The document summarizes a presentation given on cryptographic failures. It introduces the speaker and provides context on cryptography. It then details three specific failures: 1) the use of MD5 for digital certificates led to forged certificates, 2) reuse of settings and keys undermined the security of the Enigma machine, and 3) flaws in WEP allowed wireless networks to be cracked. It also briefly mentions some other notable crypto failures and systems with weaknesses. The presentation used a lighthearted comic approach to explain the technical concepts.
IPv6-Experte Joe Klein gab uns einen Überblick über den aktuellen Status der IPv6-Sicherheit, typische IPv6-Angriffspunkte, Auswirkungen von Technologien wie Cloud und Blockchain sowie Herausforderungen für effektive IoT-Sicherheitsmassnahmen (Internet of Things). Vor allem im Internet der Dinge, wenn es um Gesundheitsversorgung, selbstfahrende Autos, Flugzeugcockpits, Dämme, Kernkraftwerke und ähnliche kritische Infrastrukturen geht, ist es von entscheidender Bedeutung, dass Sicherheit gewährleistet werden kann.
Ransomware: History Analysis & Mitigation
An hour long look at ransomware's beginnings, ransomware in the news, variants throughout the years, cutting edge malware analysis, and mitigation techniques.
Andy Thompson is a member of the Shadow Systems Hacker Collective, and Dallas Hackers Association, I'm active in the Dallas InfoSec community. Currently a Technical Advisor for CyberArk Software, I work with Fortune 500 companies assisting them in advancing their CyberSecurity Programs.
The Art of Evading Anti-Virus
There are estimates that security analysts, to include penetration testers, are approximately 5 years behind malicious actors. Anti-virus by itself isn’t enough to stop a malicious individual from gaining access to your servers or computers anymore. In fact many of them have devised ways to evade anti-viruses. We as security professionals should understand how these individuals are doing this, and what tools are available for us to replicate these attacks. Tools such as veil-framework assist us with this. This talk will go over this tool, and how malicious individuals evade anti-viruses with ease.
Quentin Rhoads-Herrera is a security analyst for State Farm. In this position he is responsible for risk analysis and application security assessments. He is accountable for ensuring risks are identified and properly mitigated throughout the organization.
He previously served as the Information Security Director for Clearview Energy and Solarview. In this position he oversaw all information security activities. These included development of company-wide cyber security standards, development of layered defense approaches and the hardening and defense of all company systems.
Mr. Rhoads-Herrera has worked in the Information Security space for a total of seven years serving in roles ranging from Security Consultant to Information Security Director.
Cyber Insurance – Did You Know?
We present a brief discussion of risk and the ways that risk can be handled by an organization, one of which mechanisms is the transfer of risk via insurance.
We describe key terms and concepts related to business insurance generally and cyber insurance specifically.
These concepts will include brief descriptions of duties to indemnify, duties to defend, limits, sublimits, exclusions, and retentions, as well as different types of insurance, including CGL policies, Crime policies, E&O, D&O, PGL, and cyber policies.
We present an introduction to the domain of cyber insurance, discussing how cyber events may or may not be covered by traditional insurance products as well as by cyber insurance products.
We will talk about the role of “standardized” contracts supplied by the ISO (Insurance Services Office), how these are changing in the cyber age, and the need for customized contracts.
We will also present a general discussion of the cost of cyber insurance, the market penetration of cyber insurance in the US, and the cost of cyber events, citing data from public sources as well as reports from NetDiligence®
Heather Goodnight-Hoffmann
Over 20 years as Global Sales and Business Development Consultant
Cofounder and President, Risk Centric Security, Inc.
Ponemon Institute RIM Council (Responsible Information Council)
Business Development Manager at Navilogic, Inc.
Cofounder and Partner, Cyber Breach Response Partners, LLC
Co-author & co-analyst, NetDiligence® 2016 Cyber Claims Study
Patrick Florer
37 years in Information Technology
17 year parallel career in evidence-based medicine
Cofounder and CTO, Risk Centric Security, Inc.
Member, Ponemon Institute RIM council
Distinguished Fellow, Ponemon Institute.
Cofounder and Partner, Cyber Breach Response Partners, LLC.
