Event Archives

IT Underground 2009 is held in Warsaw. Several ERNW experts are on-site, amongst others you'll meet: Roger Klose, Oliver Röschke and Matthias Luft. More to be announced soon.

For more information regarding the conference please visit: www.itunderground.org

All Your Packets are belong to us - Attacking Backbone Technologies

Speakers: Enno Rey, Daniel Mende

The year 2008 has seen some severe attacks on infrastructure protocols (SNMP, DNS, BGP). We will continue down that road and discuss potential and real vulnerabilities in backbone technologies used in today's carrier space (e.g. MPLS, Carrier Ethernet, QinQ and the like). The talk includes a number of demos (like cracking BGP MD5 keys, redirecting MPLS traffic on a site level and some Carrier Ethernet stuff) all of which will be performed with a new tool kit made available in our "Download" section. It's about making the theoretical practical, once more!

More information: www.hft-leipzig.de
Download the tools: Download section

Download the slides here:

All your packets are belong to us - Attacking backbone technologies

Speaker: Daniel Mende, Roger Klose

The year 2008 has seen some severe attacks on infrastructure protocols (SNMP, DNS, BGP). We will continue down that road and discuss potential and real vulnerabilities in backbone technologies used in today's carrier space (e.g. MPLS, Carrier Ethernet, QinQ and the like). The talk includes a number of demos (like cracking BGP MD5 keys, redirecting MPLS traffic on a site level and some Carrier Ethernet stuff) all of which will be performed with a new tool kit made available in our "Download" section. It's about making the theoretical practical, once more!

More information: paranoia.watchcom.no
Download the tools: Download section

Reversing Malware for Business Purposes

Speaker: Michael Thumann

This session will examine different ways to analyse malware for business purposes and discusses advantages and disadvantages of the approaches. It will introduce the most common online sandboxes and compare them to sandbox systems built individually. It will also cover the reverse engineering approach and give some conclusions which approach is useful in a business context.

Visit www.rsaconference.com for more information.

The Day-Con III Keynote is delivered by Enno Rey.

More information: www.day-con.org

IIR IT-Virtualisierung-Forum 2009

Enno Rey gives a lecture on Risk Analysis concerning virtualized environments. Look here for a detailed agenda of the 2-day forum.

More information: www.iir.de

All your packets are belong to us - Attacking backbone technologies

Speakers: Daniel Mende, Roger Klose

The year 2008 has seen some severe attacks on infrastructure protocols (SNMP, DNS, BGP). We will continue down that road and discuss potential and real vulnerabilities in backbone technologies used in today's carrier space (e.g. MPLS, Carrier Ethernet, QinQ and the like). The talk includes a number of demos (like cracking BGP MD5 keys, redirecting MPLS traffic on a site level and some Carrier Ethernet stuff) all of which will be performed with a new tool kit made available in our "Download" section. It's about making the theoretical practical, once more!

More information: www.brucon.org
Download the tools: Download section

Download the slides here:

Secure the weakest Link - An holistic view on End-User Security

Speaker: Michael Thumann

This talk is held in German language. Summary:

Die Absicherung moderner (Web-)Anwendungen erfordert ein tiefgreifendes Verständnis des Zusammenwirkens von Applikation, (Betriebs-)System, Netzwerkprotokollen und Datenbanken. In dieser Session wird gezeigt, mit welchen Methoden und Tools moderne Angreifer gegen Anwendungen bzw. die von Ihnen verarbeiteten Daten vorgehen. Anhand praktischer Demos (die die Teilnehmer teilweise selbst in der Session nachstellen können; eigener Laptop erforderlich) zeigt der Referent, wo typischerweise Schwachstellen zu finden sind, die "außerhalb des Scopes" des Entwicklers liegen. Diskutiert wird auch, wo etwa Infrastrukturangriffe gegen DNS oder Internet-Routing (BGP) Auswirkungen auf die Sicherheit von Anwendungen haben können und warum daher eine ganzheitliche Sicht auf Application Security notwendig ist. Weiterhin werden die verschiedenen Angriffe gegen SSL präsentiert und welche Gegenmaßnahmen hier aus Entwicklerperspektive sinnvoll sind. Last but not least wird die sicherheitskritische Rolle der oft erforderlichen Datenbankanbindung diskutiert.

More information: here.

