TROOPERS14 Archive - Presentations

TROOPERS14 was taking place from 17th – 21st March 2014 in Heidelberg, Germany.


How to Own your Heart – Hacking Medical Devices

Florian Grunow

March 19, 2014 (at 10:30 a.m.) in Attack & Research

In the last few years we have seen an increase of high tech medical devices, including all flavors of communication capabilities. The need of hospitals and patients to transfer data from devices to a central health information system makes the use of a wide range of communication protocols absolutely essential. This results in an increasing complexity of these devices which also increases the attack surface of the equipment. Vendors of medical devices put a lot of effort into safety. This is especially true for devices with feedback to the patient, e.g. medical pumps, diagnostic systems and anesthesia machines. However, it is often forgotten that the security of these devices is a crucial part in also providing safety. An attacker who is able to gain unauthorized access to these devices may be able to endanger the health of patients. We decided to take a look at a few devices that are deployed in many major hospitals and probably in hospitals around the world. We focus on the security of these devices and the impact on the patient’s safety. The results will be presented in this talk.

Granular Trust; making it work

Toby Kohlenberg

March 19, 2014 (at 10:30 a.m.) in Defense & Management

Over the last 5 years the concept of using dynamic or granular trust models to control access to systems, networks and applications has become well known and is now seeing partial adoption in many places. The challenge is how granular and dynamic can you get and the question is whether it is worth it. As the architect of Intel’s trust model Toby can speak to the entire journey from initial idea through current implementation and the likely road ahead. This talk will include the good, bad and ugly parts of designing a trust model and then implementing it in a Fortune 50 company’s production environment. You will learn from his mistakes so you can make different ones.

Injecting evil code in your SAP J2EE systems: Security of SAP Software Deployment Server

Dmitry Chastuhin & Alexander Polyakov

March 19, 2014 (at 10:30 a.m.) in Special Track: SAP Security

Why break critical systems themselves when we can attack Deployment Server: the core from which all J2EE code spreads into other systems? The core is called SAP Software Deployment Server and consists of many subsystems like SDM, DTR, CMS. They have their own SVN-like subsystem and Build service. “By offering a single point of entry for all Java development tools and an integration point for all SAP infrastructure components, the SAP NWDS supports you in developing Web Dynpro and J2EE applications. Application developers do not need to switch between different development environments and can develop, build, deploy, and execute applications centrally from the Developer Studio.” Isn’t it a perfect victim for an attack? Who cares about the security of Deployment Server? That’s why it is full of issues and it is possible to deploy your own code anonymously without having any access to NWDS using architecture flaws. In the end, your evil code will spread to any system you want, giving you the ability to control every business system. Come and see how we did it in practice and how to prevent the described attacks.

What Happens In Windows 7 Stays In Windows 7

Marion Marschalek & Joseph Moti

March 19, 2014 (at 11:30 a.m.) in Attack & Research

Synopsis: Systems evolve over time, patches are applied, holes are fixed, new features are added. Windows8 is the new flagship product of Microsoft, and as prepared as it can be for a world of white-, grey- and black-hat hackers. System components underlie a tough vulnerability assessment process and are updated frequently to sort out security problems even before they arise. But just too often it happens that these clever fixes are not applied globally to all components, but just to the newest version of a library. Now we want to make use of exactly that fact to uncover potential vulnerabilities. What we aim for are the forgotten treasures in Windows7 libraries, holes that got fixed for the bigger brother at some point – but stay unfixed in Windows7 until today. We will present a tool that makes it easy to spot these forgotten vulnerabilities. We can keep track of different versions of libraries of different operating systems and automate the analysis process of a big file set. The focus lies on safe functions, which indicate a potential weakness when missing. The tool we show is flexible and extendible to integrate new features, adapt it to different database backends or generate new views on the data to analyse.

