Event-Archiv

PlumberCon is proudly supported by ERNW. We provide the conference's network.

Crash Course in Penetration Testing

Speaker: Oliver Roeschke

This course will cover some of the newer aspects of penetration testing such as open source intelligence gathering with Maltego and other open source tools. Advanced scanning, enumeration, exploitation (remote and client-side), and post-exploitation relying heavily on the features included in the Metasploit Framework will also be covered.
Emphasis throughout the entire workshop will be placed on being as stealthy as possible, and dealing with popular defensive technologies.


Attacking Cisco Enterprise WLAN

Speaker: Oliver Roeschke

Enterprise WLAN solutions depict complex setups that should support security and managability by combining several technologies and protocols. This complexity needs distinguished design patterns to ensure all security goals. Usage of insecure mechanisms can result in total breakdown regarding security. One prominent example is Cisco's Structured Wireless-Aware Network (SWAN) architecture, composed of autonomous access points combined with some components for centralized management. This architecture is still deployed in a number of early corporate wireless networks. The proprietary 'Wireless LAN Context Control Protocol' (WLCCP) plays a major role in here.

Unfortunately, the protocol design is debatable in several aspects, leading to practical attacks that impose high risk to wireless networks. A second example is Cisco's current solution, called 'Unified Wireless Networks'. It consists of several entities with interesting communication patterns. Additionally it is built on a broken trust model.

In this talk we will describe the inner workings of these pieces, dissect the vulnerable parts and have some discussion on good or bad protocol design. As usual, some demos will demonstrate the issues.


PacketWars™

Hosted by: Daniel Mende

PacketWars™ is a sport like nothing you have ever experienced! Games known as Battles pit individual players each other in a race against time to achieve predefined objectives, win prizes and attain FAME. Operating in the shadows of the Internet beyond the rule of TCP/IP and devoid of compassion, a secret war rages. Sometimes spilling over into the “real” world, digital battles are waged to advance the will of the combatants. The combatants are as varied as their skills and motivation. Every engagement is unique. It is our duty to chronicle these events. Join us as we open a portal to extreme hacking. Do you have what it takes to survive?

Read also our blog post on the conference: www.insinuator.net

How to rate the security in closed source software

Speaker: Michael Thumann

Security evaluation of software is getting more and more common in large enterprises to ensure that they can trust the software and secure the processed data. But beneath the common source code reviews, pentests and fuzzing tests, it's still hard to rate the security of closed source software without reverse engineering it. This talk will introduce some ideas how to rate this software in an almost automated way using the right tools and based on some quality metrics and other facts of the binary. It will give some advises how to implement the concept in the enterprise.

More information here: conference.hitb.org

Lecture - All Your Packets Are Belong to Us – Attacking Backbone Technologies

Speaker: Daniel Mende

Daniel Mende is a German security researcher specialized on network protocols and technologies. He’s well known for his Layer2 extensions of the SPIKE and Sulley fuzzing frameworks, he has discussed new ways in building botnets and presented on protocol security at many occasions including Troopers08, ShmooCon and Blackhat. Usually he releases a new tool when giving a talk.


Workshop - Can Data Leakage Prevention Prevent Data Leakage?

Speaker: Matthias Luft

Matthias is a seasoned pentester with vast experience in corporate environments. Over the years he focused on evaluating and reviewing all kinds of applications. So he’s one of the first researches who revealed major design flaws and vulnerabilities in the approach of Data Leakage Prevention . He is a regular speaker at international security
conferences and will happily share his knowledge with the audience.

Visit www.just4meeting.com for more information.

Roger Klose and Matthias Luft present at Bechtle Security Day in Würzburg. This is an exclusive event for customers and partners of Bechtle AG.

Get in contact: www.bechtle.com

Download the slides here:

Einführung in die „Rapid Risk Assessment"-Methodik

Speaker: Enno Rey

Effiziente Risiko-Analyse ist eines der wichtigsten Werkzeuge moderner Sicherheitsarbeit. Nicht umsonst fordert ISO 27001 ein funktionales Risk Assessment & Management Framework in Organisationen und die ISO 27000 Familie hält mit ISO 27005 ja auch einen eigenen Standard zum Thema bereit. Leider scheitert Risiko-Analyse als Prozess in vielen Umgebungen an überzogenen Erwartungen, schlechter organisatorischer Einbindung oder zu hoher Komplexität. Der Vortrag stellt ein für einen der weltgrößten Outsourcer entwickeltes Modell („Rapid Risk Assessment") vor. Dessen Ziel ist es, effiziente Risk Assessments in kurzer Zeit (etwa einem 1-2 Stunden Conference Call) durchzuführen, um Sicherheitsentscheidungen vorzubereiten. Wir diskutieren praktische Erfahrungen mit dem Ansatz und unserer Learning Curve, und stellen wichtige Bestandteile exemplarisch bereit.


Attacking Web Applications 2.0 (oder „Moderne Angriffe gegen Web-Applikationen")

Speaker: Michael Thumann

Der Vortrag beschäftigt sich mit aktuellen Angriffstechniken gegen Webanwendungen. Im Zeitalter des „Webifyings" von Unternehmensapplikationen sind Web-Applikationen schon länger im Fokus der Hacker und neue Technologien wie Web 2.0 einerseits wie auch intensive Researcharbeit der Angreifer andererseits führen zu einer Vielzahl von neuen Angriffsmöglichkeiten. Die behandelten Angriffe umfassen Web Filter Bypassing, Session Hijacking, Advanced SQL Injection gegen moderne Datenbank Server und SSL Renegotiation Attacks. Live-Demonstrationen zeigen, wie aktuelle Angriffstechniken praktisch funktionieren. Eine ausführliche Diskussion effizienter und angemessener Schutzmaßnahmen rundet die Präsentation ab.


Security Assessment von Cisco Enterprise WLAN-Technologien

Speaker: Oliver Roeschke

Die Welt der „Enterprise WLAN-Lösungen" ist voller obskurer und nicht-standardisierter Technologien, die zu Sicherheitsproblemen führen können. Cisco bildet hier keine Ausnahme. Insbesondere die „Structured Wireless-Aware Network" (SWAN)-Architektur (die auf dem proprietären WLCCP-Protokoll basiert), aber auch moderne Wireless LAN Controller (WLC) basierte Umgebungen weisen in verschiedenen Szenarien Schwachstellen auf. In diesem Vortrag werden theoretische und praktische (!) Angriffsmöglichkeiten in solchen Netzen behandelt und demonstriert sowie die entstehenden Risiken bewertet. Ziel ist, sowohl die Investition wie auch die transportierten Daten abzusichern.


Weitere Informationen finden Sie unter www.it-security-2010.de

Attacking CISCO WLAN Solutions

Speaker: Oliver Roeschke, Daniel Mende

The world of “Enterprise WLAN solutions” is full of obscure and “non-standard” elements and technologies. Cisco’s solutions are no exception here.

In this talk we will describe potential and practical attacks against components, network traffic and/or cryptographic material in different generations of their “Enterprise WLAN offerings”. This includes pretty standard attacks against management interfaces as well as some not-so-common insight how one of their proprietary protocols works (or fails, security-wise). As usual, a number of demos will add spice and some code will be released.

For more information regarding the conference please visit: conference.hackinthebox.org

Hacking Cisco Enterprise WLANs

Speakers: Enno Rey, Daniel Mende

The world of "Enterprise WLAN solutions" is full of obscure and "non-standard" elements and technologies. Cisco's solutions, from the early Structured Wireless-Aware Network (SWAN) to the current Cisco Wireless Unified Networking (CUWN) architectures, only partly differ here. In this talk we describe the inner workings of these solutions, dissect the vulnerable parts and discuss theoretical and practical attacks, with some nice demos.

A new tool automating a number of attacks (incl. taking over the WDS master role, extracting WPA pairwise master keys from intra-AP communication etc) will be released at Black Hat Europe.

For more information regarding the conference please visit: www.blackhat.com

TROOPERS10 - This time it's a home match.

