TROOPERS12 Archive - Presentations

TROOPERS12 was taking place from March 19th – 23rd 2012 in Heidelberg, Germany.


Keynote: Gary McGraw

Gary McGraw

March 21, 2012 (at 9 a.m.) in Attacks & Research


DISCQO: “Discourse on Implications for Security and Crytpography from Quantum Oddness”

Graeme Neilson

March 21, 2012 (at 10:30 a.m.) in Attacks & Research

Quantum computing is a fascinating, emerging technology with a potentially huge impact on security. This talk introduces the principles of quantum computing and the current state of the art. This is followed by a discussion on the uses of quantum based computer systems within security, the potential implications for cryptography, now and in the future, and the possibility of hacking current quantum based cryptography systems.

  • What is quantum computing?
  • What is quantum key exchange?
  • Can quantum key exchange be hacked?
  • Will a quantum computer be able to decrypt all my encrypted data?
  • Do I need a quantum computer?
  • Do quantum computers even exist?
  • What are the implications of quantum computing on my current cryptography?

DISCQO: “Discourse on Implications for Security and Crytpography from Quantum Oddness” by Graeme Neilson [This presentation is hosted externally at this fancy place called]

Cloud Storage and Its Implications on Security and Privacy

Manuel Leithner

March 21, 2012 (at 10:30 a.m.) in Defense & Management

With everything moving to the cloud nowadays, security and privacy is often left behind. An ever increasing number of cloud storage operators offer low cost online storage. In this talk we will present our results on the popular service Dropbox, which relied heavily on data deduplication for better user experience. While data deduplication is a straight forward way to decrease costs in terms of bandwidth and storage, it has implications on privacy and security of user data if done wrong – there ain’t no such thing as a free lunch. We will furthermore present methods how data deduplication can work correctly.

Into the Darkness: Dissecting Targeted Attacks

Rodrigo Branco

March 21, 2012 (at 11:30 a.m.) in Attacks & Research

The current threat landscape around cyber attacks is complex and hard to understand even for IT pros. The media coverage on recent events increases the challenge by putting fundamentally different attacks into the same category, often labeled as advanced persistent threats (APTs). The resulting mix of attacks includes everything from broadly used, exploit-kit driven campaigns driven by cyber criminals, to targeted attacks that use 0-day vulnerabilities and are hard to fend off – blurring the threat landscape, causing confusion where clarity is most needed.

This presentation analyzes a specific incident – last March?s RSA breach, explaining the techniques used by the attackers and detailing the vulnerability used to gain access to the network. It further explores the possible mitigation techniques available in current software on the OS and application level to prevent such attacks from reoccurring.

Security can not only Be Managed by Numbers – You Need More

Carsten Amann

March 21, 2012 (at 11:30 a.m.) in Defense & Management

From “the management’s perspective” IT security is usually reduced to key performance indicators. Those indicators tend to leave some room for interpretation, especially for top management people. This room for interpretation can lead to decisions which do not only not improve the security level, but might actually harm it. The presentation will give an overview how IT security should be “managed by numbers”, to provide transparency and to gain the trust of the top management.

[These slides won't be published.]

All Your Calls are Still Belong to Us – How We Compromised the Cisco VoIP Crypto Ecosystem

Daniel Mende & Enno Rey

March 21, 2012 (at 1:30 p.m.) in Attacks & Research

Modern “Enterprise” VoIP solutions are complex beasts. They usually encompass application servers (e.g. for mailboxes and to provide CTI functions), “infrastructure systems” for authentication or crypto stuff and “intelligent” phones.

In the end of the days the inherent complexity means that – while “traditional” VoIP attacks (like re-directing, sniffing and reconstructing calls) might no longer work – we’ve been able to severely compromise any enterprise VoIP environment we’ve pentested in the last twelve months. Based on a number of warstories, in this talk we’ll first lay out the relevant attack vectors and the protocol or device level vulnerabilities enabling those.

