Talks at Area41 conference 2016

more talks will be announced shortly...



The availability of modern System on a Chip (SoC) parts, with low power consumption and high integration of most computer components in a single chip, empowers the open source community to create all kinds of embedded systems.
The USB armory from Inverse Path is an open source hardware design implementing a flash-drive-sized computer for security applications.
The presentation explores the lessons learned in making a small form factor, high specification embedded device with solely open source tools, its architecture and its security features such as secure boot and the ARM TrustZone implementation.
Leveraging the current maturity of the project, the defensive and offensive uses of the USB armory are also fully explored, covering topics such as the INTERLOCK application, its Genode OS support and its role and usage in identifying new vulnerabilities affecting widely deployed USB stacks.

Andrea Barisani (@AndreaBarisani)
Andrea Barisani is an internationally recognized security researcher and founder of the Inverse Path information security consultancy firm. Since owning his first Commodore-64 he has never stopped studying new technologies, developing unconventional attack vectors and exploring what makes things tick... and break.
His experience focuses on large-scale infrastructure administration and defense, forensic analysis, penetration testing and code auditing with a particular focus on safety-critical environments, with more than 14 years of professional experience in security consulting.
Being an active member of the international Open Source and security community he contributed to several projects, books and open standards. He is the founder of the oCERT effort, the Open Source Computer Security Incident Response Team.
He is a well known international speaker, having presented at BlackHat, CanSecWest, Chaos Communication Congress, DEFCON, Hack In The Box, among many other conferences, speaking about innovative research on automotive hacking, side-channel attacks, payment systems, embedded systems security and many other topics.

Exploitation of memory corruption vulnerabilities is a prevalent problem, despite the huge amount of effort put into solving it. Nevertheless, exploitation is getting harder as new hardening techniques are being adopted.
Two of the most prominent techniques in the Windows world that have recently been adopted are Return Oriented Programming (ROP) mitigations and Control-Flow Guard (CFG). Both techniques aim to obstruct code-reuse attacks.
ROP mitigations are run-time checks that try to detect ongoing ROP attacks by hooking into sensitive code locations to perform various checks. CFG is a compile-time technique that implements static, coarse-grained control flow integrity checks with minimal memory and CPU overhead. In this talk we have a look at the latest versions of these mitigations, namely the ROP mitigations that come with EMET 5.5 and Visual Studio 2015's CFG. We present the implementation and discuss the implications for an attacker trying to exploit a hardened application.

Matthias Ganz (@GanzMatthias)
Matthias is a software engineer and security expert with a special interest in hardware and low-level programming.
He graduated from ETH Zurich with a Master of Science in Computer Science. He has worked on many software projects across different industry sectors, with a focus on building fail-safe software systems. As a technical supervisor, he has coached his co-workers on software design and implementation.
In 2015, he co-founded xorlab and was appointed CTO where he is responsible for product development and strategy.

Providing a native mobile application in addition to an existing web solution, whether for usability, performance or connectivity reasons, has far more security implications than it may seem. Very often the mobile integration moves logic from the server to the client side, but this code cannot be considered secret anymore. Through the exploitation of a real-world Android application we will see how it is possible to
- retrieve documents without paying for them
- decrypt and use them on any device despite the DRM in place
The approach combines some Java reverse engineering and HTTP monitoring, making it possible to understand how basic cryptography is used by the server authentication logic. The various vulnerabilities discovered, at design or code level, will be detailed and serve as examples not to follow. Then it will be explained how to use them together to collect and decrypt unauthorized resources via a Python script.
To conclude, practical recommendations will be provided to address those common categories of issues.