Bereits zum dritten Mal veranstaltet ERNW die internationale Sicherheits-Konferenz "TROOPERS".
Die TROOPERS bildet zum einen eine wissenschaftliche Plattform für internationale Forscher und ERNW-Researcher, die die Ergebnisse ihrer Arbeit präsentieren. Sie stellt zum anderen ein Forum für Sicherheitsexperten aus der Praxis dar, die von ihren Erfahrungen mit der Umsetzung von Information Security in komplexen Organisationen berichten.

Die Konferenz findet am 10. und 11. März 2010 in Heidelberg statt. Seit 2001 ist die traditionsreiche Stadt am Neckar Firmensitz von ERNW. Den Auftakt zur Konferenz bilden zu Beginn der Woche stattfindende Workshops, die sich mit den Themen "Sicherheit in virtualisierten Umgebungen sowie Cloud-basierten Diensten", "IPv6 Migration" und "Bewertungsstrategien von Schwachstellen im Unternehmen" beschäftigen. Am abschließenden Freitag bieten wir in Round Tables die Möglichkeit, mit ausgewählten Sprechern in direkten Kontakt zu treten um "in kleiner Runde" aktuelle Themen und kommende Trends zu diskutieren.

Wie in den vergangenen Jahren werden spektakuläre neue Angriffstechniken vorgestellt. Sheran Gunasekera wird etwa Spyware auf Blackberries diskutieren, während Claudio Criscione fortgeschrittene Attacken in virtualisierten Umgebungen und sein bisher unveröffentlichtes Tool VASTO [Virtualization ASsessment TOolkit] vorstellen wird.

Darüber hinaus berichten unter anderen Bryan Fite, Program Manager Security and Compliance bei einem der weltgrößten Outsourcer typische Probleme und Lösungsstrategien mit der Implementierung von Sicherheit in komplexen Outsourcingprojekten dar.
Ebenso unterhaltsam wie aufschlussreich wird Martin Freiss aus der Welt der ISO 27000 Audits berichten und aufzeigen weshalb und wie solche Audits "schiefgehen" können.

Die Veranstaltung richtet sich an (C)ISOs, Auditoren, Administratoren, IT-Berater und Sicherheitsbeauftragte aus großen und mittleren Organisationen, die sich über neueste Entwicklungen im Sicherheitsbereich und pragmatische Lösungsansätze informieren wollen.

You're a TROOPER and your next boot camp is scheduled for 8 - 12th of March 2010, Heidelberg, Germany.

Weitere Informationen finden Sie unter www.troopers.de.

Freeware-Security-Tools für .NET-Entwickler

Sprecher: Michael Thumann

In dieser Session werden frei erhältliche Security-Tools für .NET-Entwickler vorgestellt. Vom Sourcecode Analyzer über sinnvolle Bibliotheken wie AntiXSS und ESAPI bis hin zu Threat-Modeling-Tools werden die Entwickler in die Werkzeuge eingeführt und ihr Nutzen am Beispiel des Microsoft Security Development Lifecycles demonstriert. Mithilfe dieser Werkzeuge kann auch ohne die Einführung aufwendiger Unternehmensprozesse die Qualität in der Softwareentwicklung massiv gesteigert werden.


Advanced Hacking

Workshopleiter: Michael Thumann

Die traditionelle Hacking Night School präsentiert aktuelle Angriffstechniken gegen Web Application, beispielsweise SQL Injection, und zeigt, wie diese in Kombination mit anderen Angriffen (z. B. gegen das Windows-Signed-Driver-Modell) ausgenutzt werden, um Systeme komplett zu kompromittieren. Das Angriffsziel sind dabei die aktuellen Serverversionen von Microsoft, also Windows Server 2008 und SQL Server 2008.


Security & Compliance beim Outsourcing

Sprecher: Enno Rey

Der Vortrag behandelt rechtliche Aspekte und gängige Sicherheitsmaßnahmen bei der Verlagerung von Daten oder Services auf Dienstanbieter. Dabei kann es sich um Webhosting von Anwendungen oder um die komplette Verlagerung "in die Cloud" handeln. Es werden die wichtigsten Rahmenbedingungen technischer und vertraglicher Art diskutiert und typische Szenarien vorgestellt.


Weitere Informationen finden Sie unter: www.basta.net

Hier finden Sie die Folien:

WLCCP - Analysis of a Potentially Flawed Protocol

Speakers: Enno Rey, Oliver Roeschke

The world of "Enterprise WLAN solutions" is full of obscure and "non-standard" elements and technologies. One prominent example is Cisco's Structured Wireless-Aware Network (SWAN) architecture, composed of autonomous access points combined with some components for centralized management, and still deployed in a number of corporate networks. The proprietary "Wireless LAN Context Control Protocol" (WLCCP) plays a major role here. Unfortunately it seems the design of the protocol might be debatable in several aspects, leading to some theoretical and, well, practical vulnerabilities. In this talk we will describe the inner workings of this piece, dissect the vulnerable parts and have some discussion on good or bad protocol design. As usual, some demos will add spice and some code will be released.

Find more information and a video of the talk at www.shmoocon.org.

Download the slides here:

IT Underground 2009 is held in Warsaw. Several ERNW experts are on-site, amongst others you'll meet: Roger Klose, Oliver Röschke and Matthias Luft. More to be announced soon.

For more information regarding the conference please visit: www.itunderground.org

All Your Packets are belong to us - Attacking Backbone Technologies

Speakers: Enno Rey, Daniel Mende

The year 2008 has seen some severe attacks on infrastructure protocols (SNMP, DNS, BGP). We will continue down that road and discuss potential and real vulnerabilities in backbone technologies used in today's carrier space (e.g. MPLS, Carrier Ethernet, QinQ and the like). The talk includes a number of demos (like cracking BGP MD5 keys, redirecting MPLS traffic on a site level and some Carrier Ethernet stuff) all of which will be performed with a new tool kit made available in our "Download" section. It's about making the theoretical practical, once more!

More information: www.hft-leipzig.de
Download the tools: Download section

Download the slides here:

All your packets are belong to us - Attacking backbone technologies

Speaker: Daniel Mende, Roger Klose

The year 2008 has seen some severe attacks on infrastructure protocols (SNMP, DNS, BGP). We will continue down that road and discuss potential and real vulnerabilities in backbone technologies used in today's carrier space (e.g. MPLS, Carrier Ethernet, QinQ and the like). The talk includes a number of demos (like cracking BGP MD5 keys, redirecting MPLS traffic on a site level and some Carrier Ethernet stuff) all of which will be performed with a new tool kit made available in our "Download" section. It's about making the theoretical practical, once more!

More information: paranoia.watchcom.no
Download the tools: Download section

Reversing Malware for Business Purposes

Speaker: Michael Thumann

This session will examine different ways to analyse malware for business purposes and discusses advantages and disadvantages of the approaches. It will introduce the most common online sandboxes and compare them to sandbox systems built individually. It will also cover the reverse engineering approach and give some conclusions which approach is useful in a business context.

Visit www.rsaconference.com for more information.

The Day-Con III Keynote is delivered by Enno Rey.

More information: www.day-con.org

IIR IT-Virtualisierung-Forum 2009

Enno Rey gives a lecture on Risk Analysis concerning virtualized environments. Look here for a detailed agenda of the 2-day forum.

More information: www.iir.de

All your packets are belong to us - Attacking backbone technologies

Speakers: Daniel Mende, Roger Klose

The year 2008 has seen some severe attacks on infrastructure protocols (SNMP, DNS, BGP). We will continue down that road and discuss potential and real vulnerabilities in backbone technologies used in today's carrier space (e.g. MPLS, Carrier Ethernet, QinQ and the like). The talk includes a number of demos (like cracking BGP MD5 keys, redirecting MPLS traffic on a site level and some Carrier Ethernet stuff) all of which will be performed with a new tool kit made available in our "Download" section. It's about making the theoretical practical, once more!