Download the slides here:

All your packets are belong to us - Attacking backbone technologies

Speakers: Daniel Mende, Simon Rich, Michael Schaefer

The year 2008 has seen some severe attacks on infrastructure protocols (SNMP, DNS, BGP). We will continue down that road and discuss potential and real vulnerabilities in backbone technologies used in today's carrier space (e.g. MPLS, Carrier Ethernet, QinQ and the like). The talk includes a number of demos (like cracking BGP MD5 keys, redirecting MPLS traffic on a site level and some Carrier Ethernet stuff) all of which will be performed with a new tool kit made available in our "Download" section.

Daniel Mende and his crew offer a workshop on MPLS Security at a conference for the first time. The workshop is free and will include heaps of hands-on learning. It's about making the theoretical practical, once more!

More information: www.har2009.org
Download the tools: Download section

Cloudifornication: Indiscriminate Information Intercourse Involving Internet Infrastructure

Speakers: Enno Rey, Chris Hoff

[19. July 2009] Update: Unfortunately Chris and Enno had to cancel the talk due to an executive scheduling issue on Chris' side. We hope to give it soon at another occasion.

What was in is now out. This metaphor holds true not only as an accurate analysis of adoption trends of disruptive technology and innovation in the enterprise, but also parallels the amazing velocity of how our datacenters are being re-perimiterized and quite literally turned inside out thanks to Cloud computing and virtualization. One of the really scary things happening with the massive convergence of virtualization and cloud computing is its effect on security models and the information they are designed to protect.

Where and how our data is created, processed, accessed, stored, backed up and destroyed in what is sure to become massively overlaid cloud-based services (and by whom and using whose infrastructure) yields significant concerns related to security, privacy, compliance and survivability. Further, the "stacked turtle" problem becomes incredibly scary as the notion of nested clouds becomes reality: cloud SaaS providers depending on Cloud IaaS providers which rely on Cloud network providers. It's a house of, well, turtles.

This "infrastructure intercourse" where your resources and data can be located anywhere makes it very interesting to try and secure your assets when you don't own the infrastructure and in most cases can't control the level of security. We will show multiple cascading levels of failure associated with relying on cloud on cloud infrastructure and services including exposing flawed assumptions and untested theories as it relates to security, privacy and confidentiality in the Cloud with some unique attack vectors.

More information: www.blackhat.com

IIR IT-Security Update with Enno Rey, Vojislav Kosanovic and Thomas Kopp

This event covers a broad spectrum of current IT-Security topics. Look here for a detailed agenda.

More information: www.iir.de

Roger Klose and Matthias Luft presented at Bechtle Security Day in Würzburg. Their talks included a broad spectrum of current topics like "Targeted Attacks" and "Virtual Security". Please note that there's an other event of this series taking place in Frankfurt.

Download the slides here:

Matthias Luft and Daniel Mende gave a lecture on "Hacking Mobile Devices" at an event of F-Secure on 18th May. It featured a series of practical demos. We would be pleased to present the demos to your organization or be supportive with securing your mobile platforms.

Download the slides here:

All your packets are belong to us - Attacking backbone technologies

Speakers: Daniel Mende, Enno Rey

The year 2008 has seen some severe attacks on infrastructure protocols (SNMP, DNS, BGP). We will continue down that road and discuss potential and real vulnerabilities in backbone technologies used in today's carrier space (e.g. MPLS, Carrier Ethernet, QinQ and the like). The talk includes a number of demos (like cracking BGP MD5 keys, redirecting MPLS traffic on a site level and some Carrier Ethernet stuff) all of which will be performed with a new tool kit made available at the con. It's about making the theoretical practical, once more!

Additional material:

Check out darkreading.com for an interview with Enno Rey.
Download the tools released with this talk.

First Day Workshop
Attacking Endpoints

Speakers: Roger Klose, Matthias Luft

This workshop is focused on techniques how endpoints (workstations or laptops) can be owned remotely or when physical access is available. In times of workstations with their CD/DVD drives removed and USB blocked even the latter might not always be an easy task. In the past we performed quite a number of assessments where we had to get the control over some endpoint and we have compiled/developed our own toolset for this purpose. The audience will get a CD with this stuff and will have the opportunity to practice most attacks in the classroom. After a detailed discussion of attacks we will also cover ways how to protect computers against these attacks and various mitigating controls.


