PROGRAM

Speakers – IT-DEFENSE 2014

Information to the presentations will follow after release by the speakers.

Finux's Historical Tour Of IDS Evasion, Insertions, and Other Oddities - Arron “finux” Finnon

Roll up, Roll up, my Lords, Ladies and Gentleman, come see the bizarre and wondrous marvels that the Cirque de Vendeurs Sécurité has to offer.

Tales of miracle machines that can see into the future and tell their masters of all the dangers they face. Devices so wise that they can see the very threats of tyrants and evil doers before they've even been thought of. Contraptions that possess a mystical sixth sense that can see every footstep and action a would be assailant takes before any deadly blow is delivered. These miracle machines that give defenders a suit of armour that mean the wearer needs no warrior skills in defending their castles. Come see for yourself, and purchase one of the miracle wondrous machines!

Although the above sounds ludicrous and out of place, it isn't that far fetched from a lot of the literature produced by Network Intrusion Prevention/Detection System vendors. This talk looks at the very long and fruitful history the world of network detection systems has to offer (you'll be surprised they're nearly 4 decades old). With a overview of just some of the failings these systems have had over the years, and how these failures shaped their development. At places this talk will be cynical and it won't win any friends from vendors, but attendees will be given enough background information to understand why detection systems like IDS/IPS can work, but why they're set to fail all at the same time.

Poor testing and the general acceptance by nearly everyone within the security industry that these systems can't deliver is only the beginning of their history of fail. I intend to discuss why certain evasion techniques worked, and why they will continue to work until we understand the inherent problems. Consider this talk a historical journey with one eye fixed on the future.

Life Under Colonialism – Marcus Ranum

Roll up, Roll up, my Lords, Ladies and Gentleman, come see the bizarre and wondrous marvels that the Cirque de Vendeurs Sécurité has to offer.

Tales of miracle machines that can see into the future and tell their masters of all the dangers they face. Devices so wise that they can see the very threats of tyrants and evil doers before they've even been thought of. Contraptions that possess a mystical sixth sense that can see every footstep and action a would be assailant takes before any deadly blow is delivered. These miracle machines that give defenders a suit of armour that mean the wearer needs no warrior skills in defending their castles. Come see for yourself, and purchase one of the miracle wondrous machines!

Although the above sounds ludicrous and out of place, it isn't that far fetched from a lot of the literature produced by Network Intrusion Prevention/Detection System vendors. This talk looks at the very long and fruitful history the world of network detection systems has to offer (you'll be surprised they're nearly 4 decades old). With a overview of just some of the failings these systems have had over the years, and how these failures shaped their development. At places this talk will be cynical and it won't win any friends from vendors, but attendees will be given enough background information to understand why detection systems like IDS/IPS can work, but why they're set to fail all at the same time.

Poor testing and the general acceptance by nearly everyone within the security industry that these systems can't deliver is only the beginning of their history of fail. I intend to discuss why certain evasion techniques worked, and why they will continue to work until we understand the inherent problems. Consider this talk a historical journey with one eye fixed on the future.

Hacktivism 2014 – New trends and threats – Volker Kozok

- Short introduction: What’s going on with HB Gary – News from Phoenix
- News from anti social media platforms
- Discussion: The balance between whistleblowing and  betrayal of secrets
- Exchange of experiences about Hacktivism and combined attacks

Behind the Mask - A look at the FBI's Lulzsec Investigation - Michael T. Jr. McAndrews

Who is Anonymous? Who was Lulzsec? Are hacktivist targeting your organization, or is it a state sponsored effort, and what is the difference? In this presentation, Mr. McAndrews will offer some behind-the-scenes information from the Lulzsec investigation and discuss recent hacktivist threats. He will also discuss national security concerns and how the FBI has used a partnership with the private sector to increase awareness and cooperation in combating these threats.

Legal certainty in IT security? – Certainly not – Dr. Wolfgang Hackenberg 

According to German understanding the law is a form of comprehensive insurance for the aggrieved party. This means if damage was caused due to a security gap, there will be someone to take responsibility. Unfortunately, this approach is completely wrong. In general, everybody has to provide for his own security himself. And the legal situation is far from clear and transparent.

Let’s retrace the path of a security incident caused by the exploitation of a software vulnerability:  

At the beginning is the software development:

What if an employee develops software for a company and data gets stolen due to a security gap?  Is the employee liable, then? What applies if a contractor has coded the software faultily? Is security a topic for the purchasing department and do requirements for a product's security have to be defined explicitly or isn't this rather a matter of course?  It is evident that vulnerabilities exist in this case.  

When the software is running:

Then there are also those security experts who detect vulnerabilities via revers engineering or by accident and  who - completely altruistic – do not want to exploit their findings but publish them. Ethical hacking or not – the law is rather humourless. Do you want to know why?  

