Event Archives

HITBSecConf2011 – Amsterdam

Amsterdam, 17-20 May 2011

Attacking 3G and 4G Telecommunication Networks

Speakers: Enno Rey & Daniel Mende

In 2010 a number of practical high-profile attacks against GSM have been discussed and demonstrated. Still, it should be noted that those only work against GSM (“2G”), which was standardized in the early 90s. It was followed by the “3G” family of standards in 2000, which in turn is currently being superseded (better: complemented) by yet another generation (“4G”). LTE (4G), which is expected to be “the next big thing in mobile telco business”, has an all-IP network architecture that is much flatter than that of the earlier architectures.

In the so-called backhaul and core parts of 3G and 4G networks, mainly one IP-based protocol can be found: GTP [GPRS Tunneling Protocol]. Given that 3GPP standards mandate that GTP is either only used within one security domain (operator) or, in the case of roaming users, should be secured by IPsec, one should never be able to reach GTP-speaking components from the Internet. Well, yes, one should not, but we show that reality is so often a bit different.

We will outline 3G and 4G architectures and associated attack paths, enriched by “anecdotes from the field” and – potentially more interesting – results from some 3G/4G security testing “performed in the wild”. An attack classification based on the protocols involved and the networks the attacks originate from (user equipment, other operators, Internet etc.) will be given. Lastly, we will discuss (and, of course, release) a GTP scanning tool that allows identification of entry points into mobile telecommunication networks. A number of demos will add some spice.

More information here: conference.hitb.org

Please find the slides below:


ERNW_HITB_AMS_Mende_Rey_Attacking_mobile_telecommunication_networks.pdf (1MB)

it security 2011

Munich, 16-18 May 2011

Workshop - IPv6 Security in LANs
Trainer: Christopher Werny

Integrating the New German Identity Card into Enterprise Environments: Opportunities, Effort, Risks

Speaker: Friedwart Kuhn

Security of Multifunction Devices (Printers, Scanners, Copiers, Fax) in Enterprises

Speakers: Matthias Luft & Michael Schaefer

Please find the complete agenda here: www.it-security-2011.de

Special: There's an exclusive deal for ERNW's customers in place. Please contact us for further details.

TROOPERS11

Heidelberg, 28 March - 1 April 2011

Visit www.troopers.de or follow us on Twitter to keep up-to-date on TROOPERS - the premium IT-Security conference series.

Find the full agenda here: www.troopers.de/agenda/
Read everything about this year's speakers: www.troopers.de/speakers/
Download slides: Please head over to www.troopers.de/downloads/

BASTA! 2011

Darmstadt, 21-25 February 2011

Web Security - Hacking Night School

Speaker: Matthias Luft

The traditional Hacking Night School presents current attack techniques against web applications. The demonstration comprises several examples of how modern server systems, namely Microsoft Windows Server 2008 and SQL Server 2008, can be compromised. Various attack vectors, such as SQL and XML injection, are combined with weaknesses in supposedly proven standards, such as SSL/TLS, to take over systems completely. In a final step, the case study of a complex vulnerability in ASP.NET is discussed. Based on its design and the possible countermeasures, a general security model is explained that also addresses previously unknown vulnerabilities.

Find the slides below:

Tech Forum „Verkabelung/Netzwerk- und RZ-Infrastruktur”

Munich, 8-9 February 2011

Risks of Integrating Mobile Devices

Speaker: Rene Graf

ShmooCon 2011

Washington DC, 28-30 January 2011

Attacking 3G and 4G mobile telecommunications networks

Speakers: Enno Rey & Daniel Mende

In 2010 a number of practical high-profile attacks against GSM have been discussed and demonstrated. Still, it should be noted that GSM ("2G") was standardized in the early 90s, followed by the "3G" family of standards in 2000, which in turn is currently being superseded (better: complemented) by yet another generation ("4G"). What about their security aspects? In this talk we'll outline 3G and 4G architectures and associated attack paths, enriched by "anecdotes from the field" and - potentially more interesting ;-) - results from some 3G/4G security testing "performed in the wild".


Shmoocon_ERNW_Attacking_mobile_telecommunication_networks.pdf (3MB)

Tech Forum „Security in der Cloud/Virtualisierung”

Munich, 15 November 2010

Keynote: The seven sisters wearing the emperor's new clothes

Speaker: Enno Rey

On the changing role of fundamental network security principles in the age of virtualization and cloud computing.


ERNW_LANline_VirtCloudSec_Keynote.pdf (1MB)

Day-Con IV

Dayton, 22-23 October 2010

Supply Chain (In-) Security

Speakers: Enno Rey & Graeme Neilson

Find the slides below:


Daycon2010_Aura_ERNW_Supply_Chain_Insecurity.pdf (3MB)

Tech Forum „Industrial Ethernet”

Stuttgart, 6 October 2010

Industrial Firewalls

Speaker: Rene Graf


ERNW_LanLine_Industrial_Firewalls.pdf (1MB)

ISSE 2010

Berlin, 5-7 October 2010

A small leak will sink a great ship: An Empirical Study of DLP solutions

Speakers: Matthias Luft, Thorsten Holz

Matthias Luft and Thorsten Holz submitted a whitepaper (link coming soon) about the evaluation of Data Leakage Prevention solutions to the EEMA conference ISSE. The whitepaper presents a methodology to evaluate DLP solutions and exemplifies the method by testing two DLP implementations in detail. This essential step in every product lifecycle revealed several flaws that were reported to the vendors.

Download slides here:


ISSE_An_Empirical_Study_of_DLP_Solutions.pdf (1MB)

Security in virtualized environments

27 September 2010

Security in virtualized environments

Speaker: Enno Rey


ERNW_Virtualisierungssicherheit.pdf (1MB)

BASTA! 2010

Mainz, 20-24 September

Compliance in the Cloud

Speaker: Enno Rey

Get the slides here:


ERNW_BASTA2010_Compliance_in_the_Cloud.pdf (1MB)

Black Hat USA 2010

Las Vegas, 24-29 July 2010

Burning Asgard - What happens when Loki breaks free

Speakers: Daniel Mende, Rene Graf

I personally remember the release of Yersinia at Black Hat Europe 2005. It was a groundbreaking experience: a number of Layer 2 attacks, regarded as purely theoretical until then, were suddenly available in a mostly automated way. And those guys even showed some forays completely unbeknownst to me at the time. We plan to do the same in Vegas, with a new tool called Loki (after the giant from Norse mythology associated with cunning, trickery and evil). It's a Python-based framework implementing many packet generation and attack modules for Layer 3 protocols, including BGP, LDP, OSPF, VRRP and quite a few others.

After outlining Loki's inner architecture we'll give insight into several modules and discuss some particularly interesting attacks in the routing protocol space (e.g. cracking OSPF MD5 keys, injection of routes into OSPF and EIGRP environments etc.). Furthermore we'll describe vulnerabilities in lesser known protocols like VRRP. Every attack we mention will be shown in a practical demo and - of course - Loki will be released right after our talk.

Download here:

Presentation & Others:
Presentation
Demo Videos

Code/Builds:
Source

Please visit our tool section for Gentoo and Ubuntu builds.

PlumberCon

Vienna, 9-11 July 2010

PlumberCon is proudly supported by ERNW. We provide the conference's network.

Crash Course in Penetration Testing

Speaker: Oliver Roeschke

This course will cover some of the newer aspects of penetration testing such as open source intelligence gathering with Maltego and other open source tools. Advanced scanning, enumeration, exploitation (remote and client-side), and post-exploitation relying heavily on the features included in the Metasploit Framework will also be covered.
Emphasis throughout the entire workshop will be placed on being as stealthy as possible, and dealing with popular defensive technologies.


Attacking Cisco Enterprise WLAN

Speaker: Oliver Roeschke

Enterprise WLAN solutions are complex setups that should support security and manageability by combining several technologies and protocols. This complexity needs distinguished design patterns to ensure all security goals. Usage of insecure mechanisms can result in a total breakdown of security. One prominent example is Cisco's Structured Wireless-Aware Network (SWAN) architecture, composed of autonomous access points combined with some components for centralized management. This architecture is still deployed in a number of early corporate wireless networks. The proprietary 'Wireless LAN Context Control Protocol' (WLCCP) plays a major role here.

Unfortunately, the protocol design is debatable in several aspects, leading to practical attacks that impose high risk to wireless networks. A second example is Cisco's current solution, called 'Unified Wireless Networks'. It consists of several entities with interesting communication patterns. Additionally it is built on a broken trust model.

In this talk we will describe the inner workings of these pieces, dissect the vulnerable parts and have some discussion on good or bad protocol design. As usual, some demos will demonstrate the issues.


PacketWars™

Hosted by: Daniel Mende

PacketWars™ is a sport like nothing you have ever experienced! Games known as Battles pit individual players against each other in a race against time to achieve predefined objectives, win prizes and attain FAME. Operating in the shadows of the Internet beyond the rule of TCP/IP and devoid of compassion, a secret war rages. Sometimes spilling over into the “real” world, digital battles are waged to advance the will of the combatants. The combatants are as varied as their skills and motivation. Every engagement is unique. It is our duty to chronicle these events. Join us as we open a portal to extreme hacking. Do you have what it takes to survive?

