Schedule for 2014

Thursday Oct 23, 2014
08:30 Registration and Morning Coffee: Powered by Otaverkko
09:15 Opening Words, Tomi Tuominen
09:30 Keynote
Aral Balkan
10:30 Coffee
10:45 Style over Substance - how OEMs are breaking Android security
Robert Miller
MWR InfoSecurity
Keyless entry exploration/exploitation
Knud Hojgaard
nSense
11:45 Lunch: Powered by Combitech
13:00 Reversing iOS Apps - a Practical Approach
Patrick Wardle
Synack
ICSCorsair: How I will PWN your ERP through 4-20 mA current loop.
Alexander Bolshev
Digital Security
14:00 Break
14:15 Darshak: how to turn your phone into a low cost IMSI catcher device
Ravishankar Borgaonkar and Swapnil Udar
TU Berlin and Aalto university
Code your (p)own Flight Simulator
Hugo Teso
n.runs professionals GmbH
15:15 Coffee
15:30 Murdoch's Pirates
Jan Saggiori
SSSLLC
16:30 Closing Words for the 1st day, Tomi Tuominen
17:00 Cocktails & Networking: Powered by Nixu
18:30 Cocktails & Networking ends
19:00 Afterparty: Powered by nSense
21:00 Afterparty ends

Friday Oct 24, 2014
09:30 Morning Coffee: Powered by Otaverkko
10:00 Lockpicking and IT Security
Walter Belgers
TOOOL
11:00 Coffee
11:15 The Story Behind CosmicDuke
Timo Hirvonen
F-Secure
12:15 Lunch: Powered by McAfee
13:15 Three Stories of Three Targets
Antti Tikkanen
F-Secure
Blind Code Coverage Fuzzing
Joxean Koret
Coseinc
14:15 Break
14:30 Watching the Apple Fall
Patrick Wardle
Synack
The Missing Component in Password Management
Dmitry Nedospasov
H.rdw.re
15:30 Coffee
15:45 Solving the t2'14 Challenge
Timo Teräs
Alpine Linux
16:45 Closing Words, Tomi Tuominen
17:00 Conference Ends

Keynote

Aral Balkan


It's a keynote.

TBD


Style over Substance - how OEMs are breaking Android security

Robert Miller @ MWR InfoSecurity


Android has made significant strides in recent years in improving the security of the platform as well as of the apps on its app store. But there is one area it can't control: the manufacturers.

We will have a look at how device manufacturers, in their race to bring new features to market first, are undermining the security of their devices and all the data they contain.

In this presentation, for the first time, two manufacturers have allowed us to perform live exploits against their devices. We will show the steps by which an attacker can go from being on the same network to having full control of a device.

Finally, we will demonstrate how a compromised device can be used to attack corporate networks and mobile device management applications.

The goal of this talk is to arm the security industry with the methodology to hunt out these issues in Android devices and applications, and the skills to fix them.

Rob Miller

Robert has worked for MWR InfoSecurity since 2011, with a strong focus on Android device and application security. He co-runs MWR's Android Secure Development training course, and works with major application developers and device manufacturers in producing security critical products and services.

Robert has presented in both private corporate and public events in everything from teaching members of the public how to stay safe from malware, through to demonstrating the latest classes of mobile vulnerabilities and exploits to teams of developers and pen-testers.

Nick Walker

Nick Walker, also from MWR InfoSecurity, has been performing research in the mobile security field for 5 years, speaking at a number of events on the subject including BruCon, Securi-Tay, and SyScan 2014. While he also works on the iOS and Windows Phone 8 platforms, Nick is predominantly an Android researcher and also runs MWR's Android security training programme.


Reversing iOS Apps - a Practical Approach

Patrick Wardle @ Synack


Mobile apps are ever more ubiquitous, but their widespread adoption comes at a cost. Seemingly every week, a new vulnerability is discovered that jeopardizes the security and privacy of mobile users. Examples include the popular dating app Tinder (leaked the exact location of its users), the photo messaging app SnapChat (exposed connections between phone numbers and users’ accounts) and CitiMobile (stored sensitive account information without encryption). These vulnerabilities (and many more) were not found by the developers of the applications, but rather by reverse-engineers who took it upon themselves to dissect said applications.