Second Day Talk
Reversing Malware

Speakers: Michael Thumann, Michael Schaefer


Third Day Talk
All your packets are belong to us - Attacking backbone technologies

Speakers: Daniel Mende, Simon Rich

The year 2008 has seen some severe attacks on infrastructure protocols (SNMP, DNS, BGP). We will continue down that road and discuss potential and real vulnerabilities in backbone technologies used in today's carrier space (e.g. MPLS, Carrier Ethernet, QinQ and the like). The talk includes a number of demos (like cracking BGP MD5 keys, redirecting MPLS traffic on a site level and some Carrier Ethernet stuff) all of which will be performed with a new tool kit made available at the con. It's about making the theoretical practical, once more!

What a developer can do (wrong) – An architect‘s view

Speaker: Enno Rey

All your packets are belong to us - Attacking backbone technologies

Speakers: Daniel Mende, Enno Rey

The year 2008 has seen some severe attacks on infrastructure protocols (SNMP, DNS, BGP). We will continue down that road and discuss potential and real vulnerabilities in backbone technologies used in today's carrier space (e.g. MPLS, Carrier Ethernet, QinQ and the like). The talk includes a number of demos (like cracking BGP MD5 keys, redirecting MPLS traffic on a site level and some Carrier Ethernet stuff) all of which will be performed with a new tool kit made available at the con. It's about making the theoretical practical, once more!


Exploring Novel Ways in Building Botnets

Speakers: Daniel Mende, Enno Rey

Botnets are widely regarded as the most imminent threat to the internet's infrastructure security. While a bot's lifecycle has mostly stayed the same (initial infection, C+C contact, download of payloads/instructions, performance of malicious actions) for some time now, the communication structures are currently undergoing a shift in direction of P2P methods. In this talk we will cover some novel ways in mobilizing well-known and not-so-well-known protocols within botnets. Amongst others we will show how to perform quite efficient DoS attacks without prior OS exploitation and how to abuse some servers run by Microsoft itself for downright untraceable C2 communication and payload distribution.

Guaranteeing data and network security in Ethernet networks for business customers

Speaker: Enno Rey

Exploring Novelty Ways in Building Botnets

Speaker: Simon Rich & Daniel Mende

Botnets are widely regarded as the most imminent threat to the internet's infrastructure security. While a bot's lifecycle has mostly stayed the same (initial infection, C+C contact, download of payloads/instructions, performance of malicious actions) for some time now, the communication structures are currently undergoing a shift in direction of P2P methods. In this talk we will cover some novelty ways in mobilizing well-known and not-so-well-known protocols within botnets. Amongst others we will show how to perform quite efficient DoS attacks without prior OS exploitation and how to abuse some servers run by Microsoft itself for downright untraceable C2 communication and payload distribution. Additionally some code for an intelligent agent's "phone home" without direct IP based communication channel will be discussed and released.

First Day Workshop
Modern offensive techniques

Speakers: Daniel Mende, Michael Schaefer

Second Day Talk
A first inspection of Microsoft's Hyper-V security

Speakers: Enno Rey & Roger Klose

It is expected that Microsoft's Hyper-V will rapidly gain ground in the ever emerging virtualization market. Still, the crucial question remains: how trustworthy is this piece as for isolation of guests and protection of the hypervisor itself and management interfaces. This talk tries to give a first answer. I will present the design and architectural components of Hyper-V, explain configuration tweaks and pitfalls and discuss hardening steps & tools. Furthermore the results of in-deep security testing of Hyper-V will be published. Some fuzzing demo against various pieces of Hyper-V is included and I will provide a detailed comparison of the security features and potential weaknesses of Hyper-V and VMware ESX.

Third Day Talk
Exploring Novel Ways in Building Botnets

Speakers: Daniel Mende & Simon Rich

Botnets are widely regarded as the most imminent threat to the internet's infrastructure security. While a bot's lifecycle has mostly stayed the same (initial infection, C+C contact, download of payloads/instructions, performance of malicious actions) for some time now, the communication structures are currently undergoing a shift in direction of P2P methods. In this talk we will cover some novelty ways in mobilizing well-known and not-so-well-known protocols within botnets. Amongst others we will show how to perform quite efficient DoS attacks without prior OS exploitation and how to abuse some servers run by Microsoft itself for downright untraceable C2 communication and payload distribution. Additionally some code for an intelligent agent's "phone home" without direct IP based communication channel will be discussed and released.

