IT-Defense 2020Presentations

Presentations – IT-DEFENSE 2020

There is always something new – Update obligations and the information security law – Prof. Dr. Thomas Hoeren

One of the big challenges of the digital economy is the security of information technology. New guidelines and laws are introduced time and again. The European Union, for instance, has passed several regulations on the obligation to install updates and on improving data security, whose outlines are anything but clear. Furthermore, the new information security law imposes numerous requirements, which will be discussed in this presentation.
 

Securing Windows in 2020 and Forward – Sami Laiho

In year 2018 the number of malware per day did not increase for the first time in years. On the other hand the amount of money lost because of malware and security breaches more than doubled. The biggest threat to people is currently ransomware, cryptominers and loss of credentials. Join this session to hear one of the worlds leading security professionals, Sami Laiho, give his predictions on security in 2020 and forward, and what Windows can do to protect you in the all the time evolving cybersecurity landscape.
 

Consent, Alignment, and Cooperation in the Internet Era – Paul Vixie

Much of the spectrum of human action and human custom translates more or less obviously from the real world ("meat space") into the Internet ("cyber space"). Yet, some pieces of the human puzzle do not have an obvious place in the Internet game board, and this has wrought unconsidered change to human society through its digital nervous system, the Internet. Is this merely the post-Westphalia era, or as many claim, the post-national era? Let's discuss.
 

Countering Pre-Installed App Supply Chain Threats - Dr. Ryan Johnson & Dr. Angelos Stavrou

Android devices contain pre-installed apps to provide inherent functionality. Pre-installed apps present an attractive target to attackers due to their privileged position and extensive capabilities. This threat is not limited to the theoretical domain as various pre-installed apps have contained design flaws that exposed the end-user to significant risk. Therefore, pre-installed apps warrant additional scrutiny in order to detect capability leaks and adversarial threats in the supply chain. To address the substantial volume of Android vendor firmware images that contain the pre-installed apps, we propose proactively scanning them for vulnerabilities prior to live deployment. We will present some real-world use cases demonstrating the threat to the end-user. As part of our presentation, we will also demonstrate how automated analysis of pre-installed Android apps can help identify potential risks and help mitigate them. Over the past couple of years, Kryptowire was able to identify and report more than 150 CVEs in the Android ecosystem indicating the extent of the problem of software analysis and verification for mobile telecommunication companies, chipset vendors, and device manufacturers.
 

Artificial intelligence: Will we remain smarter than robots? - Boris Nikolai Konrad

There is much speculation, but what are robots really capable of? This presentation shows the opportunities and risks artificial intelligences harbor. The computer scientist and brain researcher Dr. Boris Nikolai Konrad knows how advanced and explored artificial intelligence (AI) yet is. And he is asking the provocative question: Will we remain smarter than robots, which are constantly learning something new? Because what has been shown in Hollywood science fiction movies for decades – loyal companions on adventure trips like R2D2 or villains who want to take over the world – is not what reality looks like.

Boris Nicolai Konrad will demonstrate the role artificial intelligence already plays in our daily life and explain which inventions are going to change our life in the future – from the music play list suggesting the right song to smart homes controlling the energy balance themselves and self-driving cars that learn new things on their own and, according to Konrad, will reach the mass market in only a few years’ time. In an entertaining and exciting way, he will provide a both fascinating and realistic insight into the world of AI and robots.

“The image we have of robots nowadays is almost nostalgic and romanticized,” the brain researcher explains. However, the tin box with a wind-up key on the back has long since been a thing of the past. Instead, there are already computer programs that are more intelligent than we humans are, at least in certain areas. “But we humans can also become more intelligent if we learn from machines or use the findings of brain research. Our willingness to do so will determine whether we will still control computers in the future or vice versa,” says Boris Nikolai Konrad. Amazement and shivers lie close together in his presentation, because the scientific expert equally causes both when he casts a glance into the future of artificial intelligence.

But do we have to be afraid of AI? The speaker clearly points out the dangers of the new technology, but he also sees many opportunities in artificial intelligence, for instance, in medicine or for enterprises: In his presentation, Boris Nikolai Konrad shows how by using big data it is possible to make more precise predictions on customer behavior than through expensive surveys and market studies. He provides concrete recommendations for action to enable companies to align their production, logistics and selling strategies based on big data in order to gain a significant competitive advantage. Because Boris Nikolai Konrad is convinced: “The company that uses the best AI and meanwhile remains willing to learn from it will come out on top.”
 

If you want to Lock, Lock – Don’t Talk: Bypassing Locked Screens with Voice Assistants - Amichai Shulman & Yuval Ron

Voice assistants are becoming an integral part of many computing platforms, including general-purpose computers as well as smartphones. Their usage pattern is such that encourages their use even when the device is in “locked screen” mode. We will show how the introduction into voice assistant capabilities over “locked screen” dramatically influences the security of such devices.

Our presentation includes an introduction to the architecture of voice assistance systems. We will then provide a walkthrough of various security vulnerabilities that stem from enabling voice assistants (including Cortana, Siri, Alexa, and Bixby) over the locked screen in computers and phones. We discuss this side by side with the evolution of the locked screen concept. As a summary, we point out the main failures that led to these vulnerabilities and present some concepts that should be introduced into the locked screen architecture in order to avoid such mishaps.
 

