PROGRAM

Presentations – IT-DEFENSE 2013

Information on the presentations will follow once released by the speakers.

Attacking NFC – Charlie Miller

Near Field Communication (NFC) is becoming more prevalent throughout the world. This technology allows NFC-enabled devices to communicate with each other within close range, typically a few centimeters. It is being rolled out as a way to make payments, by using the mobile device to communicate credit card information to an NFC-enabled terminal. It is a new, cool technology. But as with the introduction of any new technology, the question must be asked what impact the inclusion of this new functionality has on the attack surface of mobile devices. In this talk, I explore this question by introducing NFC and its associated protocols.

I start by describing how to fuzz the NFC protocol stack for two devices, as well as my results. Then, for these devices, I show what software is built on top of the NFC stack. It turns out that through NFC, using technologies like Android Beam or NDEF content sharing, one can make some phones parse images, videos, contacts and office documents, and even open web pages in the browser, all without user interaction. In some cases, it is even possible to completely take over control of the phone via NFC, including stealing photos and contacts, even sending text messages and making phone calls. So next time you present your phone to pay for your cab, be aware that you might have just gotten owned.
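The NDEF parsing the abstract refers to is the part of the attack surface a fuzzer reaches first, so it is worth seeing in code. The following is an added example, not code from the talk or from any vendor's NFC stack: a bounds-checked parser for a single NDEF record (flags byte, TYPE_LENGTH, short or long PAYLOAD_LENGTH, optional ID_LENGTH, then TYPE, ID and PAYLOAD), a decoder for the well-known URI record type, and three constructed inputs, one valid record for http://www.example.com, one truncated record and one long-form record claiming a 4 GiB payload. The URI prefix table covers only the first seven abbreviation codes; everything else (function and type names, the sample bytes) is made up for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* NDEF record: flags (MB ME CF SR IL + 3-bit TNF), TYPE_LENGTH, PAYLOAD_LENGTH
 * (1 byte if SR, else 4 bytes big-endian), ID_LENGTH (only if IL), then
 * TYPE, ID and PAYLOAD. */
enum { NDEF_SR = 0x10, NDEF_IL = 0x08, NDEF_TNF_MASK = 0x07, NDEF_TNF_WELL_KNOWN = 0x01 };
enum { NDEF_OK = 0, NDEF_ERR_TRUNCATED = -1, NDEF_ERR_LENGTH = -2 };

struct ndef_record {
    uint8_t tnf;
    const uint8_t *type, *id, *payload;
    size_t type_len, id_len, payload_len;
    size_t total_len;                     /* bytes consumed from the input */
};

/* Parse one record from buf[0..len). Each length field is validated against
 * the bytes actually present before any pointer is derived from it. */
int ndef_parse_record(const uint8_t *buf, size_t len, struct ndef_record *out)
{
    size_t pos = 0, remaining;
    if (len < 2) return NDEF_ERR_TRUNCATED;
    uint8_t flags = buf[pos++];
    out->tnf = flags & NDEF_TNF_MASK;
    out->type_len = buf[pos++];
    if (flags & NDEF_SR) {
        if (len - pos < 1) return NDEF_ERR_TRUNCATED;
        out->payload_len = buf[pos++];
    } else {
        if (len - pos < 4) return NDEF_ERR_TRUNCATED;
        out->payload_len = ((size_t)buf[pos] << 24) | ((size_t)buf[pos + 1] << 16)
                         | ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
        pos += 4;
    }
    out->id_len = 0;
    if (flags & NDEF_IL) {
        if (len - pos < 1) return NDEF_ERR_TRUNCATED;
        out->id_len = buf[pos++];
    }
    /* Compare against what is left rather than computing pos + length: a
     * 0xFFFFFFFF payload length would wrap a 32-bit addition and pass. */
    remaining = len - pos;
    if (out->type_len > remaining) return NDEF_ERR_LENGTH;
    remaining -= out->type_len;
    if (out->id_len > remaining) return NDEF_ERR_LENGTH;
    remaining -= out->id_len;
    if (out->payload_len > remaining) return NDEF_ERR_LENGTH;
    out->type = buf + pos;    pos += out->type_len;
    out->id = buf + pos;      pos += out->id_len;
    out->payload = buf + pos; pos += out->payload_len;
    out->total_len = pos;
    return NDEF_OK;
}

/* URI record ("U"): payload[0] selects a prefix, the rest is the remainder.
 * Only the first seven codes of the URI RTD table are included here. */
static const char *const ndef_uri_prefix[] = {
    "", "http://www.", "https://www.", "http://", "https://", "tel:", "mailto:"
};

/* Expand a URI record into dst. Returns its length, or -1 if the record is
 * not a URI record, uses a code outside the table, or would not fit. */
int ndef_uri_to_string(const struct ndef_record *r, char *dst, size_t dst_len)
{
    if (r->tnf != NDEF_TNF_WELL_KNOWN || r->type_len != 1 || r->type[0] != 'U'
        || r->payload_len < 1) return -1;
    uint8_t code = r->payload[0];
    if (code >= sizeof ndef_uri_prefix / sizeof ndef_uri_prefix[0]) return -1;
    size_t plen = strlen(ndef_uri_prefix[code]), rest = r->payload_len - 1;
    if (plen + rest + 1 > dst_len) return -1;        /* refuse, never truncate */
    memcpy(dst, ndef_uri_prefix[code], plen);
    memcpy(dst + plen, r->payload + 1, rest);
    dst[plen + rest] = '\0';
    return (int)(plen + rest);
}

/* Constructed sample: MB|ME|SR, TNF=well-known, type "U", code 0x01
 * ("http://www.") followed by "example.com". */
static const uint8_t sample_uri_record[] = {
    0xD1, 0x01, 0x0C, 'U', 0x01, 'e','x','a','m','p','l','e','.','c','o','m'
};

/* 1 if the whole sample parses to http://www.example.com, else 0. */
int ndef_demo_parse_sample(void)
{
    struct ndef_record r; char uri[64];
    if (ndef_parse_record(sample_uri_record, sizeof sample_uri_record, &r) != NDEF_OK) return 0;
    if (ndef_uri_to_string(&r, uri, sizeof uri) < 0) return 0;
    return strcmp(uri, "http://www.example.com") == 0 && r.total_len == sizeof sample_uri_record;
}

/* Parse only the first `keep` bytes of the sample, as a fuzzer's truncation
 * case: header cut short gives TRUNCATED, body cut short gives LENGTH. */
int ndef_demo_truncated(size_t keep)
{
    struct ndef_record r;
    if (keep > sizeof sample_uri_record) keep = sizeof sample_uri_record;
    return ndef_parse_record(sample_uri_record, keep, &r);
}

/* Long-form record (SR clear) claiming a 0xFFFFFFFF-byte payload. */
int ndef_demo_oversized(void)
{
    static const uint8_t evil[] = { 0xC1, 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 'U', 0x01 };
    struct ndef_record r;
    return ndef_parse_record(evil, sizeof evil, &r);
}
```

The two error paths are the point: a parser that trusts PAYLOAD_LENGTH, or that checks it with `pos + payload_len <= len` on a 32-bit build, is exactly what the fuzzing described in the abstract finds. Real stacks also have to handle chunked records (CF) and multi-record messages, which this single-record example leaves out.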

The CERT Top 10 List for Winning the Battle Against Insider Threats – Dawn Cappelli

Dawn Cappelli is the Director and founder of the CERT Insider Threat Center. She spent the last twelve years of her career building a talented, diverse team of experts who have created CERT’s body of work in insider threat. After a decade of work, it seems appropriate to take a step back and to identify CERT’s Top 10 List for winning the battle against insider threats.

The CERT Program in the Carnegie Mellon University Software Engineering Institute initiated its insider threat research a decade ago. It has grown from a single project to an entire center composed of three teams: Insider Threat Research, Insider Threat Technical Solutions and Standards, and Outreach and Transition. The Center has collected over 800 insider threat cases which have been coded into the most comprehensive insider threat database in the world. That database serves as the foundation for all of CERT’s work in the Insider Threat Center.

Based on those cases, CERT developed models - or crime profiles - that illustrate the patterns in how each type of insider crime evolves over time: the technical and non-technical behaviors that could signal escalating risk of insider attack. These models have been extremely well accepted, and have been used by vendors in developing technical solutions, by practitioners in designing mitigation strategies, and by researchers in furthering their own field of study. We created an insider threat assessment which we use to help government and industry assess their areas of vulnerability to insider attacks. We create new technical controls in our Insider Threat Lab for preventing and detecting insider threats, then pilot test those controls with practitioners, refine them accordingly, and release them to the community. Our latest tool in the toolbox for fighting malicious insiders is a series of online exercises in which participants match wits with our most devious insiders, based on actual insider cases.

In short, we are in touch. In touch with what’s really happening with practitioners – what’s working, what’s not, and what’s causing the most frustration. We’re also in touch with the vendor community, and in touch with the brightest minds in academia.

In this session Dawn will offer suggestions for mitigating the 10 most significant issues of concern regarding insider threat, based on our cases, models, and assessments. She will use real case examples to explain why each issue is so critical and will offer suggestions for remediation.

Detecting data leaks in SAP - the next level of static code analysis - Andreas Wiegenstein

Industrial espionage is an increasingly serious problem for many companies. Even minor data leakage can endanger a company's competitiveness, if data falls into the wrong hands.

Especially in complex environments like SAP landscapes, however, it is difficult to keep control of critical company data. Particularly if a lot of self-developed code is used, companies often fail to understand which programs process their most important data and where it is copied to.

This lecture introduces a new approach to security analysis: static data loss prevention. First of all the strengths (and weaknesses) of conventional data loss prevention systems will be pointed out. Likewise, common procedures of static code analysis will be covered in more detail.

Once participants have been given the technical principles, it will be explained how data leaks in code can arise and why they practically cannot be detected with conventional testing approaches.

For this purpose, (anonymized) examples of data leaks in customer developments and in the SAP standard will be discussed. Finally, the innovative procedure of data loss prevention by static code analysis (static data loss prevention) will be introduced in more detail. It is especially applicable for detecting certain types of backdoors in code.

Hacktivism: The influence of Internet activists on industry and politics – Volker Kozok

Anonymous, LulzSec or the Arab Spring – everyone is talking about hacktivists. The speech presents four groups: cyber activists, cyber warriors, cyber occupiers and cyber leakers. They influence politics and industry in different ways and are distinguished from each other by motivation, objective and choice of means.

The speaker provides examples of activities by the Anonymous group, the most popular cyber activists, and explains their effect. Cyber warriors are groups that represent the supposed interests of their countries; the events in Estonia and the permanent feud between Japanese and Chinese hackers are examples of this. Cyber occupiers seek changes in their own country. In the Arab Spring, the significance of Web 2.0 became clearly apparent. Cyber leakers such as Wikileaks, Openleaks or whistle-blower portals are the fourth group of Internet activists; they want complete freedom of information, thereby often impairing the legitimate interests of individuals or organizations.

The second part of the speech focuses on case studies that show how difficult it is to distinguish between the groups and how fine the line between illegal and criminal actions is. Whether in the discussion about government Trojan horses or in the reactions to SOPA and ACTA, hacktivism is a social phenomenon and the shitstorm an expression of political action. The final examples include political players who started and lost the battle against the community. According to the motto: not much is needed to make a fool of oneself as a politician – Facebook and Twitter are enough.

Steal Everything, Kill Everyone, Cause Total Financial Ruin! (Still misbehaving in 2013) – Jayson E. Street

This is not a presentation where I talk about how I would get in or the things I might be able to do. This is a talk where I am already in and I show you pictures from actual engagements that I have been on.

They say one picture is worth a thousand words; I show you how one picture cost a company a million dollars and maybe even a few lives. In a community where we focus so much on the offensive, I also make sure that with every attack I highlight, I spend time discussing what would have stopped me. We need to know the problems, but we need more talks providing solutions, and that is what I hope people will get from this. I show the dangers of social engineering and how even an employee with no SE experience can be an eBay James Bond who can cause total financial ruin to a company. These security threats are real. So are these stories!

Advances in exploit defence in Visual Studio 2012 and Windows 8 – Tim Burrell

Over the past decade, Microsoft has added security features to both the Windows platform and the Visual Studio toolset that help improve software security both by detecting more bugs during development, and by making it difficult and costly for attackers to develop reliable exploits for residual memory safety vulnerabilities. 

Example mitigations include Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Visual C++'s /GS buffer security check (stack cookies) against stack-based buffer overruns. In Windows 8 and Visual Studio 2012, Microsoft has made a number of substantial improvements that are designed to break known exploitation techniques and in some cases prevent entire classes of vulnerabilities from being exploited.

This presentation will provide a detailed technical walkthrough of the improvements that have been made, an evaluation of their expected impact, and how to take advantage of these features.
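To make the /GS mitigation named in this abstract concrete, here is an added example that models it; it is not Microsoft's implementation and not code from the talk. The compiler-generated mechanism stores a random cookie between the local buffers and the saved return address in the prologue and verifies it in the epilogue; here the "frame" is a plain byte array laid out as [buffer][cookie], so the overrun can be observed without undefined behaviour or a crash. The cookie value, the function names and the constructed inputs are all assumptions made for the example. The third case, an attacker who has leaked the cookie and writes it back, is included because it is the reason /GS is a mitigation that raises the cost of exploitation rather than a fix for the underlying bug, which the hardened copy below shows.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model of a /GS stack cookie: frame = [BUF_SIZE bytes of buffer][cookie].
 * In a real frame the saved return address sits beyond the cookie, so an
 * overrun must pass through the cookie to reach it. */
#define BUF_SIZE 16
#define FRAME_SIZE (BUF_SIZE + sizeof(uint32_t))

/* Fixed value chosen for this demo so results are deterministic. A real
 * cookie is randomised at load time and must stay secret (see demo 3). */
static const uint32_t demo_cookie = 0xBB40E64Eu;

enum { COPY_OK = 0, COPY_GS_FAILURE = 1, COPY_REJECTED = 2 };

/* Vulnerable copy: trusts the caller's length, like strcpy()/memcpy() into a
 * fixed local buffer. Writes are clamped to the frame only so the model stays
 * inside the array; in a real frame they would continue into the return
 * address. Returns COPY_GS_FAILURE where the epilogue check would fire. */
int vulnerable_copy(const uint8_t *src, size_t n)
{
    uint8_t frame[FRAME_SIZE];
    uint32_t check;
    memcpy(frame + BUF_SIZE, &demo_cookie, sizeof demo_cookie);   /* prologue */
    memcpy(frame, src, n < FRAME_SIZE ? n : FRAME_SIZE);          /* the bug  */
    memcpy(&check, frame + BUF_SIZE, sizeof check);               /* epilogue */
    return check == demo_cookie ? COPY_OK : COPY_GS_FAILURE;
}

/* Hardened copy: the bound is the buffer itself, so the cookie is never
 * reached and /GS remains a backstop rather than the fix. */
int hardened_copy(const uint8_t *src, size_t n)
{
    uint8_t frame[FRAME_SIZE];
    uint32_t check;
    memcpy(frame + BUF_SIZE, &demo_cookie, sizeof demo_cookie);
    if (n > BUF_SIZE) return COPY_REJECTED;
    memcpy(frame, src, n);
    memcpy(&check, frame + BUF_SIZE, sizeof check);
    return check == demo_cookie ? COPY_OK : COPY_GS_FAILURE;
}

/* Demo 1: 16 bytes fill the buffer exactly; the cookie is untouched. */
int demo_in_bounds(void)
{
    uint8_t a[BUF_SIZE]; memset(a, 'A', sizeof a);
    return vulnerable_copy(a, sizeof a);
}

/* Demo 2: 20 bytes; the last four land on the cookie and the check fires. */
int demo_overrun(void)
{
    uint8_t a[BUF_SIZE + 4]; memset(a, 'A', sizeof a);
    return vulnerable_copy(a, sizeof a);
}

/* Demo 3: same overrun, but the attacker knows the cookie (e.g. from an
 * info leak) and writes it back in place: the overrun goes undetected. */
int demo_overrun_known_cookie(void)
{
    uint8_t a[FRAME_SIZE + 8]; memset(a, 'A', sizeof a);
    memcpy(a + BUF_SIZE, &demo_cookie, sizeof demo_cookie);
    return vulnerable_copy(a, sizeof a);
}

/* Demo 4: the hardened copy refuses the oversize input outright. */
int demo_hardened_overrun(void)
{
    uint8_t a[BUF_SIZE + 4]; memset(a, 'A', sizeof a);
    return hardened_copy(a, sizeof a);
}
```

Demo 3 is also why the Visual C++ cookie is combined with the other measures the abstract lists: ASLR and a randomised cookie make the value hard to guess, and DEP means that even a successful return-address overwrite has to go through existing code rather than injected shellcode.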

Hacking Huawei VRP – Felix “FX” Lindner

Huawei routers are no longer devices only seen in China. Entire countries run their Internet infrastructure exclusively on these products, and established tier 1 ISPs make increasing use of them. However, very little is known about Huawei's software platform (VRP) and its security. This presentation will introduce the architecture, special properties of configurations and services, as well as how to reverse engineer the OS. Obviously, this is done only to ensure compatibility with other vendors' router products. Routers might still be hurt in the process.

Let Me Answer That For You – Nico Golde

In spite of its age, GSM is still one of the most widely used and widespread mobile communications technologies in the world. However, during the last years researchers have demonstrated again and again that GSM is vulnerable to diverse security issues which can have devastating consequences. This speech discusses an aspect of GSM security which has not been talked about so far, to be precise: service delivery. What happens in the background when the network tries to route a call to a subscriber? Is it possible to prevent this for individuals or for large areas? Is it even possible for an attacker to completely take over a service? This talk will demonstrate the feasibility of such attacks and explain them using the example of a big city like Berlin.

Secrets of Super Spies – Ira Winkler

Spies are unstoppable geniuses who can steal any information they want. Then there are the spy wannabes such as criminals, hackers, and even your employees. As good as spies are at stealing your information, they are just as good at protecting their own. While some spy cases hit the newspapers, they are rare compared with all the people out to get them. The fact is that they know the underlying ways to compromise information, so they know best how to protect immense amounts of information. Learn from actual cases of espionage, including some committed by our speaker, that help demonstrate the most cost-effective security programs for your organization.

Top risks in SAP systems: the updated BIZEC TEC/11 and APP/11 lists – Andreas Wiegenstein

The Business Application Security Initiative (BIZEC.org) has recently updated both of its top-risk lists for SAP environments: BIZEC TEC/11 (typical SAP configuration flaws) and BIZEC APP/11 (typical ABAP programming flaws). This update is based on insights gained by BIZEC members and SAP experts from the industry in their projects during the past two years. BIZEC.org is a non-profit organization consisting of SAP security companies from across the world. Its goal is to identify the most common SAP security issues at customer installations in order to give SAP users a baseline for SAP security audits (analogous to the OWASP Top 10 list for Web applications). This session provides an overview of the current top risks in SAP systems, and all participants are invited to provide feedback.

Security aspects of “bring your own device” – Stefan Strobel

Since modern smartphones and tablets have become increasingly popular in the business world, the call for “bring your own device” strategies is growing louder and louder. Private iPads are expected to have access not only to business e-mail but also to ERP or CRM systems. Some companies are even considering whether company-owned workplace PCs are necessary at all. All these approaches obviously have a great influence on information security. This presentation will introduce the different approaches as well as typical security aspects, and will discuss solutions.

Big Bang Theory…Pentesting High Security Environments - Joe McCray and Chris Gates

This presentation focuses on pentesting high security environments and how to bring more (actual) value to customers that have mature, high security environments. Traditional pentesting delivers very little value to mature customers, and this talk will attempt to show ways to bring value by emulating the techniques of more advanced attackers. These techniques include new ways of identifying and bypassing common security mechanisms, owning the domain, staying persistent, and exfiltrating critical data from the network without being detected. It will also touch on Red Teaming and the importance of testing the convergence of social, physical and electronic operating areas.

How to communicate with upper management about information security & how to properly approach end user security awareness training – Jayson E. Street 

1. How do you engage upper management?
I discuss that it is the responsibility of INFOSEC to educate and inform upper management on INFOSEC-related issues. The fact that a C-level person may not understand a threat is not because they are stupid; it is because INFOSEC has not done a proper job of explaining it in a way that conveys the information while not using jargon or examples that would be foreign to the person they are trying to communicate the threat to.
We will go over several methods of accomplishing this and better ways for INFOSEC to interact productively with upper management.

2. How do you engage the end users?
I help INFOSEC people step back and take a closer look at how they treat the end users. We need to understand that saying stupid users need to stop clicking on links or stupid users need to stop opening files from emails is not helping anyone. We need to educate the end users in ways that help them better understand computer security, even to the point of showing them how to secure their home networks and family online profiles, so they can better understand how to treat the company data. Because if they don't even understand how to protect themselves or their loved ones online with their own data, how can we expect them to protect their employers? Then we need to empower them to be engaged and active in the INFOSEC process and show them how questioning and then reporting suspicious emails or people in the building helps protect everyone. Then we need to understand how to use positive reinforcement to enforce better security practice throughout the organization.

3. How do you engage the INFOSEC Industry (not the "INFOSEC Scene")
I discuss something that I think needs to be addressed, and that is how a small vocal group in the INFOSEC industry is trying to lead and change it without taking into account that 90% of the industry has no clue this group exists. I also talk about how I have lost touch with the industry and how, going past the community, I have gotten wrapped up in the scene, and how we all need to be more involved in the community and the industry.

Lockpicking – Barry Wels and Han Fey

Those interested in lockpicking will have a good time at IT-DEFENSE. Our regular experts Barry Wels and Han Fey (from Toool.NL) will be present for some hands-on instruction.

Practical Exploitation of Embedded Systems - Andrea Barisani, Daniele Bianco

Our new presentation keeps it old school with an in-depth exploration of the reverse engineering and exploitation of embedded systems.
We will cover hardware by showing how to identify and probe debugging and I/O ports on undocumented circuit board layouts.
We will cover software by exploring analysis, reverse engineering and binary patching techniques for obscure real-time OSes and firmware images, with real-world examples.
We are also going to address the post-compromise art of debugging and patching running live kernels with custom backdoors or interception code.
At least one Apple laptop embedded subsystem will be harmed during the course of the presentation.