Loading…
This event has ended. View the official site or create your own event → Check it out
This event has ended. Create your own
Welcome to the full schedule of the OWASP AppSec Research EU 2014 conference days
View analytic
Thursday, June 26 • 16:00 - 16:50
Shameful Secrets of Proprietary Network Protocols

Sign up or log in to save this to your schedule and see who's attending!

There is a big bunch of tools offering HTTP/SSL traffic interception. However, when it comes to penetration tests of specialized embedded software or thick clients, we often encounter proprietary protocols with no documentation at all. Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. Though, based on our experience, it very often hides a shameful mystery - completely unsecured mechanisms breaking all good coding practices.

We would like to present our approach and a short guideline how to reverse engineer proprietary protocols - a world full of own implementations of asymmetric cryptography, revertible hash algorithms, lack of user authentication and no function or data access control at all.

To demonstrate, we will show 5 case-studies - most interesting examples from real-life financial industry software, which in our opinion are aquintessence of "security by obscurity". We will talk about homeautomation, embedded pull printing software in multifunction printers (MFP), remote desktop protocols and twisted vulnerabilities in FOREX trading software, which is particularly risky business regarding security.

Speakers
SJ

Slawomir Jasek

IT security consultant with over 10 years of experience. Participated in | many assessments of systems' and applications' security, for leading | financial companies and public institutions, including a few dozen | e-banking systems. Currently focuses on consulting design of secure | solutions for various projects during all the phases - starting from a | scratch. For 8 years has been working with SecuRing.
avatar for Jakub Kaluzny

Jakub Kaluzny

Sr. IT Security Consultant, SecuRing
Jakub is a Senior IT Security Consultant at SecuRing and performs penetration tests of high-risk applications, systems and devices. He was a speaker at many internetional conferences: BlackHat Asia, OWASP AppSec EU, PHdays, HackInTheBox, ZeroNights as well at local security events. Previously working for European Space Agency and internet payments intermediary. Apart from testing applications, he digs into proprietary network protocols... Read More →


Thursday June 26, 2014 16:00 - 16:50
LAB003
  • Company 83

Attendees (7)