Easy Ways To Bypass Anti-Virus Systems

Attila Marosi

March 19, 2014 (at 11:30 a.m.) in Defense & Management

All IT security professionals know that antivirus systems can be avoided. But few of them knows that it is very easy to do. (If it is easy to do, its impact is huge!) In this presentation I will, on the spot, fully bypass several antivirus systems using basic techniques! I will bypass: signatures detection, emulation/virtualization, sandboxing, firewalls. How much time (development) is needed for it, for this result? Not more than 15 hours without a cent of investment! If I could do this, anyone can do this… so I think we have to focus to this problem. Using these easy techniques I can create a ‘dropper’ that can deliver any kind of Metasploit (or anything else) shellcode and bypass several well-known antivirus in real-life and full bypass the detection with a detection rate in 0. In my presentation I use 6 virtual machines and 9 real-time demos. Resulting the audience always have a big fun and surprise when they see the most well-know systems to fail – and the challenges what the AVs cannot solved are ridiculously simple and old. So the IT professionals might think too much about the systems which they rely on and which cost so much.

Risks in hosted SAP Environments

Xu Jia & Andreas Wiegenstein

March 19, 2014 (at 11:30 a.m.) in Special Track: SAP Security

Many SAP customers have outsourced the operation of their SAP systems in order to save cost. In doing so, they entrust their most critical data to a hosting provider, potentially sharing the same SAP server with a number of companies and organizations unknown to them. These companies and organizations virtually sit in the same boat, without knowing each other and without trusting each other. They all trust in the ability of their hosting provider to run their operating environment in a secure way, though. But how secure is hosted data in a SAP environment? This talk demonstrates various risks and attack vectors. It covers vulnerabilities and backdoors in the SAP standard (including several zero-days discovered by Virtual Forge) and how they could be used in order to access hosted SAP data. It also covers risks introduced by custom coding provided by any of the hosted parties. The talk also provides valuable advice for SAP customers that rely on hosting providers. And what the providers should do in order to run their installations safer.

Making (and Breaking) an 802.15.4 WIDS

Sergey Bratus & Ryan Speers & Javier Vazquez

March 19, 2014 (at 1:30 p.m.) in Attack & Research

Real-world security-critical systems including energy metering and physical security monitoring are starting to rely on 802.15.4/ZigBee digital radio networks. These networks can be attacked at the physical layer (reflexive jamming or via Packet-in-packet attacks), the MAC layer (dissociation storms), or at the application layers. Proprietary WIDS for 802.15.4 exist, but don’t provide much transparency into how their 802.15.4 stacks work and how they may be tested for evasion.

As the classic Ptacek & Newsham 1998 paper explained, tricks used to evade a NIDS tell us more about how a protocol stack is implemented than any specifications or even the RFCs. For WIDS, evasion can go even deeper: while classic evasion tricks are based on IP and TCP packet-crafting, evading 802.15.4 can be done starting at the PHY layer! We will explain the PHY tricks that will make one chip radio see the packets while the other would entirely miss them regardless of range; such tricks serve for both WIDS testing and fingerprinting.

We will release an open, extensible WIDS construction and testing kit for 802.15.4, based on our open-source ApiMote hardware. ApiMote uses the CC2420 digital radio chip to give you access to 802.15.4 packets at the nybble level. It can be easily adopted for detecting attacks at any protocol level. It also lets you test your ZigBee WIDS and devices from the frame level up. We will give out some of the ApiMotes.

Security and SDN – A perfect fit or oil-and-water?

Ivan Pepelnjak

March 19, 2014 (at 1:30 p.m.) in Defense & Management

Software-defined networks have quickly become one of the most overhyped networking concepts, with vendors promising earth-shattering results … and handwaving over scalability, reliability and security issues. The presentation will briefly introduce the concepts of SDN and OpenFlow (the tool used to build controller-based networks that require low-level network device control), the security aspects of programmable- and controller-based networks and the potential SDN- and OpenFlow-based security use cases, from scale-out IDS clusters to first-hop network security and user authentication/authorization solutions.

SAP BusinessObjects Attacks: Espionage and Poisoning of Business Intelligence platforms

Juan Perez-Etchegoyen & Will Vandevanter

March 19, 2014 (at 1:30 p.m.) in Special Track: SAP Security

Business executives make their strategic decisions and report on their performance based on the information provided by their Business Intelligence platforms. Therefore, how valuable could that information be for the company’s largest competitor? Even further, what if the consolidated, decision-making data has been compromised? What if an attacker has poisoned the system and changed the key indicators? SAP BusinessObjects is used by thousands of companies world-wide and serves as the gold standard platform for Business Intelligence. In this presentation we will discuss our recent research on SAP BusinessObjects security. Specifically, through several live demos, we will present techniques attackers may use to target and compromise an SAP BusinessObjects deployment and what you need to do in order to mitigate those risks.

