TROOPERS13 Archive - Presentations

TROOPERS13 took place from 11th to 15th March 2013 in Heidelberg, Germany.


Paparazzi over IP

Daniel Mende & Pascal Turbing

March 13, 2013 (at 10:30 a.m.) in Attacks & Research

Almost every recent higher-class DSLR camera features multiple and complex access technologies. For example, CANON’s new flagship features IP connectivity both wired via 802.3 and wireless via 802.11. All big vendors are pushing these features to the market and advertise them as real-time image transfer to the cloud. We have taken a look at the layer 2 and 3 implementations in the CamOS and the services running upon those. Not only did we discover weak plaintext protocols used in the communication, we’ve also been able to gain complete control of the camera, including modification of camera settings, file transfer and image live stream. So in the end the “upload to the clouds” feature resulted in an image-stealing Man-in-the-Imageflow. We will present the results of our research on cutting-edge cameras, exploit the weaknesses in a live demo and release a tool after the presentation.

Detecting white-collar cybercrime: SAP Forensics

Mariano Nuñez Di Croce & Juan Perez-Etchegoyen

March 13, 2013 (at 10:30 a.m.) in Defense & Management

The largest organizations in the world rely on SAP platforms to run their critical processes and keep their business crown jewels: financial information, customer data, intellectual property, credit cards, human resources salaries, sensitive materials, suppliers and more. Everything is there – and attackers know it.

Now, the big question arises: Has your SAP system ever been hacked? Is it compromised today? If your answer is “no”, are you sure? Do you know what to look for? Unfortunately, most organizations do not have this knowledge today, which only empowers the bad guys.

For several years at Onapsis we have been researching how cyber-criminals might be able to break into ERP systems, in order to help organizations better protect themselves. This has enabled us to gain unique expertise on which attack vectors are the most critical and what kind of traces they leave (and don’t) on the victim SAP platforms.

Join us in the first public presentation on how to do a forensic analysis of an SAP system, looking for traces of a security breach. Learn where fingerprints may have been left, understand which system tools are available to help you and what their limitations are. Watch several live demos of security breaches and find out how you may be able to detect that they took place, helping you assess the business impact and track down the attacker.

The future of data exfiltration and malicious communication

Steffen Wendzel

March 13, 2013 (at 11:30 a.m.) in Attacks & Research

This talk discusses practical aspects of recent developments in the scientific community in the area of network covert and side channels. The talk will highlight new covert channel techniques which cannot be entirely prevented with state-of-the-art techniques, and will also discuss side channels in networks (including building automation networks) as a subset of covert channels. Covert and side channels not only allow policy-breaking communication (e.g., for journalists or botnets) but additionally allow the remote monitoring of persons in buildings — a problem that is linked to the sensitive field of Ambient Assisted Living (AAL) and eHealth. Using these techniques, future attackers can monitor inhabitants in buildings, can adapt their covert channels automatically to new circumstances (e.g., changed firewall rules or statistical changes within the network traffic), and can dynamically route in covert channel overlay networks.

Hacking & Defending the big 4 Databases

Alex Rothacker

March 13, 2013 (at 11:30 a.m.) in Defense & Management

According to the Identity Theft Resource Center, in the past year and a half there have been nearly 900 breaches and over 28 million records compromised. With the likes of Anonymous, LulzSec and government-sponsored attackers continuously hacking into major corporations and government agencies, do you wonder if you’re next? No organization, industry, or government agency is immune to the proliferation of complex attacks and malicious behavior. Ensuring database security is a priority for organizations interested in protecting sensitive data and passing audits. Over the course of this presentation, sophisticated methods used to invade enterprise databases will be described, and the evolution of the security issues and features in each database will be provided. A demonstration of new and popular attacks will also be presented. The presentation will conclude by proposing essential steps IT managers can take to securely configure and maintain databases, and to defend against malicious breaches entirely.

