Speakers

Edmond “bigezy” Rogers

Talk : An amazing keynote

Bio :

Before joining ITI, Edmond Rogers was actively involved as an industry participant in many research activities in ITI’s TCIPG Center, including work on NetAPT (the Network Access Policy Tool) and LZFuzz (Proprietary Protocol Fuzzing). Prior to joining ITI, Rogers was a security analyst for Ameren Services, a Fortune 500 investor-owned utility, where his responsibilities included cyber security and compliance aspects of Ameren’s SCADA network. Before joining Ameren, he was a security manager and network architect for Boston Financial Data Systems (BFDS), a transfer agent for 43% of all mutual funds. He began his career by founding Bluegrass.Net, one of the first Internet service providers in Kentucky. Rogers leverages his wealth of experience to assist ITI researchers in creating laboratory conditions that closely reflect real-world configurations.

Renaud Lifchitz

Talk : A common weakness in RSA signatures: extracting public keys from communications and embedded devices

This talk will show a very common weakness in RSA signatures. We will be able to computationally extract public RSA keys from communications and embedded systems in cases where the public key is deliberately not published. This weakens RSA signatures where keys of small size and/or poor quality are used and allows direct factoring attacks. Two studies will be conducted, on PGP/GPG e-mails and on the Vigik access control system, which protects access to nearly 1 million buildings in France.

Bio :

Renaud Lifchitz is a French senior IT security consultant. He has a solid penetration testing, training and research background. His main interests are protocol security (authentication, cryptography, information leakage, zero-knowledge proofs, RFID security) and number theory (integer factorization and primality tests). He currently works mostly on wireless protocols and has spoken at the following international conferences: CCC 2010 (Germany), Hackito Ergo Sum 2010 & 2012 (France), DeepSec 2012 (Austria), Shakacon 2012 (USA), 8dot8 2013 (Chile).

Hendrik Schmidt & Brian Butterly

Talk : LTE vs. Darwin: The Evolution Strikes Back?

Whether you believe in Darwin or not, the Darwin Award states an important fact about mankind, technology and probably everything that exists: you only make certain mistakes once. For mankind this usually means taking oneself out of the gene pool, for companies it can mean vanishing from the market, and for technology, well, early death.
So when looking at “Long Term Evolution”, providers need to implement the proposed features properly and work out secure configurations for their networks. Otherwise, they might be struck by Darwin: being hacked and suffering break-ins in back-end or front-end structures could result in a situation from which companies might not be able to recover.
Having stated very ambitious plans, concepts and standards for LTE, the 3GPP group has designed a complex but self-organizing system. Surely, with new methods come new attack vectors. Our research is aimed at these new methods and is split into three chapters: awareness of user equipment, an overview of self-organizing networks, and theoretical and practical attacks against these networks and their interfaces. This includes potential attack vectors, information gathering and an analysis of component implementation and the overall architecture.

Bio :

Hendrik Schmidt and Brian Butterly are seasoned security researchers with vast experience in large and complex enterprise networks. Over the years they have focused on evaluating and reviewing all kinds of network protocols and applications. They love to play with packets and use them for their own purposes. In this context they learned how to play around with telecommunication networks and wrote protocol fuzzers and spoofers for testing their implementation and security architecture. Both are pentesters and consultants at the German-based ERNW GmbH and will happily share their knowledge with the audience.

Milan Gabor & Danijel Grah

Talk : Vaccinating APK’s

The number of mobile applications is rising and Android still holds a large market share.
As the number of applications grows, we need better tools to understand how applications work and to analyze them. There is always the question of whether we can trust mobile applications to do only what they are allowed to do, and whether they are really secure when transmitting our personal information to different servers. We will demonstrate what can be found in mobile applications based on our experience. In the presentation some runtime techniques will be discussed and a tool will be demonstrated. We will also be releasing and presenting a tool that can help developers analyze Android applications at runtime and look for different kinds of vulnerabilities.
The basic principle of this method is to inject a small piece of code into the APK, then connect to it and use Java Reflection to modify values at runtime, call methods, instantiate classes and create your own scripts to automate the work.
The tool is Java based and simple to use, but offers quite a few new possibilities for security engineers and pentesters.

Bio :

Milan Gabor is a Founder and CEO of Viris, a Slovenian company specialized in information security. He is a security professional, pen-tester and researcher. Milan is a distinguished and popular speaker on information security. He has previously been invited to speak at various IT conferences in Slovenia and loves to talk to IT students at different universities. He also delivers training on ethical hacking. He is always on the hunt for new and undiscovered things, and he really loves and enjoys his job.

Danijel Grah has a Bachelor's degree in Computer Science from the University of Ljubljana, Slovenia. He has been a Security Consultant at Viris for some time and is involved in penetration testing, security reviews, programming, consulting and research. He has a deep understanding of threats, vulnerabilities and trends. He likes to practice information security in everyday life. Danijel is devoted to his work, open minded, enjoys new challenges and never stops studying.

