS17 with our Early Bird rate which is available until December 31, 2016, and don’t forget to check out our kickass training agenda for March 20th & 21st, 2017! What makes a better holiday present than the gift of leveling up on your skills?

Happy Holidays,