Unfortunately, at least for iOS applications, reverse-engineering is still viewed by many as somewhat of a black art. This is due to a myriad of reasons; iOS apps are encrypted, written in a difficult-to-reverse-engineer language (Objective-C), and run on a mostly closed-sourced proprietary OS.

This talk will detail the process of reverse-engineering iOS apps in order to perform security audits and provide best practices to prevent common mobile-specific vulnerabilities. The talk will describe how to extract an application’s unencrypted binary code, analyze the ARM disassembly, and identify vulnerabilities that commonly affect iOS apps. Real-life cases from iOS applications in the App Store will be presented to provide a more 'hands-on' feel to the reversing procedure and to show some actual security vulnerabilities.

Patrick is currently the Director of Research at Synack. He leads R&D efforts, ensuring the company remains on the cutting edge of cyber security.

Patrick began his professional computer science career at NASA, then was hired at the NSA as a global network exploitation and vulnerability analyst. While at the NSA, Patrick received several classified patents and helped lead a team which received NSA’s highest civilian team award. In 2008, Patrick left the NSA to help found Vulnerability Researcher Labs (VRL), which was bought in 2010. Patrick recently joined Synack in 2013.

Patrick has extensive experience analyzing malware and has authored several sophisticated malware detection tools. Currently, his focus has been on the emerging threats of OS X and mobile malware. Besides malware analysis, Patrick is also a skilled vulnerability and exploitation analyst, and has found exploitable 0days in major operating systems such as OS X and Windows and popular applications such as Acrobat Reader.


Darshak: how to turn your phone into a low cost IMSI catcher device

Ravishankar Borgaonkar and Swapnil Udar @ TU Berlin and Aalto university


It is said that 80% of the world's population now has a mobile phone. They use mobile devices to make calls, send SMS messages, and access the internet via the cellular network infrastructure. End-users carrying mobile phones 24 hours a day trust cellular network operators and believe that the mobile communication link provided is secure.

However, mobile operators, device manufacturers, OS providers and baseband suppliers do little to provide them with the best security and privacy features. In particular, the security capabilities of mobile communications are not shown to end-users. Hence it is easy for malicious attackers to mount subsequent attacks using IMSI catcher equipment. Furthermore, some hidden features, for example 'silent SMS', are supported in currently used mobile telephony systems, but end users are not notified when they are in use. Attackers or illegitimate agencies exploit this weakness to track user movements regularly without the user's consent.

In this talk, we address the above long-standing issues by developing a low cost, easy-to-use privacy framework based on Android OS. We demonstrate our effort to build an ideal way to protect mobile user privacy. A live demo of the framework detecting hidden (in)security features of the mobile communication system will be provided.

Ravishankar works as a Senior Researcher in Security in the Telecommunications Department at Technical University Berlin. His research themes are related to mobile telecommunication and the security threats involved. This ranges from GSM/UMTS/LTE network security to end-user device security.

Swapnil is a master's student at Aalto University in Helsinki, Finland. After working for five years at a US-based IT company and with a Swiss bank, he is enjoying research in mobile security.


Keyless entry exploration/exploitation

Knud Hojgaard @ nSense


This presentation will provide a walkthrough of the audit process of an IP-enabled physical access control device. Knud aims to cover some information about the methodology used during the process, but will mostly be discussing the (interesting or sad, depending on the view) results of said audit. The presentation builds on work done on and off over a few iterations of the product, with new and shiny findings not discussed earlier elsewhere.

Knud lives in Denmark where he works in the exciting field of information security. He enjoys security, from virtual to reality.


ICSCorsair: How I will PWN your ERP through 4-20 mA current loop.

Alexander Bolshev @ Digital Security


Modern Industrial Control Systems (ICS) are deeply integrated with other parts of the corporate network. Plant Asset Management systems, OPC, and SCADA interconnect low-level devices, such as transmitters, actuators and PLCs, with high-level applications, such as MES and ERP. But what will happen if you can connect to the line where low-level network protocols (such as HART (FSK over 4-20 mA current loop), FF H1, Profibus DP, Modbus over RS-485, etc.) flow? Almost everyone knows that you can then probably affect industrial processes. But there is something more: from this point, you can attack not only the lowest levels of the network, but also PAS, MES, and even ERP systems!

