TROOPERS08 Archive - Presentations

TROOPERS08 started off with latenight talks on April 22th 2008, followed by the main conference on April 23th & 24th. The main conference featured two tracks - Attack & Defense.


An insider’s view about Microsoft Security Response Center

Andrew Cushman

April 23, 2008 (at 10:30 a.m.) in Defense

Andrew Cushman – Sr. Director of the Microsoft Security Response Center gives an insider’s view of the MSRC. He’ll briefly touch on lessons from the MSRC school of hard knocks, and also review major issues from 2007. Along the way Cushman will discusses Microsoft’s current approach to security, MSRC’s view of the evolving security ecosystem and give a glimpse into the future.

KIDS – Kernel Intrusion Detection System

Rodrigo Branco

From April 23, 2008 to April 22, 2008 in Attacks

This presentation intend to cover specifically the most necessary and more undocumented area of the computer security: attacks to the core of the systems (Kernel-level attacks which can defeat the existing security models). As all we know, security systems generally runs with the kernel privilegies (like pax, lids, selinux and more others) and can be bypassed if the kernel itself has been compromised. Attempts to protect the kernel mode (like canary protection into the kernel mode, introduced by Windows 2003 and pax-randkstack/noexec protections) exist, but are restrict in protecting the exploitation, not preventing the exploitation consequences. St. Michael is an open-source project, that covers Solaris and Linux (in the future, I plan to port it to NetBSD systems too) and try to offer a security integrity checks into that systems (it will check filesystem, kernel structures and MBR of the system against any attempt to change or any changes, and have the capability to recover the system or take it down). During the presentation, many test-attacks will be used to explain how the StMichael actually works to defeat/detect attacks. Also, a sample will be showed, using StMichael and many others kernel security related tools (special focus into PAX). This presentation is intendeed to go deeper into the subject showed in Hack In The Box Conference, Dubai/2007.

Side Channel Analysis

Job de Haas

April 23, 2008 (at 11:30 a.m.) in Defense

For 10 years Side Channel Analysis and its related attacks have been the primary focus in the field of smart cards. These cryptographic devices are built with the primary objective to resist tampering and guard secrets. While embedded systems often have a lower security profile, such attacks have also become a realistic threat to these devices. This talk explores the use and impact of Side Channel Analysis on embedded systems, and outlines the large set of countermeasures that are available to defend against side channel analysis. Further, the options for developers to mitigate the impact of such attacks will be examined.

Virtualisation: There is No Spoon

Michael Kemp

April 23, 2008 (at 11:30 a.m.) in Attacks

Virtualised technologies are being lapped up left, right and centre by corporates committed to the cash savings they promise. Sadly the savings that can be gleaned are not without the attendant risk. Instead of nice normal networks that people can understand, many vendors are offering networks in a box. As well as being lovely single points of failure, they have a number of risks that remain largely unexplored. Research has already been conducted around VMWare, but there still exists a fundamental flaw that no-one seems to have spotted. This talk will illustrate why and how virtualisation works, what the difference is between what the vendors say and how it is being implemented in RL, and discusses a theoretical vulnerability that if it can be exploited can bring down the house of cards. Additionally if it can be made to work pre-con a significant vulnerability in Active Directory will be demonstrated, not for any particular reasons of relevance, but because it is very, very amusing.

Hardening Oracle in Corporate Environments

Alexander Kornbrust

April 23, 2008 (at 1:30 p.m.) in Defense

In this presentation we show how to harden the latest versions of Oracle (10g Rel.2 /11g). We talk about common architecture flaws in organizations (e.g. in Single-Home Installations) and typical security problems like database cloning, anonymisation, … and some possible solutions. To detect changes we talk about Oracle features like Virtual Private Database (VPD), Database Trigger, … and report these alerts via email or to syslog.

Reversing - A structured approach

Michael Thumann

April 23, 2008 (at 1:30 p.m.) in Attacks

For many people Reverse Engineering sounds like magic, but it’s yet another methodology to understand what soft- and hardware is doing. This session will cover the methodology and tools that are used in our company to answer very specific customer questions relating to software. The purpose of the talk is to demonstrate a timely effective approach to analyze software that is only available as a binary. After the talk the audience will know what kind of knowledge is really needed to do reverse engineering, which tools are recommended to do the job (Hey-Rays, the new decompiler plugin for IdaPro and Autodebug, a mighty debugger and api monitor will be demonstrated) and how a structured approach can help you to accomplish the task in a reasonable amount of time.

