German IT security conference

RuhrSec is the non-profit security conference at the Ruhr University Bochum. As organizers of the well-known HackPra lecture, we host a high-quality and low-priced security conference in the heart of Bochum near the river Ruhr. We provide excellent academic and industry talks from smart international speakers, the typical Ruhr University feeling and the highly recommended HackPra social event.

All profits from conference ticket sales will be donated to the local Gänseblümchen NRW e.V. to support children with cancer. Please look at the program guide and grab your ticket.

Call for Presentations

For RuhrSec's second edition we have a call for presentations (CFP). We are looking for outstanding IT security topics. Please submit your proposal to the RuhrSec programme committee by 15 January 2017. Acceptance is rolling, so your chances are better the earlier you submit. Your talk must be 45 minutes long including Q&A and must be held in English.

Each speaker gets a free two-day conference ticket, an invitation to the speakers' dinner on Wednesday, and travel reimbursement up to a limit of EUR 800 (economy).

Easychair RuhrSec 2017 submission form

Program

Training: Tuesday–Wednesday, 02.-03.05.17


08:00 – 09:00  Registration and Biscuits/Coffee
09:00 – 13:00  Training
13:00 – 14:00  Tuesday/Wednesday: Lunch – Burger & More
14:00 – 18:00  Training
18:00 – 21:00  Tuesday: Premium RuhrSec Dinner, Wednesday: Speakers' Dinner

Conference: Thursday, 04.05.17

08:00 – 09:00  Registration and Biscuits/Coffee
09:00 – 09:15  Opening, Marcus Niemietz
09:15 – 10:00  Keynote: How to Build Hardware Trojans, Prof. Dr. Christof Paar
10:00 – 10:30  Coffee Break
10:30 – 11:15  TBA
11:15 – 12:00  TBA
12:00 – 13:30  Lunch
13:30 – 14:15  TBA
14:15 – 15:00  TBA
15:00 – 15:30  Coffee Break
15:30 – 16:15  TBA
16:15 – 17:00  TBA
17:00 – Open End  Social Event (incl. Dinner)

Conference: Friday, 05.05.17

08:45 – 09:15  Biscuits/Coffee
09:15 – 10:00  Keynote 2: Applied Crypto, Prof. Dr. Kenny Paterson
10:00 – 10:30  Coffee Break
10:30 – 11:15  TBA
11:15 – 12:00  TBA
12:00 – 13:30  Lunch
13:30 – 14:15  TBA
14:15 – 15:00  TBA
15:00 – 15:30  Coffee Break
15:30 – 16:15  TBA
16:15 – 17:00  TBA
17:00 – 17:15  Closing

Talks & Trainings

Dr. Mario Heiderich

(Cure53) – Training

Training. Exploiting Websites by using offensive HTML, SVG, CSS and other Browser-Evil

Abstract. More and more web applications delegate business logic to the client. HTML.next, JavaScript, SVG, Canvas, ES6, AngularJS and ReactJS are just some of the terms that describe the modern web stack. But what does the attack surface look like for those? What if there are no GET parameters left for our scanners to tamper with? What can we do when the server just delivers raw data and the rest is done by the browser? Classic web pentests are "so nineties" in this realm, and keeping pace with progress is getting harder and harder. But there is hope. The focus of this workshop is on the offensive and dangerous parts of HTML, JavaScript and related technologies: the nasty and undocumented stuff, dozens of new attack techniques straight from the laboratory of horrors of those maintaining the HTML5 Security Cheatsheet. We'll learn how to attack any web application, whether through unknown legacy features or through the half-baked results arriving in your browser from the labs of W3C, WHATWG and the ES6 mailing lists. Whether you want to attack modern web applications or shiny browser extensions and Chrome Packaged Apps, we have that covered. Whoever works with or against the security of modern web applications will enjoy and benefit from this workshop. A bit of knowledge of HTML and JavaScript is required, but rookies and rocket scientists will be satisfied equally. HTML is a living standard, and so is this workshop. Course material will be provided on-site and via access to a private GitHub repo, so all attendees will receive updated material even months after the actual training.

Course Outline

    First Segment
  • The very Basics
  • HTTP / Encoding
  • Character Sets
  • CSRF en detail
  • Cross Site-Scripting
  • DOM Clobbering
  • Drag&Drop / Copy&Paste
  • DOMXSS
  • Legacy Features
    Second Segment
  • HTML5 Attacks & Vectors
  • SVG
  • XML
  • Mutation XSS / mXSS
  • Scriptless Attacks
  • SOP Bypasses
  • Filter Bypasses
  • Optimizing your Payload

What to bring? A laptop, ideally with a VM containing several browsers (MSIE, Firefox, Chrome).

Prerequisites. Basic knowledge of HTTP, HTML and scripting, a fascination for weird technical behaviour and a love of crazy code.

Who Should Attend? Penetration testers, security engineers, security developers and technical people interested in browser and client-side web security.

