Here is a list of all talks that will be held at BSidesVienna (talks are in random order).

On the security of security extensions for IP-based KNX networks - Aljosha Judmayer, Lukas Krammer and Wolfgang Kastner

The traditional areas of building automation like heating, ventilation and air conditioning as well as lighting and shading are more and more extended by services requiring a more robust security infrastructure, like alarm and access control systems. Additionally, building automation networks get integrated into existing IP-based networks, or even communicate directly over the Internet. Therefore, the attack surface of building automation systems has increased. This requires a solid security architecture and a profound knowledge of possible attack vectors. This work reviews two security extensions for KNXnet/IP regarding their individual security properties. Thereby, it is pointed out that the current version of the specification, called KNXnet/IP Secure, lacks some relevant details and has certain limitations concerning the provided level of security. Additionally, it is demonstrated that authenticity, integrity, confidentiality and data freshness cannot be guaranteed in classical KNX communication.

Hijacking label switched networks in the cloud - Paul Coggin

The telecommunications networks are one of our most important critical infrastructure assets. In fact, all of the other critical infrastructure domains are dependent upon the telecommunications critical infrastructure for operation, for example ICS/SCADA. In this talk we will discuss a quick overview of telecommunication architectures and operations for Border Gateway Protocol (BGP) services with references to the recent BGP prefix hijacking attacks. The discussion will then pivot to how Multiprotocol Label Switching (MPLS) networks may be attacked in telecommunications networks. Could it be that the MPLS networks are being attacked similar to BGP? How would someone go about targeting MPLS networks? The MPLS discussion will provide an overview of MPLS VPNs and MPLS traffic engineering architectures and operations, including packet captures of label traffic for reference. Attack vectors for targeting MPLS networks will be addressed in addition to a couple of new ideas for gathering intel from MPLS networks. Recommendations for monitoring and securing BGP and MPLS networks will be discussed as well.

Vulnerability Assessments on SCADA Networks: Outsmarting the Smart Grid - Fadli B. Sidek

Critical Infrastructure security has been in the news and the talk of the town since 2005. While there are many talks and demonstrations about how to penetrate and exploit SCADA systems, little discussion about the pre-exploitation phase has been shared. I’m talking of course about the Vulnerability Assessment phase. Some may have performed such an assessment before and many are curious as to how to start it in the first place. Questions like: what are the methodologies used in performing an assessment on SCADA networks? What information is required before we click the ‘Start Scan Now’ button? What plugins should be used? Do my scans guarantee that these ultra-sensitive systems will not go down? And which approach (automatic or manual) should be used in which situation? This talk is to share my personal experience and the challenges faced during a SCADA assessment. I will also give an overview of a typical SCADA environment, the tools used for the assessment, the types of vulnerabilities found and how possible it is for an attacker to potentially ‘own’ a Critical Infrastructure.

The A and the P of the T - Marion Marschalek

The cyber threat landscape has undergone a massive transformation since 2010 - in structure as well as in buzzwording. The number of mass malware samples has skyrocketed, as have cases of data breaches caused by targeted attacks. In reality, the operators of both mass and targeted malware are not necessarily different groups any more. The term advanced persistent threat has been created to describe malicious software which is difficult to detect, thus advanced, and remains on infected systems for a long period of time, thus persistent. Yet the true nature of targeted malware in general remains unclear, and its sophistication hard to evaluate. This talk will introduce measures of complexity for current malware and apply these measures to a chosen set of recently used targeted malware. Examples of such measures are sandbox and analysis resistance, detection evasion and the level of system infiltration and persistence on infected machines. By better understanding threat complexity the defending side can gain a crucial advantage in countering whoever might be their enemy.