Read also our blog post on the conference: www.insinuator.net

HITBSecConf2010 – Amsterdam

Amsterdam, 29 June - 2 July 2010

How to rate the security in closed source software

Speaker: Michael Thumann

Security evaluation of software is getting more and more common in large enterprises to ensure that they can trust the software and secure the processed data. But besides the common source code reviews, pentests and fuzzing tests, it's still hard to rate the security of closed source software without reverse engineering it. This talk will introduce some ideas on how to rate this software in an almost automated way using the right tools and based on some quality metrics and other facts about the binary. It will give some advice on how to implement the concept in the enterprise.

More information here: conference.hitb.org


ERNW_HITB2010_How_to_rate_the_security_of_closed_source_software_Michael_Thumann.pdf (1MB)
TTICheck.zip (37KB)

Just4Meeting

Lisbon, 25-27 June 2010

Lecture - All Your Packets Are Belong to Us – Attacking Backbone Technologies

Speaker: Daniel Mende

Daniel Mende is a German security researcher specializing in network protocols and technologies. He’s well known for his Layer2 extensions of the SPIKE and Sulley fuzzing frameworks, he has discussed new ways of building botnets and has presented on protocol security on many occasions including Troopers08, ShmooCon and Blackhat. Usually he releases a new tool when giving a talk.


Workshop - Can Data Leakage Prevention Prevent Data Leakage?

Speaker: Matthias Luft

Matthias is a seasoned pentester with vast experience in corporate environments. Over the years he focused on evaluating and reviewing all kinds of applications. So he’s one of the first researchers who revealed major design flaws and vulnerabilities in the approach of Data Leakage Prevention. He is a regular speaker at international security conferences and will happily share his knowledge with the audience.

Visit www.just4meeting.com for more information.

Bechtle Security Day [non-public]

Würzburg, 23 June 2010

Roger Klose and Matthias Luft present at Bechtle Security Day in Würzburg. This is an exclusive event for customers and partners of Bechtle AG.

Get in contact: www.bechtle.com

Download the slides here:


BechtleSecDay2010_ERNW_AttackingWeb20.pdf (1MB)
BechtleSecDay2010_ERNW_SinnUnsinnWAFs.pdf (1MB)

it security 2010

Munich, 26-28 April 2010

This is an event in Germany - talks at this event are normally held in German.

Introduction to the "Rapid Risk Assessment" Methodology

Speaker: Enno Rey

Efficient risk analysis is one of the most important tools of modern security work. It is not without reason that ISO 27001 requires a functional risk assessment & management framework in organizations, and the ISO 27000 family provides a dedicated standard on the topic with ISO 27005. Unfortunately, risk analysis as a process fails in many environments because of excessive expectations, poor organizational integration or too much complexity. The talk presents a model ("Rapid Risk Assessment") developed for one of the world's largest outsourcers. Its goal is to carry out efficient risk assessments in a short time (roughly a 1-2 hour conference call) in order to prepare security decisions. We discuss practical experience with the approach and our learning curve, and provide important components as examples.


Attacking Web Applications 2.0 (or "Modern Attacks against Web Applications")

Speaker: Michael Thumann

The talk deals with current attack techniques against web applications. In the age of the "webifying" of enterprise applications, web applications have long been in the focus of hackers, and new technologies such as Web 2.0 on the one hand and intensive research by attackers on the other lead to a multitude of new attack possibilities. The attacks covered include web filter bypassing, session hijacking, advanced SQL injection against modern database servers and SSL renegotiation attacks. Live demonstrations show how current attack techniques work in practice. A detailed discussion of efficient and appropriate protective measures rounds off the presentation.


Security Assessment of Cisco Enterprise WLAN Technologies

Speaker: Oliver Roeschke

The world of "enterprise WLAN solutions" is full of obscure and non-standardized technologies that can lead to security problems. Cisco is no exception here. In particular the "Structured Wireless-Aware Network" (SWAN) architecture (which is based on the proprietary WLCCP protocol), but also modern Wireless LAN Controller (WLC) based environments, exhibit vulnerabilities in various scenarios. This talk covers and demonstrates theoretical and practical (!) attack possibilities in such networks and assesses the resulting risks. The goal is to secure both the investment and the data being transported.


For more information, visit www.it-security-2010.de

HITBSecConf2010 – Dubai

Dubai, 19-22 April 2010

Attacking CISCO WLAN Solutions

Speakers: Oliver Roeschke, Daniel Mende

The world of “Enterprise WLAN solutions” is full of obscure and “non-standard” elements and technologies. Cisco’s solutions are no exception here.

In this talk we will describe potential and practical attacks against components, network traffic and/or cryptographic material in different generations of their “Enterprise WLAN offerings”. This includes pretty standard attacks against management interfaces as well as some not-so-common insight into how one of their proprietary protocols works (or fails, security-wise). As usual, a number of demos will add spice and some code will be released.

For more information regarding the conference please visit: conference.hackinthebox.org

Black Hat Europe 2010

Barcelona, 12-15 April 2010

Hacking Cisco Enterprise WLANs

Speakers: Enno Rey, Daniel Mende

The world of "Enterprise WLAN solutions" is full of obscure and "non-standard" elements and technologies. Cisco's solutions, from the early Structured Wireless-Aware Network (SWAN) to the current Cisco Wireless Unified Networking (CUWN) architectures, only partly differ here. In this talk we describe the inner workings of these solutions, dissect the vulnerable parts and discuss theoretical and practical attacks, with some nice demos.

A new tool automating a number of attacks (incl. taking over the WDS master role, extracting WPA pairwise master keys from intra-AP communication etc) will be released at Black Hat Europe.

For more information regarding the conference please visit: www.blackhat.com

TROOPERS10

Heidelberg, 8-12 March 2010

TROOPERS10 - This time it's a home match.

This year we're bringing back the action right to the place where everything started: Heidelberg, Germany.

In 2007 the idea of a security conference without the usual product presentations, marketing blabla, and bull*ht-bingo was born – just pure practical IT security. After an enthusiastic response from our audiences in Munich we decided to evolve the concept into a full-blown conference combined with a series of workshops and round tables.

We're inviting (C)ISOs, IT auditors, sysadmins, security consultants and everyone who is involved with IT security to come to Heidelberg and get in touch with leading experts from all over the world. A number of workshops on Monday and Tuesday cover highly relevant topics in detail; on Wednesday and Thursday you'll learn about the latest developments, threats and achievements from world class security evangelists, experts and hackers. And on Friday we seat you at round tables right next to the speakers and fellow experts. You'll be able to discuss your own strategies and concerns with them face-to-face. You will be listened to, because at the end of the day we're all the same: TROOPERS in the infosec world.

TROOPERS10 is hosted by ERNW GmbH, an independent information security consultancy and assessment company from Heidelberg, Germany. In the past years, speakers from ERNW were invited all around the world to present their latest ITsec research results and to share their knowledge within the global hacking and infosec community. With this global experience in mind, in 2008 ERNW decided to launch an international conference in Germany. Reconfirmed by the success of the year 2009 edition we decided to step up and take this thing to the next level. Once more it's going to be an event unlike most other "security conferences": No pointless marketing talks, just high-end workshops with hands-on experiences and most important: You'll get real answers and practical benefits to meet today's and tomorrow's threats.

You're a TROOPER and your next boot camp is scheduled for 8 - 12th of March 2010, Heidelberg, Germany.


Please visit www.troopers.de for more information and sign-up.

BASTA! Spring 2010

Darmstadt, 22-26 February 2010

This is an event in Germany - talks at this event are normally held in German.

Freeware Security Tools for .NET Developers

Speaker: Michael Thumann

This session presents freely available security tools for .NET developers. From source code analyzers through useful libraries such as AntiXSS and ESAPI to threat modeling tools, developers are introduced to the tools, and their benefit is demonstrated using the Microsoft Security Development Lifecycle as an example. With the help of these tools, quality in software development can be increased massively even without introducing elaborate corporate processes.


Advanced Hacking

Workshop leader: Michael Thumann

The traditional Hacking Night School presents current attack techniques against web applications, for example SQL injection, and shows how these are exploited in combination with other attacks (e.g. against the Windows signed driver model) to compromise systems completely. The targets are the current server versions from Microsoft, namely Windows Server 2008 and SQL Server 2008.


Security & Compliance in Outsourcing

Speaker: Enno Rey

The talk covers legal aspects and common security measures when moving data or services to service providers. This can mean web hosting of applications or a complete move "into the cloud". The most important technical and contractual conditions are discussed and typical scenarios are presented.


For more information, visit: www.basta.net

Find the slides here:


ERNW_BASTAS_Spring2010_Security_und_Compliance_beim_Outsourcing.pdf (1MB)

ShmooCon 2010

Washington DC, 5-7 February 2010

WLCCP - Analysis of a Potentially Flawed Protocol

Speakers: Enno Rey, Oliver Roeschke

The world of "Enterprise WLAN solutions" is full of obscure and "non-standard" elements and technologies. One prominent example is Cisco's Structured Wireless-Aware Network (SWAN) architecture, composed of autonomous access points combined with some components for centralized management, and still deployed in a number of corporate networks. The proprietary "Wireless LAN Context Control Protocol" (WLCCP) plays a major role here. Unfortunately it seems the design of the protocol might be debatable in several aspects, leading to some theoretical and, well, practical vulnerabilities. In this talk we will describe the inner workings of this piece, dissect the vulnerable parts and have some discussion on good or bad protocol design. As usual, some demos will add spice and some code will be released.

