Ruhr's IT security conference
RuhrSec is the non-profit IT security conference with cutting-edge security talks by renowned experts. The conference is hosted at the Ruhr-University Bochum in Germany, directly in the heart of Bochum near the river Ruhr. RuhrSec provides academic and industry talks, the typical University feeling and a highly recommended social event.
In 2018, all profits from the conference ticket income will be donated to the local non-governmental youth organization THW-Jugend e.V. to support young citizens on their way to help people in emergency situations.
Call for Presentations
In RuhrSec's third edition, we have once again a call for presentations; this does not include the trainings. Areas of interest are (but are not restricted to) Internet/Web Security, Data and Application Security, Network Security, Security in the Internet of Things, and Usable Security.
Please submit your proposal to the RuhrSec programme committee by the 20th of January 2018. We have an ongoing acceptance process, so your chances are higher if you submit as early as possible. Your talk must have a length of 45 minutes including Q&A, and it has to be in English. Each speaker gets a free two-day conference ticket, an invitation to the speakers' dinner on Wednesday, and a travel reimbursement up to a limit of EUR 1,000 (economy). Please contact us if you have any questions.
Easychair RuhrSec 2018 submission form
Trainings: Tuesday–Wednesday, 15.-16.05.18
Malware Analysis using Static and Dynamic Analysis, G Data | Advanced Analytics (two-day training, 17.–18.05.18)
Advanced Android Mobile Application Hacking, Context Information Security (two-day training, 17.–18.05.18)
| Time | Event |
|---|---|
| 08:00 – 09:00 | Registration and Biscuits/Coffee |
| 09:00 – 13:00 | Training |
| 13:00 – 14:00 | Tuesday/Wednesday: Lunch |
| 14:00 – 18:00 | Training |
| 18:30 – 22:00 | Tuesday: Premium RuhrSec Tour, Wednesday: Speakers' Dinner |
Conference: Thursday, 17.05.18
| Time | Event |
|---|---|
| 08:00 – 09:00 | Registration and Biscuits/Coffee |
| 09:00 – 09:15 | Opening, Marcus Niemietz |
| 09:15 – 10:00 | Invited Talk: TBA, Prof. Dr. Michael Backes |
| 10:00 – 10:30 | Coffee Break |
| 10:30 – 11:15 | |
| 11:15 – 12:00 | |
| 12:00 – 13:30 | Lunch |
| 13:30 – 14:15 | |
| 14:15 – 15:00 | |
| 15:00 – 15:45 | Coffee Break |
| 15:45 – 16:30 | |
| 16:30 – 17:15 | Invited Talk: TBA, Thomas Dullien (Halvar Flake) |
| 17:15 – Open End | Social Event (incl. Dinner) |
Conference: Friday, 18.05.18
| Time | Event |
|---|---|
| 08:45 – 09:15 | Biscuits/Coffee |
| 09:15 – 10:00 | Invited Talk: Securing the Development Lifecycle in Productions Systems Engineering, Priv.-Doz. Dr. Edgar Weippl |
| 10:00 – 10:30 | Coffee Break |
| 10:30 – 11:15 | |
| 11:15 – 12:00 | |
| 12:00 – 13:30 | Lunch |
| 14:15 – 15:00 | |
| 15:00 – 15:30 | Coffee Break |
| 15:30 – 16:15 | |
| 16:15 – 17:00 | |
| 17:00 – 17:15 | Closing |
Talks & Trainings
Systematically Exploiting Network Printers
Training (Days: 1) by Jens Müller
Training. Systematically Exploiting Network Printers
Abstract. The idea of a paperless office has been dreamed of for more than three decades. However, nowadays printers are still one of the most essential devices for daily work and common Internet users. Instead of removing them, printers evolved from simple devices into complex network computer systems, installed directly into company networks, and carrying considerable confidential data in their print jobs. This makes them an attractive attack target, often missed by system administrators when securing their network and even by pentesters.
During our research we conducted a large-scale analysis of printer attacks and systematized our knowledge by providing a general methodology for security analyses of printers. Based on our methodology, we implemented an open-source tool called PRinter Exploitation Toolkit (PRET). We used PRET to evaluate dozens of printer models from different vendors and found all of them to be vulnerable to at least one of the tested attacks. These attacks ranged, for example, from simple DoS attacks to skilled attacks that extract print jobs and system files.