More information: www.brucon.org
Download the tools: Download section

Download the slides here:

Secure the weakest Link - ein ganzheitlicher Blick auf Anwendungssicherheit

Sprecher: Michael Thumann

Die Absicherung moderner (Web-)Anwendungen erfordert ein tiefgreifendes Verständnis des Zusammenwirkens von Applikation, (Betriebs-)System, Netzwerkprotokollen und Datenbanken. In dieser Session wird gezeigt, mit welchen Methoden und Tools moderne Angreifer gegen Anwendungen bzw. die von Ihnen verarbeiteten Daten vorgehen. Anhand praktischer Demos (die die Teilnehmer teilweise selbst in der Session nachstellen können; eigener Laptop erforderlich) zeigt der Referent, wo typischerweise Schwachstellen zu finden sind, die "außerhalb des Scopes" des Entwicklers liegen. Diskutiert wird auch, wo etwa Infrastrukturangriffe gegen DNS oder Internet-Routing (BGP) Auswirkungen auf die Sicherheit von Anwendungen haben können und warum daher eine ganzheitliche Sicht auf Application Security notwendig ist. Weiterhin werden die verschiedenen Angriffe gegen SSL präsentiert und welche Gegenmaßnahmen hier aus Entwicklerperspektive sinnvoll sind. Last but not least wird die sicherheitskritische Rolle der oft erforderlichen Datenbankanbindung diskutiert.

Weitere Informationen finden Sie hier.

Hier finden Sie die Präsentation:

All your packets are belong to us - Attacking backbone technologies

Speakers: Daniel Mende, Simon Rich, Michael Schaefer

The year 2008 has seen some severe attacks on infrastructure protocols (SNMP, DNS, BGP). We will continue down that road and discuss potential and real vulnerabilities in backbone technologies used in today's carrier space (e.g. MPLS, Carrier Ethernet, QinQ and the like). The talk includes a number of demos (like cracking BGP MD5 keys, redirecting MPLS traffic on a site level and some Carrier Ethernet stuff) all of which will be performed with a new tool kit made available in our "Download" section.

Daniel Mende and his crew offer a workshop on MPLS Security at a conference for the first time. The workshop is free and will include heaps of hands-on learning. It's about making the theoretical practical, once more!

More information: www.har2009.org
Download the tools: Download section

Cloudifornication: Indiscriminate Information Intercourse Involving Internet Infrastructure

Speakers: Enno Rey, Chris Hoff

[19. July 2009] Update: Unfortunately Chris and Enno had to cancel the talk due to an executive scheduling issue on Chris' side. We hope to give it soon at another occasion.

What was in is now out. This metaphor holds true not only as an accurate analysis of adoption trends of disruptive technology and innovation in the enterprise, but also parallels the amazing velocity of how our datacenters are being re-perimiterized and quite literally turned inside out thanks to Cloud computing and virtualization. One of the really scary things happening with the massive convergence of virtualization and cloud computing is its effect on security models and the information they are designed to protect.

Where and how our data is created, processed, accessed, stored, backed up and destroyed in what is sure to become massively overlaid cloud-based services (and by whom and using whose infrastructure) yields significant concerns related to security, privacy, compliance and survivability. Further, the "stacked turtle" problem becomes incredibly scary as the notion of nested clouds becomes reality: cloud SaaS providers depending on Cloud IaaS providers which rely on Cloud network providers. It's a house of, well, turtles.

This "infrastructure intercourse" where your resources and data can be located anywhere makes it very interesting to try and secure your assets when you don't own the infrastructure and in most cases can't control the level of security. We will show multiple cascading levels of failure associated with relying on cloud on cloud infrastructure and services including exposing flawed assumptions and untested theories as it relates to security, privacy and confidentiality in the Cloud with some unique attack vectors.

More information: www.blackhat.com

IIR IT-Security Update with Enno Rey, Vojislav Kosanovic and Thomas Kopp

This event covers a broad spectrum of current IT-Security topics. Look here for a detailed agenda.

More information: www.iir.de

Roger Klose and Matthias Luft presented at Bechtle Security Day in Würzburg. Their talks included a broad spectrum of current topics like "Targeted Attacks" and "Virtual Security". Please note that there's an other event of this series taking place in Frankfurt.

Download the slides here:

Matthias Luft und Daniel Mende haben auf einer Veranstaltung des Herstellers F-Secure am 18. Mai einen Vortrag zum Thema "Hacking Mobile Devices" gehalten, der eine Reihe von praktischen Demonstrationen beinhaltete. Gerne führen wir die Demos auch in Ihrer Organisation vor oder unterstützen Sie bei der Sicherung mobiler Plattformen.

Die Folien finden Sie hier:

All your packets are belong to us - Attacking backbone technologies

Speakers: Daniel Mende, Enno Rey

The year 2008 has seen some severe attacks on infrastructure protocols (SNMP, DNS, BGP). We will continue down that road and discuss potential and real vulnerabilities in backbone technologies used in today's carrier space (e.g. MPLS, Carrier Ethernet, QinQ and the like). The talk includes a number of demos (like cracking BGP MD5 keys, redirecting MPLS traffic on a site level and some Carrier Ethernet stuff) all of which will be performed with a new tool kit made available at the con. It's about making the theoretical practical, once more!

Additional material:

Check out darkreading.com for an interview with Enno Rey.
Download the tools released with this talk.

First Day Workshop
Attacking Endpoints

Speakers: Roger Klose, Matthias Luft

This workshop is focused on techniques how endpoints (workstations or laptops) can be owned remotely or when physical access is available. In times of workstations with their CD/DVD drives removed and USB blocked even the latter might not always be an easy task. In the past we performed quite a number of assessments where we had to get the control over some endpoint and we have compiled/developed our own toolset for this purpose. The audience will get a CD with this stuff and will have the opportunity to practice most attacks in the classroom. After a detailed discussion of attacks we will also cover ways how to protect computers against these attacks and various mitigating controls.


Second Day Talk
Reversing Malware

Speakers: Michael Thumann, Michael Schaefer


Third Day Talk
All your packets are belong to us - Attacking backbone technologies

Speakers: Daniel Mende, Simon Rich

The year 2008 has seen some severe attacks on infrastructure protocols (SNMP, DNS, BGP). We will continue down that road and discuss potential and real vulnerabilities in backbone technologies used in today's carrier space (e.g. MPLS, Carrier Ethernet, QinQ and the like). The talk includes a number of demos (like cracking BGP MD5 keys, redirecting MPLS traffic on a site level and some Carrier Ethernet stuff) all of which will be performed with a new tool kit made available at the con. It's about making the theoretical practical, once more!

What a developer can do (wrong) – An architect‘s view

Speaker: Enno Rey

All your packets are belong to us - Attacking backbone technologies

Speakers: Daniel Mende, Enno Rey

The year 2008 has seen some severe attacks on infrastructure protocols (SNMP, DNS, BGP). We will continue down that road and discuss potential and real vulnerabilities in backbone technologies used in today's carrier space (e.g. MPLS, Carrier Ethernet, QinQ and the like). The talk includes a number of demos (like cracking BGP MD5 keys, redirecting MPLS traffic on a site level and some Carrier Ethernet stuff) all of which will be performed with a new tool kit made available at the con. It's about making the theoretical practical, once more!


Exploring Novel Ways in Building Botnets

Speakers: Daniel Mende, Enno Rey

Botnets are widely regarded as the most imminent threat to the internet's infrastructure security. While a bot's lifecycle has mostly stayed the same (initial infection, C+C contact, download of payloads/instructions, performance of malicious actions) for some time now, the communication structures are currently undergoing a shift in direction of P2P methods. In this talk we will cover some novel ways in mobilizing well-known and not-so-well-known protocols within botnets. Amongst others we will show how to perform quite efficient DoS attacks without prior OS exploitation and how to abuse some servers run by Microsoft itself for downright untraceable C2 communication and payload distribution.

