The Hackers‘ Sanctuary City

TROOPERS has a long history of theming the conference every year. Usually we pick a surreal topic, a fun story which we think is worth to pick up on. Some of it starts as a crazy thought, others have been the result of long discussions. Most of them are online, only our master piece from 2016 is securely stored in the company’s vaults.

Continue reading “The Hackers‘ Sanctuary City”

Continue reading

A Visual Guide to Day-Con 9

Welcome to Dayton

In mid-October our friend Bryan Fite aka Angus Blitter invited the community for the ninth edition of Day-Con. Bryan’s annual security summit, which we regard as the sister event of TROOPERS, is a pretty good reason to visit lovely Dayton, Ohio.

Day-Con Summit

And so we did… ERNW sent in five delegates. Delegates is Day-Con-speak for all attendees and speakers and such a subtle choice of wording sets the tone for the whole event. People seemed to be really focused and the roundtable-like setting during the talks (see above) provided a cozy atmosphere for in-depth expert chatting.

Continue reading “A Visual Guide to Day-Con 9”

Continue reading

3D-Printers in the Cloud

Dear readers,

with the rise of low-cost 3D-printers in the homes of thousands [1] of enthusiastic tinkerers the word spreads about these magical machines which can produce any mechanical, artsy, useful or useless parts you might come up with. Standing in living rooms worldwide, they don’t seem like a big threat [2] to anybody. But what happens if you connect them to the Internet?

3D-Printers at the TROOPERS12 & TROOPERS13 IT-Security Conference.
3D-printers at the TROOPERS12 & TROOPERS13 IT-Security Conference.

What’s it about? 3D-Printing in a Nutshell.

Continue reading “3D-Printers in the Cloud”

Continue reading

HackRF – A Must-Have Gadget

Dear readers,

today we welcomed Michael Ossmann at the ERNW headquarter for an exclusive workshop on his HackRF gadget. Everybody was quite excited to get hands-on with this shiny piece of hardware, which is currently crowd-funded on Kickstarter. For everybody who’s not familiar with Software Defined Radio (SDR): Let’s regard it as the ultimate tool when working with radio signals.

Michael Ossmann
Michael Ossmann in the house.

Let’s quote Michael’s campaign website:

Transmit or receive any radio signal from 30 MHz to 6000 MHz on USB power with HackRF. HackRF is an open source hardware project to build a Software Defined Radio (SDR) peripheral.

SDR is the application of Digital Signal Processing to radio waveforms. It is similar to the software-based digital audio techniques that became popular a couple of decades ago. Just as a sound card in a computer digitizes audio waveforms, a software radio peripheral digitizes radio waveforms. It’s like a very fast sound card with the speaker and microphone replaced by an antenna. A single software radio platform can be used to implement virtually any wireless technology (Bluetooth, ZigBee, cellular technologies, FM radio, etc.).

Continue reading “HackRF – A Must-Have Gadget”

Continue reading

TROOPERS14 Registration Open + TROOPERS13 Photos Online

Dear blog followers, TROOPERS speakers & attendees,
we hope you’re doing fine! Today we have a couple of great things to share with you:

Let’s start with a date. Get your calendar and mark March 17th – 21st 2014. It’s your TROOPERS14 holidays. One week full of high-end education, workshops, talks, reconnecting with friends, action, delicious food and one or the other party. You know the drill – more details further down.

Continue reading “TROOPERS14 Registration Open + TROOPERS13 Photos Online”

Continue reading
Breaking, Events

VMDK Has Left the Building – Slides available

A quick update on the workshop we’ve just finished at Hack in the Box 2012 Amsterdam:
Due to popular demand we decided to bring the slides online without wasting any more time. The official website of the conference is currently experiencing some problems due to high interest in all the stuff what was released in the last two days. Great conference!

Here you go: HITB2012AMS ERNW VMDK Has Left the Building [PDF, 6MB, link fixed]

Enjoy and feel free to express your thoughts in the comments.

Best greetings from Amsterdam,
Florian & the crew

Continue reading

ERP Platforms Are Vulnerable

This is a guest post by the SAP security expert Juan Pablo Perez-Etchegoyen, CTO of  Onapsis. Enjoy reading:

At Onapsis we are continuously researching in the ERP security field to identify the risks that ERP systems and business-critical applications are exposed to. This way we help customers and vendors to increase their security posture and mitigate threats that may be affecting their most important platform: the one that stores and manages their business’ crown jewels.

We have been talking about SAP security in many conferences over the last years, not only showing how to detect insecure settings and vulnerabilities but also explaining how to mitigate and solve them.  However, something that is still less known is that since 2009 we have been also doing research over Oracle’s ERP systems (JD Edwards, Siebel, PeopleSoft, E-Business Suite) and reporting vulnerabilities to the vendor. In this post, I’m going to discuss some of the vulnerabilities that we reported, Oracle fixed and released patches in the latest CPU (Critical Patch Update) of January 2012. In this CPU, 8 vulnerabilities reported by Onapsis affecting JD Edwards were fixed.

What’s really important about these vulnerabilities is that most of them are highly critical, enabling a remote unauthenticated attacker to fully compromise the ERP server just having network access to it.  I’m going to analyze some these vulnerabilities to shed some light on the real status of JD Edwards’ security. Most of these vulnerabilities are exploitable through the JDENET service, which is a proprietary protocol used by JDE for connecting the different servers.

Let’s take a look at the most interesting issues:

ONAPSIS-2012-001: Oracle JD Edwards JDENET Arbitrary File Write

Sending a specific packet in the JDENET message, an attacker can basically instruct the server to write an arbitrary content in an arbitrary location, leading to an arbitrary file write condition.

ONAPSIS-2012-002: Oracle JD Edwards Security Kernel Remote Password Disclosure

Sending a packet containing key hard-coded in the kernel, an attacker can “ask for” a user’s password (!)

ONAPSIS-2012-003: Oracle JD Edwards SawKernel Arbitrary File Read

An attacker can read any file, by connecting to the JDENET service.

ONAPSIS-2012-007: Oracle JD Edwards SawKernel SET_INI Configuration Modification Modifications to the server configuration (JDE.INI) can be performed remotely and without authentication. Several attacks are possible abusing this vulnerability.

ONAPSIS-2012-006: Oracle JD Edwards JDENET Large Packets Denial of Service

If an attacker sends packets larger than a specific size, then the server’s CPU start processing at 100% of its capacity. Game over.

As a “bonus” to this guest blog post, I would like to analyze a vulnerability related to the set of  security advisories we released back on April 2011 (many of them also critical). This vulnerability is the ONAPSIS-2011-07.

The exploitation of this weakness is very straight-forward, as the only thing an attacker needs to do is to send a packet to the JDENET command service (typically UDP port 6015) with the message “SHUTDOWN”, and all JD Edwards services are powered off! Business impact? None of the hundreds/thousands of the company’s employees that need the ERP system to do their every-day work will be able to do their job.

Some people still talk about ERP security as a synonym of Segregation of Duties controls. This is just an example of a high-impact Denial of Service attack that can be performed against the technical components of these systems. No user or password. No roles or authorizations.

Even worse, as UDP connections are stateless, it’s trivial for the attacker to forge its source and exploit the vulnerability potentially bypassing firewall filters.

Hope you enjoyed our post and I’d like to thank Enno, Florian and the great ERNW team for their kind invitation.

You can get more information about our work at

BTW: Meet Mariano Nuñez Di Croce, CEO of Onapsis at TROOPERS12 in about ten days! He will give a talk and also host a dedicated workshop on SAP security.

Continue reading