Presentations – IT-DEFENSE 2011

Further information on the presentations will follow after release by the speakers.

Cloud Computing: New challenge for data protection - Jörg Heidrich

Moving infrastructures to virtual systems is now as common as placing digital data on cloud servers. But not everything that is technically feasible is legally safe. For example, in the field of data protection, the outsourcing of customer and employee data is limited, among other things, by very stringent regulations for contract data processing. In addition, liability and compliance aspects must be considered. With many practical examples, the presentation shows a way through the minefield of legal requirements.

Security and Liability Risks of Using Social Media in the Enterprise - Jörg Heidrich (Round Table)

Social networks have become a key element of corporate communications. However, Twitter, Facebook, etc. are also regularly used by employees who may send internal company information or even security-relevant content across such services.
Here the question as to who is actually allowed to publicly share information on social networks, and in which way, is still completely unresolved in many companies. The same applies to the highly disputed legal issue of to whom the important contacts and the entire account of an employee who leaves the company belong.
This round table addresses the considerable social and legal potential for conflict resulting from this. Solution proposals such as creating a social media policy in the company are also presented.

Hardware is the New Software - Joe Grand

Society thrives on an ever increasing use of technology. Electronics are embedded into nearly everything we touch. Hardware products are being relied on for security-related applications and are inherently trusted, though many are completely susceptible to compromise with simple classes of attacks that have been known for decades.
Bolstered by the flourishing hobbyist electronics/do-it-yourself movement, easy access to equipment, and real-time information sharing courtesy of the internet, hardware is an area of computer security that can no longer be overlooked. In this session, Joe will explore the hardware hacking process and share some of his favorite attacks against electronic devices.

Project BooShoo or the Emperor's Modified Mind - Arrigo Triulzi

In Project Maux we looked at building both a backdoor and a firewall bypass mechanism using various firmware modifications, but in the quest for the unattainable perfect backdoor we have to look elsewhere. The new requirements are that the backdoor should be even more stealthy than Project Maux and have remote on/off functionality which leaves the backdoor on the system but makes it undetectable.

Bulletproof Hosting 2011 - Volker Kozok and Christoph Wegener

  • Results and trends of the 2nd International Bulletproof Hosting & Botnet Conference 2010
  • New risks and vulnerabilities
  • National and international cooperation

Jackpotting Automated Teller Machines Redux - Barnaby Jack

The presentation "Jackpotting Automated Teller Machines" was originally on the schedule at Black Hat USA 2009. Due to circumstances beyond my control, the talk was pulled at the last minute. The upside to this is that there has been an additional year to research ATM attacks, and I'm armed with a whole new bag of tricks.
I've always liked the scene in Terminator 2 where John Connor walks up to an ATM, interfaces his Atari to the card reader and retrieves cash from the machine. I think I've got that kid beat.
The most prevalent attacks on Automated Teller Machines typically involve the use of card skimmers, or the physical theft of the machines themselves. Rarely do we see any targeted attacks on the underlying software.
Last year, there was one ATM; this year, I'm doubling down and bringing two new model ATMs from two major vendors. I will demonstrate both local and remote attacks, and I will reveal a multi-platform ATM rootkit. Finally, I will discuss protection mechanisms that ATM manufacturers can implement to safeguard against these attacks.

SQL Server Forensics - Kevvie Fowler

Databases are the crown jewels of most organizations and thus are core targets of cybercrime. Despite database breaches dominating the headlines, they still remain a relatively unknown area of digital investigation.
This session will provide an overview of the tools and methodology that can be used to investigate database intrusions. The session's focus will be on SQL Server; however, the concepts will apply to other database platforms.

Bypassing Windows services protections - Cesar Cerrudo

Starting with Windows Vista, Microsoft introduced new services protections in Windows operating systems. While these protections were implemented as a defense-in-depth mechanism, they are far from perfect and can be bypassed most of the time, making them almost useless. The presentation will describe the different protection mechanisms and how they can be bypassed when exploiting vulnerabilities in services.

Detection of Hardware Keyloggers - Fabian Mihailowitsch

Hardware keyloggers are tiny devices that are plugged in between a keyboard and a computer. They are available for PS/2 as well as USB keyboards. Once plugged in, they are able to record all keystrokes and store them in an internal memory. Current models have several megabytes of memory, store the recorded data encrypted, support timestamping of the keyboard events, and some can even transfer the keystrokes wirelessly. However, the main focus of hardware keyloggers is to stay undetected. Most manufacturers advertise that their models cannot be detected by software and thus have an advantage over software-based keyloggers. It is not just the manufacturers who claim hardware keyloggers are undetectable; the common belief is that they cannot be detected. However, that is not correct.
Hardware keyloggers make slight changes to the interaction between the keyboard and the computer. These changes can be detected by software and used to determine whether a hardware keylogger is present or not. For example, some USB keyloggers change the USB signaling rate or act as a USB hub. These changes are quite obvious and can be detected easily. When trying to detect PS/2 keyloggers, things get more difficult. Nevertheless, it is possible. For example, whenever PS/2 keyloggers tap the wire actively (meaning the data is redirected via the microcontroller of the keylogger), this influences the transfer rate between the keyboard controller (KBC) on the motherboard and the microprocessor of the keyboard. By measuring this time delay, PS/2 hardware keyloggers can be detected too.
During the round table an introduction to hardware keyloggers will be given. This introduction covers their features, how they work, and gives a short market overview. Afterwards, various techniques to detect hardware keyloggers will be described. Some of them are theoretical, as they did not work for the tested models. Others, however, are practical and can be used in real-case scenarios. For each technique a detailed presentation will be given, explaining the basic idea, the necessary technical background and the results in practice. Finally, a proof-of-concept tool will be released that implements some of the techniques to detect PS/2 and USB hardware keyloggers.

