Schedule for 2016

Thursday Oct 27, 2016
08:30 Registration and Morning Coffee: Powered by Unknown sponsor
09:15 Opening Words, Tomi Tuominen
09:30 Keynote: Learning the wrong lessons from Offense
Haroon Meer
10:30 Coffee
10:50 Ghosts of the Past
Peter Kosinar
11:50 Lunch
13:00 Nano-Scale Red Teaming: Making REs Cry With Device-Specific Opaque Execution
Jacob Torrey
Assured Information Security
Building Management System Security
Egor Litvinov
Digital Security
14:00 Break
14:20 DVB-T Hacking - I can hack your shows
Amihai Neiderman
Georg Wicherski
15:20 Coffee
15:50 Sweet Tools O' Mine - because you don't hunt lions with blanks
Hugo Teso
16:50 Closing Words for the 1st day, Tomi Tuominen
17:00 Cocktails & Networking: Powered by Nixu
18:30 Cocktails & Networking ends
19:00 Afterparty: Powered by F-Secure
21:00 Afterparty ends

Friday Oct 28, 2016
09:30 Morning Coffee: Powered by Unknown sponsor
10:00 Dive into the dark web
Juha Nurmi
11:00 Coffee
11:20 One template to rule'em all
Kostas Lintovois
MWR InfoSecurity
Hardened Linux 101
Timo Teräs
Alpine Linux
12:20 Lunch
13:20 Windows OPSEC, where are the attackers hiding
Jarno Niemelä
How to fool an ADC II or attacks against data processing in sigma-delta
Alexander Bolshev
14:20 Coffee
14:40 Solving the t2'16 Challenge
Ludvig Strigeus & Timo Hirvonen
15:40 Closing Words, Tomi Tuominen
16:00 Conference Ends

Keynote: Learning the wrong lessons from Offense

Haroon Meer @ Thinkst

Since the early '90s, when Dan Farmer and Wietse Venema wrote "Improving the Security of Your Site by Breaking Into It", people have been talking about learning to "think like attackers". Countless tutorials, books and blog posts have been dedicated to getting defenders to learn from offense. This hasn't been particularly successful.

In this talk we posit that part of the reason for this failure is that we have been trying to teach the wrong things, and have probably been missing the most important (and useful) lessons of all.

This talk aims to uncover the secret reasons that offense has been kicking defense all over the board, and hopes to help start reversing this trend.

Haroon Meer is the founder of Thinkst (the company that builds ...). Haroon has contributed to several books on information security and has published a number of papers on various topics related to the field. Over the past decade (and a half) he has delivered research, talks, and keynotes at conferences around the world.

Ghosts of the Past

Peter Kosinar @ ESET

Targeted malware can be like a supernova: once it is discovered and publicly exposed, it enjoys its 15 minutes of glory... but what happens to it afterwards? Does it disappear into nothingness, or does it keep lurking around, waiting to reappear?

We looked at a few well-known and not-so-well-known representatives, ranging from the noble Dukes and the philosopher Galileo, through the router-lurking Reincarna, all the way to the simple direct-action destroyers of Sony fame, to see whether their public exposure had any effect on their nefarious doings... or those of their followers.

After spending a few years in computer security as an independent researcher, Peter joined ESET more than a decade ago as a malware researcher and later became one of the core developers behind its detection technology. Nowadays his primary focus has shifted toward detailed investigation of cases of particular interest (including targeted attacks, non-standard attack vectors and cryptanalysis), crime attribution and subsequent interaction with law enforcement. In addition to his job, he gives occasional lectures for high-school and university students on topics related to computer security.

Nano-Scale Red Teaming: Making REs Cry With Device-Specific Opaque Execution

Jacob Torrey @ Assured Information Security

This talk will begin by examining architectural “tells” that can be utilized to detect the presence of analysis tools, even those with higher privilege/stealth capabilities than the attacker. These tells can be combined in a way that proves (attests) to the attacker that the system is not under inspection before continuing the campaign or dropping sensitive data/code to the host. After the theory has been described, a demonstration will be provided that remotely attests the presence (or lack thereof) of tampering with the binary, introspection from a VMM or SMM, etc.

