TROOPERS15 was taking place from 16th – 20th March 2015 in Heidelberg, Germany.
Please see below for the full presentation PDF.
Starting in the 80s, we will discuss the influence of nuclear weapons on the design of an ITsec "Dead Hand" system for a security practitioner, how it merged with research into firmware backdoors and microcode modification, and how it finally triggered when, instead of enjoying summer, pneumonia struck unannounced, or rather, announced by the Dead Hand via Twitter.
Networking and security vendors love to talk about their software-defined solutions and automation... but can we really deploy the products they're advertising, and if we can, will we get the benefits the vendors and industry press promise? This session will describe typical real-life deployment scenarios, from cloud orchestration systems to Puppet- or Ansible-driven device configurations, and x86-based open source solutions. It will also point out typical pitfalls, including the need for application deployment process reengineering and a lack of scale-out management and auditing tools.
Targeted attacks against ERP systems and enterprise software are not something new; however, they only started appearing in the media in recent years. On the other hand, we also have new kinds of attacks by means of malware and malicious programs. Understanding the motivations and techniques adversaries use to target the systems where a company's most valuable assets reside is crucial to understanding the nature of the attacks and the defense strategies.
This talk will introduce HoneySAP, a low-interaction research honeypot aimed at learning the techniques, tactics and motivations behind the attacks against SAP systems. When deployed, HoneySAP will be able to mimic services shown by regular SAP systems suitable for both internal and external network profiles, as well as integrate with other honeypots and attack feed systems. Creating HoneySAP involved hours of learning and understanding the inner-workings of the implemented services, how to mimic their behaviour and the best strategies to with clients. We would like to share some of the lessons learned and hope to encourage discussions about potential applications and uses of HoneySAP, as well as welcome contributions to the project.
The IBM General Parallel File System (IBM GPFS) is a high-performance cluster file system powering some of the world's biggest supercomputers. Customers range from "Infiniti Red Bull Racing" to the "Bayrische Börse AG", as well as many universities around the globe. This makes it a prime target for attackers: not only is the data stored in the file system valuable, but the machines running GPFS are also quite powerful. Besides presenting a detailed overview of the GPFS architecture and the flaws that come with it, we walk through the discovery and exploitation of a bug that looked simple at first but developed into a very special journey into the guts of GPFS.
Each new year brings new challenges, new attacks, new defections, new groups attacking, new requirements and usually zero reinforcements. Not a game many would want to play or even be good at playing. So how does security leadership accept the challenge and attempt to get the high score? We examine aspects of classic models and the "whack-a-mole strategy", looking at issues and solutions for:
Are you aware that each of your SAP production systems statistically contains 9 security vulnerabilities in your own ABAP code that allow attackers to gain SAP_ALL privileges and thus take over complete control? This talk deals with an area usually ignored in SAP security concepts: custom code. It unveils unpleasant statistical results based on a code study of more than 200 large companies across the world that run SAP. It shows the most common and most critical security defects that exist in ABAP applications and provides guidance on how to deal with them.
The leaked pages from the NSA ANT catalog provided a glimpse into the modern world of emission security. Extending beyond passive monitoring of unintentional emissions, today's spooks employ active attacks with tools such as RF retroreflectors. I'll report on my experiments to reproduce such techniques with open source hardware and software, primarily using SDR.
In this session, a new hardware-level attack on PCIe is presented as an example of the implicit trust your organization places in 3rd parties. These implicit trust relationships, which are typically overlooked, will be closely examined under the lens of "InfoSec debt", providing guidance to InfoSec decision makers on the ROI or risks of adding additional IT services/appliances to an organization's network. The "InfoSec debt" metric can then be tracked over time and provides an intuitive way to explain the costs/benefits of IT security to other organizational stakeholders.
What you learned in school is that dinosaurs have been extinct for the last 65 billion years... but what you may not know is that you can still find a fearless and dangerous species in today's business critical applications. Join us in this talk to learn about products that you will find in every SAP implementation which are used for managing, searching and indexing sensitive business information. We will introduce you to SAP T-REX, which is an advanced search engine used to support all the text search processes on SAP products, such as ERP, Portal, Netweaver and Fiori and many others. Actually, in most cases companies are already running this engine, even though you don't know you have it installed. We will then get into further details about the internals (files, protocols, services, settings...) of how this product works, showing novel techniques that attackers could be using to access your most valuable business information. Finally, we will show you how to prevent the extinction of your business critical information by protecting all of your systems in a holistic way, end-to-end, preventing espionage and privilege escalation attacks.
Talks on modern rootkit techniques are often presented at conferences around the world, but most of them basically update existing techniques to work with new kernel improvements. This talk goes beyond that and proposes a new approach: the usage of many architectural (x86-64) capabilities in order to have resilient malware. Different aspects of the architecture are going to be explored and detailed in order to demonstrate attacker leverage against detection tools. Most of those features are widely available; some of them are niche or fairly new enhancements. Each new idea will be discussed in isolation, with specific details demonstrated and discussed. After this talk, we expect the attendees to increase the pressure on forensics tools to provide better coverage of platform capabilities, instead of the current assumptions we see.
In the face of the often cited Advanced Persistent Threat, most large IT environments complemented their attack landscape with so-called advanced malware detection solutions. Those solutions extend typical signature-based malware detection mechanisms with behavior-based analysis methods, detecting malicious actions in the execution trace of samples. Execution traces are created using mechanisms like emulation, hooking, or introspection and analyzed using heuristic approaches. Since many environments rely on this technology, we will describe the capabilities and limits when it comes to APT detection and mitigation for two major products. Their capabilities were analyzed in several customer projects for their effectiveness against recent attacks, which were developed based on the analysis of recent incidents. We will provide an overview of which attack scenarios and primitives will be detected (and also how to bypass certain restrictions).
Have you ever thought about how to get access to the most influential data stored on a Fortune 2000 CEO's mobile phone and rule the world? Today, we are witnessing an unprecedented number of mobile devices being integrated into the core business processes of companies and actively being accessed by top executives to manage them remotely. Another aspect is the level of access: even if mobile access for a typical middle-level employee is restricted or limited, CEOs can do everything! There are more and more business applications and an increasing number of mobile devices out there. The "mobilization" of enterprises also forces the advent of evils associated with integration and security. You might hear many talks regarding mobile security, but nothing significant related to the SAP Mobile ecosystem has been spoken about before. These systems access the most essential functions of a large enterprise, which in turn often deploys a plethora of business systems and a heterogeneous fleet of devices. Essentially, information needs to be transmitted quickly and safely. SAP's best-known software products are its enterprise resource planning, CRM and BW applications, which are deployed in almost all companies in the Forbes Global 2000 list. You already hear a lot about vulnerabilities in different SAP platforms, and now the new emerging scenario dictates that even their mobile infrastructure needs to be paid close attention. It consists of multiple systems such as SAP Mobile Platform (formerly Sybase Unwired Platform), the SAP Afaria MDM solution, the Sybase SQL Anywhere database and hundreds of SAP mobile applications. They even have their own store for mobile apps that can be developed by third parties. This talk is an attempt to highlight how one can hack SAP Mobile.
While there has certainly been valuable and interesting research on blackbox security assessment techniques presented at different conferences, it has almost exclusively focused on the application layer of iOS. The recent disclosures on surveillance programs suggest that mobile users are being targeted not only by cyber criminals but also by spy agencies. The level of skill and effort required to prevent such an attack calls for a reproducible threat model: a red team exercise. This talk appeals to hands-on iOS hackers looking to dive into the iOS security architecture, the sandbox mechanism, ARM64 assembly and security APIs, firmly accompanied by often overlooked penetration testing techniques and ways to automate them. The talk will cover dynamic memory reversing and how to tackle cryptography on an assessment, so that participants will understand how to quantitatively and qualitatively carry out an offensive penetration test or forensic examination of an iOS environment.
There are a lot of preconceptions about defense, the most prevalent one probably being the "defender's dilemma", which states that an attacker only needs to find one weakness to compromise a network while a defender needs to defend all of them. While this may be true in a technical sense, things become a lot more complicated once you apply real-world considerations. Preconceptions like this are often the foundation on which risk management and ultimately defense strategies are based, something that has led to a number of false but generally accepted assumptions about attackers, their capabilities, and how to defend against them. This talk will discuss the capabilities, and more importantly the limitations, of different types of attackers. Using the ancient wisdom of the Teenage Mutant Ninja Turtles, the speaker will explain how knowledge of an attacker's limitations can be leveraged to raise the cost of attack, something that will tip the scale in the defender's favor. The speaker will also explain how different defensive measures will affect different types of attackers, how they are likely to react to them, and in the end how to get them to hopefully move on to another target.
SAP applications build the business backbone of the largest organizations in the world. In this presentation, exploits will be shown manipulating a business process to extract money, critical payment information, and credit card data out of the business backbone. Follow the bird and enjoy tweets of data that will interest you.
MultiPath TCP (MPTCP) is an extension to TCP that enables sessions to use multiple network endpoints and multiple network paths at the same time, and to change addresses in the middle of a connection. MPTCP works transparently over most existing network infrastructure, yet very few security and network management tools can correctly interpret MPTCP streams. With MPTCP network security is changed: how do you secure traffic when you can't see it all and when the endpoint addresses change in the middle of a connection?
This session shows you how MPTCP breaks assumptions about how TCP works, and how it can be used to evade security controls. We will also show tools and strategies for understanding and mitigating the risk of MPTCP-capable devices on a network.
Many companies spend millions on locking down their SAP landscape. But even the highest investment in SAP security is in vain if there are backdoors in the SAP standard that allow malicious parties to bypass all existing measures. This talk demonstrates how a single, fundamental backdoor in SAP's RFC protocol allows external attackers to penetrate even the strongest SAP security fortress. This severe security vulnerability was reported to SAP in January 2012 and has recently been fixed.
While cyber attacks are increasing every year, SAP systems are still not immune to being targeted by attackers and being involved in IT security incidents. Incident response and forensic analysis are complex tasks, especially when performed on systems that are diverse not only in terms of products, versions, operating systems and databases, but also in the large customisation layer that SAP systems have.
In these scenarios, identifying and tracking down potentially malicious activities can be extremely challenging if you are not prepared for it. Indications and evidence of attacks are stored in diverse places. Join us in this talk to get an overview of what steps to take after a breach of an SAP system has been detected, discussing important concepts such as relevant files and tables, memory dumping, disk images, evidence, chain of custody and many other terms that you need to be aware of if you ever face an incident within your SAP implementation.
Finally, examples of real-life attacks will be shown going through the incident response procedure and showing how to identify what really happened on the SAP systems.
Below are the slides from Sergey Bratus' keynote
We're going to cover the intros to CAN bus hacking with interactive demos for hacking ECU signals to the Instrument Cluster. This will include a detailed explanation of how to develop shellcode for infotainment units as well as discussion of new tools from Open Garages.
There is probably no need for a long introduction when speaking about the famous FinSpy application, a product of the company FinFisher from Gamma Group. In this case study I will present how I reverse engineered this law-enforcement tool, and I will also share the results of the analysis in detail (configuration and installation process, cryptography solutions, control mechanism). Because it is a case study, I will present which techniques and tools I used during the analysis: how to analyze an Android application quickly to get a basic view of it and then how to analyze it deeply, how to patch it, and how to defeat obfuscation and the self-checks. Along the way I had some successes and mistakes as well; both are good to share and learn from. The result of this analysis was quite disappointing, because this tool has several serious weaknesses in multiple parts of it, which is unacceptable for a law-enforcement spying tool. A test/analysis without proof-of-concept code is nothing, so at the end of the lecture I will present my scripts to demonstrate how to hijack the control of the application completely and to show how to loot the collected data from the phone (call logs, SMS, contacts, everything the app has collected on the device).
Credential theft and Pass-the-Hash (PtH) attacks are nowadays current threats to Active Directory environments. This is not simply due to Microsoft's implementation of weak protocols (i.e. LM, NTLMv1, WDigest) but mainly due to Single-Sign-On (SSO) functionality requirements in multi-authentication-protocol environments. The official statement of Microsoft is now "assume breach". But assuming breach, how should you efficiently protect your Active Directory from credential theft and large-scale compromise? To perform this task, operationally feasible solutions will be presented and concisely characterized against the background of so-called green-table controls, which often cannot be implemented due to a gap to real-world operation (for example, "rebuild your Active Directory"). It will be shown that there is a way and what it looks like, but that this way is a (probably) long-term process that requires the implementation of organizational/operational changes together with some important technical controls. Going that way may lead to a sustainable and secure operation of Active Directory environments, defeating credential theft and PtH attacks at the root.
As part of an ongoing investigation into Adobe Flash SOP bypass techniques, we identified a vulnerability affecting old releases of the Adobe Flex SDK compiler. Further investigation traced the issue back to a well-known vulnerability (CVE-2011-2461), already patched by Adobe. Old vulnerability, let's move on? Not this time. CVE-2011-2461 is a very interesting bug. As long as the SWF file was compiled with a vulnerable Flex SDK, attackers can still use this vulnerability against the latest web browsers and Flash plugin. Even with the most recent updates, vulnerable Flex applications hosted on your domain can be exploited. In this presentation, we will disclose the details of this vulnerability (Adobe has never released all the technicalities) and we will discuss how we conducted a large-scale analysis of popular websites, resulting in the identification of numerous Alexa Top 50 sites vulnerable to this bug. Finally, we will also release a custom tool and a Burp plugin capable of detecting vulnerable SWF applications. If you're a breaker, you will learn a new technique and enjoy our exploits. If you're a builder, you will learn how to mitigate this attack. In both cases, you can help us to eradicate CVE-2011-2461. After all, Troopers is about making the world a safer place.
The Snowden leaks triggered a worldwide scandal. The public interest and discussions focus on the mass surveillance of internet users by secret services. But another, even more severe aspect revealed by Snowden is the total compromise of nearly everything that is important for IT security: crypto products and standards, masses of infiltrated Internet servers spread worldwide and ready for botnet misuse, and manipulation of hardware and software components, partly with the knowledge or collaboration of producers and vendors. The underlying trust model as a whole has to be reviewed and checked from scratch. This has to lead to huge consequences for companies' IT security strategies, which (if at all) are only partly realized by decision makers at senior management level. Therefore most of the needed and important consequences are still pending. Our talk gives an overview of the requirements and some first-step recommendations for companies' IT security strategies, considering the change of the IT security game triggered by the Snowden leaks.
This session is NOT about analyzing exploits but about learning to manipulate PDF contents. Among others
It's an extended session (2 hours) to leave the audience time to actively try things themselves. The slides' PDF is entirely hand-written to explain each fact clearly, so the presentation slides themselves will be the study materials.
While it has long been known to the security community that attacks against hardware are among the hardest threats to deal with, some work is under way to create cryptographic hardware that is designed to be difficult to subvert in real-world scenarios. While it remains true that an attacker with unlimited resources can't be stopped, the IT industry has for decades made large-scale "sweeping" attacks ridiculously easy for "intelligence" agencies and other entities alike. But stopping asking "how can we prevent this technically" (which we can't anyway) and starting to ask "how can we make this so expensive that it isn't affordable even to THEM" is a change in strategy which is both promising and long overdue. Both the speaker's personal pet project, a cryptographically secure hardware random number generator, and the much larger Cryptech project, aiming to build a full-blown hardware security module (HSM), have already provided exciting insight into the possibilities and limitations of these approaches.
Back in the early 1980s, when email was invented, the Internet population was many orders of magnitude smaller than four million. The small group of people that used the Internet knew each other and they adhered to this thing called 'netiquette', so they wouldn't send each other unwanted emails. They definitely wouldn't read each other's emails, even if they could.
That 1980s Internet has changed beyond recognition in the three decades since. But email is still more or less the same. In this presentation we will look at the state of email in 2015. Does spam show that email is broken? Do the Snowden revelations show that it is? Or will the migration towards IPv6 break it? And what is being done to fix these issues?
There have been many discussions online about governments making use of sock puppets on social media sites (and on the Internet in general) to sway popular opinion. Keen observers have spotted military RFPs calling for the creation of sockpuppet-control software or recruiting groups of students to fill this space. Recent Snowden revelations reveal that GCHQ's JTRIG has been largely dedicated to such tasks, but there has been little talk of it in information security circles. We hope to change that. While many intuitively agree that sock puppets could be used for distraction (or mass trolling), very little can be said conclusively about such attacks, in part because they have not been widely scientifically demonstrated and measured. We hope to change that. In this talk, we aim to briefly cover the background of sock puppets (and related attacks) before moving on to real-world demonstrations and "attacks". Rigging polls, abusing Twitter, causing Reddit riots and targeting popular news organisations are some of the (many) attacks covered. In all these cases we discuss what we tried, what worked, what didn't and what the implications of the attacks are. Where possible we will cover defences and solutions. So, if you are interested in a glimpse at "Censorship 2.0" or just want to learn how to troll people on Reddit, you should attend this talk.
Learn about network attack vectors that an adversary can use to control and influence network traffic flows and exfiltrate data by exploiting network devices and protocols in enterprise or service provider networks. Defensive methods and techniques for monitoring and protecting against the outlined attack vectors will be discussed. This presentation explores advanced methods and techniques that the CISO, network and security architects and security auditors need to understand about network infrastructure and protocols. Understand how routing infrastructure can be compromised to enable sophisticated pivoting and exfiltration of data. Know how to analyze often overlooked network trust relationships, integration, dependencies and interdependencies in the enterprise and service provider network architecture. Review the architecture and operations for Border Gateway Protocol (BGP) services with references to the recent BGP prefix hijacking attacks. The discussion will cover how Multiprotocol Label Switching (MPLS) networks may be attacked without the enterprise being aware of the event. Strategies for monitoring and securing enterprise networks, including BGP and MPLS, against the threat vectors presented will be discussed.
Finding and discovering bugs has to be one of the most special times in a security researcher's life (until you realise that the crash you've been searching for and finally found is not actually exploitable). But the process of searching, discovery, understanding and of course some very much needed trial and error are, many would say, rewarding and fulfilling in themselves (I would of course prefer to have my exploit cherry on top)! So this talk will detail some of the aspects required to hunt down and find these coveted security vulnerabilities and bugs, and some approaches that have proven to be invaluable (and some not so much). Of course bug hunting principles need to produce bugs, so as the cherry there will be a VirtualBox exploit and a Barracuda Networks 0-day exploit discussed and demonstrated as the fruits of the bug hunting labour.
Nowadays common ways to find exploitable vulnerabilities include, but are not limited to, fuzzing, static and dynamic analysis and patch reversing. All common approaches have advantages and limits. Fuzzers tend to only find a limited number of bugs, depending on the sophistication of the fuzzer, which is indirectly dependent on the development time invested. Reverse engineering a binary for finding bugs, regardless of whether statically or with a debugger, is tedious and requires a lot of time and expertise.
As we are lazy bastards, we refuse to do all the work by hand and brain. And, as we are greedy bastards, we want a maximum scope of vulnerabilities we can cover and not be limited to what we see from a fuzzer's perspective.
So as you know, in general the lazy greedy bastards have the better ideas. We present you with our idea, which is built after the model of Wall Street. We built a tool which weighs the value of a function in a Windows binary the way Wall Street values a stock; the value tells us the likelihood of a function being exploitable.
The Wallstreet technique works with two different evaluation methods: first the likelihood that a function is vulnerable, and second the likelihood that it is exploitable.
We collect indicators which help us evaluate that a specific function is potentially vulnerable. These could be a present memory allocation or conversion function, a lacking sanitization check, or a suspicious pattern in the function name such as 'create', 'convert' or 'set'. A combination of these and a handful more indicators lets us calculate what we call the speculation value.
To validate exploitability we traverse the call tree of a suspicious candidate, to verify its accessibility in an automated way. Only functions which we can influence as an attacker are interesting to us; thus we rate these accessible functions with a price-to-earnings value. Finally, putting speculation value and price-to-earnings value in context, we evaluate a function with either 'buy' if we believe it comes with an exploitable vulnerability, or with 'sell' when we are certain it is not interesting to us. No worries, the presentation will not contain advanced mathematical equations.
Our tool parses binaries and persists all the gathered information to a database, from where we can retrieve highly suspicious functions in an automated way. Without getting our hands dirty, that is. And because we are lazy bastards who like colors, a lot, we use visuals to make evaluation even easier. The tool is dubbed Wallstreet, named after the most famous stock market on the planet. It is based on Python, C and SQLite and will be released under the WTFPL license (http://www.wtfpl.net/). Also, there will be demos :D
Wrapping it up, this presentation shows an easy-to-use approach which makes the complicated topic of binary exploitation more accessible. Wallstreet of Windows Binaries provides beginners with a better understanding of the challenges and practitioners with a hands-on tool.
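To make the two-axis rating concrete, here is an added toy model in Python; it is not the Wallstreet tool's own code or scoring (the abstract publishes neither), and every function name, indicator weight and threshold below is a constructed assumption. It scores a constructed per-function attribute table for a speculation value, walks a constructed call graph from assumed attacker-influenced entry points to derive a price-to-earnings value from reachability, and combines both into a buy/sell verdict.

```python
"""Toy model of an indicator-plus-reachability function ranking.

Constructed example: the attribute table, call graph, weights and thresholds
are assumptions for illustration, not data or logic from the Wallstreet tool.
"""
from collections import deque

# Constructed sample: attributes a static parser might record per function.
SAMPLE_FUNCTIONS = {
    "ParseRequest":  {"allocs": False, "converts": False, "sanitizes": True,
                      "calls": ["ConvertHeader", "LogEvent"]},
    "ConvertHeader": {"allocs": True,  "converts": True,  "sanitizes": False,
                      "calls": ["SetBuffer"]},
    "SetBuffer":     {"allocs": True,  "converts": False, "sanitizes": False,
                      "calls": []},
    "LogEvent":      {"allocs": False, "converts": False, "sanitizes": True,
                      "calls": []},
    # Suspicious on its own, but nothing attacker-influenced calls it.
    "CreateCache":   {"allocs": True,  "converts": False, "sanitizes": False,
                      "calls": ["SetBuffer"]},
}
# Assumed entry points that handle attacker-influenced input.
SAMPLE_ENTRY_POINTS = ["ParseRequest"]

# Name patterns the abstract mentions as suspicious; weights are assumptions.
NAME_PATTERNS = ("create", "convert", "set")
BUY_THRESHOLD = 1.0


def speculation_value(name, attrs):
    """Sum the vulnerability indicators present in one function."""
    score = 0
    if attrs["allocs"]:
        score += 2          # memory allocation present
    if attrs["converts"]:
        score += 2          # conversion function present
    if not attrs["sanitizes"]:
        score += 1          # no sanitization check observed
    if any(p in name.lower() for p in NAME_PATTERNS):
        score += 1          # suspicious name pattern
    return score


def reachable_depths(functions, entry_points):
    """Breadth-first walk of the call graph; returns the minimal call depth
    from any entry point for every reachable function (cycles are safe)."""
    depths = {}
    queue = deque((ep, 0) for ep in entry_points if ep in functions)
    while queue:
        name, depth = queue.popleft()
        if name in depths:
            continue
        depths[name] = depth
        for callee in functions[name]["calls"]:
            if callee in functions and callee not in depths:
                queue.append((callee, depth + 1))
    return depths


def price_to_earnings(depth):
    """Accessibility score: 0.0 if unreachable, higher the closer a function
    sits to attacker-influenced input."""
    return 0.0 if depth is None else 1.0 / (1 + depth)


def evaluate(functions, entry_points):
    """Rate every function: returns name -> (speculation, p/e, verdict)."""
    depths = reachable_depths(functions, entry_points)
    ratings = {}
    for name, attrs in functions.items():
        spec = speculation_value(name, attrs)
        pe = price_to_earnings(depths.get(name))
        verdict = "buy" if spec * pe >= BUY_THRESHOLD else "sell"
        ratings[name] = (spec, pe, verdict)
    return ratings


if __name__ == "__main__":
    for name, (spec, pe, verdict) in evaluate(SAMPLE_FUNCTIONS,
                                              SAMPLE_ENTRY_POINTS).items():
        print(f"{name:14s} speculation={spec} p/e={pe:.2f} -> {verdict}")
```

Note that CreateCache carries the same indicators as SetBuffer but is rated 'sell' because no attacker-influenced path reaches it, which is the point of the second axis.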
Although cloud services are becoming more and more popular, customers' security concerns prevent stronger adoption. Customers are mainly afraid of data leakage and loss of data. In this talk, several cryptographic mechanisms are explained that may help to protect the user against these risks. With respect to the risk of data leakage, the best way would be to intrinsically protect the data by encrypting it. However, this usually prevents the cloud provider, who should not know the decryption key, from processing the data any further, e.g. to execute search queries for the user. In the first part of the talk, I will explain special types of encryption schemes that enable the cloud provider to "blindly" execute certain operations on the data on behalf of the user without revealing its content. In the second part of the talk, I address the risk of data loss. In particular, I will explain cryptographic protocols that allow for efficiently verifying whether the outsourced data is still stored by the cloud provider without the need to download the whole data.