Co-author & co-analyst, NetDiligence® 2016 Cyber Claims Study
IPv6-Experte Joe Klein gab uns einen Überblick über den aktuellen Status der IPv6-Sicherheit, typische IPv6-Angriffspunkte, Auswirkungen von Technologien wie Cloud und Blockchain sowie Herausforderungen für effektive IoT-Sicherheitsmassnahmen (Internet of Things). Vor allem im Internet der Dinge, wenn es um Gesundheitsversorgung, selbstfahrende Autos, Flugzeugcockpits, Dämme, Kernkraftwerke und ähnliche kritische Infrastrukturen geht, ist es von entscheidender Bedeutung, dass Sicherheit gewährleistet werden kann.
Ransomware: History Analysis & Mitigation
An hour long look at ransomware's beginnings, ransomware in the news, variants throughout the years, cutting edge malware analysis, and mitigation techniques.
Andy Thompson is a member of the Shadow Systems Hacker Collective, and Dallas Hackers Association, I'm active in the Dallas InfoSec community. Currently a Technical Advisor for CyberArk Software, I work with Fortune 500 companies assisting them in advancing their CyberSecurity Programs.
The Art of Evading Anti-Virus
There are estimates that security analysts, to include penetration testers, are approximately 5 years behind malicious actors. Anti-virus by itself isn’t enough to stop a malicious individual from gaining access to your servers or computers anymore. In fact many of them have devised ways to evade anti-viruses. We as security professionals should understand how these individuals are doing this, and what tools are available for us to replicate these attacks. Tools such as veil-framework assist us with this. This talk will go over this tool, and how malicious individuals evade anti-viruses with ease.
Quentin Rhoads-Herrera is a security analyst for State Farm. In this position he is responsible for risk analysis and application security assessments. He is accountable for ensuring risks are identified and properly mitigated throughout the organization.
He previously served as the Information Security Director for Clearview Energy and Solarview. In this position he oversaw all information security activities. These included development of company-wide cyber security standards, development of layered defense approaches and the hardening and defense of all company systems.
Mr. Rhoads-Herrera has worked in the Information Security space for a total of seven years serving in roles ranging from Security Consultant to Information Security Director.
Cyber Insurance – Did You Know?
We present a brief discussion of risk and the ways that risk can be handled by an organization, one of which mechanisms is the transfer of risk via insurance.
We describe key terms and concepts related to business insurance generally and cyber insurance specifically.
These concepts will include brief descriptions of duties to indemnify, duties to defend, limits, sublimits, exclusions, and retentions, as well as different types of insurance, including CGL policies, Crime policies, E&O, D&O, PGL, and cyber policies.
We present an introduction to the domain of cyber insurance, discussing how cyber events may or may not be covered by traditional insurance products as well as by cyber insurance products.
We will talk about the role of “standardized” contracts supplied by the ISO (Insurance Services Office), how these are changing in the cyber age, and the need for customized contracts.
We will also present a general discussion of the cost of cyber insurance, the market penetration of cyber insurance in the US, and the cost of cyber events, citing data from public sources as well as reports from NetDiligence®
Heather Goodnight-Hoffmann
Over 20 years as Global Sales and Business Development Consultant
Cofounder and President, Risk Centric Security, Inc.
Ponemon Institute RIM Council (Responsible Information Council)
Business Development Manager at Navilogic, Inc.
Cofounder and Partner, Cyber Breach Response Partners, LLC
Co-author & co-analyst, NetDiligence® 2016 Cyber Claims Study
Patrick Florer
37 years in Information Technology
17 year parallel career in evidence-based medicine
Cofounder and CTO, Risk Centric Security, Inc.
Member, Ponemon Institute RIM council
Distinguished Fellow, Ponemon Institute.
Cofounder and Partner, Cyber Breach Response Partners, LLC.
Co-author & co-analyst, NetDiligence® 2016 Cyber Claims Study
Red, Amber, Green Status: The Human Dashboard
This session will outline the importance of presenting actionable metrics for the Security Awareness program. Oftentimes security programs are presented while omitting the most constant threat to Information Systems: the human. From a security awareness perspective, we will review analytics that include key performance indicators that may already be available to you; they just need to be added to the new human dashboard.
Laurianna Callaghan currently serves as a security consultant for Ana Academy, a Dallas based security training company. Previously, Laurianna worked with Dell where she was the creator of security analytics for a major healthcare customer which were presented at the 2016 IASAP conference. In addition, Laurianna has more than 21 years experience in various IT domains. She has served as the Director of Systems Engineering for a telemarketing firm, the UNIX/MVS Manager for a major airline and has IT experience in the healthcare, communications, transportation, education, retail, and other industry sectors. Laurianna holds both the CCNA Security and CISSP designations.