Find more information and a video of the talk at www.shmoocon.org.

Download the slides here:


ERNW_ShmooCon2010_Cisco_Enterprise_Wlan_Sec.pdf (2MB)

IT Underground

Warsaw, 16-18 November 2009

IT Underground 2009 is held in Warsaw. Several ERNW experts are on-site, amongst others you'll meet: Roger Klose, Oliver Röschke and Matthias Luft. More to be announced soon.

For more information regarding the conference please visit: www.itunderground.org

Science Days 2009

Leipzig, 16-17 November 2009

All Your Packets are belong to us - Attacking Backbone Technologies

Speakers: Enno Rey, Daniel Mende

The year 2008 has seen some severe attacks on infrastructure protocols (SNMP, DNS, BGP). We will continue down that road and discuss potential and real vulnerabilities in backbone technologies used in today's carrier space (e.g. MPLS, Carrier Ethernet, QinQ and the like). The talk includes a number of demos (like cracking BGP MD5 keys, redirecting MPLS traffic on a site level and some Carrier Ethernet stuff) all of which will be performed with a new tool kit made available in our "Download" section. It's about making the theoretical practical, once more!

More information: www.hft-leipzig.de
Download the tools: Download section

Download the slides here:


ERNW_Science_Days_09_All_your_packets.pdf (1MB)

Paranoia 2009

Oslo, 29 October 2009

All your packets are belong to us - Attacking backbone technologies

Speakers: Daniel Mende, Roger Klose

The year 2008 has seen some severe attacks on infrastructure protocols (SNMP, DNS, BGP). We will continue down that road and discuss potential and real vulnerabilities in backbone technologies used in today's carrier space (e.g. MPLS, Carrier Ethernet, QinQ and the like). The talk includes a number of demos (like cracking BGP MD5 keys, redirecting MPLS traffic on a site level and some Carrier Ethernet stuff) all of which will be performed with a new tool kit made available in our "Download" section. It's about making the theoretical practical, once more!

More information: paranoia.watchcom.no
Download the tools: Download section

RSA Conference Europe 2009

London, 20-22 October 2009

Reversing Malware for Business Purposes

Speaker: Michael Thumann

This session will examine different ways to analyse malware for business purposes and discuss advantages and disadvantages of the approaches. It will introduce the most common online sandboxes and compare them to sandbox systems built individually. It will also cover the reverse engineering approach and draw some conclusions about which approach is useful in a business context.

Visit www.rsaconference.com for more information.

Day-Con III featuring PacketWars™

Dayton, 14-15 October 2009

The Day-Con III Keynote is delivered by Enno Rey.

More information: www.day-con.org

IIR "IT-Virtualisierung-Forum 2009"

Frankfurt, 7-8 October 2009

IIR IT-Virtualisierung-Forum 2009

Enno Rey gives a lecture on Risk Analysis concerning virtualized environments. Look here for a detailed agenda of the 2-day forum.

More information: www.iir.de

BruCON

Brussels, 18-19 September 2009

All your packets are belong to us - Attacking backbone technologies

Speakers: Daniel Mende, Roger Klose

The year 2008 has seen some severe attacks on infrastructure protocols (SNMP, DNS, BGP). We will continue down that road and discuss potential and real vulnerabilities in backbone technologies used in today's carrier space (e.g. MPLS, Carrier Ethernet, QinQ and the like). The talk includes a number of demos (like cracking BGP MD5 keys, redirecting MPLS traffic on a site level and some Carrier Ethernet stuff) all of which will be performed with a new tool kit made available in our "Download" section. It's about making the theoretical practical, once more!

More information: www.brucon.org
Download the tools: Download section

Download the slides here:


ERNW_BruCon_All_your_packets.pdf (1MB)

BASTA! 2009

Mainz, 21-25 September 2009

Secure the weakest Link - An holistic view on End-User Security

Speaker: Michael Thumann

This talk is held in German. Summary:

Securing modern (web) applications requires a deep understanding of the interplay of application, (operating) system, network protocols and databases. This session shows the methods and tools modern attackers use against applications and the data they process. Using practical demos (some of which participants can reproduce themselves during the session; own laptop required), the speaker shows where vulnerabilities are typically found that lie "outside the scope" of the developer. Also discussed is where infrastructure attacks against DNS or Internet routing (BGP), for instance, can affect the security of applications and why a holistic view of application security is therefore necessary. Furthermore, the various attacks against SSL are presented, along with which countermeasures make sense from a developer's perspective. Last but not least, the security-critical role of the often required database connection is discussed.

More information: here.

Download the slides here:


ERNW_Basta09_Secure_the_weakest_link.pdf (1021KB)

Hacking at Random 2009

Vierhouten, 13-16 August 2009

All your packets are belong to us - Attacking backbone technologies

Speakers: Daniel Mende, Simon Rich, Michael Schaefer

The year 2008 has seen some severe attacks on infrastructure protocols (SNMP, DNS, BGP). We will continue down that road and discuss potential and real vulnerabilities in backbone technologies used in today's carrier space (e.g. MPLS, Carrier Ethernet, QinQ and the like). The talk includes a number of demos (like cracking BGP MD5 keys, redirecting MPLS traffic on a site level and some Carrier Ethernet stuff) all of which will be performed with a new tool kit made available in our "Download" section.

Daniel Mende and his crew offer a workshop on MPLS Security at a conference for the first time. The workshop is free and will include heaps of hands-on learning. It's about making the theoretical practical, once more!

More information: www.har2009.org
Download the tools: Download section

Black Hat USA 2009

Las Vegas, 25-30 July 2009

Cloudifornication: Indiscriminate Information Intercourse Involving Internet Infrastructure

Speakers: Enno Rey, Chris Hoff

[19. July 2009] Update: Unfortunately Chris and Enno had to cancel the talk due to an executive scheduling issue on Chris' side. We hope to give it soon at another occasion.

What was in is now out. This metaphor holds true not only as an accurate analysis of adoption trends of disruptive technology and innovation in the enterprise, but also parallels the amazing velocity of how our datacenters are being re-perimeterized and quite literally turned inside out thanks to Cloud computing and virtualization. One of the really scary things happening with the massive convergence of virtualization and cloud computing is its effect on security models and the information they are designed to protect.

Where and how our data is created, processed, accessed, stored, backed up and destroyed in what is sure to become massively overlaid cloud-based services (and by whom and using whose infrastructure) yields significant concerns related to security, privacy, compliance and survivability. Further, the "stacked turtle" problem becomes incredibly scary as the notion of nested clouds becomes reality: cloud SaaS providers depending on Cloud IaaS providers which rely on Cloud network providers. It's a house of, well, turtles.

This "infrastructure intercourse" where your resources and data can be located anywhere makes it very interesting to try and secure your assets when you don't own the infrastructure and in most cases can't control the level of security. We will show multiple cascading levels of failure associated with relying on cloud on cloud infrastructure and services including exposing flawed assumptions and untested theories as it relates to security, privacy and confidentiality in the Cloud with some unique attack vectors.

More information: www.blackhat.com

IIR IT-Security Update

Frankfurt, 1 July 2009

IIR IT-Security Update with Enno Rey, Vojislav Kosanovic and Thomas Kopp

This event covers a broad spectrum of current IT-Security topics. Look here for a detailed agenda.

More information: www.iir.de

Bechtle Security Day [non-public]

Würzburg, 18 June 2009

Roger Klose and Matthias Luft presented at Bechtle Security Day in Würzburg. Their talks included a broad spectrum of current topics like "Targeted Attacks" and "Virtual Security". Please note that there's another event of this series taking place in Frankfurt.

Download the slides here:


ERNW_BechtleSecDay_Virtualisierungssicherheit.pdf (7MB)
ERNW_BechtleSecDay_Targeted_Attacks.pdf (3MB)
ERNW_BechtleSecDay_Sicherheit_in_Produktionsnetzen.pdf (3MB)

F-Secure Customer Event [non-public]

Munich, 18 May 2009

Matthias Luft and Daniel Mende gave a lecture on "Hacking Mobile Devices" at an event of F-Secure on 18th May. It featured a series of practical demos. We would be pleased to present the demos to your organization or be supportive with securing your mobile platforms.

Download the slides here:


ERNW_FSecure_Hacking_Mobile_Devices.pdf (3MB)

itsecurity & Troopers09

Munich, 22-23 April 2009

Reversing Malware for business purposes

Speaker: Michael Thumann

This talk covers different ways to analyze malware for business purposes and discusses advantages and disadvantages of the approaches. The most common online sandboxes are introduced and compared to sandbox systems that are built individually. The basic requirements and the mandatory tool set for building your own sandbox system are also defined. The tool set consists of analyzers, unpackers, debuggers and disassemblers, and the talk will also mention the steps that are needed for proper analysis of the malware. Finally, the countermeasures attackers use to defeat the analysis process are presented, along with some ways to mitigate them.


