At first a very happy new year to all our readers!
Today we announce the third round of Troopers 2014 talks (first round here, second here).
Here we go:
===
Daniel Mende: Implementing an USB Host Driver Fuzzer FIRST TIME MATERIAL
Abstract: The Universal Serial Bus (USB) can be found everywhere these days, be it to connect a mouse or keyboard to the computer, to transfer data on a flash drive connected via USB or to attach some additional hardware like a Digital Video Broadcast receiver. Some of these devices use a standardized device class which is served by an operating system default driver, while other, special-purpose devices do not fit into any of those classes, so vendors ship their own drivers. As every vendor-specific USB driver installed on a system adds additional attack surface, there needs to be some method to evaluate the stability and the security of those vendor-proprietary drivers. The simplest way to perform a stability analysis of closed-source products is the fuzzing approach. As there have been no publicly available tools for performing USB host driver fuzzing, I decided to develop one ;-), building on Sergey’s and Travis’ legendary Troopers13 talk. Be prepared to learn a lot about USB specifics, and to see quite a number of blue screens and stack traces on major server operating systems…
Bio: Daniel Mende is an ERNW security researcher specialized in network protocols and technologies. He is well known for his routing protocol attack tool LOKI, the DIZZY fuzzing framework and a bunch of testing tools from the 3GPP domain. He has presented on protocol security on many occasions including Troopers, Blackhat, CCC, HackInTheBox and ShmooCon. Usually he releases a new tool when giving a talk.
===
Martin Gallo: SAP’s Network Protocols Revisited FIRST TIME MATERIAL
Abstract: What network protocols does my SAP system use? Are those services secure from a network perspective? Are old and well-known attacks still relevant? What’s the remote attack surface of my SAP environment? Do I really know my level of exposure? Are there tools available to assess the security of the services?
This talk is the result of my journey trying to answer these questions and understanding how the different SAP network protocols work, after spending some of my spare time during the last months working on expanding my knowledge about the network attack surface of SAP systems, reversing some of the protocols and implementing tools and libraries to work with them.
The talk will bring some details and realistic attack vectors regarding the different network protocols available on both new and classic SAP installations. Some hardening and mitigation ideas will be discussed, aimed at increasing the defenses against these threats and attacks.
Bio: Martin Gallo is Security Consultant at CORE Security, where he performs application and network penetration testing, conducts code reviews and identifies vulnerabilities in enterprise and third party software. His research interests include enterprise software security, vulnerability research and reverse engineering.
Previous talks:
– Uncovering SAP vulnerabilities – Reversing and breaking the Diag protocol, BruCon 2012 / Defcon XX
Advisories published:
– CORE-2012-1128 – SAP Netweaver Message Server Multiple Vulnerabilities
– CORE-2012-0123 – SAP Netweaver Dispatcher Multiple Vulnerabilities
Tools released:
– pysap
– SAP Dissection plug-in for Wireshark
Articles published:
– http://blog.coresecurity.com/2013/02/14/sap-netweaver-message-server-security-advisory/
– http://blog.coresecurity.com/2012/07/19/erp-security-sap-infrastructure-pentest-notes/
– http://blog.coresecurity.com/2012/05/09/core-labs-discovery-of-six-vulnerabilities-within-sap-netweaver/
===
Stefan Schumacher: Psychology of Security
Abstract: IT Security is often considered to be a technical problem. However, IT Security is about decisions made by humans and should therefore be researched with psychological methods. Technical/Engineering methods are not able to solve security problems.
In this talk I will introduce the Institute’s research programme about the Psychology of Security. We are going to research the psychological basics of IT security, including: How do people experience IT security? How are they motivated? How do they learn? Why do people tend to make the same mistakes again and again (Buffer Overflow, anyone?)? What can we do to prevent security incidents? Which curricula should be taught about IT security?
Bio: Stefan Schumacher is the Head of the Magdeburger Institut fuer Sicherheitsforschung and Editor of the Magdeburger Journal zur Sicherheitsforschung. He studied Educational Science and Psychology and is currently managing the research project Psychology of Security.
His research interest focuses on Social Engineering, Security Awareness and Qualitative Research about the Perception of Security. He is also an Assistant Lecturer at the University Magdeburg.
He has been involved in the Hacker and Open Source Scene (NetBSD) for the last 20 years. He gave more than 140 public talks in the last 10 years at conferences like DeepSec Vienna, DeepIntel, Chaos Communication Congress, Chaos Communication Camp, Chemnitzer Linux-Tage, Datenspuren, LinuxDays Luxembourg, DGI Forum Wittenberg, GUUG FFG, ILA etc. and published several articles and a book on IT and Security Policy.