And if it comes to an incident nevertheless? Then there still is the internal person in charge of security who prepares for a counter attack or acts like Sherlock Holmes and finds the real offender, even if he is inhouse in his own company. 

The law might be humourless. The speaker most certainly is not.

Hacking Email Filtering Appliances and Solutions – Ben Williams
 
In this presentation Ben will talk in detail about tools and techniques he has developed for automated enumeration of internet filtering services, products and policies. Ben will talk about how this information could be used by malicious hackers to improve the efficiency of attacks against organisations, and show how this type of automated reconnaissance can be combined with phishing attacks and exploit-development to quickly find and exploit vulnerable systems and users. These tools and techniques can also be used defensively in security auditing and penetration testing, to enabling the quick identification of weaknesses.

Current SAP security patches risk and relevance – Andreas Wiegenstein 

SAP publishes security patches every month in order to fix various vulnerabilities. Some of the security gaps were detected by SAP istself, others were reported by secruity researchers or SAP customers.

This roundtable offers participants a platform for discussing the criticality of current SAP patches with each other and with security experts of the Business Application Security Initiative (BIZEC).

We will especially talk about which patches should be installed urgently and promptly, which patches have a lower priority and how you can evaluate the criticality yourself.

Security management in practice – Stefan Krebs 

Successful security and risk management requires processes and structures that work in practice. Stefan Krebs talks from his longstanding experience as CISO about solutions that have proven effective and myths that turn out to be completely different in reality.

SAP BusinessObjects Attacks: Espionage and Poisoning of Business Intelligence platforms – Juan Perez-Etchegoyen & Will Vandevanter

Business executives make their strategic decisions and report on company performance based on the information provided by their Business Intelligence platforms. Therefore, how valuable could that information be for the company's largest competitor? Even further, what if the consolidated, decision-making data has been compromised? What if an attacker has poisoned the system and changed the key indicators?

SAP BusinessObjects is used by thousands of companies world-wide and serves as the gold standard platform for Business Intelligence. In this presentation we will discuss our recent research on SAP BusinessObjects security.

Specifically, through several live demos, we will present techniques attackers may use to target and compromise an SAP BusinessObjects deployment and what you need to do in order to mitigate those risks.

Attacking Microchips on the back side - Starbug 

During the last few years, manufacturers of security ICs have put a lot of work in the protection of their products. However, they have mainly focused on the front side of the chip. The presentation deals with the next large playground for chip hackers. It highlights probing attacks using “focused ion beam” and direct control of switching transistors through analysis of optical side channels.

Love letters to Frank Abagnale (How do I pwn thee let me count the ways) – Jayson E. Street

In previous talks I have shown how I have used emails to gain entry into places I should not have been. In this talk I give an in depth explanation on how I use emails not just for phishing but to gather intel & make a way in. I will go over the steps to recon your target. To find important information to make sure the email is not just believed but acted on in the way you desire. I will also show you how to create a convincing get out of jail free card. That will aid in avoiding being detained but will also get employees to aid you in your attack.

Watching the Watchers: Hacking Wireless IP Security Cameras - Sergey Shekyan & Artem Harutyunyan

Low cost commodity IP surveillance cameras are becoming increasingly popular among households and small businesses. As of December 2013 Shodan (www.shodanhq.com) shows close to 600000 cameras active all over the world. Despite the fact that there are many models by different vendors, most of them are actually based on the identical hardware and firmware setup. Moreover, there are even other devices (such as Internet TV boxes) that use the similar firmware. While some security issues were addressed after raised concerns, some issues are still overlooked.
Our contribution will cover how those cameras work, as well as how to gain control over a camera in the wild. Furthermore, we will present analysis of security malpractices ¬that make it possible to harvest sensitive data stored on the camera, as well as to use a camera as an attack platform inside victim's private network. The presentation will conclude with the introduction of toolkit for extracting, altering and re¬packaging original components of the camera, as well as a demo during which we will show how a camera (that was set-¬up following vendors’ recommendations and tutorials) can be compromised. Last but not least we will share recommendations on how the setup of the camera can be made less insecure.

Mobile Fail: Cracking Open “Secure” Android Containers – Chris John Riley

We've known for some time that physical access to a device means game over. In response, we've begun to rely more and more on "secure" container applications to keep our private and company data secret. Whether you use LastPass to secure your passwords, or GOOD for Enterprise to make sure your company emails are safe and sound, this presentation will demonstrate that more often than not, the container isn't as secure as you think. In this presentation I will discuss specific design flaws in the security of "secure" Applications that promise to keep your data / password and even company email safe and sound should the device fall into the wrong hands.

Hacking the Microsoft Cloud - Joshua Tiago

Microsoft is offering an increasing number of products as cloud solutions. Companies who use such solutions often underestimate the risks associated with it. In his presentation, Joshua Tiago will show previously undocumented vulnerabilities in a current Microsoft product, thereby demonstrating various types of attacks available to an attacker.