ICSCorsair is an open hardware tool for auditing low-level ICS protocols. It can communicate with various systems using HART FSK, Profibus, and Modbus protocols. You can control ICSCorsair via USB cable or remotely over Wi-Fi, Bluetooth, or other wireless connection. Different software will be presented to work with ICSCorsair: Metasploit modules, apps for iOS and Android, etc.

In this talk, it will be shown how to trigger vulnerabilities such as XXE, DoS, XSS, and others in SCADA, PAS, ERP, and MES systems using only ICSCorsair and the opportunity to connect to a low-level ICS protocol line.

Alexander is an information security researcher at Digital Security. He holds a Ph.D. in computer security and also works as an assistant professor at Saint-Petersburg State Electrotechnical University. He works on distributed systems, hardware and industrial protocol security. He is the author of several whitepapers on heuristic intrusion detection methods, SSRF attacks, OLAP systems and industrial protocol security. He has spoken at the following conferences: BlackHat USA, ZeroNights, S4. He actively participates in the life of the Russian Defcon Group.


Code your (p)own Flight Simulator

Hugo Teso @ n.runs professionals GmbH


In my previous talks on Aviation Security I always stopped after the exploitation of the target systems, and even little detail on the exploitation itself was released. It's time to change that.

In this talk I will go as deep as possible into all the details that make exploitation of avionic systems different from common exploitation techniques. In order to do so, a brief explanation of avionic systems development will be shown, including standards, languages, frameworks and platforms.

After that I will move into post-exploitation. For that I will focus on the most modern airliners, as those airplanes employ the most modern technologies, like Glass Cockpit and IMA, and offer the best playground for post-exploitation. Everything will be shown in practical demos, from the development of avionic systems to their exploitation and post-exploitation.

Hugo Teso works as a security consultant at n.runs professionals GmbH in Germany. He has been working on IT security for the last 12 years, mainly in Spain. Also being a commercial pilot, he soon focused his attention on aviation security. Together with the development of some open source projects, like Inguma and Bokken, he has spent a lot of time on aviation security research and has presented some of the results in conferences like RootedCon, HITB, T2, SEC-T and CyCon.


Murdoch's Pirates

Jan Saggiori @ SSSLLC


Started the Pay-TV CAS security exploration at 12-14 years old, with the first Canal+ France analogue Discret decoders that flooded Switzerland back then, as well as those used by Teleclub and the RAI channels by satellite. I discovered at the same time the world of smartcards during an exhibition in Grenoble, France.

Then during the beginning of the 90s, started to study the Videocrypt I that was dramatically hacked (Sky07); the Period 08 was not even distributed, then the 09 with the nano commands, the 0A, etc., as well as the D2MAC Eurocrypt M, S and S2 with the NorskTV2 Premier League Soccer, Filmnet in D2MAC then in Videocrypt II.

Swiss Italian national, citizen of the world, loving to travel and discover the differences in cultures and explore as well as pioneer technologies. Graduated from the University of Geneva with a Master in Economics and a Master in Information Technologies, after a French Baccalaureat in Economy.

Worked to help Canal+ Technologies to improve the security of the Mediaguard, giving birth to the Mediaguard V1+ based on the custom Atmel 90SC6464c delivered to more than 10 million customers.

Teamed with Canal+ and Kudelski Nagra to prove the piracy of their technologies by their competitor NDS (later Cisco Technologies), and promoted the disclosure of the wrongdoings of NDS, which ended up with Cisco buying NDS instead of NDS going public (IPO). Today most of the management of NDS has been fired and the technology integrated into the Cisco Video division.


Lockpicking and IT Security

Walter Belgers @ TOOOL


In this lecture, Walter Belgers will look at some security flaws in locks to see how they came about. Then, he shows us how similar mistakes are made in software development and deployment. In both cases, we have to deal with design flaws, implementation errors, zero day attacks, brute force attacks, user errors and more. Real life examples will be given and demonstrated. There are some interesting differences in how security is looked at in the hardware and the software world. Both groups can certainly learn from each other.

