TROOPERS10 Archive - Presentations

With the third edition of TROOPERS we changed the location to our home base Heidelberg. Combined with a more holistic concept of accompanying workshops and roundtables, this event was a real breakthrough.

Troopers10 took place from March 8th to March 12th, 2010 in Heidelberg, Germany.


Keynote: Security for Superheroes

Pete Herzog

March 10, 2010 (at 9 a.m.) in Attack & Research

The Official Training Guide for New Superheroes: Even superheroes need tactics. Showing how to get the ultimate power and control over your security, Pete Herzog pulls no punches in his presentation of the Official Training Guide for New Superheroes, full of cutting edge OSSTMM research.

Netscreen of the Dead: Developing a Trojaned ScreenOS for Juniper Netscreen Appliances

Graeme Neilson

March 10, 2010 (at 10:30 a.m.) in Attack & Research

Core network security appliances are often considered to be more secure than traditional systems because the operating systems they run are supplied as obfuscated, undocumented binary firmware. Juniper Inc supplies a complete range of security appliances that all run a closed source operating system called ScreenOS which they supply as firmware.

This presentation will detail how the Juniper Netscreen platform can be completely subverted by installation of attacker modified firmware. This firmware is effectively an embedded rootkit.

Bugs & Kisses – Spying On BlackBerry Users For Fun

Sheran Gunasekera

March 10, 2010 (at 10:30 a.m.) in Defense & Management

Regarded by many as a platform that remains very secure and difficult to compromise, the BlackBerry has enjoyed great success not only in large corporations and governments, but now, also in the consumer market. So can a BlackBerry truly be owned?

This talk explores the one weakness in the BlackBerry handheld — wetware. It will demonstrate how malware can be planted on a BlackBerry and show how the BlackBerry API makes the task of spying on a user significantly easier. The talk also covers a real-world case of how a UAE telco, Etisalat, attempted and failed to compromise its entire BlackBerry user base of 145,000 users.

A live demo featuring the toolkit Bugs & Kisses will be given, providing examples of attacks and practical steps to mitigate them.

Return Oriented Rootkits

Ralf Hund

March 10, 2010 (at 11:30 a.m.) in Attack & Research

Ever since the large-scale exploitation of software vulnerabilities became a massive nuisance in this decade, researchers from the academic and private sectors have invented technical countermeasures to mitigate this threat. To outsmart increasingly sophisticated defensive systems, more intelligent attack techniques were developed. In the field of kernel protection, some new solutions which rely on the concept of lifetime code integrity were introduced recently. These prevent attackers from executing their own code with elevated privileges. The talk shows how to evade such protections by using return-oriented programming and discusses the inherent difficulties and limitations attackers face. Our work culminates in the development of a real return-oriented rootkit for Windows.

Federated Identity – Opportunities and Dangers

Dominick Baier

March 10, 2010 (at 11:30 a.m.) in Defense & Management

The world is moving towards a federated identity model. Public-facing websites like Google or Facebook utilize technologies like OpenID, OAuth and WRAP to provide single sign-on capabilities. Enterprises and ISVs are starting to deploy WS-Federation, WS-Trust and SAML to federate with customers, partners and even internally. The goals are always the same: provide a more meaningful representation of “identity” for authentication, authorization and personalization. This talk sheds light on all these technologies, how they work and how to secure them.

History of the TLS Authentication Gap bug

Steve Dispensa & Marsh Ray

March 10, 2010 (at 1:30 p.m.) in Attack & Research

A serious security flaw was recently found in TLS, dating back to the mid-90s. How did this happen, why didn’t anyone catch it, why is it so hard to fix, and what can we do to prevent it going forward? The speakers will also discuss the relative merits of various mitigations and the IETF’s proposed solution.

Parameter Pollution in Connection Strings Attack

Chema Alonso

March 10, 2010 (at 2:30 p.m.) in Attack & Research

This session is about the Parameter Pollution in Connection Strings attack. Today, a lot of tools and web applications allow users to dynamically configure a connection to a database server. This session will demonstrate the high risk of doing this insecurely. It will show how to steal the user account credentials in Microsoft Internet Information Services, how to get access to these web applications by impersonating the connection and taking advantage of the web server credentials, and how to connect to internal database servers in the DMZ without credentials. The impact of these techniques is especially dangerous for hosting companies which allow customers to connect to control panels to configure databases.

