Alain Mowat

Alain Mowat is the Head of Research & Development at Orange Cyberdefense Switzerland. He joined the company (then called SCRT) in 2009 as a penetration tester and subsequently led the offensive security team in the same company for many years until turning towards R&D. While still performing various engagements throughout the year, Alain is also dedicated to exploring new approaches to be used by the offensive security industry to better secure client infrastructures.

Aside from these activities, Alain was an active member in the 0daysober CTF team that finished 3rd at DEFCON CTF in 2015 and has responsibly disclosed vulnerabilities in multiple products such as Citrix NetScaler, SonicWall, Barracuda, Twitter and McAfee.

Alain is also responsible for giving various security-related trainings at Orange Cyberdefense Switzerland and has presented at several conferences, such as Insomni’hack, where he is also one of the organisers, Secure IT VS, CyberSecurity Alliance, SIGS and Area41.


Session

10-23
11:45
30min
Wyse Management Subversion : Taking over Dell's Wyse Management Suite
Alain Mowat

By its own definition, Dell's Wyse Management Suite is "a secure hybrid cloud management solution for Dell thin clients". While attempting to determine how secrets are encrypted in the policies pushed to thin clients, we stumbled down a rabbit hole which led to the discovery of multiple vulnerabilities.

These vulnerabilities allow an attacker not only to decrypt the secrets from policies issued to arbitrary devices, but also to fully compromise the Wyse Management Suite server, which in turn allows taking over all the devices in the thin client fleet.

While these issues are already important in the case of on-premise deployments, the risk is even higher in Dell's own cloud environment, where tenant isolation is not sufficient to prevent exploitation from one tenant to another.

topic: hack.lu
Europe