Hacking Online Banking Trojans - Sebastian Bachmann and Tibor Éliás

Banks all over the world encourage their users to use their online banking services for comfort and convenience. While these services and banking applications do help in our everyday life by making our management of transactions easier using a so-called mTAN, some criminals want a piece of the pie as well. Using all kinds of targeted messages (e-mail/SMS), customers can be tricked by these cyber criminals into installing applications (like banking Trojans/malware). Fortunately, so far these applications have not been intelligent in any way in how they operated. This seems to be changing: in the spring of 2014, an aggressive banking Trojan called Hesperbot appeared that, once installed, can be controlled by SMS messages received from an attacker. Now, these capabilities were already well known and were seen in almost all banking malware that appeared in the wild. This Trojan differentiates itself from the other malware families by incorporating its own defense mechanism that activates once the user tries to revoke the Administrator rights from the attacker’s application. At this point the host device becomes almost useless to its user. At first we were not aware of this capability and fell into its trap. Fortunately, with a clever exploitation strategy, we managed to unlock the infected device and save it from the grasp of cyber criminals.

The wrong side of history - everything that is old is new again - Arron Finnon

Snowden shocked the world, but few were surprised. Many were amazed by the scale and complexity of the infrastructure. How could so many people be involved in such a massive system without the secret getting out? Surely something that big didn’t need a whistleblower to come forward for everyone to know! The truth of the matter is, looking back in our modern history books you need not look too far before seeing similar operations of magnitude being undertaken. Just as secretive, just as wide reaching, and with the pursuit of ensuring ‘freedoms’, the Manhattan Project showed what can be achieved. It’s hard on initial inspection to see what the pursuit of nuclear weapons and the global interception of communications have in common, but they do! By inspecting our past it becomes less surprising and shocking that something of this size can be undertaken with few people ever realising it or questioning it. An inspection of the Manhattan Project and the recent disclosures has found many interesting and yet surprising recurrences. It is the speaker’s hope that by highlighting these recurrences and drawing parallels from our past, people can start to see where, why, and who are the catalysts for these systems. As the Russians say: keep one eye on the past and you’re blind in one eye, keep both eyes on the future and you’re blind in both!

Attack points in health apps & wearable fitness devices - Candid Wueest

Each day, millions of people worldwide are recording every aspect of their lives in an activity known as self-tracking or quantified self, often using wearable devices. These people have various reasons for doing this, but are they thinking about the risk involved in this process? Given the amount of personal data that is generated, transmitted, and stored at various locations during self-tracking, we wanted to analyse how well this data is protected against attackers, since the quantified self involves more than just the personally identifiable information (PII) that we are used to. We analysed the top health applications that are currently available for smartphones and found all sorts of worrying behaviour. Many apps are not following security best practice guidelines. For example, some apps submit passwords in clear text, transmit activity details over HTTP, allow for user enumeration, or store information insecurely. Other applications contact up to 14 different service providers, spreading personal information even further. To make matters worse, more than half of all of the apps did not have any privacy policy at all. These findings raise several questions: how much data is actually gathered? Who has access to this data? How securely is it stored? How can they be attacked? We will explain the different attack vectors and attack scenarios against wearable devices and their corresponding applications. We will provide concrete examples, such as how cybercriminals could misuse this information. For example, quantified-self devices could be a spammer’s dream come true, as the devices allow the spammer to harvest complete user profiles with contact information and relevant contextual details. Furthermore, we discovered that none of the analysed quantified-self sports bracelets implemented the full spectrum of available privacy functions. As a result, people using these activity trackers could be tracked without their knowledge by any unrelated third party. This raises concerning opportunities for stalkers or other attackers. We created a proof-of-concept Bluetooth Low Energy (BTLE) scanner based on a Raspberry Pi and performed tests in different European cities. We will discuss the recently completed scan results and show a demo of the device. When this tracking is combined with the leakage of personally identifiable information, the dream of the quantified self can quickly become a nightmare.

OSPF - Open Shortest Pwn First - Louis Duruflé

IT networks are becoming a vital part of every infrastructure. With the growth of the networks, maintaining the routing tables of every router has become complex and time-consuming. To automate this process, routing protocols like RIP or OSPF have been developed. These protocols allow routers to communicate and exchange routes with each other and ensure that every IP packet emitted by a computer reaches its destination. The correct configuration of these protocols is crucial for the availability and the security of the networks. A wrong or naive configuration can lead to potentially great disaster for the global security of all data transmitted over the network. In this talk I will present the routing protocol: what it is used for, how it works and where it is used. I will then present the security aspects of routing protocols with a focus on OSPF. In the last part I’ll introduce some attacks that can be launched against routing protocols and their consequences.

