Cатсн²² (in)sесuяitу / ChrisJohnRiley

The Security Forum is the annual IT-Security Conference in Hagenberg that addresses current issues in this domain. Traditionally it takes place over the course of two days in April. On the first day visitors are offered technical as well as management-oriented papers by representatives of business, research and public service.

After last years security forum I couldn’t very well miss this years event, and it didn’t disappoint. Although a number of the presentations were a little too management focused and light on technical details for my liking, these were overshadowed by great presentations from Scott Behrens from Neohapsis and the short but very interesting Security Insight talks that took place in the evening.

Just like last year the real benefit I feel came from the discussions between sessions. Talking to the presenters and attendees is always the high-point of these conferences I find.

Below is a few brief notes on the presentations I managed to attend and think are worth noting. Slides aren’t yet available for most talks as far as I’m aware.

Webshell Detection using NeoPI (Scott Behrens)

(https://www.securityforum.at/agenda-2/neopi/)

This talk concentrated on the issue of detecting webshells when performing incident response. When faced with a collection of servers and maybe more than 20,000 files present in a webroot, how can you find the needle amongst the needles. Scott demonstrated a number of analysis techniques that can be used to better discover webshells present on a system, and showed the abilities of the NeoPI script to dig into a webroot and point out discrepancies and possibly malicious webshells.

The NeoPI script is currently available on the Neohapsis github page and is looking for people to assist in future development and testing.

Security Insights (evening talks)

(https://www.securityforum.at/security-insights/)

The evening talks moved away from the more management style presentations during the day and focused more on technical projects. Three of the talks were of particular interest.

Sicherheit in der Bürgerkartenumgebung (Wolfgang Ettlinger)

In this talk Wolfgang discussed some of the issues he discovered when testing the security of the Austrian Citizen Card. In Austria this card can be used to officially sign documents and prove the identity of the holder. This includes the ability to sign-in to online banking using the card and a pin to prove the holder is who they say they are. Wolfgang showed a number of vulnerabilities in the BKU (the Java based environment that deals with PIN authentication and card communication) and showed the ability for an attacker to steal the PIN and use it to sign documents or perform actions as the user. A more detailed write-up is available on Wolfgang’s blog.

Covert Channel Protocol – verdeckte Informationsübertragung (Florian Preinstorfer)

Florian discussed his ongoing research into covert channels and in particular discussed his (PoC) implementation that uses both HTTP, ICMP and  DNS to transfer data covertly by using client and server-side proxies to alter traffic. Although the work is still ongoing I’m looking forward to seeing what the final result it, as the premise seems interesting. As soon as code is released or more information becomes available I’ll make sure to post it up in my [SuggestedReading] feed.

Oh noes! Another Android Malware Talk (Thomas Eder, Michael Rodler)

The final presentation of the night walked us through an analysis of Android malware (in particular an SMS application that sends premium rate SMS messages). The tools discussed were the usual fare, however the presenters are working together with a larger team to implemented a more automated and structured way to analyse Android malware called EPIC (DE). The project is still in it’s PoC phase, but seems to be something to keep an eye on!

Special thanks to the Hagenberger Kreis for making the conference such an enjoyable experience… Hope to see you all next year!