What to expect? A very technical, very intense, in-depth course starting from the very basics (HTTP, charsets, strings) and going up to advanced client-side attacks. A small focus on exploitation but a huge focus on how to get there. Execute script where no one has ever executed script before.

What not to expect? A trainer with bad hair. The trainer has excellent hair which is in remarkably great shape. Also, don't expect the standard XSS attack 101. This course goes beyond the limits and shows attacks known to few, if anyone.

About the trainer. Dr.-Ing. Mario Heiderich, handsome heart-breaker, bon vivant and (as he loves to call himself) "security researcher", is from Berlin, likes everything between less-than and greater-than, leads the small yet exquisite pentest company Cure53 and pesters peaceful attendees at various 5th-tier conferences with his hastily assembled PowerPoint slides. Mario also did his PhD in Bochum, the most beautiful city in Germany if not the entire world. The pneumoconiosis he caught during those days will always remind him of those golden times.

Vladislav Mladenov

(Ruhr University Bochum) – Training

Training. Systematically Breaking and Fixing Single Sign-On

Abstract. Single Sign-On belongs to the group of the most important Internet technologies. However, in recent years it has been shown that these technologies are the target of serious attacks. As part of our research we systematically analyzed different Single Sign-On protocols such as SAML, OpenID, OAuth and OpenID Connect and came up with a large range of attacks partially or totally breaking the security of these protocols. Using OpenID Connect, the most recently standardized SSO protocol, deployed by companies such as Google and PayPal, as an example, we came up with 15 different attacks resulting in broken end-user authentication, information leakage, Server-Side Request Forgery (SSRF) and Denial of Service (DoS).

In this training we will give an overview of the Single Sign-On authentication scheme in general and present insights into the three most widely used protocols: SAML, OAuth and OpenID Connect. Participants will get the opportunity to carry out the presented attacks manually in a prepared environment. In addition, existing tools that facilitate the analysis of Single Sign-On will be introduced. Finally, we will show techniques for strengthening the SSO authentication scheme and mitigating the attacks for each protocol.

Course Outline

    First Segment
  • Basics: HTTP and Single Sign-On
  • Basics: HTTP attacks
  • Basics: SAML
  • SAML: Attacks on Service Providers
  • SAML: Attacks on Identity Providers
  • SAML: Countermeasures and Additional Security Features
    Second Segment
  • Basics: OAuth 2.0
  • OAuth 2.0: Attacks on Service Providers
  • OAuth 2.0: Attacks on Identity Providers
  • Basics: OpenID Connect
  • OpenID Connect: Single-Phase attacks
  • OpenID Connect: Cross-Phase attacks
  • OAuth and OpenID Connect: Countermeasures and Additional Security Features

What to bring? A laptop with VirtualBox and Burp Suite installed.

Prerequisites. Basic knowledge of HTTP and HTML.

Who Should Attend? Penetration testers, security engineers and security developers.

What to expect? A very technical and in-depth course on the security of modern Single Sign-On protocols such as SAML, OAuth and OpenID Connect. You will learn how to recognize Single Sign-On protocols and how to systematically analyze them. You will get a good overview of the current technologies, known attacks and mitigation techniques.

A quick peek at a small subset of the attacks you will deal with can be found in his OWASP AppSec EU 2016 presentation: YouTube.

What not to expect? Simple and standard attack techniques. This course goes deep into the world of SSO attacks.

About the trainer. Vladislav Mladenov is a PhD student at the Ruhr University Bochum and a freelance penetration tester. He is interested in the security of XML-based services. Additionally, he investigates different Single Sign-On protocols such as OAuth, OpenID, OpenID Connect and SAML. Other topics of interest are Identity Management and Cloud Computing.


Prof. Dr. Christof Paar

(Ruhr University Bochum) – Talk, Keynote

Talk. How to Build Hardware Trojans

Abstract. TBA

Biography. Christof Paar holds the Chair for Embedded Security at Ruhr University Bochum, Germany, and is a research professor at the University of Massachusetts Amherst. He co-founded CHES (Cryptographic Hardware and Embedded Systems), the leading international conference on applied cryptography. Christof's research interests include efficient crypto implementations, hardware security, and the security analysis of real-world systems. He also works on applications of embedded security, e.g., in cars or consumer devices. He holds an ERC Advanced Grant in hardware security and is spokesperson for two doctoral research schools, UbiCrypt and SecHuman. Christof has over 180 peer-reviewed publications and is co-author of the textbook Understanding Cryptography (Springer, 2009). He is a Fellow of the IEEE and has given invited talks at MIT, Yale, Stanford, IBM Labs and Intel. Christof co-founded ESCRYPT GmbH, a leading system provider for automotive security. ESCRYPT is now part of Bosch.