All your packets are belong to us - Attacking backbone technologies

Speakers: Daniel Mende, Simon Rich

The year 2008 has seen some severe attacks on infrastructure protocols (SNMP, DNS, BGP). We will continue down that road and discuss potential and real vulnerabilities in backbone technologies used in today's carrier space (e.g. MPLS, Carrier Ethernet, QinQ and the like). The talk includes a number of demos (like cracking BGP MD5 keys, redirecting MPLS traffic on a site level and some Carrier Ethernet stuff) all of which will be performed with a new tool kit made available at the con. It's about making the theoretical practical, once more!

Visit www.troopers09.org for more information, slides & videos.

Black Hat Europe

Amsterdam, 14-17 April 2009

All your packets are belong to us - Attacking backbone technologies

Speakers: Daniel Mende, Enno Rey

The year 2008 has seen some severe attacks on infrastructure protocols (SNMP, DNS, BGP). We will continue down that road and discuss potential and real vulnerabilities in backbone technologies used in today's carrier space (e.g. MPLS, Carrier Ethernet, QinQ and the like). The talk includes a number of demos (like cracking BGP MD5 keys, redirecting MPLS traffic on a site level and some Carrier Ethernet stuff) all of which will be performed with a new tool kit made available at the con. It's about making the theoretical practical, once more!

Additional material:

Check out darkreading.com for an interview with Enno Rey.
Download the tools released with this talk.


ERNW_BlackHatEurope09_all_your_packets.pdf (1MB)
ERNW_White_paper_All_your_packets.pdf (978KB)

IT UNDERGROUND

Prague, 23-25 March 2009

First Day Workshop
Attacking Endpoints

Speakers: Roger Klose, Matthias Luft

This workshop is focused on techniques by which endpoints (workstations or laptops) can be owned remotely or when physical access is available. In times of workstations with their CD/DVD drives removed and USB blocked even the latter might not always be an easy task. In the past we performed quite a number of assessments where we had to get control over some endpoint and we have compiled/developed our own toolset for this purpose. The audience will get a CD with this stuff and will have the opportunity to practice most attacks in the classroom. After a detailed discussion of attacks we will also cover ways to protect computers against these attacks and various mitigating controls.


Second Day Talk
Reversing Malware

Speakers: Michael Thumann, Michael Schaefer


Third Day Talk
All your packets are belong to us - Attacking backbone technologies

Speakers: Daniel Mende, Simon Rich

The year 2008 has seen some severe attacks on infrastructure protocols (SNMP, DNS, BGP). We will continue down that road and discuss potential and real vulnerabilities in backbone technologies used in today's carrier space (e.g. MPLS, Carrier Ethernet, QinQ and the like). The talk includes a number of demos (like cracking BGP MD5 keys, redirecting MPLS traffic on a site level and some Carrier Ethernet stuff) all of which will be performed with a new tool kit made available at the con. It's about making the theoretical practical, once more!

BASTA! 2008

Mainz, 22-26 September 2008

What a developer can do (wrong) – An architect‘s view

Speaker: Enno Rey


ERNW_BASTA09_what_a_developer.pdf (4MB)

ShmooCon 2009

Washington DC, 6-8 February 2009

All your packets are belong to us - Attacking backbone technologies

Speakers: Daniel Mende, Enno Rey

The year 2008 has seen some severe attacks on infrastructure protocols (SNMP, DNS, BGP). We will continue down that road and discuss potential and real vulnerabilities in backbone technologies used in today's carrier space (e.g. MPLS, Carrier Ethernet, QinQ and the like). The talk includes a number of demos (like cracking BGP MD5 keys, redirecting MPLS traffic on a site level and some Carrier Ethernet stuff) all of which will be performed with a new tool kit made available at the con. It's about making the theoretical practical, once more!


Exploring Novel Ways in Building Botnets

Speakers: Daniel Mende, Enno Rey

Botnets are widely regarded as the most imminent threat to the internet's infrastructure security. While a bot's lifecycle has mostly stayed the same (initial infection, C+C contact, download of payloads/instructions, performance of malicious actions) for some time now, the communication structures are currently undergoing a shift in direction of P2P methods. In this talk we will cover some novel ways in mobilizing well-known and not-so-well-known protocols within botnets. Amongst others we will show how to perform quite efficient DoS attacks without prior OS exploitation and how to abuse some servers run by Microsoft itself for downright untraceable C2 communication and payload distribution.


ERNW_shmocon09_all_your_packets.pdf (1MB)

Ethernet Services Product Evolution

Brussels, 2-4 February 2009

Guaranteeing data and network security in Ethernet networks for business customers

Speaker: Enno Rey


ERNW_ESPE09_security_ethernet_networks.pdf (3MB)

Deepsec 2008

November 11–14, The Imperial Riding School Vienna, Austria

Exploring Novelty Ways in Building Botnets

Speaker: Simon Rich & Daniel Mende

Botnets are widely regarded as the most imminent threat to the internet's infrastructure security. While a bot's lifecycle has mostly stayed the same (initial infection, C+C contact, download of payloads/instructions, performance of malicious actions) for some time now, the communication structures are currently undergoing a shift in direction of P2P methods. In this talk we will cover some novelty ways in mobilizing well-known and not-so-well-known protocols within botnets. Amongst others we will show how to perform quite efficient DoS attacks without prior OS exploitation and how to abuse some servers run by Microsoft itself for downright untraceable C2 communication and payload distribution. Additionally some code for an intelligent agent's "phone home" without direct IP based communication channel will be discussed and released.


ERNW_Novel_ways_to_build_botnets.pdf (4MB)

IT UNDERGROUND

Warsaw, 27-29 October 2008

First Day Workshop
Modern offensive techniques

Speakers: Daniel Mende, Michael Schaefer

Second Day Talk
A first inspection of Microsoft's Hyper-V security

Speakers: Enno Rey & Roger Klose

It is expected that Microsoft's Hyper-V will rapidly gain ground in the ever emerging virtualization market. Still, the crucial question remains: how trustworthy is this piece as for isolation of guests and protection of the hypervisor itself and management interfaces. This talk tries to give a first answer. I will present the design and architectural components of Hyper-V, explain configuration tweaks and pitfalls and discuss hardening steps & tools. Furthermore the results of in-depth security testing of Hyper-V will be published. Some fuzzing demo against various pieces of Hyper-V is included and I will provide a detailed comparison of the security features and potential weaknesses of Hyper-V and VMware ESX.

Third Day Talk
Exploring Novel Ways in Building Botnets

Speakers: Daniel Mende & Simon Rich

Botnets are widely regarded as the most imminent threat to the internet's infrastructure security. While a bot's lifecycle has mostly stayed the same (initial infection, C+C contact, download of payloads/instructions, performance of malicious actions) for some time now, the communication structures are currently undergoing a shift in direction of P2P methods. In this talk we will cover some novelty ways in mobilizing well-known and not-so-well-known protocols within botnets. Amongst others we will show how to perform quite efficient DoS attacks without prior OS exploitation and how to abuse some servers run by Microsoft itself for downright untraceable C2 communication and payload distribution. Additionally some code for an intelligent agent's "phone home" without direct IP based communication channel will be discussed and released.

Meet us at the Systems

21.-24.10.2008 in Munich


ernw_-_datensicherheit_opensource_mschaefer_de.pdf (760KB)

Day-Con II 2008

October 10-12, 2008 / Crowne Plaza Dayton, Ohio

Microsoft's Hyper-V Security

Speaker: Enno Rey

It is expected that Microsoft's Hyper-V will rapidly gain ground in the ever emerging virtualization market. Still, the crucial question remains: how trustworthy is this piece as for isolation of guests and protection of the hypervisor itself and management interfaces. This talk tries to give a first answer. I will present the design and architectural components of Hyper-V, explain configuration tweaks and pitfalls and discuss hardening steps & tools. Furthermore the results of in-depth security testing of Hyper-V will be published. Some fuzzing demo against various pieces of Hyper-V is included and I will provide a detailed comparison of the security features and potential weaknesses of Hyper-V and VMware ESX.

Application Trustworthiness

Speaker: Michael Thumann

This talk covers the different test methodologies used to decide if an application can be used securely in a business environment. From blackbox testing, fuzzing and source code review to reverse engineering, all the different approaches that are used by ERNW to conduct these kinds of tests in real life are explained. Finally the metric used in the assessments will be presented to give an idea of how the results and findings can be used to answer the question "can we trust this application?" in a comprehensible way.

Exploring Novelty Ways in Building Botnets

Speakers: Daniel Mende & Simon Rich

Botnets are widely regarded as the most imminent threat to the internet's infrastructure security. While a bot's lifecycle has mostly stayed the same (initial infection, C+C contact, download of payloads/instructions, performance of malicious actions) for some time now, the communication structures are currently undergoing a shift in direction of P2P methods. In this talk we will cover some novelty ways in mobilizing well-known and not-so-well-known protocols within botnets. Amongst others we will show how to perform quite efficient DoS attacks without prior OS exploitation and how to abuse some servers run by Microsoft itself for downright untraceable C2 communication and payload distribution. Additionally some code for an intelligent agent's "phone home" without direct IP based communication channel will be discussed and released.