Guaranteeing data and network security in Ethernet networks for business customers

Speaker: Enno Rey

Exploring Novelty Ways in Building Botnets

Speaker: Simon Rich & Daniel Mende

Botnets are widely regarded as the most imminent threat to the internet's infrastructure security. While a bot's lifecycle has mostly stayed the same (initial infection, C+C contact, download of payloads/instructions, performance of malicious actions) for some time now, the communication structures are currently undergoing a shift in direction of P2P methods. In this talk we will cover some novelty ways in mobilizing well-known and not-so-well-known protocols within botnets. Amongst others we will show how to perform quite efficient DoS attacks without prior OS exploitation and how to abuse some servers run by Microsoft itself for downright untraceable C2 communication and payload distribution. Additionally some code for an intelligent agent's "phone home" without direct IP based communication channel will be discussed and released.

First Day Workshop
Modern offensive techniques

Speakers: Daniel Mende, Michael Schaefer

Second Day Talk
A first inspection of Microsoft's Hyper-V security

Speakers: Enno Rey & Roger Klose

It is expected that Microsoft's Hyper-V will rapidly gain ground in the ever emerging virtualization market. Still, the crucial question remains: how trustworthy is this piece as for isolation of guests and protection of the hypervisor itself and management interfaces. This talk tries to give a first answer. I will present the design and architectural components of Hyper-V, explain configuration tweaks and pitfalls and discuss hardening steps & tools. Furthermore the results of in-deep security testing of Hyper-V will be published. Some fuzzing demo against various pieces of Hyper-V is included and I will provide a detailed comparison of the security features and potential weaknesses of Hyper-V and VMware ESX.

Third Day Talk
Exploring Novel Ways in Building Botnets

Speakers: Daniel Mende & Simon Rich

Botnets are widely regarded as the most imminent threat to the internet's infrastructure security. While a bot's lifecycle has mostly stayed the same (initial infection, C+C contact, download of payloads/instructions, performance of malicious actions) for some time now, the communication structures are currently undergoing a shift in direction of P2P methods. In this talk we will cover some novelty ways in mobilizing well-known and not-so-well-known protocols within botnets. Amongst others we will show how to perform quite efficient DoS attacks without prior OS exploitation and how to abuse some servers run by Microsoft itself for downright untraceable C2 communication and payload distribution. Additionally some code for an intelligent agent's "phone home" without direct IP based communication channel will be discussed and released.

Microsoft's Hyper-V Security

Speaker: Enno Rey

It is expected that Microsoft's Hyper-V will rapidly gain ground in the ever emerging virtualization market. Still, the crucial question remains: how trustworthy is this piece as for isolation of guests and protection of the hypervisor itself and management interfaces. This talk tries to give a first answer. I will present the design and architectural components of Hyper-V, explain configuration tweaks and pitfalls and discuss hardening steps & tools. Furthermore the results of in-deep security testing of Hyper-V will be published. Some fuzzing demo against various pieces of Hyper-V is included and I will provide a detailed comparison of the security features and potential weaknesses of Hyper-V and VMware ESX.

Application Trustworthiness

Speaker: Michael Thumann

This talk covers the different test methodologies to decide if an application can be used securely in a business environment. From blackbox testing, fuzzing, source code review to reverse engineering all the different approaches are explained, that are used by ERNW do conduct these kind of tests in real life. Finally the metric used in the assessments will be presented to give an idea how the results and findings can be used to answer the Question "can we trust this application?" in a comprehensible way.

Exploring Novelty Ways in Building Botnets

Speakers: Daniel Mende & Simon Rich

Botnets are widely regarded as the most imminent threat to the internet's infrastructure security. While a bot's lifecycle has mostly stayed the same (initial infection, C+C contact, download of payloads/instructions, performance of malicious actions) for some time now, the communication structures are currently undergoing a shift in direction of P2P methods. In this talk we will cover some novelty ways in mobilizing well-known and not-so-well-known protocols within botnets. Amongst others we will show how to perform quite efficient DoS attacks without prior OS exploitation and how to abuse some servers run by Microsoft itself for downright untraceable C2 communication and payload distribution. Additionally some code for an intelligent agent's "phone home" without direct IP based communication channel will be discussed and released.

More information

Exploring Novelty Ways in Building Botnets

Speakers: Simon Rich & Daniel Mende

Botnets are widely regarded as the most imminent threat to the internet's infrastructure security. While a bot's lifecycle has mostly stayed the same (initial infection, C+C contact, download of payloads/instructions, performance of malicious actions) for some time now, the communication structures are currently undergoing a shift in direction of P2P methods. In this talk we will cover some novelty ways in mobilizing well-known and not-so-well-known protocols within botnets. Amongst others we will show how to perform quite efficient DoS attacks without prior OS exploitation and how to abuse some servers run by Microsoft itself for downright untraceable C2 communication and payload distribution. Additionally some code for an intelligent agent's "phone home" without direct IP based communication channel will be discussed and released.

From Ariane 5 To Sasser – Zur Sicherheit von Code in komplexen Organisationen

Referent: Enno Rey

Der Vortrag behandelt die Bedeutung von Software-Sicherheit für komplexe Organisationen und diskutiert Wege, wie typische Risiken auf Architektur-Ebene adressiert werden können. Neben einer Darstellung verschiedener Methoden, die Ausführung von nicht vertrauenswürdigem oder fehlerhaftem Code in verteilten Umgebungen zu unterbinden, werden Modelle erörtert, wie die (zerstörerischen) Fähigkeiten solchen Codes begrenzt werden können. Die Rolle von etwa Privilegien, Compartments und Capabilities und ihrer Auswirkung auf die Gesamtsicherheit des Anwendungs-Ökosystems wird meist unterschätzt und im Entwicklungs-Prozess vernachlässigt.

Testen von Software auf Sicherheitsprobleme

Referent: Michael Thumann

Der Vortrag beschäftigt sich mit den verschiedenen Methoden Software auf Sicherheitsprobleme zu untersuchen. Behandelt werden u.a. Themen wie Blackbox Testing und Fuzzing, Source Code Analyse, Source Code Gewinnung mittels Reverse Engineering und Dekompilierung, Runtime- Analyse sowie manuelles Testen von Applikationen. Neben der Vorstellung der verschiedenen Methodiken werden auch hilfreiche bzw. notwendige Werkzeuge vorgestellt, die bei den Applikations-Audits von ERNW zum Einsatz kommen. Abschließend werden einige Security Metriken diskutiert, die bei der Bewertung der Ergebnisse unterstützen können.

Vorsitz: Enno Rey

iPhone - Funky Gadget, Hacker Device or just a Security Risk?
Referent: Michael Thumann

Mit dem iPhone hat Apple ein vielseitig einsetzbares Mobile Device auf den Markt gebracht. Das Bedienkonzept ist revolutionaer und entsprechend beliebt ist das iPhone bei fast allen Personengruppen. Basierend auf Apples Betriebssysem OS X bietet es fast unerschoepfliches Potential fuer Erweiterungen und mit dem neuen Software Release ist es auch in grossen Unternehmen einsetzbar und managebar, ein ideales Werkzeug fuer das Top Mangement. Der Vortrag beschaeftigt sich mit dem Moeglichkeiten aber auch den Security Risiken des iPhones und beleuchtet sowohl den Einsatz als Business Device, als auch den Nutzen als Hacker Tool. Erfahren Sie, ob auch Ihr Unternehmen "iPhone ready" ist.

Referenten:

Enno Rey:
Voice-over-IP, Angriffs-Szenarien und Gegenmaßnahmen

Roger Klose:
Sicherheitsaspekte von Virtualisierung, mit Schwerpunkt auf VMware ESX
Fuzzing von Infrastruktur-Protokollen - Methodik, Tools & Ergebnisse

Sicherheitsaspekte virtualisierter Umgebungen
Referent: Roger Klose

• Threats & Vulnerabilities in virtualisierten Umgebungen
• Definition von Kriterien für „sichere Virtualisierung“
• Virtual Appliances & Virtual Shields - Konzepte & Produkte
• Überblick über Härtungs-Maßnahmen
27.05.2008, 15:15 Uhr – 16:00 Uhr

Workshop: VMware - Angriffe und Sicherheits-Maßnahmen mit Live-Demos von Angriffen
Referent: Roger Klose
• Übersicht über Angriffswege in VMware-Umgebungen (insbesondere VMware ESX)
• Diskussion von Angriffen vom Gast aus
• Demo Escape-Szenarien und „VM Backdoor“ Angriffe gegen Management-Interfaces
• Demo-Angriffe auf Netzwerk-Ebene
• Klassifizierung von Mitigating Controls (Network, Storage, Management)
• Risiko-Analyse & Bewertung von Maßnahmen
28.05.2008, 9:00 - 12:30 Uhr

Troopers08 is a Hacking Conference. Its goal is to share in-depth knowledge about the aspects of attacking and defending information technology infrastructure and applications. The featured presentations and demonstrations represent the latest discoveries and developments of the global hacker scene and will provide the audience with valuable practical know-how.
More information.