When the USS John McCain collided with a freighter, there was speculation that the ship was hacked, but officials quickly stated it was impossible because the ship’s network was closed. That is not true. Stuxnet is one of many examples where attackers breached closed networks. This presentation will cover many ways closed networks can be compromised with examples, and how to prevent such attacks.
Learning Objectives:
1: Overcome the myth that closed networks can’t be hacked.
2: Identify vulnerabilities allowing access to closed networks.
3: Learn how to counter the vulnerabilities allowing compromise of closed networks.
(Source: RSA Conference USA 2018)
Software is involved in every aspect of our world, from our homes to large enterprises, and, in particular, it manages our data. As a consequence, software abuses can drastically impact our lives, for instance causing substantial financial losses or affecting people’s privacy. In this talk, we present the findings of our research on the analysis and detection of modern Internet threats, with the aim of protecting users and safeguarding their personal data. Specifically, we provide an overview of our research line in three steps: First, we concentrate on a class of malware, known as ransomware, which encrypts files preventing legitimate access until a ransom is paid, and present a self-healing approach that makes the Windows native file system immune to ransomware attacks. Second, we envision a next-generation approach that moves the malware detection logic toward the hardware level. Third, we analyze the privacy issues in the mobile world and present an obfuscation-resilient approach to identify Android apps that abuse of users sensitive information.
Over the past year, Intel Security has actively participated with global law enforcement agencies in take-down operations to shut down cybercrime infrastructure, associated malware and the cybercriminals themselves. This session will deconstruct emerging attack campaigns and techniques, examine pragmatic defense strategies and discuss what to expect in the future.
Array Networks - A Layered Approach to Web and Application Security
Encryption creates the need for at least two levels of security. ADC’s provide high availability and a secure layer for SSL traffic termination, decryption, inspection and forwarding to advanced security appliances for further inspection.
Ed Keiper is a senior systems engineer with Array Networks. His background includes 10+ years of experience in cloud computing, infrastructure and security.
Mitigating Security Risks in Vendor Agreements
Providers of software, software-as-a-service, managed services, and professional services have varying degrees of sophistication in addressing security in their form contracts. Learn from an experienced technology attorney how to understand key clauses, or discover when they are missing, to ensure that the company's vendors are compliant with the appropriate security measures before signing the deal.
Brian Kirkpatrick is the founding shareholder of Kirkpatrick Law PC and a business attorney with a technology focus. He also serves as Of Counsel to Mullin Law PC for matters involving technology and information security.
His practice revolves around clients needing assistance in technology transactions, data privacy, cyber security, software compliance and audits, and general counsel related to business matters. Brian was voted 2015 Top Technology Attorney in Tarrant County by his peers as published in Fort Worth Texas Magazine.
Brian has published numerous articles and lectured nationally on legal topics such as software as a service, software licensing, contract negotiation, cyber security and legal considerations when starting a business. He is also featured in radio news interviews, as a conference panelist, a featured speaker, and is featured in an instructional video series about conducting negotiations. Before entering the legal profession, Brian was a Vice President commercial banker.
Brian is a graduate of Texas A&M University School of Law where he was inducted into the National Order of Barristers. He also has a Masters of Arts in Applied Economics from Southern Methodist University and a Bachelors of Science in Economics from Texas A&M University - Commerce where he was inducted into the Omicron Delta Epsilon International Economics Honor Society.
Windows attacks receive all the attention. However, Mac and Linux have gained in popularity with the adversary. This session will focus on common Mac attack vectors and other cross-platform hacks that are typically seen in enterprise intrusions. We will also cover practical counter measures to make these alternate platforms more resilient.
(Source: RSA USA 2016-San Francisco)
It comes to no surprise, that any micro-services, any security controls you use to build applications – will eventually be broken (or fail). Under certain pressure, some components will fail together.
The question is – how do we build our systems in a way that security incidents won't happen even if some components fail. And the data leaks won't occur even if penetration tests are successful. "Defense in depth is a security engineering pattern, that suggests building an independent set of security controls aimed at mitigating more risks even if the attacker crosses the outer perimeter. During the talk, we will model threats and risks for the modern web application, and improve it by building multiple lines of defense. We will overview high-level patterns and exact tools from the security engineering world and explain them to the modern web devs ;)
What are the myths & legends around securing Industrial Controlled Systems? In a short presentation some of the day to day experiences are explained around problems/risks, fairy-tales around securing ICS. After reading the presentation will lead to start doing some homework....