Once you can be confident that you’re not being monitored, the second part of this talk will provide some techniques for using nano-scale hardware artifacts as a root of trust. Physically unclonable functions (PUFs) can be used to attest that the system has not been changed or emulated, and provide good sources of device-specific keying material. A few PUFs present on COTS systems will be discussed and demonstrated to provide you with additional assurance that your implants remain unmolested.

TL;DR: With these tools/techniques you can work towards realizing “trusted” implant networks that can detect observation and evade analysis or theft of sensitive data/code.

Jacob Torrey is an Advising Research Engineer at Assured Information Security, Inc., where he leads the Computer Architectures group and acts as the site lead for the Colorado branch. Jacob has worked extensively with low-level x86 and MCU architectures, having written a BIOS, OS, hypervisor and SMM handler. His major interest is how to (mis)use an existing architecture to implement a capability currently beyond the limitations of that architecture. In addition to his research, Jacob volunteers his time organizing conferences in Denver (RMISC & BSidesDenver) and regular meet-ups across the Front Range. Twitter: @JacobTorrey

DVB-T Hacking - I can hack your shows

Amihai Neiderman @ Equus

DVB-T is a standard for digital television broadcasting. The standard requires a consumer who wants to watch digital television broadcasts to purchase a special device that can receive and process the RF signals. In my research I wanted to be able to exploit a DVB-T receiver via an over-the-air attack: sending a specially crafted data packet over an RF signal and taking over the device.

The research was focused on a common receiver in Israel and Europe made by a Chinese company called MSTAR. The receiver itself is an embedded MIPS device which runs an embedded operating system. During the research I managed to extract the firmware from the flash memory chip on the board and analyze the binary dump. I reversed some of the main functions in the OS and built a custom embedded debugger in order to be able to perform live debugging, and eventually found and exploited a vulnerability in the DVB-T protocol which allowed me, using a USRP kit, to exploit every DVB-T receiver in an area of a few hundred meters.

My name is Amihai Neiderman, 27 years old. I have worked with computers for the last 20 years, doing everything from high-level programming to bare-metal electronics. I've always programmed for fun and problem solving, and eventually found myself in the world of information security after finding "bugs" in websites competing with my own. For the past 8 years I have mostly done vulnerability research in Windows, Linux and various embedded devices.

Today I work for a company as a lead researcher in the field of mobile vulnerability research (I hack stuff).

Building Management System Security

Egor Litvinov @ Digital Security

Every modern business center, skyscraper or even your house is automated. Building automation technologies have become widespread over the last decade because they reduce financial expenses and increase the level of comfort. BACnet is the most common solution for BMS; however, it is often used only as a high-level communication technology. On the lower layers there is a variety of different field protocols whose main task is interaction between sensors/actuators and transmitting the current state to the upper-level systems. KNX, or KNX/EIB, is one of the protocols that provides this low-level communication.

In this talk we will speak about the security of KNX from the lowest layer, where an attacker can only connect to the twisted-pair wiring from outside the secure perimeter. It's easier than it may seem: for example, in every room of your office there are smart push buttons, sensors and other devices which are connected to the KNX bus.

When I started this research, there were no tools for researching this protocol. So, firstly, I reverse engineered the protocol to study how it works in terms of physical processes, and then I wrote pyKNXtools, which allows scanning the network, reading and writing the memory of any KNX node, managing any KNX node and, if necessary, providing memory protection against rewriting.

At the end of the presentation I will show a proof-of-concept video in which we will see how to connect to a KNX twisted-pair line, read/write the memory of a node and manage it.

I am an infosec specialist at Digital Security. I specialize in the security of ICS and embedded devices, have dedicated a lot of time to programming industrial controllers for ICS, and have taken part in smart home development projects.


Georg Wicherski @ CrowdStrike

Are you very sad that your exploit ended up getting leaked as a teaser for an auction in Bitcoin? TESO could have told you how to protect your exploits against leaking back in 2000 already. The story is even more puzzling when you see that the same people whose stuff leaked had modelled against this scenario in other cases, deploying to Lebanon.

