Thursday Oct 26, 2017
08:30 Registration and Morning Coffee: Powered by Forcepoint
09:15 Opening Words, Tomi Tuominen
09:30 Keynote
David Aitel
Immunity
10:30 Coffee: Powered by Accenture Security
10:50 Social engineering - Hacking your mind
Pete Poskiparta
Pete Poskiparta Ky
11:50 Lunch
13:00 T vs T or Why my offensive punch beats your forensics stance
Hugo Teso
F-Secure
Exploring enterprise Wi-Fi security with Aruba
Christoffer Jerkeby
F-Secure
14:00 Break
14:20 T vs T or Why my offensive punch beats your forensics stance
Hugo Teso
F-Secure
Lua code: security overview, practical approaches to static analysis, MSL tool
Andrei Costin
University of Jyvaskyla
15:20 Coffee: Powered by Accenture Security
15:50 Black Hat Locksmithing (with added Abloy)
Matt Smith
Citadel Locktools
16:50 Closing Words for the 1st day, Tomi Tuominen
17:00 Cocktails & Networking: Powered by Nixu
18:30 Cocktails & Networking ends
19:00 Afterparty: Powered by F-Secure
21:00 Afterparty ends

Friday Oct 27, 2017
09:30 Morning Coffee: Powered by Beyond Security
10:00 Red Teaming Probably Isn't For You
Toby Kohlenberg
11:00 Coffee: Powered by Accenture Security
11:20 Amazon Web Services Security Tips
Dave Walker
Amazon Web Services
Offensive Malware Analysis
Patrick Wardle
Synack
12:20 Lunch
13:20 Breaking Tizen
Amihai Neiderman
tl;dr
A little review of security challenges in Silicon Photonics integrated circuits.
Alexander Bolshev
IOActive
14:20 Coffee: Powered by Accenture Security
14:40 Death By 1000 Installers; on macOS, it's all broken
Patrick Wardle
Synack
15:40 Closing Words, Tomi Tuominen
16:00 Conference Ends

Keynote

David Aitel @ Immunity

It's a Keynote!

Dave Aitel is known for founding Immunity, writing both the DailyDave and CyberSecPolitics blogs, and being at the forefront of offensive information security for two decades.


Social engineering - Hacking your mind

Pete Poskiparta @ Pete Poskiparta Ky

Why social engineering is possible? How it works, why it works and what is the psychology behind it. The process is like magic. You see something but you can not see it.

Mentalist and entertainer who's very interested about psychology and human mind. Worked around the world on stage, TV and radio for past 20 years.


T vs T or Why my offensive punch beats your forensics stance

Hugo Teso @ F-Secure

Last year, right after 2016 edition of t2 infosec, a challenge was placed, and accepted. The presenter was challenged by the infamous t2 founder, Mr. Touminen, to try to defeat his memory forensic skills in an epic duel that will take place, one year later, at this t2 edition. The contenders, that once used to be friends, will have a fierce battle during the presentation in order to finally answer the question: are the presenter offensive skills better than the host forensic ones? One year of preparations, research and development will be unleashed in the arena of the mighty t2 conference, and the attendees will be the ones to decide the outcome of the match!

Or to put it in a less dramatic way, in this presentation the speaker will show the results of his research in the field of memory forensics, specifically on how to *defeat* that field of incident investigation. All the previous literature about the duel is, nonetheless, true and the match will take place, followed right after the contest by a extensive technical overview of the methodology, tools, techniques and other resources developed on purpose for that challenge. The efficiency of the research will be proven during the duel but, successful or not, all of it will be explained. Although the code developed for this research will be made available to the attendees *during* the presentation, after it the attendees will have the chance to try them by themselves in a couple of environments that will be made available for them during the conference coffee breaks.

What to expect from this presentation? Low level research, Vulnerabilities, Exploits, Tools, GUIs and some fun war stories with the ever present offensive approach of this speaker’s presentations.

Round one. Fight!

Hugo Teso works as Head of Aviation Cyber Security Services at F-Secure, he hates talking about himself in 3rd person, and he has been working on IT security for the last 17 years.

Also being a commercial pilot, he soon focused his attention on aviation security. Together with the development of some open source projects, like Iaitō and Bokken, he has spent a lot of time on aviation security research and has presented some of the results in conferences like RootedCon, HITB, T2, SEC-T and CyCon but never BlackHat or Defcon... and perfectly happy with it :-)


Exploring enterprise Wi-Fi security with Aruba

Christoffer Jerkeby @ F-Secure

Gaining keys to the castle through enterprise Wi-Fi. Access points designed to add mobility to a traditional 802.11 set up require control-channel data-channel and heartbeat communications. When establishing a backbone for enterprise Wi-Fi the protection of the control channel and heartbeat mechanism become an attack surface for device and network integrity. This talk show recent security flaws in Aruba AP series devices and how they are exploited.