20 Ways past Secure Boot

Job de Haas

March 19, 2014 (at 2:30 p.m.) in Attack & Research

This talk presents an overview of all things that can go wrong when developers attempt to implement a chain of trust also called ‘secure boot’. This talk is not so much focused at things like UEFI and Microsoft lockdown, but more at the general application in pay-tv, gaming and mobile devices. On both sides of the fence secure boot is a vital mechanism to understand. Starting out from design mistakes, we look at crypto problems, logical and debug problems and move towards side channel problems such as timing attacks and glitching. All problems will be illustrated with either public examples or the presenters experiences. To illustrate the practicality, an electromagnetic glitch attack will be demonstrated.

Medical Device Cyber Security: The First 164 Years

Kevin Fu

March 19, 2014 (at 2:30 p.m.) in Defense & Management

Today, it would be difficult to find medical device technology that does not critically depend on computer software. Network connectivity and wireless communication has transformed the delivery of patient care. The technology often enables patients to lead more normal and healthy lives. However, medical devices that rely on software (e.g., drug infusion pumps, linear accelerators, pacemakers) also inherit the pesky cybersecurity risks endemic to computing. What’s special about medical devices and cybersecurity? What’s hype and what’s real? What can history teach us? How are international standards bodies and the U.S. Food and Drug Administration draft guidance on cybersecurity affecting the global manufacture of medical devices? This talk will provide a glimpse into the risks, benefits, and regulatory issues for medical device cybersecurity and innovation of trustworthy medical device software.

SAP’s Network Protocols Revisited

Martin Gallo

March 19, 2014 (at 2:30 p.m.) in Special Track: SAP Security

What network protocols does my SAP system use? Are those services secure from a network perspective? Are old and well-known attacks still relevant? What’s the remote attack surface of my SAP environment? Do I really know my level of exposure? Are there tools available to assess the security of the services? This talk is the result of my journey trying to answer these questions and understanding how the different SAP network protocols work, after spending some of my spare time during the last months working on expanding my knowledge about the network attack surface of SAP systems, reversing some of the protocols and implementing tools and libraries to work with them. The talk will bring some details and realistic attack vectors regarding the different networks protocols available on both new and classic SAP installations. Some hardening and mitigation ideas will be discussed aimed at increasing the defenses against these threats and attacks.

The Three Billion Dollar App

Vladimir Wolstencroft

March 19, 2014 (at 4 p.m.) in Attack & Research

Mobile social applications are proliferating through our society and are starting to take the lime light away from traditional social networks such as Facebook. Younger people especially, are moving towards applications such as WhatsApp and SnapChat. Incumbent companies are eager to exploit this new user base and are willing to offer billions to purchase these apps. Clearly the value is driven by access to this user base and the ability to collect information about users or deliver ads direct to users. But do we need to spend billions to gain access to this user base? What if we don’t need to spend anything….what if there was a way to deliver content to all the users just by using the app…? This talk details what is possible after reverse engineering the SnapChat app and will show how you don’t have to spend billions of dollars to deliver content to SnapChat users.

Panel: Ethics of Security Work & Research

March 19, 2014 (at 4 p.m.) in Defense & Management


Bro: A Flexible Open-Source Platform for Comprehensive Network Security Monitoring

Robin Sommer

March 19, 2014 (at 5 p.m.) in Attack & Research

Bro is a highly flexible open-source monitoring platform that is today protecting some of the largest networks around; including deployments at major universities, supercomputing centers, U.S. national laboratories, and Fortune 20 enterprises. Bro differs fundamentally from traditional intrusion detection systems, as it is not tied to any single detection approach. Instead it provides users with a rich domain-specific scripting language suitable to express complex application-layer analysis tasks on top of a scalable real-time platform. Bro furthermore records extensive high-level logs of a network’s activity, which regularly prove invaluable for forensics and have helped solve countless security incidents. This presentation will introduce Bro’s philosophy and architecture, walk the audience through a range of the system’s capabilities, discuss deployment scenarios, and provide an outlook on Bro’s development roadmap. Learn more about Bro at

How I Latch on Me and Protect My Digital Life against Passwords.