In this training we will give an overview of the security of the two most widely supported printer languages: PCL/PJL and PostScript. Each participant gets his/her own test printer, which can be taken home for further studies, and the opportunity to manually carry out the introduced attacks in a prepared environment (shipped for free). In addition, the automated PRET tool for systematic analysis and penetration tests of network printers will be introduced. Finally, we will show techniques for system administrators to mitigate the attacks by proxying all print jobs over a hardened print server.
- First Segment
  - Basics: Printing Technologies
  - Basics: PCL and PJL
  - Basics: PostScript
  - Attack Channels – Network/Wireless Printing, Cloud Printing, Cross-Site Printing
  - Attacks: Denial of Service
  - Attacks: Protection Bypass
- Second Segment
  - Attacks: Print Job Manipulation
  - Attacks: Print Job Access
  - Attacks: Information Disclosure – Memory Access, File System Access
  - Attacks: Remote Code Execution
  - Countermeasures: Setting up a secure print server
What to bring? Laptop, VirtualBox
Prerequisites. Basic knowledge on network security
Who Should Attend? Penetration testers, network administrators, technical people interested in network/IoT security
What to expect? A very technical, very intense, in-depth course on printer hacking. Starting with an introduction to the de facto standard printer languages, you will learn how to use their powerful features to systematically exploit almost any printer out there. You will perform practical attacks ranging from simple DoS to removing the device's password protection with malicious print jobs and manipulating other users' print jobs. You will learn how to access the printer's file system and capture print jobs based on 35-year-old vulnerabilities present in almost every laser printer. While most of the attacks carried out in the test setup will be performed over the wire (scenario of internal network pentesting), you will learn to use alternative channels to deploy malicious commands to a printer: USB sticks, wireless printing, cloud printing or even arbitrary websites. A quick peek at a small subset of the attacks you will deal with can be found in this RuhrSec 2017 presentation: YouTube. Also, you will get a free printer to take away for further hacking.
What not to expect? Hardware and firmware hacking, abusing specific implementation flaws like a buffer overflow in the web server of a certain printer model. This course is focused on generic attacks which can be applied to a broad range of devices.
About the trainer. Jens Müller is a PhD student at the Ruhr University Bochum. His research interests are attacks on the Internet of Things and applied network security in general. He has experience as a freelancer in network penetration testing and security auditing. In his spare time he develops free open source software, at present tools related to network printer exploitation.
Malware Analysis using Static and Dynamic Analysis
Training (Days: 2) by G Data | Advanced Analytics
Training. Malware Analysis using Static and Dynamic Analysis
Abstract. Modern malware uses a large number of different techniques: packers to avoid detection, obfuscation to deter analysis, and command and control communication to achieve its goals. Further, there can be many reasons to analyze malware. Questions such as "Is this sample malicious?", "What information has been compromised?", "What countermeasures can be taken?" require different approaches from. In this training we'll focus on how the analyst can choose the right tool for the job and how to use these tools efficiently. This course is a hands-on training in how to leverage virtual machine introspection, debuggers and the IDA Pro Disassembler to get the job done. The student will learn about standard malware analysis techniques, including dealing with packers, obfuscation and how malware commonly interacts with the operating system. Further, we'll take a look at how to work with both file-based malware and samples acquired from forensic memory analysis.
- Setting up a safe environment
- Analyzing malware with sandbox logs
- Unpacking malware with debuggers
- Static analysis with IDA Pro
- Understanding common malware techniques
- Analyzing memory only malware
What to bring? Laptop with VirtualBox or VMware installed. At least one VM running a modern Windows operating system. A licensed version of IDA Pro is advantageous, but the freeware version will do.
Prerequisites. Basic knowledge of malware and Windows. Ideally knowledge of x86 assembler and the programming language C.
Who Should Attend? Incident responders, penetration testers, security engineers, computer security researchers, technical people interested in the inner workings of malware.
What to expect? A very technical, very intense, hands-on course starting from the very basics of how you can safely analyze malware. You'll learn about common malware behavior and you'll get to reverse engineer real malware yourself using debuggers, disassemblers and virtual machine introspection.
What not to expect? Generic reverse engineering. This course goes deep in the malware analysis topic.