The main aim of the HITBSecConf conference series is to enable the dissemination, discussion and sharing of deep knowledge network security information. Featuring presentations by respected members of both the mainstream network security arena as well as the underground or black hat community, HITBSecConf2008 - Dubai will see over 20 of the world’s leading network security specialists talk about their latest tools and research.

Speaker: Michael Thumann
Beyond being an online game SecondLife is a growing marketplace for big companies where lot of money is made. And living and acting in a virtual world gives the people the opportunity to do things they would never do in real life. Therefore, it is not surprising that SecondLife has increasingly attracted real world hackers.

The talk will cover the basic architecture of SecondLife and point out the possible attack vectors against SecondLife itself, but will also demonstrate hacks from the inside of SecondLife against real-life systems in the internet. So watch out what virtualization can do for the “Bad Guys”.

ShmooCon is an annual East coast hacker convention hell-bent on offering three days of an interesting atmosphere for demonstrating technology exploitation, inventive software & hardware solutions, and open discussions of critical infosec issues.

Speakers: Enno Rey and Daniel Mende
Advanced Protocol Fuzzing - What We Learned when Bringing Layer2 Logic to "SPIKE Land"
The talk is based on a research project whose goal was to evaluate the security of network devices used in carrier space. After some (very short) introduction into the main concepts of fuzzing (in particular of network protocols) we will explain which options of existing fuzzers and frameworks we found and why we finally chose SPIKE. Given SPIKE has no Layer2 functionality by default we were forced to write some additional modules like a (libnet-based) generic Layer 2 packet generator and lots of SPK-scripts for different protocols. We will describe this development process, the pitfalls and lessons learned. Furthermore we will release all the code and discuss the results of performing extensive fuzz-testing of network devices and some common operating systems.

Hochsicherheits-Duo SBC und Thin Clients

Referent: Roger Klose

Security- und Compliance-Aspekte auf Server- und Client-Seite Höhere Sicherheit und leichtere Einhaltung gesetzlicher Vorschriften mit SBC und TCs; rein serverseitige Datenhaltung vs. lokales Speichern, VPNs, Identity-Management mit Tokens/Smartcards, PKI, Nutzung von ADS für rollenbasierte Zugriffe, USB-Port-Sicherung, Spyware-Vermeidung.

Sicheres und datenschutzgerechtes WLAN

Referent: Enno Rey

PDAs und Notebooks in den Händen von Ärzten und Klinikpersonal erleichtern und verbessern die Behandlung von Patienten und stellen sicher, dass der Arzt oder Helfer immer alle wichtigen Informationen bei der Hand hat. Die speziellen Anforderungen des Klinikbetriebs bringen es aber mit sich, dass WLAN-Technik hier extrem zuverlässig, sicher und datenschutzgerecht arbeiten muss. Der Vortrag zeigt, wie weit der Stand der Technik dies möglich macht.

Die Schwerpunktthemen:

- Mensch und IT-Sicherheit
- Awareness-Kampagnen
- Indentitätsmanagement
- Network Access Control
- Industriespionage

Referenten: Dror-John Röcher & Michael Thumann
Thema: Attacking Cisco Network Admission Control

Referent: Enno Rey
Virtualisierungs-Sicherheit

Laut aktuellen Umfragen plant rund die Hälfte der IT-Manager, innerhalb der nächsten 12 Monate umfangreiche Teile ihrer Rechenzentren zu virtualisieren. Gleichzeitig haben 43 Prozent davon erhebliche Sicherheits-Bedenken. Der Vortrag klärt, welche Sicherheits-Risiken durch Virtualisierung entstehen koennen. Schwachstellen und Gegenmassnahmen werden am Beispiel wichtiger kommerzieller Lösungen diskutiert sowie konkrete Angriffsszenarien dargestellt.

Referent: Enno Rey
Vortragsthema: Reviewing the Liability of Internet Carriers:
What they could do, should do and actually do to prevent cyber crime.
-Examining what carrier space might have to do with cyber crime
-Reviewing the different attidudes in the current carrier space toward cyber crime: "We only transport" vs. "We are responsible"
-Providing practical examples and cases studies
-Evaluating the role of specific regulations
-Looking to the future

Speaker: Enno Rey & Simon Rich
Topic: Advanced Protocol Fuzzing - What We Learned when Bringing Layer2 Logic to
"SPIKE Land"

The talk is based on a research project whose goal was to evaluate the
security of network devices used in carrier space.
After some (short) introduction into the main concepts of fuzzing (in
particular of network protocols) we will explain which options of existing
fuzzers and frameworks we found and why we finally chose SPIKE. Given SPIKE
has no Layer2 functionality by default we were forced to write some
additional modules like a (libnet-based) generic Layer 2 packet generator
and lots of SPK-scripts for different protocols. We will describe this
development process, the pitfalls and lessons learned. Furthermore we will
release all the code and discuss the results of performing extensive
fuzz-testing of network devices and some common operating systems.

14:45-15:30
NAC unter Compliance-Gesichtspunkten

Network Access Control entwickelt sich zu einem Standard-Sicherheitskonzept.
Die Einführung einer genaueren Kontrolle der Zugänge zum Firmennetz ist aber nicht nur sicherheitstechnisch von Vorteil, sondern erleichert auch den rechtskonformen Betrieb ungemein. Der Vortrag informiert darüberm wie man dieses Ziel optimal erreicht.

Vortragsthema: Vulnerability Scoring mit CVSS 2.0

Referent: Dror-John Röcher

Der transparenten und nachvollziehbaren Bewertung von Schwachstellen kommt
nicht nur durch Compliance-Anforderungen eine ständig wachsende Bedeutung
zu. Auch für effizientes Patchmanagement ist die korrekte Bewertung von
Schwachstellen ausschlaggebend. Zum einen hat CVSS mit der kuerzlich
erschienen Version 2.0 qualitativ einen grossen Schritt in die richtige
Richtung getan, zum Anderen kristallisiert sich CVSS als kommender,
herstellerunabhaengiger Standard zur Bewertung von Schwachstellen heraus.
Ziel des Vortrags ist neben der Vorstellung und Diskussion von CVSS 2.0 eine
Erörterung in welchen Szenarien und unter welchen Randbedingungen der
Einsatz von CVSS sinnvoll möglich ist.

Themen-Highlights:
- Bluetooth Hacking
- Spionage und Sabotage per Funknetz
- Blackberry-Security
- Verschlüsselung und Kommunikationssicherheit
- Sicherheitsaspekte mobiler Betriebssysteme

Treffen Sie u.a. unsere Experten Enno Rey, Michael Thumann und Dror-John Röcher, alle Details und die vollständige Agenda finden Sie hier.

Vortragsthema: Network Security on Layer 2 and 3 (12.09.2007, 11:00-12:30 Uhr)
Referent: Enno Rey

Vortragsthema: Attacking Cisco Network Admission Control – NAC@ACK
Referenten: Michael Thumann & Dror-John Röcher

The last two years have seen a big new marketing-buzz named “Admission Control” or “Endpoint Compliance Enforcement” and most major network and security players have developed a product-suite to secure their share of the cake. While the market is still evolving one framework has been getting a lot of market-attentiont: “Cisco Network Admission Control”. NAC is a pivotal part of Cisco’s “Self Defending Network” strategy and supported on the complete range of Cisco network- and security-products. From a security point of view “NAC” is a very interesting emerging technology which deservers some scrutiny. The Cisco NAC solution contains two major design-flaws which enable us to hack (at least) two of the three different variants using some kind of “posture spoofing attack”. We will demonstate code & tool for posture spoofing in Cisco NAC secured networks.