Microsoft's Hyper-V Security

Speaker: Enno Rey

It is expected that Microsoft's Hyper-V will rapidly gain ground in the ever emerging virtualization market. Still, the crucial question remains: how trustworthy is this piece as for isolation of guests and protection of the hypervisor itself and management interfaces. This talk tries to give a first answer. I will present the design and architectural components of Hyper-V, explain configuration tweaks and pitfalls and discuss hardening steps & tools. Furthermore the results of in-deep security testing of Hyper-V will be published. Some fuzzing demo against various pieces of Hyper-V is included and I will provide a detailed comparison of the security features and potential weaknesses of Hyper-V and VMware ESX.

Application Trustworthiness

Speaker: Michael Thumann

This talk covers the different test methodologies to decide if an application can be used securely in a business environment. From blackbox testing, fuzzing, source code review to reverse engineering all the different approaches are explained, that are used by ERNW do conduct these kind of tests in real life. Finally the metric used in the assessments will be presented to give an idea how the results and findings can be used to answer the Question "can we trust this application?" in a comprehensible way.

Exploring Novelty Ways in Building Botnets

Speakers: Daniel Mende & Simon Rich

Botnets are widely regarded as the most imminent threat to the internet's infrastructure security. While a bot's lifecycle has mostly stayed the same (initial infection, C+C contact, download of payloads/instructions, performance of malicious actions) for some time now, the communication structures are currently undergoing a shift in direction of P2P methods. In this talk we will cover some novelty ways in mobilizing well-known and not-so-well-known protocols within botnets. Amongst others we will show how to perform quite efficient DoS attacks without prior OS exploitation and how to abuse some servers run by Microsoft itself for downright untraceable C2 communication and payload distribution. Additionally some code for an intelligent agent's "phone home" without direct IP based communication channel will be discussed and released.

More information

Exploring Novelty Ways in Building Botnets

Speakers: Simon Rich & Daniel Mende

Botnets are widely regarded as the most imminent threat to the internet's infrastructure security. While a bot's lifecycle has mostly stayed the same (initial infection, C+C contact, download of payloads/instructions, performance of malicious actions) for some time now, the communication structures are currently undergoing a shift in direction of P2P methods. In this talk we will cover some novelty ways in mobilizing well-known and not-so-well-known protocols within botnets. Amongst others we will show how to perform quite efficient DoS attacks without prior OS exploitation and how to abuse some servers run by Microsoft itself for downright untraceable C2 communication and payload distribution. Additionally some code for an intelligent agent's "phone home" without direct IP based communication channel will be discussed and released.

From Ariane 5 To Sasser – Code security in complex environments

Speaker: Enno Rey

This talk deals with the meaning of software security for complex environments and discusses about the ways of avoiding typical risks at the architecture level. Various methods will be presented which are preventing the execution of untrustwothy or incorrect codes in shared environments. Furthermore showcases will be discussed: how to limit the codes' destructive capicity. The part of priviligies, compartments and capabilites and thier impact on the whole security of the ecosystem is often underrated and disregarded in the development process.

Sofware security testing

Speaker: Michael Thumann

This talk deals with the various software security testing methods. Following topics among others will be raised: Blackbox testing and fuzzing, source code analysis, source code recovery by means of reverse engineering and de-compilation, runtime analysis and manual testing of applications. Furthermore some helpful and necessary tools wil be introduced, which are used during ERNW audits. Finally a few security metrics facillating the results analysis will be discussed.

Forum's chairman: Enno Rey

iPhone - Funky Gadget, Hacker Device or just a Security Risk?
Speaker: Michael Thumann

Apple has launched with its iPhone a multifunctional portable device. The using concept is revolutionary and seduces most of the people. Its Mac OS X based user interface provides the user with nearly inexhaustible enlargement possibilities. Its new software allows the use in big companies and is also a perfect tool for top management. This talk deals with the possibilities and the security risks of the iPhone and describes its use as a business device and as an hacking tool. You will find out if your company is "iPhone ready".

Speakers:

Enno Rey:
Voice-over-IP, Attacks and Countermeasures

Roger Klose:
Security aspects of virtualization with a focus on VMware ESX
Fuzzing of infrastructure protocols - Methodology, Tools & Results

Security aspects of the virtualized environment
Speaker: Roger Klose

• Threats & Vulnerabilities in virtualized environments
• Definition of criteria for a "safe virtualization"
• Virtual appliances & virtual Shields - Concepts & Products
• Overview of measures
27.05.2008, 15:15 Uhr – 16:00 Uhr

Workshop: VMware - Attacks and security measures with attacks live demos
Speaker: Roger Klose

• Attacks overview in VMware environments (specially VMware ESX)
• Discussion about attacks with the participants
• Demo "VM Backdoor“ attacks against management interfaces
• Demo attacks on the nework level
• Classification of mitigating controls (network, storage, management)
• Risk assessment & measures evaluation
28.05.2008, 9:00 - 12:30 Uhr

Troopers08 is a Hacking Conference. Its goal is to share in-depth knowledge about the aspects of attacking and defending information technology infrastructure and applications. The featured presentations and demonstrations represent the latest discoveries and developments of the global hacker scene and will provide the audience with valuable practical know-how.
More information.

