How White Hat Hackers Operate - TeleTrusT

Posted on 17-Oct-2020

4 views

Category:

Documents


0 download

TRANSCRIPT

Page 1

How White Hat Hackers Operate

Andreas Falkenberg, Senior Security Consultant, SEC Consult Deutschland Unternehmensberatung GmbH

Page 2

About me

Andreas Falkenberg, M.Sc.

[email protected]

Security Consultant @ SEC Consult

- Source code audits

- (Web) application penetration tests

- Internal / external network audits

Speaker @

- OWASP AppSecEu 2011, Dublin, Ireland

- IEEE ICWS 2013, Santa Clara, CA, USA

- ISACA Chapter Meeting, August 2014, KL, Malaysia

Lecturer @ FH Technikum Wien, AT

- Web App Security SS 2014, Web App Security WS 2014/2015

© Andreas Falkenberg, SEC Consult Deutschland Unternehmensberatung GmbH, 2015

Page 3

(World map of SEC Consult locations: Canada, US, Germany, Austria, Lithuania, Central and Eastern Europe, Moscow, Qatar, India, Singapore)

SEC Consult in a Nutshell

- 50+ White Hat Hackers

- ISO/IEC 27001 certified

- Delivery Centers in Austria, Germany, Lithuania, Singapore, Switzerland

- Strong customer base in Europe and Asia

- Established 2002


Page 4


White Hat Hackers find…

- REAL vulnerabilities in…

- REAL software.

- REAL consequences are the result if those vulnerabilities are exploited!

… and disclose them responsibly.


Page 5

Responsible Disclosure Process

… A defined process on how to publish vulnerabilities

… "rules of engagement" for White Hat Hackers.

Responsible Disclosure

1. Identification of Vulnerability

2. Vendor Notification

3. Vulnerability Validation and Resolution

4. Public Disclosure


Page 6

Responsible Disclosure – A Well Defined Process

Step 1: Identification of Vulnerability

- Be creative!

- Be confident!

- In Capture the Flag Events

- In Courses at University / School

- @ SEC Consult

- In Customer Projects

- As a Researcher



Page 8

Responsible Disclosure – A Well Defined Process

Step 1: Identification of Vulnerability (example)

AVG Admin

(Diagram: AVG Admin Server; Admin Client running Admin.exe; several managed Clients)

Problem: AuthN logic on client-side

Problem: All users / PW-hashes sent to client during AuthN
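To make the two problems on this slide concrete, here is an added Python sketch (not code from the deck, from SEC Consult or from AVG) that models a login where the server hands the user table to the client and the client decides, beside a server-side check that returns only a session token. The user table, salt and password are constructed sample values; the function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential store (not from the original deck):
# username -> (salt, PBKDF2-HMAC-SHA256 hash of the password).
def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT_ALICE = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {"alice": (_SALT_ALICE, _pbkdf2("correct horse", _SALT_ALICE))}

# Vulnerable design (as on the slide): the server returns the whole user
# table, and the client decides locally whether the login succeeded.
def server_login_vulnerable(_username: str) -> dict:
    # Every hash is sent to any client that connects, before it has
    # proven anything; the username is not even used.
    return {u: {"salt": s.hex(), "hash": h.hex()} for u, (s, h) in USERS.items()}

def client_login_vulnerable(username: str, password: str) -> bool:
    table = server_login_vulnerable(username)
    rec = table.get(username)
    if rec is None:
        return False
    # Nothing on the server side depends on this result: a modified
    # Admin.exe could simply return True.
    return _pbkdf2(password, bytes.fromhex(rec["salt"])) == bytes.fromhex(rec["hash"])

# Hardened design: the server verifies the password itself and returns only
# an opaque session token (or None). Hashes never leave the server.
SESSIONS = {}  # token -> username

def server_login_fixed(username: str, password: str):
    rec = USERS.get(username)
    # Verify against a dummy record for unknown users so response time
    # does not reveal whether the username exists.
    salt, stored = rec if rec else (_SALT_ALICE, bytes(32))
    if rec is None or not hmac.compare_digest(_pbkdf2(password, salt), stored):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token

def leaked_hash_count(response: dict) -> int:
    """Number of password hashes a login response exposes to the client."""
    return sum(1 for v in response.values() if isinstance(v, dict) and "hash" in v)
```

The check a reviewer would run is leaked_hash_count on the vulnerable response from an unauthenticated caller: it is already 1 (every stored user) before any password is checked, while the fixed server returns nothing but a token or None.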


Page 9

Responsible Disclosure – A Well Defined Process

Step 2: Vendor Notification

Notification over a secure channel…


Page 10

Responsible Disclosure – A Well Defined Process

Step 2: Vendor Notification

Notification over a secure channel (not always easy)


Page 11

Responsible Disclosure – A Well Defined Process

Step 3: Vulnerability Validation and Resolution

Vendor provides fix and publishes patch (fast!?)…

~ 1 year till patch

Is this Responsible Disclosure?


Page 12

Responsible Disclosure – A Well Defined Process

Step 3: Vulnerability Validation and Resolution

Vendor provides fix and publishes patch (or not)…


Page 13

Responsible Disclosure – A Well Defined Process

Step 4: Public Disclosure

https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


Page 14

Responsible Disclosure Done

Responsible Disclosure…

- … is the "rule of engagement" for a White Hat Hacker.

- … a fun process with some interesting twists & turns.

- … shows how (in)significant security is to certain vendors.


Page 15

We want you!

- Internship Junior Security Consultant

- Security Consultant

- White Hat Security Specialist

[email protected]


Page 16

Q && A

Thank you!