Biography: Jeremy Matos (@SecuringApps)
Jeremy Matos has been working on building secure software for the last 10 years.
With an initial academic background as a developer, he has a clear insight into what a software development lifecycle is in practice.
Designing and developing a two-factor authentication product for 6 years made him deal with challenging threat models, particularly when delivering a public mobile application. It also meant practising secure coding guidelines extensively, as the solution was regularly reviewed and penetration tested by 3rd parties.
Being responsible for the integration and deployment with customers was for him a great opportunity to work with diverse production infrastructures and security providers, in critical sectors such as banking, health or industry. Understanding the various stakeholders' constraints was key to reducing operational costs as much as possible.
His experience has been used in both internal and external consulting roles. He helped in the definition and implementation of security requirements, including cryptographic protocols, for applications where the insider is the enemy. He also led code reviews and security validation activities for companies exposed to reputation damage.
In addition, he participated in research projects to mitigate Man-In-The-Browser and Man-In-The-Mobile attacks.

Running ModSecurity with the OWASP ModSecurity Core Rules is hard. A huge wave of false positives drowns sysadmins and logfile servers alike. The upcoming 3.0.0 release of the Core Rules comes with a new paranoia mode. This feature organises the various rules into different paranoia levels. The higher the paranoia level, the more paranoid the rules and the more false positives you will get. However, the default installation gives you a decent security level without too many false positives. This allows for a straightforward ModSecurity setup that does not threaten an existing productive service. Instead you start with a limited set of rules and then raise the paranoia level step by step to the number that suits the desired security level of your site. In this talk, we will look at the configuration of the paranoia mode. We will look at rules and we will look at ModSecurity defending against popular attack kits at various paranoia levels.

Christian Folini (@ChrFolini)
Dr. Christian Folini is a partner at netnea AG in Berne. He holds a PhD in medieval history and enjoys defending castles across Europe. Unfortunately, defending medieval castles is no big business anymore and Christian found that defending webservers is equally interesting.
With his background in humanities, Christian is able to bridge the gap between techies and non-techies. He brings more than ten years' experience in this role, specialising in Apache / ModSecurity configuration, DDoS defense and threat modeling.
Christian is a frequent committer to the OWASP ModSecurity Core Rules project, vice president of Swiss Cyber Experts, a public private partnership, member of the committee of the Swiss Cyberstorm conference and many other things.
Contact by owners of medieval castles welcome.

The Digital Substation is at the core of modern Smart Grid technologies. More than 4000 IEC 61850-compatible substations operate in Europe, 20 000+ worldwide. During this talk the SCADA StrangeLove team will share the results of a deep technical security analysis of key Digital Substation components, such as network protocols, relay protection terminals, SCADA and network devices. A mission-centric threat modelling approach for Digital Substations will be discussed.
The goal of the talk is to demonstrate how technical vulnerabilities in the IT components can be used to bypass industrial and functional safety features and create cable-melting or blackout conditions. A few (fixed) vulnerabilities in relay protection terminals discovered by the SCADA StrangeLove team will be discussed.

Biography: Sergey Gordeychik
Sergey Gordeychik was appointed Deputy CTO and Head of Security Services at Kaspersky Lab in 2015. His responsibilities include establishing the vision for Kaspersky Lab’s R&D services and leading the technological development for threat intelligence, security assessment, incident response and vulnerability research for enterprise, banks, telecom and ICS/SCADA niches.
Before moving to Kaspersky Lab, Sergey gained a wealth of practical experience in the cybersecurity industry. In particular, he led the development of enterprise security products at Positive Technologies and was a director of the Positive Hack Days Forum. Since 2012 he has been leading the SCADA StrangeLove industrial cybersecurity research team. Sergey graduated from the Far Eastern State Transport University in 1999. He is a popular speaker at international security conferences such as CCC, CodeBlue, POC and ZeroNights, a member of the ENISA TRANSSEC expert group and of CIGRE problem group D2/B5.

Biography: Alexander Timorin
Alexander leads the ICS security group. He has deep knowledge and experience in penetration testing, ICS security assessment and research. Alexander contributes to the SCADA StrangeLove team and has given talks at different international security conferences, such as Confidence, Hack.lu, CodeBlue, CCC, Power of Community etc. He has found dozens of zero-day vulnerabilities in ICS hardware and software of popular vendors, and maintains ICS/SCADA network security toolkits.