About the trainers. Anton Wendel is working as a security engineer at G DATA Advanced Analytics. He received a Master's degree in IT-Security from Ruhr University Bochum. Prior to joining G DATA Advanced Analytics he worked on automated malware analysis systems at G DATA.
Anders Fogh has been reverse engineering stuff ranging from USB sticks over DVD-players to nation state malware over the past two decades. His research has been presented at venues such as BlackHat and CCS, but he is particularly proud of presenting at RuhrSec last year.
Advanced Android Mobile Application Hacking
Training (Days: 2) by Context Information Security
Training. Penetration Testing on Android Mobile Apps
Abstract. With organisations expanding their presence onto mobile devices, enabling their employees and customers to access business information wherever they are, the threat landscape has never been wider. Mobile systems offer a whole new set of challenges for security professionals, incident responders and developers to take into account including sensitive data on lost devices, applications leaking access to user accounts, data exfiltration from corporate devices to name but a few.
This training course covers Android Marshmallow devices/apps and newer, and is designed to provide attendees with hands-on knowledge on how attackers penetrate the security around mobile applications and security policies. To achieve this it uses custom mobile applications created by Context, crafted to emulate real-world applications and provide a realistic and up-to-date look at the attack surface and vectors available to skilled attackers.
This course will teach attendees how to use advanced attack methods against mobile applications, how to reverse engineer their code to look for vulnerabilities and use this information for complex attacks. At the end of this course attendees will be able to use advanced mobile penetration testing tools, carry out injection attacks and use reverse engineering methods to deconstruct the advanced defences of modern mobile applications.
- Introduction to Mobile Security
- Advanced tools
- Automating attacks
- Application Logic and bypasses
- Reverse Engineering Applications
- Decompiling Android applications
- SMALI and patching
- Hunting for weaknesses with the decompiled code
- Cryptographic Weaknesses
- Manipulating Applications with Injections
- End of Course Capture the Flag
What to bring? Laptop, VirtualBox
Prerequisites. Operating system with at least 4GB of RAM (8GB recommended) and at least 25 GB of free disk space. Virtualization software capable of running OVA.
Who Should Attend? Mobile Developers, Development Managers, Penetration Testers
What to expect? This course will teach attendees how to use advanced attack methods against mobile applications, how to reverse engineer their code to look for vulnerabilities and use this information for complex attacks. At the end of this course attendees will be able to use advanced mobile penetration testing tools, carry out injection attacks and use reverse engineering methods to deconstruct the advanced defences of modern mobile applications.
What not to expect? 0days
About the trainers. Christian Becker and Tim Guenther work as penetration testers for Context Information Security in Germany. They both have several years of experience in performing penetration tests such as in the areas of application testing, infrastructure testing, testing of mobile applications and devices as well as others.
Prof. Dr. Michael Backes
(Saarland University) – Invited Talk, Keynote
Biography. Michael Backes is a full professor at the Computer Science Department of Saarland University and a Max Planck Fellow of the Max Planck Institute for Software Systems. He has the chair for Information Security and Cryptography. He is the Director of the Center for IT-Security, Privacy, and Accountability (CISPA), the speaker of the collaborative research center (Sonderforschungsbereich) on Methods and Tools for Understanding and Controlling Privacy, and a Principal Investigator and Vice-coordinator of the Cluster of Excellence on Multimodal Computing and Interaction (MMCI).
Thomas Dullien (Halvar Flake)
(Google) – Invited Talk, Keynote
Biography. Thomas Dullien / Halvar Flake started work in reverse engineering and digital rights management in the mid-90s, and began to apply reverse engineering to vulnerability research shortly thereafter. He pioneered early Windows heap exploitation, patch diffing / bindiffing and various other reverse engineering techniques. In 2004, he started zynamics, a company focused on reverse engineering technologies. He continued to publish about reverse engineering, ROP gadget search, and knowledge management technologies in relation to reverse engineering. In 2011, zynamics was acquired by Google, and Halvar spent the next few years working on defensive technologies that leveraged the then hot buzzwords "big data" and "machine learning". In summer 2015, Halvar received the lifetime achievement Pwnie, and decided to take a year off to travel, read, and surf. Since November 2016, he has been back at Google.