Referenten: Dror-John Röcher & Michael Thumann
Vortragsthema: NACATTACK

Part I: Introduction—Marketing Buzz:
The last two years have seen a big new marketing-buzz named "Admission Control" or "Endpoint Compliance Enforcement" and most major network and security players have developed a product-suite to secure their share of the cake. As the market is still evolving and one framework has been quite successful on the market: "Cisco Network Admission Control". NAC is a pivotal part of Cisco’s "Self Defending Network" strategy and supported on the complete range of Cisco network- and security-products. From a security point of view “NAC” is a very interesting emerging technology which deservers some scrutiny. We are able to hack the Cisco NAC-solution by exploiting a fundamental design flaw.

Part II: NAC Technology—How it works:
The basic idea behind Cisco NAC is quite simple: Before allowing a client admittance to the network the client is tested against a predefined set of “policies”. These tests are performed by a backend system (a Cisco ACS) which processes .credentials supplied by the client against one or more administrator-defined policies. Based on the result of these tests a client is categorized and a well-defined access-level to the network is granted. While the client is connected to the network it is repeatedly rechecked and the state of the client is reassessed. On a somewhat more technical layer the communication takes place using EAP over UDP with undisclosed Cisco-proprietary EAP messages and the UDP connection itself is secured using SSL. The connection-point to the network (e.g. the switch, wireless AP, Firewall, Router, etc.) acts sort of as a "translating proxy" between the client talking EAPoU and the Cisco Secure ACS server talking RADIUS [Client <-EAPoU-> Switch <-RADIUS-> ACS). Besides this "proxy"-functionality the connection-point also acts as an enforcing element of the security policy. Three somewhat different deployment flavours of Cisco NAC exist but the underlying concept “admittance-level based on the result of a test” is always the same.

For every .NAC-enabled application on the client a client-side agent provides so called “credentials” to the ACS server where they are compared against the defined tests to derive a “posture token” per application. From all application posture tokens an overall “system posture token” is inferred which determines the access-level granted to the client. The client-side agent of the framework responsible for the communication is the “Cisco Trust Agent” (CTA) which also includes the capability to report a few basic credentials (e.g. OS Version, Hostname, etc) without an additional NAC-enabled application. The CTA contains an API enabling third-party vendors to hook their applications into the NAC framework. Anti-Virus Vendors have been among the first to join the NAC-Alliance formed by Cisco.

Part III: The Problem—NAC is not “secure by design”:
The Cisco NAC solution contains at least one major design-flaw which enables us to hack (at least) two of the three different variants: The server authenticates itself to the client using a server-certificate and client and server establish a secure tunnel (something like “SSL over UDP”), but the client does not authenticate itself to the server, so we have a situation in which a component (the client) is authorized without prior authentication. After realizing this fundamental design-error, the idea of a “posture spoofing attack” was born and research started with evaluating different attack-vectors for their feasibility. In the end we decided to analyse the protocols used within the framework and code our own “NAC-client” which provides the ACS with attacker-supplied-credentials in order to get illegitimate access to NAC-secured networks.

Part IV: The Hack—how we did it
NAC is a complex system involving different protocols which are used in an odd combination. Especially the usage of SSL over UDP/EAP-FAST over UDP made the usage of SSL-Proxies for man-in-the-middle attacks or clear-text-traffic-analysis with standard methods impossible. So instead of focusing on the network-traffic (which was our first approach—“stare at the packets until you understand them”), we decided to focus on the client first. Analysing the CTA client in different versions and on different operating systems revealed some of the inner workings of the protocols. Besides “Client analysis” we built a NAC test-lab and developed a “NAC-test-suite” to implement different “admission-scenarios”. While running theses tests we hooked into the interesting functions of the client in order to understand the functions used and their (inter)dependencies. As a next step we started coding our own NAC client to get a better insight into the communication process. The first goal was to get a clear text dump of the communication by establishing the secure tunnel. The next goal was to provide our own credentials to the ACS in order to get access to the NAC protected network. We will release our "NAC-Credential-Spoofing"-tool at the conference alongside with our insight into the operating of NAC.

Part V: Our proposed talk
We do not wish to simply release a tool; we want the audience to understand how Cisco NAC works, why it is not as secure as Cisco wants us to believe and which mitigations exist, if NAC is implemented (there actually exist mitigations and secure setup-approaches). We will present our approach, disclose technical details yet unpublished and release our tool. As an “add-on”-benefit we will explain how to tackle a complex system like NAC when doing security research.

Dror-John Roecher has enjoyed working with Cisco stuff for more than eight years and is usually busy assessing the security of enterprise networks and data-centers. He works as a senior security consultant for germany-based ERNW GmbH all over Europe and has published multiple whitepapers on security-related topics. He is a seasoned speaker and enjoys sharing his experience with his audience.

The last two years have seen him develop additional points of interests, as e.g. “Mobile Security” [he simply loves to play around with all the newest funky gadgets] and “Endpoint Security”—but at the heart he still is a networker.

Michael Thumann is Chief Security Officer and head of the ERNW "Research" and "Pen-Test" teams. He has published security advisories regarding topics like 'Cracking IKE Prshared Keys' and Buffer Overflows in Web Servers/VPN Software/VoIP Software. Michael enjoys sharing his self-written security tools (e.g. 'tomas—a Cisco Password Cracker', 'ikeprobe—IKE PSK Vulnerability Scanner' or 'dnsdigger—a dns information gathering tool') and his experience with the community. Besides numerous articles and papers he wrote the first (and only) german Pen-Test Book that has become a recommended reading at german universities. In addition to his daily pentesting tasks he is a regular conference-speaker and has also contributed exploit code to the Metasploit Framework. With more than 10 years of experience in computer security Michaels' main interest is to uncover vulnerabilities and security design flaws from the network to the application level.

Vortragsthema:
"Captain, Eisberg voraus" - Was wir von der Titanic über Incident Response Prozesse lernen können
Referent: Friedwart Kuhn

Der Referent erläutert anhand einer Analyse des Titanic-Untergangs, welche organisatorischen und menschlichen Faktoren für funktionale Incident Response Prozeduren wichtig sind.

Vortragsthema: Wireless LAN in der Produktion (27.06.2007 14:15-15:00 Uhr)
Firewalls in der Industrie- und Produktionsumgebung (27.06.2007 16:15-17:00 Uhr)
Referent: Dror-John Röcher

- Segmemtierung von Produktionsnetzen
- Aktueller Stand WLAN-Security - Angriffsmethoden & Sicherheits- Technologien, Protokolle
- Managed vs. unmanaged Access Points, Produkte und Sicherheits-Diskussion
- WLAN-Design und -Segmentierung* Managed vs. unmanaged Access Points, Produkte und Sicherheits-Diskussion
- WLAN-Design und -Segmentierung
- Access Point Security - Hardening und sicherer Betrieb
- Wichtige Prozesse (Rollout, Management, Intrusion Detection)
- Neue Ansätze, Protokolle, Probleme
- Einsatz von Firewalls


Vortragsthema: Firewalls in Industrie- und Produktionsumgebung
Referent: Dror-John Röcher

* Sicherheit in den Produktionsnetzen
* Unterscheiden sich Produktionsnetzwerke stark von Büro-Netzwerken?
* Anforderungen an die Komponenten
* Praxisbeispiel: Einführung von Firewalls in einer großen, dezentralen Produktionsumgebung


Workshop: Risiko-Analyse als Werkzeug zur effizienten Steuerung von IT-Sicherheit (29.06.2007 9:00-17:00 Uhr)
Referent: Enno Rey

- Methoden und Tools
- Anwendungsszenarien und Beispiele aus der Praxis
- Notwendige Tabellen und Checklisten

Vortragsthema: Firewalls in Industrie- und Produktionsumgebung
Referent: Dror-John Röcher

Vortrag am 20. Juni 2007 (15:00-15:45 Uhr)
Referent: Friedwart Kuhn
Windows Vista Security
Konzeptuelle Änderungen im Betriebssystem und deren Folgen im praktischen Einsatz
Benutzerkontensteuerung (UAC) und Mandatory Integrity Control (MIC)
BitLocker
Services Hardening
Code-Integrität
Internet Explorer Verbesserungen
Auditing

Is it secure? - Projektbericht: Bewertung einer VoIP Implementierung aus Sicherheits-Sicht

Abstract:
"In vielen Umgebungen gibt es aus Sicherheits-Sicht Vorbehalte gegen den Einsatz von VoIP, aus Business-Sicht aber gleichzeitig das dringende Beduerfnis/die Anforderung danach. Der Referent stellt anhand eines konkreten Projekts vor, wie bestehende oder geplante VoIP-Implementierungen mit einer formalen Methodik darauf untersucht werden, ob sie die Sicherheits-Anforderungen einer Organisation erfüllen oder Best Practices genügen."