Top Ten Web Hacking Techniques of the Year (2011) - Jeremiah Grossman

Every year the Web security community produces dozens of new hacking techniques documented in white papers, blog posts, magazine articles, mailing list emails, etc. These are not to be confused with individual vulnerability instances brandishing CVE numbers, nor with intrusions or incidents, but are actual new methods of Web attack. Some techniques target websites, others Web browsers, and the rest somewhere in between. Historically, much of this research would unfortunately end up in obscure corners of the Web and become long forgotten. Now in its fifth year, the Top Ten Web Hacking Techniques list provides a centralized repository for this knowledge and recognizes researchers contributing to the advancement of our industry.

Website Security Statistics: 3 years and 10 reports -- what have we learned? - Jeremiah Grossman (Round Table)

Over the last several years WhiteHat Security has measured a myriad of website security aspects, including vulnerability prevalence, the impact of languages and frameworks, and industry comparisons, and has analyzed what possibly makes a site with zero open issues different from the rest. We've learned a lot from the metric collection process, but also a great deal from feedback on how others use our data on a daily basis. As 2010 comes to a close it is a perfect time to look back and identify the lessons learned. Understanding what these metrics have taught us and how our actions going forward may be changed is key to improvement.

Network Analysis and Text Mining for Detecting and Examining the Structure, Functioning and Evolution of Covert Networks - Jana Diesner

Socio-technical networks represent the interactions between social agents and their infrastructures. Examples of socio-technical networks include commercial enterprises, geopolitical entities, formally to loosely organized groups of sub-state and non-state actors, and other communities of practice. Typically, socio-technical networks are complex, dynamic, and can reach far into society. At a bare minimum, networks comprise nodes and edges between the nodes. Nodes are instances of relevant entity classes such as people, organizations, information, tasks, resources, locations, and events. Edges can represent relationships such as transactions, collaboration, and conflicts. Nodes and edges may also feature attributes, such as agents' beliefs and sentiments or locations' longitudes and latitudes. The structure, function and evolution of networks can be visualized, formally described, computationally modeled, and simulated by using network analytic methods. A common challenge with this approach is that reliable data about covert networks often cannot be collected through classic methods such as surveys and observations. However, relevant information originating from within and outside a network is often available in the form of unstructured, natural language text data. Examples of such text data include communication data, reports from subject matter experts, material from judicial proceedings, and data from the web. In my talk I present how text analysis and network analysis can be brought together to serve as an alternative or supplementary solution for revealing and analyzing the structure and behavior of covert networks. I provide examples from our research on Sudan, where relevant interactions include conflicts and coalitions between tribes, and competition for resources such as water and oil.
I also present our work on the Enron corporation, where we used their internal email communication and additional meta-data to explore the dynamics of a corporation in crisis, and where several individuals engaged in unethical to illegal business practices. Controversially discussed issues such as data privacy and security aspects will also be addressed in the presentation. The overarching goal of this talk is to provide the audience with an overview of the opportunities, risks and cutting-edge advances in jointly utilizing text analysis and network analysis to map and examine socio-technical networks that are covert or hard to access.

Money laundering, cybercrime and how to deal with them - David Zollinger

Money laundering and its prevention has been a major issue in the financial industry for over 20 years. But if one does not know what to look for, one will not find anything. What is "money laundering" all about? Why are we usually able to find crooks but not drug dealers? What technological measures can be taken? What means can be used to detect money laundering? What are the new forms of cybercrime, like phishing, identity theft, etc.? Why does legislation always lag behind? The presentation will deal with these questions using practical examples.

Mac Hackin' 2: Snow Leopard Boogaloo - Charlie Miller and Dino Dai Zovi

Since the publication of "The Mac Hacker's Handbook", a number of key aspects of Mac OS X were changed with the release of Snow Leopard.
Most notably, Snow Leopard boasts a number of improvements to application runtime security, including: non-executable stacks, non-executable heaps on 64-bit processes, compiler-generated stack cookies, heap metadata protection, system library randomization, and sandboxing. These security improvements were enough to defeat the code examples in the book, but not the authors, who will demonstrate just how much protection these security improvements actually provide.
Among other myths, they hope to also dispel the myth that sequels are always inferior to the originals.

Make GSM accessible - Karsten Nohl

GSM is more common than almost any other technology but not understood to the same extent. This discrepancy has led to trust in 20-year-old protection measures that are hardly found even in the insecure Internet. Current research and open-source projects make GSM accessible to researchers on all levels.
This workshop presents the available tools and, using the example of current attack vectors, asks how much we can still trust GSM.
Which attacks scale to a threat to critical infrastructures, and which are pure harassment? How much at risk is critical company data already today?

iOS Mobile Security in the Enterprise - Dino Dai Zovi (Round Table)

Apple's mobile devices, including the iPhone and iPad, are becoming increasingly popular among consumers, and due to their popularity among users, many enterprises are evaluating them for business use. These devices, however, may not have all of the security features of competing alternatives such as RIM's BlackBerry devices, which have historically catered to security-conscious businesses. This workshop will discuss the security features and limitations of Apple's iOS-based devices in an interactive format, with attendees able to discuss their organization's security concerns, impressions, and deployments of iOS-based Apple devices.