Priv.-Doz. Dr. Edgar Weippl
(SBA Research) – Invited Talk, Keynote
Biography. After graduating with a Ph.D. from the TU Wien, Edgar worked in a research startup for two years. He then spent one year teaching as an Assistant Professor at Beloit College, WI. From 2002 to 2004, while with the software vendor ISIS Papyrus, he worked as a consultant in New York, NY and Albany, NY, and in Frankfurt, Germany. In 2004 he joined the TU Wien and founded the research center SBA Research together with A Min Tjoa and Markus Klemen. Edgar R. Weippl (CISSP, CISA, CISM, CRISC, CSSLP, CMC) is a member of the editorial board of Computers & Security (COSE), organizes the ARES conference and is General Chair of SACMAT 2015, PC Chair of Esorics 2015, General Chair of ACM CCS 2016, and PC Chair of ACM SACMAT 2017.
Training address: TBA, Bochum
Conference address: Veranstaltungszentrum, Ruhr-Universität Bochum, Universitätsstraße 150, 44801 Bochum
Google Maps: Link to the conference building
Directions: RuhrSec will be held at the Ruhr University Bochum (RUB). The conference location is directly under the cafeteria/Mensa in our event center (German: Veranstaltungszentrum). You can find parking spaces for your cars directly under the conference location (University Center/Universität Mitte, parking level P9). Otherwise you can use the train station (U35 - "Ruhr-Universität"). From the train station, it is a five-minute walk to the conference building.
Flight and Train Information
The closest airport is "Düsseldorf Flughafen" (DUS). From DUS, the shortest and fastest way to get to Bochum is via train. Please take the "Sky Train" from the airport to the railway station "Düsseldorf Flughafen". After that you should travel to "Bochum Hauptbahnhof" (aka "Bochum Hbf."). From there we recommend taking a taxi to the conference center (about 10 euros). Otherwise you can take the underground (U-Bahn) train U35 to "Ruhr Universität Bochum".
- Please pay for the sky train (a few euros).
- To get your train tickets, you can use a ticket machine after the sky train. They allow you to choose English for the UI and you can pay (often) with your credit cards. Please be sure to bring enough cash (euros) with you, because it is possible that the ticket machine does not accept your credit card. The ticket price should be something around €3 (SkyTrain) and €20 (train).
- Please do not forget to validate your train ticket with one of the stamp machines. Otherwise, it is not valid.
If you want to check out when your train will arrive you can use this web page: http://www.bahn.com/i/view/DEU/en/index.shtml
We do not offer any hotel room reservation service. From our experience, it is cheaper to use common hotel booking portals instead of booking the rooms directly at the hotel or with a reservation code.
Directly in the heart of Bochum and near the train station, we recommend two hotels:
Ibis has renewed their hotel a few years ago and it is, depending on the view, sufficient to spend a few nights in it. More luxury is given in the Mercure Hotel, which was a Park Inn hotel in the past. Both hotels are not far away from Bochum's famous Bermuda Dreieck (with a lot of good bars and German beer).
Directions to the event center (Veranstaltungszentrum)
(German, pdf, 5.04 MB)
(German, JPG, 487.36 kB)
Conference location with way-description
(English, pdf, 1.39 MB)
Conference location with way-description - details
(English, pdf, 1.37 MB)
Next to their anti-virus products, G DATA is known as the evening sponsor of the Ruhr University's HackPra lecture. As it is in the case of HackPra, RuhrSec will have an awesome evening event too.
Every participant with a valid conference ticket is invited to be our guest at the social event. G Data provides awesome people, tasty food and high quality drinks. Feel free to join us and to talk with other security interested people, including the speakers.
Location: G DATA Academy, Königsallee 178, D-44799 Bochum
How to get there: After the conference we will go together to the location by using public transport systems. More information is given before the first conference keynote.
German way description: Download PDF
Time: After the first conference day (17:00 or later)
This event will be provided by Hackmanit. The Hackmanit organisation team consists of Marcus Niemietz, Christian Mainka and Juraj Somorovsky. We are security researchers with a strong relationship to the Horst Görtz Institute for IT security.
If you have any questions regarding the conference, please contact us via mail: Email us
Universitätsstraße 150 (ID 2/469)
T: (+49)(0)234 / 45930961
(+49)(0)234 / 45930960