Red, Amber, Green Status: The Human Dashboard
This session will outline the importance of presenting actionable metrics for the Security Awareness program. Oftentimes security programs are presented while omitting the most constant threat to Information Systems: the human. From a security awareness perspective, we will review analytics that include key performance indicators that may already be available to you; they just need to be added to the new human dashboard.
Laurianna Callaghan currently serves as a security consultant for Ana Academy, a Dallas based security training company. Previously, Laurianna worked with Dell where she was the creator of security analytics for a major healthcare customer which were presented at the 2016 IASAP conference. In addition, Laurianna has more than 21 years experience in various IT domains. She has served as the Director of Systems Engineering for a telemarketing firm, the UNIX/MVS Manager for a major airline and has IT experience in the healthcare, communications, transportation, education, retail, and other industry sectors. Laurianna holds both the CCNA Security and CISSP designations.
When the USS John McCain collided with a freighter, there was speculation that the ship was hacked, but officials quickly stated it was impossible because the ship’s network was closed. That is not true. Stuxnet is one of many examples where attackers breached closed networks. This presentation will cover many ways closed networks can be compromised with examples, and how to prevent such attacks.
Learning Objectives:
1: Overcome the myth that closed networks can’t be hacked.
2: Identify vulnerabilities allowing access to closed networks.
3: Learn how to counter the vulnerabilities allowing compromise of closed networks.
(Source: RSA Conference USA 2018)
Software is involved in every aspect of our world, from our homes to large enterprises, and, in particular, it manages our data. As a consequence, software abuses can drastically impact our lives, for instance causing substantial financial losses or affecting people’s privacy. In this talk, we present the findings of our research on the analysis and detection of modern Internet threats, with the aim of protecting users and safeguarding their personal data. Specifically, we provide an overview of our research line in three steps: First, we concentrate on a class of malware, known as ransomware, which encrypts files preventing legitimate access until a ransom is paid, and present a self-healing approach that makes the Windows native file system immune to ransomware attacks. Second, we envision a next-generation approach that moves the malware detection logic toward the hardware level. Third, we analyze the privacy issues in the mobile world and present an obfuscation-resilient approach to identify Android apps that abuse of users sensitive information.
Over the past year, Intel Security has actively participated with global law enforcement agencies in take-down operations to shut down cybercrime infrastructure, associated malware and the cybercriminals themselves. This session will deconstruct emerging attack campaigns and techniques, examine pragmatic defense strategies and discuss what to expect in the future.
Array Networks - A Layered Approach to Web and Application Security
Encryption creates the need for at least two levels of security. ADC’s provide high availability and a secure layer for SSL traffic termination, decryption, inspection and forwarding to advanced security appliances for further inspection.
Ed Keiper is a senior systems engineer with Array Networks. His background includes 10+ years of experience in cloud computing, infrastructure and security.
Mitigating Security Risks in Vendor Agreements
Providers of software, software-as-a-service, managed services, and professional services have varying degrees of sophistication in addressing security in their form contracts. Learn from an experienced technology attorney how to understand key clauses, or discover when they are missing, to ensure that the company's vendors are compliant with the appropriate security measures before signing the deal.
Brian Kirkpatrick is the founding shareholder of Kirkpatrick Law PC and a business attorney with a technology focus. He also serves as Of Counsel to Mullin Law PC for matters involving technology and information security.
His practice revolves around clients needing assistance in technology transactions, data privacy, cyber security, software compliance and audits, and general counsel related to business matters. Brian was voted 2015 Top Technology Attorney in Tarrant County by his peers as published in Fort Worth Texas Magazine.
Brian has published numerous articles and lectured nationally on legal topics such as software as a service, software licensing, contract negotiation, cyber security and legal considerations when starting a business. He is also featured in radio news interviews, as a conference panelist, a featured speaker, and is featured in an instructional video series about conducting negotiations. Before entering the legal profession, Brian was a Vice President commercial banker.
Brian is a graduate of Texas A&M University School of Law where he was inducted into the National Order of Barristers. He also has a Masters of Arts in Applied Economics from Southern Methodist University and a Bachelors of Science in Economics from Texas A&M University - Commerce where he was inducted into the Omicron Delta Epsilon International Economics Honor Society.
Windows attacks receive all the attention. However, Mac and Linux have gained in popularity with the adversary. This session will focus on common Mac attack vectors and other cross-platform hacks that are typically seen in enterprise intrusions. We will also cover practical counter measures to make these alternate platforms more resilient.