More information


ERNW_DayConII_microsoft_hyperV_security.pdf (904KB)
ERNW_DayConII_application_trustworthiness.pdf (5MB)

ekoparty Security Conference - 4th edition

Buenos Aires, 2-3 October 2008

Exploring Novelty Ways in Building Botnets

Speakers: Simon Rich & Daniel Mende

Botnets are widely regarded as the most imminent threat to the internet's infrastructure security. While a bot's lifecycle has mostly stayed the same (initial infection, C+C contact, download of payloads/instructions, performance of malicious actions) for some time now, the communication structures are currently undergoing a shift in direction of P2P methods. In this talk we will cover some novelty ways in mobilizing well-known and not-so-well-known protocols within botnets. Amongst others we will show how to perform quite efficient DoS attacks without prior OS exploitation and how to abuse some servers run by Microsoft itself for downright untraceable C2 communication and payload distribution. Additionally some code for an intelligent agent's "phone home" without direct IP based communication channel will be discussed and released.

 

Basta! 08

22 - 26 September 2008, Rheingoldhalle Mainz

From Ariane 5 To Sasser – Code security in complex environments

Speaker: Enno Rey

This talk deals with the meaning of software security for complex environments and discusses ways of avoiding typical risks at the architecture level. Various methods will be presented which prevent the execution of untrustworthy or incorrect code in shared environments. Furthermore, showcases will be discussed: how to limit the code's destructive capacity. The role of privileges, compartments and capabilities and their impact on the overall security of the ecosystem is often underrated and disregarded in the development process.

Software security testing

Speaker: Michael Thumann

This talk deals with the various software security testing methods. The following topics, among others, will be raised: blackbox testing and fuzzing, source code analysis, source code recovery by means of reverse engineering and de-compilation, runtime analysis and manual testing of applications. Furthermore some helpful and necessary tools will be introduced, which are used during ERNW audits. Finally a few security metrics facilitating the analysis of results will be discussed.


Michael_Thumann-SecurityTesting.pdf (3MB)

Mobile & Wireless Security Forum 2008

16 – 17 September 2008, Dorint Hotel, Cologne

Forum's chairman: Enno Rey

iPhone - Funky Gadget, Hacker Device or just a Security Risk?
Speaker: Michael Thumann

With the iPhone, Apple has launched a multifunctional portable device. Its usage concept is revolutionary and appeals to most people. Its Mac OS X based user interface provides the user with nearly inexhaustible possibilities for extension. Its new software allows its use in big companies and is also a perfect tool for top management. This talk deals with the possibilities and the security risks of the iPhone and describes its use as a business device and as a hacking tool. You will find out if your company is "iPhone ready".


iphone-ernw.pdf (4MB)

IT-Symposium 2008

4 - 5 June 2008 - Sheraton Congress Hotel, Frankfurt

Speakers:

Enno Rey:
Voice-over-IP, Attacks and Countermeasures

Roger Klose:
Security aspects of virtualization with a focus on VMware ESX
Fuzzing of infrastructure protocols - Methodology, Tools & Results

 

1B05_erey_ss7_security.pdf (1MB)
1B05_erey_voip_risk_analysis.pdf (468KB)
1B05_ernw_voipsec.pdf (3MB)
DECUS_Infrastructure_Fuzzing.pdf (2MB)
DECUS_VirtSec_und_ESX.pdf (3MB)

IIR Windows Forum

03-04 June 2008, Radisson SAS Schwarzer Bock, Wiesbaden

Windows Server 2008 and virtualization in practice

Speaker: Friedwart Kuhn

PKI rollout in a national organisation
• Tasks of the PKI in the organisation
• CA Hierarchy of the organisation
• The rollout
• Technical components
• Organisational components
• Interim result

More information

ComConsult IT-Security-Forum 2008

26.05. - 29.05.08, Frankfurt

Security aspects of the virtualized environment
Speaker: Roger Klose

• Threats & Vulnerabilities in virtualized environments
• Definition of criteria for a "safe virtualization"
• Virtual appliances & virtual Shields - Concepts & Products
• Overview of measures
27.05.2008, 15:15 – 16:00

Workshop: VMware - Attacks and security measures with live attack demos
Speaker: Roger Klose

• Overview of attacks in VMware environments (especially VMware ESX)
• Discussion about attacks with the participants
• Demo "VM Backdoor" attacks against management interfaces
• Demo attacks on the network level
• Classification of mitigating controls (network, storage, management)
• Risk assessment & evaluation of measures
28.05.2008, 9:00 - 12:30


VirtSec_Training_and_Workshop_v.0.9.2_Vortrag.pdf (3MB)

Metaverse 08

27.05 - 28.05.2008 Karlsruhe / Convention Center

"Hacking Second Life"
Speaker: Michael Thumann
Examining the virtual world of Second Life from a hacker's point of view and seeing the risks.
The talk "Hacking Second Life" is made up of the following points:
- Short introduction: Why are attacks against online games and metaverses so interesting for hackers?
- SL architecture: how is the SL architecture built?
- Based on Microsoft STRIDE some interesting attacks will be identified
- Analysis of the SL Viewer. Is the identity of the SL user protected enough; is it possible to cheat?
- Short overview of the security level of the Linden Labs architecture
- Attacks from the virtual world against real systems, with demo
- Are those attacks practicable?
- A short outlook on the future

Troopers08 Hacking Conference

23. & 24. April 2008 / Kempinski Airport Hotel, Munich, Germany

Troopers08 is a Hacking Conference. Its goal is to share in-depth knowledge about the aspects of attacking and defending information technology infrastructure and applications. The featured presentations and demonstrations represent the latest discoveries and developments of the global hacker scene and will provide the audience with valuable practical know-how.
More information.

Hack In The Box Security Conference

14th - 17th April 2008 United Arab Emirates

The main aim of the HITBSecConf conference series is to enable the dissemination, discussion and sharing of deep knowledge network security information. Featuring presentations by respected members of both the mainstream network security arena as well as the underground or black hat community, HITBSecConf2008 - Dubai will see over 20 of the world’s leading network security specialists talk about their latest tools and research.

Speaker: Michael Thumann
Beyond being an online game SecondLife is a growing marketplace for big companies where a lot of money is made. And living and acting in a virtual world gives people the opportunity to do things they would never do in real life. Therefore, it is not surprising that SecondLife has increasingly attracted real world hackers.

The talk will cover the basic architecture of SecondLife and point out the possible attack vectors against SecondLife itself, but will also demonstrate hacks from the inside of SecondLife against real-life systems in the internet. So watch out what virtualization can do for the “Bad Guys”.

IT Security 2008

15-16 April 2008, Munich

IT Security is nowadays a very important topic. The threats are various and omnipresent.
It is therefore fundamental to be prepared.

Speakers: Roger Klose
Cisco Advanced Hacking

Roger Klose & Gunther Niehues:
Vulnerabilities of virtualization software: Hacking VMware ESX


ERNW_ESX-(In)Security.pdf (5MB)
ERNW_Cisco_Hacking.pdf (3MB)

RSA Conference 2008

April 7-11, San Francisco

Speaker: Michael Thumann

Reversing - A Structured Approach
For many people Reverse Engineering sounds like magic, but it's yet another methodology to understand what soft- and hardware is doing. This session will cover the methodology and tools that are used in our company to answer very specific customer questions relating to software. Examples will be provided during this session to demonstrate the efficiency of this structured approach.
More information

Notacon 5

4 - 6 April, Cleveland / Ohio

Speakers: Enno Rey & Bryan Fite

Topic: Data Loss Protection - Hope or Hype?

To lose control over one's own data is one of the primal fears of the digital age. More than ever this applies in particular to the world of corporations and organizations with all their trade secrets and peachy marketing plans to be protected from leaking outside. To prevent such leakage is the promise of salvation of a new set of security tools called "Data Loss Protection" or "Extrusion Prevention" solutions. All relevant vendors are already offering such pieces (mostly by acquisition of smaller companies specialized in the field).
This talk will discuss why the approach these solutions take will fail in most environments and which pre-requisites must be fulfilled before even thinking about such a piece. We will further discuss on a structural level how individuals and organizations can use the existing tool set of the infosec space to protect their sensitive data.
More information

Black Hat Europe 2008 Briefings & Training

March 25-28, Moevenpick City Centre / Amsterdam, Netherlands

The Black Hat Briefings are a series of highly technical information security conferences that bring together thought leaders from all facets of the infosec world – from the corporate and government sectors to academic and even underground researchers. The environment is strictly vendor-neutral and focused on the sharing of practical insights and timely, actionable knowledge.

Speaker: Michael Thumann
Hacking Second Life
Beyond being an online game SecondLife is a growing marketplace for big companies where a lot of money is made. And living and acting in a virtual world gives people the opportunity to do things they would never do in real life. Therefore it is not surprising that SecondLife has increasingly attracted real world hackers. The talk will cover the basic architecture of SecondLife and point out the possible attack vectors against SecondLife itself, but will also demonstrate hacks from the inside of SecondLife against real-life systems in the internet. So watch out what virtualization can do for the "Bad Guys".

Telecoms Fraud & Network Security

Mon 10 Mar 2008 - Thu 13 Mar 2008 / Hilton Amsterdam, Amsterdam, Netherlands

This intensive conference will provide a senior level and exclusive knowledge sharing forum for fixed and mobile network operators from across the globe, providing you with critical business information to radically reduce fraud and network security threats. IIR’s annual event has long been considered the leading telecoms fraud conference and year on year attracts a formidable number of network operators enabling attendees to network and build excellent contacts with senior telecoms fraud and security professionals.