Connection strings allow applications to connect to databases. This connection can be constructed dynamically in some special tools, such as management tools or control panels in hosting systems. Connection String Parameter Pollution attacks allow attackers to duplicate the value of some parameters to change the connection behavior, the target server and the security authentication protocol. These attacks could allow attackers to get access to internal databases, get access to web applications without credentials in Microsoft SQL Server and Oracle databases, or steal web server user credentials. At the end, after demonstrating all these attack vectors, this session will give some security recommendations in order to avoid this risk in web hosting companies.

Rapid Risk Assessment

Enno Rey

March 10, 2010 (at 2:30 p.m.) in Defense & Management

To streamline the process of well-informed decision taking in a highly dynamic, complex and emotionally charged environment we were asked to develop a “Rapid Risk Assessment” (RRA) methodology for one of the world’s largest corporations. The RRA mainly consists of a documented process and some templates/MS Excel sheets that can be used by an information security officer during his/her daily work. In this talk we will discuss the overall approach of such a process and its practical uses. Of course all tables and examples shown will be available for download after the conference.

Don’t Do This At Home: 0wning Botnets

Werner Tillmann

March 10, 2010 (at 4 p.m.) in Attack & Research

Most botnets suck. They are based on crappy software maintained by clueless people – completely boring for the experienced botnet takeover guy. You are looking for challenges? This talk demonstrates how the more sophisticated botnets that make use of e.g., peer-to-peer technology or strong cryptography can be 0wned. We will have a look at the infamous Storm Worm, the Waledac bot, and also our last year’s favorite, Conficker. Sit back, relax, enjoy!

The truth about outsourcing security

Bryan Fite

March 10, 2010 (at 4 p.m.) in Defense & Management

It happens every day: more critical infrastructure is being handed over to large service providers in order to lower costs, maximize efficiencies and shift the responsibility of IT delivery. When it works, huge benefits can be realized. However, when large outsourcing deals go bad nobody wins; companies do not achieve business objectives, hemorrhage cash and react in ways that cause more harm. Typically the first casualty of a “bad deal” is security and compliance. Learn why these golden opportunities are doomed from the beginning if they do not consider governance and streamlined risk management practices, and how to avoid the common pitfalls while reaping the benefits of shared services and “The Cloud”.

Vulnerabilities in custom SAP ABAP Code

Markus Schumacher

March 10, 2010 (at 5 p.m.) in Defense & Management

When code is written, things go wrong. Wrong code can lead to vulnerabilities. And custom applications written in SAP’s proprietary language ABAP are no exception. But there’s a difference: if wrong code in an SAP application can be exploited, the impact is very high, since SAP applications directly control the processes of a business. In this talk, we provide a security 101 course for ABAP. We introduce the language and different programming paradigms. Furthermore, we present by example what certain vulnerabilities in custom ABAP code might look like and what you can do to prevent them (Cross-Site Scripting and SQL Injection).

Keynote: What hacker research taught me

Sergey Bratus

March 11, 2010 (at 9 a.m.) in Attack & Research

Sergey Bratus is going to start the second conference day with his keynote “What hacker research taught me”.

Clobbering the Cloud

Marco Slaviero

March 11, 2010 (at 10:30 a.m.) in Attack & Research

Cloud Computing dominates the headlines these days but like most paradigm changes this introduces new risks and new opportunities for us to consider. Some deep technical research has gone into the underlying technologies (like Virtualization) but to some extent this serves only to muddy the waters when considering the overall threat landscape.

During this talk, SensePost will attempt to separate fact from fiction while walking through several real-world attacks on “the cloud.” The talk will focus both on attacks against the cloud and on using these platforms as attack tools for general Internet mayhem. For purposes of demonstration we will focus most of our demos and attacks against some of the big players…

How to fail an audit

Martin Freiss

March 11, 2010 (at 10:30 a.m.) in Defense & Management

An anecdotal tale of how and why (ISO27001) audits go wrong. The speaker is an accredited auditor and has suffered through various project situations where things go horribly wrong.