(Source: RSA USA 2016-San Francisco)
It comes to no surprise, that any micro-services, any security controls you use to build applications – will eventually be broken (or fail). Under certain pressure, some components will fail together.
The question is – how do we build our systems in a way that security incidents won't happen even if some components fail. And the data leaks won't occur even if penetration tests are successful. "Defense in depth is a security engineering pattern, that suggests building an independent set of security controls aimed at mitigating more risks even if the attacker crosses the outer perimeter. During the talk, we will model threats and risks for the modern web application, and improve it by building multiple lines of defense. We will overview high-level patterns and exact tools from the security engineering world and explain them to the modern web devs ;)
What are the myths & legends around securing Industrial Controlled Systems? In a short presentation some of the day to day experiences are explained around problems/risks, fairy-tales around securing ICS. After reading the presentation will lead to start doing some homework....
One Does Not… write TypeScript so easily! In this Meetup talk, I'll share the tricks and pain points I had to learn in my first 6 months of professional TypeScript. The goal is to spare the reader many hours of Stack Overflow...
A Brief History of Cryptographic Failures
Cryptography is hard. It's not hard in the way a challenging video game is, or hard like getting through War and Peace without falling asleep, or even hard like learning a new skill. Cryptography is hard because it's both a system and a technical implementation, and failures in either part can have catastrophic (and sometimes existential) impacts. In this talk we'll take a look at some of the many ways that cryptographic systems have failed over the years, from accidental design flaws like the Data Encryption Standard (DES) defeat so elegantly demonstrated by the Electronic Frontier Foundation to intentional design flaws such as the reported National Security Agency (NSA) backdoor in the Dual Elliptic Curve (EC) Deterministic Random Bit Generator (DRBG). This talk will be a high-level discussion... no PhD in mathematics is required!
Brian Mork is the Chief Information Security Officer for Celanese, where he acts as a senior level executive reporting to the Chief Information Officer (CIO) and leading the strategy and operations of Information and Systems Security. His areas of responsibility include the Security Operations Center (SOC), SAP security, global security architecture, Industrial Control Systems (ICS) security architecture and governance, and the firewalls. He is responsible for establishing and maintaining an enterprise wide information security program to ensure that data information assets are adequately protected. Responsible for identifying, evaluating and reporting on information security risks in a manner that meets company needs, compliance and regulatory requirements. Mr. Mork oversees all technology risk management activities and acts as an advocate for all information security and business continuance best practices.
Social Engineering 101 or The Art of How You Got Owned by That Random StrangerSteven Hatfield
My presentation that was given at North Texas ISSA Second Annual Cyber Security Conference on 4/25/2015. This presentation covers the basics of Social Engineering and provides a good base of knowledge for anyone looking to understand more about this skill, along with where to learn more.
Steven Hatfield, Vulnerability Management Senior Advisor, Dell
Social Engineering 101 or the Art of How You Got Owned by That Stranger
Steven will be covering the basics of Social Engineering, different attack vectors that have worked with real world examples from friends currently conducting such tests, provide different sources to gather information on this topic, and present ways to prevent such attacks from happening in the future.
Presented by Paul Wilson, Director General of APNIC and Chair of APrIGF Multistakeholder Steering Group at the Asia Pacific Internet Leadership Program as part of 2016 APrIGF Taipei
Wait Wait... don't pwn me! at RSA Conference 2015Mark Miller
Test your wits and current security news knowledge against our panel of distinguished guests. Past rock stars include Joshua Corman, Chris Eng, Space Rogue and Matt Tesauro. "Wait Wait... Don't Pwn Me!" is patterned after the NPR news quiz show, where we challenge the panel and the audience with "Bluff the Listener", "This Week's Security News" and "Lightning Fill In the Blank." - See more at: https://www.rsaconference.com/events/us15/agenda/sessions/1826/wait-wait-dont-pwn-me#sthash.KRNR5DnZ.dpuf
Domain 3: Security Engineering - Review (Part 2)
Virtualization and Distributed Computing, System Vulnerabilities, Threats and Countermeasures, Cornerstone Cryptographic Concepts, History of Cryptography, Types of Cryptography and Cryptographic Attacks
Detecting and Catching the Bad Guys Using Deception
Traditional controls are well known for their short comings in the face of modern cyber-attacks. Cyber security technologies will make use of signature based, behavioral, Next Generation capabilities or attempt to augment capabilities by leveraging cloud based or on premise cyber analytics warehouse and threat intelligence feeds via indicator of compromise (IOC) or other mechanisms. Although the later efforts have increased organizational cyber capabilities, they only do so with proper investments in people, process and technology. Additionally, as attackers adapt to defenses, these controls begin to experience decreasing marginal rates of defensive capability.