Speaker: Enno Rey
Topic: Developing Strategies To Protect SS7 From Manipulation And Abuse


erey_ss7_security_v07.pdf (1MB)

IT Underground 2008

27.02 - 29.02 Hotel STEP, Prague, Czech Republic

Speakers:
Daniel Mende and Oliver Roeschke
Advanced Network Security

Enno Rey
Data Loss Protection - Hope or Hype?

Daniel Mende and Simon Rich
The Art of Protocol Fuzzing


erey_dlp_hype_hope_v091.pdf (975KB)

ShmooCon Hacker Convention

February 15-17, 2008 / Wardman Park Marriott Hotel, Washington DC

ShmooCon is an annual East coast hacker convention hell-bent on offering three days of an interesting atmosphere for demonstrating technology exploitation, inventive software & hardware solutions, and open discussions of critical infosec issues.

Speakers: Enno Rey and Daniel Mende
Advanced Protocol Fuzzing - What We Learned when Bringing Layer2 Logic to "SPIKE Land"
The talk is based on a research project whose goal was to evaluate the security of network devices used in carrier space. After some (very short) introduction into the main concepts of fuzzing (in particular of network protocols) we will explain which options of existing fuzzers and frameworks we found and why we finally chose SPIKE. Given SPIKE has no Layer2 functionality by default we were forced to write some additional modules like a (libnet-based) generic Layer 2 packet generator and lots of SPK-scripts for different protocols. We will describe this development process, the pitfalls and lessons learned. Furthermore we will release all the code and discuss the results of performing extensive fuzz-testing of network devices and some common operating systems.

Tech Forum: "Desktop Virtualization and Thin Client Computing"

22.01.2008, Munich, Holiday Inn Munich-City Centre

High Security Duo SBC and Thin Clients

Speaker: Roger Klose

Security and compliance aspects on server and client side. Higher security and easier compliance to legal regulation with SBC and TCs; data management entirely based on server vs. local storage, VPNs, Identity-Management with Tokens/Smartcards, PKI, use of ADS, USB port safety, Spyware prevention.

 
Talk of Roger Klose
SBC_und_ThinClients_V15_RK.pdf (1MB)

Konradin Congress: "Technical Information for the health care"

05.12.2007, Düsseldorf, Radisson SAS Scandinavia Hotel Düsseldorf

Speaker: Enno Rey
Topic: Secure WLAN meeting the requirements of the data protection

The PDAs and notebooks of doctors and hospital staff facilitate and improve patient care and make sure that the medical staff always get important information. WLAN technology has to be extremely reliable in order to fulfill the high demands of medical institutions. In this conference you will learn to what extent the state of the technology meets these requirements.

Laboratory-IT Forum, 04-05 December 2007

Holiday Inn Heidelberg

Future Trends of laboratory IT

Wireless Local Area Network (WLAN) - The Wireless Networked Laboratory
- WLAN - Mobility support in the laboratory
- Is WLAN a better solution than a complex and expensive cable-bound net?
- Security aspect - Is WLAN more vulnerable than the cable-bound net?

Solution congress "IT-security for people"

04.12.2007, Düsseldorf, Radisson SAS Scandinavia Hotel Düsseldorf

Topics:

- People and IT-security
- Awareness campaigns
- Identity management
- Network Access Control
- Industrial espionage

Security Education Conference Toronto (SecTor)

Nov 20 / 21, 2007

Speaker: Dror-John Röcher & Michael Thumann
Topic: Attacking Cisco Network Admission Control

Solution congress: "virtualization"

12.11.2007, Munich, Hotel Hilton City München

Speaker: Enno Rey
Virtualization security

According to recent surveys, half of IT managers plan to virtualize large parts of their data centers within the next 12 months. Meanwhile 43 % of them worry about security. In this conference, you will learn what security risks may result from virtualization. Vulnerabilities and countermeasures will be discussed using the example of important commercial solutions, and concrete attack scenarios will be demonstrated.

 

IT Underground 2007

7.11 - 9.11. Warsaw

Advanced Network Security
Speakers: Enno Rey, Daniel Mende

This conference focuses on the realisation of IT security at the level of the network infrastructure. Usually security is implemented at single points of a network (e.g. at firewalls or on important servers). The network-infrastructure perspective is often neglected. The growing complexity of network structures brings along many risks for secure traffic and high availability. You will learn what kinds of dangers exist at the network level and how efficient security measures can be implemented.

Securing Linux and FreeBSD webservers with kernel based security mechanisms
Speakers: Enno Rey, René Graf

What History can Tell us - An Introduction to Multi Level Security
Speaker: Enno Rey


erey_mls_v09.pdf (2MB)

Meet us at the Systems

23.10. - 26.10.2007 in Munich

Michael Thumann "Second Life Hacking" at the Systems.
Hacking2ndLife-en_ger.pdf (805KB)

NextGen CyberCrime

22.-25. October 2007, Singapore


erey_carriers_cybercrime.pdf (755KB)
erey_network_security.pdf (845KB)

Day-Con 2007

12.-14. October 2007, Dayton USA

Speaker: Enno Rey
Topic: Advanced Protocol Fuzzing - What We Learned when Bringing Layer2 Logic to "SPIKE Land"

The talk is based on a research project whose goal was to evaluate the security of network devices used in carrier space. After some (short) introduction into the main concepts of fuzzing (in particular of network protocols) we will explain which options of existing fuzzers and frameworks we found and why we finally chose SPIKE. Given SPIKE has no Layer2 functionality by default we were forced to write some additional modules like a (libnet-based) generic Layer 2 packet generator and lots of SPK-scripts for different protocols. We will describe this development process, the pitfalls and lessons learned. Furthermore we will release all the code and discuss the results of performing extensive fuzz-testing of network devices and some common operating systems.


erey_virtualization_v099r.pdf (879KB)
l2_fuzzing_v099r.pdf (522KB)
Hacking2ndLife-en.pdf (805KB)

Carrier Ethernet World Congress

24.-28. September 2007, Geneva

Speaker: Enno Rey
28. September
Topic: Understanding and mitigating the security issues for Ethernet-based networks and services

Conference Enno Rey
erey_security_ethernet_services.pdf (724KB)

Conference: Security Eye 2007

18 September 2007, Frankfurt

Topic: Vulnerability Scoring with CVSS 2.0

Speaker: Dror-John Röcher

The transparent and comprehensible assessment of vulnerabilities is becoming ever more important, and not only because of compliance requirements. The correct assessment of vulnerabilities is also decisive for efficient patch management. On the one hand, with the recently released version 2.0, CVSS has taken a big qualitative step in the right direction; on the other hand, CVSS is emerging as the coming vendor-independent standard for the assessment of vulnerabilities. Besides presenting and discussing CVSS 2.0, the talk aims to examine in which scenarios and under which constraints CVSS can sensibly be used.


cvss-patch02x.pdf (2MB)

Wireless & Mobile Security 2007

17.-19. September 2007, Cologne

Topics:
- Bluetooth Hacking
- Spying and sabotage by radio network
- Blackberry-Security
- Encryption and communication security
- Security aspects of mobile operating systems

You can meet our specialists Enno Rey, Michael Thumann and Dror-John Röcher there. You can find more information here.


sdn2007-04x.pdf (3MB)

ISACA - Network Security Conference

10.-12.09.2007, Las Vegas

Topic: Network Security on Layer 2 and 3 (12.09.2007, 11:00-12:30)
Speaker: Enno Rey

HITBSecConf2007

03.-06.09.2007, Malaysia

Topics: Attacking Cisco Network Admission Control – NAC@ACK
Speakers: Michael Thumann & Dror-John Röcher

The last two years have seen a big new marketing-buzz named “Admission Control” or “Endpoint Compliance Enforcement” and most major network and security players have developed a product-suite to secure their share of the cake. While the market is still evolving one framework has been getting a lot of market-attention: “Cisco Network Admission Control”. NAC is a pivotal part of Cisco’s “Self Defending Network” strategy and supported on the complete range of Cisco network- and security-products. From a security point of view “NAC” is a very interesting emerging technology which deserves some scrutiny. The Cisco NAC solution contains two major design-flaws which enable us to hack (at least) two of the three different variants using some kind of “posture spoofing attack”. We will demonstrate code & tool for posture spoofing in Cisco NAC secured networks.


D1T1-MichaelThumannandDror-JohnRoecher-HackingCiscoNAC.pdf (4MB)

BlackHat USA, 2007

01.-02. August 2007, Las Vegas

Topic: NACATTACK
Speakers: Dror-John Röcher & Michael Thumann

Part I: Introduction—Marketing Buzz:
The last two years have seen a big new marketing-buzz named "Admission Control" or "Endpoint Compliance Enforcement" and most major network and security players have developed a product-suite to secure their share of the cake. The market is still evolving, and one framework has been quite successful on the market: "Cisco Network Admission Control". NAC is a pivotal part of Cisco’s "Self Defending Network" strategy and supported on the complete range of Cisco network- and security-products. From a security point of view “NAC” is a very interesting emerging technology which deserves some scrutiny. We are able to hack the Cisco NAC-solution by exploiting a fundamental design flaw.

