I am little bit late to the party, but I had the pleasure to present a talk about VoIP based toll fraud incidents (more on this in a following blogpost, for the moment my slides can be found here) at the annual t2 security conference in Helsinki. The conference took place from 24th to 25th October in the Radisson Blu Royal hotel. I must say that it was a blast. Tomi (the host) took really good care of all speakers, and I really liked the spirit of the conference, very similar to Troopers. It is not an commercial event, seats are limited to 100 and it is all about delivering a great set of talks to the audience and having a good time during and after the conference. Sure the conference has some sponsors and tickets are sold, but Tomi doesn’t do it to earn money. His only intention is to cover the cost for setting up this great event.
We’re delighted to provide the first announcement of talks of next year’s Troopers edition. Looks like it’s going to be a great event again 😉
Here we go:
==================
Toby Kohlenberg: Granular Trust – Making it Work
Over the last 5 years the concept of using dynamic or granular trust models to control access to systems, networks and applications has become well known and is now seeing partial adoption in many places. The challenge is how granular and dynamic can you get and the question is whether it is worth it. As the architect of Intel’s trust model Toby can speak to the entire journey from initial idea through current implementation and the likely road ahead. This talk will include the good, bad and ugly parts of designing a trust model and then implementing it in a Fortune 50 company’s production environment. You will learn from his mistakes so you can make different ones.
Bio: Toby is a senior information security technologist with Intel corporation. He focuses on securing new and emerging technologies and threats. He has been doing this for a long time.
===
Florian Grunow: How to Own your Heart – Hacking Medical Devices
In the last few years we have seen an increase of high tech medical devices, including all flavors of communication capabilities. The need of hospitals and patients to transfer data from devices to a central health information system makes the use of a wide range of communication protocols absolutely essential. This results in an increasing complexity of these devices which also increases the attack surface of the equipment. Vendors of medical devices put a lot of effort into safety. This is especially true for devices with feedback to the patient, e.g. medical pumps, diagnostic systems and anesthesia machines.
However, it is often forgotten that the security of these devices is a crucial part in also providing safety. An attacker who is able to gain unauthorized access to these devices may be able to endanger the health of patients.
We decided to take a look at a few devices that are deployed in many major hospitals and probably in hospitals around the world. We focus on the security of these devices and the impact on the patient’s safety. The results will be presented in this talk.
Bio: Florian Grunow holds a Bachelor’s degree in Medical Computer Sciences and a Master’s degree in Software Engineering. He used to work in hospitals and got an inside view on how the daily work of healthcare professionals dealing with IT looks like. He now works as a Security Analyst at ERNW in Heidelberg, Germany, with a focus on application security.
===
Alexander Polyakov & Dimitry Chastuhin: Injecting Evil Code in your SAP J2EE systems – Security of SAP Software Deployment Server
Why break critical systems themselves when we can attack Deployment Server: the core from which all J2EE code spreads into other systems? The core is called SAP Software Deployment Server and consists of many subsystems like SDM, DTR, CMS. They have their own SVN-like subsystem and Build service.
“By offering a single point of entry for all Java development tools and an integration point for all SAP infrastructure components, the SAP NWDS supports you in developing Web Dynpro and J2EE applications. Application developers do not need to switch between different development environments and can develop, build, deploy, and execute applications centrally from the Developer Studio.”
Isn’t it a perfect victim for an attack? Who cares about the security of Deployment Server? That’s why it is full of issues and it is possible to deploy your own code anonymously without having any access to NWDS using architecture flaws. In the end, your evil code will spread to any system you want, giving you the ability to control every business system.
Come and see how we did it in practice and how to prevent the described attacks.
Alexander Polyakov – CTO at ERPScan
Father of ERPScan Security Monitoring Suite for SAP. His expertise covers the security of critical enterprise software like ERP, CRM, SRM, banking and processing software. Manager of EAS-SEC. Well-known expert on the security of enterprise applications, such as SAP and Oracle. Published a significant number of vulnerabilities, frequently receives acknowledgements from SAP. Author of multiple whitepapers and surveys devoted to SAP security research, for example, the award-winning “SAP Security in Figures”. Invited to speak and train at BlackHat, RSA, HITB, and 35 more international conferences around the globe as well as internal workshops for SAP AG and Fortune 500 companies.