Vortragsthema: Industrial Firewalls
Referent: Dror-John Röcher

Firewalls in Industrie- und Produktionsumgebung
- Sicherheit in den Produktionsnetzen
- Unterscheiden sich Produktionsnetzwerke stark von Büro-Netzwerken?
- Anforderungen an die Komponenten
- Praxisbeispiel: Einführung von Firewalls in einer großen, dezentralen Produktionsumgebung

Vortragsthema: Mehr Wissen durch Pen-Tests
Referent: Oliver Roeschke

Vortragsthema: SNMP (16.05.2007, 16.15 Uhr)
Referent: Enno Rey

Knowledge of the SNMP write community string gives you complete control of a device. Statements like this can often be heard when SNMP security is discussed. But beware: it's not that simple! When taking a closer look, two (not so easy to answer) questions arise: how is the exploitation done exactly and how'n'where vulnerable boxes and their associated community strings can be found. These are the two topics I'll be focusing on.

I will first discuss (and show) how to exploit SNMP practically on examples from the provider (Cisco, Foundry, Extreme) and SOHO space (DSL routers, WLAN APs, voice gateways), including advanced attack techniques (spoofing packets, multicasting SNMP, MPLS-labeling to inject packets into foreign networks etc.). In a second part the (staggering!) results from a research project will be presented, whose goal was to examine the spread and use of SNMP in the internet. You will be surprised to learn how easy SNMP can be abused on a large scale.

Tutorium am 07.05.2007: "Sicheres Netzwerk-Management", Referent: Enno Rey
SNMP
Sicherheitsprobleme und Gegenmaßnahmen
SNMPv3
Architektur und Konfiguration
Wann SNMPv3 eingesetzt werden muss und wann es nicht eingesetzt werden sollte
Device-Zugriff
SSH vs. Telnet, Arbeit mit Jumphosts, das Problem Web-Interfaces, sichere Konsolenzugriff
Sichere Konfigurations- und Image-Verwaltung
Integrationsprüfung von Konfigs, wichtige Tools (RANCID et.al.)
Logging und Log-Auswertung
Protokolle & Formate (BSD syslog, syslog-ng, Windows Eventlog) wichtige Tool
Revisionsanforderungen und rechtliche Aspekte

Vortrag am 08.05.2007 (15:15-16:00 Uhr) "MPLS-Sicherheit", Referent: Enno Rey
MPLS Sicherheit
Sicherheitsaspekte beim Einsatz von MPLS (eigener Betrieb oder "Kauf eines VPN-Produkts")
Rahmenparameter und mögliche Sicherheitsmaßnahmen
neue (Ethernet-) Dienste und Sicherheitsprobleme
Vorstellung einer Checkliste zur Bewertung

Vortragsthema: MPLS Security Methodology (02.05.2007, 15:15-15:45 Uhr),
Referent: Enno Rey

Are They Secure? How to Assess MPLS Providers From a Customer Perspective?

One of our clients, a multi billion revenue corporation with HQ in New York is currently in the course of a world wide network migration to MPLS based structures. Given the absolute priority of information security at our client and against the background that MPLS-VPNs are not regarded as a "trustworthy technology" in itself an internal evaluation methodology was developed to rate the eligible carriers as for their security/trustworthiness. This methodology consists of detailed questionnaires delivered to the carriers, extensive lab testing together with carrier personnel and on-site reviews. During the talk the methodology and some of the results will be presented and discussed. We will share our experiences and learning curve with the audience. Service providers will learn what security-sensitive customers will expect from them and enterprise people will get an idea how to conduct such an assessment.

Vortragsthema: "Kid Tracking" (28.04.2007, 11:00 Uhr)
Referent: Enno Rey

"RFID technology has many (ab-) uses. Amongst them are so called
localization services that permit to inventory cattle or to detect lost kids
in theme parks. The same approach can also be found in GPS-based tracking
services used to follow movements of delinquents on probation. On the other
side these techniques seem pretty appealing for parents desiring to track
their children to prohibit kidnapping or to locate them after accidents.
Several questions quickly arise though: when should such a .track your kid.
thing be applied, when . if ever . removed? Do we really want to put our
children in the panopticon Michel Foucault describes in .Discipline and
Punish.? In which way must we re-think our own responsibilities?
The talk will give an overview of the tools involved and their current
state-of-implementation. Using some risk analysis method I will then
illustrate potential problems (security-/privacy-wise) and discuss the
social implications of this technology."

Referent: Roger Klose
Workshop-Thema: Sicheres Netzwerk-Management (18.04.2007)

Referent: Dror-John Röcher
Vortragsthema: "Segen oder Fluch? - Cisco Network Admission Control" (19.04.2007)

* Wunschdenken des Marketings
* Die Wirklichkeit
* Funktionsweise der Technologie
* Vorschläge für den sicheren Betrieb

Aggressiv vermarktet Cisco das „Self-Defending-Network", dessen Kernkomponente das „Network Admission Control" bildet. Diese Technologie soll garantieren, dass nur Clients, die einer definierten Policy entsprechen, Zugang zum Netz erhalten. Nach einem Blick auf die Funktionsweise der Technologie werden Schwachstellen in der NAC-Architektur aufgezeigt und Ansätze zum sicheren Betrieb einer NAC-Lösung diskutiert.

Referent: Roger Klose
Vortragsthema: "Checklisten zur MPLS-Sicherheit" (19.04.2007)

- Kauf ohne Sicherheitscheck

- Unterschiede zu Frame Relay und ATM

- Einsatzmöglichkeiten und daraus resultierende Lücken

- Checkliste zur Sicherheit von MPLS

MPLS ist die mittlerweile wichtigste Backbone-Technologie grosser Netze und wird inzwischen in vielen Organisationen nicht nur als Produkt zur VPN-Realisierung eingekauft, sondern zur logischen Verkehrstrennung auch zunehmend in Campus-Netzen eingesetzt. Übersehen wird dabei häufig, dass MPLS sich hinsichtlich möglicher Sicherheitsprobleme oder Angriffs-Szenarien von seinen „Vorgängern" Frame-Relay oder ATM deutlich unterscheidet. Der Vortrag thematisiert Sicherheits-Aspekte beim Einsatz von MPLS und darauf basierender Dienste. Es wird auch eine Checkliste vorgestellt, mit der MPLS-Sicherheit bewertet werden kann, wenn ein entsprechendes VPN-Produkt von einem Provider eingekauft wird.

Referent: Dror-John Röcher
Routing-Security 2007: Stand der Technik (19.04.2007)

* Status in den Unternehmen
* Sicherheitslücken
* Angriffe (Live)
* Sicherheitsmechanismen

Die geroutete Infrastruktur bildet das Rückgrat unserer Netzwerke. Dabei vernachlässigen viele Unternehmen die Sicherheit der Routing-Infrastruktur. Erfolgreiche Angriffe auf Routingprotokolle ermöglichen die Unterwanderung vieler darauf aufbauender Sicherheitsmechanismen. Neben praktischen Angriffen auf Routingprotokolle werden verfügbare Sicherheitsmechanismen und ihre Wirksamkeit erläutert.