Introducing Daisho – monitoring multiple communication technologies at the physical layer

Michael Ossmann & Dominic Spill

March 13, 2013 (at 1:30 p.m.) in Attacks & Research

Most communications media can be monitored and debugged at various levels of the stack, but we believe that it is most important to examine them at the physical layer. From there, the security of every level can be investigated and tested. The task of monitoring physical layer communications has become increasingly difficult as we try to squeeze more and more bandwidth out of our links. A passive tapping circuit can be used to monitor a 100BASE-TX connection, but no such circuit exists for 1000BASE-T networks. Our solution to this problem is Project Daisho: an open-source hardware and software project to build a device that can monitor high-speed communication links and pass all of the data back to a host system for analysis. Daisho will include a modular, high-bandwidth design that can be extended to monitor future technologies. The project will also produce the first open-source USB 3.0 FPGA core, bringing high-speed data transfer to any projects that build on the open platform. As a proof of concept at this early stage, we will demonstrate monitoring of a low-bandwidth RS-232 connection using our first round of hardware and discuss the challenges involved with the high-speed targets such as 1000BASE-T and USB 3.0 that we will take on later this year.

Virtual firewalls – the Good, the Bad and the Ugly

Ivan Pepelnjak

March 13, 2013 (at 1:30 p.m.) in Defense & Management

Anything is marketed as a virtual firewall these days, from contexts on physical boxes to hypervisor kernel modules and VMs with a kitschy GUI in front of iptables. This presentation will walk you through the virtual firewall taxonomy, describe the major architectural options, and illustrate typical use cases with products from a few established virtual firewall vendors (Cisco, VMware, Juniper, Vyatta/Brocade) and startups (LineRate Systems, Midokura).

Ghost in the Shell

Xu Jia & Andreas Wiegenstein

March 13, 2013 (at 2:30 p.m.) in Attacks & Research

Security conferences in the past years have made it clear that common security vulnerabilities such as SQL Injection, XSS, CSRF, HTTP verb tampering and many others also exist in SAP software.

This talk covers several vulnerabilities that are unique to SAP systems and shows how these can be used in order to bypass crucial security mechanisms and at the same time operate completely below the (forensic) radar.

We uncovered undocumented mechanisms in the SAP kernel that allow launching attacks that cannot be traced back to the attacker by forensic means. These mechanisms allow an attacker to actively inject commands at any time into the running backend session of an arbitrary logged-on user chosen by the attacker. We named this attack mechanism “Ghost in the Shell”.

We will also demo how to use this attack vector to distribute malware to the attacked user’s client machine despite mechanisms in the SAP standard that are designed to prevent this.

BIO: Andreas Wiegenstein has been working as a professional SAP security consultant since 2003. He performed countless SAP code audits and has been researching security defects specific to SAP / ABAP applications.

As CTO, he leads the CodeProfiler Research Labs at Virtual Forge, a team focusing on SAP/ABAP specific vulnerabilities and countermeasures. At the CodeProfiler Labs, he works on ABAP security guidelines, ABAP security trainings, an ABAP security scanner as well as white papers and publications.

Andreas has trained large companies and defense organizations on ABAP security and has spoken at SAP TechEd on several occasions as well as at security conferences such as Troopers, BlackHat, HITB and RSA, and at many smaller SAP-specific conferences. He is co-author of the first book on ABAP security (SAP Press 2009). He is also a member of the Business Security Community.

The Interim Years of Cyberspace: Security in a Domain of Warfare

Rob Lee

March 13, 2013 (at 2:30 p.m.) in Defense & Management

The cyberspace domain is one that nations and companies alike are quickly trying to secure as well as militarize, yet it encompasses users all around the globe. Thus it is a domain for everyone to take part in. This presentation makes the case that the cyberspace domain is currently in its interim years akin to the interim years of the aerial domain between World War I and World War II. It is in this period that people must get involved in the domain to guide the debates, doctrine, and education that will secure its place in history. The presentation will compare the current state of cyberspace to that of the interim years of airpower and make the case that security professionals and hackers alike must adapt and take part in a rapidly evolving environment.