Twitter: @sh2kerr
Dimitry Chastuhin — Head of Penetration Testing Department at ERPScan
Dimitry Chastuhin works upon SAP security, particularly upon Web applications and JAVA systems. He has official acknowledgements from SAP for the vulnerabilities found. Dmitriy is also a WEB 2.0 and social network security geek who found several critical bugs in Google, Adobe, Vkontakte, Yandex.ru. He was a speaker at BlackHat, HITB, ZeroNights, Brucon.
===
Ivan Pepelnjak: Security and SDN – A perfect fit or oil-and-water?
Software-defined networks have quickly become one of the most overhyped networking concepts, with vendors promising earth-shattering results … and handwaving over scalability, reliability and security issues.
The presentation will briefly introduce the concepts of SDN and OpenFlow (the tool used to build controller-based networks that require low-level network device control), the security aspects of programmable- and controller-based networks and the potential SDN- and OpenFlow-based security use cases, from scale-out IDS clusters to first-hop network security and user authentication/authorization solutions.
===
Sebastian Schrittwieser & Peter Frühwirt: Security Through Obscurity, Powered by HTTPS
Applications on modern smartphone operating systems are protected against analysis and modification through a wide range of security measures such as code signing, encryption, and sandboxing. However, for network-enabled applications effective attack vectors can be found in their communication protocols. Most applications developers hide the implementation details of their protocols inside an HTTPS connection. While HTTPS is able to protect data leakage during transmission, it is an inadequate protection against protocol analysis. The concept of SSL interception applied to smartphone applications allows analysis and modification of transport protocols with endless possibilities: getting paid extras for free, cheating in games, finding design flaws in protocols, etc. In this talk, we demonstrate, based on several live demos, how application developers sometimes try to protect insecure protocols by wrapping them inside an HTTPS connection and show that known countermeasures are rarely used in practice.
Bios:
Sebastian Schrittwieser is a lecturer and researcher at the University of Applied Sciences St. Pölten, Austria and PhD candidate at the Vienna University of Technology. His research interests include, among others, digital forensics, software protection, code obfuscation, and mobile security. Sebastian received a Dipl.-Ing. (equivalent to MSc) degree in Business Informatics with focus on IT security from the Vienna University of Technology in 2010.
Peter Frühwirt is a researcher at SBA Research, the Austrian non-profit research institute for IT-Security and lecturer at the Vienna University of Technology. Peter received a Dipl. Ing. (equivalent to MSc) degree in Software Engineering and Internet Computing in 2013. His research interests include mobile security and database forensics. ==================
More talks to follow soon, so stay tuned 😉
See you @Troopers & have a great weekend everybody
Michael Thumann and me had the chance to give a talk at this year’s ISSE conference in Brussels, Belgium. ISSE was founded in 1999 as an initiative of the European Commission Directorate General Information Society. The con had a focus on eGovernment, electronic business processes and the corresponding security issues. Continue reading “ISSE 2013 – ERNW Rapid Rating System”
Some of us had the pleasure to participate in this year’s Daycon VII, three days of Real Hacking and Relevant Content, in Dayton, OH. The event began on September 16th with the Packetwars bootcamp. We had the chance to teach some really promising young students and to prepare them for the Packetwars battle that was scheduled four days later. The students had to go through topics like Windows security, network security and web application security both practical and in theory.
I’m currently catching up on a lot of papers and presentation from the Usenix Security Symposium in order to finish the blog post series I started last week (summarizing WOOT and LEET). One presentation, which unfortunately is not available online [edit: see also update, videos are available now], included several particularly relevant messages that I want to share in this dedicated post. Chris Evans, the head of the Google Chrome security team (herein short: GCST), described some new approaches they employed for their security team operations, some lessons learned, and how others can benefit from it as well (actually the potential of these messages to make the world a safer place was my motivation to write this post, even though I got teased for supposedly being a Google fanboy 😉 ):
Fix it yourself
The efficient security work carried out by the GCST could not be achieved if not all members of the team would also have a background as software developer/engineer/architect or in operations. This changes the character of the GCST work from “consulting” to “engineering” and enables the team to commit actual code changes instead of just consulting the developers on how to fix open issues (refer also to the next item). For the consultant work I do (and for assessment anyways 😉 ), I also follow this approach: When facing a certain problem set, have a look at the technological basics. Reading {code|ACLs|the stack|packets} helps in most cases to get a better understanding of the big picture as well.
Remove the middle man
The Google security work is carried out in a very straight way: All interaction is performed directly in a (publicly accessible, see later items) bug tracking system. This reduces management overhead and ensures direct interaction with the community as well. The associated process is very streamlined: Each reported bug is assigned to a member of the GCST which is then responsible for fixing it ASAP.
