TROOPERS11 Archive - Presentations

TROOPERS11 took place from March 29 to April 1, 2011 in Heidelberg, Germany.


Opening Keynote

Enno Rey

March 30, 2011 (at 9 a.m.) in Attacks & Research

Opening Keynote

Cache on Delivery

Marco Slaviero

March 30, 2011 (at 10:30 a.m.) in Attacks & Research

Mining and abusing memcaches

Memcached has achieved a dominant position in the market as a very useful tool for enabling large-scale applications. However its initial design was based on assumptions that no longer hold true for many environments in which memcached is found today. In this talk, we describe techniques for finding, enumerating and exploiting Internet-facing memcached instances with sometimes surprising results from recognizable sites. Along the way, the go-derper tool will be demonstrated and we’ll briefly delve into exploiting Python Pickle.
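The enumeration the abstract describes rests on two facts: the memcached text protocol has no authentication, and ``stats items`` / ``stats cachedump`` let anyone who can reach the port list slabs and keys, then ``get`` them. The following is an added example for this archive page, not go-derper or any code from the talk. It walks that sequence against a transport callable and, for each value, disassembles it with ``pickletools`` to list the imports a ``pickle.loads`` would perform, without ever unpickling (the dangerous part). The key names, values and protocol responses are constructed; the ``cachedump`` command and its 1.4-era output format are assumed.

```python
"""Enumerate memcached over its text protocol and flag pickled values.

Added example; the store below and every response are constructed.
"""
import io
import pickle
import pickletools
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

_ITEMS_RE = re.compile(rb"^STAT items:(\d+):number (\d+)$")
_DUMP_RE = re.compile(rb"^ITEM (\S+) \[(\d+) b; \d+ s\]$")
_VALUE_RE = re.compile(rb"^VALUE (\S+) (\d+) (\d+)(?: (\d+))?$")


def parse_slabs(stats_items: bytes) -> Dict[int, int]:
    """slab id -> item count, from a 'stats items' response."""
    slabs = {}
    for line in stats_items.splitlines():
        m = _ITEMS_RE.match(line.strip())
        if m:
            slabs[int(m.group(1))] = int(m.group(2))
    return slabs


def parse_cachedump(dump: bytes) -> List[Tuple[bytes, int]]:
    """(key, size) pairs from a 'stats cachedump <slab> <limit>' response."""
    return [(m.group(1), int(m.group(2)))
            for m in (_DUMP_RE.match(l.strip()) for l in dump.splitlines()) if m]


def parse_get(resp: bytes) -> Dict[bytes, bytes]:
    """key -> raw bytes from a 'get k1 k2 ...' response. The data block is
    exactly <bytes> long (it may itself contain CRLF), then CRLF; END ends it."""
    values, pos = {}, 0
    while True:
        nl = resp.find(b"\r\n", pos)
        if nl < 0 or resp[pos:nl] == b"END":
            return values
        m = _VALUE_RE.match(resp[pos:nl])
        if not m:
            raise ValueError("unexpected line %r" % resp[pos:nl])
        key, size, start = m.group(1), int(m.group(3)), nl + 2
        values[key] = resp[start:start + size]
        pos = start + size + 2  # skip the CRLF after the data block


def pickle_globals(data: bytes) -> List[str]:
    """'module.name' for each GLOBAL/STACK_GLOBAL import a pickle would do.
    Uses the opcode disassembler only; never calls pickle.loads.
    Raises ValueError if data is not a valid pickle stream."""
    ops = list(pickletools.genops(io.BytesIO(data)))
    names = []
    for i, (op, arg, _pos) in enumerate(ops):
        if op.name == "GLOBAL":                     # 'cos\nsystem\n' -> 'os system'
            names.append(arg.replace(" ", "."))
        elif op.name == "STACK_GLOBAL":             # protocol 4: module, name on stack
            strs = [a for o, a, _ in ops[:i]
                    if o.name in ("SHORT_BINUNICODE", "BINUNICODE", "UNICODE")][-2:]
            if len(strs) == 2:
                names.append("%s.%s" % tuple(strs))
    return names


def mine(send: Callable[[bytes], bytes], per_slab: int = 100) -> Dict[bytes, Optional[List[str]]]:
    """Walk every slab, list keys, fetch values; map key -> imports or None (not a pickle)."""
    report: Dict[bytes, Optional[List[str]]] = {}
    for slab in sorted(parse_slabs(send(b"stats items\r\n"))):
        keys = [k for k, _ in parse_cachedump(send(b"stats cachedump %d %d\r\n" % (slab, per_slab)))]
        if not keys:
            continue
        for key, raw in parse_get(send(b"get " + b" ".join(keys) + b"\r\n")).items():
            try:
                report[key] = pickle_globals(raw)
            except (ValueError, KeyError, IndexError):
                report[key] = None
    return report


def tcp_sender(host: str, port: int = 11211, timeout: float = 3.0) -> Callable[[bytes], bytes]:
    """Real transport: one TCP exchange per command, read until the END line."""
    def send(cmd: bytes) -> bytes:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(cmd)
            buf = b""
            while not buf.endswith(b"END\r\n"):
                chunk = s.recv(65536)
                if not chunk:
                    break
                buf += chunk
            return buf
    return send


# Constructed store: a benign pickled session, a pickle whose REDUCE calls
# os.system("id") (hand-assembled, protocol 2), and a plain counter.
_STORE = {
    b"session:4f2a": pickle.dumps({"user": "alice", "admin": False}, protocol=2),
    b"session:9c01": b"\x80\x02cos\nsystem\nq\x00U\x02idq\x01\x85q\x02Rq\x03.",
    b"counter:hits": b"1337",
}


def fake_send(cmd: bytes) -> bytes:
    """Canned memcached answers for _STORE, in the real wire format."""
    if cmd == b"stats items\r\n":
        return b"STAT items:1:number %d\r\nSTAT items:1:age 10\r\nEND\r\n" % len(_STORE)
    if cmd.startswith(b"stats cachedump"):
        return b"\r\n".join([b"ITEM %s [%d b; 0 s]" % (k, len(v)) for k, v in _STORE.items()] + [b"END", b""])
    if cmd.startswith(b"get "):
        out = b"".join(b"VALUE %s 0 %d\r\n%s\r\n" % (k, len(_STORE[k]), _STORE[k])
                       for k in cmd[4:].rstrip(b"\r\n").split(b" "))
        return out + b"END\r\n"
    raise ValueError(cmd)


if __name__ == "__main__":
    for key, imports in mine(fake_send).items():
        print(key.decode(), "not a pickle" if imports is None else imports or "pickle, no imports")
```

Swap ``fake_send`` for ``tcp_sender("10.0.0.5")`` to run it against a real instance. A key whose report lists anything outside the application's own modules (``os.system``, ``subprocess.Popen``, ``builtins.eval``) is one an attacker planted; the fix on the operator side is not smarter scanning but binding memcached to localhost or a private interface, since the protocol itself has no access control.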

Security and regulatory requirements for public cloud offerings to support selected customer use cases

Mark Gall & Joachim Lüken

March 30, 2011 (at 10:30 a.m.) in Defense & Management

Compared to customers of traditional data centers, customers of cloud computing platforms face new security risks. This is especially true for public cloud offerings since the customers have only limited possibilities to customize the platform or the application, respectively, to meet their specific security needs. Currently several activities are ongoing to investigate how cloud platforms can be used to support governmental and enterprise applications. Most of these activities are conducted on a national level. This presentation introduces some of those activities and their objectives. Additionally the presentation gives some guidance for the deployment of selected customer use cases regarding which security, regulatory, and compliance requirements have to be met by the cloud provider.

Forging Canon Original Decision Data

Dmitry Sklyarov

March 30, 2011 (at 11:30 a.m.) in Attacks & Research

Many Canon DSLR cameras (and all mid- and high-end models) can generate authenticity information for images taken with them. This information (called “Original Decision Data”) can later be used to detect whether a picture is authentic or was altered, retouched, edited or otherwise forged. It also protects image metadata, most importantly the GPS timestamp and coordinates.

Original Decision Data is widely used by e.g. news agencies to ensure that photos they get from their sources are genuine and can be relied upon.

The talk will deliver the results of an in-depth security analysis of Canon’s Original Decision Data feature and show that it is quite possible to break it.

We will start by giving a detailed description of how authenticity data is generated and verified, identifying (obvious and not-so-obvious) design and implementation pitfalls. Next, a live demo will be given showing how easy it is to forge authenticity data and make a fake image verify as if it were genuine. Finally, we will share some thoughts on how to improve the system and make it more resilient to forging.

Your crown jewels online – Attacks to SAP Web Applications

Mariano Nuñez Di Croce

March 30, 2011 (at 11:30 a.m.) in Defense & Management

“SAP platforms are only accessible internally”. You may have heard that several times. While that was true in many organizations more than a decade ago, the current situation is completely different: driven by modern business requirements, SAP systems are getting more and more connected to the Internet. This scenario drastically increases the universe of possible attackers, as remote malicious parties can try to compromise the organization’s SAP platform in order to perform espionage, sabotage and fraud attacks. SAP provides different Web interfaces, such as the Enterprise Portal, the Internet Communication Manager (ICM) and the Internet Transaction Server (ITS). These components feature their own security models and technical infrastructures, which may be prone to specific security vulnerabilities. If exploited, your business crown jewels can end up in the hands of cyber criminals. Through many live demos, this talk will explain how remote attackers may compromise the security of different SAP Web components and what you can do to avoid it. In particular, an authentication-bypass vulnerability affecting “hardened” SAP Enterprise Portal implementations will be detailed.

I FOCA a .mil domain

Chema Alonso

March 30, 2011 (at 1:30 p.m.) in Attacks & Research

FOCA is a tool that helps you in the fingerprinting phase of a pentest. It helps you find lost data and hidden information in public documents, fingerprint servers, workstations, etc. In this demo we’ll see a good example of the results that can be obtained using FOCA. The target domain? You’ll see at TROOPERS.

Tales from the Crypt0

Graeme Neilson

March 30, 2011 (at 1:30 p.m.) in Defense & Management

Does the thought of SSL, HTTPS and S/MIME make you squeamish? Does PKI make you want to scream? Does encrypting data at rest make you want to bury yourself alive? Cryptography is an important part of most web applications these days, and developers and admins need to understand how, why and when to employ the best and appropriate techniques to secure their servers, applications, data and the livelihoods of their users. Join Graeme Neilson (Aura Software Security) for a series of scary stories of real-world crypto failures and to learn how to do it the right way (with lots of code samples).

Milking a horse or executing remote code in modern Java web frameworks

Meder Kydyraliev

March 30, 2011 (at 2:30 p.m.) in Attacks & Research

If you thought that either was unlikely this presentation will prove you wrong. Modern Java web frameworks are very complex and are used by some of the most critical web frontends (banks, airlines, etc). However, due to the nature of Java, a lot of people using such frameworks assume that they are immune to certain classes of vulnerabilities and thus use no exploitation mitigation techniques at all. I’ll discuss the current state of (in)security in some of the popular Java web frameworks (e.g. Spring, Struts2, Seam) based on my security review, which involved spending no more than 1 week on each framework. In most cases, I was able to get a shell in a HelloWorld application within 3-4 days. Presentation will also cover some of the ways to harden web applications built using these frameworks.

Future Directions in Malware Detection on Mobile Handsets

André Egners

March 30, 2011 (at 2:30 p.m.) in Defense & Management

Malware detection on Smartphones potentially enables the quick and timely mitigation of attacks that might originate from these devices. Typical malware detection methods known from fixed networks heavily rely on signature-based detection of malware. Signature-based detection enables a very high detection rate, but is ultimately dependent on a-priori knowledge of the kind of malware it aims to detect. If the malware is known and a signature is available, it will be detected. If the malware is unknown or employs advanced hiding techniques such as encryption, polymorphism, obfuscation, or packing, signature-based detection will not be successful. It is obvious that signature-based malware detection is needed, but it has its limitations, especially in the context of Smartphones and the diverse application landscape. A new approach to malware detection is based on behavioral aspects of the application and also the behavior of the users. This talk will introduce various detection mechanisms leveraging different behavioral aspects that can be extracted from Smartphones. Additionally we offer some ideas for future directions and application scenarios.

Femtocell: Femtostep to the Holy Grail

Ravishankar Borgaonkar & Kevin Redon

March 30, 2011 (at 4 p.m.) in Attacks & Research

Femtocells are now being rolled out across the world to enhance third generation (3G) coverage and to provide assurance of always best connectivity in the 3G telecommunication networks. A femtocell acts as an access point that securely connects a standard mobile handset to the mobile network operator’s core network over an existing wired broadband connection. In this talk, we will evaluate the security mechanisms used in femtocells and discuss practical & potential misuse scenarios of the same. In particular, our talk will cover:

- Femtocell and Telecom business model
- Security architecture of the femtocell
- Location verification techniques and how to beat them for free roaming calls
- Hacking of the device
    - r00ting
    - accessing confidential information stored on the device
    - installing malicious applications on the device
    - accessing the mobile network operator’s infrastructure elements
- Possible countermeasures
- Demo

Risk Panel

March 30, 2011 (at 4 p.m.) in Defense & Management

Risk Panel

SAP GUI Hacking

Andreas Wiegenstein

March 30, 2011 (at 5 p.m.) in Attacks & Research

SAP applications are not unbreakable. We show examples of how to get your hands on a company’s crown jewels by using Forceful Browsing and Cross-Site Scripting attack vectors via the SAP GUI.

Keynote: Talking Only to Ourselves: The Dangers of Refusing to Stop, Look and Listen

Richard Thieme

March 31, 2011 (at 9 a.m.) in Attack & Research

Nothing is harder to see than things we believe so deeply we don’t even see them. This is certainly true in the “security space,” in which our narratives are self-referential, bounded by mutual self-interest, and characterized by a heavy dose of group-think.

An analysis of deeper political and economic structures reveals those statements and beliefs in a new context, one which illuminates our mixed motivations and the interpenetration of overworlds and underworlds in our global society. This analysis will make you think twice before uncritically using the buzzwords and jargon of the profession – words like “security,” “defense,” and “cyberwar.” By the end of this presentation, simplistic distinctions between foreign and domestic and us and them will go liquid while the complexities of information security will remain … and permeate future discussions of this difficult domain.

Owning the data center using Cisco NX-OS

George Hedfors

March 31, 2011 (at 10:30 a.m.) in Attack & Research

Banks and large corporations are constantly upgrading their infrastructure. One of the latest additions to the Cisco family is the 7000-series with its new and “secure” NX-OS. This switch can easily take the role of the sole core switch in some of the largest network infrastructures in the world. It manages a large number of network interfaces and is the new virtualization platform within networking.

Its new Linux-based operating system lets old attack vectors, such as network-based denial-of-service attacks, turn into remotely exploitable buffer overflows. Deployment of generic rootkits is also possible by breaking out of the Cisco CLI environment using a series of undocumented features.

What would the impact for a large bank or corporation be if the core switch were infected by backdoors that took control over all VLANs?

Attacking Oracle Web Applications with Metasploit

Chris Gates

March 31, 2011 (at 10:30 a.m.) in Defense & Management

In 2009, Metasploit released a suite of auxiliary modules targeting oracle databases and attacking them via the TNS listener. This year lets beat up on…errr security test Oracle but do it over HTTP/HTTPS. Rather than relying on developers to write bad code lets see what we can do with default content and various unpatched Oracle middleware servers that you’ll commonly run into on penetration tests. We’ll also re-implement the TNS attack against the isqlplus web portal with Metasploit auxiliary modules.

OMG WTF PDF – What you didn’t know about Acrobat

Julia Wolf

March 31, 2011 (at 11:30 a.m.) in Attack & Research

Ambiguities in the PDF specification mean that no two PDF parsers will see a file in the same way. This leads to many opportunities for exploit obfuscation.

PDFs are currently the greatest vector for drive-by (malware installing) attacks and targeted attacks on business and government. A/V technology is extraordinarily poor at detecting these. The PDF format itself is so diverse and vague, that an A/V would need to be 100% bug-compatible with the parser in the vulnerable PDF reader.

Julia will also show some cool tricks like making a single PDF file that displays completely differently in several different readers.
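Two of the ambiguities behind the “no two parsers agree” claim can be shown in a few dozen lines. The following is an added example for this archive page, not material from the talk. The PDF below is constructed: it has no xref table (so a reader must scan for objects), defines object 4 twice (as an incremental update would), and spells the name ``/JavaScript`` with a ``#``-hex escape, which the PDF name syntax permits. A reader that honours the first definition displays one string; one that honours the last (the spec's incremental-update semantics) displays another. A scanner that greps for the literal ``/JavaScript`` misses the escaped name, while a scanner that normalises names as a parser would finds it. The two resolution policies are modelled as explicit functions; which real reader does which is not claimed here.

```python
"""One PDF, two readings: object shadowing and #-escaped names.

Added example; SAMPLE_PDF is constructed and deliberately has no xref table.
"""
import re

SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
    b"4 0 obj << /Length 46 >>\nstream\n"
    b"BT /F1 24 Tf 72 700 Td (Hello, TROOPERS) Tj ET\n"
    b"endstream\nendobj\n"
    # same object number again, as an incremental update would append it
    b"4 0 obj << /Length 36 >>\nstream\n"
    b"BT /F1 24 Tf 72 700 Td (pwned) Tj ET\n"
    b"endstream\nendobj\n"
    # /JavaScript written as /Ja#76aScript: '#76' is the hex code for 'v'
    b"5 0 obj << /S /Ja#76aScript /JS (app.alert(1)) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def object_definitions(pdf: bytes, num: int) -> list:
    """Every body of '<num> 0 obj ... endobj', in file order."""
    return re.findall(rb"(?<![0-9])%d 0 obj(.*?)endobj" % num, pdf, re.S)


def stream_text(body: bytes) -> bytes:
    """Operand of the first Tj in an (uncompressed) content stream."""
    m = re.search(rb"stream\r?\n(.*?)\r?\nendstream", body, re.S)
    content = m.group(1) if m else body
    t = re.search(rb"\((.*?)\)\s*Tj", content, re.S)
    return t.group(1) if t else b""


def rendered_text(pdf: bytes, num: int, policy: str) -> bytes:
    """What a reader shows for content object <num> under a resolution policy:
    'first' (first definition found while scanning) or 'last' (latest update wins)."""
    defs = object_definitions(pdf, num)
    if not defs:
        raise KeyError(num)
    return stream_text(defs[0] if policy == "first" else defs[-1])


def normalize_name(name: bytes) -> bytes:
    """Decode #xx escapes in a PDF name token, as a conforming parser does."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), name)


def naive_has_javascript(pdf: bytes) -> bool:
    """Signature-style check on raw bytes."""
    return b"/JavaScript" in pdf


def parser_aware_has_javascript(pdf: bytes) -> bool:
    """Same question asked after tokenising and normalising every name."""
    return any(normalize_name(tok) == b"/JavaScript"
               for tok in re.findall(rb"/[^\s/<>\[\]()]+", pdf))


def disagreements(pdf: bytes) -> dict:
    """Summarise the points where readers and scanners part ways."""
    return {
        "first_wins": rendered_text(pdf, 4, "first"),
        "last_wins": rendered_text(pdf, 4, "last"),
        "grep_sees_js": naive_has_javascript(pdf),
        "parser_sees_js": parser_aware_has_javascript(pdf),
    }


if __name__ == "__main__":
    for k, v in disagreements(SAMPLE_PDF).items():
        print(k, v)
```

The takeaway for a detection engineer is the one the abstract states: a scanner only catches what the target reader would execute if it reproduces that reader's resolution rules (which definition wins, how names and filters are decoded), and those rules differ between readers.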


Integration of the New German ID Card (nPA) in Enterprise Environments – Prospects, Costs & Threats

Friedwart Kuhn & Michael Thumann

March 31, 2011 (at 11:30 a.m.) in Defense & Management

The talk will cover the new nPA and related software like the AusweisApp with a special focus on possible use cases in the enterprise (“have the government run your corporate PKI” ;-) ). Besides outlining prerequisites for an integration of the nPA within an organization, it will also answer questions about legal aspects that have to be considered and threats and risks that must be controlled and mitigated. Furthermore we will give a short overview about our own security research of the AusweisApp.

Dynamic Program Analysis and Software Exploitation: From the crash to the exploit code

Rodrigo Branco

March 31, 2011 (at 1:30 p.m.) in Attack & Research

Program Analysis is a hot topic. Many people are discussing this subject even more given the amazing numbers of crashes the fuzzers are finding nowadays [1] [2].

This article uses program analysis as the way of making a computational system reason automatically (or at least with little human assistance) about the behavior of a program and draw conclusions that are somehow useful.

In a world where thousands of crashes do exist and are easily found in very important software, the classification of exploitability of such bugs is the first priority. It is known that it is impossible (or inviable or nobody wants to, or whatever other excuse you find to not fix your software) to fix all the bugs such fuzzers are finding, so, at least, companies want to fix (or exploit) the ones that are exploitable.

The problem is that the widely used solution to analyze such crashes are provided by Microsoft (named !exploitable or bang exploitable) [3][4] and are not really useful to create actual exploits or to better understand the problem, but just to give a static classification (exploitable, probably exploitable, not exploitable or unknown).

Even people with source code access are sometimes relying on such tools to determine the exploitability of a given path (sometimes it is easier to analyze a bug without getting into the messy code structure).

Taint Analysis concepts and challenges are going to be explained in order to determine what is being done by the proposed solution and to provide a better idea of future and areas of improvements.

[1] Nagy, Ben. “Finding Microsoft Vulnerabilities by Fuzzing Binary Files with Ruby – A New Fuzzing Framework”; Syscan 2009

[2] Miller, Charlie. “Babysitting an Army of Monkeys: An analysis of fuzzing 4 products with 5 lines of Python”; Cansecwest 2010

[3] Microsoft !exploitable page

[4] Abouchaev, Adel; Hasse, Damian; Lambert, Scott; Wroblewski, Greg. “Analyze crashes to find security vulnerabilities in your apps”

Ongoing Identity Weaknesses

Steve Dispensa & Marsh Ray

March 31, 2011 (at 1:30 p.m.) in Defense & Management

Authentication is a fundamental human activity and has even older origins in biological systems back to the first immune system. Perhaps it’s because humans have such deep experience with it that we seem doomed to continually underestimate its significance. When it is a protocol or system designer who makes this mistake, a vulnerability is the likely result. Over and over again we find network protocols and secure systems that are subject to spoofing, MitM, or authentication forwarding attacks. Attacks against these weak authentication systems are maturing. The last year has seen practical attacks on network protocols, applications, major websites, and more. These attacks specifically leverage weaknesses in authentication architectures, and point to a need for a fundamental rethinking of authentication. Authentication is evolving. We start by discussing what “being authenticated” really means. We present a few representative samples of existing (broken) authentication schemes and give examples of real apps under attack. We discuss the inherent problems with fundamental concepts like “login sessions” and why we think they are becoming obsolete. We talk about other dubious authentication practices which remain in common use. We then talk about event-based authentication, its strengths and limitations, and why we think this is the direction the world is moving.

Last minute change: Adventures in SCADA

Sergey Bratus & Edmond Rogers

March 31, 2011 (at 2:30 p.m.) in Attack & Research

Adventures in SCADA

Security reflections on Multi Function Devices

Matthias Luft & Michael Schaefer

March 31, 2011 (at 2:30 p.m.) in Defense & Management

Multi Function Printers are common devices in any corporate environment. They are integrated into the common office networks and process any kind of information — reaching from publicly available documents to strictly confidential business plans. The processing of confidential data usually results in a high need for protection. Nevertheless, multi function devices are often not covered by security guidelines or processes. This talk discusses the most common attack vectors, vulnerabilities and security controls to operate those devices at a reasonable level of security.

Do you know what’s happening in your $application?

Felix Leder

March 31, 2011 (at 4 p.m.) in Attack & Research

Malware and especially root-kits monitor every one of your actions. The same techniques can be used to monitor malware itself or to make sure nothing nasty is going on inside your regular applications. In this talk, we will present state-of-the-art monitoring techniques found in malware and talk about the advantages and disadvantages of the different possibilities. Furthermore, we are going to demo and present our user-level framework for writing your own root-kits in Python. This allows you to observe the malicious actions going on in your PDF reader while it is being exploited, to monitor the unencrypted data of HTTPS sessions inside your browser, or to have a look at the actions of malware.

Business Transparency via Security Dashboards

Michael Hoche & Heiko Kirsch

March 31, 2011 (at 4 p.m.) in Defense & Management

Transparent security risk is a clear business advantage. Security risk is a concept that links value with security threats. Traditionally security risk is treated by implementing counter measures for pre-defined threats. This implies knowledge of any future threat and up-front investments in security measures with unclear pay-off. Furthermore this approach usually limits collaboration. A security dashboard overcomes these deficits. It effectively discovers security risks by observing relevant security incidents and compiling them into one picture. This talk illustrates the difference between the two security approaches and lays down how to realize such a security dashboard.