The main aim of the HITBSecConf conference series is to enable the dissemination, discussion and sharing of deep knowledge network security information. Featuring presentations by respected members of both the mainstream network security arena as well as the underground or black hat community, HITBSecConf2008 - Dubai will see over 20 of the world’s leading network security specialists talk about their latest tools and research.

Speaker: Michael Thumann
Beyond being an online game SecondLife is a growing marketplace for big companies where lot of money is made. And living and acting in a virtual world gives the people the opportunity to do things they would never do in real life. Therefore, it is not surprising that SecondLife has increasingly attracted real world hackers.

The talk will cover the basic architecture of SecondLife and point out the possible attack vectors against SecondLife itself, but will also demonstrate hacks from the inside of SecondLife against real-life systems in the internet. So watch out what virtualization can do for the “Bad Guys”.

ShmooCon is an annual East coast hacker convention hell-bent on offering three days of an interesting atmosphere for demonstrating technology exploitation, inventive software & hardware solutions, and open discussions of critical infosec issues.

Speakers: Enno Rey and Daniel Mende
Advanced Protocol Fuzzing - What We Learned when Bringing Layer2 Logic to "SPIKE Land"
The talk is based on a research project whose goal was to evaluate the security of network devices used in carrier space. After some (very short) introduction into the main concepts of fuzzing (in particular of network protocols) we will explain which options of existing fuzzers and frameworks we found and why we finally chose SPIKE. Given SPIKE has no Layer2 functionality by default we were forced to write some additional modules like a (libnet-based) generic Layer 2 packet generator and lots of SPK-scripts for different protocols. We will describe this development process, the pitfalls and lessons learned. Furthermore we will release all the code and discuss the results of performing extensive fuzz-testing of network devices and some common operating systems.

High Security Duo SBC and Thin Clients

Speaker: Roger Klose

Security and compliance aspects on server and client side. Higher security and easier compliance to legal regulation with SBC and TCs; data management entirely based on server vs. local storage, VPNs, Identity-Management with Tokens/Smartcards, PKI, use of ADS, USB port safety, Spyware prevention.

Speaker: Enno Rey
Topic: Secure WLAN meeting the requirements of the data protection

The PDAs and notebooks of the doctors and of the hospital staff facilitate and improve the patient care and make sure that the medical staff always get important information. The WLAN technique has to be extremely reliable in order to fulffill the high requests of the medical institutions. In this conference you will learn in what way the technical level conforms to these requirements.

Topics:

- People and IT-security
- Awareness campaigns
- Indentity management
- Network Access Control
- Industrie espionage

Speaker: Dror-John Röcher & Michael Thumann
Topic: Attacking Cisco Network Admission Control

Speaker: Enno Rey
Virtualization security

According to recent surveys, half the IT managers project to virtualize wide parts of their computer centers within the next 12 months. Meanwhile 43 % of them worry about the security. In this conference, you will learn what securiy risks may result from the virtualization. Vulnerabilities and contermeasures will be discussed with the example of important commercial solutions and concrete attack settings will be demonstrated.

Speaker: Enno Rey
Topic: Advanced Protocol Fuzzing - What We Learned when Bringing Layer2 Logic to
"SPIKE Land"

The talk is based on a research project whose goal was to evaluate the
security of network devices used in carrier space.
After some (short) introduction into the main concepts of fuzzing (in
particular of network protocols) we will explain which options of existing
fuzzers and frameworks we found and why we finally chose SPIKE. Given SPIKE
has no Layer2 functionality by default we were forced to write some
additional modules like a (libnet-based) generic Layer 2 packet generator
and lots of SPK-scripts for different protocols. We will describe this
development process, the pitfalls and lessons learned. Furthermore we will
release all the code and discuss the results of performing extensive
fuzz-testing of network devices and some common operating systems.