Deception programs, architectures and technologies endeavor to augment existing cyber security capabilities through the use of honeypots or honey net (decoys) or breadcrumbs or broken glass (deceptions).
Advanced deception technologies are differentiated by the use of distributed deception technology which features agentless, simple deployment capabilities with lightweight deceptions that leverage operating system objects deceive attackers into triggering alerts. Normal users would never trigger the deceptions as an attacker would, resulting in high fidelity alerting with near-zero false positives. Such technology consequently serves to not only augment cyber security capabilities post-breach but provides a new, highly effective post-breach cyber security capability along with precise real-time forensics.
James Muren is a strategist and delivers workshops in cyber security strategy, GRC and security architecture that are used to develop long-term strategies and tactical roadmaps for customers that addresses security for legacy and cloud architectures. As a strategic management consultant and having built fully capable cyber programs in the past, he helps mentor and lead teams for programs & projects in information technology & cyber security. James is primarily focused on the business benefits of cyber security, and the demonstration of those benefits through metrics that can be quickly communicated to executive leadership. By properly integrating security controls within a regulatory and policy context, security programs such as breach and incident response, data governance, forensics, etc. can properly demonstrate value, receive proper investment and adequately secure organizations.
James is also a researcher. His areas of research include: Continuous GRC, cyber analytics, Trusted Computing Group (TCG), Security Automation, Hardware & Software Security, ICS, SCADA, IOT, Malware Research, Full System Security Design Lifecycle and Leap Ahead technology.
This power point presentation is about AWS-ECC508 a chip which is used to protect the IoT cloud of Amazon and design to provide end-to-end security between the IoT and cloud infrastructure.
2. @NTXISSA #NTXISSACSC4
Who Am I?
• CISO at S&P 500/Fortune 500 company
• Former air-drop hacker, security engineer,
penetration tester, RF simulation engineer,
electronics intelligence expert, optician’s
assistant, newspaper delivery boy, software
pirate, party organizer, and short order cook.
• Also known as “Hermit” within the
information security/hacker community
NTX ISSA Cyber Security Conference – October 2-3, 2015 2
3. @NTXISSA #NTXISSACSC4
DISCLAIMERS
• I’m not an expert in cryptography
• While I take cryptography seriously, I don’t
take myself seriously
• I used pictures from the Internet. I’ve listed
the sources I know on the second to last
slide.
• If we can’t have fun with this…
NTX ISSA Cyber Security Conference – October 2-3, 2015 3
5. @NTXISSA #NTXISSACSC4
Agenda
• What is Cryptography?
• Why Cryptography?
• Our Cast
• The Failures
• Honorable Mentions
• Q&A
NTX ISSA Cyber Security Conference – October 7-8, 2016 5
6. @NTXISSA #NTXISSACSC4
What Is Cryptography?
“The process of writing or reading secret
messages or codes.”
- Miriam Webster Dictionary
“The art of writing or solving codes.”
- Oxford English Dictionary
“The scientific field of study related to
protecting or verifying information.”
- Brian Mork
NTX ISSA Cyber Security Conference – October 2-3, 2015 6
7. @NTXISSA #NTXISSACSC4
Why Cryptography?
• Because you lack trust in… something…
• Transmission mediums
• Integrity of communications
• Other people
• Governments
• Cigarette smoking men
• Etc.
NTX ISSA Cyber Security Conference – October 2-3, 2015 7
8. @NTXISSA #NTXISSACSC4
Our Cast
In traditional cryptographic discussions we
would consider the following actors:
• Alice – Someone sending information
• Bob – Someone receiving information
• Eve – Someone eavesdropping
All because Ron Rivest (of RSA fame) used
such terms back in the 1970s.
NTX ISSA Cyber Security Conference – October 2-3, 2015 8
9. @NTXISSA #NTXISSACSC4
Our REAL Cast
Times have changed, and we need heroes who
reflect those times…
NTX ISSA Cyber Security Conference – October 2-3, 2015 9
Alice, as… well… Alice
… Dilbert, as Bob …
… and Catbert, as Eve. Or
evil. Either one/both.
10. @NTXISSA #NTXISSACSC4
And now here’s something
we hope you’ll really like!
