Ruhr's IT security conference

Since 2016, RuhrSec has been the annual English-speaking non-profit IT security conference with cutting-edge security talks by renowned experts. The conference is hosted at the Ruhr University Bochum in Germany, directly in the heart of Bochum near the river Ruhr. RuhrSec provides academic and industry talks, the typical university feeling, and a highly recommended social event.

In 2019, all profits from the conference ticket income will be donated to the local non-profit organization Kinderhospizdienst Ruhrgebiet e.V. which supports children diagnosed with critical illnesses and their relatives.

Update (28/02/2020): We thank our attendees for helping children! We have donated the profit of RuhrSec 2019 to Kinderhospizdienst Ruhrgebiet e.V.: 1,200 EUR.

Program

Trainings (Mercure Hotel Bochum City): Monday, 27.05.2019

Microarchitectural Attacks, Ass.Prof. Dr. Daniel Gruss, Moritz Lipp, Michael Schwarz
Putting Security Checks into Your Build Pipeline, Christian Schneider
Attacking and Defending TLS, Dr. Juraj Somorovsky, Robert Merget

08:00 – 09:00 Registration and Biscuits/Coffee
09:00 – 13:00 Training
13:00 – 14:00 Lunch
14:00 – 18:00 Training
19:30 – 22:30 Speakers' Dinner

Conference (Ruhr University Bochum): Tuesday, 28.05.19

08:00 – 09:00 Registration and Biscuits/Coffee
09:00 – 09:15 Opening, Marcus Niemietz
09:15 – 10:00 Keynote: How to statically detect insecure uses of cryptography - at scale and with almost perfect precision, Prof. Dr. Eric Bodden
10:00 – 10:30 Coffee Break
10:30 – 11:15 Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild, Marius Steffens & Dr. Ben Stock
11:15 – 12:00 Reversing Fraudulent Apps, Abdullah Joseph
12:00 – 13:30 Lunch
13:30 – 14:15 The Bicho: backdooring CAN bus for remote car hacking, Sheila Berta
14:15 – 15:00 Greybox Automatic Exploit Generation for Heap Overflows, Sean Heelan
15:00 – 15:45 Coffee Break
15:45 – 16:30 Are Microarchitectural Attacks still possible on Flawless Hardware?, Erik Kraft & Michael Schwarz
16:30 – 17:15 1 Trillion Dollar Refund – How To Spoof PDF Signatures, Dr.-Ing. Vladislav Mladenov
17:15 – Open End Social Event (incl. Dinner)

Conference (Ruhr University Bochum): Wednesday, 29.05.19

08:45 – 09:15 Biscuits/Coffee
09:15 – 10:00 Keynote: Publish-and-Forget: Longitudinal Privacy Techniques and User Behaviour, Ass.Prof. Dr. Christina Pöpper
10:00 – 10:30 Coffee Break
10:30 – 11:15 Browser fingerprinting: past, present and possible future, Dr. Pierre Laperdrix
11:15 – 12:00 Content-Security-Policies in mass-distributed web apps - doing the undoable, David Jardin
12:00 – 13:30 Lunch
13:30 – 14:15 Automate the generation of security documentation, Andreas Kuehne & Jens Neuhalfen
14:15 – 15:00 Social Engineering through Social Media: profiling, scanning for vulnerabilities and victimizing, Christina Lekati
15:00 – 15:30 Coffee Break
15:30 – 16:15 Artificial Intelligence in Cyber Security: Threat, Tool or Target?, Tobias Burri & Elias Hazboun
16:15 – 17:00 "Johnny, you are fired!" – Spoofing OpenPGP and S/MIME Signatures in Emails, Marcus Brinkmann & Damian Poddebniak
17:00 – 17:15 Closing

Talks & Trainings

Microarchitectural Attacks

Training by Ass.Prof. Dr. Daniel Gruss, Moritz Lipp, Michael Schwarz (TU Graz)

Training. Microarchitectural Attacks

Abstract. Since the beginning of 2018, microarchitectural attacks have received a lot of attention from the computer security community and other fields. Meltdown and Spectre break isolation between processes and security domains on a hardware level. In this training, we provide a hands-on experience on microarchitectural attacks.

Starting with the basics, we first learn how caches work and then implement three very basic microarchitectural side-channel attacks. We start with Flush+Reload and use it to implement two different attacks; one on a cryptographic algorithm and one template attack. We also see how performance counters can reveal interesting information for microarchitectural attacks.

After having learned how to mount Flush+Reload attacks on shared libraries, we go one step further and get rid of the requirement of shared memory step by step. For this purpose, we learn how to build eviction sets and implement an Evict+Reload attack. Continuing from there, we implement Prime+Probe, an attack which does not require any shared memory. Finally, we implement a Meltdown and a Spectre attack, based on the Flush+Reload implementation we have already implemented in the first third of the course.

This course teaches attendees where microarchitectural attack surface is created and how it can be exploited. This provides engineers with valuable knowledge for building more secure hardware and software resilient to these attacks.

Course Outline.

  • Introduction
  • Flush+Reload
  • Attacking Weak Crypto I
  • Template Attacks
  • Performance Counters
  • Evict+Reload
  • Prime+Probe
  • Attacking Weak Crypto II
  • Covert Channel
  • Meltdown
  • Spectre

What to bring? Laptop, VirtualBox

Prerequisites. Operating system with at least 4GB of RAM (8GB recommended) and at least 25 GB of free disk space.

Who Should Attend? Security and computer engineers, computer security researchers, people interested in microarchitectural attacks.

What to expect? This course will teach attendees how microarchitectural attacks work and how to automate them. They will learn how to combine different side channels and use different side channels to achieve the same goal in different privilege scenarios. This will give engineers the ability to find and address microarchitectural vulnerabilities in hardware and software.

What not to expect? "Exploits", Fault attacks (Rowhammer).

About the trainers. Daniel Gruss, Moritz Lipp, and Michael Schwarz have been teaching at Graz University of Technology for several years. They are one of the leading groups in microarchitectural attack and defense research and have spoken about this topic at various international venues.

Putting Security Checks into Your Build Pipeline

Training by Christian Schneider

Training. Putting Security Checks into Your Build Pipeline

Abstract. This course gives insight into automation capabilities of security scans, which perfectly fit into many build pipelines. Taking frontends (Web) as well as backends (APIs) into account, you will learn what steps of a security analysis can be best automated - and how. By focussing on OpenSource solutions, you will get a tool arsenal with different automation options ready to test your applications' security on every build.

In order to get the most out of the training day you can (optionally) follow exercises with Kali Linux and a demo application created specially for this workshop to test against. And for those without a laptop during the workshop: even without one to take part in the practical tasks, you'll still pick up a lot of information from the workshop.

Course Outline.

  • DevOps pipelines
  • Security tool landscape
  • Automation capabilities and integration styles
  • Overcoming crawler problems
  • Alternative traffic generators
  • Coping with tokens, CAPTCHAs, and other automation problems
  • Configuration recommendations for different automation and scan types
  • Scan scheduling & APIs
  • How to NOT just break builds
  • Handling findings from automated scans
  • Organizational aspects (especially for agile teams)

What to bring? Laptop (with VMware or VirtualBox).

Prerequisites. If you want to attend the exercises: Kali Linux installed and running (inside VM is absolutely ok).

Who Should Attend? DevOps Engineers, QA / Test Engineers, Developers, Penetration Testers, Technical Managers.

What to expect? This course will teach attendees how to use security tools in an automated way to assess the security of their applications as part of build pipelines. At the end of this course attendees will be able to consider different techniques and utilize security tools to enhance the security of the software development process of agile DevOps projects.

What not to expect? One-fits-all solutions, offensive stuff (i.e. we're not covering post exploitation techniques as part of automated build chains).

About the trainer. Christian (@cschneider4711) has pursued a successful career as a freelance Java software developer and expanded it to include the focus on IT-Security. His major areas of work are Security Architecture Consulting and Penetration Testing. Aside from trainings he coaches agile projects to include security in the SDLC by applying Security DevOps concepts. Christian enjoys speaking at conferences and blogs at Christian-Schneider.net.

Attacking and Defending TLS

Training by Dr. Juraj Somorovsky, Robert Merget (Ruhr University Bochum)

Training. Attacking and Defending TLS

Abstract. Transport Layer Security (TLS) is the most important cryptographic protocol on the Internet. It is responsible for securing connections between browsers and web servers, or between web service peers. Recent TLS history, however, is full of new attacks, which makes it challenging to deploy applications securely.

We give an overview of the most critical TLS attacks and show how to detect these attacks with different tools. Afterward, we present best practices to establish secure TLS connections.

Course Outline.

  • Short intro into crypto
  • The TLS protocol
  • TLS attacks
  • Secure TLS configuration
  • Security evaluation with open-source tools

What to bring? Laptop, VirtualBox

Prerequisites. Operating system with at least 4GB of RAM (8GB recommended) and at least 25 GB of free disk space.

Who Should Attend? Developers, Penetration Testers

What to expect? You will learn the concepts behind the most important cryptographic protocol and the relevant attacks from recent years. You will gain knowledge on how to analyze your server configuration with open source tools and how to deploy TLS securely.

What not to expect? 0days

About the trainers. Dr. Juraj Somorovsky is a security researcher at the Ruhr University Bochum, and a co-founder of Hackmanit GmbH. He is the main developer of a flexible tool for TLS analyses called TLS-Attacker and a co-author of several well-known TLS attacks. For example, his attacks DROWN and ROBOT received Pwnie Awards for Best Cryptographic Attack in 2016 and 2018. Juraj Somorovsky has presented his work at renowned scientific and industrial conferences, including Usenix Security, Blackhat, Deepsec and OWASP Europe.

Robert Merget (@ic0nz1) is a PhD student at the Chair for Network and Data Security at Ruhr University Bochum. The focus of his research is practical TLS implementations and their analysis. He is a co-author of TLS-Attacker and the main developer of TLS-Scanner.

Prof. Dr. Eric Bodden

(Paderborn University) – Keynote

Talk. How to statically detect insecure uses of cryptography - at scale and with almost perfect precision

Abstract. For decades, static code analysis has been notorious for being ineffective, due to high false positive rates. Yet, recent algorithmic breakthroughs have now given us the capability to build static analysis tools that not only rapidly analyze code bases with millions of lines of code, but also yield perfect precision in most practical cases.
In this talk I will highlight the main ideas behind those breakthroughs and will demonstrate CogniCrypt, a recent practical security code analysis tool that makes use of this leap in technology. CogniCrypt (www.cognicrypt.de) is an official Eclipse project integrating with various IDEs and CI environments, which allows code developers to precisely pinpoint security-critical misuses of APIs, particularly crypto APIs. It currently supports the analysis of Java and Android projects, but a variant for C/C++ is in the works as well.
I will conclude my talk with results from a large-scale study in which we applied CogniCrypt to security-sensitive Android apps and to all software artifacts on MavenCentral.

Biography. Eric Bodden is one of the leading experts on secure software engineering, with a specialty in building highly precise tools for automated program analysis. He is Professor for Software Engineering at Paderborn University and director for Software Engineering and IT-Security at Fraunhofer IEM, where he is collaborating with the leading national and international software development companies. Further, he is a member of the directorate of the Collaborative Research Center CROSSING at TU Darmstadt.

Prof. Bodden's research has been awarded numerous times. At the German IT-Security Prize, his group scored 1st place in 2016 and 2nd place in 2014. In 2014, the DFG awarded Bodden the Heinz Maier-Leibnitz-Preis, Germany's highest honour for young scientists. Prof. Bodden's research has received five ACM Distinguished Paper Awards in different communities.

Twitter: @profbodden

Ass.Prof. Dr. Christina Pöpper

(NYU Abu Dhabi) – Keynote

Talk. Publish-and-Forget: Longitudinal Privacy Techniques and User Behaviour

Abstract. Technological development and the collection of digital data prompt individuals to rethink the boundaries of their privacy. At times of social media and our digital society where online opinion, images, and connections are what counts, longitudinal privacy techniques gain importance. The decision and action of sharing or withholding information cannot be left to the individual alone but need to be facilitated by technical and legal means. Data that is no longer relevant, whose original purpose has been satisfied, or where the owner is withdrawing consent for its online presence represent valid conditions that demand for means and techniques for data fading and disappearance. In this talk, we will review technical, legal, psychological, and usability-related aspects of sharing, withholding, and removing information and discuss how computer scientists and security researchers can contribute to address open challenges for providing better data control to users.

Biography. Christina Pöpper is a computer scientist with a focus on information and communication security. Her research goal is to better understand and enhance the security and privacy of current and future IT and communication systems. Specific interests are the security of wireless systems and applications, where she is working on topics like secure localization and jamming-resistant communication, mobile-, protocol- and system-level security as well as on aspects of privacy. She is teaching computer/IT security and general computer science classes. She is affiliated with the Center for Cyber Security at NYUAD.

Prior to joining NYUAD, Christina Pöpper was an assistant professor at Ruhr University Bochum, Germany, where she headed the Information Security Group at the Electrical Engineering and Information Technology Department / Horst-Görtz-Institute for IT-Security. In the past, she taught specialized courses on wireless security as well as on private and anonymous communication. She received her doctoral and graduate degrees in computer science from ETH Zurich, Switzerland.

Her research interest is cybersecurity and privacy. One focus area is wireless and communication security, in particular securing wireless radio transmissions against jamming as well as securing localization techniques. She likes to combine systems and security mechanisms in different application settings. She addresses secure systems where cryptography alone is often not enough.

Sheila Berta

(Freelancer) – Talk

Talk. The Bicho: backdooring CAN bus for remote car hacking

Abstract. Attacks targeting connected cars have already been presented at several conferences, as well as different tools to spy on CAN buses. However, there have been only a few attempts to create “something similar” to a useful backdoor for the CAN bus. Moreover, some of those proofs of concept were built upon Bluetooth technology, limiting the attack range and therefore hampering its effects.

Now we are happy to say, “those things are old”!

We have successfully developed a hardware backdoor for the CAN bus, called “The Bicho”. Due to its powerful capabilities we can consider it as a very smart backdoor. Have you ever imagined the possibility of your car being automatically attacked based on its GPS coordinates, its current speed or any other set of parameters? Even more, have you ever imagined the possibility that your car suddenly stopped working, when you least expected it, due to a remote attack? Now all of this is possible.

The Bicho supports multiple attack payloads and it can be used against any vehicle that supports CAN, without limitations regarding manufacturer or model. Each one of the payloads is related to a command that can be delivered via SMS, this way it allows remote execution from any geographical location. Our backdoor is an open-hardware tool and it has an intuitive graphical interface, called “Car Backdoor Maker”, which is open-sourced too and allows payload customization.

The attack payload can be configured to be automatically executed once the target vehicle is proximate to a given GPS location. The execution can also be triggered by detecting the transmission of a particular CAN frame, which can be associated with any given factor, such as: the speed of the vehicle, its fuel level, and some other factors. Moreover, in our talk we will be presenting a new feature, that allows us to remotely kill the car’s ECU and consequently causing the car to stop working suddenly.

Biography. Sheila Ayelen Berta is an Information Security Specialist and Developer, who started at the age of 12 on her own. At the age of 15, she wrote her first book about Web Hacking, published by RedUSERS Editorial in several countries. Over the years, Sheila has discovered lots of vulnerabilities in popular web applications and software. She has also given courses on Hacking Techniques at universities and private institutes. Sheila currently works as a Security Researcher who specializes in offensive techniques, reverse engineering and exploit writing. She is also a developer in ASM (microcontrollers, x32/x64), C/C++, Golang and Python. Sheila is an international speaker who has spoken at important security conferences such as Black Hat EU 2017, DEFCON 26, DEFCON 25 CHV, HITBSecConf, HackInParis, Ekoparty Security Conference, IEEE ArgenCon, Hack.Lu, OWASP Latam Tour and others.

Twitter: @UnaPibaGeek

Marcus Brinkmann

(Ruhr University Bochum) – Talk

Talk. "Johnny, you are fired!" – Spoofing OpenPGP and S/MIME Signatures in Emails

Abstract. OpenPGP and S/MIME are the two major standards to encrypt and digitally sign emails. Digital signatures are supposed to guarantee authenticity and integrity of messages. We show practical forgery attacks against various implementations of OpenPGP and S/MIME email signature verification in five attack classes: (1) We analyze edge cases in S/MIME's container format. (2) We exploit in-band signaling in the GnuPG API, the most widely used OpenPGP implementation. (3) We apply MIME wrapping attacks that abuse the email clients' handling of partially signed messages. (4) We analyze weaknesses in the binding of signed messages to the sender identity. (5) We systematically test email clients for UI redressing attacks.

Our attacks allow the spoofing of digital signatures for arbitrary messages in 14 out of 20 tested OpenPGP-capable email clients and 15 out of 22 email clients supporting S/MIME signatures. While the attacks do not target the underlying cryptographic primitives of digital signatures, they raise concerns about the actual security of OpenPGP and S/MIME email applications. Finally, we propose mitigation strategies to counter these attacks.

Biography. Marcus Brinkmann is a PhD student at the Ruhr University Bochum, and interested in end-to-end security. He is a free software enthusiast with contributions to the Debian and GnuPG projects.

Twitter: @lambdafu

Tobias Burri

(Live Reply) – Talk

Talk. Artificial Intelligence in Cyber Security: Threat, Tool or Target?

Abstract. Recent machine learning algorithms such as Convolutional Neural Networks or LSTMs fueled by modern GPUs have produced astonishing results unimaginable only a few years ago. These developments bring a number of challenges and opportunities in the cyber security field. First, using AI maliciously can potentially result in threats that are faster, more complex and more difficult to detect. Second, recent developments in AI can be leveraged to improve our protection capabilities against cyber-attacks. Last, as AI technology becomes increasingly popular and available in more systems and services, new challenges emerge as this technology needs also to be protected from cyber threats. In this session we will present current developments in the field of AI and their relevance for cybersecurity. We will then cover some concepts and examples for each of the T's (threat, tool and target) both in the industry and research. We will close the session by presenting our views on trends and potential future scenarios.

Biography. Although having an academic background in Economics, Tobias Burri became interested in programming during his studies and started his professional career as a developer for a web-analytics platform. Today, he is a senior consultant in Live Reply's Cyber Security unit where he supports companies in both assessing their current security landscape and integrating new security components. Tobias is strongly focused on the rising relevance of AI in the field of cyber security, both in terms of malicious use as well as leveraging current developments for new security applications.

Twitter: @tobias_burri

Elias Hazboun

(Live Reply) – Talk

Talk. Artificial Intelligence in Cyber Security: Threat, Tool or Target?

Abstract. Recent machine learning algorithms such as Convolutional Neural Networks or LSTMs fueled by modern GPUs have produced astonishing results unimaginable only a few years ago. These developments bring a number of challenges and opportunities in the cyber security field. First, using AI maliciously can potentially result in threats that are faster, more complex and more difficult to detect. Second, recent developments in AI can be leveraged to improve our protection capabilities against cyber-attacks. Last, as AI technology becomes increasingly popular and available in more systems and services, new challenges emerge as this technology needs also to be protected from cyber threats. In this session we will present current developments in the field of AI and their relevance for cybersecurity. We will then cover some concepts and examples for each of the T's (threat, tool and target) both in the industry and research. We will close the session by presenting our views on trends and potential future scenarios.

Biography. Elias Hazboun is a security consultant at Live Reply's Cyber Security unit with expertise in security assessment and testing. His responsibilities revolve around helping clients secure their current and future solutions, whether it is APIs, network equipment or cloud infrastructure. He is also a certified Penetration Tester (OSCP) and has worked on multiple offensive security projects including websites, VoIP and chat-bots. He is currently contributing towards securing next-generation carrier-grade software-defined networks. Elias is a passionate advocate of security by design, privacy and the study of the intersection between future technology and society. He is also the recipient of a DAAD Study Scholarship that allowed him to complete his Master's studies with distinction in computer science at the Technical University of Munich.

Sean Heelan

(University of Oxford) – Talk

Talk. Greybox Automatic Exploit Generation for Heap Overflows

Abstract. In this talk we will introduce a completely grey-box approach to automatic exploit generation for heap overflows. Heap overflows are difficult to generate exploits for as they require reasoning over another dimension not present when considering stack overflows, namely the layout of the heap. We will show how this problem can be compartmentalised and addressed separately from the remainder of the exploit generation task. Furthermore, we will show how dynamic analysis and learning from existing inputs can be used in place of expensive white-box techniques that are traditionally used for exploit generation.

Biography. Sean Heelan is a co-founder of Optimyze and a PhD candidate at the University of Oxford. In the former role he works on full-stack software optimisation, and in the latter he is investigating automated approaches to exploit generation. Previously he ran Persistence Labs, a reverse engineering tooling company, and worked as a senior security researcher at Immunity Inc. His primary interest is in building program analysis tools that allow the integration of static and dynamic techniques with expert knowledge.

Twitter: @seanhn

David Jardin

(Joomla!) – Talk

Talk. Content-Security-Policies in mass-distributed web apps - doing the undoable

Abstract. Content-Security-Policy is a well-established technology that is able to catch Cross-Site-Scripting attacks in modern browsers. However, regardless of the benefits, usage in mass-distributed web apps like WordPress or Joomla is still close to non-existent. In this talk, we will discuss the concepts of CSP, the huge challenges that web app developers face during the implementation, and potential workarounds to get CSP out of the door.

Biography. Born and living in Cologne, Germany, David got in touch with web development during school in 2002. After a few years working with plain HTML sites, he started to develop his own CMS in 2004 and switched to Mambo shortly after. He quickly became an active member of the German community and met them in person for the first time during JoomlaDay Germany 2006. After school, he started his business as a freelance web developer and quickly got more involved in the community by giving support in the forums, co-organizing the German JoomlaDay and the J&Beyond conference, starting a Joomla Usergroup in his home town, developing his own extensions and joining the board of the German Joomla association "J&Beyond e.V.". In 2012, he joined the Bug Squad and started contributing to the CMS code. In late 2012, he co-founded the CMS-Garden project, which is a cooperation of 12 open-source CMSs. In the CMS-Garden, volunteers from all participating systems combine their forces to improve their marketing and reach new potential users.

Twitter: @SniperSister

Abdullah Joseph

(Adjust) – Talk

Talk. Reversing Fraudulent Apps

Abstract. Wherever there is money, there is fraud. Companies invest massive amounts on their ad campaigns to showcase their product to the world. In reality, however, most of that money goes to fraudsters and malicious app makers.

In this talk, the speaker will demonstrate how a popular app with over 100 million downloads conducts its mobile fraud operation and performs a commonplace mobile fraud technique: Click Injection.

Biography. Abdullah Joseph works as a security specialist at Adjust, a mobile analytics company, as part of the company’s fraud team. His responsibilities include researching current and future mobile fraud schemes, reversing malicious apps and developing appropriate countermeasures. He is the holder of both GREM and GMOB certifications.

Twitter: @malwarecheese

Erik Kraft

(TU Graz) – Talk

Talk. Are Microarchitectural Attacks still possible on Flawless Hardware?

Abstract. In recent years, we have seen that optimizations in processors often enable new microarchitectural side channels. The severity of side-channel attacks varies widely, from small annoyances for which developers have to introduce workarounds in software, to highly critical attacks leaking arbitrary memory contents. While new attacks pop up regularly, finding defenses is not a trivial task.
In this talk, we first briefly overview the state of the art of microarchitectural attacks and defenses. We then assume that we have a futuristic CPU which magically hides all microarchitectural side effects, rendering all known attacks useless. Even in this thought experiment, we show that such attacks are not dead. In fact, we present ways of mounting well-known microarchitectural attacks without relying on any hardware effects, making these attacks hardware agnostic. We show that attack primitives exploiting the hardware can be shifted to the software level, making these attacks easier to mount and independent of the CPU. The attacks that we present work on Windows, Linux, and Android, both on x86 and ARM processors.

Biography. Erik Kraft is a master's student in Information and Computer Engineering at Graz University of Technology focusing on secure and correct systems. He holds a bachelor's degree in Information and Computer Engineering. In the past, he has been invited to teach computer science courses at undergraduate level. In his current research, he focuses on software-based side-channel attacks.

Andreas Kuehne

(trustable) – Talk

Talk. Automate the generation of security documentation

Abstract. Formal security documentation is usually a neglected task. However, it’s a basic requirement to have comprehensive and recent documents in place, not only if you are facing some sort of audit. We will compare the aims and structure of "classical" security documentation and will show common shortcomings of these documents. Especially when moving from waterfall to a more agile approach there are new challenges:
- changes occur more frequently and must be reflected in the security documents,
- increasing numbers of (micro-) services require significantly more documentation efforts,
- resource-oriented services do not match well with usually established process-focused approaches,
- security documentation is the first victim in high frequency deployment environments.
The proven way to solve these issues is automation! We will outline an approach to take advantage of already existing meta information to derive a solid foundation of a security documentation. The process can be integrated into the usual build process and liberates the dev team from annoying documentation tasks.

The talk will be completed with a summary of documentation parts that can be produced by automation and parts that need human expertise. We will also give an outlook on aspects that may be addressed in later stages of automation.

Biography. Andreas Kuehne is the founder of trustable Ltd., a security consultancy company and member of the FutureTrust project. He is an active initiator and contributor of several open source projects as well as the co-chair of the OASIS DSS-X committee.

Dr. Pierre Laperdrix

(CISPA Helmholtz Center for Information Security) – Talk

Talk. Browser fingerprinting: past, present and possible future

Abstract. Browser fingerprinting has grown a lot since its debut in 2010. By collecting specific information in the browser, one can learn a lot about a device and its configuration. It has been shown in previous studies that it can even be used to track users online, bypassing current tracking methods like cookies. In this presentation, we will look at how this technique works and present an overview of the research performed in the domain. We will then see how this technique is currently used online before looking at its possible future.

Biography. Pierre Laperdrix is currently a postdoctoral researcher in the Secure Web Applications Group at the CISPA Helmholtz Center for Information Security working with Ben Stock. Previously, he was a postdoctoral researcher in the PragSec lab at Stony Brook University working with Nick Nikiforakis. His current topics of research are security and privacy on the Web. He obtained his PhD at Inria in Rennes working on the topic of browser fingerprinting. As part of his thesis, he developed the AmIUnique.org website to understand fingerprinting and worked with the Tor organization to improve the Tor Browser's fingerprinting defenses.

Twitter: @RockPartridge

Christina Lekati

(Cyber Risk GmbH) – Talk

Talk. Social Engineering through Social Media: profiling, scanning for vulnerabilities and victimizing

Abstract. Online presence is undeniably important. But despite the benefits social networking can create, a strong online presence can also create vulnerabilities. Christina will explain how the online presence of a company's employees on social media can attract social engineers to target them and victimize them to "open doors" through the organizational security. The talk covers the topic of information gathering through social media and explains how even seemingly innocent information can be used to manipulate targets, and in what way. Case studies will be provided. A two-part demonstration is included on how a hacker's mind works when harvesting information on social media. The first part includes real examples of posts that expose vulnerabilities, attract attackers and ultimately lead to security breaches. The second part includes a demonstration of how personal information provided online is gathered, categorized, analyzed and then used to craft an attack, as well as how one ends up revealing more online than one intends to. The talk closes with practical recommendations and best practices. The purpose of this talk is not to make everyone delete their online presence but rather to urge them to use it responsibly. Training and awareness are often the catalytic factor between a successful and an unsuccessful attack attempt.

Biography. Christina Lekati is a psychologist and a social engineer. With her background and degree in psychology, she learned the mechanisms of behavior, motivation, decision making, as well as manipulation and deceit. She became particularly interested in human dynamics and passionate about social engineering.

Contrary to typical career paths, her history and involvement in the cybersecurity field started quite early in her life. Being raised by George Lekatis, a sought-after cyber security expert, she found herself magnetized by the security field at a very young age. Growing up, she was able to get involved in different projects that were often beyond her age, which gave her an edge in her own knowledge and experience.

Christina has participated, among other things, in penetration tests, in training for companies and organizations, and in needs and vulnerability assessments.

She works with Cyber Risk GmbH as a social engineering expert and trainer. Christina is the main developer of the social engineering training programs provided by Cyber Risk GmbH. Those programs intertwine the lessons learned from real-life cases and previous experiences with the fields of cybersecurity, psychology and counterintelligence. They often cover unique aspects, while their main goal is to inspire delegates with a sense of responsibility and a better relationship with security.

Twitter: @ChristinaLekati

Dr.-Ing. Vladislav Mladenov

(Ruhr University Bochum) – Talk

Talk. 1 Trillion Dollar Refund – How To Spoof PDF Signatures

Abstract. The Portable Document Format (PDF) is the de-facto standard for document exchange worldwide. To guarantee authenticity and integrity of documents, digital signatures are used. Several public and private services ranging from governments, public enterprises, banks, and payment services rely on the security of PDF signatures.

In this talk, we present the first comprehensive security evaluation on digital signatures in PDFs. We introduce 3 novel attack classes which bypass the cryptographic protection of digitally signed PDF files allowing an attacker to spoof the content of a signed PDF.

We analyzed 22 different PDF viewers and found 21 of them to be vulnerable, including prominent and widely used applications such as Adobe Reader DC and Foxit. We additionally evaluated 8 online validation services and found 6 to be vulnerable. These results are due to the absence of a standard algorithm to verify PDF signatures: each client verifies signatures differently, and attacks can be tailored to these differences. We therefore propose the standardization of a secure verification algorithm, which we describe in this paper. All findings have been responsibly disclosed and the affected vendors were supported while fixing the issues. As a result, three generic CVEs were issued, one per attack class (CVE-2018-16042, CVE-2018-18688, CVE-2018-18689).
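Whatever the concrete attack class, a verifier only protects the reader if the bytes the signature covers are the bytes the viewer renders. A PDF signature does not sign the whole file; it signs the two ranges listed in the signature dictionary's /ByteRange, which exclude only the /Contents hex string holding the signature itself. The check below is an added example by the editor, not the verification algorithm proposed in the talk: it takes the last /ByteRange in the file and confirms that the signed ranges start at offset 0, are separated by nothing but the /Contents string, and reach end of file, so that any bytes appended after the signed range (which is how an incremental update is stored) are reported as unsigned. The minimal "PDF" it checks is constructed with a placeholder instead of a real CMS signature, and the signature dictionary is assumed to sit uncompressed in the file, as it must for the /Contents offsets to be meaningful.

```python
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
HEX_STRING = re.compile(rb"<[0-9A-Fa-f]*>")


def check_signature_coverage(pdf: bytes) -> dict:
    """Verify that the signed byte ranges of the last signature cover the
    whole file. Returns {"ok": bool, "byte_range": tuple|None, "findings": [...]}.
    This does not verify the signature itself; it is the structural check that
    must accompany the cryptographic one."""
    ranges = BYTE_RANGE.findall(pdf)
    if not ranges:
        return {"ok": False, "byte_range": None, "findings": ["no /ByteRange found"]}
    # Each additional signature covers all earlier bytes, so the last one must reach EOF.
    a, b, c, d = (int(x) for x in ranges[-1])
    findings = []
    if a != 0:
        findings.append(f"signed data starts at offset {a}, not 0")
    if c < a + b:
        findings.append("second range overlaps the first")
    gap = pdf[a + b:c]
    if not HEX_STRING.fullmatch(gap):
        findings.append("bytes between the ranges are not just the /Contents hex string")
    end = c + d
    if end > len(pdf):
        findings.append("ByteRange extends past end of file (truncated file?)")
    elif end < len(pdf):
        findings.append(f"{len(pdf) - end} unsigned bytes after the signed range (appended update?)")
    return {"ok": not findings, "byte_range": (a, b, c, d), "findings": findings}


def build_sample_pdf(appended: bytes = b"") -> bytes:
    """Construct a minimal file with a signature dictionary whose /ByteRange is
    computed correctly. The /Contents value is a placeholder, not a real CMS
    signature, and `appended` simulates data written after signing."""
    contents = b"<" + b"00" * 16 + b">"

    def layout(byte_range: bytes) -> bytes:
        return (b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite /ByteRange "
                + byte_range + b" /Contents " + contents + b" >>\nendobj\n%%EOF\n")

    # Fixed-width numbers keep every offset stable when the placeholder is replaced.
    draft = layout(b"[0 %010d %010d %010d]" % (0, 0, 0))
    start = draft.index(contents)
    end = start + len(contents)
    final = layout(b"[0 %010d %010d %010d]" % (start, end, len(draft) - end))
    assert len(final) == len(draft)
    return final + appended


if __name__ == "__main__":
    print(check_signature_coverage(build_sample_pdf()))
    print(check_signature_coverage(build_sample_pdf(b"2 0 obj\n<< /Type /Page >>\nendobj\n%%EOF\n")))
```

The second call reports the appended object as unsigned bytes. A viewer that renders such a file must either refuse to show a valid-signature indicator or make unmistakably clear which revision the signature covers; the talk's point is that the 21 vulnerable viewers each drew that line differently.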

Biography. Vladislav Mladenov has worked as a security researcher at the Chair of Network and Data Security at the Ruhr University Bochum since 2012. In his dissertation he analyzed the security of Single Sign-On protocols such as SAML 2.0, OpenID, OpenID Connect and OAuth and discovered various vulnerabilities. Since completing his doctorate he has worked as a postdoc and additionally devotes his attention to the security of data description languages, e.g. JSON, XML and PostScript. Since 2018, he has focused his research on the security of PDF files and recently published several attacks on PDF signatures.

Twitter: @v_mladenov

Jens Neuhalfen

(Deutsche Post DHL Group) – Talk

Talk. Automate the generation of security documentation

Abstract. Formal security documentation is usually a neglected task. However, it’s a basic requirement to have comprehensive and recent documents in place, not only if you are facing some sort of audit. We will compare the aims and structure of "classical" security documentation and will show common shortcomings of these documents. Especially when moving from waterfall to a more agile approach there are new challenges:
- changes occur more frequently and must be reflected in the security documents,
- increasing numbers of (micro-) services require significantly more documentation efforts,
- resource-oriented services do not match well with usually established process-focused approaches,
- security documentation is the first victim in high frequency deployment environments.
The proven way to solve these issues is automation! We will outline an approach to take advantage of already existing meta information to derive a solid foundation of a security documentation. The process can be integrated into the usual build process and liberates the dev team from annoying documentation tasks.

The talk will be completed with a summary of documentation parts that can be produced by automation and parts that need human expertise. We will also give an outlook on aspects that may be addressed in later stages of automation.

Biography. Jens Neuhalfen is Information Security Officer at Deutsche Post DHL Group and has lived and breathed IT for 20 years. He is convinced that the interface between IT and non-IT is the most important lever for running a successful business in IT-centric ventures. Further, Jens is convinced that sensible IT security not only saves money but opens up new business opportunities.

Damian Poddebniak

(Münster University of Applied Sciences) – Talk

Talk. "Johnny, you are fired!" – Spoofing OpenPGP and S/MIME Signatures in Emails

Abstract. OpenPGP and S/MIME are the two major standards to encrypt and digitally sign emails. Digital signatures are supposed to guarantee authenticity and integrity of messages. We show practical forgery attacks against various implementations of OpenPGP and S/MIME email signature verification in five attack classes: (1) We analyze edge cases in S/MIME's container format. (2) We exploit in-band signaling in the GnuPG API, the most widely used OpenPGP implementation. (3) We apply MIME wrapping attacks that abuse the email clients' handling of partially signed messages. (4) We analyze weaknesses in the binding of signed messages to the sender identity. (5) We systematically test email clients for UI redressing attacks.

Our attacks allow the spoofing of digital signatures for arbitrary messages in 14 out of 20 tested OpenPGP-capable email clients and 15 out of 22 email clients supporting S/MIME signatures. While the attacks do not target the underlying cryptographic primitives of digital signatures, they raise concerns about the actual security of OpenPGP and S/MIME email applications. Finally, we propose mitigation strategies to counter these attacks.
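For attack class (3), partially signed messages, the question a client must answer before it shows any "signed" indicator is whether every part it is about to render lies inside the signed content. The walker below is an added example by the editor, not code from the talk or from any mail client: it uses Python's standard email parser to label each displayable leaf part as signed or unsigned and accepts a message as fully signed only if the signed content sits in the first body part of a well-formed multipart/signed container whose second body part is the detached signature (the RFC 1847 layout). Both messages are constructed and their signature blocks are placeholders, so no cryptographic verification takes place here; this is the structural check that has to precede it.

```python
import email
from email import policy

SIGNATURE_TYPES = {
    "application/pgp-signature",
    "application/pkcs7-signature",
    "application/x-pkcs7-signature",
}


def leaf_signature_status(msg):
    """Return [(content_type, is_signed), ...] for every displayable leaf part.
    A leaf counts as signed only when it lives inside the first body part of a
    well-formed multipart/signed container (RFC 1847: content first, detached
    signature second)."""
    leaves = []

    def walk(part, inside_signed):
        ctype = part.get_content_type()
        if ctype == "multipart/signed":
            children = part.get_payload()
            if len(children) == 2 and children[1].get_content_type() in SIGNATURE_TYPES:
                walk(children[0], True)
            else:
                for child in children:          # malformed container: trust nothing in it
                    walk(child, False)
            return
        if part.is_multipart():
            for child in part.get_payload():
                walk(child, inside_signed)
            return
        if ctype in SIGNATURE_TYPES:            # the detached signature is not displayed
            return
        leaves.append((ctype, inside_signed))

    walk(msg, False)
    return leaves


def leaf_status(raw: bytes):
    """Parse a raw RFC 822 message and return its leaf signature status."""
    return leaf_signature_status(email.message_from_bytes(raw, policy=policy.default))


def fully_signed(raw: bytes) -> bool:
    """True only if every displayable part of the message is covered by a signature."""
    leaves = leaf_status(raw)
    return bool(leaves) and all(signed for _, signed in leaves)


# Constructed message: a genuinely signed part wrapped together with an unsigned
# HTML part. A client that keys its "signed" badge on the presence of a valid
# signature anywhere in the tree would present the attacker's text as signed.
WRAPPED = b"""\
From: alice@example.org
To: johnny@example.org
Subject: Johnny, you are fired!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-sha256; boundary="inner"

--inner
Content-Type: text/plain

Johnny, great work this quarter.
--inner
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
(placeholder, not a real signature)
-----END PGP SIGNATURE-----
--inner--
--outer
Content-Type: text/html

<p>Johnny, you are fired!</p>
--outer--
"""

# Constructed message with the whole body inside one multipart/signed container.
PROPER = b"""\
From: alice@example.org
To: johnny@example.org
Subject: Quarterly review
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-sha256; boundary="sig"

--sig
Content-Type: text/plain

Johnny, great work this quarter.
--sig
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
(placeholder, not a real signature)
-----END PGP SIGNATURE-----
--sig--
"""

if __name__ == "__main__":
    for name, raw in (("WRAPPED", WRAPPED), ("PROPER", PROPER)):
        print(name, leaf_status(raw), "fully signed:", fully_signed(raw))
```

The wrapped message yields one signed text/plain leaf and one unsigned text/html leaf, and `fully_signed` rejects it; the properly signed message yields a single signed leaf. A client that wants to show partially signed mail at all should render the unsigned parts visibly apart from the signed ones rather than merge them under one badge.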

Biography. Damian Poddebniak is a PhD student at the University of Applied Sciences in Münster. He is co-author of the Efail attack paper and interested in email security, cryptography and privacy-related topics.

Twitter: @dues__

Michael Schwarz

(TU Graz) – Talk

Talk. Are Microarchitectural Attacks still possible on Flawless Hardware?

Abstract. In recent years, we have seen that optimizations in processors often enable new microarchitectural side channels. The severity of side-channel attacks varies widely, from small annoyances for which developers have to introduce workarounds in software, to highly critical attacks leaking arbitrary memory contents. While new attacks pop up regularly, finding defenses is not a trivial task.
In this talk, we first give a brief overview of the state of the art of microarchitectural attacks and defenses. We then assume that we have a futuristic CPU which magically hides all microarchitectural side effects, rendering all known attacks useless. Even in this thought experiment, we show that such attacks are not dead. In fact, we present ways of mounting well-known microarchitectural attacks without relying on any hardware effects, making these attacks hardware agnostic. We show that attack primitives exploiting the hardware can be shifted to the software level, making these attacks easier to mount and independent of the CPU. The attacks that we present work on Windows, Linux, and Android, both on x86 and ARM processors.

Biography. Michael Schwarz is an Infosec PhD candidate at Graz University of Technology with a focus on microarchitectural side-channel attacks and system security. He holds two master's degrees, one in computer science and one in software development with a strong focus on security. He frequently participates in CTFs and has also been a finalist in the European Cyber Security Challenge. He was a speaker at Black Hat Europe 2016, Black Hat Asia 2017 & 2018, and Black Hat US 2018, where he presented his research on microarchitectural side-channel attacks. He authored and co-authored several papers published at international academic conferences and journals, including USENIX Security 2016 & 2018, NDSS 2017, 2018 & 2019, IEEE S&P 2018 & 2019. He was part of one of the four research teams that found the Meltdown and Spectre bugs published in early 2018.

Twitter: @misc0110

Marius Steffens

(CISPA Helmholtz Center for Information Security) – Talk

Talk. Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild

Abstract. The Web has become highly interactive and an important driver for modern life, enabling information retrieval, social exchange, and online shopping. From the security perspective, Cross-Site Scripting (XSS) is one of the most nefarious attacks against Web clients. Research has long focused on three categories of XSS: reflected, persistent, and DOM-based XSS. We argue, however, that this classification lacks a key threat in the modern Web: persistent Client-Side XSS.

In this talk, we not only provide an improved notion of the classes of XSS, but rather report on a real-world study which shows that of the Alexa Top 5,000 domains, around 2,000 make use of persisted data on the client. We conduct this study using a combination of taint tracking and a fully automated exploit generation pipeline. Doing so, we find that of these 2,000, over 20% make that use in an insecure way which enables an attacker to execute a persisted payload on every page load, allowing for nefarious long-term attacks such as JavaScript-based keyloggers, credential extraction from password managers, or cryptojacking. In addition, we analyze the end-to-end exploitability of the flaws we discovered based on two attacker models, showing that at least 70% of the sites with an insecure data flow can successfully be infected with a malicious payload. We also discuss a number of real-world case studies to highlight the severity of this threat.

Based on our insights, we show that in many cases, the use case requires the execution of persisted JavaScript code. We identify four distinct classes of intended uses for the persisted data, and end our talk with a discussion of applicable countermeasures tailored for those cases.

Biography. Marius Steffens is a first year PhD student in the Secure Web Applications Group at the CISPA-Helmholtz Center for Information Security, where he is supervised by Ben Stock. Marius is currently interested in the area of Web Security, and specifically looking into the prevalence of vulnerabilities in client-side Web applications.

Twitter: @steffens_marius

Dr. Ben Stock

(CISPA Helmholtz Center for Information Security) – Talk

Talk. Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild

Abstract. The Web has become highly interactive and an important driver for modern life, enabling information retrieval, social exchange, and online shopping. From the security perspective, Cross-Site Scripting (XSS) is one of the most nefarious attacks against Web clients. Research has long focused on three categories of XSS: reflected, persistent, and DOM-based XSS. We argue, however, that this classification lacks a key threat in the modern Web: persistent Client-Side XSS.

In this talk, we not only provide an improved notion of the classes of XSS, but rather report on a real-world study which shows that of the Alexa Top 5,000 domains, around 2,000 make use of persisted data on the client. We conduct this study using a combination of taint tracking and a fully automated exploit generation pipeline. Doing so, we find that of these 2,000, over 20% make that use in an insecure way which enables an attacker to execute a persisted payload on every page load, allowing for nefarious long-term attacks such as JavaScript-based keyloggers, credential extraction from password managers, or cryptojacking. In addition, we analyze the end-to-end exploitability of the flaws we discovered based on two attacker models, showing that at least 70% of the sites with an insecure data flow can successfully be infected with a malicious payload. We also discuss a number of real-world case studies to highlight the severity of this threat.

Based on our insights, we show that in many cases, the use case requires the execution of persisted JavaScript code. We identify four distinct classes of intended uses for the persisted data, and end our talk with a discussion of applicable countermeasures tailored for those cases.
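The study above (the abstract is shared by the Marius Steffens and Ben Stock entries) found its flows with dynamic taint tracking inside the browser. The scanner below is an added example by the editor, not the study's pipeline: a deliberately simple static approximation that follows a value from a client-side storage read (localStorage, sessionStorage, document.cookie) through variable assignments into sinks that execute code or parse markup, and stays silent for textContent, which does neither. The JavaScript it scans is constructed; the source and sink pattern lists, the one-statement-per-line model and the lack of scoping or sanitiser recognition are simplifications, so hits are leads for manual review, not verdicts.

```python
import re

# Client-side persistence a page reads back on every load (persisted data on the client).
SOURCE_PATTERNS = [
    r"\blocalStorage\s*(?:\.getItem\s*\(|\[|\.)",
    r"\bsessionStorage\s*(?:\.getItem\s*\(|\[|\.)",
    r"\bdocument\.cookie\b",
]
# Sinks that turn a string into markup or code; each regex captures the expression fed in.
SINK_PATTERNS = {
    "innerHTML": r"\.(?:innerHTML|outerHTML)\s*=(?!=)\s*(.+)$",
    "insertAdjacentHTML": r"\.insertAdjacentHTML\s*\([^,]+,\s*(.+)\)\s*$",
    "document.write": r"\bdocument\.write(?:ln)?\s*\((.+)\)\s*$",
    "eval": r"\beval\s*\((.+)\)\s*$",
    "Function": r"\bnew\s+Function\s*\((.+)\)\s*$",
    "setTimeout": r"\bset(?:Timeout|Interval)\s*\(([^,]+)",
    "script.src": r"\.src\s*=(?!=)\s*(.+)$",
}
ASSIGNMENT = re.compile(r"^(?:(?:var|let|const)\s+)?([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.+)$")
IDENT = r"\b%s\b"


def statements(js: str):
    """Yield (line_no, statement) with // comments and trailing semicolons stripped.
    Simplification: one statement per line, and '//' inside string literals is not handled."""
    for no, line in enumerate(js.splitlines(), 1):
        stmt = re.sub(r"//.*$", "", line).strip().rstrip(";").strip()
        if stmt:
            yield no, stmt


def mentions_source(expr: str, tainted: set) -> bool:
    """True if the expression reads client storage directly or names a tainted variable."""
    if any(re.search(p, expr) for p in SOURCE_PATTERNS):
        return True
    return any(re.search(IDENT % re.escape(name), expr) for name in tainted)


def find_persistent_flows(js: str):
    """Return [{"line", "sink", "statement"}] for every statement that feeds
    client-persisted data (directly or via tainted variables) into a sink."""
    stmts = list(statements(js))
    tainted = set()
    changed = True
    while changed:                       # propagate taint through assignments to a fixpoint
        changed = False
        for _, stmt in stmts:
            m = ASSIGNMENT.match(stmt)
            if m and m.group(1) not in tainted and mentions_source(m.group(2), tainted):
                tainted.add(m.group(1))
                changed = True
    findings = []
    for no, stmt in stmts:
        for sink, pattern in SINK_PATTERNS.items():
            m = re.search(pattern, stmt)
            if m and mentions_source(m.group(1), tainted):
                findings.append({"line": no, "sink": sink, "statement": stmt})
                break
    return findings


# Constructed page script: two persisted values reach markup/code sinks, one does not.
SAMPLE_JS = """\
var theme = localStorage.getItem("theme") || "light";
var banner = "<div class='" + theme + "'>Welcome back</div>";
document.getElementById("header").innerHTML = banner;      // persisted string becomes markup
var greeting = sessionStorage.getItem("greeting");
document.getElementById("hello").textContent = greeting;   // text node: not an HTML sink
var plugin = JSON.parse(localStorage.getItem("plugin"));
setTimeout(plugin.bootstrap, 0);                           // persisted string becomes code
"""

if __name__ == "__main__":
    for f in find_persistent_flows(SAMPLE_JS):
        print(f"line {f['line']}: {f['sink']} <- {f['statement']}")
```

Lines 3 and 7 of the sample are reported, line 5 is not. Whoever can write to the origin's storage once (a reflected XSS, a network attacker on a plain-HTTP page of the same origin, or a cookie set from a sibling subdomain) gets a payload that runs on every later page load, which is exactly the persistence the talk is about.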

Biography. Ben Stock is a Tenure-Track Faculty at the newly founded CISPA-Helmholtz Center for Information Security. In his PhD, Ben focussed on the detection and mitigation of Client-Side Cross-Site Scripting. During his PhD, he worked closely with SAP Research and interned with Microsoft Research. After his PhD, he joined CISPA as a postdoc, focussing on both Web Security as well as Usable Security research. He currently heads the Secure Web Applications Group at CISPA and is a regular speaker at academic and non-academic venues like CCS, USENIX Security, NDSS, Blackhat, and OWASP AppSec.

Twitter: @kcotsneb

Conference location

Directions

Training address: Mercure Hotel Bochum City (website), Massenbergstraße 19-21, 44787 Bochum

Conference address: Veranstaltungszentrum, Ruhr-Universität Bochum, Universitätsstraße 150, 44801 Bochum

Directions: RuhrSec will be held at the Ruhr University Bochum (RUB). The conference location is directly located under the cafeteria/Mensa in our event center ("VZ" or "Veranstaltungszentrum"). You can find parking spaces for your car directly under the conference location (University Center/"Universität Mitte", parking space P9). Otherwise, you can take the subway ("U-Bahn") U35 to the station "Ruhr-Universität". From the station, it is a 5-10 minutes' walk to the conference building.

Flight and Train Information

The closest airport is "Düsseldorf Flughafen" (DUS). From DUS, the shortest and fastest way to get to Bochum is by train. Please take the "SkyTrain" from the airport to the train station "Düsseldorf Flughafen". Afterwards, take a train to "Bochum Hauptbahnhof" (aka "Bochum Hbf"). From there we recommend taking a taxi to the conference center (about 10 euro). Otherwise, you can take the subway ("U-Bahn") U35 to the station "Ruhr-Universität". From the station, it is a 5-10 minutes' walk to the conference building.

Please notice:

  • The SkyTrain is not free; expect to pay about 2 euro.
  • To get your train tickets, you can use a ticket machine after leaving the SkyTrain. The machines let you choose English for the UI and (often) accept credit cards. Please be sure to bring enough cash (euro) with you, because it is possible that the ticket machine does not accept your credit card. Expect about 2 euro for the SkyTrain and 20 euro for the train.
  • Please do not forget to validate your train ticket with one of the stamp machines. Otherwise, it is not valid.

If you want to check when your train will arrive you can use this web page: https://reiseauskunft.bahn.de/bin/query.exe/en

Accommodation

We do not offer any hotel room reservation service. From our experience, it is cheaper to use common hotel booking portals instead of booking the rooms directly at the hotel or with a reservation code.

Directly in the heart of Bochum and near the central station, we recommend two hotels:

Ibis renovated its hotel a few years ago and, depending on your point of view, it is sufficient for spending a few nights. The Mercure Hotel, formerly a Park Inn, is more luxurious. Both hotels are not far from Bochum's famous "Bermuda Dreieck", with a lot of good bars and German beer.

Social Event

Besides their anti-virus products, G DATA is known as the evening sponsor of the Ruhr University's HackPra lecture. As in the case of HackPra, RuhrSec will have an awesome evening event too.

Every participant with a valid conference ticket is invited to be our guest at the social event. G DATA provides awesome people, tasty food and high-quality drinks. Feel free to join us and talk with other security-interested people, including the speakers.

Details

Location: G DATA Academy, Königsallee 178, D-44799 Bochum

How to get there: After the conference we will travel to the location together by public transport. More information is given before the keynote on the first conference day.

Time: After the first conference day (from 17:00)