Passionate Senior Security Consultant with a taste for standards, security and OpenSource. Many years’ experience of working in both Research and Development in telecom, various services, programming, design and architecture. Long term focused and creative.


Lua code: security overview, practical approaches to static analysis, MSL tool

Andrei Costin @ University of Jyvaskyla

Abstract—Lua is an interpreted, cross-platform, embeddable, performant and low-footprint language. Lua's popularity is on the rise in the last couple of years. Simple design and efficient usage of resources combined with its performance make it attractive for production web applications even to big organizations such as Wikipedia, CloudFlare and GitHub. In addition to this, Lua is one of the preferred choices for programming embedded and IoT devices. This context allows to assume a large and growing Lua codebase yet to be assessed. This growing Lua codebase could be potentially driving production servers and extremely large number of devices, some perhaps with mission-critical function for example in automotive or home-automation domains.

However, there is a substantial and obvious lack of static analysis tools and vulnerable code corpora for Lua as compared to other increasingly popular languages, such as PHP, Python and JavaScript. Even the state-of-the-art commercial tools that support dozens of languages and technologies actually do not support Lua static code analysis.

In this paper we present the first public Static Analysis for Security Testing (SAST) tool for Lua code that is currently focused on web vulnerabilities. We show its potential with good and promising preliminary results that we obtained on simple and intentionally vulnerable Lua code samples that we synthesized for our experiments. We also present and release our synthesized corpus of intentionally vulnerable Lua code, as well as the testing setups used in our experiments in form of virtual and completely reproducible environments. We hope our work can spark additional and renewed interest in this apparently overlooked area of language security and static analysis, as well as motivate community's contribution to these open-source projects. The tool, the samples and the testing VM setups will be released and updated at http://lua.re and http://lua.rocks

Andrei is an Assistant Professor within the Cyber Security Group which is part of the Information Technology Faculty at the University of Jyvaskyla (Finland). He earned his PhD degree at EURECOM/TelecomParisTech (France), where he developed internationally recognized research and expertise in the field of security of embedded and IoT devices and firmwares.

Andrei presented his research at more than 40 international computer security events including BlackHat, CCC, and HITB. His work was featured in numerous digital media publications, including respected media outlets such as Forbes, Wired, and TV France3.

During his career, he found and demonstrated multiple serious vulnerabilities within a wide range of embedded devices such as printers/MFPs, CCTV systems, pyrotechnic devices, and avionics/air-traffic control systems. For his responsible disclosure and discovered CVEs, Andrei was acknowledged in various security bulletins and "Hall of Fame" boards, including ones by the leading companies such as HP, Xerox, Google, and Microsoft.

Currently, Andrei runs Firmware.RE where he develops cutting edge research and techniques related to embedded and IoT security, and also guides towards success new generations of cyber security experts as part of his teaching for the master and bachelor programs at the University of Jyvaskyla.


Black Hat Locksmithing (with added Abloy)

Matt Smith @ Citadel Locktools

When locksmiths go bad. Black hat lockpicking has been around forever but it is very rarely spoken about. It is the elephant in the lockpicking room. Using some real-life examples, the murky world of the black hat locksmith is explored.

As this talk will be in Finland, it is fitting that I have found myself specialising in Abloy over the last 8 years or so (purely because nobody else had (seemingly) done so). Starting with the 110 year-old Abloy Classic, I have worked my way up the Abloy food chain and now make tools to do open the whole family. Abloy have a mythical status as unpickable locks, so it might be a shock to the average Fin that this is even possible. I will show some weaknesses in Abloy locks and how Abloy have fixed them over the years and why picking Abloy is so difficult.

Matt Smith started out as a Software dev (in COBOL no less) and then worked as a SCADA Systems Engineer. His love of subverting security covers his whole life and has taken him from social engineering, to hacking digital systems to hacking physical systems.

His locksmithing career started as a black hat, with a taste for vending machines (and not the candy). This morphed into locksmith work, and now he makes bespoke locktools to open very specific, high security locks. When not toolmaking he enjoys finding physical 0-days, especially in Abloy. Any system has its holes, no matter physical, digital, social...you just have to find them and leverage them.

He has a Bsc (Hons) Comp Sc from Staffordshire University and has demonstrated the opening of several locks that were previously thought impossible to open without force. Ask him about locks/tools!