Walter Belgers is an ethical computer hacker by profession and by way of life. During his working hours, he tests the security of IT systems using both technical and social means at Madison Gurkha. He is also the president of TOOOL, The Open Organisation of Lockpickers. He has been lockpicking since the 1980s and is currently the fastest Dutch lockpicker. He likes to teach others how to pick locks.


The Story Behind CosmicDuke

Timo Hirvonen @ F-Secure


In early 2013, the MiniDuke malware was discovered in use in a series of attacks against NATO and European government agencies. While investigating MiniDuke samples in April 2014, we noticed that the same loader component was used to load a variant of the Cosmu infostealer family. This was the first and still the only malware that we have seen share code with MiniDuke. We decided to name the samples showing this amalgamation of the MiniDuke loader and a Cosmu-derived payload CosmicDuke.

This presentation tells the story of our journey from the discovery of the first CosmicDuke sample to the release of our analysis report. We explain how we found the initial sample and what kind of information and tools we used to hunt for more samples. In the beginning we were able to find samples only of the loader, but eventually we also discovered droppers and even PDF documents with exploits. We will demonstrate a tool that we wrote to extract the server configuration from CosmicDuke samples, and also a high tech big data metadata database for storing our analysis results. We will point out some interesting details of the CosmicDuke code that have not been published yet. Since the whole analysis process was a learning experience for us, we will openly share our learnings (read: mistakes) throughout the presentation. The presentation will include snippets from our IRC logs and emails to show some of the wild theories and intriguing questions we had along the way.

Our analysis effort had one big, overarching question: how strong is the connection to MiniDuke? That question was answered, along with some questions about the victims, when the release of our whitepaper inspired others to release their findings. We will conclude the presentation by looking at the CosmicDuke sample groups we were able to identify and discuss the most likely explanation behind these three groups that seem disturbingly disparate but are clearly written by the same people.

Timo Hirvonen, Senior Researcher in the Security Response Team, has been working closely with F-Secure's proprietary behavior-based DeepGuard technology for four years. Timo is an expert in exploit analysis with an emphasis on malicious Java, Flash, and PDF files. Timo has been enjoying sunny California and working at the F-Secure North America HQ since September 2013. In addition to his 3½ t2 talks, Timo has presented at Black Hat USA 2014, Microsoft Digital Crimes Consortium 2014, CARO 2013, and Scandinavian Cybercrime Conference 2013. Timo's mission is to keep the good guys safe by studying the latest tricks the bad guys use.


Three Stories of Three Targets

Antti Tikkanen @ F-Secure


In this presentation, we will look at three case studies of targeted attacks we have analyzed at F-Secure Labs. In each case, the attackers, their motivation and tools are very different. We'll see how each of the attacks worked on a technical level and what we think the attackers were after. An attack against an individual entrepreneur is very different from an attack against an entire industry sector, and we think the first step to protecting yourself is knowing your enemy. We hope these case studies will help you do that.

Antti Tikkanen is the head of Security Response at F-Secure Labs, where he started working 10 years ago in the team that created the first commercial rootkit scanner for Windows, F-Secure BlackLight. Nowadays he leads the teams responsible for malware analysis and other security-related services at F-Secure.


Blind Code Coverage Fuzzing

Joxean Koret @ Coseinc


The presentation will show a new, open source, distributed fuzzing suite with web administration called Nightmare. Among the tools included in this fuzzing suite, special emphasis will be placed on the "Blind Code Coverage Fuzzer" (BCCF), a fuzzing approach which mixes code coverage and the usual pseudo-random mutations in order to maximize the code executed compared to the original templates, as well as to discover vulnerabilities during this process. This fuzzing suite and the tool BCCF have been used, "somewhat successfully", against antivirus products (some early results were shown at SyScan and SyScan360 2014), scripting languages, IDA Pro, OpenSSL and a rather long list of other software products.

Joxean Koret has been working for the past 14 years in many different computing areas. He started working as a database software developer and DBA for a number of different RDBMS. Afterwards he got interested in reverse engineering and applied this knowledge to the DBs he was working with, for which he has discovered dozens of vulnerabilities in products from the major database vendors, especially in Oracle software. He also worked in other security areas like malware analysis and anti-malware software development for an antivirus company, and developing IDA Pro at Hex-Rays. He is currently a security researcher at Coseinc.


