Program Presentations

Presentations – IT-DEFENSE 2016

Securing Security with DANE – Carsten Strotmann

Classic transport encryption on the internet via X.509 certificates (known as TLS/SSL) is problematic; the trust in the current system of commercial certificate authorities (CA) has been damaged.

Using secured DNS, their own certificates and new DNS record types, the owners of services on the internet take the security of transport encryption in their own hands.

The presentation will provide an overview on the recent fields of application of DANE (DNSSEC Authenticated Named Entities) and a prospect of new developments within the IETF DANE working group.

Circumvent patented keys with molding and 3D printing - Alexandre Triffault

In this talk, I propose to discover the world of patented keys, what they bring to your security, what they take from your freedom and how skilled people could bypass such measures for fun and profit.

Patented keys have existed for decades and every year we see new patents released. It feels like manufacturers find improvements in this ancient art every time and though, burglary and illegal duplicates are still happening every day.

For decades, if not centuries, burglar and spies have used molding techniques to duplicate keys. Hollywood movies love it, would it be with clay, soap, chewing gum or even breadcrumbs. Despite the common belief or what manufacturers tend to make us believe, even a patented moveable element or magnetic piece inside the key does not prevent to duplicate that key by molding at all!

Aggravating this fact, the rise of the 3D-printing techniques, their increasing precision and the development of nice open-source and easy-to-master parametric 3D CAD software - the duplication of such "protected" keys for evil is easier than ever!

The 3D-printing technique allows not only to duplicate keys, but also to generate ones - which is essential in a right amplification attack conducted on a masterkeyed system or on a poorly designed security system!

We must not forget that those locks, however basic their mechanics may be, do protect our IT systems, our secrets, our assets, and our lives, too!

Open door(s) – Dr.-Ing. Timo Kasper

In many places, electronic locking systems replace their purely mechanical predecessors. NFC and proprietary radio solutions increasingly find their way into larger buildings and plants. The pros, such as the flexible management of locking authorizations and increased user comfort due to opening doors without touching, are obvious. The cons, however - apart from the high purchase price - are often not recognized at first glance.

The lecturer takes a closer look and, based on practical security analyses of different commercial products, explains how they work. In parts, serious vulnerabilities will be revealed, which make bypassing the security functions a snap. A powerful tool for NFC penetration tests, the open-source project ChameleonMini, will be introduced. In its most recent version, in addition to virtualizing contact-free cards and recording the RFID communication, it also works as an individual reader. As a bonus, eventually some common features of wireless door openers and USB login tokens will be outlined, provoking some thoughts regarding security.

Hacking with Pictures: Stegosploit – Saumil Shah

Stegosploit creates a new way to encode "drive-by" browser exploits and deliver them through image files. These payloads are undetectable using current means. This talk discusses two broad underlying techniques used for image-based exploit delivery - Steganography and Polyglots. Drive-by browser exploits are steganographically encoded into JPG and PNG images. The resultant image file is fused with HTML and JavaScript decoder code, turning it into an HTML+Image polyglot. The polyglot looks and feels like an image, but is decoded and triggered in a victim's browser when loaded.

The Stegosploit Toolkit contains the tools necessary to test image-based exploit delivery. A case study of a Use-After-Free memory corruption exploit (CVE-2014-0282) shall be presented demonstrating the Stegosploit technique.

Together we are stupid – Prof. Dr. Gunter Dueck

Companies are a large system of employees, who have indeed been considered really good when they were hired. So how come these many intelligent people argue in meetings and waste time so that many, many people think of everything about collaboration, coordination and teamwork as very distressing?

People (for example business economists who have only recently graduated) set their initial goals too high; actually, they are not able to achieve these goals but they try hard with extra hours and extra miles. Then, they blame others in meetings and start fighting - both against each other and against customers. Slowly, everything sinks into opportunism, against which control mechanisms are coming from the top. Now everything sinks into dull excessive complexity.

Other speakers lead you to believe that “swarm intelligence” is possible; however, I will first try to make you understand the situation you find yourself in. Most people explain the bad things in life with the maliciousness and avarice of others but no one is thinking of “swarm stupidity”. It will open your eyes!