Mistakes in choosing an auditor
Misunderstanding ISO27001
Arguing with Auditors

Some notes on SAP security

Alexander Polyakov

March 11, 2010 (at 11:30 a.m.) in Defense & Management

Enterprise application security is one of the most important topics in computer security, as corporate environments have nowadays become more secure. As a result, attack vectors shift from the OS down to the applications. And mostly it is about enterprise business applications like ERP, CRM, SRM and others, because these are the applications that store business data, and any vulnerability in these applications will cause a real monetary loss.

SAP has many security problems on all levels such as network, OS, database and application. This talk will cover common and some uncommon vulnerabilities on all these levels backed up with real world examples.

Among the more uncommon vulnerabilities is SAP client side exploitation. This talk will describe different ways to attack SAP clients and demonstrate how you can get access to the whole SAP environment just by exploiting a client side vulnerability.

The good, the bad and the virtual

Claudio Criscione

March 11, 2010 (at 1:30 p.m.) in Attack & Research

Virtualization, from an assessor’s perspective, is often a pure black box. Most of the time a whole penetration test can go on without the tester even noticing that the machines he assessed were virtual ones. However, virtualization poses new challenges to the tester and new threats to any data center, which should be identified and addressed. Or maybe exploited.

In this talk, we will go into the details of various kinds of attacks leveraging a new toolkit, VASTO [Virtualization ASsessment TOolkit], which will be released at TROOPERS10.

How to rate the security of closed source software

Michael Thumann

March 11, 2010 (at 1:30 p.m.) in Defense & Management

Security evaluation of software is getting more and more common in large enterprises to ensure that they can trust the software and secure the processed data. But beyond the common source code reviews, pentests and fuzzing tests, it’s still hard to rate the security of closed source software without reverse engineering it. This talk will introduce some ideas on how to rate this software in an almost automated way, using the right tools and based on some quality metrics and other facts about the binary. It will give some advice on how to implement the concept in the enterprise.

Letting your fuzzer know about target’s internals

Rodrigo Branco

March 11, 2010 (at 2:30 p.m.) in Attack & Research

If you just want to use fuzzers for QA purposes, this talk is not for you. If you want to really use fuzzers to find security vulnerabilities and write real exploits, or at least to understand how people are actually doing that professionally, let’s have fun together.

This talk will cover the integration between fuzzers and debuggers, showing how important it is to have the target’s internal information to discover complex vulnerabilities and to differentiate them from simple crashes. This problem is compounded when you have thousands of crashes that need to be analyzed and prioritized.

Fuzzers have become the most important technology for finding software vulnerabilities nowadays. The biggest problem in fuzzing is determining the exploitability of the problems you will find. We are going to show the ideas behind the tools and the tools in action.

Tools of the Trade for a Modern (C)ISO

Enno Rey

March 11, 2010 (at 2:30 p.m.) in Defense & Management

Enno will discuss some of the challenges that ISOs face on a daily basis and the necessary skills to master those challenges. Hopefully in a moderately entertaining and practical way ;-)

A security assessment of Cisco Enterprise WLAN components

Oliver Roeschke

March 11, 2010 (at 4 p.m.) in Attack & Research

The world of “Enterprise WLAN solutions” is full of obscure and “non-standard” elements and technologies. One prominent example is Cisco’s Structured Wireless-Aware Network (SWAN) architecture, which features a flawed-by-design™ protocol called “Wireless Context Control Protocol” (WLCCP). Further obscurities and design-flaws can be found when digging into newer concepts like the so-called “Cisco Unified Wireless Network”. This talk will give an overview of the concepts themselves, discuss secure protocol design and associated vulnerabilities when disobeying these.

Security of Control Networks – An Insiders Perspective


March 11, 2010 (at 4 p.m.) in Defense & Management

Availability, Integrity, Confidentiality. Wait, isn’t that in the wrong order? Control system networks rely on real time data, have zero tolerance for downtime, and need to provide telemetry to operations. This is only half the battle, balancing the need for securing the network while still providing data out and not letting anything get in, further adds to this complexity. This talk provides insight on what it takes to perform this ballet day in and day out.