Christian Sielaff & Daniel Hauenstein

Talk : OSMOSIS – Open Source Monitoring Security Issues

OSMOSIS – the process of pinching holes through presumably separated systems. In the IT world this means:
how we can utilize existing network connections through firewalls to gain access to central monitoring systems. To examine these possibilities, we conducted several audits of software solutions that are based on Open Source software.
In order to emulate a real-world environment, we deliberately chose software solutions that have been ubiquitous in large IT enterprise networks for many years. Many of the examined solutions have a long list of success stories.
Quite often these monitoring solutions are the only ones in use in small or mid-range businesses, but surprisingly often enterprise environments use them at large scale. The widespread usage of these monitoring solutions is mainly based on the fact that they are free, not expensive to maintain and … secure?
We question the last point, while showing how seemingly small security issues may result in large security gaps in your network. We then present how compromising one perimeter system may result in a severe security risk for the monitoring network, potentially allowing attacks against further internal networks. This “osmosis” attack clearly shows how the multilayered onion approach can be bypassed by peeling the onion.
Finally, we will present mitigation proposals to prevent those attacks, at least from a design perspective.
This talk is for everyone who uses “off the shelf” solutions in sensitive environments just because everyone else does.

Bio :

Christian Sielaff has worked for many years in the Telco world. Previously he was part of an operational department and designed and maintained secure access solutions, so he also knows the other side of the console. As part of the Group Information Security of Deutsche Telekom, he has focused on information security in the last few years. In the Network and Data Center Security team he specializes in the security aspects of management networks.

With over 13 years of professional IT security consulting experience, you can safely say Daniel Hauenstein is an old timer in the fast-moving field of IT security.
Daniel worked as a security consultant for companies such as Secureware, TUEV Rheinland Secure iT, n.runs and Context Information Security, and for over 6 years now as a freelance consultant. He has supported international clients like Microsoft USA, SAP, Deutsche Telekom and Deutsche Bank, as well as governmental clients with high-security demands, in securing their applications and networks.
He is a firm believer that the building blocks of security are a robust design and sound planning, as opposed to firewall appliances, antivirus or compliance reports. His drive to prove that even small or presumably insignificant risks may result in “full root access pwnage” made him passionate about how to optimize security solutions. He also does not believe in the mystical power of security certifications.
Daniel loves beer, Scotland, beer in Scotland and travelling. It is said that he knows every internet meme out there.

Andrei Dumitrescu

Talk : WMI Shell: A new way to get shells on remote Windows machines using only the WMI service

The Windows Management Instrumentation (WMI) technology is included by default in all versions of Windows since Windows Millennium. WMI is used by Windows administrators to get a variety of information about the target machine (such as user account information, the list of running processes, etc.) and to create/kill processes on the machine.

From a pentester’s point of view, WMI is just another method of executing commands remotely on target machines in a post-exploitation scenario. This can be achieved by creating processes on the remote machine using a WMI client. However, at present the output of the executed command cannot be easily recovered; a potential solution would be to write the output to a file and retrieve these files using the SMB server on port 445, but this requires having remote file access on the target machine, which might not always be the case.

We have developed a tool that allows us to execute commands and get their output using only the WMI infrastructure, without any help from other services, like the SMB server. With the wmi-shell tool we can execute commands, upload files and recover Windows passwords remotely using just the WMI service that listens on port 135. During this talk we will quickly review current authenticated remote code execution methods available for Windows, we will explain the aspects of the WMI architecture that make the wmi-shell possible and we will present the tool itself (demo & links to the source code).

Bio :

Andrei Dumitrescu is a pentester for LEXSI, a CTF enthusiast thanks to the Hackerzvoice CTF team, and his interests include: database security, web application testing, cryptography, philosophy and alcohol.

Eric Leblond

Talk : Suricata 2.0, Netfilter and the PRC

Suricata IDS/IPS is a signature-based network intrusion detection system engine developed since 2008 by a non-profit foundation, the Open Information Security Foundation (OISF). Version 2.0 was released in March 2014 with a lot of exciting features that strengthen the engine's mixed Network Security Monitoring and IDS approach. As the development of new features is driven by the community, their impact can be clearly seen. The presentation will focus on some features that really matter to users, like the new full JSON output, the luajit extension for signatures, and the TLS, DNS and HTTP protocol decoders. Practical, real-life examples will be shown for each feature, and a demonstration showing the value of combining Suricata and Netfilter data in Elasticsearch will be given by showing how some attacks seem to be specific to China.

Bio :

Eric Leblond is a Free Software and Security hacker. He is part of the Netfilter core team, where he mainly works on kernel and userspace interaction. He is the maintainer of ulogd2, Netfilter’s userspace logging daemon. He started working on the IDS/IPS Suricata in 2009 and currently works for the OISF as a developer. He is also one of the founders of Stamus Networks, a company providing network probe appliances based on Suricata.

José Garduño

Talk : The government as your hacking partner: using public data to block passports, national ID cards, steal tax data, and other mischievous deeds.