Unlike in the past, social engineering has become an engineering discipline with precise tools, selected dynamic approaches and execution plans. This also makes it so damn hard to define counter-measures against SE attacks on the receiving end. You really never know where you could get hit next.
The social engineering framework I am going to present comprises well-defined methods, instructions, skills and definitions. SEEF offers the most comprehensive view on social engineering today and will boost you to the front of social engineering tomorrow.
Come to this session:
- If you are a social engineering nerd and want to get insights on some of the latest concepts and developments in social engineering.
- If you have to integrate SE into your risk framework.
- If you want to complement your technical hacking skills with some soft skills.
- If you are curious about social engineering.
- If you want to become a professional social engineer.


Biography: Dominique-Cédric Brack
Dominique C. Brack is a recognized expert in information security, including identity theft, social media exposure, data breach, cyber security, human manipulation and online reputation management. He is a highly qualified, top-performing professional with outstanding experience and achievements within key IT security, risk and project management roles, confirming expertise in delivering innovative, customer-responsive projects and services in highly sensitive environments on an international scale. His passion and personality will energize and inspire you, and his ability to formulate complicated information clearly and understandably will help you to apply what you have learned. Besides his work as a management consultant, advisor to the government and CEO of Reputelligence™, he has lectured at trade shows and conferences and is the author of various articles and white papers. His "tell it like it is" style is sought after by major media outlets and executives in the C-Suite of leading corporations. Mr. Brack is accessible, real, professional, and provides topical, timely and cutting-edge information on breaking news. Whether he is speaking on camera, to a single group of executives, or sharing his personal stories and tips as a speaker or workshop leader, Dominique's direct and to-the-point tone of voice can be counted on to capture attention, and, most importantly, inspire and empower action.

The Security Assertion Markup Language (SAML) provides a framework for cross-domain single sign-on in the enterprise field ... with a single point of failure; what if you could break it? In this talk we will first discuss the benefits of SAML by presenting two showcases of Swiss institutions that heavily rely on it. Then, we'll turn to the risks by reviewing previous attacks on SAML and a new one we call X509 certificate tampering.

Antoine Neuenschwander (@ant0inet)
Antoine Neuenschwander worked as a software engineer in the development of security products for several years before joining Compass Security in 2014 as a penetration tester and security analyst. His fields of expertise include web application security in general and authentication protocols in particular. Antoine Neuenschwander holds a MSc degree in Computer Science from the Swiss Federal Institute of Technology (ETH/EPFZ) in Zurich.
Last summer Roland Bischofberger finished his BSc studies with a bachelor thesis that discusses some SAML vulnerabilities and the creation of a SAML penetration testing tool named SAMLRaider. As a term paper he researched vulnerabilities in XSLT implementations and gave a presentation at OWASP Switzerland about the results. He has been working as a security analyst at Compass Security since autumn 2015.

Even in Europe a couple of mobile operators already provide voice services over LTE to their customers. To provide this service they have to use the so-called IP Multimedia Subsystem (short: IMS), a new element standardized by the 3GPP. But the IMS does not only provide VoLTE services; there are also a lot of other interesting features like messaging and VoWifi (LTE voice calls over WiFi).
In our talk we will introduce the audience to the IMS architecture, the features it provides and how to attack these. Surely, with new methods come new challenges: even if the technology is well standardized, implementations will always differ. As a case study we have analyzed some of the implementations in the European area and will demonstrate some of the vulnerabilities identified in major operator networks.