A full list of publications and talks can be downloaded at
http://www.kaishakunin.com/bib/Stefan-Schumacher-Bibliographie-Liste.pdf
http://www.kaishakunin.com/bib/Stefan-Schumacher-Vortraege.pdf
===
Attila Marosi: Easy Ways To Bypass Anti-Virus Systems
Abstract: All IT security professionals know that antivirus systems can be avoided. But few of them know that it is very easy to do. (If it is easy to do, its impact is huge!) In this presentation I will, on the spot, fully bypass several antivirus systems using basic techniques! I will bypass: signature detection, emulation/virtualization, sandboxing, firewalls. How much time (development) is needed for this result? Not more than 15 hours without a cent of investment! If I could do this, anyone can do this… so I think we have to focus on this problem.
Using these easy techniques I can create a ‘dropper’ that can deliver any kind of Metasploit (or anything else) shellcode and bypass several well-known antivirus products in real life and fully bypass VirusTotal.com detection with a detection rate of 0.
In my presentation I use 6 virtual machines and 9 real-time demos. As a result, the audience always has great fun and is surprised when they see the most well-known systems fail – and the challenges the AVs cannot solve are ridiculously simple and old. So IT professionals might think too much about the systems which they rely on and which cost so much.
Bypassed AntiVirus Systems:
F-Secure, AVG, NOD32 6 and 7, avast!, Kaspersky, Trend Micro, McAfee…
Educational value of the topic:
– We look at how the virus writers develop their codes.
– We will develop a puzzle which may distract the AV virtualization engine to avoid the detection.
– We will develop code to encrypt/decrypt our malicious shellcode.
– We will look at which built-in Windows functions help the attacker to inject malicious code into a victim process and we try it. (We will use iexplorer.exe to bypass the firewall.)
– We will look at what solutions are often used to avoid the sandbox.
– Learn the difference between metamorphic and polymorphic code. I wrote a Python script which can create a metamorphic version from a byte code. We will test it in real time and it will be a real challenge for the AVs.
Bio: Attila Marosi has been working in the information security field since he started working. As a lieutenant on active duty he worked for years on special information security tasks occurring within the SSNS. Recently he was transferred to the newly established GovCERT-Hungary, which is an additional national level in the internationally known system of CERT offices. He has several international certificates such as CEH, ECSA, OSCP, OSCE. During his free time he also gives lectures and does some teaching on different levels, on top of them for white hat hackers. He has presented at many security conferences including Hacker Halted, DeepSEC and Ethical Hacking.
===
Job de Haas: 20 Ways past Secure Boot
Abstract: This talk presents an overview of all things that can go wrong when developers attempt to implement a chain of trust, also called ‘secure boot’. This talk is not so much focused on things like UEFI and Microsoft lockdown, but more on the general application in pay-tv, gaming and mobile devices. On both sides of the fence secure boot is a vital mechanism to understand.
Starting out from design mistakes, we look at crypto problems, logical and debug problems and move towards side channel problems such as timing attacks and glitching. All problems will be illustrated with either public examples or the presenter’s experiences. To illustrate the practicality, an electromagnetic glitch attack will be demonstrated.
Bio: Job de Haas holds an M.Sc. in Electrical Engineering and has a track record in the security industry of more than 15 years. He has experience evaluating the security of a wide range of embedded platforms, such as IPTV decoders, satellite receivers, mobile phones, smart meters and a variety of modems (ADSL, Wireless). Further, he is a specialist in the reverse engineering of applications and consumer electronics.
At Riscure, Job is the senior specialist in charge of security testing of embedded devices for high-security environments. Amongst others, he assessed the protection of pay television systems against side channel and card-sharing attacks for conditional access providers. Job has participated in the creation of several certification schemes for customers of embedded products. Job has a long speaking history at international conferences, including talks on security of mobile technologies, reverse engineering of firmware and side channel attacks on embedded systems.
===
Furthermore there’s a new workshop by Jose Miguel Esparza (@EternalTodo) on “Squeezing Exploit Kits and PDF Exploits”. Detailed agenda here.
Stay tuned & have a great weekend everybody
Enno
Regarding “Daniel Mende: Implementing an USB Host Driver Fuzzer”:
I’m all for more USB fuzzing, but “no publicly available tools for performing USB host driver fuzzing” isn’t accurate. Andy Davis has been working on umap for a while:
https://www.youtube.com/watch?v=R7sYRvtyzPc
https://github.com/nccgroup/umap
Kees,
thanks a lot for that hint. Actually neither Daniel nor I were aware of that. This proves why blogging & accepting comments can be so tremendously helpful for the infosec community 😉
Have a great 2014
Enno
What about the USB Attack Toolkit?
http://translate.google.com/translate?hl=en&sl=es&u=http://www.guadalajaracon.org/usb-attack-toolkit-uat-en-guadalajaracon-2012/