Straight Talk about Cryptography

Jon Callas

April 23, 2008 (at 2:30 p.m.) in Defense

What is possible? What is not possible? Can major governments break the cryptography you use? Can the Mafia? How safe are you crossing borders? Is liquid nitrogen really useful in cryptanalysis? Find out this and more from a crypto guru. Ask your own questions.

Criminal Hackertools according to § 202c StGB

Horst Speichert

April 23, 2008 (at 2:30 p.m.) in Attacks

  • state of affairs
  • basic principles, german legislation, european background
  • criminalization of vulnerability analysis
  • legal uncertainty for admins and penetration testing
  • constitutional complaint and recent trials
  • counterproductive law, security vulnerability, future prospects

“Self defending networks” – hype or essential need for international organisations?

Rolf Strehle

April 23, 2008 (at 4 p.m.) in Defense

How does VOITH deal with future threads and security risks in its corporate IT network. Insights in a global manufacturing company’s security strategy

Evilgrade – “You have pending upgrades”

Francisco Amato

April 23, 2008 (at 4 p.m.) in Attacks

Vulnerabilities are disclosed on a daily basis and in the best case, new patches are released. It is not new that many application’s update processes have security weaknesses allowing fake updates injection. Evilgrade is a modular framework that allows the user to take advantage of an upgrade process from different applications, compromising the system by injecting custom payloads. The lecture will be the presentation and release of the tool, showing its features and possible attack scenarios.

Log Management – The way of the future?

Andrew Morris

April 23, 2008 (at 5 p.m.) in Defense

What is Log Management, and will it solve all your security problems? Andrew Morris looks at the top logging challenges, the drivers, and asks which is the right solution for your enterprise.

Keynote: Virtualization: Floor Wax, Dessert Topping and The End of Information Security As We Know It?

Christofer Hoff

April 24, 2008 (at 9 a.m.) in Attacks

Christofer Hoff has over 15 years of experience in network and information security administration, engineering, and operations with his expertise focused on developing strategies for innovation in the area of information security, survivability, resilience and assurance with a focus on rational risk management. Hoff is Unisys Corporation’s chief architect of security innovation. Hoff is a prolific blogger (,) featured speaker at numerous information security conferences, holds several security credentials and is an accomplished and accredited instructor in multiple security disciplines.

GPUs, password recovery and thunder tables

Andrey Belenko

April 24, 2008 (at 10:30 a.m.) in Attacks

I’m going to talk about using graphic processors for accelerating cryptographic algorithms and, thus, password recovery. Some information on GPU architecture will be given along with general optimization strategies. Step by step, you’ll see how to build GPU-enabled password cracker from ground up and turn your GeForce into password crunching machine :-)

Incident Management – Tasks and organization

Volker Kozok

April 24, 2008 (at 10:30 a.m.) in Defense

Definition Organization of an Incident Management Team Tools and Technics Training IT-Forensics Legal Aspects Case Studys Guideline Incident Management

A penetration testing learning kit

Ariel Waissbein

April 24, 2008 (at 11:30 a.m.) in Attacks

A penetration testing learning kit” – Penetration testing remains a standard practice for the security-aware professional for assessing the security posture of their infrastructure. Lately, security professionals and newbies have started learning the art of pen-testing from courses, newsgroups and through books that specialize in the distinct protocols, operating systems, web application platforms, et cetera. Today, there are different toolsets and frameworks, some free, some commercial, that provide many of the necessary means for executing a pen test. These can be used to pen-test computers or virtual machines in a laboratory. However, during his work a pen-tester will encounter diverse network configurations with which he must have previous experience. Providing laboratories that can handle these configurations was previously deemed expensive, resource intensive and yet a difficult task –even when using virtualization technologies.

In this talk we will introduce a penetration testing simulation suite that allows the user to design networks (or import real networks) to a network simulator and then execute a penetration test against it using a traditional penetration testing platform (a modified version of Core Impact). The pen-tester´s view of his attack isn´t modified by the simulation.

Throughout the talk we will show different penetration testing scenarios, define targets for these scenarios and show how to achieve these targets. By recreating penetration experiments over arbitrary network designs, the students (i.e., users) can easily access scenarios that would be otherwise impossible. Moreover, each user can access a different simulation for exactly the same network design.

The introduction of our kit will provide a teacher with an excellent tool, not only for teaching, but for researching penetration testing problems and discovering new solutions. We will briefly discuss some research problems we’ve been studying which evidence the utility of our kit.

Finally, we’d like to remark that this talk & the underlying suite do not study exploit and payload engineering, but other tasks of penetration testing. Such as, selecting tasks efficiently, correctly reading the information discovered in information gathering steps, using effective exploits against the most promising targets and mostly, in recreating experiences (and problems) from real penetration tests. During the talk we will describe the kit’s features and limitations.