NTX ISSA Cyber Security Conference – October 2-3, 2015 10
12. @NTXISSA #NTXISSACSC4
The Scenario
Alice and Dilbert set up a secure website. It’s
amazing. It was hacker proof (just trust me on
this one), with an official certificate and
everything.
Unfortunately, their agents used browsers that
still trusted root certificate authorities that
used MD5 for hashing.
NTX ISSA Cyber Security Conference – October 2-3, 2015 12
13. @NTXISSA #NTXISSACSC4
Failure: MD5 Certificate
So what is MD5?
• Hashing algorithm
• Vulnerable to collisions
• Was still used through 2008 by certificate
authorities
NTX ISSA Cyber Security Conference – October 2-3, 2015 13
14. @NTXISSA #NTXISSACSC4
Failure: MD5 Collisions
What is a collision?
It’s when two different inputs create the same
output.
Why is that bad?
Because… that’s exactly what it’s not
supposed to do!
NTX ISSA Cyber Security Conference – October 2-3, 2015 14
15. @NTXISSA #NTXISSACSC4
Failure: MD5 Collisions
How can we make that worse?
By having a condition where two different
inputs share a function or format, such as
documents and executables
Or, I don’t know… cryptographic material
NTX ISSA Cyber Security Conference – October 2-3, 2015 15
16. @NTXISSA #NTXISSACSC4
Failure: MD5 Collisions
The first MD5 collision was in 2004.
By 2007 colliding executables, documents, and
more were possible and had been
demonstrated, due to chosen-prefix collisions.
Enter the fake certificate authority!
NTX ISSA Cyber Security Conference – October 2-3, 2015 16
17. @NTXISSA #NTXISSACSC4
Failure: MD5 Collisions
Step 1: Generate a pair of certificates with the
same hash but different characteristics (e.g.
make one a CA that can sign anything).
Step 2: Get the benign certificate signed by a
”real” CA and copy that signature to the
malicious one.
Step 3: Profit
NTX ISSA Cyber Security Conference – October 2-3, 2015 17
19. @NTXISSA #NTXISSACSC4
Failure: MD5 Collisions
And what does that give you?
A certificate that can sign literally anything, and
which validates back to a trusted root certificate
authority.
I am
Google
Microsoft
Mr. Robot
Whomever I want to be!
NTX ISSA Cyber Security Conference – October 2-3, 2015 19
20. @NTXISSA #NTXISSACSC4
Failure: MD5 Collisions
NTX ISSA Cyber Security Conference – October 2-3, 2015 20
I am Dilbert. You can
trust this because Alice
said I am. Now tell me
all your secrets.
They’re safe with me.
22. @NTXISSA #NTXISSACSC4
The Scenario
• In an alternate dimension, Alice has
ascended to lead a military force against the
evil feline nation of Catbertia.
• Dilbert, her lead general, needs to
communicate securely with her.
• They decide to deploy one of the most
effective physical cryptographic systems ever
made… the enigmatic… er… Enigma.
NTX ISSA Cyber Security Conference – October 2-3, 2015 22
23. @NTXISSA #NTXISSACSC4
Failure X: Enigma
This is the Engima. It
was a beauty of
engineering. Multiple
rotors, each input
changed the next
encoding, easy to
operate and fiendishly
difficult to brute force.
NTX ISSA Cyber Security Conference – October 2-3, 2015 23
24. @NTXISSA #NTXISSACSC4
Failure X: Engima
How complex was it?
• 3 rotor wheel positions, 5 wheel choices (60
starting combinations)
• 26 starting positions per wheel (17,576
combinations)
• Wheels rotate one another… wiring to
create substitutions… egads!
• 107,458,687,327,250,619,360,000 keys
NTX ISSA Cyber Security Conference – October 2-3, 2015 24
25. @NTXISSA #NTXISSACSC4
Failure X: Engima
Oh, and then there was the fact that Engima
operations used key encrypting keys… really!
The day key was a pre-shared secret used to
encrypt one-time keys called message keys.
Message keys were then used to encrypt
actual messages.
Pretty nifty!
NTX ISSA Cyber Security Conference – October 2-3, 2015 25
26. @NTXISSA #NTXISSACSC4
Catbert Has No Chance!
• It’s true! With that many combinations and
frequency of change there’s no hope for the
empire of evil.
• Then again, people have been known to
make mistakes.
• But I’m sure Alice and Dilbert wouldn’t make
the same ones that their historical
predecessors did. What were those again?
NTX ISSA Cyber Security Conference – October 2-3, 2015 26
27. @NTXISSA #NTXISSACSC4
Failure X: Engima
How was Enigma previously defeated?