In this talk we will briefly recap historic exploit and malware protective measures, covering things like burneye and the Gauss malware. To add some real value, we will look at modifying UPX to create your own modern ELF protector.

Georg Wicherski is Manager of Information Dominance at CrowdStrike. He enjoys all kinds of low-level work on x86 and ARM, including reverse engineering, binary exploitation and code development. He has co-authored the Android Hacker's Handbook.

Sweet Tools O' Mine - because you don't hunt lions with blanks

Hugo Teso @ F-Secure

This is not another talk about how to hack [TARGET HERE]. By now we all know that, given enough time, almost everything is "pwnable" and that every day more and more weird stuff is hackable. Lately, in every conference there are a bunch of talks about "How to hack [TARGET HERE]" that add nothing new as it's the same techniques and tools against the same software but running on a different platform. An SQL injection in a web interface is still an SQL injection... and it's still boring.

If there's one thing I love about security, it is tools; I enjoy creating them and I rarely use a tool created by others. And if there is another thing I also love, it is offensive security. So this talk is about some offensive security tools, devices and methodologies I have developed over time.

I will present offensive tools such as rootkits and payloads, fuzzers and disassemblers, and the methodology I usually follow to use them. Nothing brand new here, although the tools presented are quite nice, and attendees will learn a few tricks here and there and understand the motivations and benefits of writing your own tools.

After that, the talk will move from software to hardware. I will show how I have "weaponized" some hardware devices in order to target specific environments where the use of a laptop may not be stealthy enough. And no, by devices I don't mean just another Raspberry Pi ;-)

Finally, I will explain the process I followed to prototype some hardware devices made specifically for offensive security, and how I ended up trying to design and create my own hardware from the ground up. The scenarios and targets for these devices are different from normal computer networks: uncommon RF networks, buildings, drones, etc. This was a new journey for me, which means that no previous knowledge of hardware design is expected; I will share my experience and, hopefully, help and encourage the attendees to try it themselves.

Hugo Teso works as Head of Aviation Cyber Security Services at F-Secure, hates talking about himself in the 3rd person, and has been working in IT security for the last 16 years. Also being a commercial pilot, he soon focused his attention on aviation security. Alongside the development of some open source projects, like Inguma and Bokken, he has spent a lot of time on aviation security research and has presented some of the results at conferences like RootedCon, HITB, T2, SEC-T and CyCon. No, neither Blackhat nor Defcon... and happy with it :-)

Dive into the dark web

Juha Nurmi

This presentation explores usage patterns of the Tor network:

• What is this great technology called Tor?
• How does Tor support human rights?
• How do cyber criminals use Tor?
• To what extent do Finnish people buy illegal drugs using Tor?

Juha Nurmi is the founder and project leader of the Ahmia search engine and a voluntary member of the Tor Project.

He is a security researcher and data scientist, and has been involved in numerous projects funded by both the commercial and government spheres, including the DARPA Memex project in Silicon Valley and Kinkayo Ltd in Singapore.

Juha is also a noted lecturer and public speaker. Juha's work on Ahmia has been in part sponsored by the Google Summer of Code and he is mentoring Summer of Code 2016.

One template to rule'em all

Kostas Lintovois @ MWR InfoSecurity

Current attack vectors indicate that malware families are still abusing Microsoft Office's functionality to attack unsuspecting victims and formulate attacks against today's businesses. Cracking the perimeter is no longer a requirement in order to obtain a foothold within a target environment. As the Office suite is an integral tool in business today, such attack vectors stay current and relevant.

This presentation will walk the audience through the different configurations and mitigating controls made available by Microsoft over the years. It will discuss various known bypasses and highlight Office templates and the ways they can be used to assist in different stages of an APT life cycle. More specifically, in this talk we demonstrate how they can be used as a covert persistence mechanism as well as for asynchronous C2 communications. Furthermore, the presentation identifies how these templates can be used as a mechanism for native code execution in locked-down environments where VBA is explicitly disabled.

The talk will include the demonstration and release of a new tool that generates architecture-independent VBA code to be used in an Office template and capable of enumerating a target system's configuration. The generated implant evaluates the applied security controls and decides what the appropriate attack elements should be in order to reliably bypass application control and circumvent EMET's mitigations.

