Profile

Who am I ?
Name: Thierry Zoller

Location: Luxembourg
Age: 30
Social Networks:· Linked-in · Twitter

I have been into IT Security research, made publications and participated in security grass root movements since over 13 years. I led a security software company, worked as a Senior Security Consultant/Engineer and directed the product security group at a well known international security company.

I have over 13 years of hands-on security background, am a lecturer at international security conferences, and member of the European ISC2 CSSLP advisory board.

Talks / Lectures

• 2006 - Hack.lu - Bluetooth Hacking Revisited
  Coverage: Symantec, Heise, Network Computing, Tecchannel , Info-Point security
  
• 2006 - Minerva - Organised by the European Union, EUBAM
• 2006 - CCC 23C3 - Bluetooth Hacking Revisited
  Coverage: Heise, H-online, Magnus, Google Video
  
• 2007 - IT-Sicherheits Forum - Scheunentor Bluetooth
• 2007 - High Level Security Board - Bluetooth Unsicherheiten
• 2007 - Heisec - Scheunentor Bluetooth
• 2007 - M-Vision - Scheunentor Bluetooth – wie man Handys ausspionieren kann
• 2007 - Hack.lu - The death of AV Defence in Depth ?"
  Press coverage: Heise, Washington Post, Security Focus, Infoworld
• 2008 - High Level Security Board - Security Metrics and beyond
• 2008 Cansecwest - “The Death of AV Defense in Depth – Revisiting AV Software”
  Press coverage: Computerwoche Le Monde Informatique

Vulnerabilities

2009

• [TZO-01-2009] Multiple Avira Antivir Denial of Service (remote) - BID33270
• [TZO-02-2009] Avira Antivir Privilege escalation - BID33291
• [TZO-04-2009] IBM Proventia multiple bypasses (forced release) - BID34345
• [TZO-12-2009] SUN Java Remote code execution - BID34667
• [NON-TZO-Release] Internet Explorer 5 & 6 Remote code execution - BID31618
  
• [NON-TZO-Release] Jscape SSH Man-in-the-Middle through key validation error- BID29882
• [TZO-26-2009] Firefox Denial of Service (unclamped loop) forced disclosure
  
• [TZO-27-2009] Firefox Denial of Service (Keygen) forced disclosure - BID35132

2008

• [NO-TZO Release] F-Secure CAB,RAR evasion

2007

• [TZO-1-2007] Citrix SSL-VPN Remote code execution (pre-auth) - US CERT 555200

2006

• [TZO-01-2006] F-Secure Remote code execution vulnerability in ZIP RAR
  
• [TZO-02-2006] F-Secure Anti-virus Bypass - CVE-2006-0337
• [TZO-04-2006] Safe'nsec HIPS & Anti-Spyware- Priviledge Escalation
• [TZO-05-2006] XAMPP - Multiple Priviledge Escalation and Rogue Autostart
• [TZO-06-2006] When you trust WehnTrust - Priviledge Escalation
• [TZO-07-2006 ] Zango Adware - Insecure AutoUpdate and remote file execution
  

2005

• [TZO-01-2005] F-prot Antivirus bypass - ZIP
• [TZO-02-2005] Silent Firefox Adware Install - Proof of concept
• [TZO-03-2005] CheckPoint VPN-1 SecureClient Privilege escalation

Anti-virus bypasses/evasions

• [TZO-25-2009] Panda generic evasion (TAR) - BID35027
  
• [TZO-24-2009] Panda generic evasion (CAB) - BID35027
• [TZO-23-2009] Bitdefender generic evasion (PDF) - BID35010
• [TZO-22-2009] Avira Antivir generic evasion (PDF) - BID35008
  
• [TZO-21-2009] F-Prot CAB bypass / evasion - BID34896 - CVE - DOE CIRC
• [TZO-20-2009] AVG ZIP bypass / evasion -BID34895
  
• [TZO-18-2009] Mcafee RAR,ZIP multiple evasions -BID34780
  
• [TZO-17-2009] Trendmicro RAR,ZIP,CAB evasion (no patch) -BID34763
  
• [TZO-16-2009] Nod32 CAB bypass / evasion - BID34764
  
• [TZO-15-2009] Aladdin eSafe generic evasion / bypass - BID34726
  
• [TZO-14-2009] Comodo RAR evasion - BID34737
  
• [TZO-13-2009] Avira Antivir ZIP evasion - BID34723
  
• [TZO-11-2009] Fortinet - Generic evasion (Limited details) - BID34583
  
• [TZO-10-2009] Nod32 - Generic evasion (Limited details) - BID34764
  
• [TZO-09-2009] Avast! - Generic evasion (Limited details) - BID34578
  
• [TZO-08-2009] Bitdefender - Generic evasion (Limited details) - BID34580
  
• [TZO-07-2009] F-Prot - ZIP Method evasion - BID15293 - CVE
• [TZO-06-2009] IBM Proventia - Generic evasion (Limited disclosure)
• [TZO-05-2009] ClamAV below 0.95 - Generic evasion (Limited disclosure) - BID34344

Past security projects

• TLSecurity
• GRCs***s
  

Research and Development :

[ BTcrack 1.11 (Win32) ]

BTCrack is the worlds first Bluetooth Pass phrase (PIN) bruteforce tool, BTCrack will bruteforce the Passkey and the Link key from captured Pairing* exchanges. To capture the pairing data it is necessary to have a Professional Bluetooth Analyzer : FTE (BPA 100, BPA 105, others), Merlin OR to know how to flash a CSR based consumer USB dongle with special firmware. As of version 1.1, BTcrack started to include FPGA support through picocomputing.