Topic: Vulnerability Scoring with CVSS 2.0

Speaker: Dror-John Röcher

Der transparenten und nachvollziehbaren Bewertung von Schwachstellen kommt
nicht nur durch Compliance-Anforderungen eine ständig wachsende Bedeutung
zu. Auch für effizientes Patchmanagement ist die korrekte Bewertung von
Schwachstellen ausschlaggebend. Zum einen hat CVSS mit der kuerzlich
erschienen Version 2.0 qualitativ einen grossen Schritt in die richtige
Richtung getan, zum Anderen kristallisiert sich CVSS als kommender,
herstellerunabhaengiger Standard zur Bewertung von Schwachstellen heraus.
Ziel des Vortrags ist neben der Vorstellung und Diskussion von CVSS 2.0 eine
Erörterung in welchen Szenarien und unter welchen Randbedingungen der
Einsatz von CVSS sinnvoll möglich ist.

Topics:
- Bluetooth Hacking
- Spying and sabotage by radio network
- Blackberry-Security
- Encryption and communication security
- Security aspects from mobile operating systems

You can meet there our specialists Enno Rey, Michael Thumann and Dror-John Röcher, you can find more information here.

Topic: Network Security on Layer 2 and 3 (12.09.2007, 11:00-12:30 Uhr)
Speaker: Enno Rey

Topics: Attacking Cisco Network Admission Control – NAC@ACK
Speakers: Michael Thumann & Dror-John Röcher

The last two years have seen a big new marketing-buzz named “Admission Control” or “Endpoint Compliance Enforcement” and most major network and security players have developed a product-suite to secure their share of the cake. While the market is still evolving one framework has been getting a lot of market-attentiont: “Cisco Network Admission Control”. NAC is a pivotal part of Cisco’s “Self Defending Network” strategy and supported on the complete range of Cisco network- and security-products. From a security point of view “NAC” is a very interesting emerging technology which deservers some scrutiny. The Cisco NAC solution contains two major design-flaws which enable us to hack (at least) two of the three different variants using some kind of “posture spoofing attack”. We will demonstate code & tool for posture spoofing in Cisco NAC secured networks.

Topic: NACATTACK
Speakers: Dror-John Röcher & Michael Thumann

Part I: Introduction—Marketing Buzz:
The last two years have seen a big new marketing-buzz named "Admission Control" or "Endpoint Compliance Enforcement" and most major network and security players have developed a product-suite to secure their share of the cake. As the market is still evolving and one framework has been quite successful on the market: "Cisco Network Admission Control". NAC is a pivotal part of Cisco’s "Self Defending Network" strategy and supported on the complete range of Cisco network- and security-products. From a security point of view “NAC” is a very interesting emerging technology which deservers some scrutiny. We are able to hack the Cisco NAC-solution by exploiting a fundamental design flaw.

Part II: NAC Technology—How it works:
The basic idea behind Cisco NAC is quite simple: Before allowing a client admittance to the network the client is tested against a predefined set of “policies”. These tests are performed by a backend system (a Cisco ACS) which processes .credentials supplied by the client against one or more administrator-defined policies. Based on the result of these tests a client is categorized and a well-defined access-level to the network is granted. While the client is connected to the network it is repeatedly rechecked and the state of the client is reassessed. On a somewhat more technical layer the communication takes place using EAP over UDP with undisclosed Cisco-proprietary EAP messages and the UDP connection itself is secured using SSL. The connection-point to the network (e.g. the switch, wireless AP, Firewall, Router, etc.) acts sort of as a "translating proxy" between the client talking EAPoU and the Cisco Secure ACS server talking RADIUS [Client <-EAPoU-> Switch <-RADIUS-> ACS). Besides this "proxy"-functionality the connection-point also acts as an enforcing element of the security policy. Three somewhat different deployment flavours of Cisco NAC exist but the underlying concept “admittance-level based on the result of a test” is always the same.

For every .NAC-enabled application on the client a client-side agent provides so called “credentials” to the ACS server where they are compared against the defined tests to derive a “posture token” per application. From all application posture tokens an overall “system posture token” is inferred which determines the access-level granted to the client. The client-side agent of the framework responsible for the communication is the “Cisco Trust Agent” (CTA) which also includes the capability to report a few basic credentials (e.g. OS Version, Hostname, etc) without an additional NAC-enabled application. The CTA contains an API enabling third-party vendors to hook their applications into the NAC framework. Anti-Virus Vendors have been among the first to join the NAC-Alliance formed by Cisco.