Watching the Apple Fall

Patrick Wardle @ Synack


“It doesn’t get PC viruses. A Mac isn't susceptible to the thousands of viruses plaguing Windows-based computers.” (apple.com)

Mac's recent growth in both the home and the enterprise is truly impressive and unlikely to abate. Macs are loved for a variety of reasons, including a perceived security superiority, especially when compared to their Windows-based counterparts. While the naive amongst us may not, those who are wiser do acknowledge the reality of OS X malware, but often still defend Mac's perceived security superiority. True; Apple's BSD core and advanced security mechanisms may exude malware immunity, but in reality a skilled attacker can decimate them, allowing persistent malware to thrive even on Apple's latest OS, OS X Mavericks.

This talk will begin with a technical analysis of Apple's latest security mechanisms, such as XProtect, Gatekeeper, and signed-code requirements (applications and kernel extensions). For each, weaknesses will be identified and attacks will be demonstrated that completely bypass the protection. Since Apple's security mechanisms may fail to thwart malware, it's essential to understand where malware may persistently live. With this in mind, the talk will comprehensively identify methods in the boot and logon process of Mavericks that can be abused to provide malware persistence. To ensure a sense of practicality, real-world examples of OS X malware will be presented that target portions of the OS in order to gain persistence, while for novel persistence techniques, proof of concept code will be discussed.

In order to protect against both current and future malware threats, an open-source tool will be demonstrated that can enumerate and display persistent OS X binaries that are set to execute automatically at each boot.

As a result of attending this presentation, participants will gain a deep technical understanding of Apple's anti-malware security mechanisms (and their weaknesses), the OS X boot and logon process, and the components that are, or may be, targeted by persistent malware.

Patrick is currently the Director of Research at Synack. He leads R&D efforts, ensuring the company remains on the cutting edge of cyber security.

Patrick began his professional computer science career at NASA, then was hired at the NSA as a global network exploitation and vulnerability analyst. While at the NSA, Patrick received several classified patents and helped lead a team which received NSA’s highest civilian team award. In 2008, Patrick left the NSA to help found Vulnerability Researcher Labs (VRL), which was bought in 2010. Patrick recently joined Synack in 2013.

Patrick has extensive experience analyzing malware and has authored several sophisticated malware detection tools. Currently, his focus has been on the emerging threats of OS X and mobile malware. Besides malware analysis, Patrick is also a skilled vulnerability and exploitation analyst, and has found exploitable 0days in major operating systems such as OS X and Windows and popular applications such as Acrobat Reader.


The Missing Component in Password Management

Dmitry Nedospasov @ H.rdw.re


Although some password managers suck less than others, they are all bad in general. One of the main issues is keeping passwords in sync across multiple devices. One of the best and most feature-rich password managers is 1Password, but it is closed source and uses iCloud and Dropbox for sync (!!!). A completely different approach is the Yubikey. The Yubikey emulates a keyboard and enters passwords for you. However, it can only store a total of TWO configurations. The Yubikey is great for OTP, but far too constrained as a password manager for general use. The Yubikey is also closed source.

This work introduces the "Any Key", an open source hardware design that can store many passwords. The interface is simple (like the Yubikey) and the Any Key includes a secure compartment for secure password storage. Since it's open source hardware, the design is completely transparent. The hardware includes a DFU mode which makes it easy to flash the device with alternative firmware. As a result, the Any Key can be used as an exploit platform as well, similar to the Facedancer.

Dmitry Nedospasov is a PhD student and researcher in the field of IC security at the Security in Telecommunications (SECT) research group at the Berlin University of Technology (TU Berlin) and the Telekom Innovation Laboratories. Dmitry's research interests include hardware and IC reverse-engineering as well as physical attacks against ICs and embedded systems. His academic research focuses on developing new and novel techniques for semi- and fully-invasive IC analysis. Most recently, Dmitry was involved in identifying vulnerabilities in the most widespread Physically Unclonable Function (PUF) schemes.


Solving the t2'14 Challenge

Timo Teräs @ Alpine Linux


Not available.