Chema Alonso

March 19, 2014 (at 5:30 p.m.) in Attack & Research

This session will show how to configure an extra protection to put on top of your digital life. Probably you are very aware about 2FA solutions but in this session you’ll see how can be done everything using latches. This session show how to protect your SSH, your Windows Account, your webapps or your e-mails just in minutes, with few clicks and no spending money at all in all your personal projects. Just using Internet, Latch and a free app. Come up to see it!

Security through Obscurity, powered by HTTPS

Peter Frühwirt & Sebastian Schrittwieser

March 20, 2014 (at 10:30 a.m.) in Attacks & Research

Applications on modern smartphone operating systems are protected against analysis and modification through a wide range of security measures such as code signing, encryption, and sandboxing. However, for network-enabled applications effective attack vectors can be found in their communication protocols. Most applications developers hide the implementation details of their protocols inside an HTTPS connection. While HTTPS is able to protect data leakage during transmission, it is an inadequate protection against protocol analysis. The concept of SSL interception applied to smartphone applications allows analysis and modification of transport protocols with endless possibilities: getting paid extras for free, cheating in games, finding design flaws in protocols, etc. In this talk, we demonstrate, based on several live demos, how application developers sometimes try to protect insecure protocols by wrapping them inside an HTTPS connection and show that known countermeasures are rarely used in practice.

OSMOSIS – Open Source Monitoring Security Issues

Daniel Hauenstein & Christian Sielaff

March 20, 2014 (at 10:30 a.m.) in Defense & Management

By trying to emulate a real world environment, we have deliberately chosen software solutions, which are ubiquitous in large IT enterprise networks since many years. Many of the examined solutions have a long list of success stories. Quite often these monitoring solutions are the only ones in use in small or mid rage businesses, but surprisingly often enterprise environments use them in a large scale. The wide spread usage of these monitoring solutions is mainly based on the fact that they are free, not expensive to maintain and … secure? We question the last point, while showing how seemingly small security issues may result in large security gaps in your network. Finally we present how compromising one perimetric system may result in a severe security risk for the monitoring network, potentially allowing attacks against further internal networks. This “osmosis” attack clearly shows how the multilayered onion approach can be bypassed by peeling the onion. Finally we will present mitigation proposals to prevent those attacks at least from a design perspective. This talk is for everyone who uses “off the shelf” solutions in sensitive environments, just because everyone else does.

Security Analysis of the Computer Architecture: What a software researcher can teach you about your

Rodrigo Branco

March 20, 2014 (at 11:30 a.m.) in Attacks & Research

This talk will clarify different aspects of a modern computer architecture, with emphasis in the Intel-based platforms, but with an open-mindset. It will define the threats that exist, processes in place, new (and upcoming) security features and pinpoint difficulties protecting computer networks. As usual, Rodrigo will also face the FUD around misplaced news explaining hardware-based backdoors, their power and easy to spot and proposing ways for companies to protect Virtualized environments and avoid supply chain hijacks (all the NSA-related jokes will be part of the talk and not of the Abstract since Rodrigo is currently living in US). If you don’t know a lot about your computer and how it works, this talk is for you. If you do, this talk will challenge your knowledge and hopefully will have one (or five) things you didn’t knew before.

Modern smartphone forensics: Apple iOS: from logical and physical acquisition to iCloud backups, document storage and keychain; encrypted BlackBerry backups (BB 10 and Olympia Service)

Vladimir Katalov

March 20, 2014 (at 11:30 a.m.) in Defense & Management

Apple iCloud Backups: there are various methods to perform data acquisition from iOS devices: logical, advanced logical (using hidden services running in iOS and physica. iCloud analysis is the further step. The iCloud may contain complete device backups (for all devices connected to Apple ID), geolocation data (Find My Phone data), documents, and additional data saved by 3rd party applications. We show how (and where) this data is actually stored, how to request and decrypt it, and how to analyse it. Some information on iCloud keychain is also provided — and yes, sometime there is a way to get all your passwords (including ones from the other devices) and credit card data. And yes, most data is available to Apple itself, as well as to Amazon and Microsoft, so probably to three-letter agencies as well. BlackBerry: For BB 10 devices, backups created with BlackBerry Link are always encrypted, but the encryption is not user-configurable, and there is no way to view the backup contents or even restore from thgs backup to the other device. We have found that encryption keys is being generated by BlackBerry ‘Olympia Service’, based on BlackBerry ID, password, and device PIN. ID and PIN is something we can get from the backup itself, and if we know the password as well, we can generate the series of requests to Olympia service to obtain the key and decrypt the backup. Backlup contains all applications (purchased from AppWorld), their data (such as WhatsApp conversations), device settings, call logs, passwords etc — most in the plain form or SQLite databases.