[ BTCrack GPL ]
This is a straight forward linux port of BTCrack. Should work with most other unixes too, code is nearly ansi clean, except for strdup(), but I guess every OS should have this by now.

[ Secure-IT ]

Secure-It ™ is a local Windows security hardening tool, pro actively secure your PC by either disabling the intrusion and propagation vectors pro actively or simply reduce the attack surface by disabling unimportant functions.

It secures Windows desktop PCs aswell as Internet servers against new dangers by blocking the root cause of the vulnerabilities exploited by malware, worms and spy ware. Secure-it had a track record of preventing several 0-day exploits pro actively

History of real-life proactive protection :

- 2004 Protected against the Help Active X control exploit in advance.

- 2004 Protected against the second Help Active X control exploit not correctly patched in advance.

- 2004 Protected against the DHTML Active-x Control exploit in advance.

- 2005 Protected against the Microsoft MSHTA Script Execution Vulnerability in advance.

Note: Secure-it last update was in 2005 and some settings, like the active-x blacklist are outdated and should no longer be used.

[ Harden-it ]

Harden-It™ is a Network and System hardening tool for Windows, by hardening the IP stack your Network can sustain or completely thwart various sophisticated network attacks

- Harden your server's TCP and IP stack (Netbios, ICMP, SYN, SYN-ACK..)

- Reduces or mitigates effects from DoS and other network based attacks

- Enable SYN flood protection when an attack is detected

- Set the threshold values that are used to determine what constitutes an attack

- Various other protections.

History of real-life proactive protection :
- 2006 Protected against the Windows IGMP Denial of service attack in advance.

[ Remote Administration Tool ]

Remote Administration Tool is a small free remote control software package derived from the popular TightVNC software. With "Remote Administration Tool", you can see the desktop of a remote machine and control it with your local mouse and keyboard, just like you would do it sitting in the front of that computer. Small, easy, no installation required.

[ CSS-DIE ]
CSSDIE is a community-developed utility for verifying browser integrity, written by H D Moore, Matt Murphy, Aviv Raff, and Thierry Zoller. CSSDIE will look for common CSS1/CSS2/CSS3 implementation flaws by specifying common bad values for style values. This utility may cause the browser to "freeze" for a long period of time, this is OK, and interrupting the process will prevent all the tests from completing. Some browsers will raise a warning if a script is taking too long to execute - you will need to click "No, do not abort" or the equivalent to allow all tests to complete.

[ Omron Communicator ]
This software is based on my efforts to reverse engineer Hitachi Omrons Hybrid Card readers. Omron Card readers are used in various commercial setups. Identity management, payement systems, parking systems are a few of these. The effort displayed on this blog is purely done out of research and awareness purposes.

Papers - Please get the Sarcasm

[ The Influence of Bayesian Methodologies on Algorithms ]

Consistent hashing must work. Given the current status of random configurations, bi- ologists famously desire the deployment of PKI, which embodies the intuitive principles of cryptoanalysis.

[ Signed, Large-Scale Methodologies for Public-Private Key Pairs ]

The implications of certifiable configurations have been far-reaching and pervasive. After years of confirmed research into flip-flop gates, we disprove the analysis of robots that would make simulating context free grammar a real possibility, which embodies the confusing principles of stenography.

[ Moo : Investigation of Hierarchical Databases ]

Our focus in this work is not on whether multi-processors can be made authenticated, random, and empathic, but rather on presenting new semantic communication (Moo).

[ A Methodology for the Exploration of DNS ]

The study of the location-identity split has evaluated linked lists, and current trends suggest that the analysis of evolutionary programming will soon emerge.

[ Valence : Simulation of Thin Clients ]

Unified optimal symmetries have led to many extensive advances, including SCSI disks and agents [10]. After years of appropriate researchinto cache coherence, we prove the improvement of digital-to-analog converters, which embodies the robust principles of cryptoanalysis. Valence, our new heuristic for the construction f rasterization, is the solution to all of these problems.

[ ApodAni : A Methodology for the Analysis of Compilers ]

The emulation of erasure coding is an essential challenge. ApodAni, our new framework for pseudo random theory, is the solution to all of these grand challenges.

Hardware Hacking

[ Bluetooth Sniper Weapon ]

This is my version of the the Bluetooth Sniper weapon, it features a medium sized YAGI antenna combined with a 10* magnification scope and a metallised parabolic which may bundle the Bluetooth signal, thus further enhancing the range.

[ USB HW Fuzzer ]

A long term project with reards to USB devices and security.