Hacking KPN: Lessons from the trenches

Presented at BruCON 0x08 (2016), Oct. 28, 2016, 11:30 a.m. (60 minutes)

This talk will dive into three very different but equally interesting vulnerabilities, from the perspective of the in-house penetration testing done by the KPN (Royal Dutch Telecom) REDteam. We will not only go into the technical details of the vulnerabilities, but also share some tips and tricks on how we handle things like reporting, emotional counselling of internal stakeholders, browbeating vendors, etc. One vulnerability will demonstrate how pervasive the relatively recently announced Java Deserialisation vulnerability is (even among a big enterprise cloud player who should know better). This will show an interesting example of where the Java Deserialisation vulnerability can show up and we will also release an update to a tool to detect this variation. We will guide you through the process of discovery and exploitation via an enterprise mobile app that was completely unexpected. Another vulnerability (disclosed to the vendor, but not yet publicly released) will demonstrate how simple it sometimes is to bypass or abuse "enterprise grade" solutions, in this case a security device for mobility management/single sign-on. Some of you might also be suffering through vulnerability disclosures and because pain shared is pain divided, we'll go into how the KPN-CERT has tried to deal with this vulnerability disclosure. The last vulnerability will demonstrate the finer points of reverse engineering crypto out of a custom in-house developed binary with a surprising KISS lesson learned weeks after testing was complete. You can expect to see ImmunityDebugger at work here with useful tips and tricks for getting to the core of crypto functionality and then extracting it out for fun and profit (ok, maybe not profit). Some company and product names have been censored to protect the guilty ;-)

Presenters:

  • Bouke van Laethem
    Bouke has been (legally) breaking stuff (or rather, finding stuff that's broken) since 2007. Fittingly equipped with a master's in Ancient History, he has been throwing himself at IT security armed with two of the most dangerous questions: "surely this won't work?" and "what does this button do?"
  • Jeremy Goldstein
    Jeremy is the team lead of the KPN (Royal Dutch Telecom) REDteam based in Amsterdam, The Netherlands. He has over 10 years' experience in penetration testing and has also spent plenty of time doing incident response and some threat intel. Jeremy enjoys coding and almost anything sufficiently technical... even though he's a team lead. Prior to joining KPN, Jeremy helped build and run a successful penetration testing, incident response and threat intelligence team at the Australian Taxation Office.