Part III: The Problem—NAC is not “secure by design”:
The Cisco NAC solution contains at least one major design-flaw which enables us to hack (at least) two of the three different variants: The server authenticates itself to the client using a server-certificate and client and server establish a secure tunnel (something like “SSL over UDP”), but the client does not authenticate itself to the server, so we have a situation in which a component (the client) is authorized without prior authentication. After realizing this fundamental design-error, the idea of a “posture spoofing attack” was born and research started with evaluating different attack-vectors for their feasibility. In the end we decided to analyse the protocols used within the framework and code our own “NAC-client” which provides the ACS with attacker-supplied-credentials in order to get illegitimate access to NAC-secured networks.

Part IV: The Hack—how we did it
NAC is a complex system involving different protocols which are used in an odd combination. Especially the usage of SSL over UDP/EAP-FAST over UDP made the usage of SSL-Proxies for man-in-the-middle attacks or clear-text-traffic-analysis with standard methods impossible. So instead of focusing on the network-traffic (which was our first approach—“stare at the packets until you understand them”), we decided to focus on the client first. Analysing the CTA client in different versions and on different operating systems revealed some of the inner workings of the protocols. Besides “Client analysis” we built a NAC test-lab and developed a “NAC-test-suite” to implement different “admission-scenarios”. While running theses tests we hooked into the interesting functions of the client in order to understand the functions used and their (inter)dependencies. As a next step we started coding our own NAC client to get a better insight into the communication process. The first goal was to get a clear text dump of the communication by establishing the secure tunnel. The next goal was to provide our own credentials to the ACS in order to get access to the NAC protected network. We will release our "NAC-Credential-Spoofing"-tool at the conference alongside with our insight into the operating of NAC.

Part V: Our proposed talk
We do not wish to simply release a tool; we want the audience to understand how Cisco NAC works, why it is not as secure as Cisco wants us to believe and which mitigations exist, if NAC is implemented (there actually exist mitigations and secure setup-approaches). We will present our approach, disclose technical details yet unpublished and release our tool. As an “add-on”-benefit we will explain how to tackle a complex system like NAC when doing security research.

Dror-John Roecher has enjoyed working with Cisco stuff for more than eight years and is usually busy assessing the security of enterprise networks and data-centers. He works as a senior security consultant for germany-based ERNW GmbH all over Europe and has published multiple whitepapers on security-related topics. He is a seasoned speaker and enjoys sharing his experience with his audience.

The last two years have seen him develop additional points of interests, as e.g. “Mobile Security” [he simply loves to play around with all the newest funky gadgets] and “Endpoint Security”—but at the heart he still is a networker.

Michael Thumann is Chief Security Officer and head of the ERNW "Research" and "Pen-Test" teams. He has published security advisories regarding topics like 'Cracking IKE Prshared Keys' and Buffer Overflows in Web Servers/VPN Software/VoIP Software. Michael enjoys sharing his self-written security tools (e.g. 'tomas—a Cisco Password Cracker', 'ikeprobe—IKE PSK Vulnerability Scanner' or 'dnsdigger—a dns information gathering tool') and his experience with the community. Besides numerous articles and papers he wrote the first (and only) german Pen-Test Book that has become a recommended reading at german universities. In addition to his daily pentesting tasks he is a regular conference-speaker and has also contributed exploit code to the Metasploit Framework. With more than 10 years of experience in computer security Michaels' main interest is to uncover vulnerabilities and security design flaws from the network to the application level.

Topic: "Captain, Eisberg voraus" - Was wir von der Titanic über Incident Response Prozesse lernen können.
Speaker: Friedwart Kuhn

Vortragsthema: Wireless LAN in der Produktion (27.06.2007 14:15-15:00 Uhr)
Firewalls in der Industrie- und Produktionsumgebung (27.06.2007 16:15-17:00 Uhr)
Referent: Dror-John Röcher

- Segmemtierung von Produktionsnetzen
- Aktueller Stand WLAN-Security - Angriffsmethoden & Sicherheits- Technologien, Protokolle
- Managed vs. unmanaged Access Points, Produkte und Sicherheits-Diskussion
- WLAN-Design und -Segmentierung* Managed vs. unmanaged Access Points, Produkte und Sicherheits-Diskussion
- WLAN-Design und -Segmentierung
- Access Point Security - Hardening und sicherer Betrieb
- Wichtige Prozesse (Rollout, Management, Intrusion Detection)
- Neue Ansätze, Protokolle, Probleme
- Einsatz von Firewalls