Hendrik Schmidt & Brian Butterly
Hendrik Schmidt is a seasoned security researcher with vast experience in large and complex enterprise networks. He is a pentester at the German-based ERNW GmbH with a focus on telecommunication networks. Over the years he has evaluated and reviewed all kinds of network protocols and applications. He loves to play with complex technologies and networks and has demonstrated several implementation and design flaws. In this context he learned how to play around with core and backhaul networks, and wrote protocol fuzzers and spoofers for testing implementations and security architecture. In his profession as a pentester, security researcher and consultant he will happily share his knowledge with the audience.
Brian Butterly is a security researcher, analyst and simply a hacker at the Heidelberg (Germany) based ERNW GmbH. Coming from the field of electronic engineering he tends to choose alternate approaches when hitting new projects. He currently works at the intersection of embedded, mobile and telco security, with tasks and research ranging from evaluating apps and devices through to analyzing their transport networks and backend infrastructures. Resulting from a broad range of practical experience and natural curiosity he has developed a very diverse set of skills and knowledge. He enjoys cracking open black boxes and learning about their details down to the electronic circuits. He is always happy to share his knowledge and findings.

This presentation explores how your shiny new Cyber Threat Intelligence program can also be used to understand your internal environment, the targets of the attacker. You can use CTI tools and processes to improve your understanding of internal context such as system characteristics, network architectures, system business alignment and purpose, to directly support cyber security incident detection and response. Most security incident response centers are too small to be familiar with all aspects of their internal network, which means that time-consuming analysis is often required to understand what is potentially affected by a security incident. Intelligence techniques and tools can be used to address this. This talk will explore common incident handling and threat intelligence models and tools, and demonstrate how they can be turned on their head to solve an often-ignored problem in incident detection and response.

Mark Baenziger
Mark Baenziger has 20 years of commercial and government security engineering, incident handling, and threat intelligence experience. Other interests include pentesting, agile development, using systems engineering techniques to solve security and process problems, and strategic planning. He currently works for FireEye in their managed defense organization (FireEye as a Service) helping customers overcome their incident response and threat intelligence challenges.

This talk is inspired by the Star Wars thriller. In this premiere, we will see XSS: the force awakens again, or has never disappeared. Is XSS a new threat on the landscape even though it was discovered sixteen years ago, or was the threat there all the time? XSS is a war between the developers of web applications and the attacker, but the question is: who is winning the war so far? Can we hug developers now, or should we find a way for them to escape from this endless pain of war?
Smart researchers out there have already started talking about a post-XSS era ("may the force be with you"), but the question is: are we really at this stage? Can we say "We're home"? Unfortunately not! It seems the empire of XSS has been advancing and flourishing (at least the evidence shows). "It's true. All of it. The Dark Side".
Can developers make things right and have some resistance even after sixteen years of XSS? Is there a call from the light? With the help of some real fairy tales, we will shed light on developers' rudimentary knowledge about XSS protection(s). Is there a universal panacea for the XSS epidemic? No one knows what the upcoming chapters of XSS will look like, but the leaked teaser shows a wind turbine has been XSSed.
This talk will conclude on: There’s been an awakening...The Dark and Some Light

Biography: Ashar Javed (@soaj1664ashar)
Ashar Javed currently works on penetration testing, source code review, and mobile application vulnerability assessments at Hyundai AutoEver Europe GmbH (an IT service company for Hyundai & KIA Motors). He works alongside developers and external third-party application vendors in order to eliminate web vulnerabilities. He has spent three years as a security researcher at Ruhr-Universität Bochum, Germany. Ashar holds a PhD degree from Ruhr-Universität Bochum and an MSc from Technische Universität Hamburg-Harburg, Germany. His research interests include all forms of Cross-Site Scripting. He has a passion for XSS and lives and breathes XSS.
Ashar has delivered talks at major security events like Black Hat Europe 2014, Hack in the Box Kuala Lumpur 2013, OWASP Spain (2014, 2015), SAP product security conference 2015, International PHP Conference 2015, ISACA Ireland 2014, RSA Europe (OWASP Seminar) 2013, DeepSec Austria (2013, 2014 & 2015) and GISEC 2016. In his free time, he likes participating in bug bounty programs. He has been listed 13 times in the Google Security Hall of Fame, on the Twitter/Microsoft/Ebay/GitHub/Adobe/Etsy/AT&T Security Pages & Facebook White Hat. Ashar also does security consulting, including consulting for a media tycoon. He blogs at "Respect XSS" and tweets as @soaj1664ashar.