Trainingskurs: Sicheres Netzwerk-Management (16.04.2007, 9:00-17:00 Uhr)

Referent: Enno Rey

Lernziel: Die Teilnehmer lernen, wie typische Aufgaben im Rahmen des Netzwerk-Managements sicher gestaltet werden können. Es werden Sicherheitsprobleme und Gegenmaßnahmen diskutiert und bewertet. Viele praktische Demos und Beispiele aus komplexen Umgebungen gewährleisten einen hohen Praxis-Bezug.

Inhalt
SNMP: Sicherheitsprobleme von SNMP & Gegenmaßnahmen. SNMPv3: Architektur & Konfig. Wann SNMPv3 eingesetzt werden muss und wann es nicht eingesetzt werden sollte.

Device-Zugriff: SSH vs. Telnet, Arbeit mit Jumphosts, das Problem Web-Interfaces, sicherer Konsolen-Zugriff
Sichere Konfigurations- und Image-Verwaltung
Logging & Log-Auswertung: Protokolle & Formate (BSD syslog, syslog-ng, Windows Eventlog), wichtige Tools, Revisionsanforderungen und rechtliche Aspekte.


Termin und Dauer
am 16.04.2007 im CongressCentrum Nürnberg

1 Tag
Zielgruppe und Voraussetzung

Sicherheitsbeauftragte, Projektleiter, Netzwerk-Leiter und -Administratoren, Operator

Grundlegende Kenntnisse der Netzwerk-Kommunikation. Interesse an Netzwerk-Sicherheit.
Referent

Enno Rey, ERNW GmbH
Enno Rey (CISSP/ISSAP, CISA) ist technischer Geschäftsführer eines von ihm 2001 gegründeten Sicherheits-Dienstleisters mit Sitz in Heidelberg. In mittlerweile 15 Jahren Netzwerk-Arbeit hat er umfangreiche Erfahrung in Design, Betrieb, Troubleshooting und Sicherung grosser Netze sammeln können. Er ist Autor vieler einschlägiger Fachartikel sowie eines Buchs zu Penetrations-Tests und regelmässiger Sprecher auf internationalen Konferenzen zu Fragen der Protokoll- und Netzwerksicherheit.

Vortragsthema Digging into SNMP 2007 - An Exercise on Breaking Networks (04.04.2007 10:30-11:30 Uhr)
Referent: Enno Rey

Vortragsthema: "NAC@ACK" (30.03.2006)
Michael Thumann + Dror-John Röcher
Abstract:

Part I: Introduction – Marketing Buzz:
The last two years have seen a big new marketing-buzz named "Admission Control" or "Endpoint Compliance Enforcement" and most major network and security players have developed a product-suite to secure their share of the cake. As the market is still evolving and one framework has been quite successful on the market: "Cisco Network Admission Control". NAC is a pivotal part of Cisco’s "Self Defending Network" strategy and supported on the complete range of Cisco network- and security-products. From a security point of view “NAC” is a very interesting emerging technology which deservers some scrutiny. We are able to hack the Cisco NAC-solution by exploiting a fundamental design flaw.

Part II: NAC Technology – How it works:
The basic idea behind Cisco NAC is quite simple: Before allowing a client admittance to the network the client is tested against a predefined set of “policies”. These tests are performed by a backend system (a Cisco ACS) which processes .credentials supplied by the client against one or more administrator-defined policies. Based on the result of these tests a client is categorized and a well-defined access-level to the network is granted. While the client is connected to the network it is repeatedly rechecked and the state of the client is reassessed. On a somewhat more technical layer the communication takes place using EAP over UDP with undisclosed Cisco-proprietary EAP messages and the UDP connection itself is secured using SSL. The connection-point to the network (e.g. the switch, wireless AP, Firewall, Router, etc.) acts sort of as a "translating proxy" between the client talking EAPoU and the Cisco Secure ACS server talking RADIUS [Client <-EAPoU-> Switch <-RADIUS-> ACS). Besides this "proxy"-functionality the connection-point also acts as an enforcing element of the security policy. Three somewhat different deployment flavours of Cisco NAC exist but the underlying concept “admittance-level based on the result of a test” is always the same.

For every .NAC-enabled application on the client a client-side agent provides so called “credentials” to the ACS server where they are compared against the defined tests to derive a “posture token” per application. From all application posture tokens an overall “system posture token” is inferred which determines the access-level granted to the client. The client-side agent of the framework responsible for the communication is the “Cisco Trust Agent” (CTA) which also includes the capability to report a few basic credentials (e.g. OS Version, Hostname, etc) without an additional NAC-enabled application. The CTA contains an API enabling third-party vendors to hook their applications into the NAC framework. Anti-Virus Vendors have been among the first to join the NAC-Alliance formed by Cisco.

Part III: The Problem – NAC is not “secure by design”:
The Cisco NAC solution contains at least one major design-flaw which enables us to hack (at least) two of the three different variants: The server authenticates itself to the client using a server-certificate and client and server establish a secure tunnel (something like “SSL over UDP”), but the client does not authenticate itself to the server, so we have a situation in which a component (the client) is authorized without prior authentication. After realizing this fundamental design-error, the idea of a “posture spoofing attack” was born and research started with evaluating different attack-vectors for their feasibility. In the end we decided to analyse the protocols used within the framework and code our own “NAC-client” which provides the ACS with attacker-supplied-credentials in order to get illegitimate access to NAC-secured networks.

Part IV: The Hack – how we did it
NAC is a complex system involving different protocols which are used in an odd combination. Especially the usage of SSL over UDP/EAP-FAST over UDP made the usage of SSL-Proxies for man-in-the-middle attacks or clear-text-traffic-analysis with standard methods impossible. So instead of focusing on the network-traffic (which was our first approach – “stare at the packets until you understand them”), we decided to focus on the client first. Analysing the CTA client in different versions and on different operating systems revealed some of the inner workings of the protocols. Besides “Client analysis” we built a NAC test-lab and developed a “NAC-test-suite” to implement different “admission-scenarios”. While running theses tests we hooked into the interesting functions of the client in order to understand the functions used and their (inter)dependencies. As a next step we started coding our own NAC client to get a better insight into the communication process. The first goal was to get a clear text dump of the communication by establishing the secure tunnel. The next goal was to provide our own credentials to the ACS in order to get access to the NAC protected network. We will release our "NAC-Credential-Spoofing"-tool at the conference alongside with our insight into the operating of NAC.

Part V: Our proposed talk
We do not wish to simply release a tool; we want the audience to understand how Cisco NAC works, why it is not as secure as Cisco wants us to believe and which mitigations exist, if NAC is implemented (there actually exist mitigations and secure setup-approaches). We will present our approach, disclose technical details yet unpublished and release our tool. As an “add-on”-benefit we will explain how to tackle a complex system like NAC when doing security research.

Dror has enjoyed working with Cisco stuff for more than eight years and is usually busy assessing the security of enterprise networks and data-centers. He works as a senior security consultant for germany-based ERNW GmbH all over Europe and has published multiple whitepapers on security-related topics. He is a seasoned speaker and enjoys sharing his experience with his audience.

The last two years have seen him develop additional points of interests, as e.g. “Mobile Security” [he simply loves to play around with all the newest funky gadgets] and “Endpoint Security”—but at the heart he still is a networker.

Michael Thumann is Chief Security Officer and head of the ERNW "Research" and "Pen-Test" teams. He has published security advisories regarding topics like 'Cracking IKE Prshared Keys' and Buffer Overflows in Web Servers/VPN Software/VoIP Software. Michael enjoys sharing his self-written security tools (e.g. 'tomas—a Cisco Password Cracker', 'ikeprobe—IKE PSK Vulnerability Scanner' or 'dnsdigger—a dns information gathering tool') and his experience with the community. Besides numerous articles and papers he wrote the first (and only) german Pen-Test Book that has become a recommended reading at german universities. In addition to his daily pentesting tasks he is a regular conference-speaker and has also contributed exploit code to the Metasploit Framework. With more than 10 years of experience in computer security Michaels' main interest is to uncover vulnerabilities and security design flaws from the network to the application level.