Sentinel - Semi automated web application testing - Dobin Rutishauser

Sentinel is a Burp plugin to assist the penetration tester in finding security vulnerabilities. Unlike fully automated scanners, Sentinel displays valuable information about the sent and received HTTP requests, which aids the tester in finding weaknesses and strange behaviour. The talk will present an introduction to the tool and a practical example of finding blind SQL injections.

Smashing the Buffer - Miroslav Stampar

The Smashing the Buffer hands-on workshop should consist of two parts. In the first (introductory) part, all protection mechanisms, accompanied by the respective attack vectors used in exploitation of the buffer overflow vulnerability, should be presented in the form of a regular presentation (e.g. In part two, a practical presentation would be given consisting of step-by-step guided instructions for all popular attack vectors: ret2libc, ret2reg, SEH bypass, egg hunting, ROP chaining and heap spraying.

Screw Compliance! Why security standards kill security! - Johannes Stillig

Everyone is talking about security at the moment: Poodle, Sandworm, Heartbleed etc. But still most companies only invest into security for the sake of being compliant to standard X, framework Y or regulation Z. Of course compliance is a big issue in regulated markets. But many breaches during the last two years show us that being compliant will make most of the bad guys out there laugh about you and your organisation. By analyzing some high-profile breaches down to a technical level, this speech wants to show how often the hunger for being compliant to certain standards leaves entire organisations exposed to attackers. This speech is supposed to be a sermon to return to the roots of security, to forget about fancy tools and buzzwords in security for a while and to understand: being compliant does not equal being secure, but being secure often equals being compliant!

Antivirus Evasion with ShCoLo/ExLo - Why Malware Works in face of Antivirus Software - Matthias Deeg

For many years, different types of malware have ranked among the biggest IT security threats both in the business and the private domain. In order to protect oneself from the dangers of malware, numerous software manufacturers offer IT security products like antivirus and endpoint protection software. But these products alone offer no sufficient protection from malware that knows some tricks, as the results of our recent research on the topic of antivirus evasion show.

Alternative Cashout Strategies - Benjamin Brown

The hardest part of cybercrime is the cashout. The strategy for cashing out needs to be easy enough to make it worth your while and safe enough to stay out of the clink. With more and more focus on identifying and stopping credit card fraud, cybercrooks are diversifying their methods for cashing out. While criminals can, and do, sell whole and bundled online retailer accounts, we are seeing some interesting alternative strategies to make money off of these compromised accounts beyond simply selling the account credentials as is. Many online retailers offer voucher, rewards, or e-gift card programs that can make an account much more valuable than just its login and identity information. These vouchers and e-gift cards can be safer and quicker cashout avenues than traditional strategies for identity theft and muling/shipping tangible goods. In this presentation we will outline the context, inputs, and outputs of these alternative strategies and walk through specific cases we have dealt with involving these compromise and cashout strategies.

Analytics Killed the Risk Management Star - Alex Hutton

GRC has typically been the domain of the Audit-Consultancy Industrial Complex. As such, the value GRC adds has been reduced from the optimistic expectations we had at the turn of the century about adding value to the business and has become a mechanism that basically creates an oligarchy of certification bodies and consultants who now have the ability to declare ‘secure’ based on their dogma. Change is coming. And security will be no different than every other discipline that has evolved from unfounded opinion to measurement. This talk is about why and how change is happening, and gives pointers to help prevent the attendee from being among the first up against the wall when the revolution comes.