Your IPv6 default config meets FOCA

Chema Alonso

March 13, 2013 (at 4 p.m.) in Attacks & Research

Your laptop is probably working on IPv6 and you probably don’t even know it. You probably need to stop configuring your IPv4 address when you cannot connect to your fileserver, but you don’t know it. In this talk you are gonna see how an attacker can take advantage of the IPv6 default configuration in your laptop… with the Evil FOCA }:))

Panel: “Targeted Attacks – Hype or Reality?”

Sergey Bratus & Bryan Fite

March 13, 2013 (at 4 p.m.) in Defense & Management

Flash Storage Forensics

Dmitry Sklyarov

March 13, 2013 (at 5 p.m.) in Attacks & Research

Lots of modern devices use flash memory as primary storage, and some of those devices (e.g. smartphones) often hold private data. There are common ways to protect stored data (with encryption). But are there easy ways to properly dispose of sensitive information?

UI Redressing Attacks on Android Devices

Marcus Niemietz

March 14, 2013 (at 10:30 a.m.) in Attacks & Research

In this presentation, we describe novel high-impact user interface attacks on Android-based mobile devices, additionally focusing on showcasing the possible mitigation techniques for such attacks. We discuss which UI redressing attacks can be transferred from the desktop browser to the mobile browser field. Our main contribution is a demonstration of a browserless tap-jacking attack, which greatly enriches the impact of previous work on this matter. With this technique, one can perform unauthorized home screen navigation and attempt actions like (premium number) phone calls without having been granted appropriate privileges. To protect against this attack, we introduce the concept of a security layer that catches all tap-jacking attempts before they can reach the home screen or arbitrary applications.

Understanding & Mitigating Large Scale DoS Attacks

Adam Sen

March 14, 2013 (at 10:30 a.m.) in Defense & Management

In 2012, quite a few organizations were exposed to large-scale denial-of-service attacks. Still, in some places there’s a lack of understanding and of preparedness/response capabilities. This talk will provide a classification of common DoS attacks and the methods & tools used by the attackers. Furthermore, different mitigation approaches will be discussed, together with their advantages/disadvantages and scenarios where they can (or cannot) be applied. The speaker can & will provide first-hand experience from being in charge of countering an attack of multi-gigabit scale and from several other case studies.

Malicious pixels: QR-codes as attack vectors

March 14, 2013 (at 11:30 a.m.) in Attacks & Research

QR-Codes, a version of two-dimensional barcodes that are able to store quite large amounts of information, started gaining huge popularity throughout the last few years, including all sorts of new applications for them. Originating from the area of logistics, they found their way into marketing, and since the rise of modern smartphones with their ability to scan them in the street, they can be found virtually everywhere, often linking to sites on the internet. Recently, standards for paying using QR-codes have even been proposed and standardized. In this talk we will highlight possible attack vectors arising from the use of QR-Codes. Furthermore, we will outline an algorithm for calculating near-collisions in order to launch phishing attacks, and we will demonstrate the practical utilization of this technique.

Pitfalls of Vulnerability Rating & A New Approach Called ERRS (ERNW Rapid Rating System)

Matthias Luft & Michael Thumann

March 14, 2013 (at 11:30 a.m.) in Defense & Management

Like most IT operations, security management has to deal with a permanent lack of resources. In order to address this lack and carry out effective security management and operations, the prioritization of tasks is crucial. This also holds true for the handling of data resulting from security assessments and vulnerability management. Even though there are several approaches for the rating of findings and vulnerabilities out in the wild, those hide several pitfalls (such as a lack of support for “chains and composites” or blurry impact perspectives) which will be outlined during this presentation. We will also present a new approach to vulnerability metrics that allows a rapid rating both for auditors and internal governance departments and allows agile security practitioners to deal with “decision entropy”.

You wouldn’t share a syringe. Would you share a USB port?