Democratic societies are currently facing a very difficult dilemma: on one hand, there is a demand to access the data handled by the government as a mechanism for controlling and auditing it; on the other hand, there are no up-to-date international legal frameworks for setting limits on what information should be exposed, especially concerning personal private data.

This talk will present the results of the master thesis titled “Shortcomings in Chilean privacy protection: an overview of public policies, culture, system design, IT implementations and tools to exploit them.”

Bio :

José is a developer-hacker and a globetrotter of sorts. He has international academic and work experience in Finland, Norway, Spain, Mexico, China and currently Chile, a situation which often makes him wonder about the cultural differences between countries and their effects on information security.

joernchen of Phenoelit

Talk : Ruby on Rails exploitation and effective backdooring

Ruby on Rails is that fancy Web application framework everybody

Bio :

Besides exploring dancefloors by night joernchen also conquers a DJ booth from time to time. The special <3 for exploitation of Ruby on Rails apps came up in him a couple of years ago, since then he's been happily hacking Web2.0 hipsters and the Ruby on Rails framework itself.

Andreas Bogk

Talk : Applying science to eliminate 100% of buffer overflows

Violation of memory safety is still a major source of vulnerabilities in everyday systems. This talk presents the state of the art in compiler instrumentation to completely eliminate such vulnerabilities in C/C++ software.

Bio :

Andreas Bogk is a hacker from the well-known German hacker organization „Chaos Computer Club“. He has more than 20 years of experience in reverse engineering, exploitation and cryptography; and more than 10 years in compiler construction and language design. He has been active for the CCC with a wide range of presentations at its annual conference, served as a member of the board and CEO. His focus is defense and building secure systems by systematically applying sane engineering and computer science to the art of writing software. He is currently working for HERE as lead security architect for mobile applications.

Graham Steel

Talk : Hardware Security Modules: attacks and secure configuration

We take a look at Hardware Security Modules (HSMs), as used in CAs, government and military applications, and in the global cash machine and payment network to secure transactions. Reputed to be uncrackable thanks to their FIPS 140 and CC certifications, we’ll show that their APIs are often open to subtle attacks that expose sensitive keys in plaintext or allow harvesting of multiple customer PINs. We’ll also look at ways to prevent these attacks.

Bio :

Graham Steel is CEO and cofounder of Cryptosense, which provides vulnerability analysis tools for cryptographic systems to an international clientele in particular in the financial, industrial and government sectors. He has published attacks on PKCS#11 devices, the YubiHSM, and new cryptanalysis for RSA PKCS#1v1.5 encryption. In addition to international conference and journal publications, his research results have featured in Wired magazine and the New York

Alexandre De Oliveira & Pierre-Olivier Vauboin

Talk :

Mobile telecommunication networks are complex and provide a wide range of services, making them a tempting target for fraudsters and for intelligence agencies. Moreover, the architecture, equipment and protocols used on these networks were never designed with security in mind, availability being the first concern. Today, even though some telecom operators are investing money into securing their networks, events confirm that for most of them maturity in terms of security is yet to come, as recently shown by the example of massive traffic interception on compromised SCCP and GRX providers like Belgacom’s BICS. Here we present the most typical and legitimate telecom call flows, from making a mobile phone call to sending an SMS. Then we describe the protocol layers involved and how they can be abused, and which fields can be manipulated in order to attack both the operator infrastructure and its subscribers. Finally, we show a real-life example of a scan performed from an international SS7 interconnection and practical attacks on subscribers such as spam, spoofed SMS and user location tracking.

Bio :

Pierre-Olivier is an engineer in Telecom and IT Security who has worked for P1 Security since early 2012. He is passionate about network-oriented security and has been developing strong knowledge of the telecom domain and its associated vulnerabilities and attacks. He currently leads the development and deployment of an active telecom vulnerability scanner (P1 Telecom Auditor) for SIGTRAN and SS7 networks, providing P1 Security customers with visibility into the security of Telecom Core Networks. He also takes part in on-site pentesting, professional training and audit missions.

Alexandre De Oliveira is an engineer in Telecom and Network security. He works especially on the exposure of telecom core networks over the Internet, harvesting information through the unusual protocols present on telecom networks. Working at P1 Security since 2012, focusing mainly on SS7/SIGTRAN, OAM proprietary protocols and LTE protocols, he also leads on-site pentests, audit missions, training and Telecom MBSS on large ISP networks. Alexandre is also one of the main organizers of the Hackito Ergo Sum conference.

Laurent Ghigonis

Talk : Hacking Telco equipment: The HLR/HSS

The HLR and HSS are the most important Telecom Equipment in an Operator Core Network.
We are going to see that this so-called “Critical Infrastructure” is not as robust as you might think, by exploring some weaknesses of the HLR/HSS equipment.

Menu:
* Virtualization of HLR/HSS, for instrumentation purposes
* HLR/HSS system analysis
* SS7/Diameter network fuzzing
* HLR/HSS binary reverse engineering