Here is the agenda
We will make the slides available after the conference.
Please be advised that we only record the talks in Room 1 this year and publish them about 1-2 months after the conference.
There will be no recordings of Room 2 because we want people on-site. So visit the conference - you will not regret it!
Here is the agenda as PDF for download.
Here is the booklet incl. talk description as PDF
Monday 2nd June 2014
Tuesday 3rd June 2014
|Time|Room 1 (Saal)|Room 2 (Klub)|
|---|---|---|
|08:00|Door opening / registration|-|
|09:20-10:10|Raffael Marty: The Heatmap - Why is Security Visualization so Hard? [slides]|CrashTest: Retro-Arcade Hacking|
|10:30-11:20|Ian Amit: Painting a company red and blue|Endre Bangerter, Ramona Cioccarelli, Beni Urech: Vortessence - Automating memory forensics|
|11:30-12:20|Raul Siles: iOS: Back to the Future|Jean-Philippe Aumasson: Password Hashing Competition - Status Quo|
|14:00-14:50|Wim Remes: Threat Modeling? It's not out of fashion!|Shahar Tal: I Hunt TR-069 Admins: Pwning ISPs Like a Boss *|
|15:00-15:50|Arron Finnon: Finux's Historical Tour Of IDS Evasion, Insertions, and Other Oddities|Emmanuel Tacheau: The Art of Escape|
|16:30-17:20|Dave Kennedy: Completely Destroying Education and Awareness Programs|Pascal Junod: Obfuscator-LLVM – Software Obfuscation for the Masses|

* sponsored talk
Halvar Flake: Keynote
CrashTest: Retro-Arcade Hacking
Old school arcade games were awesome in every respect: games, hardware, piracy, protections. Here is the story of what it took to defeat one of them.
Ange Albertini and Gynvael Coldwind: Schizophrenic Files – A file that thinks it's many
As file format specs leave room for interpretation and sometimes are misunderstood or ignored by the programmers, some well-formed files may be interpreted inconsistently by different tools and libraries. As a result, this can be (ab)used for simple jokes, anti-forensics or to bypass sanitizers which might lead to data exfiltration.
Ange Albertini: Reverse Engineer, author of Corkami
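A minimal instance of the inconsistency the abstract describes, as an added example (not the speakers' code and not Corkami material): a ZIP archive whose central directory lists one member while an orphaned local file header sits in front of it. Python's zipfile, like most archivers, trusts the central directory; a streaming scanner that walks local headers from offset 0 (the forward_scan_view function below, written for this example) finds the orphan as well. The file names and contents are constructed; both parsers agree the archive is well-formed, they just disagree about what is in it.

```python
import io
import struct
import zipfile
import zlib

# Constructed example: one ZIP, two honest parsers, two different answers.
LOCAL_HDR = "<4sHHHHHIIIHH"          # 30-byte local file header
CENTRAL_HDR = "<4sHHHHHHIIIHHHHHII"  # 46-byte central directory header
EOCD = "<4sHHHHIIH"                  # 22-byte end of central directory record


def _local_entry(name: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(data) & 0xFFFFFFFF
    hdr = struct.pack(LOCAL_HDR, b"PK\x03\x04", 20, 0, 0, 0, 0,
                      crc, len(data), len(data), len(name), 0)
    return hdr + name + data            # method 0 = stored, no extra field


def _central_entry(name: bytes, data: bytes, offset: int) -> bytes:
    crc = zlib.crc32(data) & 0xFFFFFFFF
    hdr = struct.pack(CENTRAL_HDR, b"PK\x01\x02", 20, 20, 0, 0, 0, 0,
                      crc, len(data), len(data), len(name), 0, 0, 0, 0, 0, offset)
    return hdr + name


def build_schizophrenic_zip() -> bytes:
    """Two local headers, but the central directory only points at the second one."""
    hidden = (b"payload.txt", b"only a forward parser will find me\n")
    visible = (b"readme.txt", b"nothing to see here\n")
    out = bytearray()
    out += _local_entry(*hidden)          # orphan: no central-directory entry refers to it
    visible_offset = len(out)
    out += _local_entry(*visible)
    cd_offset = len(out)
    out += _central_entry(*visible, visible_offset)
    cd_size = len(out) - cd_offset
    out += struct.pack(EOCD, b"PK\x05\x06", 0, 0, 1, 1, cd_size, cd_offset, 0)
    return bytes(out)


def central_directory_view(data: bytes) -> list:
    """What zipfile (and the ZIP specification) says the archive contains."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if zf.testzip() is not None:
            raise ValueError("CRC mismatch: archive is not well-formed")
        return zf.namelist()


def forward_scan_view(data: bytes) -> list:
    """What a streaming scanner sees when it walks local headers from offset 0."""
    entries, pos = [], 0
    while data[pos:pos + 4] == b"PK\x03\x04":
        fields = struct.unpack_from(LOCAL_HDR, data, pos)
        csize, name_len, extra_len = fields[7], fields[9], fields[10]
        name = data[pos + 30:pos + 30 + name_len].decode()
        start = pos + 30 + name_len + extra_len
        entries.append((name, data[start:start + csize]))
        pos = start + csize
    return entries


if __name__ == "__main__":
    blob = build_schizophrenic_zip()
    print("central directory:", central_directory_view(blob))
    print("forward scan:     ", [name for name, _ in forward_scan_view(blob)])
```

A sanitizer that scans one view and lets the other through is exactly the bypass the abstract refers to; the defensive rule that follows is to parse both ways and reject the archive whenever the two interpretations disagree.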
Ian Amit: Painting a company red and blue
Say red team one more time. I dare you. I double dare you.
The term red team has recently been more abused than cyber. And it's making us all hurt in ways we need dolls to point where the bad man touched us. Time to get back to business: in this talk we'll get down and dirty on how a company can actually see a benefit from red teaming. Beyond the red team having fun and bragging rights. Actual ROI. Dirty business speak...
Ian Amit is an IOActive Director of Services with over a decade of experience in both hands-on and strategic roles, working fluently in all manner of security-related fields: business, technical, and research. Ian brings our customers the benefit of his proven leadership, innovative management style, and established expert media presence while overseeing engagements for technical, financial, healthcare and government clients. Ian also leads the Red Team practice in IOActive, leveraging his years of experience on private, public and government engagements. He speaks publicly on security topics that include the technical and strategic, as well as marketing, strategy, and policies, working at the highest levels of corporate and multi-national engagements.
Jean-Philippe Aumasson: Password Hashing Competition - Status Quo
The Password Hashing Competition (PHC) is starting! We will present the project and the submissions received from the community earlier this year. All candidate algorithms will be reviewed, and we'll discuss the evaluation criteria that we plan to consider in our selection of finalists, which is planned for Q3 2014. Goals of this talk are to elicit feedback from the community, as well as to encourage research and technical contributions (regarding cracking techniques, server-side implementations, bruteforce implementations, etc.).
Jean-Philippe Aumasson is principal cryptographer at Kudelski Security, Switzerland, and holds a PhD in cryptography from EPFL. He is known for designing the cryptographic functions BLAKE (one of 5 SHA-3 finalists), SipHash (OpenDNS, Perl, Ruby, etc.) and BLAKE2 (Pcompress, WinRAR, etc.). He has authored more than 30 research articles in the field of cryptography and cryptanalysis, and has talked at security cons including Black Hat and CCC. In 2013 he initiated the Cryptography Coding Standard (https://cryptocoding.net) and the Password Hashing Competition (https://password-hashing.net), which are open, collaborative projects to improve the overall state of security.
Endre Bangerter, Ramona Cioccarelli, Beni Urech: Vortessence - Automating memory forensics
Memory forensics is a key technique for detecting and analyzing malware and related attack tools. While there are several memory forensics tools, the Volatility framework is probably the most widely used and significant one. To detect malware using Volatility, an analyst is typically looking for anomalous system properties. A simple example would be a bogus process name or processes which are started from unusual directories. Stuxnet, for instance, introduces two malicious instances of the alleged “lsass.exe” process, which feature a wrong parent process. Another, more subtle anomaly would be an unusually low or high number of DLLs in a certain process. The key point is that finding these anomalies requires lots of encyclopedic knowledge about the state of a clean Windows system. This knowledge is hard to memorize (for some of us). Moreover, searching for actual discrepancies deviating from the clean state can be a quite boring and rather mechanical task. Due to laziness and lack of brain capacity we are developing a Volatility based system, dubbed "Vortessence", that automates the process of finding anomalies in memory images. We have tested our system with real world malware samples and the results are encouraging. We believe that Vortessence can be quite useful for practitioners, and we are going to open-source it later in 2014. In this talk we are going to discuss the inner workings of Vortessence, its capabilities, some demos, and future plans.
Endre Bangerter is professor of computer science at Bern University of Applied Sciences, where he leads the Security Engineering Lab. He is also a lecturer at the “Ecole des sciences criminelles” at the University of Lausanne. The Security Engineering Lab consists of researchers and practitioners, working in the fields of memory forensics, malware analysis, and custom security analysis. Endre has rich experience in presenting and giving talks, and for instance has spoken at Hashdays 2012. In earlier jobs, Endre has worked as a developer and technical consultant. He has a PhD in computer science in the field of cryptography. A list of publications can be found at (the outdated site) http://sel.bfh.ch/?id=publications
Andreas Bogk: Applying science to eliminate 100% of buffer overflows
Violation of memory safety is still a major source of vulnerabilities in everyday systems. This talk presents the state of the art in compiler instrumentation to completely eliminate such vulnerabilities in C/C++ software.
Andreas Bogk is a hacker from the well-known German hacker organization „Chaos Computer Club“. He has more than 20 years of experience in reverse engineering, exploitation and cryptography; and more than 10 years in compiler construction and language design. He has been active for the CCC with a wide range of presentations at its annual conference, served as a member of the board and CEO. His focus is defense and building secure systems by systematically applying sane engineering and computer science to the art of writing software. He is currently working for HERE as lead security architect for mobile applications.
Jurriaan Bremer and Marion Marschalek: Curing A 15 Year Old Disease
Visual Basic P-code executables have been a pain for a digital eternity, and even today reverse engineers have not come up with a helpful painkiller. So, 15 years after the era of VB6, we present a tool that fully subverts the VB6 virtual machine, intercepting and instrumenting the VB P-code in real time. Through dynamic analysis our tool aims at intercepting relevant information at runtime, such as plaintext strings in memory and which APIs were called. Moreover, with our tool an analyst can instrument the execution of byte code on the fly, allowing modification of the virtual machine state during execution.
Jurriaan is a freelance security researcher and software developer from the Netherlands interested in the fields of reverse engineering, malware analysis, mobile security, and the development of software to aid in security analysis. Jurriaan occasionally plays so-called Capture The Flag games as a member of Eindbazen CTF Team, he’s a member of The Honeynet Project, and he’s also one of the Core Developers of Cuckoo Sandbox.
Arron Finnon: Finux's Historical Tour Of IDS Evasion, Insertions, and Other Oddities
Roll up, roll up, my Lords, Ladies and Gentlemen, come see the bizarre and wondrous marvels that the Cirque de Vendeurs Sécurité has to offer. Tales of miracle machines that can see into the future and tell their masters of all the dangers they face. Devices so wise that they can see the very threats of tyrants and evil doers before they've even been thought of. Contraptions that possess a mystical sixth sense that can see every footstep and action a would-be assailant takes before any deadly blow is delivered. These miracle machines give defenders a suit of armour that means the wearer needs no warrior skills in defending their castles. Come see for yourself, and purchase one of the miracle wondrous machines!
Arron "finux" Finnon has been involved in security research for over 6 years. Arron has discussed a wide range of security related topics at a number of Security/Hacking conferences in both the UK and Europe, and has produced over 60 security related podcasts, interviewing countless security professionals as part of the Finux Tech Weekly Show. During Arron’s time at University he was also awarded the SICSA Student Open Source Award for his advocacy of Free and Open Source software. He is now a consultant researcher for Activity, spending his time involved with security research and testing.
Rob Fuller: Attacker Ghost Stories: Mostly Free Defenses That Give Attackers Nightmares
This talk was originally titled “I'm tired of defenders crying”, but I thought better of it. This talk is about the tidbits that I've seen piecemeal across a multitude of businesses big and small that were innovative and highly effective, yet free or mostly free, and stopped me dead in my tracks. I'll go over a number of free, or nearly free, methods, tactics, and software setups that will cut down intrusions significantly and that you can deploy, or start deploying, within the hour after the talk is done.
Mubix is a Senior Red Teamer. His professional experience starts from his time on active duty as a United States Marine. He has worked with devices and software that run the gamut in the security realm. He has a few certifications, but the titles that he holds above the rest are FATHER, HUSBAND and United States Marine.
Stefan Frei: International Vulnerability Purchase Program (IVPP)
The continued discovery of new software vulnerabilities and their abuse by criminals and governments is the root cause of a considerable portion of the losses experienced by society. Every exploitable vulnerability used offensively induces significant direct and indirect losses for users and society as a whole. Experience has shown that traditional approaches based on “more of the same” do not deliver better overall security. It is time to examine the economics of depriving cyber-criminals of access to new vulnerabilities through the systematic purchase of all relevant vulnerabilities discovered, at or above black market prices. Purchasing all vulnerabilities of a software vendor for USD 150k each is typically less than 1% of that vendor’s revenue in a year. Purchasing all vulnerabilities for all vendors costs much less than the expected reduction in losses, or less than 0.01% of the GDP of the US or the EU. It is economically viable to make large-scale purchases of vulnerabilities to reduce losses, establish proper incentives, and provide transparency.
Dr. Stefan Frei is a lecturer at ETH Zürich.
Alexandre Herzog: Why .NET needs MACs and other serial(-ization) tales
What is the story behind Microsoft's patches MS13-067 (SharePoint) and MS13-105 (Outlook Web Access)? What is really involved in a .NET ViewState and why will Microsoft soon disable the ability to turn off its integrity protection (KB2905247)? What is MS13-100 all about? What was the state of the art of exploiting unprotected ViewState fields before our research? Which new advances did we identify in our research?
Alexandre Herzog started his career in Information Technology in 1998 as an IT system administrator in the largest trading room in the Geneva region. Between 2004 and 2007 he attended the University of Applied Sciences Western Switzerland in Sierre. During his studies in computer science and business he co-founded the start-up BananaSecurity.com together with four other students. The company is still active today under the name of KeyLemon.com. In 2008 Alexandre moved to New Zealand and was hired as a Development Consultant. He essentially worked on a Microsoft based technology stack as a contractor for the fastest growing bank of the country. Aside from development tasks and second/third level support for the Internet Banking solution, he acted as an internal security expert. He was also heavily involved in the setup and deployment of a fully rewritten version of the Internet Banking solution based on the latest available Microsoft technologies. After two years down under Alexandre Herzog returned to Switzerland in 2010 and started working as an IT security analyst for Compass Security AG in Rapperswil-Jona. His predilections in terms of fields of expertise mainly include Microsoft based technologies, from the operating system up to the C# code of (ASP).NET solutions. Alexandre is also interested in Web Security in general and is the author of several security advisories concerning products from, e.g., Microsoft to SAP and AdNovum. Alexandre Herzog recently finished his MAS studies in Information Security at the University of Applied Sciences of Lucerne. His master thesis consisted of an analysis of cryptographic mechanisms in Windows and .NET.
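Why turning off the ViewState MAC matters, as an added example that is not the speaker's research code: a client-side state blob that the server deserializes, once without integrity protection and once with an HMAC that is verified in constant time before anything is deserialized. JSON stands in for .NET's ObjectStateFormatter output and a raw 32-byte key stands in for the machineKey-derived validation key; both are assumptions for this example, and the real ASP.NET token format is not reproduced. The tamper function models an attacker who holds no key and can only rewrite the body.

```python
import base64
import hashlib
import hmac
import json

TAG_LEN = 32   # HMAC-SHA256 output


def _serialize(state: dict) -> bytes:
    # Stand-in for the .NET serializer; canonical JSON keeps the bytes stable.
    return json.dumps(state, separators=(",", ":"), sort_keys=True).encode()


def encode_unsigned(state: dict) -> str:
    """What enableViewStateMac="false" amounts to: serialize, base64, nothing else."""
    return base64.b64encode(_serialize(state)).decode()


def decode_unsigned(token: str) -> dict:
    return json.loads(base64.b64decode(token))


def protect(state: dict, key: bytes) -> str:
    """Serialize, then append HMAC-SHA256 over the serialized bytes."""
    body = _serialize(state)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode()


def unprotect(token: str, key: bytes) -> dict:
    """Verify the MAC first; deserialize only if it matches."""
    raw = base64.b64decode(token)
    if len(raw) < TAG_LEN:
        raise ValueError("MAC validation failed: token too short")
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        raise ValueError("MAC validation failed")
    return json.loads(body)


def accepts(token: str, key: bytes) -> bool:
    try:
        unprotect(token, key)
        return True
    except ValueError:
        return False


def tamper(token: str, field: str, value, signed: bool) -> str:
    """Attacker without the key: rewrite one field, keep whatever tag was there."""
    raw = base64.b64decode(token)
    body, tag = (raw[:-TAG_LEN], raw[-TAG_LEN:]) if signed else (raw, b"")
    state = json.loads(body)
    state[field] = value
    return base64.b64encode(_serialize(state) + tag).decode()


if __name__ == "__main__":
    key = bytes(range(32))   # assumed validation key; use a real machineKey-derived secret
    state = {"user": "alice", "role": "user", "page": "account"}
    print("unsigned, tampered role:", decode_unsigned(tamper(encode_unsigned(state), "role", "admin", False))["role"])
    print("signed, tampered accepted:", accepts(tamper(protect(state, key), "role", "admin", True), key))
```

With the MAC in place the forged token is rejected before the deserializer ever runs, which is the property the abstract's patches are about; without it the server is deserializing whatever the client chose to send.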
Chris John Riley
Chris John Riley... he's just this guy, you know!
Pascal Junod: Obfuscator-LLVM – Software Obfuscation for the Masses
Resistance to software reverse-engineering is a challenging discipline that has been explored for decades.
Pascal Junod is a professor of information security at the University of Applied Sciences Western Switzerland (HEIG-VD). For the last 15 years, he has been professionally active in the domain of academic and industrial cryptography, ethical hacking, and software protection. He has written dozens of scientific papers, a few books and many industrial patents. He has delivered technical talks on 4 different continents so far.
Dave Kennedy: Completely Destroying Education and Awareness Programs
Education and Awareness has become a huge focus for a number of organizations. With the elevated trends around hackers bypassing millions of dollars of technology by simply sending an email or picking up a phone – it has never been easier to own a network. This talk will discuss a lot of the defensive measures we teach our employee population to detect attacks and how to circumvent these education controls in order to get into anything. I'll be demonstrating some advanced evasion techniques for getting around some of the most popular technologies such as next generation firewalls, application whitelisting, memory analysis, and more. In this talk we'll turn around everything we are taught, everything we hold sacred, flip it upside down and then destroy it with a hammer.
Dave Kennedy is founder and principal security consultant of TrustedSec - an information security consulting firm located in Cleveland, Ohio. David was formerly Chief Security Officer (CSO) for a Fortune 1000 company where he ran the entire information security program. Kennedy is a co-author of the book "Metasploit: The Penetration Tester's Guide," the creator of the Social-Engineer Toolkit (SET), and Artillery. Kennedy has presented on a number of occasions at Black Hat, Defcon, ShmooCon, BSIDES, Infosec World, Notacon, AIDE, ISACA, ISSA, Infragard, Infosec Summit, and a number of other security-related conferences. Kennedy has been interviewed by several news organizations including CNN, Fox News, MSNBC, CNBC, Katie Couric, and BBC World News. Kennedy was originally on the Back|Track and Exploit-DB development team and is co-host of the Social-Engineer.org podcast. Kennedy has testified in front of Congress on two occasions on the security around government websites. Kennedy is one of the co-authors of the Penetration Testing Execution Standard (PTES); a framework designed to fix the penetration testing industry. Kennedy is the co-founder of DerbyCon, a large-scale conference in Louisville, Kentucky. Prior to Diebold, Kennedy was a VP of Consulting and Partner of a mid-size information security consulting company running the security consulting practice. Prior to the private sector, Kennedy worked for the United States Marine Corps and deployed to Iraq twice for intelligence related missions.
Raffael Marty: The Heatmap - Why is Security Visualization so Hard?
The extent and impact of recent security breaches is showing that current approaches to prevent these breaches are just not working. But what can we do to protect our business? We have been advocating monitoring for a long time as a way to detect subtle, advanced attacks. However, products have failed to deliver on this promise. Current solutions don't scale in both data volume and analytical insights.
Raffael Marty is one of the world’s most recognized authorities on security data analytics and visualization. Raffy is the founder and CEO of pixlcloud, a next generation visual analytics platform. With a track record at companies including IBM Research and ArcSight, he is thoroughly familiar with established practices and emerging trends in big data analytics. He has served as Chief Security Strategist with Splunk and was a co-founder of Loggly, a cloud-based log management solution. Author of 'Applied Security Visualization' and frequent speaker at academic and industry events, Raffy is a leading thinker and advocate of visualization for unlocking data insights. For more than 14 years, Raffy has worked in the security and log management space to help Fortune 500 companies defend themselves against sophisticated adversaries and has trained organizations around the world in the art of data visualization for security. Zen meditation has become an important part of Raffy’s life, sometimes leading to insights not in data but in life.
Evgeny Neyolov: Bitcoins
Bitcoin was one of the hottest topics of the past year. It is a decentralized virtual currency based on cryptographic and peer-to-peer protocols and is supposed to be as anonymous as cash. Without a doubt, bitcoin is the currency of the new age. Despite increased media attention this area is still full of rumors and pitfalls. Important but non-obvious things will be explained in this talk, as well as ideas about why a system based on cryptography doesn't mean anonymity by default. It will be shown how to analyze pseudo-anonymous money flows and how to hide traces. Also, an analysis of famous cases of the cybercrime world (Silk Road, SheepMarketplace) will be presented.
Neyolov Evgeny is a security researcher who is mostly interested in cyber intelligence and enterprise security. His previous conference talks (Hacktivity, BSidesLisbon, Sec-T, Syscan360, Nullcon) cover topics such as forensics, anti-forensics, cybercrime analysis, anti-fraud systems and business applications security. Neyolov is an organizer of a hardcore hacker conference ZeroNights and Russian Defcon Group as well as an independent security researcher.
Chris Nickerson: 50 Shades of RED: Stories from the "Playroom"
Ever steal a Boeing 777? How about transfer more than $400,000,000 from an account? Have you ever had one of those bad days where one wrong press of the "enter" key accidentally broadcasts an emergency message to the radio station asking an entire city to evacuate? The real destruction of a business doesn't come from a shell, a picked lock or a simple lie. The REAL threat is when all of the disciplines are combined and the only thing left in the crosshairs is the BUSINESS itself. Red Teaming is not a process of finding "A" vulnerability, but showing how flaws at EVERY level of the program combine to cause devastating effects to the company (or the tester).
After 15 years in the Red Teaming, Pen Testing and Security Testing Business, I have had some of the weirdest things happen. In this 50 min story time, I plan to go over our methodology, some of our BEST and WORST moments on the job, tips/tricks we picked up along the way and hopefully we can have a few laughs at our (mis)fortune(s).
Chris Nickerson, CEO of LARES, is just another "security guy" with a whole bunch of certs whose main area of expertise is focused on real world Attack Modeling, Red Team Testing and InfoSec Testing. At Lares, Chris leads a team of security professionals who conduct Risk Assessments, Penetration Testing, Application Testing, Social Engineering, Red Team Testing and Full Adversarial Attack Modeling. Prior to starting Lares, Chris was Dir. of Security Services at Alternative Technology, a Sr. IT compliance consultant at KPMG, and Sr. Security Architect and Compliance Manager at Sprint Corporate Security. Chris is a member of many security groups and was also a featured member of TruTV's Tiger Team. Chris is the co-host of the Exotic Liability Podcast, the author of the upcoming "RED TEAM TESTING" book published by Elsevier/Syngress and a founding member of the BSIDES Conference.
Pierre Pronchery: The DeforaOS Project - A journey into Operating System development and related security aspects
Operating System development as it is performed today is probably not headed in the right direction. Instead of simplifying and harmonizing components, the systems we use every day are constantly becoming more complex as extra layers are being added continuously. The Internet as a whole is another visible example of this phenomenon, with the Web and IPv6 equally important parts of the issues at stake. A number of research groups have not only realized and formalized a number of these issues, but are also proposing and developing alternative working solutions. The LANGSEC and Clean-Slate Internet projects are absolutely critical in this context. Working on the DeforaOS Project has allowed me to encounter and understand some of these issues myself. In an effort to take them into account, I am presenting a number of components and principles as they are being designed and implemented for the project, taking some of the results above into account, and demonstrating the first results obtained.
Pierre Pronchery is an IT-Security freelance consultant based in Berlin, Germany. He can also be found promoting Open Source hardware or researching Clean-Slate Internet and the Internet of Things. The outcome of this work is eventually gathered within the DeforaOS project, an experimental Operating System project. He has also been an official NetBSD developer since May 2012 (khorben@).
Wim Remes: Threat Modeling? It's not out of fashion!
It's been more than a decade since Microsoft brought Threat Modeling to the attention of the broader development and information security audiences. DREAD and STRIDE, combined with interesting side projects like the Elevation of Privilege card game and other assets provided to the community for free, remain unused by many. This presentation will not regurgitate what we already know about threat modeling (there are books for that). It will rather provide insight into how security professionals can use and apply threat modeling to effectively build better security. Practical examples will include decomposing a complex software project to reveal vulnerabilities that would otherwise remain unknown, using threat modeling to educate and support developers, and applying threat modeling in a penetration testing methodology to enable more efficient scoping. This presentation reveals the often ignored value of threat modeling and enables the audience to apply it in both offensive and defensive security processes.
As a Managing Consultant at IOActive, Wim Remes leverages his 15 years of security leadership experience to advise clients on reducing their risk posture by solving complex security problems and by building resiliency into their organization. Wim delivers expert guidance on reducing the high cost of IT security failures, both financially and in terms of brand reputation with his deep expertise in network security, identity management, policy design, risk assessment and penetration testing. Before joining the IOActive team Wim was a Manager of Information Security for Ernst and Young and a Security Consultant for Bull, where he gained valuable experience building security programs for enterprise class clients. Wim has been engaged in various infosec community initiatives such as the co-development of the Penetration Testing Execution Standard (PTES), InfosecMentors, The Eurotrash Security Podcast and organizing the BruCON security conference. Wim has been a featured speaker at international conferences such as Excaliburcon (China), Blackhat Europe, Source Boston, Source Barcelona and SecZone (Colombia). He is also a Member of the Board of Directors at (ISC)2.
Marc Ruef: Adventures in a Decade of Tracking and Consolidating Security Vulnerabilities
The talk discusses the approach, possibilities and difficulties that a vulnerability database maintainer is handling. It will offer real-world insight into almost 15 years of vulnerability database management and a database that covers more than 12,000 entries today. The task didn't get any easier as more and more vulnerabilities get published with increasing complexity, but much less information is provided in most original advisories. Correlating this data and compiling the best for the users is a complex task that requires solid processing and a deep understanding of the technical background.
Marc Ruef is co-founder and member of the board at scip AG in Zürich (http://www.scip.ch). The Swiss company provides consulting services covering security testing and forensic analysis, primarily in the financial sphere. He has written several books, of which "Die Kunst des Penetration Testing" (The Art of Penetration Testing) is the best known (http://www.computec.ch/mruef/?s=dkdpt). He launched and joined several projects, discussing and improving the broad field of information technology. One of these projects is scip VulDB, a free vulnerability database which has been running since 2003 and covers more than 12,000 entries.
Ruchna Nigam: Android Packers: Separating from the Pack (sponsored)
Android malware has been around for a while now and is significant enough to bypass the "Is Android malware really an issue?" introduction to this abstract.
2014 saw the introduction of the first packer for Android applications.
Android packers were introduced for DRM and with the intention of providing protection for legitimate applications from modifications and tampering.
The flipside of the coin is that the same functionality can be used by malware authors to their advantage, making reverse engineering of malware more difficult for the analyst.
Raul Siles: iOS: Back to the Future
Apple mobile devices based on the iOS platform implement multiple protection mechanisms and platform restrictions to fulfill several security requirements and support Apple's business model. This presentation focuses on a recently disclosed vulnerability that allows manipulating a sensitive core default iOS behaviour, which facilitates the exploitation of other vulnerabilities potentially targeting this mobile platform. The design flaw affects multiple Apple mobile devices (iPhone, iPad, iPad mini...) from iOS version 5 up to the latest iOS version. Although the flaw was discovered in early 2012, it has remained private while researching and evaluating the current vulnerability disclosure models, the real interests of modern vulnerability markets, as well as other vulnerability discovery implications, which will also be discussed during the talk.
Raul Siles is founder and senior security analyst at DinoSec. For over a decade, he has applied his expertise performing advanced technical security services and innovating offensive and defensive solutions for large enterprises and organisations in various industries worldwide. Throughout his career he has worked as an information security expert, engineer, researcher and penetration tester at Hewlett Packard, as an independent consultant, and on his own companies, Taddong and DinoSec. Raul is an active speaker at international security conferences and events and a certified instructor for the SANS Institute. Raul is one of the few individuals worldwide who have earned the GIAC Security Expert (GSE) designation. He holds a master's degree in computer science from UPM (Spain) and a postgraduate in security and e-commerce.
Emmanuel Tacheau: The Art of Escape
In this presentation I will talk about targeted attacks and the nature of watering hole attacks. I will cover both these attacks in general, and talk in detail about a specific attack against the Energy and Finance sector. I will examine the various different techniques that can be used by attackers to achieve this goal, as well as the specific techniques used in the Energy and Finance attack. The audience will learn what kinds of websites the attacker compromised and get a deep overview of different mechanisms used by the attacker to succeed in their attack. I will cover the nature of the exploit code that hooks into the victim’s computer as well as the many different mechanisms included into the malware delivered to frustrate analysis and evade detection. Finally, I shall discuss how organizations can protect themselves, and the importance of sharing big data in order to detect these attacks.
Emmanuel Tacheau is a Threat Researcher for Cisco's Threat Research Analysis and Communications (TRAC) Team. Cisco TRAC is dedicated to advancing state-of-the-art threat defence and enhancing the value of Cisco's security products. Emmanuel has over 16 years of experience in Information Security, working previously for Symantec and F-Secure. Emmanuel's computer experience ranges from malware analysis, reverse engineering, operating system programming, and hacking to thwarting misuse of Internet application and layer protocols.
Shahar Tal: I Hunt TR-069 Admins: Pwning ISPs Like a Boss (sponsored)
Residential gateway (/SOHO router) exploitation is a rising trend in the security landscape - every so often we hear of yet another vulnerable device, with the occasional campaign targeted against specific versions of devices through independent scanning or Shodan dorking.
We shine a bright light on TR-069/CWMP, the previously under-researched, de-facto CPE device management protocol, and specifically target ACS (Auto Configuration Server) software, whose pwnage can have devastating effects on critical numbers of users. These servers are, by design, in complete control of entire fleets of customer premises devices, intended for use by ISPs and telco providers. Or nation-state adversaries, of course (sorry NSA, we know it was a cool attack vector with the best research-hours-to-mass-pwnage ratio).
We investigate several TR-069 ACS platforms, and demonstrate multiple instances of poorly secured deployments, where we could have gained control over hundreds of thousands of devices.
Shahar Tal leads a team of vulnerability researchers at Check Point Software Technologies. Prior to joining Check Point, Shahar held leadership roles in the Israel Defense Force (IDF), where he was trained and served as an officer in elite technology R&D units. Shahar (that's Major Tal, for you) brings over ten years of experience in his game, eager to speak and share in public domain.
Shahar is a proud father, husband and a security geek who still can't believe he's getting paid to travel to awesome infosec cons. When you meet him, ask him to show you his hexdump tattoo.