We will then focus on Cisco’s Unified Communications solution that seemingly disposes of a mature, certificate based crypto framework protecting both the signaling and the media transport. Well, seemingly. When closely inspecting the relevant parts and messages, it turns out that at some point all the key material can be replaced by attacker chosen keys. Which effectively means that we’re down to cleartext-like attacks again…

We’ll provide a technical explanation of the underlying vulnerabilities and discuss potential mitigating controls, both on a technical and on the provisioning process level.

[Due to an ongoing disclosure process we're linking to the approved version from BlackHat Europe 2012]

Securing Robot Mosquitoes with Laser Beams for Eyes in the Enterprise

Pete Herzog

March 21, 2012 (at 1:30 p.m.) in Defense & Management

One day employees start bringing robot mosquitoes into the office. They have robot mosquitoes at home and just they’re so damn useful for checking mail, making appointments, singing naptime songs, and spying over the neighbor’s fence. So why wouldn’t they? Your security policy doesn’t expressly forbid robot mosquitoes with laser beams for eyes or anything like it so here they are: riding the internal WiFi, carrying who knows what diseases and parasites from public, cyber ponds, melting the plastic plants, boiling the water cooler, and causing all sorts of other disruptions. Before you can ban them though you see that the CEO starts to bring his robot mosquito with laser beams for eyes in too. And he wants you not only support it but to make sure it doesn’t get hacked. Sounds familiar, right?

There will always be new technologies. Many of those new technologies pose new risks, perhaps even risks we hadn’t considered as risky to us before. So someone has to secure those new technologies. But how do we secure something we know so little about? Well, there’s a methodology for that. This talk will cover how to test new technologies, how to create the right policy for them, and how to control them, including robot mosquitoes with laser beams for eyes.

Business Application Security in a Global Enterprise

Thomas Stocker

March 21, 2012 (at 2:30 p.m.) in Defense & Management

In this talk the business application security process at Allianz SE will be laid out. Information security is an integral part of any IT related project from the very beginning and – supported by a well-defined framework of processes and accompanying documents – this is maintained through the whole project lifecycle. I will give a detailed overview of the process, show the relevant steps and documents and discuss common challenges when dealing with the projects, how to tackle those and lessons learned.

More Fun Using Kautilya or Is It a Thumb Drive? Is It a Toy? No, It’s a Keyboard

Nikhil Mittal

March 21, 2012 (at 4 p.m.) in Attacks & Research

How many non-traditional methods you use to get into systems? How about having some more fun while getting into the systems and also making profit out of it? Let us increase the awesomeness of our Penetration tests and start using Human Interface Devices such as Teensy in the pwnage trade.

The tool for the trade for this talk will be Kautilya. Kautilya is a toolkit which can be used to perform various pre-exploitation and post-exploitation activities. Kautilya aims on easing the use of attack vectors which traditionally require human intervention but can be automated using Teensy. Kautilya contains some nice customizable payloads which may be used for enumeration, info gathering, disabling countermeasures, keylogging and using Operating System against itself for much more. The talk will be full of live demonstrations.

An updated version of Kautilya will be released at TROOPERS that includes a number of previously unseen Linux payloads.

Trust Panel

March 21, 2012 (at 4 p.m.) in Defense & Management

Trust Panel

SAP (In)security: Latest Attacks and Defenses

Mariano Nuñez Di Croce

March 21, 2012 (at 5 p.m.) in Attacks & Research

This presentation details some of the latest attack vectors against SAP systems, explaining some of the techniques malicious parties may use to compromise the systems remotely and then escalate privileges to access sensitive business information.

Join us to see live demonstrations of these attacks, learn about the statistics of dozens of real-world SAP Penetration Tests and identify which are the latest advances in preventing your SAP systems from falling in the wrong hands.

Keynote: You and Your Research

Haroon Meer

March 22, 2012 (at 9 a.m.) in Attack & Research

What does it take to do quality research? What stops you from being a one-hit wonder? Is there an age limit to productive hackery? What are the key ingredients needed and how can you up your chances of doing great work? In a talk unabashedly stolen from far greater minds we hope to answer these questions and discuss their repercussions.