When securing a software application, implementing cryptographic protections is often an unavoidable step. Many software libraries, whether open-source or not, provide cryptographic functionality. This talk will demonstrate that most cryptographic APIs are badly designed and how they tend to increase the likelihood that developers use them the wrong way. A sketch of an ideal crypto API will also be discussed.

Pascal Junod (@cryptopathe)
Pascal Junod is a cryptographer, a professor of information security at HEIG-VD in Yverdon-les-Bains and a co-founder of the startup strong.codes SA, active in the domain of software protection. When not playing with obfuscated cryptographic implementations or teaching reverse engineering, he is probably paddling on white-water in a location where no network is available.

This talk introduces a new type of attack in web browsers that can be used to extract secret and sensitive information from trusted websites. These timing attacks obtain side-channel information by performing various operations on remote resources. The speaker will demonstrate the harmful consequences by means of several real-world scenarios against widely popular web services.

Tom Van Goethem (@tomvangoethem)
As a PhD researcher at the University of Leuven, Tom Van Goethem engaged in a (not so secret) love affair with security and privacy on the web. In his work, Tom explores the malpractices of various web-based ecosystems, and tries to demystify security claims, such as those made by security seal providers and cloud-based DDoS protection services. By means of large-scale evaluations, Tom aims to analyse current security practices, and estimate how worried we should be about our online security. More recently, his focus has shifted towards exposing side-channel attacks that allow adversaries to circumvent the Same-Origin principles which form the foundations of browser security.

While developers and operators have learned to collaborate in DevOps, both application and infrastructure security have struggled to be kept in the loop. In this talk I'll shed some light on keeping the DevOps infrastructure (Continuous Integration/Delivery, Configuration Management, Containers/Docker) safe, integrating security-relevant automated tests in both CI/CD and production monitoring, and security best practices in automating infrastructure. I will show examples from customer projects at VSHN.ch and use mostly open-source tools. After the talk you will be able to argue why you need automated tools and know what to look out for when deploying them.

Aarno Aukia (@aarnoaukia)
Aarno Aukia is Co-Founder and CTO at VSHN AG, the leading Swiss DevOps company. VSHN does software reliability engineering for operating (web) applications on different public and private clouds and is involved on the defensive side of web application security. Before VSHN he was engaged with a managed security company and Google after his master's degree at ETH Zurich.

Risk metric frameworks cover most of the elements that organizations deal with from an operational perspective. We have identified a gap in those, in which social media activities are not represented well (albeit being the fastest-growing attack vector). In this talk we'll present a social media risk metric framework that allows organizations to measure and track the risk that both individuals and 3rd-party entities pose to the organization.

Biography: Ian Amit (@iiamit)
Iftach (Ian) Amit has over a decade of experience in hands-on and strategic roles, working across a diversity of security fields: business, industry, marketing, technical and research. His career spans innovative and disruptive startups, high-end consulting firms and information security vendors. He is also a sought-after keynote speaker, with frequent appearances at conferences such as BlackHat, DEFCON, RSA, and others. A skilled researcher, Ian has deep technical knowledge of programming, operating systems, applications (including most network server applications), penetration testing, databases and infrastructures. He founded the Tel-Aviv DefCon chapter (DC9723) and was also a founding member of the Penetration Testing Execution Standard (PTES). Ian studied Computer Science and Business Administration at the Herzliya Interdisciplinary Center and lives in Manhattan.

The Internet of Things (IoT) is not hype: it is already here and growing. Despite concerns about its security and privacy (IDC predicted that in two years 90% of IT networks will have an IoT-based security breach), not that many security researchers are investigating the field yet. The (likely) reason for this status is that the reverse engineering of IoT is difficult. Indeed, nearly each product has its own custom hardware, firmware, operating system, protocols etc. Consequently, the first few steps are painful: gather the equipment, start research with close to no help from the community (no tools, documentation...).
However, there is an easier way in: IoT devices often come with a mobile companion application. That's where to focus your initial efforts, because the app contains lots of valuable information. That's what I did with several devices (Recon Jet smart glasses, a house safety alarm from Meian etc). Very fruitful! The reverse engineering of the mobile apps was fruitful beyond expectations! Hardware details, interactions with the devices, where to place protection against viruses, and discovery of vulnerabilities ;)

Biography: Axelle Apvrille (@cryptax)
Axelle Apvrille is a happy senior researcher at Fortinet, where she hunts down any strange virus on so-called "smart" devices.
Known in the community by her more or less mysterious handle "Crypto Girl", she turns red each time someone mentions using MD5 (or CRC...) for hashing.

