
Troopers 2014 – Second Round of Talks Selected

We’re very happy to announce the second round of Troopers 2014 talks today (first round here).
Some (well, actually most 😉) of these talks haven’t been presented anywhere before, so this is exciting fresh material that was/is prepared especially for Troopers.


Andreas Wiegenstein & Xu Jia: Risks in Hosted SAP Environments. FIRST TIME MATERIAL

Synopsis: Many SAP customers have outsourced the operation of their SAP systems in order to save cost. In doing so, they entrust their most critical data to a hosting provider, potentially sharing the same SAP server with a number of companies and organizations unknown to them. These companies and organizations virtually sit in the same boat, without knowing each other and without trusting each other. They all trust in the ability of their hosting provider to run their operating environment in a secure way, though.

But how secure is hosted data in a SAP environment?
This talk demonstrates various risks and attack vectors. It covers vulnerabilities and backdoors in the SAP standard (including several zero-days discovered by Virtual Forge) and how they could be used in order to access hosted SAP data. It also covers risks introduced by custom coding provided by any of the hosted parties.
The talk also provides valuable advice for SAP customers that rely on hosting providers, and on what the providers should do in order to run their installations more safely.

Bio: Andreas Wiegenstein has been working as a professional SAP security consultant since 2003. He performed countless SAP security audits and received credit for more than 60 SAP security patches related to vulnerabilities he discovered in the SAP standard.

As CTO, he leads the Virtual Forge Research Labs, a team focusing on SAP/ABAP specific research and security solutions.

Andreas has trained large companies and defense organizations on ABAP security and has spoken at multiple SAP-specific conferences (like TechEd) as well as at general security conferences such as Troopers, BlackHat, HITB, IT Defense, DeepSec and RSA. He is co-author of the first book on ABAP security (SAP Press 2009) and wrote the security chapter of the ABAP Best Practices Guideline for DSAG, the German SAP User Group (2013). He is also a member of BIZEC.org, the Business Security Community.


===

Marion Marschalek & Joseph Moti: What Happens In Windows 7 Stays In Windows 7.

Synopsis: Systems evolve over time, patches are applied, holes are fixed, new features are added. Windows 8 is the new flagship product of Microsoft, and as prepared as it can be for a world of white-, grey- and black-hat hackers. System components undergo a tough vulnerability assessment process and are updated frequently to sort out security problems even before they arise. But just too often it happens that these clever fixes are not applied globally to all components, but just to the newest version of a library.

Now we want to make use of exactly that fact to uncover potential vulnerabilities.
What we aim for are the forgotten treasures in Windows 7 libraries, holes that got fixed for the bigger brother at some point – but stay unfixed in Windows 7 until today. We will present a tool that makes it easy to spot these forgotten vulnerabilities. We can keep track of different versions of libraries of different operating systems and automate the analysis process of a big file set. The focus lies on safe functions, which indicate a potential weakness when missing. The tool we show is flexible and extendible to integrate new features, adapt it to different database backends or generate new views on the data to analyse.

Bios: 

Marion Marschalek (@pinkflawd) works at IKARUS Security Software GmbH based in Vienna, Austria. Her main fields of interest are malware research and malware incident response. Besides that, Marion teaches basics of malware analysis at the University of Applied Sciences St. Pölten and has been speaking at international security conferences, including Defcon Las Vegas, hack.lu Luxembourg and POC Seoul. In March this year Marion won the Female Reverse Engineering Challenge 2013, organized by RE professional Halvar Flake.

Moti Joseph has been involved in computer security for a long time. In the last few years he has been working on reverse engineering exploit code and developing security products. Moti has been speaking at Black Hat Las Vegas 2007, CONF2009 & CONF2010 in Warsaw, Poland, POC 2009 & 2010 in South Korea, ShakaCon 2009 in the USA, CHINA 2011 at Shanghai Jiao Tong University, NopCON 2012 in Istanbul and SysCan 2010 in Taipei, Taiwan.


===

Rob Lee: Get Over It – Privacy is Good for Security. FIRST TIME MATERIAL

Synopsis: Over the last year government leaks regarding nation-state digital espionage and surveillance have made the topic of privacy a heated discussion point. However, for those that have been championing the privacy cause this is a fight that has been going on for years. One issue with regards to technology and the lack of privacy is that there are a large number of people in positions of power, and in the general public, who have very little idea about how technology works or its capabilities. What is even more interesting is that despite the myth that you can have either privacy or security, it is in fact critical to security that you have privacy; the myth is a lie and whether you like it or not privacy is good for security. The speaker is a member of the US Air Force (and as such might be regarded as somewhat biased), but TROOPERS has extended the opportunity to the speaker to present regardless of his affiliation (he does not represent viewpoints of the US government but only himself) and he will discuss his research, own experience, and opinions on why ensuring privacy is actually in governments’ best interest for boosting national security. This talk is bound to present ideas that audience members agree with as well as those that they disagree with, which will hopefully lead to heated debate; active participation is encouraged.

Bio: Robert M. Lee is the Founder and Director of hackINT, a 501(c)(3) non-profit organization that teaches entry level cyber security classes in the subjects of hacking, forensics, intelligence, and defense. Additionally, he is an active-duty US Air Force Cyberspace Operations Officer working under the Air Force Intelligence, Surveillance, and Reconnaissance Agency where he leads a national level cyber defense team. Robert is also an Adjunct Lecturer at Utica College where he teaches graduate level classes in digital forensics and cyber counter intelligence in the M.S. Cybersecurity program. He received his B.S. from the United States Air Force Academy, his M.S. in Cybersecurity – Digital Forensics from Utica College, and is currently working on his PhD in War Studies at King's College London where he is researching control systems cyber security.

Robert has written on control system cyber security, the direction of the cyberspace domain, and advanced digital threats for publications such as Control Global, SC Magazine, Australia Security Magazine, Hong Kong Security Magazine, Cyber Conflict Studies Association, and Air and Space Power Journal. He has also presented related topics at thirteen conferences in eight countries as well as presenting critical infrastructure protection topics to multiple international think tanks. Lastly, he has taught over 500 students through hackINT and his time at Utica College. Routinely consulted for his expertise on such subjects, Robert M. Lee is an active cyber advocate and educator.


===

Robin Sommer: Bro – A Flexible Open-Source Platform for Comprehensive Network Security Monitoring.

Synopsis: Bro is a highly flexible open-source monitoring platform that is today protecting some of the largest networks around, including deployments at major universities, supercomputing centers, U.S. national laboratories, and Fortune 20 enterprises. Bro differs fundamentally from traditional intrusion detection systems, as it is not tied to any single detection approach. Instead it provides users with a rich domain-specific scripting language suitable to express complex application-layer analysis tasks on top of a scalable real-time platform. Bro furthermore records extensive high-level logs of a network’s activity, which regularly prove invaluable for forensics and have helped solve countless security incidents. This presentation will introduce Bro’s philosophy and architecture, walk the audience through a range of the system’s capabilities, discuss deployment scenarios, and provide an outlook on Bro’s development roadmap. Learn more about Bro at http://www.bro.org.

Bio: Robin Sommer is leading the Bro project as a Senior Researcher at the International Computer Science Institute, Berkeley, USA. He is also a member of the cybersecurity team at the Lawrence Berkeley National Laboratory, and he is a co-founder of Broala, a recent startup providing professional Bro services to corporations and government customers. Robin Sommer’s research focuses on network security and privacy, with a particular emphasis on high-performance network monitoring in operational settings. He holds a doctoral degree from TU München, Germany.


===

Christian Sielaff & Daniel Hauenstein: OSMOSIS – Open Source Monitoring Security Issues. FIRST TIME MATERIAL

Synopsis: In order to emulate a real-world environment, we have deliberately chosen software solutions which have been ubiquitous in large enterprise IT networks for many years. Many of the examined solutions have a long list of success stories.

Quite often these monitoring solutions are the only ones in use in small or mid-range businesses, but surprisingly often enterprise environments use them on a large scale. The widespread usage of these monitoring solutions is mainly based on the fact that they are free, not expensive to maintain and … secure?
We question the last point, while showing how seemingly small security issues may result in large security gaps in your network. Finally we present how compromising one perimeter system may result in a severe security risk for the monitoring network, potentially allowing attacks against further internal networks. This “osmosis” attack clearly shows how the multilayered onion approach can be bypassed by peeling the onion.
Finally we will present mitigation proposals to prevent those attacks, at least from a design perspective. This talk is for everyone who uses “off the shelf” solutions in sensitive environments, just because everyone else does.

Bios:

Christian Sielaff has worked in the telco world for many years. Previously he was part of an operational department and designed and maintained secure access solutions, so he also knows the other side of the console.
As part of the Group Information Security of Deutsche Telekom, he has focused on information security over the last few years. In the Network and Data Center Security team he specializes in the security aspects of management networks.

Daniel Hauenstein: With over 13 years of professional IT security consulting experience, you can safely say he is an old timer in the fast moving field of IT security.
Daniel worked as a security consultant for companies such as Secureware, TUEV Rheinland Secure iT, n.runs and Context Information Security, and for over 6 years now as a freelance consultant. He supported international clients like Microsoft USA, SAP, Deutsche Telekom and Deutsche Bank and also governmental clients with high-security demands in securing their applications and networks.
He is a firm believer that the building blocks of security are a robust design and sound planning as opposed to firewall appliances, antivirus or compliance reports. His drive to prove that even small or presumably insignificant risks may result in “full root access pwnage” made him passionate about optimizing security solutions. He also does not believe in the mystical power of security certifications.
Daniel loves beer, Scotland, beer in Scotland and travelling. It is said that he knows every internet meme out there.

==================

More talks to follow soon… so stay tuned 😉

See you @Troopers. Happy Holidays to everybody!

Enno


ERNW Newsletter 42: Dangers of Disabled Pre-Boot Authentication in Corporate Environments

It’s been a long time… we just published an ERNW Newsletter. Here’s the abstract:

In order to protect sensitive data on corporate laptops, most companies are using full disk encryption solutions. While native encryption products like Microsoft Bitlocker, Apple FileVault and open source solutions like TrueCrypt were already heavily scrutinized by security researchers, many popular commercial third party products are to some point still black boxes.

In this paper, we discuss Check Point Full Disk Encryption (FDE) with active “Windows Integrated Logon”. Check Point FDE is a software package that is part of Check Point Endpoint Security and offers full disk encryption on Microsoft Windows and Mac OS X systems. The “Windows Integrated Logon” feature reduces total cost of ownership by disabling pre-boot authentication. Check Point themselves warn about the security risks associated with using this feature.

We argue that missing TPM integration and integrity checks make Check Point FDE with activated “Windows Integrated Logon” highly insecure against sophisticated attackers. Furthermore, we demonstrate the extraction of AES encryption keys on a running system and subsequent decryption of the encrypted disk. Our analysis is limited to Check Point FDE v.7.4.9 on Windows operating systems and was performed during a penetration test of an encrypted customer enterprise laptop. Therefore, we concentrate on the client architecture and ignore other aspects like enterprise management interfaces.

===

The document itself can be found here.

Enjoy reading & Happy Holidays to everybody

Enno



ACSAC 2013

Matthias and I currently have the pleasure to be at ACSAC, in New Orleans.
From my perspective, at ACSAC the usual conference visit side-effect of personal interaction with peers plays an even larger role than at many other events. In fact we met a number of people we hadn’t seen for quite some time and I could even clear a long unresolved debt (Hi Pastor! and thanks for those International Journal of PoC issues).

Nancy Leveson from MIT delivered a great keynote on “Applying Systems Thinking to Security and Safety“, mainly discussing how an approach she calls “System theoretic process analysis” (STPA) can be used for identifying hazard scenarios in complex systems, and laying out how the same methods can be used both for safety and security. Really inspiring stuff while at the same time highly relevant, in the age of the Internet of Things.

My personal highlight was the afternoon session on “30 Years Later: The Legacy of the Trusted Computer Systems Evaluation Criteria“. Having been exposed to Common Criteria here+there and having done some stuff in the MLS world many years ago I learned a lot from the three views & memories provided (btw: did you note that Perl was initially developed in the course of the BLACKER program? I didn’t).

We ourselves also had a little contribution today, with a short talk on “Designing State-of-the-Art Business Partner Connections” which goes back to a project described in this blog post. The slides can be found here.

Looking forward to tomorrow,
have a good one everybody

Enno


Troopers 2014 – First Round of Talks Selected

We’re delighted to provide the first announcement of talks of next year’s Troopers edition. Looks like it’s going to be a great event again 😉
Here we go:

==================

Toby Kohlenberg: Granular Trust – Making it Work

Over the last 5 years the concept of using dynamic or granular trust models to control access to systems, networks and applications has become well known and is now seeing partial adoption in many places. The challenge is how granular and dynamic can you get and the question is whether it is worth it. As the architect of Intel’s trust model Toby can speak to the entire journey from initial idea through current implementation and the likely road ahead. This talk will include the good, bad and ugly parts of designing a trust model and then implementing it in a Fortune 50 company’s production environment. You will learn from his mistakes so you can make different ones.

Bio: Toby is a senior information security technologist with Intel Corporation. He focuses on securing new and emerging technologies and threats. He has been doing this for a long time.

===

Florian Grunow: How to Own your Heart – Hacking Medical Devices

In the last few years we have seen an increase of high tech medical devices, including all flavors of communication capabilities. The need of hospitals and patients to transfer data from devices to a central health information system makes the use of a wide range of communication protocols absolutely essential. This results in an increasing complexity of these devices which also increases the attack surface of the equipment. Vendors of medical devices put a lot of effort into safety. This is especially true for devices with feedback to the patient, e.g. medical pumps, diagnostic systems and anesthesia machines.
However, it is often forgotten that the security of these devices is a crucial part in also providing safety. An attacker who is able to gain unauthorized access to these devices may be able to endanger the health of patients.
We decided to take a look at a few devices that are deployed in many major hospitals and probably in hospitals around the world. We focus on the security of these devices and the impact on the patient’s safety. The results will be presented in this talk.

Bio: Florian Grunow holds a Bachelor’s degree in Medical Computer Sciences and a Master’s degree in Software Engineering. He used to work in hospitals and got an inside view of what the daily work of healthcare professionals dealing with IT looks like. He now works as a Security Analyst at ERNW in Heidelberg, Germany, with a focus on application security.

===

Alexander Polyakov & Dimitry Chastuhin: Injecting Evil Code in your SAP J2EE systems – Security of SAP Software Deployment Server

Why break critical systems themselves when we can attack the Deployment Server: the core from which all J2EE code spreads into other systems? The core is called SAP Software Deployment Server and consists of many subsystems like SDM, DTR, CMS. They have their own SVN-like subsystem and Build service.
“By offering a single point of entry for all Java development tools and an integration point for all SAP infrastructure components, the SAP NWDS supports you in developing Web Dynpro and J2EE applications. Application developers do not need to switch between different development environments and can develop, build, deploy, and execute applications centrally from the Developer Studio.”
Isn’t it a perfect victim for an attack? Who cares about the security of Deployment Server? That’s why it is full of issues and it is possible to deploy your own code anonymously without having any access to NWDS using architecture flaws. In the end, your evil code will spread to any system you want, giving you the ability to control every business system.
Come and see how we did it in practice and how to prevent the described attacks.
Alexander Polyakov – CTO at ERPScan
Father of ERPScan Security Monitoring Suite for SAP. His expertise covers the security of critical enterprise software like ERP, CRM, SRM, banking and processing software. Manager of EAS-SEC. Well-known expert on the security of enterprise applications, such as SAP and Oracle. Published a significant number of vulnerabilities, frequently receives acknowledgements from SAP. Author of multiple whitepapers and surveys devoted to SAP security research, for example, the award-winning “SAP Security in Figures”. Invited to speak and train at BlackHat, RSA, HITB, and 35 more international conferences around the globe as well as internal workshops for SAP AG and Fortune 500 companies.
Twitter: @sh2kerr

Dimitry Chastuhin — Head of Penetration Testing Department at ERPScan
Dimitry Chastuhin works on SAP security, particularly on web applications and Java systems. He has official acknowledgements from SAP for the vulnerabilities found. Dimitry is also a Web 2.0 and social network security geek who found several critical bugs in Google, Adobe, Vkontakte, Yandex.ru. He was a speaker at BlackHat, HITB, ZeroNights, Brucon.

===

Ivan Pepelnjak: Security and SDN – A perfect fit or oil-and-water?

Software-defined networks have quickly become one of the most overhyped networking concepts, with vendors promising earth-shattering results … and handwaving over scalability, reliability and security issues.
The presentation will briefly introduce the concepts of SDN and OpenFlow (the tool used to build controller-based networks that require low-level network device control), the security aspects of programmable- and controller-based networks and the potential SDN- and OpenFlow-based security use cases, from scale-out IDS clusters to first-hop network security and user authentication/authorization solutions.

Bio: Ivan Pepelnjak, CCIE#1354 Emeritus, is the chief technology advisor at NIL Data Communications. He has been designing and implementing large-scale service provider and enterprise networks as well as teaching and writing books about advanced technologies since 1990. He’s the author of several Cisco Press books, a prolific blogger and writer, occasional consultant, and author of a series of highly successful webinars.

===

Sebastian Schrittwieser & Peter Frühwirt: Security Through Obscurity, Powered by HTTPS

Applications on modern smartphone operating systems are protected against analysis and modification through a wide range of security measures such as code signing, encryption, and sandboxing. However, for network-enabled applications effective attack vectors can be found in their communication protocols. Most application developers hide the implementation details of their protocols inside an HTTPS connection. While HTTPS is able to protect against data leakage during transmission, it is an inadequate protection against protocol analysis. The concept of SSL interception applied to smartphone applications allows analysis and modification of transport protocols with endless possibilities: getting paid extras for free, cheating in games, finding design flaws in protocols, etc. In this talk, we demonstrate, based on several live demos, how application developers sometimes try to protect insecure protocols by wrapping them inside an HTTPS connection and show that known countermeasures are rarely used in practice.

Bios:
Sebastian Schrittwieser is a lecturer and researcher at the University of Applied Sciences St. Pölten, Austria and PhD candidate at the Vienna University of Technology. His research interests include, among others, digital forensics, software protection, code obfuscation, and mobile security. Sebastian received a Dipl.-Ing. (equivalent to MSc) degree in Business Informatics with focus on IT security from the Vienna University of Technology in 2010.

Peter Frühwirt is a researcher at SBA Research, the Austrian non-profit research institute for IT-Security and lecturer at the Vienna University of Technology. Peter received a Dipl. Ing. (equivalent to MSc) degree in Software Engineering and Internet Computing in 2013. His research interests include mobile security and database forensics.
==================


More talks to follow soon, so stay tuned 😉

See you @Troopers & have a great weekend everybody

Enno


IPv6 Scanner

This is a guest post from Antonios Atlasis.

===

Having just finished the second “Advanced Attack Techniques against IPv6 Networks” workshop (some of the course material can be found here), organised and hosted by ERNW and their partner HM Training Solutions, I would like to take this opportunity to release publicly one of my scripting tools, an IPv6 scanner. This tool is based on Scapy (so you have to install Scapy and its prerequisites before using it). It should not be considered as a replacement or a competitor of nmap against IPv6 or of the scanners incorporated into the great IPv6 toolkits already released by Marc Heuse and Fernando Gont, but, instead, as a tool released mainly for educational purposes. Specifically, this scanner, apart from supporting some of the most well known port scanning techniques, from ping scanning to SYN, RESET, ACK, XMAS, etc., TCP or UDP scanning, also combines, by using the suitable switches, some IDS/IPS evasion techniques. As I have found out up to now, at least two of them, if used “properly”, can be effective against a very popular IDS/IPS software used by many “Fortune 100” companies out there. This means that you can launch actually any type of the supported network-scanning techniques while flying under the radar of this specific IDS software (and perhaps some other too, who knows…). But first of all, as always please check the corresponding README file.


IPAM Requirements in IPv6 Networks

I recently had a discussion with some practitioners about requirements for IP Address Management (IPAM) solutions which are specific to IPv6 networks. We came up with the following:

Mandatory: Track all dynamic IPv6 assignments (SLAAC + PrivExtensions, DHCP etc.), by polling neighbor caches from network devices. Support SNMPv3 for this task.
Optional (read: nice-to-have): support other methods than SNMP to gather this info (e.g. SSH-ing into devices and execution of appropriate “show” commands).

Mandatory: Display connected switch port (incl. device name or CDP-type info) for all addresses.

Mandatory: Be able to sort addresses according to their categories, e.g. “show all SLAAC systems vs. all systems with DHCPv6 addresses”.
Optional: Be able to easily identify systems which have several types _simultaneously_ (e.g. “static + SLAAC address”, “SLAAC + DHCP managed address”).

Mandatory: Full support for RFC 5952 notation in all UIs (both entry and display of addresses).
Optional: be able to display addresses in other formats in reports or exported files (e.g. CSV files).
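As an added illustration of the notation and category requirements above (example code written for this post, not part of any IPAM product): an RFC 5952 canonical renderer plus a heuristic interface-identifier hint. The hint logic and all sample addresses are this example's own assumptions; real SLAAC-vs-DHCPv6 attribution still has to come from the neighbor caches.

```python
"""Added example, not code from the original post: an RFC 5952 canonical
renderer for IPv6 addresses plus a heuristic interface-identifier hint, the
two pieces an IPAM UI needs for the notation and category requirements
above.  All sample addresses are constructed (2001:db8::/32 documentation space)."""
import ipaddress
import re

_HEX_GROUP = re.compile(r"^[0-9a-fA-F]{1,4}$")


def expand(addr):
    """Parse any textual IPv6 form into eight 16-bit integer fields.
    Full form, one '::' compression and uppercase hex are handled here;
    IPv4-embedded notation (::ffff:192.0.2.1) is delegated to ipaddress."""
    if "." in addr:
        packed = ipaddress.IPv6Address(addr).packed
        return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]
    if addr.count("::") > 1:
        raise ValueError("'::' may appear at most once")
    head, sep, tail = addr.partition("::")
    left = head.split(":") if head else []
    right = tail.split(":") if tail else []
    if sep:
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero field")
        groups = left + ["0"] * missing + right
    else:
        groups = left
    if len(groups) != 8 or not all(_HEX_GROUP.match(g) for g in groups):
        raise ValueError("not a valid IPv6 address: %r" % addr)
    return [int(g, 16) for g in groups]


def canonical(addr):
    """RFC 5952 section 4 text form: lowercase hex, no leading zeros, '::'
    only for the longest run of zero fields (the first run on a tie) and
    never for a single zero field.  IPv4-embedded addresses are rendered
    as plain hex; RFC 5952 section 5 also permits the dotted-quad tail."""
    fields = expand(addr)
    best_start, best_len, run_start, run_len = -1, 0, -1, 0
    for i, f in enumerate(fields + [-1]):      # -1 sentinel closes the last run
        if f == 0:
            if run_len == 0:
                run_start = i
            run_len += 1
        else:
            if run_len > best_len:             # strict '>' keeps the first tie
                best_start, best_len = run_start, run_len
            run_len = 0
    hexs = [format(f, "x") for f in fields]
    if best_len < 2:                           # 4.2.2: no '::' for one field
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])


def iid_hint(addr):
    """Category hint from the interface identifier alone.  Heuristic assumed
    by this example, not a substitute for neighbor-cache polling: 'eui64' =
    modified EUI-64 IID as classic SLAAC builds it, 'small-static' = hand-
    picked IID such as ::1, else 'random' (privacy extensions, DHCPv6, ...)."""
    iid = expand(addr)[4:]
    if iid[1] & 0x00ff == 0x00ff and iid[2] >> 8 == 0xfe:
        return "eui64"
    if iid[0] == iid[1] == iid[2] == 0:
        return "small-static"
    return "random"


def inventory(addresses):
    """Canonicalise a batch of addresses as an IPAM import would, de-duplicate
    on the binary value and return (canonical, hint) pairs in numeric order."""
    seen = {}
    for a in addresses:
        key = b"".join(f.to_bytes(2, "big") for f in expand(a))
        seen[key] = (canonical(a), iid_hint(a))
    return [seen[k] for k in sorted(seen)]


# Constructed sample, as it might be collected from several devices' caches
SAMPLE = [
    "2001:DB8:0:1:0211:22FF:FE33:4455",          # EUI-64 from MAC 00:11:22:33:44:55
    "2001:db8:0:1::1",                           # router, hand-assigned
    "2001:0db8:0000:0001:0000:0000:0000:0001",   # same router, uncompressed
    "2001:db8:0:1:9c4a:3b7e:0d11:f02a",          # privacy-extension style IID
    "2001:db8:0:0:1:0:0:1",                      # two equal zero runs (RFC 5952 4.2.3)
]
```

Running inventory(SAMPLE) collapses the two spellings of the router address into one entry and puts every address into the single form RFC 5952 requires for display.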

===

Hope that some of you might find this useful when reflecting on the topic; have a great day everybody

Enno


IPv6 Hackers Meeting @ IETF 87 in Berlin / Slides

That meeting was actually a great event. Once more, big thanks to Fernando for organizing it and to EANTC for providing the logistics.
A couple of unordered notes to follow:

a) The slides of our contribution can be found here. Again, please note that this is work in progress and we’re happy to receive any kind of feedback.
[given Fernando explicitly mentioned Troopers, we’ve allowed ourselves to put some reference to it into this version of the slide deck…]

b) the scripts Stefan currently puts together will be released here once they’ve undergone more testing ;-).

c) Sander Steffann mentioned that Juniper SRX models do have IPv6 support for management protocols. According to this link this seems somewhat correct.

d) we had that discussion about (which) ASA inspects work with IPv6.
Here’s a link providing some info for 8.4 software releases, and this is the respective one for 9.0.

e) I was really impressed by the work performed by these guys and I think that ft6 (“Firewalltester for IPv6”) is a great contribution to the IPv6 security (testing) space.
And, of course, Marc’s latest additions to THC-IPV6 shouldn’t go unnoticed ;-). And I learned he can not only code, but cook as well.

===

Eric Vyncke commented “To be repeated”. We fully second that ;-).

thanks

Enno
