PROGRAM

Presentations – IT-DEFENSE 2015

Information on the presentations will be published once released by the speakers.

Darknet: An insight into the underground scene and market mechanisms of organized crime – Volker Kozok

The speaker will outline the basic mechanisms of the “dark web” or “deep web” and describe the various user groups and their motives. Individual areas of the dark web will be explained and, in the second part of the presentation, one of the most controversial figures of the dark net, the Dread Pirate Roberts (DPR), will be presented as an example. Ross Ulbricht aka DPR, operator of Silk Road, at the time the largest illegal online marketplace, was arrested by the FBI. Using Silk Road as an example, the workings of illegal online marketplaces and the activities of the investigating authorities against this new form of cybercrime will be described. The presentation closes by returning to the question of the right to anonymity and invisibility and the need for effective ways to combat cybercrime.

After the introduction the following questions will be addressed:

  • Why does the Tor network also help the dark side, and why is the “non-searchable network” not an invention of the privacy activists?
  • Does encryption protect the victim or the attacker?
  • If the NSA reads and evaluates everything, why is there still cybercrime?
  • Darknet and hacktivism – how cyber activists profit from the dark net.

At the end I will offer an excursus into LulzSec and Co. as an update for participants who attended the previous conferences.

Unwrapping the Truth: Analysis of Mobile Application Wrapping Solutions - Ron Gutierrez

One of the latest trends in BYOD solutions is "Mobile Application Management (MAM)," which allows organizations to wrap existing applications so that policy enforcement and data/transport security happen at the application layer rather than at the device level. Today's organizations face a complex choice: there is a plethora of BYOD application wrapping products on the market, each with its own colorful datasheets and hefty security claims. How well do these BYOD application wrapping solutions stand up to their claims? And, perhaps just as important, how well do they defend against real-life mobile threats?
In this talk we will analyze the application wrapping solutions offered by some of the major commercial BYOD products on the market today. We'll reverse engineer how these application wrapping solutions work on both iOS and Android, and analyze their authentication, cryptography, interprocess communication (IPC), and client-side security control implementations. Finally, we'll explore the security vulnerabilities we've discovered in major vendor products that could result in the compromise of sensitive information.

Secret weapons of communication – Leo Martin

A talk like this on the art of getting people to trust you has never been heard before: an ex-agent whose job consisted of recruiting police informers in the field of organized crime to gather sensitive information gives away his best strategies. Complete strangers trusted him and told him their most secret insider knowledge. Here he reveals his secret of success and explains impressively how we all can easily approach people, gain their trust and make others believe in us.
In a thrilling mix of hard facts and interactive experiments, Leo Martin further uncovers the success factors of effective communication: our subconscious patterns of thinking and acting. Learn more about the secrets of fair and respectful communication, how to use it and how to appreciate it!
With intelligent interaction Leo Martin shrinks the usual distance between speaker and audience. His interactive experiments make his communication theory tangible, and it can easily be put into practice.

Computer Security: I think we can win – Bill Cheswick

By a number of important measures, the Internet is working spectacularly well. A large part of the world's economy uses it to great advantage. But there is crime and espionage as well, and the attackers are highly capable and motivated. Meanwhile, experienced security people despair. The same bugs seem to persist, the lessons of the past ignored or forgotten. This has been going on for decades.
But I am an optimist. Despite the steady drumbeat of repeated problems, we are still very early in the game, making widespread rookie mistakes. Despite the incredible progress of Moore's Law, our software isn't much better than it was thirty years ago.
This is going to get better over the coming decades. We have tools and techniques we haven't explored or deployed very far. We can get the upper hand: yes, it is possible to write a secure program. They are our computers, on our networks, running software we choose: we have the home-field advantage. We ought to be able to win.

The Psychology of Security – Ross Anderson

A fascinating dialogue is developing between psychologists and security engineers. At the macro scale, societal overreactions to terrorism are founded on the misperception of risk and uncertainty, which has deep psychological roots. At the micro scale, more and more crimes involve deception; as security engineering gets better, it's easier to mislead people than to hack computers or hack through walls.
Many frauds can be explained in terms of the heuristics and biases that we have retained from our ancestral evolutionary environment.
At an even deeper level, the psychology of security touches on fundamental scientific and philosophical problems. The 'Machiavellian Brain' hypothesis states that we evolved high intelligence not to make better tools, but to use other monkeys better as tools: primates who were better at deception, or at detecting deception in others, left more descendants. The move online robs us of many of the signals we use to make trust judgements; it's a lot easier to copy a bank website than it is to copy a bank. Yet even when systems are fairly secure, users often don't believe it, and this costs real money.
Security is both a feeling and a reality, and they're different. The gap gets ever wider, and ever more important. I will describe how security engineers are now starting to work with psychologists, behavioural economists, anthropologists and even philosophers to develop new approaches to risk, fraud and deception.

State of the Art in IPv6 Attack and Defense - Fernando Gont

During the last few years, a number of IPv6 security efforts have been started at the Internet Engineering Task Force (IETF), the organization in charge of standardizing the Internet protocols. These efforts range from informational documents aimed at raising awareness and/or providing advice to the network operations community, to new protocol features or modifications aimed at mitigating identified vulnerabilities.
Another area that has seen a lot of evolution is IPv6 security assessment and attack tools, where brand-new tools have emerged to fill a vacuum in the pentester's toolkit. One prominent example is the SI6 IPv6 toolkit: a portable IPv6 security assessment and attack toolkit containing a variety of tools, ranging from packet-crafting tools to advanced IPv6 reconnaissance tools (most of which implement techniques that are not available in your penetration testing suite of choice).
Fernando Gont will provide an overview of the most recent IPv6 security efforts at the IETF, summarizing the key aspects of each of them and describing their implementation status in the most popular operating systems, thus providing a snapshot of the "state of the art" in IPv6 defense techniques. Additionally, he will present the key features of the newest IPv6 security tools (including those in SI6 Networks' IPv6 Toolkit), along with live demos of such tools, thus providing a snapshot of the "state of the art" in IPv6 attack techniques.
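To make the "advanced IPv6 reconnaissance" mentioned above concrete: brute-forcing a /64 is hopeless (2^64 addresses), so reconnaissance tools instead exploit the structure of interface identifiers (IIDs). The following is an added example written for this page, not code from the SI6 toolkit or from the speaker; it derives modified EUI-64 IIDs from MAC addresses as specified in RFC 4291 Appendix A, classifies observed addresses by IID pattern, and enumerates the 2^24 EUI-64 candidates for a known 24-bit vendor OUI. The prefix and OUI used are constructed for illustration.

```python
"""Added example: IPv6 interface-identifier analysis for reconnaissance.

Not part of the SI6 IPv6 toolkit; prefix 2001:db8::/64 and OUI 00:11:22 below
are constructed sample values (2001:db8::/32 is the documentation prefix).
"""
import ipaddress
from typing import Iterator, Optional

# Bits an attacker must still guess per address-generation scheme (assumption
# of a typical threat model, not a measured figure).
SEARCH_SPACE_BITS = {"random": 64, "eui64": 24, "low-byte": 8}


def eui64_iid_from_mac(mac: str) -> bytes:
    """Modified EUI-64 IID (RFC 4291 App. A): flip the universal/local bit of
    the first octet and insert ff:fe between the OUI and the device part."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    first = bytes([octets[0] ^ 0x02])
    return first + octets[1:3] + b"\xff\xfe" + octets[3:]


def mac_from_eui64_iid(iid: bytes) -> Optional[str]:
    """Inverse mapping: recover the MAC if the IID carries the ff:fe marker."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def classify_iid(address: str) -> str:
    """Heuristic classification of the low 64 bits of an observed address."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] == b"\xff\xfe":
        return "eui64"          # SLAAC from MAC: vendor and device leak
    if iid[:6] == b"\x00" * 6:
        return "low-byte"       # ::1, ::2, ... manually numbered hosts
    return "random"             # RFC 4941/7217 style or otherwise opaque


def eui64_candidates(prefix: str, oui: str) -> Iterator[ipaddress.IPv6Address]:
    """Every EUI-64 address in a /64 for one vendor OUI: 2**24 guesses
    instead of the 2**64 a naive sweep would require."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    for device in range(1 << 24):
        mac = oui + ":" + ":".join(f"{(device >> s) & 0xff:02x}" for s in (16, 8, 0))
        iid = eui64_iid_from_mac(mac)
        yield ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def search_space_bits(address: str) -> int:
    """How many bits remain to guess once the scheme of a seen address is known."""
    return SEARCH_SPACE_BITS[classify_iid(address)]


if __name__ == "__main__":
    import itertools
    for a in ("2001:db8::211:22ff:fe33:4455", "2001:db8::1", "2001:db8::1234:5678:9abc:def0"):
        print(a, classify_iid(a), "bits to guess:", search_space_bits(a))
    for cand in itertools.islice(eui64_candidates("2001:db8::/64", "00:11:22"), 3):
        print(cand, "->", mac_from_eui64_iid(cand.packed[8:]))
```

The defensive reading of the same code is the point of the IETF work the talk covers: stable, opaque IIDs (RFC 7217) and temporary addresses (RFC 4941) put a host back into the "random" class, where the 64-bit search space actually applies.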

Defense-in-Depth or just LOL (Layers On Layers)? - Rahul Kashyap

In this talk I present a pragmatic view of the 'Defense in Depth' advocated to enterprises today. We look at the evolution of the security industry in response to the threats and how the term 'Defense in Depth' was coined. Then we shift gears and learn how attackers leverage the weaknesses in our security systems and infect users despite the various layers of security software deployed. To illustrate this point we take an exploit and use it to bypass several layers of defenses that organizations are likely to have in place.
Before formulating a defense in depth strategy, it is important to know the limitations of each layer and plan around them. Failure to do so will result in a 'LOL' for attackers.

The Future of Incident Response – Bruce Schneier

Protection and detection can only take you so far, and breaches are inevitable. As a result, incident response has stepped into the spotlight. This session will examine the economic and psychological forces within the computer security field and describe the future of incident response (IR) and thus of the industry. It will discuss how response technology, unlike detective and preventative controls, must augment people rather than replace them. Understanding the implications of this reality requires a systems theory approach to IR. This session borrows one from the US Air Force: OODA loops. By leveraging the cycle of observe, orient, decide, and act, this session demonstrates how we can optimize IR efforts, and delivers valuable insight into what is arguably the most crucial discipline for maintaining IT security in the coming decade.

RFIDler - RFID SDR FTW! – Adam Laurie

Software Defined Radio has been quietly revolutionizing the world of RF. However, the same revolution has not yet taken place in RFID. Given the proliferation of RFID/NFC devices, you almost certainly interact with one or another of them on a daily basis. Whether it's your car key, door entry card, transport card, contactless credit card, passport, etc., you almost certainly have one in your pocket right now!
RFIDler is a new open platform project, created by Aperture Labs Ltd., designed to bring the world of Software Defined Radio into the RFID spectrum. We have created a small, open source, cheap-to-build platform that gives any suitably powerful microprocessor access to the raw data produced by the over-the-air conversation between tag and reader coil. The device can also act as a standalone 'hacking' platform for RFID manipulation/examination. The rest is up to you!
You can find further information at https://www.kickstarter.com/projects/1708444109/rfidler-a-software-defined-rfid-reader-writer-emul

I see, therefore I am … you - Starbug

It is a well-known fact that we can look over the shoulder of people entering their passwords. We are also aware that cameras can take pictures of certain biometric features, and that traces of these features may be found on objects. It has previously been assumed that you had to be in close proximity to the person being spied on for these attacks. The presentation will demonstrate that this is not the case. We will present results of our investigations showing that it is also possible to spy out biometric features and passwords from far away, or even remotely through the cameras in mobile phones, either directly or indirectly (via reflections in the eye).

Whiteboard Warriors – Jayson E. Street

Defenders always want to build better walls. The issue is that defenses get built the way a defender would build them, not the way an attacker will attack them! So how about you sit down with someone who gets paid to be an attacker?
There will be no PowerPoint slides, and no one standing and talking at you for a set amount of time before giving you only a few minutes to ask your questions.
This is purely a question-and-answer session! Questions you've always wanted to ask but were afraid of the response to! When questions are not forthcoming, I'll fill the silence with ways I've mitigated certain attacks and how I've executed certain attacks against my clients. Attendees should show up with questions and problems, and though I can't promise to provide all the answers, I promise to at least be entertaining as we try to sort it out!

BREAKING in BAD! (I’m the one who doesn’t knock) – Jayson E. Street

I’ve come to realize that while I may not do a lot of social engineering engagements, I do quite a few weird ones. I also seem to have three main roles I play (all adorably) to try to get into my target. I thought it would be cool to share at least one story from each of these roles. Some come with pictures, some with just witty comments. More importantly, all three will come with ways that would have stopped me from being successful. The goal is not to show how ‘L337’ I am or these attacks are! Far from it: this talk is to show how EASY these attacks were to carry out, and how every single attack has one common thread connecting all of them! Though you’ll have to see my talk to find out what that is! ;-)

Bio Hacking and the Global DIYbio Scene - An Introduction – Rüdiger Trojok
Who are bio hackers and what is it about?

The topic is approached through an everyday, but all the more pressing, phenomenon: the spread of antibiotic resistance in bacteria. This is a problem that affects each and every one of us, globally, and that cannot be resolved by better regulation alone, nor by a smart new invention. It needs a scientifically literate public to engage with the problem from a holistic point of view, working in accordance with smart governance as well as innovative and sophisticated technologies.
During the talk, the latest innovations in the life sciences are addressed, as well as the potential to apply them outside of traditional laboratory research. The risks and opportunities, but also the challenges to be faced in order to realize this urgently needed solution, will be laid out.
Finally, a first approach is taken to define requirements for the future use of the involved digital and biological technologies.

Stay Out of the Kitchen: A DLP Security Bake-Off – Zach Lanier

Despite a plethora of data security and protection standards and certifications, companies and their systems are still leaking information like a sieve. Data Loss Prevention (DLP) solutions have often been touted as the "silver bullet" that will keep corporations from becoming the next headline. With deployment models ranging from a fat agent on an endpoint, to a blinky-lights box surveilling all network traffic, to some unified threat management gateway with DLP secret sauce, these solutions are ripe for bypass - or worse.
This talk will discuss our research into a handful of DLP solutions, including their capabilities and their shortcomings. We will demonstrate flaws in administrative and programmatic interfaces and the inspection engines themselves.

Where Flow Charts Don't Go: An Examination of Web Application Security Process Management – Jeremiah Grossman

This presentation will focus on strategic challenges impacting how an organization protects itself against the latest security threats. Specifically, we will paint a picture of how effective the security countermeasures outlined in the Vendor Building Security In Maturity Model (vBSIMM) are for protecting real-world applications.

“Trust" in Computer Systems and Networks - Felix “FX” Lindner

This discussion is for people who have had, or are having, encounters with the brick wall called "trust" in computer systems and networks. We are forced to operate with a model that can only express "trusted" and "not trusted" entities, without any way to reliably say "yes, but ...". On top of that, we need to talk to a master control program, known as PKI, just to validate that simple claim.
The purpose of this discussion is to talk about scenarios in which this was or is a pain, impractical, or of insufficient granularity. A standardized alternative for expressing trust relationships will be used as an example to determine whether scenarios presented by participants would profit from it, and how these particular scenarios would be modeled.