Organizing and analyzing logdata with entropy

Sergey Bratus

April 24, 2008 (at 11:30 a.m.) in Defense

I will show how entropy, a measure of information content defined by Shannon in 1948, can provide useful ways of organizing and analyzing logdata. In particular, we use entropy and mutual information heuristics to group syslog records and packet captures in such a way as to bring out anomalies and summarize the overall structure in each particular data set. I will show a modification of Ethereal that is based on these heuristics, and a separate tool for browsing syslogs. Our data organization heuristics produce decision trees that can be saved and applied to building views of other data sets. Our tools also allow the user to mark records based on relevance, and use this feedback to improve the data views. Our tools and algorithm descriptions can be found at

Layer 2 Fuzzing

Daniel Mende & Simon Rich

April 24, 2008 (at 1:30 p.m.) in Attacks

The talk is based on a research project whose goal was to evaluate the security of network devices used in carrier space. After some (very short) introduction into the main concepts of fuzzing (in particular of network protocols) we will explain which options of existing fuzzers and frameworks we found and why we finally chose SPIKE. Given SPIKE has no Layer2 functionality by default we were forced to write some additional modules like a (libnet-based) generic Layer 2 packet generator and lots of SPK-scripts for different protocols. We will describe this development process, the pitfalls and lessons learned. Furthermore we will release all the code and discuss the results of performing extensive fuzz-testing of network devices and some common operating systems.

The data went down the drain – Can something be learned from the Lichtenstein tax-affair?

Dror-John Roecher

April 24, 2008 (at 1:30 p.m.) in Defense

The media covered it at length, just about every columnist uttered his opinion regarding it and in internet discussion forums and social networking platforms it is still a vividly debated subject: The German intelligence agency, BND, paid a whistle-blower approximately EUR 5 million for a DVD containing data of Lichtenstein bank customers and passed it on as “administrative assiistance” to the German equivalent of the IRS criminal investigation, the infamous “Steuereuerfahndung”, which started tax evasion prosecutions against several hundred individuals, including Klaus Zumwinckel (former CEO of the Deutsch Post) and Karl Michael Betzl, Bavarian privacy protection officer. Quite displeasing for the concerned citizens. A first-class worst case for the involved banks. A deal with an excellent yield for the German state. And for us a perfect occasion to ask ourselves some questions: If and how this could have happened in our own companies? If and how this could have been prevented? Starting with a chronological abstract of the affair it will be thoroughly analyzed and judged as an InfoSec incident and “lessons learned” will be deduced.

Tapping $$$ Enterprises

Pierre Kroma

April 24, 2008 (at 2:30 p.m.) in Attacks

Room observation (for example: audio, video, cable manipulations) Car observation (tracking systems) Demonstration of bugging devices Counter-intelligence

Virtual Honeypots

Thorsten Holz

April 24, 2008 (at 2:30 p.m.) in Defense

Honeypots have demonstrated immense value in Internet security, but physical honeypot deployment can be complex, time-consuming, and expensive. A solution to this problem are virtual honeypots: they share many attributes of traditional honeypots, but you can run thousands of them on a single system-making them easier and cheaper to build, deploy, and maintain. In this talk, we will introduce some recent developments in this area and focus on lessons learned with honeypots.

SCADA and National Critical Infrastructures: is security an “optional”?

Raoul Chiesa

April 24, 2008 (at 4 p.m.) in Attacks

SCADA acronym stands for Supervisory Control And Data Acquisition, and its related to industrial automation inside critical infrastructures. This talk will introduce the audience to SCADA environments and its totally different security approaches, outlining the main key differences with typical IT Security best practices. We will analyze a real world case study related to industry. We will describe the most common security mistakes and some of the direct consequences of such mistakes to a production environment. In addition, attendees will be shown a video of real SCADA machines reacting to these attacks in the most interesting ways!

Data Loss Protection – Hope or Hype?

Bryan Fite & Enno Rey

April 24, 2008 (at 4 p.m.) in Defense

To lose control over one’s own data is one of the primal fears of the digital age. More than ever this applies in particular to the world of corporations and organizations with all their trade secrets and marketing plans to be protected from leaking outside. To prevent such leakage is the promise of salvation of a new set of security tools called “Data Loss Protection” or “Extrusion Prevention” solutions. All relevant vendors are already offering such pieces (mostly by acquisition of smaller companies specialized in the field). This talk will discuss why the approach these solutions take will fail in most environments and which pre-requisites must be fulfilled before even thinking about such a solution. We will further discuss what can be done on a structural level to protect sensitive data and use the existing tool set of the infosec space.