Credit cards using EMV chips are known to be way safer than the alternative with magnetic stripes. With encryption and signing in place abuse seems to be impossible, but at the end of 2014 the first rumors about an EMV chip cloning case were reported after some banks in Brazil and the US became victims of credit card fraud. Carders succeeded in cloning track2 information of valid credit cards onto white plastics with EMV chips. This talk gives insights into that case and how it works in depth.

Biography: Frank Boldewin
Frank Boldewin is a reverse engineer and has long experience in security & malware research. By day he works as a security architect for a large German datacenter in the finance sector. He is well known for his research on the Stuxnet case and his forensics tool Officemalscanner.

Would you want to let your kids discover the darker corners of the internet without protection? Wouldn't it be handy to know what they do online, to be alerted when they search for dangerous keywords and to be able to control what websites they can visit, and even when they play games? Worry no longer, the South Korean government has got you covered. Simply install the "Smart Sheriff" app on your and your kids' phones. Smart Sheriff is the first parental-control mobile app that has been made a legally required, obligatory install in an entire country! Yay, monitoring! Well, something shady yet mandatory like this cannot go without an external pentest. And even better, one that wasn't solicited by the maintainer but initiated by the OTF and CitizenLab and executed by the Cure53 team! In this talk, two of the Cure53 testers involved in the first and, who would have guessed, second penetration test against the "Smart Sheriff" app will share what they found. Maybe all was fine with the app, maybe the million kids forced to have this run on their devices were all safe. Maybe. But would there be a talk about it then? We all know, mandated surveillance apps to protect children are a great idea, and outsourcing to the lowest bidder always delivers the best results. Right? Going over the first and second pentest results we will share our impressions about the "security" of this ecosystem and show examples of the "comprehensive" vendor response, addressing "all" the findings impeccably. This talk is a great example of how security research about a serious political decision and mandate might achieve nothing at all, or show how a simple pentest together with excellent activist work can maybe spark a political discussion and more.

Biography: Abraham Aranguren (@7a_)
Abraham was an honors student in Information Security at university. His work experience from 2000 until 2007 was mostly defensive: fixing vulnerabilities, source code reviews and later on trying to prevent vulnerabilities at the design level as an application and framework architect. From 2007 onward Abraham focused more on the offensive side of security with a special focus on web app security.
He is a senior member of the Cure53 team, and a senior consultant for Version 1, the top IT consultancy in Ireland. Abraham is also the creator of Practical Web Defense, a hands-on eLearnSecurity attack and defense course, as well as an OWASP OWTF project leader, and sometimes writes on http://7-a.org or on twitter as @7a_ and @owtfp.
Abraham holds a Major degree and a Diploma in Computer Science apart from a number of information security certifications: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+.
As a shell scripting fan trained by unix dinosaurs Abraham wears a proud manly beard.

Biography: Fabian Faessler (@samuirai)
Fabian did his bachelor's degree in collaboration with IBM and is now doing his master's degree at the technical university in Berlin. He was always interested in IT security, but started to seriously get into it after he discovered CTF competitions in 2011, and has since won the German Cyber Security Challenge twice.
Fabian is a senior penetration tester for Cure53 and holds an Offensive Security Certified Professional (OSCP) certification.
Fabian is interested in all computer topics from low-level hardware up to high-level web applications and writes about them on his blog at http://smrrd.de and tweets as @samuirai.
Contrary to Abraham, Fabian cannot grow a full beard.