Red Teaming Probably Isn't For You

Toby Kohlenberg

This talk will be an overview of what red teaming actually is; where it came from, why the majority of people using the term are doing it wrong, how to decide where and when to use it, and where to go to learn how to do it right.

Toby has been working in information security since 1999. During that time he's done every aspect of defensive information security and in some cases published books on the topics. In 2015 he was tasked with standing up a Red Team and since then has been focused on red teaming philosophy and methodology (in between actual engagements)


Amazon Web Services Security Tips

Dave Walker @ Amazon Web Services

In addition to discussing various AWS authorisation tips and tweaks to ensure API and asset access authorisation is scoped to a minimum, I'll be introducing the use of AWS Organizations for Mandatory Access Control and an early look at how to integrate compliance measures into a multi-account logging and analysis architecture.

Dave Walker is a Specialist Solution Architect for Security and Compliance at AWS.

Dave helps customers to not only meet their compliance requirements, but also to characterise and assess their further threats and design and build the means of addressing them using AWS technology.

Before joining AWS, Dave worked on technical security standards and frameworks for a number of UK and US “4-letter organisations”. Originally a Security Subject Matter Expert at Sun Microsystems by way of Acorn Computers, he has been helping companies and public sector organisations to meet industry-specific and Critical National Infrastructure security requirements since 1993, and has filed a number of patents on cloud-focussed security technologies. He has a BSc in Chemical Physics and an MSc in the Physics of Advanced Electronic Materials from the University of Bristol.

Dave has an executive role on Security and e-Crime at the Conservative Science and Technology Forum, and occasionally contributes to technical security initiatives at the British Computer Society and the Information Assurance Advisory Council.


Breaking Tizen

Amihai Neiderman @ tl;dr

Tizen​ ​is​ ​samsung's​ ​newest​ ​OS​ ​for​ ​it's​ ​devices​ ​and​ ​considered​ ​by​ ​them​ ​as​ ​the​ ​operation system​ ​of​ ​everything,​ ​aiming​ ​to​ ​run​ ​on​ ​every​ ​device​ ​from​ ​simple​ ​IoT,​ ​mobile​ ​phones, televisions​ ​to​ ​even...Cars.

Over​ ​the​ ​last​ ​few​ ​months​ ​I​ ​observed​ ​that​ ​samsung​ ​is​ ​laying​ ​the​ ​groundwork​ ​for​ ​a​ ​larger expansion​ ​of​ ​tizen​ ​in​ ​the​ ​mobile​ ​world.​ ​It​ ​appeared​ ​that​ ​samsung​ ​is​ ​adding​ ​more​ ​servers​ ​and more​ ​infrastructure​ ​to​ ​support​ ​an​ ​upcoming​ ​growth​ ​in​ ​the​ ​amount​ ​of​ ​tizen​ ​users​ ​worldwide and​ ​is​ ​planning​ ​to​ ​expand​ ​to​ ​new​ ​markets.

I​ ​then​ ​decided​ ​to​ ​start​ ​and​ ​research​ ​tizen​ ​due​ ​to​ ​the​ ​fact​ ​that​ ​it​ ​seems​ ​that​ ​nobody​ ​is​ ​doing​ ​it! The​ ​tizen​ ​mobile​ ​firmware​ ​was​ ​obtained​ ​pretty​ ​quickly​ ​and​ ​from​ ​a​ ​thorough​ ​investigation​ ​it seems​ ​that​ ​samsung​ ​hasn't​ ​learned​ ​anything​ ​from​ ​the​ ​publications​ ​about​ ​0days​ ​in​ ​the​ ​past few​ ​years.​ ​The​ ​code​ ​is​ ​not​ ​designed​ ​with​ ​security​ ​in​ ​mind,​ ​is​ ​not​ ​up​ ​to​ ​any​ ​modern​ ​security standards​ ​(you​ ​can​ ​find​ ​strcpy,​ ​memcpy,​ ​sprintf​ ​almost​ ​anywhere.​ ​and​ ​always​ ​to​ ​a​ ​fixed​ ​size buffers). during​ ​the​ ​course​ ​of​ ​a​ ​few​ ​days​ ​I​ ​found​ ​over​ ​40​ ​different​ ​vulnerabilities​ ​in​ ​tizen​ ​-​ ​some​ ​logical and​ ​some​ ​just​ ​classic​ ​(really​ ​classic!)​ ​memory​ ​corruptions​ ​bugs.​ ​Almost​ ​every​ ​system​ ​app​ ​is vulnerable.