Enhancing Mobile Malware: an Android RAT Case Study - Marco Lancini and Roberto Puricelli

Cyber-attacks are quite common nowadays: data breaches, malware, botnets, phishing are some of the (buzz)words we hear almost constantly in the media. Indeed, while these attacks were once carried out by ‘white hat’ hackers, whose purpose was to bypass security systems as a hobby or intellectual challenge, now they are performed mostly by criminals, with the aim of making profit. The constantly growing interest in this sector enables the proliferation of attack toolkits, sold also in underground markets, potentially allowing more people to perform cyber-attacks. Moreover, the discovery of new vulnerabilities is often accompanied by blog posts or proofs of concept from researchers or security firms that demonstrate the technical details of their exploits. Despite their purpose of raising awareness, this information could also be used to perform attacks. In this context, the goal of this talk is to demonstrate how it is possible to easily create powerful malware, combining publicly available attack toolkits and exploits of known vulnerabilities. In particular, we focused on mobile devices as the latest trends show how these kinds of terminals are becoming more often the target of attacks. Remote Access Toolkits (RATs) for mobile devices are widespread and they could be considered an enabler for attacks aimed at obtaining control of the device itself. Moreover, given the source code of a RAT, it is possible to extend its features, adapting or modifying its behavior to the attacker’s needs; for example “hiding” malicious features inside another application, or adding exploits in order to escalate privileges, thus obtaining access to the device’s administrative features. Therefore, we propose a proof-of-concept mobile malware, embedded in a legitimate application, that enhances the features of a well-known RAT application. The attack scenario that we propose is then subdivided into several incremental phases. The first step is the installation of a malicious application from an alternative (non-official) store, which allows the attacker to remotely control the device. In general this is a common user behavior, especially in the case of paid applications which are then provided free of charge. The RAT, once installed, allows the attacker to control the phone remotely, obtaining access to certain sensitive information (such as contacts, call & SMS logs, photos, files stored on the SD card, GPS geolocation), and potentially using the device for malicious purposes (create alerts, open links in the browser, make calls or send SMS, take pictures, use the microphone to intercept environmental audio, intercept calls). Moreover, if the attacker compromises a considerable number of devices, he could use them to create a botnet to perform attacks against third parties (e.g., a DDoS attack against a website). Subsequently, the attacker can also attempt to escalate his privileges in order to gain complete access to the device’s resources. By embedding exploits for known kernel or driver vulnerabilities in the RAT, the attacker can then silently obtain root privileges and, therefore, complete access to the device. This allows, in addition to gaining access to many additional features (like complete access to the internal memory, the possibility of installing other packages, and of editing configurations), also a number of new attacks, like the exfiltration of protected system files, the ‘transparent’ installation of new applications, or the interception of all the communications (e.g., performing a MITM attack by configuring a system proxy on the device). In the talk we will describe the process that led us to realize the proof-of-concept of a mobile malware, starting from the public sources of a mobile RAT, to the integration of new and customized functionalities. We will also show a live demo of the proof-of-concept, following the steps described above.

Identifying and Detecting Botnet Behaviors in the Network - Sebastian Garcia

Detecting malware in the network is so difficult that we don’t even know if we are doing it wrong. Of all the network-based detection techniques, the behavioral methods are the least explored and the most promising. The behavioral methods are being used because the botnet traffic is so complex that we cannot characterize it with statistical tools. If we fail to identify its trends we may fail to protect our network. We present a behavioral-based network traffic model and free software tool that can characterize and detect the botnet traffic by identifying specific malicious behaviors. To create our method we analyzed dozens of large botnet captures in our Malware Capture Facility Project and we extracted the inherent characteristics of their time-based behaviors. Our Markov chain-based detection method was compared and verified in real captures with normal, botnet and unknown data. This detection method is a promising approach to integrate behavioral controls in our network defenses.

Lockpicking Beginner Workshop -

Introduction to basic techniques on how to open locks. I’ll bring a lot of different locks and tools so there will be enough for everybody, hopefully. Usually the workshop runs for a couple of hours and people come and go whenever they feel like opening a lock. This is not meant as a presentation, because the presentation is about 10-15 min and the rest is just practice. People who already know the basics can also join just for practicing.