Vortragsthema: Firewalls in Industrie- und Produktionsumgebung
Referent: Dror-John Röcher

* Sicherheit in den Produktionsnetzen
* Unterscheiden sich Produktionsnetzwerke stark von Büro-Netzwerken?
* Anforderungen an die Komponenten
* Praxisbeispiel: Einführung von Firewalls in einer großen, dezentralen Produktionsumgebung


Workshop: Risiko-Analyse als Werkzeug zur effizienten Steuerung von IT-Sicherheit (29.06.2007 9:00-17:00 Uhr)
Referent: Enno Rey

- Methoden und Tools
- Anwendungsszenarien und Beispiele aus der Praxis
- Notwendige Tabellen und Checklisten

Topic: Firewalls in Industrie- und Produktionsumgebung
Speaker: Dror-John Röcher

Speaker: Friedwart Kuhn
Windows Vista Security
UAC and Mandatory Integrity Control (MIC)
BitLocker
Services Hardening
Code-Integrity
Internet Explorer
Auditing

Topic: VoIP Security
Speaker: Roger Klose

Topic: Industrial Firewalls
Speaker: Dror-John Röcher

Vortragsthema: tba
Referent: tba

Topic: SNMP, Routing Security (16 May 2007)
Speaker: Enno Rey

07 May 2007: "Sicheres Netzwerk-Management", Speaker: Enno Rey
08 May 2007 "MPLS-Sicherheit", Speaker: Enno Rey

MPLS Security Methodology
Speaker: Enno Rey

Are They Secure? How to Assess MPLS Providers From a Customer Perspective?

One of our clients, a multi billion revenue corporation with HQ in New York is currently in the course of a world wide network migration to MPLS based structures. Given the absolute priority of information security at our client and against the background that MPLS-VPNs are not regarded as a "trustworthy technology" in itself an internal evaluation methodology was developed to rate the eligible carriers as for their security/trustworthiness. This methodology consists of detailed questionnaires delivered to the carriers, extensive lab testing together with carrier personnel and on-site reviews. During the talk the methodology and some of the results will be presented and discussed. We will share our experiences and learning curve with the audience. Service providers will learn what security-sensitive customers will expect from them and enterprise people will get an idea how to conduct such an assessment.

Topic: "Kid Tracking" (28.04.2007, 11:00 Uhr)
Speaker: Enno Rey
Abstract:
"RFID technology has many (ab-) uses. Amongst them are so called localization services that permit to inventory cattle or to detect lost kids in theme parks. The same approach can also be found in GPS-based tracking services used to follow movements of delinquents on probation. On the other side these techniques seem pretty appealing for parents desiring to track their children to prohibit kidnapping or to locate them after accidents. Several questions quickly arise though: when should such a .track your kid. thing be applied, when . if ever . removed? Do we really want to put our children in the panopticon Michel Foucault describes in .Discipline and Punish.? In which way must we re-think our own responsibilities? The talk will give an overview of the tools involved and their current state-of-implementation. Using some risk analysis method I will then illustrate potential problems (security-/privacy-wise) and discuss the social implications of this technology."

Speaker: Roger Klose
Workshop-Topic: Sicheres Netzwerk-Management (18.04.2007)

Speaker: Dror-John Röcher
Topic: "Segen oder Fluch? - Cisco Network Admission Control" (18.04.2007)

Topic: Sicheres Netzwerk-Management (16.04.2007, 9:00-17:00 Uhr)

Speaker: Enno Rey

Topic: "Digging into SNMP 2007 - An Exercise on Breaking Networks" by Enno Rey

Topic: "NAC@ACK" (30.03.2007)
Speaker: Michael Thumann + Dror-John Röcher

Abstract:
The last two years have seen a big new marketing-buzz named "Admission Control" or "Endpoint Compliance Enforcement" and most major network and security players have developed a product-suite to secure their share of the cake. While the market is still evolving one framework has been getting a lot of market-attentiont: "Cisco Network Admission Control". NAC is a pivotal part of Cisco?s "Self Defending Network" strategy and supported on the complete range of Cisco network- and security-products. From a security point of view ?NAC? is a very interesting emerging technology which deservers some scrutiny. The Cisco NAC solution contains two major design-flaws which enable us to hack (at least) two of the three different variants using some kind of ?posture spoofing attack?. We will release updated code & tool for posture spoofing in Cisco NAC ?secured? networks.