Implementing an USB Host Driver Fuzzer

Daniel Mende

March 20, 2014 (at 1:30 p.m.) in Attacks & Research

The Universal Serial Bus (USB) can be found everywhere these days, may it be to connect a mouse or keyboard to the computer, transfer data on a flash drive connected via USB or to attach some additional hardware like a Digital Video Broadcast receiver. Some of these devices use a standardized device class which are served by an operating system default driver while other, special purpose devices, do not fit into any of those classes, so vendors ship their own drivers. As every vendor specific USB driver installed on a system adds additional attack surface, there needs to be some method to evaluate the stability and the security of those vendor proprietary drivers. The simplest way to perform a stability analysis of closed source products is the fuzzing approach. As there have been no publicly available tools for performing USB host driver fuzzing, I decided to develop one , building on Sergey’s and Travis’ legendary Troopers13 talk. Be prepared to learn a lot about USB specifics, and to see quite a number of blue screens and stack traces on major server operating systems…

Get Over It: Privacy is Good for Security

Rob Lee

March 20, 2014 (at 1:30 p.m.) in Defense & Management

Over the last year government leaks regarding nation-state digital espionage and surveillance have made the topic of privacy a heated discussion point. However, for those that have been championing the privacy cause this is a fight that has been going on for years. One issue with regards to technology and the lack of privacy is that there are a large of amount of people in positions of power, and general public, who have very little idea about how technology works or its capabilities. What is even more interesting is that despite the myth that you can have either privacy or security it is in fact critical to security that you have privacy; the myth is a lie and whether you like it or not privacy is good for security. The speaker is a member of the US Air Force (and as such might be regarded as somewhat biased), but TROOPERS has extended the opportunity to the speaker to present regardless of his affiliation (he does not represent viewpoints of the US government but only himself) and he will discuss his research, own experience, and opinions on why ensuring privacy is actually in governments’ best interest for boosting national security. This talk is bound to present ideas that audience members agree with as well as those that they disagree with which will hopefully lead to heated debate; active participation is encouraged.

Vulnerability Classification in the SaaS Era

Noam Liran

March 20, 2014 (at 2:30 p.m.) in Attacks & Research

This talk we will thoroughly analyze two major SaaS vulnerabilities that were found by Adallom (one of which is still in responsible disclosure stages at the time of writing). By demonstrating this new class of exploits which we have nick-named “Ice Dagger” attacks, we aim to change the current industry-wide criteria for vulnerability classifications, which were developed in the Desktop/Server world, are inadequate when classifying SaaS vulnerabilities. We will specifically discuss the details of MS13-104.

How to Work towards Pharma Compliance for Cloud Computing– What Do FDA and Similar Regulations Mean

Martijn Jansen

March 20, 2014 (at 2:30 p.m.) in Defense & Management

How to Work towards Pharma Compliance for Cloud Computing– What Do FDA and Similar

Compromise-as-a-Service: Our PleAZURE.

Matthias Luft & Felix Wilhelm

March 20, 2014 (at 4 p.m.) in Attacks & Research

This could be a comprehensive introduction about the ubiquity of virtualization, the essential role of the hypervisor, and how the security posture of the overall environment depends on it. However, we decided otherwise, as this is what everybody is interested in: We will describe the Hyper-V architecture in detail, provide a taxonomy of hypervisor exploits, and demonstrate how we found MS13-092 which had the potential to compromise the whole Azure environment. Live demo included!

Psychology of Security

Stefan Schumacher

March 20, 2014 (at 4 p.m.) in Defense & Management

IT Security is often considered to be a technical problem. However, IT Security is about decisions made by humans and should therefore be researched with psychological methods. Technical/Engineering methods are not able to solve security problems. In this talk I will introduce the Institute’s research programme about the Psychology of Security. We are going to research the psychological basics of IT security, including: How do people experience IT security? How are they motivated? How do they learn? Why do people tend to make the same mistakes again and again (Buffer Overflow, anyone?)? What can we do to prevent security incidents? Which curricula should be taught about IT security?