The Social Map

Johnny Deutsch

March 22, 2012 (at 10:30 a.m.) in Attack & Research

In our talk we will discuss about the threats that social networks pose on organizations. We will display case studies from our clients that have encountered unwanted exposure on account of their employees or social network applications.

The talk addresses issues, such as using the social network as a bed for corporate intelligence gathering, how do users interact with their co-workers and how can we infer from usage trends on the corporate social network policy.

We will demonstrate a variety of issues that corporations must think of when deciding to go on to the social networks. One of the most relevant usages on these networks is to harvest personal data and perform some data visualization tools, such as “Touch Graph”. This application performs this by mapping your friends, dissecting them into groups and creating a map of the employee’s social connections. The map is a good indicator of “closed groups”, a reference that indicated from where these people connect\relate to the employee. A tool that we manufactured for our cyber-services department can achieve a unique feature that enables intelligence gathering on people that user is directly related to or has social ties with. This tool creates a visualization of social circles that are not directly related to your profile, by gathering information that is open for the pubic on Facebook and displays it as a map of connections. In our talk we will display usage cases of the tool and how it relates to our social policy methodology.

“Secure Password Managers” and “Military-Grade Encryption” on Smartphones: Oh Really?

Dmitry Sklyarov

March 22, 2012 (at 10:30 a.m.) in Defense & Management

The task of providing privacy and data confidentiality with mobile applications becomes more and more important as the adoption of smartphones and tablets grows. As a result, there are number of vendors and applications providing solutions to address those needs, such as password managers and file encryption utilities for mobile devices.

In this talk we will analyze several password managers and file encryption applications for Apple iOS platform and demonstrate that they often do not provide any reasonable level of security and that syncing data between desktop and mobile versions of the applications increases the risk of compromise. We will also show that the best way to provide privacy and confidentiality on Apple iOS platform is by adhering to Apple Developer Guidelines and not by reinventing the wheel.

Theory of Insecurity

Sergey Bratus & Meredith Patterson

March 22, 2012 (at 11:30 a.m.) in Attack & Research

Why is the overwhelming majority of networked software still not secure, despite all effort to the contrary? Why is it almost certain to get exploited so long as attackers can craft its inputs? Why is it the case that no amount of effort seems enough to fix software that must speak certain protocols?

The answer to these questions is that for many protocols and services currently in use on the Internet, the problem of recognizing and validating their “good”, expected inputs from bad ones is either not well-posed or is undecidable (i.e., no algorithm can exist to solve it in the general case), which means that their implementations cannot even be comprehensively tested, let alone automatically checked for weaknesses or correctness. The designers’ desire for more functionality has made these protocols effectively unsecurable.

In this talk we’ll draw a direct connection between this ubiquitous insecurity and basic computer science concepts of Turing completeness and theory of languages. We will show how well-meant protocol designs are doomed to their implementations becoming clusters of 0day, and will show where to look for these 0day. We will also discuss simple principles of how to avoid designing such protocols.

Real SAP Backdoors

Andreas Wiegenstein

March 22, 2012 (at 11:30 a.m.) in Defense & Management

In the past year the number of lecture sessions with traumatizing headlines about hacking SAP systems has dramatically risen. Their content, however, is usually the same. Insecure implementations of algorithms, side effects in commands, flawed business logic and designs that brilliantly miss the point of security. In essence, security defects built into the SAP framework by mistake.

This session, however, demonstrates several security defects in SAP NetWeaver that do not appear to have been created by mistake. In order to make a point, I will first discuss with the audience what exactly defines a backdoor. Then I will demonstrate several security defects discovered by me & my team and finally discuss with the audience if these defects qualify as backdoors. All security defects shown are highly critical and have never been publicly discussed before.* They enable attackers to remotely execute arbitrary ABAP commands and arbitrary OS commands. In essence, full control over SAP NetWeaver Application Server ABAP.

  • We have discussed these security defects with SAP and SAP has fixed these issues.