Kostas Lintovois is a senior security consultant at MWR InfoSecurity. He has over 10 years of experience in the security industry, holds a BSc in Computer Science and an MSc in Information Security. Kostas' primary areas of expertise are infrastructure and application security with focus on Red Teaming, post exploitation and attack detection. Kostas is a CREST Certified Infrastructure Tester.

Windows OPSEC, where are the attackers hiding

Jarno Niemelä @ F-Secure

Anyone who has been doing forensics knows that either attackers are easy to find, or you end up spending numerous hours on the task and still come up dry.

There are various tricks that can speed up forensics, but there are also anti-forensics tactics attackers can employ, using those same tricks to make their creations look trustworthy. This presentation is an overview of the most common and not-so-common methods attackers use to hide, and what you can do to counter those methods.

Jarno Niemelä has spent the past 16 years at F-Secure security lab working on analyzing and identifying malware and malicious behavior and planning automatic malware handling systems. His current duties focus on planning new cyber-defense systems for F-Secure corporate products. Keen on data science and on analyzing attack and malware behavioral patterns, he also teaches corporate cyber defense security at Metropolia University of Applied Sciences. He is also a regular speaker at various cybersecurity events.

Hardened Linux 101

Timo Teräs @ Alpine Linux

Discussion of Linux application hardening techniques (e.g. SSP, ASLR, Fortify, RELRO). We take a deep dive to see how it all works at the assembly-code level, and include a look at the big picture: how the kernel, C library and compiler all need to work together to implement them.

Teräs (Engl. "Man of Steel") was, according to legend, born with a keyboard. He first typed in MSX BASIC, and grew up size-optimizing x86 assembly and writing C. Modern-day work includes Alpine Linux development, and reverse engineering Cisco DMVPN and implementing it for Linux. Also known as Mr. Double Elegance of the T2 Challenges.

How to fool an ADC II or attacks against data processing in sigma-delta

Alexander Bolshev @ IOActive

We live in the analog world but program and develop digital systems. The key element connecting these two worlds is the ADC (analog-to-digital converter), a small integrated circuit (IC) that transforms a physical variable (current or voltage) into a bunch of bytes. Most modern systems that interact with the real world (like embedded systems, industrial control systems (ICS) and even the kettle in your kitchen) make decisions based on the value received from the ADC. Thus, it is important to use the ADC and interpret its data correctly. Ignoring this, especially in the ICS and embedded world, could reduce the safety of the process and, in the worst case, lead to catastrophic conditions.

Let's look at ADC mechanisms from a security perspective. Imagine that you have an ADC that monitors the state of some analog process (e.g. an industrial controller sending an analog signal to a motor to change its speed). This ADC could be inside a safety system that will shut down the motor in case of an incorrect signal value. Is it possible to generate an analog signal that will be misinterpreted by the safety system? For example, could we supply a signal that causes vibration issues in the motor (and will destroy it after some time), but is treated as a correct plain signal (e.g. a constant 5V) by the safety ADC?

In previous research we have proven that it is possible (at least with a successive-approximation ADC). However, the most popular ADC type in industry is sigma-delta. In this talk we will focus on its features, "design vulnerabilities" and attacks leading to misinterpretation of the analog signal. Various exploit signal variants and crafting methods will be shown; we will review how some popular "industry standard" ADCs behave under such attacks. We will also discuss attack scenarios in the areas of ICS, embedded and radio-frequency systems. The talk will conclude with possible consequences and mitigations.

Alexander Bolshev is a Security Consultant for IOActive. He holds a Ph.D. in computer security and also works as an assistant professor at Saint-Petersburg State Electrotechnical University. His research interests lie in distributed systems, mobile, hardware and industrial protocol security. He is the author of several whitepapers on topics such as heuristic intrusion detection methods, Server Side Request Forgery attacks, OLAP systems and ICS security. He has presented at conferences including Black Hat USA/EU/UK, ZeroNights, CONFIdence and S4.

Solving the t2'16 Challenge

Ludvig Strigeus & Timo Hirvonen

Classified information.

Classified information.