My name is Amihai Neiderman, 27 years old. I worked with computers for the last 20 years, doing everything from high-level programming to bare metals electronics. I've always programmed for fun and problem solving and eventually found myself in the world of information security after finding "bugs" in websites competing with my own one. In the past 8 years I mostly do vulnerability research in windows, Linux and various embedded devices

Today I work as a security researcher for Azimuth security.


Offensive Malware Analysis

Patrick Wardle @ Synack

In this talk, we'll focus on the 'B' variant of FruitFly that even now, is only detected by a handful of security products. We'll begin by analyzing the malware's dropper, an obfuscated perl script. As this language is rather archaic and uncommon in malware droppers, we'll discuss some debugging techniques and fully deconstruct the script. While this dropper component also communicates with the C&C server and supports some basic commands, it drops a binary payload in order to perform more complex actions.

However, instead of fully reversing this piece of the malware, the talk will focus on an initial triage and show how this was sufficient for the creation of a custom C&C server. With such a server, we can easily coerce the malware to reveal it's full capabilities. For example, the malware invokes a handful of low-level mouse & graphics APIs, passing in a variety of dynamic parameters. Instead of spending hours reversing and debugging this complex code, via the C&C server, we can simply send it various commands and observe the effects.

Of course this approach hinges on the ability to closely observe the malware's actions. As such, we'll discuss macOS-specific tools that can monitor various events, and where necessary detail the creation of custom ones (e.g. a 'mouse sniffer' that locally observes and decodes commands sent from the malware to the OS, in order to control the mouse).

While some of this talk is FruitFly and/or macOS specific, conceptually it should broadly apply to analyzing other malware, even on other operating systems.

Patrick Wardle is the Chief Security Researcher at Synack, and founder of Objective-See. Having worked at NASA and the NSA, and well as presented at many security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Currently, Patrick's focus is on automated vulnerability discovery, and the emerging threats of OS X and mobile malware. In his personal time, Patrick collects macOS malware and writes free macOS security tools.


A little review of security challenges in Silicon Photonics integrated circuits.

Alexander Bolshev @ IOActive

Silicon photonics is the study and application of photonic systems which use silicon as an optical medium. This is kind of new technology, which grows and develops very fast. For example, this year, several vendors started to sell first silicon photonics devices, and silicon photonics computing circuits (e.g. one of them do optical solution of traveling salesman problem, based on neural networks) were presented. So far, the security areas of this technology remains in shadow. But with this talk, let's try to uncover some of them. Brief introduction to the silicon photonics devices will be given, we will discuss reverse engineering approaches to the silicon photonics ICs and talk about possible ways of exploiting optical photonics switch circuits. In the end of the talk, we will discuss how to defend against this attack vector.

Alexander is a Security Consultant for IOActive. He holds a Ph.D. in computer security and his research interests lie in distributed systems, mobile, hardware and industrial protocols security. He has presented at conferences including  t2.fi, Black Hat USA/EU/UK/Asia, ZeroNights, hardwear.io, CONFIdence, and S4.


Death By 1000 Installers; on macOS, it's all broken

Patrick Wardle @ Synack

Ever get an uneasy feeling when an installer asks for your password?

Well, your gut was right! The majority of macOS installers & updaters are vulnerable to a wide range of priv-esc attacks. It began with the discovery that Apple's OS updater could be abused to bypass SIP (CVE-2017-6974). Next, turns out Apple's core installer app may be subverted to load unsigned dylibs which may elevate privileges to root. And what about 3rd-party installers? I looked at what's installed on my Mac, and ahhh, so many bugs!

Firewall, Little Snitch: EoP via race condition of insecure plist Anti-Virus, Sophos: EoP via hijack of binary component Browser, Google Chrome: EoP via script hijack Virtualization, VMWare Fusion: EoP via race condition of insecure script IoT, DropCam: EoP via hijack of binary component and more! ...and 3rd-party auto-update frameworks like Sparkle -yup vulnerable too!

Though root is great, we can't bypass SIP nor load unsigned kexts. However with root, I discovered a few other bugs that could now be triggered - such as SIP bypass and a ring-0 heap-overflow that provides complete system control. We'll talk about these too! Though the talk will discuss a variety of discovery mechanisms, 0days, and macOS exploitation techniques, it won't be all doom and gloom. We'll end by discussing ways to perform authorized installs/upgrades that don't undermine system security.

Patrick Wardle is the Chief Security Researcher at Synack, and founder of Objective-See. Having worked at NASA and the NSA, and well as presented at many security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Currently, Patrick's focus is on automated vulnerability discovery, and the emerging threats of OS X and mobile malware. In his personal time, Patrick collects macOS malware and writes free macOS security tools.