Part II: NAC Technology—How it works:
The basic idea behind Cisco NAC is quite simple: Before allowing a client admittance to the network the client is tested against a predefined set of “policies”. These tests are performed by a backend system (a Cisco ACS) which processes credentials supplied by the client against one or more administrator-defined policies. Based on the result of these tests a client is categorized and a well-defined access-level to the network is granted. While the client is connected to the network it is repeatedly rechecked and the state of the client is reassessed. On a somewhat more technical layer the communication takes place using EAP over UDP with undisclosed Cisco-proprietary EAP messages and the UDP connection itself is secured using SSL. The connection-point to the network (e.g. the switch, wireless AP, Firewall, Router, etc.) acts sort of as a "translating proxy" between the client talking EAPoU and the Cisco Secure ACS server talking RADIUS [Client <-EAPoU-> Switch <-RADIUS-> ACS]. Besides this "proxy"-functionality the connection-point also acts as an enforcing element of the security policy. Three somewhat different deployment flavours of Cisco NAC exist but the underlying concept “admittance-level based on the result of a test” is always the same.

For every NAC-enabled application on the client a client-side agent provides so-called “credentials” to the ACS server where they are compared against the defined tests to derive a “posture token” per application. From all application posture tokens an overall “system posture token” is inferred which determines the access-level granted to the client. The client-side agent of the framework responsible for the communication is the “Cisco Trust Agent” (CTA) which also includes the capability to report a few basic credentials (e.g. OS Version, Hostname, etc.) without an additional NAC-enabled application. The CTA contains an API enabling third-party vendors to hook their applications into the NAC framework. Anti-Virus Vendors have been among the first to join the NAC-Alliance formed by Cisco.

Part III: The Problem—NAC is not “secure by design”:
The Cisco NAC solution contains at least one major design-flaw which enables us to hack (at least) two of the three different variants: The server authenticates itself to the client using a server-certificate and client and server establish a secure tunnel (something like “SSL over UDP”), but the client does not authenticate itself to the server, so we have a situation in which a component (the client) is authorized without prior authentication. After realizing this fundamental design-error, the idea of a “posture spoofing attack” was born and research started with evaluating different attack-vectors for their feasibility. In the end we decided to analyse the protocols used within the framework and code our own “NAC-client” which provides the ACS with attacker-supplied-credentials in order to get illegitimate access to NAC-secured networks.

Part IV: The Hack—how we did it
NAC is a complex system involving different protocols which are used in an odd combination. Especially the usage of SSL over UDP/EAP-FAST over UDP made the usage of SSL-Proxies for man-in-the-middle attacks or clear-text-traffic-analysis with standard methods impossible. So instead of focusing on the network-traffic (which was our first approach—“stare at the packets until you understand them”), we decided to focus on the client first. Analysing the CTA client in different versions and on different operating systems revealed some of the inner workings of the protocols. Besides “Client analysis” we built a NAC test-lab and developed a “NAC-test-suite” to implement different “admission-scenarios”. While running these tests we hooked into the interesting functions of the client in order to understand the functions used and their (inter)dependencies. As a next step we started coding our own NAC client to get a better insight into the communication process. The first goal was to get a clear text dump of the communication by establishing the secure tunnel. The next goal was to provide our own credentials to the ACS in order to get access to the NAC protected network. We will release our "NAC-Credential-Spoofing"-tool at the conference along with our insight into the operation of NAC.

Part V: Our proposed talk
We do not wish to simply release a tool; we want the audience to understand how Cisco NAC works, why it is not as secure as Cisco wants us to believe and which mitigations exist, if NAC is implemented (there actually exist mitigations and secure setup-approaches). We will present our approach, disclose technical details yet unpublished and release our tool. As an “add-on”-benefit we will explain how to tackle a complex system like NAC when doing security research.

Dror-John Roecher has enjoyed working with Cisco stuff for more than eight years and is usually busy assessing the security of enterprise networks and data-centers. He works as a senior security consultant for Germany-based ERNW GmbH all over Europe and has published multiple whitepapers on security-related topics. He is a seasoned speaker and enjoys sharing his experience with his audience.

The last two years have seen him develop additional points of interests, as e.g. “Mobile Security” [he simply loves to play around with all the newest funky gadgets] and “Endpoint Security”—but at the heart he still is a networker.

Michael Thumann is Chief Security Officer and head of the ERNW "Research" and "Pen-Test" teams. He has published security advisories regarding topics like 'Cracking IKE Preshared Keys' and Buffer Overflows in Web Servers/VPN Software/VoIP Software. Michael enjoys sharing his self-written security tools (e.g. 'tomas—a Cisco Password Cracker', 'ikeprobe—IKE PSK Vulnerability Scanner' or 'dnsdigger—a dns information gathering tool') and his experience with the community. Besides numerous articles and papers he wrote the first (and only) German Pen-Test Book that has become a recommended reading at German universities. In addition to his daily pentesting tasks he is a regular conference-speaker and has also contributed exploit code to the Metasploit Framework. With more than 10 years of experience in computer security Michael's main interest is to uncover vulnerabilities and security design flaws from the network to the application level.

Tech Forum: "IT-Services und -Strategie/ IT Service Management"

28 June 2007, Munich

Topic: "Captain, Iceberg Ahead" - What we can learn from the Titanic about incident response processes.
Speaker: Friedwart Kuhn

 

IIR Forum "IT-Sicherheit in der Produktion"

27-28 June 2007, Stuttgart

Topic: Wireless LAN in Production (27 June 2007, 14:15-15:00)
Firewalls in Industrial and Production Environments (27 June 2007, 16:15-17:00)
Speaker: Dror-John Röcher

- Segmentation of production networks
- Current state of WLAN security - attack methods & security technologies, protocols
- Managed vs. unmanaged access points, products and security discussion
- WLAN design and segmentation
- Access point security - hardening and secure operation
- Important processes (rollout, management, intrusion detection)
- New approaches, protocols, problems
- Use of firewalls


Topic: Firewalls in Industrial and Production Environments
Speaker: Dror-John Röcher

* Security in production networks
* Do production networks differ greatly from office networks?
* Requirements for the components
* Practical example: introducing firewalls in a large, decentralized production environment


Workshop: Risk Analysis as a Tool for Efficiently Steering IT Security (29 June 2007, 9:00-17:00)
Speaker: Enno Rey

- Methods and tools
- Application scenarios and practical examples
- Necessary tables and checklists

 
Download of the talk "Firewalls for Production - a Field Report"
industrial-firewall-0.4dr.pdf (5MB)
Download of the talk "Wireless LANs in Production"
industrial-wlan_01dr.pdf (5MB)

Tech Forum

20-21 June 2007, Düsseldorf

Topic: Firewalls in Industrial and Production Environments
Speaker: Dror-John Röcher

 

IIR Windows Forum

18-21 June 2007, Cologne

Speaker: Friedwart Kuhn
Windows Vista Security
UAC and Mandatory Integrity Control (MIC)
BitLocker
Services Hardening
Code-Integrity
Internet Explorer
Auditing

 

Solution Kongress "VoIP"

14 June 2007, Munich

Topic: VoIP Security
Speaker: Roger Klose

Mr. Klose's talk is available for download here.
ernw_voip_assessment_rk.pdf (3MB)

Tech-Forum Industrial Ethernet/Security

12-13 June 2007, Stuttgart

Topic: Industrial Firewalls
Speaker: Dror-John Röcher

(in German)
ERNW_Industrial-Firewall-03dr.pdf (4MB)

Solution Kongress "Security"

23-24 May 2007, Munich

Topic: tba
Speaker: tba

 

TRISC

15-17 May 2007, Austin

Topic: SNMP, Routing Security (16 May 2007)
Speaker: Enno Rey

 

ComConsult ITSF 2007

07-10 May 2007, Königswinter

07 May 2007: "Secure Network Management", Speaker: Enno Rey
08 May 2007: "MPLS Security", Speaker: Enno Rey

 

FutureNet

April 30 - May 3, New York

MPLS Security Methodology
Speaker: Enno Rey

Are They Secure? How to Assess MPLS Providers From a Customer Perspective?

One of our clients, a multi billion revenue corporation with HQ in New York is currently in the course of a world wide network migration to MPLS based structures. Given the absolute priority of information security at our client and against the background that MPLS-VPNs are not regarded as a "trustworthy technology" in itself an internal evaluation methodology was developed to rate the eligible carriers as for their security/trustworthiness. This methodology consists of detailed questionnaires delivered to the carriers, extensive lab testing together with carrier personnel and on-site reviews. During the talk the methodology and some of the results will be presented and discussed. We will share our experiences and learning curve with the audience. Service providers will learn what security-sensitive customers will expect from them and enterprise people will get an idea how to conduct such an assessment.

 

ernw_are_they_secure.pdf (547KB)

NOTACON

27-29 April 2007, Cleveland, OH, USA

Topic: "Kid Tracking" (28 April 2007, 11:00)
Speaker: Enno Rey
Abstract:
"RFID technology has many (ab-) uses. Amongst them are so called localization services that permit to inventory cattle or to detect lost kids in theme parks. The same approach can also be found in GPS-based tracking services used to follow movements of delinquents on probation. On the other side these techniques seem pretty appealing for parents desiring to track their children to prohibit kidnapping or to locate them after accidents. Several questions quickly arise though: when should such a 'track your kid' thing be applied, when, if ever, removed? Do we really want to put our children in the panopticon Michel Foucault describes in 'Discipline and Punish'? In which way must we re-think our own responsibilities? The talk will give an overview of the tools involved and their current state-of-implementation. Using some risk analysis method I will then illustrate potential problems (security-/privacy-wise) and discuss the social implications of this technology."