The NSA Playset: A Year of Toys and Tools – Michael Ossmann

Inspired by the contents of the leaked NSA ANT catalog, the NSA Playset project has produced an array of gadgets with capabilities similar to those employed by the spooks. I will review the entire collection since the start of the project. This includes new tools for USB, PCI Express, I2C, GSM, Bluetooth, and a family of RF retroreflectors for eavesdropping on a wide variety of electronic devices. Now you can play along with the NSA!

Security strategies and technologies are changing – Stefan Strobel 

The perimeter is dead, prevention is dead and antivirus is dead. You can hear those and similar statements repeatedly. In some cases, the reasons mentioned are indeed convincing. At times, however, tangible alternatives are missing, or the statement itself raises doubts.

The presentation looks at the recent situation from a technical and strategic perspective; it shows modern technologies not only for prevention but also for detection and response.

The talk outlines the pros and cons of the approaches and offers a prospect for useful security strategies for the years ahead.

Following Safe Harbor: Cloud Computing, Big Data & Data Protection – Joerg Heidrich

By now, moving the infrastructure to virtual systems has become the usual thing, as has moving data to digital “server clouds”. Everything that is technically feasible, however, is by no means uncritical from a legal perspective, so moving customer or employee data is limited by data protection requirements. The issue has only recently become more difficult with the abolition of the Safe Harbor principles by the European Court of Justice. As a result, the export of data to international servers is only possible in a very restricted way. Using many practical examples, the talk shows ways through the minefield of legal requirements.

Attack possibilities on networked vehicles – Stephan Gerhager

From automobile to wheeled computer: With the evolution from purely mechanical vehicles to wheeled networked computers with many sensors and control units, modern cars provide a number of attack possibilities to various attacker groups. Researchers have repeatedly succeeded in attacking modern vehicles. The digital evolution in the automotive field results in unprecedented possibilities for cyber-attacks.

The presentation deals with technical backgrounds and the attack surface of modern vehicles. Moreover, the speaker will present the motivation of different attacker groups. The talk will finish with a prospect for risks arising not only for drivers but also for the industry and the manufacturers from a large insurance provider’s perspective.

Judgment Day for Critical Infrastructure - Eugene Kaspersky

In his presentation, Eugene Kaspersky will give an overview of the principal threats we face today in the cyber domain, splitting them into three main branches – cybercrime, cyber-espionage and cyber-sabotage.

Despite the growing sophistication of hacker attacks, we still have reason to be optimistic. They can be counteracted – naturally through law enforcement, but also importantly through education and international cooperation, and by applying the latest protective technologies to secure everything – critical data, industrial infrastructure, and, of course, the Internet itself.

Security Metrics: The Quest For Meaning – Marcus J. Ranum

Security practitioners constantly bemoan their difficulty in communicating effectively with business units or senior management. The key, of course, is using the right language - namely, metrics. In this presentation we'll outline a bunch of useful things you should know about setting up your own metrics process.

WebRTC, or How Secure is P2P Browser Communication - Dr. Martin Johns & Lieven Desmet

In this presentation, we will provide the audience the necessary insights in this emerging Web technology, and discuss the various security aspects of WebRTC. This content is based on a recent study of the Web Security specifications one of the speakers has been conducting together with researchers from W3C, IETF and SAP.

Firstly, the overall WebRTC architecture will be presented, and the enabling technologies (such as STUN, TURN, ICE and DTLS-SRTP) will be introduced. This architecture will be illustrated in multiple deployment scenarios. As part of this description, the basic security characteristics of WebRTC will be identified.

Secondly, we will discuss how the new WebRTC technology impacts the security model of the current Web. We will highlight some of the weaknesses spot during the security assessment as well as discuss the open security challenges with the WebRTC technology.

Conversations with your Refrigerator - John Matherly

The ability to find, classify and interact with Internet-connected things has grown significantly over the past few years and public awareness of its issues has increased alongside it. Proprietary protocols have open-source implementations, security conferences let you play with PLCs and honeypots have become increasingly popular for measuring attacks on the Internet. This talk goes through the history of discovering publicly accessible IoT with Shodan, how the landscape has changed since it started (IPv6, SSL) and what issues we can expect to see in the future based on the experience of running an Internet search engine.

Information on the presentations will be following after it has been released by the speakers.