BruCON 0x08 has ended
Friday, October 28 • 11:30 - 12:30
Hacking KPN: Lessons from the trenches

This talk will dive into three very different but equally interesting vulnerabilities, from the perspective of the in-house penetration testing done by the KPN (Royal Dutch Telecom) REDteam. We will not only go into the technical details of the vulnerabilities, but also share some tips and tricks on how we handle things like reporting, emotional counselling of internal stakeholders, browbeating vendors, etc.

One vulnerability will demonstrate how pervasive the relatively recently announced Java Deserialisation vulnerability is (even among a big enterprise cloud player who should know better). This will show an interesting example of where the Java Deserialisation vulnerability can show up and we will also release an update to a tool to detect this variation. We will guide you through the process of discovery and exploitation via an enterprise mobile app that was completely unexpected.
Another vulnerability (disclosed to the vendor, but not yet publicly released) will demonstrate how simple it sometimes is to bypass or abuse "enterprise grade" solutions, in this case a security device for mobility management/single sign-on. Some of you might also be suffering through vulnerability disclosures and because pain shared is pain divided, we'll go into how the KPN-CERT has tried to deal with this vulnerability disclosure.
The last vulnerability will demonstrate the finer points of reverse engineering crypto out of a custom in-house developed binary with a surprising KISS lesson learned weeks after testing was complete. You can expect to see ImmunityDebugger at work here with useful tips and tricks for getting to the core of crypto functionality and then extracting it out for fun and profit (ok, maybe not profit).
Some company and product names have been censored to protect the guilty ;-)

Speakers
Jeremy Goldstein

Jeremy is the team lead of the KPN (Royal Dutch Telecom) REDteam based in Amsterdam, The Netherlands. He has over 10 years' experience in penetration testing and has also spent plenty of time doing incident response and some threat intel. Jeremy enjoys coding and almost anything sufficiently...

Bouke van Laethem

Bouke has been (legally) breaking stuff (or rather, finding stuff that's broken) since 2007. Fittingly equipped with a master's in Ancient History, he has been throwing himself at IT security armed with two of the most dangerous questions: "surely this won't work?" and "what does this...


Friday October 28, 2016 11:30 - 12:30 CEST
01. Westvleteren University