• Reuse of rotor settings
• Transmission with multiple ciphers
• Operators often reused the same message
key multiple times (e.g. “cillies”)
• Common message formats
NTX ISSA Cyber Security Conference – October 2-3, 2015 27
28. @NTXISSA #NTXISSACSC4
Failure X: Enigma
• What’s that? Dilbert has taken to using the
day of the week as the message key?
NTX ISSA Cyber Security Conference – October 2-3, 2015 28
30. @NTXISSA #NTXISSACSC4
The Scenario
Alice and Dilbert are joining the modern age.
They visit each other’s houses frequently, and
use each other’s wireless networks.
To be extra safe, they’ve selected Wired
Equivalent Privacy (WEP) to secure their
network. What could possibly go wrong?
Well, since WEP uses a single key that needs
to be protected!
NTX ISSA Cyber Security Conference – October 2-3, 2015 30
31. @NTXISSA #NTXISSACSC4
Failure: WEP
NTX ISSA Cyber Security Conference – October 2-3, 2015 31
They know that Catbert is trying
to intercept their
communications, so they paid a
driver to take the out in the
middle of a mud field in Elbonia.
Once out there, they chose a
super secret password just
between the two of them. This is
now their wireless network
password.
Whew! That was close. Good
thing that sharing the key is the
biggest concern. Right?
32. @NTXISSA #NTXISSACSC4
Failure: WEP
Well, maybe not JUST that… there’s also:
• Poor initialization vectors (IV) size
• Weak IVs
• Weak key space
• Poor key entry (ASCII reduces key space)
• Replay/packet stimulation (when you need
more IVs)
• Chop-Chop Attack!
NTX ISSA Cyber Security Conference – October 2-3, 2015 32
33. @NTXISSA #NTXISSACSC4
Failure: WEP
NTX ISSA Cyber Security Conference – October 2-3, 2015 33
The only thing I like more
than weak crypto is my
enemies using it.
35. @NTXISSA #NTXISSACSC4
Honorable Mention
• Advanced Encryption Standard (AES) –
Electronic Codebook (ECB)
• Same key used over and over
• Block-based encryption
• Known plaintext lookup!
• SmashECB, for example (written by yours truly)
NTX ISSA Cyber Security Conference – October 2-3, 2015 35
36. @NTXISSA #NTXISSACSC4
Honorable Mention
• Clipper Chip – Law Enforcement Access Field
• Included data necessary to recover key
• Only 16-bit hash protecting it
• Bypass and reuse were possible and
demonstrated
• Use of third party LEAF data was possible too!
NTX ISSA Cyber Security Conference – October 2-3, 2015 36
37. @NTXISSA #NTXISSACSC4
Honorable Mention
• Microsoft’s ”Golden Key”
• Booting RT/ARM devices check two things: a
policy (must be signed by Microsoft) and the
operating system (also must be signed by
Microsoft)
• The “Golden Key” is a debug mode policy that
was accidentally shipped, and that policy allows
skipping the check for the operating system
• Presto! Any OS on a Surface/WinPhone/etc.
NTX ISSA Cyber Security Conference – October 2-3, 2015 37
38. @NTXISSA #NTXISSACSC4
Honorable Mentions
And so many, many more…
• WPA - Design
• Dual EC DRBG - Design
• MD4 – Time, mostly
• NIST P- curves (ECC) – Design
• Digital Encryption Standard (DES) – Design
• 3 DES – Design
NTX ISSA Cyber Security Conference – October 7-8, 2016 38
39. @NTXISSA #NTXISSACSC4
Questions
If you’ve got ’em, throw ‘em.
If I know the answer, I’ll give it.
If I don’t, I’ll answer anyways before I disclose
that I have no clue what I’m talking about.
NTX ISSA Cyber Security Conference – October 2-3, 2015 39
40. @NTXISSA #NTXISSACSC4
Miscellaneous
• Picture Credits
• Mulder Image: Pascal Wagler
• Dilbert Characters: Scott Adams
• Engima Machine: TheHistoryBlog.com
• Failure Pictures: The Internet Tubes
• Find Me
• Twitter: @hermit_hacker
• LinkedIn: /in/bcmork
NTX ISSA Cyber Security Conference – October 2-3, 2015 40
41. @NTXISSA #NTXISSACSC4@NTXISSA #NTXISSACSC4
The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)
NTX ISSA Cyber Security Conference – October 7-8, 2016 41
Thank you