Sergey Bratus & Travis Goodspeed

March 14, 2013 (at 1:30 p.m.) in Attacks & Research

Previous work has shown that a USB port left unattended may be subject to pwnage via insertion of a device that types into your command shell. Impressive attack payloads have been delivered over USB to jailbreak the PS3 and a “smart TV”. Not surprisingly, USB stacks started incorporating defenses such as device registration, USB firewalls, and other protective kits. But do these protective measures go far enough to let you safely plug a strange thumb drive into your laptop’s USB port? We demonstrate that the scope of the OS code manipulation feasible through a USB port is much broader than could be expected. USB stack abuse is not limited to emulating HID keyboards or a few exotic devices — it is a clear and present danger throughout the USB software stack and can reach into any part of the operating system kernel and driver code. We show a simple development environment that is capable of emulating any USB device to engage whatever software on the host computer is meant to interact with such devices — and break any and all of the assumptions made by such software, leading to pwnage. In a nutshell, sharing a USB port belongs in the past — just like the era of downloading arbitrary executables and other Internet “free love”.

OAuth2 – Ready or not (here I come)

Dominick Baier

March 14, 2013 (at 1:30 p.m.) in Defense & Management

After a 3-year-long struggle, the IETF finally released the OAuth2 specifications (RFC 6749 & 6750). While all the big players (like Google, Microsoft and Facebook) are already using it, more and more people want to follow. But there is big confusion about what OAuth2 really is, what its use cases are and which problems it can actually solve. At the same time, the security experts out there don’t really agree whether OAuth2 is a complete failure, or not – or something in between. Dominick walks you through OAuth2, its use cases, dark corners and pitfalls.

Hacking and Craft

Jeff Gough

March 14, 2013 (at 2:30 p.m.) in Attacks & Research

Hackers and craftsmen have a lot in common. Today 3D printing and other rapid prototyping technologies are making it increasingly easy to make stuff. They also bridge the digital and the physical worlds, so increasingly software hackers are making inroads into hardware.

However, there are ancient, simple and powerful craft techniques which are being neglected by this maker movement. In this talk I will show how high and low-tech tools can be combined to maximise the capability of the modern hacker-craftsman. I will present some of my recent work, including metalwork, jewellery, metal casting, and the design and construction of a full custom embedded electronic hardware product including firmware, circuit design, and mechanical integration. Finally I will discuss hacking-craft in the context of physical security. Can you 3D print your way into the data center?

Smart TV Security

Lee SeungJin

March 14, 2013 (at 4 p.m.) in Attacks & Research

Over 80,000,000 Smart TVs were sold around the world in 2012. The next-generation “smart” platform is becoming more and more popular. On the other hand, we hardly see any security research on Smart TVs. This presentation will talk about what we’ve found and figured out on the platform. You can picture that a Smart TV has almost all the attack vectors that PCs and smartphones have. Also, a Smart TV has its own attack vectors, such as the remote controller. We’ll talk about attack points of the Smart TV platform and present the security bugs we found. Moreover, we’ll show what attackers can do on a hacked Smart TV. For example, fancy Smart TVs have many hardware modules like a camera or mic, which means bad guys could watch you in a way that users never notice. Even more, they could possibly keep the Smart TV working 24/7 even though users turn off their TV, which means #1984 could become reality. In addition, we’ll point out the differences in the types of information leaked from PCs, smartphones and Smart TVs. Lastly, we’ll give a demo of capturing live photos and sending them to the attacker’s server during this talk.

Corporate Espionage via Mobile Compromise: A Technical Deep Dive

David Weinstein

March 14, 2013 (at 4 p.m.) in Defense & Management

Corporate-scale cyber espionage is a threat to keeping a leg up on the competition. Mobile phones are increasingly targeted by attackers and can be a powerful tool to gain entry to a company and exfiltrate intellectual property. We will examine how the ability of the mobile device to operate on either side of corporate boundaries exposes the company to risk. This talk will be particularly technical in describing the implementation of a reprogrammable USB device built upon the Linux gadget framework on Android, used to penetrate traditional corporate defenses. We will also demonstrate an Android RAT specifically designed to be aware of its surroundings, capable of recording sensitive audio, video, bluetooth, and wireless connections, while silently waiting to be plugged into a corporate laptop/desktop. Then the fun begins!