Be transparent
The bug tracking system is used for externally reported bugs as well as for internally discovered ones. This ensures a high level of transparency of Google’s security work and increases the level of trust users put into Chrome (transparency is also an important factor in the trust model we use). In addition, the practice of keeping found vulnerabilities secret and patching silently should be outdated anyways…
Go the extra mile
The subtext of this item basically was “live your marketing statements”. As ERNW is a highly spirit-driven environment, we can fully emphasize this point. Without our spirit (a big thx to the whole team at this point!), the “extra mile” (or push-up, pound, exploit, poc, …) would not be possible. Yet, this spirit must be supported and lived by the whole company: starting at the management level that supports and approves this spirit, down to every single employee who loves her/his profession (and can truly believe in making the world a safe place). As for Google, Chris described a rather impressive war story on how they combined some very sophisticated details of a PoC youtube video of a Chrome exploit without further details in order to find the relevant bug. (Nice quote in that context: “Release the Tavis” 😉 )
Celebrate the community
… and don’t sue them 😉 I don’t think there’s much to say on this item as you apparently are a reader of this blog. However, you have now an official resource when it comes to discussions whether you can disclose certain details about a security topic.
I think the messages listed above are worth to be incorporated in daily security management and operations and there is even some proof that they apparently worked for Google and hence may also improve your work.
Have a good one,
Matthias
Quick Update: All videos, including this talk, are now available.
Truncating TLS Connections to Violate Beliefs in Web Applications Ben Smyth and Alfredo Pironti, INRIA Paris-Rocquencourt
This presentation was also given at BlackHat some weeks ago. It outlines a very interesting class of attacks against web applications abusing the TLS specification which states that “failure to properly close a connection no longer requires that a session not be resumed […] to conform with widespread implementation practice”. This characteristic enables new attack vectors on shared systems where certain outgoing (TLS encrypted) packets can be dropped in order to prevent applications from e.g. correctly finishing transaction (such as log out procedures) or even modifying the request bodies by dropping the last parts.
I have the pleasure to visit this year’s USENIX Security Symposium in Washington, DC. Besides the nice venue close to the national mall, there are also several co-located workshops. Every night I will try and provide a summary of those presentations I regard as most interesting. However, I hope to manage to keep up with it as there are a lot of interesting events, people to meet, and still some projects to keep up with. The short summaries below are from the 6th USENIX Workshop on Large-Scale Exploits and Emergent Threats.
That meeting was actually a great event. Once more, big thanks! to Fernando for organizing it and to EANTC for providing the logistics.
A couple of unordered notes to follow:
a) The slides of our contribution can be found here. Again, pls note that this is work in progress and we’re happy to receive any kind of feedback.
[given Fernando explicitly mentioned Troopers, we’ve allowed ourselves to put some reference to it into this version of the slide deck…]
b) the scripts Stefan currently puts together will be released here once they’ve undergone more testing ;-).
c) Sander Steffann mentioned that Juniper SRX models do have IPv6 support for management protocols. According to this link this seems somewhat correct.
d) we had that discussion about (which) ASA inspects work with IPv6. Here‘s a link providing some info for 8.4 software releases, this is the respective one for 9.0.
e) I was really impressed by the work performed by these guys and I think that ft6 (“Firewalltester for IPv6”) is a great contribution to the IPv6 security (testing) space.
And, of course, Marc’s latest additions to THC-IPV6 shouldn’t go unnoticed ;-). And I learned he can not only code, but cook as well.
===
Eric Vyncke commented “To be repeated”. We fully second that ;-).
Next to IETF 87 going on in Berlin in a few days there will be an informal meeting of the “IPv6 Hackers” on Tuesday. We really look forward to personally meet a number of people who we (so far) only know from the associated mailing list or similar machine-enhanced exchange. We hope to contribute as well. Based on the stuff of this workshop from the IPv6 Security Summit at Troopers13 we might give a short project presentation along the lines of “Some Notes on Testing the Real-World IPv6 Capabilities of Commercial Security Products”, providing an overview of some testing done on commercial gear, together with a discussion of testing approaches, tools and key aspects.
I currently discuss this potential input with the guy who gratefully organized the meeting. In any case I encourage everybody interested in IPv6 security to show up there (you don’t have to be registered to IETF 87) as there’s not much that can substitute meeting in person to discuss how to make the IPv6 world a safer place.