Excel (and Office apps) Kills the Citrix (or Terminal Services) Star

Chema Alonso

March 22, 2012 (at 1:30 p.m.) in Attack & Research

Microsoft Office (and Excel) are common applications in big companies and in a big amount of cases they are published through Terminal Services or Citrix. However, securing that environment against malicious users is very complicated. In this talk you’ll see a lot of demos hacking Citrix and Terminal Services using Excel… and maybe you’ll be scared after having seen this session.

Security Professionals: Plumbers of Trust

Piotr Cofta

March 22, 2012 (at 1:30 p.m.) in Defense & Management

Trust is a foundation of security, so that it is often overlooked. The presentational analyses trust from the perspective of information security professional. It discusses what trust is, how it is structured and what can be done about it, beyond the familiarity of trust assessment or trust management. As a result, participants will develop professional insight into trust.

Got your Nose! How to Steal Your Precious Data Without Using Scripts

Mario Heiderich

March 22, 2012 (at 2:30 p.m.) in Attack & Research

Cross Site Scripting techniques and quirky JavaScript have received a lot of attention recently — more and more ways to get hands on this threat are being developed and practiced. Security aware people switch JavaScript off, developers can use sand-boxed IFrames and CSP to protect their applications and NoScript, XSS filter and HTML Purifer do a great job in keeping people from getting “XSS’d”. But what about attacks in the browser that don’t require any scripting at all — but still steal your precious data right before you know it? What about attacks, so sneaky and sophisticated or just simple, even your best Anti-XSS solution won’t prevent them, since they don’t use any scripting but fierce markup tricks from outer space? This talk will introduce and discuss those kinds of attacks, show how attackers steal plain-text passwords, read CSRF tokens and other sensitive data and create self-spying emails and worse. Deactivating JavaScript and eliminating is good level of protection? Not anymore!

BYOD – Does It work?

Rene Graf & Enno Rey

March 22, 2012 (at 2:30 p.m.) in Defense & Management

In many organizations “Bring Your Own Device” (BYOD) approaches are either subject to intensive discussion or are already practiced (with or without “proper governance”). Usually two security controls are of particular interest in BYOD scenarios, that are container solutions and acceptable use policies (AUPs). The speakers have contributed to BYOD “implementations” in several environments and – based on actual case studies – are going to discuss three main aspects in their talk:

<ul> <li>What’s the role of the supply chain of a device, in a BYOD setting? Is it possible to securely process – e.g. by means of a container solution – sensitive data on a device that was acquired on ebay or that the VIP using it received “as a present in the course of an industry fair in an emerging market country”?</li> <li>What level of security is actually provided by container solutions? Do they sufficiently secure data (including temporary data) and which user behavior might be required for this?</li> <li>When are good AUPs needed and which elements should be included in those?</li> </ul>

The goal of the talk is to enable the audience to realistically assess the security approaches and risks in BYOD scenarios.

Welcome to Bluetooth Smart

Michael Ossmann

March 22, 2012 (at 4 p.m.) in Attack & Research

Bluetooth Smart, formerly known as Bluetooth Low Energy, is an entirely new wireless protocol that is not backward compatible with “classic” Bluetooth. With consumer devices emerging in early 2012, this is the perfect time to review Bluetooth Smart and how it works. Packet captures from actual devices will be dissected, and particular attention will be given to the new security procedures specified for Bluetooth Smart.

Depending on what devices are commercially available by the time of the conference, I may or may not have a live demo prepared with actual consumer devices. At the very least, I will be able to do a demo using development boards as targets.

Some Notes on Web Application Firewalls or Why You still Get Owned

Frank Block & Michael Thumann

March 22, 2012 (at 4 p.m.) in Defense & Management

This talk illuminates Web Application Firewalls (WAFs), with particular focus on the negative detection model. It will present methods how they can be fingerprinted and circumvented in order to demonstrate the wrong feeling of security they might create. Furthermore the tool tsakwaf (The Swiss Army Knife for Web Application Firewalls) will be covered, a little script written in perl that includes various code generation functions for circumventing WAFs and a fingerprinting routine to identify supported WAFs.

Of course there will be some nice demos to prove the point and the speakers will also share their experience from daily web application pentest tasks. Finally, as a special gift, an enhanced version of TSAKWAF will be released at Troopers.