Prof. Dr. Kenny Paterson

(Royal Holloway, University of London) – Talk, Keynote

Talk. Applied Crypto

Abstract. TBA

Biography. I obtained a B.Sc. in 1990 from the University of Glasgow and a Ph.D. from the University of London in 1993, both in Mathematics. I was then a Royal Society Fellow at the Institute for Signal and Information Processing at the Swiss Federal Institute of Technology, Zurich, from 1993 to 1994. After that, I was a Lloyd's of London Tercentenary Foundation Research Fellow at Royal Holloway, University of London from 1994 to 1996.

In 1996, I joined Hewlett-Packard Laboratories Bristol, becoming a project manager in 1999.

I then joined the Information Security Group at Royal Holloway in 2001, becoming a Reader in 2002 and Professor in 2004. From March 2010 to May 2015, I was an EPSRC Leadership Fellow working on a project entitled Cryptography: Bridging Theory and Practice. In May 2015, I reverted to being a Professor of Information Security.

My research over the last decade has mostly been in the area of Cryptography, with a strong emphasis being on the analysis of deployed cryptographic systems and the development of provably secure solutions to real-world cryptographic problems. I co-founded the Real World Cryptography series of workshops to support the development of this broad area and to strengthen the links between academia and industry. I am co-chair of the IRTF's research group on Cryptography, CFRG. This group is working to provide expert advice to the IETF in an effort to strengthen the Internet's core security protocols.

My research on the security of TLS (the Lucky 13 attack on CBC-mode encryption in TLS and attacks on RC4) received significant media attention, helped to drive the widespread adoption of TLS 1.2 with its support for modern encryption schemes, and was an important factor in the TLS Working Group's decision to abandon legacy encryption mechanisms in TLS 1.3.

I am lucky to have been the recipient of several prizes and awards for my research. These include a Google Distinguished Paper Award for my joint work with Nadhem AlFardan presenting plaintext recovery attacks against DTLS published at NDSS 2012; an Applied Networking Research Prize from the IRTF for my work with Nadhem AlFardan on the Lucky 13 attack; and an Award for Outstanding Research in Privacy Enhancing Technologies for my work with Mihir Bellare and Phil Rogaway on the Security of symmetric encryption against mass surveillance published at CRYPTO 2014.

Other career highlights include being selected as Programme Chair for EUROCRYPT 2011, and being an invited speaker at ASIACRYPT 2014.

Conference location

Directions

Training address: Blue Square Kortumstr. 90, (Entrance "Passage Voswinkel/Fotobox"), 44787 Bochum

Conference address: Veranstaltungszentrum, Ruhr-Universität Bochum, Universitätsstraße 150, 44801 Bochum

Google Maps: Link to the building

Directions: RuhrSec will be held at the Ruhr University Bochum (RUB). The conference venue is directly below the cafeteria/Mensa in our event center (German: Veranstaltungszentrum). You can find parking spaces directly under the conference venue (University Center/Universität Mitte, parking deck P9). Otherwise you can use the U-Bahn station (U35, "Ruhr-Universität"). From the station, it is a five-minute walk to the conference building.

Flight and Train Information

The closest airport is "Düsseldorf Flughafen" (DUS). From DUS, the shortest and fastest way to get to Bochum is by train. Take the "Sky Train" from the airport to the railway station "Düsseldorf Flughafen". From there, take a train to "Bochum Hauptbahnhof" (aka "Bochum Hbf."). From Bochum Hbf. we recommend taking a taxi to the conference center (about 10 Euro). Otherwise you can take the U-Bahn line U35 to "Ruhr-Universität".

Please notice:

  • Please pay for the Sky Train (a few euros).
  • To get your train tickets, you can use a ticket machine after leaving the Sky Train. The machines let you choose English for the UI and you can (often) pay by credit card. Please also bring cash (Euro) in case credit cards are not accepted. The ticket price should be around €3 (Sky Train) and €20 (train).
  • Please do not forget to stamp your train ticket at one of the stamping machines. Otherwise it is not valid.

To check train times, you can use this web page: http://www.bahn.com/i/view/DEU/en/index.shtml

Accommodation

We do not offer a hotel room reservation service. In our experience, it is cheaper to use common hotel booking portals than to book rooms directly with the hotel or with a reservation code.

Directly in the heart of Bochum and near the train station, we recommend two hotels:

The Ibis was renovated a few years ago and is, depending on your expectations, sufficient for a few nights. The Mercure Hotel, formerly a Park Inn hotel, is more luxurious. Both hotels are not far from Bochum's famous Bermuda Dreieck (with a lot of good bars and German beer).

More Information

Contact us

This event is organized by our company Hackmanit. Our organisation team consists of Marcus Niemietz, Christian Mainka and Juraj Somorovsky. We are security researchers with close ties to the Horst Görtz Institute for IT Security.

If you have any questions regarding the conference, please contact us by email:

Email us

Hackmanit GmbH

Universitätsstraße 150 (ID 2/469)
44801 Bochum

Our Phone:

T: (+49)(0)234 / 45930961

Fax:

(+49)(0)234 / 45930960

Our Email:

ruhrsec@hackmanit.de


©2016 RuhrSec. All rights reserved.