Leading Change: Building a Security Culture of Protect, Detect and Respond – Lance Spitzner

Cybersecurity is no longer just about technology it is ultimately about organizational change. Organizational change in not only how people think about security but what they prioritize and how they act, from the Board of Directors on down. Learn how to become a far more effective security leader by leveraging the principles of behavioral economics and embed security at an organizational level. Key things you will learn include

  • How we are driving attackers to target humans
  • Why so many security initiatives fail at the human level
  • What is a strong security culture and the two key elements to creating one
  • Most common mistakes organizations make attempting to address the human issue
     

PDFex: How to Break PDF Encryption – Jens Müller

PDF is among the most widely used document formats worldwide. To ensure confidentiality, PDF supports document encryption. In this talk, we analyze PDF encryption and show two novel techniques for breaking the confidentiality of encrypted documents. First, we abuse the PDF feature of partially encrypted documents to wrap the encrypted part of the document within attacker-controlled content and therefore, exfiltrate the plaintext once the document is opened by a legitimate user. Second, we abuse a flaw in the PDF encryption specification to arbitrarily manipulate encrypted content. The only requirement is one single block of known plaintext, which we show is fulfilled by design. Our attacks allow the recovery of the entire plaintext of encrypted documents by using exfiltration channels, based on standard compliant PDF properties.

We evaluated our attacks on 27 widely used PDF viewers and found all of them to be vulnerable. We responsibly disclosed the vulnerabilities and supported the vendors mitigating the issues.
 

Quantum Computing and the future of cryptography - Grégoire Ribordy

PDF is among the most widely used document formats worldwide. To ensure confidentiality, PDF supports document encryption. In this talk, we analyze PDF encryption and show two novel techniques for breaking the confidentiality of encrypted documents. First, we abuse the PDF feature of partially encrypted documents to wrap the encrypted part of the document within attacker-controlled content and therefore, exfiltrate the plaintext once the document is opened by a legitimate user. Second, we abuse a flaw in the PDF encryption specification to arbitrarily manipulate encrypted content. The only requirement is one single block of known plaintext, which we show is fulfilled by design. Our attacks allow the recovery of the entire plaintext of encrypted documents by using exfiltration channels, based on standard compliant PDF properties.

We evaluated our attacks on 27 widely used PDF viewers and found all of them to be vulnerable. We responsibly disclosed the vulnerabilities and supported the vendors mitigating the issues.
 

Cloud Security under the microscope – Joshua Tiago

The large cloud providers are trying to attract customers from all areas. No matter if small medium-sized company or big corporation – specific products are offered as cloud services for any customer. While many security products are comparable in the on-premises world, a direct comparison is not always as easy in the world of the cloud. Different providers pursue different approaches and strategies. Even the designations often do not allow to draw any direct comparisons. But what about the actual security when the big providers are compared directly? In this talk, the cloud offerings from Microsoft (Azure) and Amazon (AWS) will be contrasted and the respective approaches and solutions regarding security will be presented.
 

Breaking LTE on Layer Two - David Rupprecht

LTE combines performance goals with modern security mechanisms and serves casual use cases and public safety communications. However, the strong dependence on LTE leads to a significant impact on any open attack vector. In particular, the authenticity of communication partners and the data integrity must be assured all time, as otherwise an attacker can modify data or impersonate a victim to undermine one of LTE’s most important security goals. The second layer of LTE is responsible for protecting the user data, but also must meet the requirements for a high-speed and low-latency connection. Meeting both requirements has often lead to trade-off decisions that are to the disfavor of security. In this talk, we survey the security mechanism of LTE’s layer two and point out crucial design flaws. First, we provide insights about the aLTEr attack, which exploits the specification flaw of missing integrity protection for user data. User data in LTE is encrypted in counter mode (AES-CTR), but not integrity protected, which allows modifying the message payload. As a proof-of-concept, we demonstrate how an active attacker can redirect DNS requests to perform a DNS spoofing attack. As a result, the user is redirected to a malicious website, where the attacker can steal, e.g., the user credentials. Second, we present the latest insights of our layer two analysis and give an overview of 5G specification flaws.
 

Star Trek: How technical visions become reality – Dr. Hubert Zitt

When Captain Kirk of the starship Enterprise flipped open his communicator at the end of the 1960s, probably nobody imagined that this device would inspire the development of mobile phones 30 years later. Some of these visions of the science fiction authors from the late 20th century have long since become reality today.

How good are or were those visions of the authors of Star Trek regarding man-machine interaction? The touchscreen has already made its way into everyday life. What are the real changes of us being able to speak with computers in the future? And will our generation perhaps be the last that has to learn foreign languages, because soon everyone will carry a universal translator in his or her pocket? Will we in future spend our spare time in a holodeck instead of in front of the TV and interactively participate in what is happening?

In this presentation, the visions of Star Trek will be compared with today’s state of science and technology in both serious and funny ways.