 

IT-Security 2007

18-19 April 2007, Munich

Speaker: Roger Klose
Workshop Topic: Secure Network Management (18 April 2007)


Speaker: Dror-John Röcher
Topic: "Blessing or Curse? - Cisco Network Admission Control" (18 April 2007)

 
Presentation Routing-Security, Dror-John Röcher
itsecurity07_routing_sec_dr_02.pdf (538KB)
Presentation MPLS-Security, Roger Klose (in German)
itsecurity07_mpls_sec_rklose.pdf (859KB)
Presentation NAC - Blessing or Curse, Dror-John Röcher (in German)
itsecurity07_NAC-Segen_oder_Fluch_01_dr.pdf (1MB)

DECUS Symposium 2007

16-20 April 2007, Nuremberg

Topic: Secure Network Management (16 April 2007, 9:00-17:00)

Speaker: Enno Rey

 

Hack in the Box Security Conference 2007

02-05 April 2007, Dubai

Topic: "Digging into SNMP 2007 - An Exercise on Breaking Networks" by Enno Rey


ERNW_026_SNMP_HitB_Dubai_2007.pdf (383KB)

BlackHat Europe 2007

29-30 March 2007, Amsterdam

Topic: "NAC@ACK" (30 March 2007)
Speaker: Michael Thumann + Dror-John Röcher

Abstract:
The last two years have seen a big new marketing-buzz named "Admission Control" or "Endpoint Compliance Enforcement" and most major network and security players have developed a product-suite to secure their share of the cake. While the market is still evolving, one framework has been getting a lot of market attention: "Cisco Network Admission Control". NAC is a pivotal part of Cisco's "Self Defending Network" strategy and supported on the complete range of Cisco network- and security-products. From a security point of view "NAC" is a very interesting emerging technology which deserves some scrutiny. The Cisco NAC solution contains two major design-flaws which enable us to hack (at least) two of the three different variants using some kind of "posture spoofing attack". We will release updated code & tool for posture spoofing in Cisco NAC "secured" networks.

 
NAC@ACK paper for BlackHat Amsterdam 2007
ERNW_nacattack_10_dr_20070307.pdf (1MB)
NAC@ACK presentation, BlackHat Amsterdam 2007
bh07-europe_nacattack_03.pdf (2MB)

Reaction: here's the reply from Cisco

IT-Underground 2007

07-09 March, Prague

Enno Rey: "Digging into SNMP in 2007 - an exercise on Breaking Networks"

Dror Roecher: "Routing Protocol Security - Still a problem?"

PANEL DISCUSSION: "Why bother with security?"

leader: Enno Rey

co-leaders: Fyodor Yarochkin, Michael Kemp, Renaud Bidou, Shawn Merdinger, Raoul Chiesa, Alexander Kornbrust, Dror Roecher, Angelo Rosiello
ospf-sec_02_dr.pdf (732KB)
ospf-ash.zip (4KB)

IT-Underground 2006, Warsaw

26-27 September 2006

Enno Rey: "MPLS-Security"
ITU2006_mpls2.pdf (1MB)

Lanline & Computer Zeitung Solution Kongress

11 July 2006, Munich

Topic: Hacking VoIP for fun and profit
Speaker: Enno Rey & Michael Thumann
ERNW_Hacking_VoIP_Security_2006.pdf (618KB)

Lanline und Computer Zeitung Solution Kongress Security "Sichere IT im Spannungsfeld von Cyberkriminellen und gesetzlichen Anforderungen"

18 July 2006, Munich

Topic: WLAN Security
Speaker: Enno Rey
ERNW_019_WLAN_Security_2006.pdf (796KB)

Lanline und Computer Zeitung Tech-Forum "E-Mail, Messaging und Collaboration"

23 June 2006, Munich

"The Blackberry Security Discussion - Review and Assessment" by Dror-John Röcher
ERNW_003_BlackberrySecurity_dr_05_2006.pdf (1MB)

Black Hat Europe 2006

02-03 March 2006

Black Hat Europe 2006 took place in Amsterdam. There, Enno Rey gave the talk "MPLS and VPLS Security".
ERNW_mpls_vpls_sec.pdf (1MB)

Techforum "COMPLIANCE - Rechtskonformer und datenschutzgerechter IT-Betrieb"

06-07 February 2006, Munich

Our colleague Dror-John Röcher gave the talk "Tools for the Technical Implementation of Security Compliance" there.
ERNW_Compliance.pdf (1MB)

IIR Security Forum 2005

"Self-Defending Networks" by Dror-John Röcher
ERNW_Self-Defending-Networks.pdf (1MB)

AWI Events VoIP Kongress

November 2005, Düsseldorf

Security Aspects of IP Telephony, Hacking VoIP
ERNW_VoIP_Sec_AWI_11_2005.pdf (875KB)

Konradin Events Tech-Forum "Netzwerkmanagement"

October 2005, Neuss

"Network Segmentation and Security" by Enno Rey
ERNW_Netzwerksicherheit_und_vlans.pdf (1MB)

AWI Events Roadshow IT-Lösungen Mittelstand & VoIP Kongress

September & November 2005

Field report & implementation of an open-source VoIP solution with Asterisk, by Frank Dölitzscher.
ERNW_VoIP.pdf (855KB)

AWI Events Solution Kongress Security

18-19 April 2005, Neuss

A talk by Enno Rey on possible threats in TS/Citrix environments, typical vulnerabilities, attacks against Microsoft Terminal Services, attacks against Citrix Metaframe/PS, and countermeasures.
ERNW_CitrixSecurity.pdf (375KB)

AWI Events Solution Kongress Security

November 2004, Munich

Security through Quarantine - Modern Approaches to the Design of Secure Networks, by Enno Rey.
ERNW_Quarantaene.pdf (268KB)

Dominick Baier

Application Security

A talk that presents the current security problems of web applications (including Cross-Site Scripting, SQL Injection, Parameter Tampering, Permission Management, Buffer Overflows) (in English)
ERNW_ApplicationSecurity.pdf (233KB)

Dominick Baier

Hackproofing IIS6

This talk by Dominick Baier deals with hardening IIS6 web servers through targeted hacking (pentesting).
ERNW_Hackproofing_IIS6.pdf (84KB)

IIR-Security

Autumn 2004

A talk by Enno Rey on RFID security.
ERNW_RfidSecurity.pdf (267KB)

Michael Thumann & Enno Rey

PSK Cracking using IKE Aggressive Mode

This paper was written as a proof of concept to demonstrate that weakly secured VPNs are comparatively easy to attack. Download links to the vendors' notices: http://www.checkpoint.com/ http://www.cisco.com/
pskattack.pdf (166KB)

Lanline Tech Forum

14-15 November 2004, Neuss

In this context, Enno Rey gave the talk "Security Problems of IPsec-Based VPNs and the Technical Implementation of SSL-Based VPNs". He outlined typical security problems of IPsec-based VPNs and then introduced the underlying techniques of SSL-based VPNs in order to assess them in comparison.
ERNW_IPSec.pdf (365KB)

Dominick Baier

Role-Based Security with Microsoft Authorization Manager

This talk was created for the IIR Windows Forum 2004. The Microsoft Authorization Manager is a new operating system component of Windows 2003. It contains a programming interface that makes it easier for applications to make authorization decisions. The archive contains the slides in PDF format as well as a sample XML authorization store.
Rollen-basierteAnwendungs-SicherheitmitMicrosoftAuthorizationManager.pdf (520KB)

Dominick Baier

Terminal Services over OpenSSH PDF

This paper describes the concept and implementation of tunneling Microsoft Terminal Services over OpenSSH.
sshts.pdf (959KB)

Enno Rey & Michael Thumann

Penetration Tests - The Security Challenge

Given at a security forum, this talk shows the procedure of a penetration test. As an example, the complete hack of a Microsoft IIS4 web server is explained step by step.
pen-test.pdf (2MB)

Enno Rey & Martin Freiss (atsec)

Firewall-1 with SecuRemote and OpenSSL as CA

This paper was written jointly by Martin Freiss and Enno Rey in November 2001 in the course of a project and deals with the authentication of SecuRemote clients using OpenSSL certificates.
fw1-openssl.howto.pdf (19KB)

Enno Rey

VPN between Cisco Routers and W2K Clients

This paper is the result of a large IPSec study aimed at implementing VPNs without the use of additional products. The only software requirements are Cisco IOS with IPSec and Windows 2000.
ipsec1.pdf (677KB)

Michael Thumann

GRE Tunnel over IPSec with Cisco Routers

This paper is the result of a customer requirement: implementing the IPX protocol in an IPSec-based VPN over the Internet. Other protocols can also be transported over GRE, so IPX is to be understood here merely as an example.
gre-ipsec.pdf (175KB)

Enno Rey & Michael Thumann

Mobile Security

This talk, given at a security forum, deals with the security of mobile devices with regard to VPNs (Virtual Private Networks) and wireless LANs.
mobilesecurity.pdf (392KB)
