Thursday Oct 25, 2018
08:30 Registration and Morning Coffee: Powered by Unknown sponsor
09:15 Opening Words, Tomi Tuominen
09:30 Keynote
Halvar Flake
10:30 Coffee: Powered by Unknown sponsor
10:50 JARVIS never saw it coming: Hacking ML in images - and everywhere else
Guy Barnhart-Magen & Ezra Caltum
11:50 Lunch: Powered by Viria
13:00 Machine learning stories in cyber security
Nikolaj Tatti
Pure In-Memory (Shell)Code Injection In Linux Userland
Reenz0h Black
14:00 Break
14:20 An ice-cold Boot to break BitLocker
Olle Segerdahl
Erlamsa: make 'dumb' fuzzing smart again
Alexander Bolshev
15:20 Coffee: Powered by Unknown sponsor
15:50 Not having a total breakdown
Mark D
16:50 Closing Words for the 1st day, Tomi Tuominen
17:00 Cocktails & Networking: Powered by Nixu
18:30 Cocktails & Networking ends
19:00 Afterparty: Powered by F-Secure
21:00 Afterparty ends

Friday Oct 26, 2018
09:30 Morning Coffee: Powered by Unknown sponsor
10:00 How did I get here?
Dan Tentler
Phobos Group
11:00 Coffee: Powered by Unknown sponsor
11:20 Big Game Fuzzing: Going on a Pwn2Own Safari
Alex Plaskett & Fabian Beterke
MWR InfoSecurity
Path Of LeAst Resistance - Accelerating the search for vulnerable functions.
Ezra Caltum
Intel/Independent Research
12:20 Lunch: Powered by Viria
13:20 Mystery talk
Frans Rosén
Assessing digital physical access control systems
Knud Hojgaard
14:20 Coffee: Powered by Unknown sponsor
14:40 Ghost in the locks -- Owning electronic locks without leaving a trace
Tomi Tuominen & Timo Hirvonen
15:40 Closing Words, Tomi Tuominen
16:00 Conference Ends


Halvar Flake @ Google

Keynote speakers are bad at providing advice, and you should not heed their advice. If they knew how to make good life decisions, they would not keynote ;)

Exceptions for T2.

Thomas Dullien / Halvar Flake started work in reverse engineering and digital rights management in the mid-90s, and began to apply reverse engineering to vulnerability research shortly thereafter. He pioneered early Windows heap exploitation, patch diffing / bindiffing and various other reverse engineering techniques.

In 2004, he started zynamics, a company focused on reverse engineering technologies. He continued to publish about reverse engineering, ROP gadget search, and knowledge management technologies in relation to reverse engineering. In 2011, zynamics was acquired by Google, and Halvar spent the next few years working on defensive technologies that leveraged the then hot buzzwords "big data" and "machine learning". In summer 2015, Halvar received the lifetime achievement Pwnie, and decided to take a year off to travel, read, and surf.

Since November 2016, he is back at Google, this time in Project Zero.

JARVIS never saw it coming: Hacking ML in images - and everywhere else

Guy Barnhart-Magen & Ezra Caltum @ Intel

Exploits, Backdoors, and Hacks: words we do not commonly hear when speaking of machine learning (ML). In this talk, I will present the relatively new field of hacking and manipulating machine learning systems and the potential these techniques pose for active offensive research.

The study of Adversarial Machine Learning (ML) allows us to leverage the techniques used by ML algorithms to find weak points and exploit them in order to achieve:

* unexpected consequences (why did it decide this rifle is a banana?)
* data leakage (how did they know Joe has diabetes?)
* and influence the output

In other words, while ML is great at identifying and classifying patterns, an attacker can take advantage of this and control the system. This talk is an extension of research made by many people, including presenters at DefCon, CCC, and others - hopefully, a demo will be shown on stage!

Guy is a member of the BSidesTLV organizing team and recipient of the Cisco “black belt” security ninja honor – the highest cyber security advocate rank. With over 15 years of experience in the cyber-security industry, he has held various positions in both corporations and start-ups. He is currently a security research manager at Intel, where he focuses on AI Security, reverse engineering and researching various embedded systems.

Ezra is an information security practitioner, with a passion for reverse engineering, data analysis, and exploitation. He is the leader of the Tel Aviv DC9723 Defcon group and a co-founder and organizer of BSidesTlv. Currently, he works as a Security Research Manager at Intel.

Machine learning stories in cyber security

Nikolaj Tatti @ F-Secure

The F-Secure Rapid Detection and Response Service is an intrusion detection service provided by F-Secure to companies. In this solution, we analyze the events generated by the clients, and raise an alarm when suspicious behavior occurs. These alarms are further analyzed by experts, and if needed, a client is contacted. The data volume in this service is so large that it cannot be analyzed reliably by hand. This is where data mining techniques come in.

We present several data mining approaches that we use to understand the underlying data, as well as to improve the quality of the service. These approaches include

* automatically clustering computers based on their behaviour,
* predicting whether the raised alarm was a false positive,
* automatically grouping alarms. Here we use classic data analysis techniques such as latent Dirichlet analysis, logistic regression, and naive Bayes classifiers.

Furthermore, we discuss lessons learned from doing real-world data analysis.
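The second bullet above, predicting whether a raised alarm is a false positive from what an analyst already knows about it, is the kind of task a naive Bayes classifier handles well. The following is an added example and not F-Secure's service code: it trains a naive Bayes model on a constructed history of reviewed alarms (the feature names, process names and verdicts are all invented for the illustration), scores new alarms, and orders a triage queue so that alarms least likely to be false positives are reviewed first. Laplace smoothing is included because a feature value never seen for one label would otherwise zero out that label entirely.

```python
"""Naive Bayes model that predicts whether a raised alarm is a false positive.

Added example, not F-Secure's service code. The features, alarms and verdicts
below are constructed for illustration.
"""
import math
from collections import Counter, defaultdict

# Constructed review history. Each alarm carries categorical features an analyst
# already has at triage time, plus the verdict reached after manual review:
# "FP" (false positive) or "TP" (true positive).
TRAINING_ALARMS = [
    ({"rule": "admin_tool", "process": "psexec.exe", "host": "server", "signed": "yes"}, "FP"),
    ({"rule": "admin_tool", "process": "psexec.exe", "host": "server", "signed": "yes"}, "FP"),
    ({"rule": "admin_tool", "process": "psexec.exe", "host": "workstation", "signed": "yes"}, "FP"),
    ({"rule": "encoded_ps", "process": "powershell.exe", "host": "workstation", "signed": "yes"}, "TP"),
    ({"rule": "encoded_ps", "process": "powershell.exe", "host": "workstation", "signed": "yes"}, "TP"),
    ({"rule": "encoded_ps", "process": "powershell.exe", "host": "server", "signed": "yes"}, "FP"),
    ({"rule": "new_service", "process": "svc.exe", "host": "workstation", "signed": "no"}, "TP"),
    ({"rule": "new_service", "process": "updater.exe", "host": "server", "signed": "yes"}, "FP"),
    ({"rule": "admin_tool", "process": "wmic.exe", "host": "workstation", "signed": "yes"}, "TP"),
    ({"rule": "new_service", "process": "dropper.exe", "host": "workstation", "signed": "no"}, "TP"),
]


def train(labelled_alarms):
    """Count how often each label occurs and how often each feature value occurs per label."""
    label_counts = Counter()
    value_counts = defaultdict(Counter)  # (label, feature) -> Counter of values
    vocab = defaultdict(set)             # feature -> all values seen in training
    for features, label in labelled_alarms:
        label_counts[label] += 1
        for name, value in features.items():
            value_counts[(label, name)][value] += 1
            vocab[name].add(value)
    return {"labels": label_counts, "values": dict(value_counts), "vocab": dict(vocab)}


def classify(model, features):
    """Return P(label | features) for every label, computed in log space."""
    total = sum(model["labels"].values())
    log_scores = {}
    for label, n_label in model["labels"].items():
        score = math.log(n_label / total)  # class prior
        for name, value in features.items():
            seen = model["values"].get((label, name), Counter())[value]
            vocab_size = len(model["vocab"].get(name, ()))
            # Laplace (add-one) smoothing: a value never seen with this label, or never
            # seen at all, must not drive the whole product to zero.
            score += math.log((seen + 1) / (n_label + vocab_size))
        log_scores[label] = score
    shift = max(log_scores.values())  # log-sum-exp normalisation
    norm = sum(math.exp(s - shift) for s in log_scores.values())
    return {label: math.exp(s - shift) / norm for label, s in log_scores.items()}


def predict(model, features):
    """Most probable verdict and its probability."""
    probs = classify(model, features)
    best = max(probs, key=probs.get)
    return best, probs[best]


def triage(model, alarms):
    """Order unreviewed alarms so those least likely to be false positives come first."""
    return sorted(alarms, key=lambda a: classify(model, a)["TP"], reverse=True)


if __name__ == "__main__":
    model = train(TRAINING_ALARMS)
    queue = [
        {"rule": "admin_tool", "process": "psexec.exe", "host": "server", "signed": "yes"},
        {"rule": "new_service", "process": "dropper.exe", "host": "workstation", "signed": "no"},
    ]
    for alarm in triage(model, queue):
        print(predict(model, alarm), alarm)
```

With real data the labels come from analyst verdicts, so the model only ever learns what the experts already decided; its value is in ordering a queue that is too large to review by hand, not in replacing the review.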

Nikolaj Tatti is Senior Data Scientist at F-Secure. He received his PhD in 2008 from Helsinki University of Technology. Prior to joining F-Secure, he held a Flemish science foundation postdoctoral fellowship at University of Antwerp, and a research fellowship at Helsinki Institute of Information Technology. Dr. Tatti’s research focus is on developing theoretically sound data mining methodology that is at the same time scalable and practical for large data sets, with topics such as pattern mining, graph mining, and temporal mining.

An ice-cold Boot to break BitLocker

Olle Segerdahl @ F-Secure

A decade ago, academic researchers demonstrated how computer memory remanence could be used to defeat popular disk encryption systems[1]. Not much has happened since, and most seem to believe that these attacks are too impractical for real-world use. Even Microsoft has started to play down the threat of memory remanence attacks against BitLocker, using words such as "they are not possible using published techniques"[2].

We will publish techniques that allow recovery of BitLocker encryption keys from RAM on most, if not all, currently available devices. While BitLocker is called out in the title, the same attacks are also valid against other platforms and operating systems.


Olle is a veteran of the IT-security industry, having worked with both "breaking" and "building" security solutions for almost 20 years. During that time, he has worked on securing classified systems, critical infrastructure and cryptographic products as well as building software whitelisting solutions used by industrial robots and medical equipment. He is currently the Swedish Principal Security Consultant with F-Secure's technical security consulting practice.

Pure In-Memory (Shell)Code Injection In Linux Userland

Reenz0h Black @ Sektor7

A lot of research has been conducted in recent years on performing code injection in the Windows operating system without touching the disk. The same cannot be said about *NIX (and Linux specifically).

Imagine yourself sitting in front of a blinking cursor, using a shell on a freshly compromised Linux server, and you want to move forward without leaving any traces behind. You need to run additional tools, but you don't want to upload anything to the machine. Or, you simply cannot run anything because the noexec option is set on mounted partitions. What options remain?

This talk will show how to bypass execution restrictions and run code on the machine, using only tools available on the system. It's a bit challenging in an everything-is-a-file OS, but doable if you think outside the box and use the power this system provides.

Anyone interested in offensive security should find the talk sexy, especially as it's not theoretical mumbling but a demo-rich journey through the inner workings of Linux and some old-school hacks.

Geek by passion, engineer by profession since the last millennium. For many years he has been working in a global red team simulating threat actors targeting IT infrastructure across various industries (financial, technology, industrial, energy, aviation) across the globe. Speaker at HackCon, NoVA Hackers, Geek Girls Carrots, Tech3.Camp, PWNing Con. Organizer of x33fcon - an IT security conference for red and blue teams, held in Gdynia, Poland. Founder of the Sektor7 research company.

Erlamsa: make 'dumb' fuzzing smart again

Alexander Bolshev @ IOActive

Several years ago I needed to fuzz several hundred devices, and each one of them could run its own implementation and subset of an industrial protocol. A generation-based fuzzer was not a rapid solution, because the number of unique grammars exceeded two hundred, and project time was limited. Trying to solve the unsolvable, I ported radamsa, the famous Finnish mutation-based fuzzer, to Erlang, in a way re-inventing some kind of fuzzing-as-a-service system. Along with making it multi-threaded and distributed, additional features were added to make fuzzing unknown protocols more effective, including automatic format detection and prediction, locating and exploiting sizers and CRC fields, working with layered data encapsulation (e.g. automatically fuzzing binary data inside a base64 value of an XML document), etc.

That made erlamsa possibly the smartest of 'dumb' fuzzers. Since then a lot of new features have been added to it, from on-the-fly protocol proxying and crash dump analysis to hardware/RF fuzzing and target behaviour monitors. This talk is about how you could use erlamsa in your project/research, its internals, capabilities and extensions. And of course, almost every feature demonstration will be accompanied by discovered vulnerabilities in a lot of different areas -- from industrial hardware and wireless home gateways to mobile applications and high-frequency trading libraries.
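Two of the features the abstract lists, fixing up sizers and CRC fields after mutation and fuzzing a binary layer that sits base64-encoded inside XML, are what separate a mutational fuzzer from one that only ever exercises the target's "bad length" and "bad checksum" branches. The following is an added example, not erlamsa's or radamsa's code: the frame format (2-byte length, payload, CRC-32), the XML element name and the mutation operators are all constructed for the illustration. The `acceptance_rate` function makes the point measurable: the same mutations with and without fix-up, judged by a strict parser that drops anything with a wrong length or CRC.

```python
"""Mutation fuzzing with sizer and CRC fix-up and one layer of encapsulation.

Added example, not erlamsa's code: the frame format, the XML element and the
mutation operators are constructed for this illustration.
"""
import base64
import random
import re
import struct
import zlib


def build_frame(payload: bytes) -> bytes:
    """Constructed wire format: 2-byte big-endian length, payload, CRC-32 over both."""
    body = struct.pack(">H", len(payload)) + payload
    return body + struct.pack(">I", zlib.crc32(body))


def parse_frame(frame: bytes):
    """Strict receiver: the payload, or None when the sizer or the CRC does not match."""
    if len(frame) < 6:
        return None
    body, crc = frame[:-4], frame[-4:]
    (length,) = struct.unpack(">H", body[:2])
    if length != len(body) - 2:
        return None
    if zlib.crc32(body) != struct.unpack(">I", crc)[0]:
        return None
    return body[2:]


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Radamsa-style 'dumb' byte mutations: bit flip, insert, delete, repeat a slice."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 4)):
        op = rng.choice(("flip", "insert", "delete", "repeat"))
        if op == "flip" and buf:
            i = rng.randrange(len(buf))
            buf[i] ^= 1 << rng.randrange(8)
        elif op == "insert":
            i = rng.randint(0, len(buf))
            buf[i:i] = bytes([rng.randrange(256)])
        elif op == "delete" and len(buf) > 1:
            del buf[rng.randrange(len(buf))]
        elif op == "repeat" and buf:
            i = rng.randrange(len(buf))
            j = rng.randint(i + 1, len(buf))
            buf[j:j] = buf[i:j] * rng.randint(1, 3)
    return bytes(buf)


def fuzz_frame(frame: bytes, rng: random.Random) -> bytes:
    """Mutate only the payload, then recompute sizer and CRC so the case survives the parser."""
    payload = parse_frame(frame)
    if payload is None:
        raise ValueError("seed frame must itself be valid")
    return build_frame(mutate(payload, rng))


def fuzz_cases(frame: bytes, count: int, seed: int):
    """Deterministic batch of fixed-up cases from one seed frame."""
    rng = random.Random(seed)
    return [fuzz_frame(frame, rng) for _ in range(count)]


def acceptance_rate(frame: bytes, cases: int, seed: int, fix_up: bool) -> float:
    """Share of generated cases a strict parser accepts, with or without fix-up."""
    rng = random.Random(seed)
    accepted = 0
    for _ in range(cases):
        case = fuzz_frame(frame, rng) if fix_up else mutate(frame, rng)
        accepted += parse_frame(case) is not None
    return accepted / cases


# Constructed container: a frame carried base64-encoded inside an XML element.
B64_BLOB = re.compile(rb"<blob>([A-Za-z0-9+/=]+)</blob>")
SAMPLE_XML = b"<msg><blob>" + base64.b64encode(build_frame(b"HELLO")) + b"</blob></msg>"


def fuzz_base64_in_xml(xml: bytes, rng: random.Random = None) -> bytes:
    """Fuzz the inner binary layer and re-encode it, leaving the outer XML well-formed."""
    rng = rng or random.Random()

    def replace(match):
        inner = base64.b64decode(match.group(1))
        return b"<blob>" + base64.b64encode(fuzz_frame(inner, rng)) + b"</blob>"

    return B64_BLOB.sub(replace, xml)


def decode_blob(xml: bytes):
    """Pull the inner frame back out of the XML, or None if the element is missing."""
    match = B64_BLOB.search(xml)
    return None if match is None else base64.b64decode(match.group(1))


if __name__ == "__main__":
    seed_frame = build_frame(b"HELLO")
    print("naive mutation accepted:", acceptance_rate(seed_frame, 100, 1, fix_up=False))
    print("fixed-up mutation accepted:", acceptance_rate(seed_frame, 100, 1, fix_up=True))
    print(fuzz_base64_in_xml(SAMPLE_XML, random.Random(1)))
```

In a real campaign the format of the length and checksum fields is what the abstract calls format detection and prediction; here it is simply known, which isolates the effect of the fix-up step itself.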

Alexander is a Security Consultant for IOActive. He holds a Ph.D. in computer security and his research interests lie in distributed systems, mobile, hardware and industrial protocols security. He has presented at conferences including Black Hat USA/EU/UK/Asia, ZeroNights, CONFIdence, and S4.

Not having a total breakdown

Mark D

A walk through the first 72 hours of being hit at scale and in parallel by ’an attack’ last year and the recovery and rebuild of both people and systems that was undertaken in the weeks that followed.

My usual ‘no PPT slides’. High chance of bunny rabbit pictures.

A serial T2 speaker, attendee and consumer of reindeer. Currently working for a media company where I help deal in times of ‘adversity’, which last year meant getting to experience a rather large and impactful event. Which, after working at both Microsoft and Sony, you would think I’d have avoided being around for!

How did I get here?

Dan Tentler @ Phobos Group

In 2017 we saw a large amount of massive, significant breaches. After every breach, we routinely see large, expensive incident response and remediation campaigns.

Despite those efforts, many of the same vulnerabilities discoverable on the external perimeter remain, and only the ones that were in the news disappear. This continues to leave organizations vulnerable, after spending millions of dollars on remediation. We'll be covering several of these examples on stage, with findings discovered after major remediation campaigns, some tricks on how to find companies that are getting remediated live, and a live demonstration on stage.

I will ask the crowd for a company name (think of one with a huge external surface) and we will dive into them live on stage to find weaknesses on their perimeter.

Daniel Tentler is the executive founder and offensive security practice director of The Phobos Group. Dan has an established reputation in the industry for his innovative risk surface discovery projects and numerous speaking engagements. Dan and his team have conducted unique targeted attack simulations for companies in sectors including financial, energy, manufacturing and industrials, and varied platform service providers. Dan routinely appears in the press on new security risks and security industry development.

Big Game Fuzzing: Going on a Pwn2Own Safari

Alex Plaskett & Fabian Beterke @ MWR InfoSecurity

This talk will discuss the trials and tribulations of our Pwn2Own preparation this year for targeting Apple macOS Safari, both in terms of the tools we have developed for browser vulnerability research and the experience gained whilst writing exploits for the latest version of Safari on macOS.

We will discuss the need for continuous development of tooling, the ability to spin up new automation and react to changes such as updates. We will also discuss the death of the first vulnerability (5 mins after completing the exploit!) and our rapid need to find a replacement issue.

The talk will then discuss the specific vulnerabilities used within this year’s successful Pwn2Own and exploitation techniques used. This will include both the browser (heap underflow) vulnerability and sandbox breakout (uninitialized memory) vulnerability.

Alex Plaskett is a security researcher for MWR InfoSecurity in the UK. Alex recently won both Mobile Pwn2Own 2017 (Huawei Mate 9 Pro) and Desktop Pwn2Own 2018 (Apple macOS Safari). Alex has previously presented at conferences including 44CON, Warcon, BlueHat, TROOPERS, Deepsec etc. Alex’s main research interests are browser, mobile and operating systems security.

Fabian Beterke is a security researcher for MWR InfoSecurity’s bytegeist. Currently based in Germany, he won this year’s Pwn2Own together with Alex and Georgi. Fabi’s research interests include everything low-level as well as Machine Learning, craft beer and Drum’n’Bass.

Mystery talk

Frans Rosén @ Detectify

Mystery talk -- we will publish more information as soon as the research is out.

Frans Rosén is a tech entrepreneur, bug bounty hunter and a Security Advisor at Detectify, a security service for developers. He’s a frequent blogger at Detectify Labs and a top ranked participant of bug bounty programs, receiving some of the highest bounty payouts ever on HackerOne.

Frans was recently featured as #2 on Hackread’s list of 10 Famous Bug Bounty Hunters of All Time and the results of his security research has been covered in numerous international publications such as Observer, BBC, Ars Technica, Wired and Mashable.

Path Of LeAst Resistance - Accelerating the search for vulnerable functions.

Ezra Caltum @ Intel/Independent Research

When developing exploits for complex platforms, finding the function relationships between dynamically compiled binaries and their corresponding libraries is of utmost importance to focus the exploitation efforts.

By modeling the relationships as a Graph, and leveraging the power of Graph Databases we can quickly identify these relationships and answer some critical questions:

* Are known vulnerable/problematic functions in use?
* Which binary uses a vulnerable function inside a library?
* What (unidentified) function imports a vulnerable function in a binary?
* Which is the most used imported symbol?
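The four questions above are graph queries: binaries, libraries, exported symbols and the binary's own (possibly unnamed) functions are nodes, and "links", "imports" and "calls" are typed edges. The following is an added example, not the talk's tool or any graph database: it keeps the graph as in-memory adjacency sets in plain Python, loads a constructed set of binaries (the binary, library, symbol and `sub_` function names are invented for the illustration), and answers each of the four questions. Whether a function counts as "known problematic" is a watch list the caller supplies; the classic unchecked-length libc string functions are used here as that list. The same queries serve a defender doing vulnerability management: given a newly announced bad symbol, which shipped binaries reach it, and from where.

```python
"""In-memory graph of binary -> import -> library relationships (added example).

Constructed data; the node and edge names are this example's own, not those of
any real graph database or of the tool the talk describes.
"""
from collections import Counter, defaultdict


class BinaryGraph:
    """Typed nodes are tuples such as ("binary", "httpd") or ("export", "libc.so.6", "strcpy")."""

    def __init__(self):
        self.out = defaultdict(set)  # (src_node, edge_kind) -> {dst_node, ...}
        self.inc = defaultdict(set)  # (dst_node, edge_kind) -> {src_node, ...}

    def add_edge(self, src, kind, dst):
        self.out[(src, kind)].add(dst)
        self.inc[(dst, kind)].add(src)

    def add_binary(self, name, calls):
        """calls maps an internal function of the binary to the (library, symbol) pairs it calls."""
        binary = ("binary", name)
        for func, targets in calls.items():
            caller = ("func", name, func)
            self.add_edge(binary, "CONTAINS", caller)
            for lib, sym in targets:
                export = ("export", lib, sym)
                self.add_edge(("library", lib), "EXPORTS", export)
                self.add_edge(binary, "LINKS", ("library", lib))
                self.add_edge(binary, "IMPORTS", export)   # set: one edge per binary/symbol
                self.add_edge(caller, "CALLS", export)

    def binaries_importing(self, lib, sym):
        """Q2: which binaries use a given function from a given library."""
        return sorted(b[1] for b in self.inc.get((("export", lib, sym), "IMPORTS"), ()))

    def callers_in(self, binary, lib, sym):
        """Q3: internal functions of `binary` (named or sub_xxx) that call the import."""
        callers = self.inc.get((("export", lib, sym), "CALLS"), ())
        return sorted(f[2] for f in callers if f[1] == binary)

    def vulnerable_in_use(self, watchlist):
        """Q1: which watch-listed functions are in use anywhere, and by whom."""
        hits = {}
        for lib, sym in watchlist:
            users = self.binaries_importing(lib, sym)
            if users:
                hits[(lib, sym)] = users
        return hits

    def most_used_import(self):
        """Q4: the symbol imported by the largest number of distinct binaries."""
        counts = Counter()
        for (src, kind), exports in self.out.items():
            if kind == "IMPORTS":
                for export in exports:
                    counts[(export[1], export[2])] += 1
        (lib, sym), n = counts.most_common(1)[0]
        return lib, sym, n


# Constructed watch list: classic libc functions with no bounds on what they write.
WATCHLIST = [("libc.so.6", "strcpy"), ("libc.so.6", "sprintf"), ("libc.so.6", "gets")]


def build_sample_graph():
    """Four constructed binaries; in practice this comes from a disassembler's import/call data."""
    g = BinaryGraph()
    g.add_binary("httpd", {
        "sub_401000": [("libc.so.6", "strcpy")],
        "parse_header": [("libc.so.6", "memcpy")],
        "tls_read": [("libssl.so.1.1", "SSL_read")],
    })
    g.add_binary("ftpd", {"handle_user": [("libc.so.6", "strcpy"), ("libc.so.6", "sprintf")]})
    g.add_binary("cron", {"load_tab": [("libc.so.6", "memcpy")]})
    g.add_binary("telnetd", {"sub_8048a00": [("libc.so.6", "strcpy")]})
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    print("watch-listed functions in use:", g.vulnerable_in_use(WATCHLIST))
    print("httpd callers of strcpy:", g.callers_in("httpd", "libc.so.6", "strcpy"))
    print("most used import:", g.most_used_import())
```

Replacing the two adjacency dictionaries with a graph database changes nothing about the queries themselves; it is what lets the same questions be asked across thousands of binaries and their transitive library dependencies, which is the scale the talk is about.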

In this talk, I'll discuss Graphs, Binary Relationships and Vulnerable Functions. The talk will be accompanied by a new version of

Ezra is an information security practitioner, with a passion for reverse engineering, data analysis, and exploitation. He is the leader of the Tel Aviv DC9723 Defcon group and a co-founder and organizer of BSidesTlv. Currently, he works as a Security Research Manager at Intel.

Assessing digital physical access control systems

Knud Hojgaard @ F-Secure

This presentation aims to describe the methodology used when auditing / evaluating an access control system used for securing your premises. Common issues and shortcomings will be discussed covering the entire technology stack: backend <-> access panel <-> reader <-> card.

Knud lives in Denmark where he works in the exciting field of information security. He enjoys security, both digital and physical.

Ghost in the locks -- Owning electronic locks without leaving a trace

Tomi Tuominen & Timo Hirvonen

A little over ten years ago, a friend of ours returned to his hotel room to find that his laptop was gone. The door to his room showed no signs of forced entry; there was no record that the electronic lock had been accessed while he was away; and there was certainly no evidence that this electronic lock, deployed on millions of doors in more than 150 countries worldwide, could have been hacked.

Sometimes hacking boils down to spending more time on something than anyone could reasonably expect. This talk is an ode to that cliché. It is the culmination of a decade-long quest to find out whether the most widely used electronic lock in the world can be bypassed without leaving a trace. And in this adventure, breaking into hotel rooms is only the beginning. But lucky for all of us, unlike most cases of theft from hotel rooms, this story has a happy ending.

Tomi is known as the “InfoSec Swiss Army Knife” because when it comes to defending computers, he’s done a little bit of everything. In his more than two decades in the industry, he has taken part in breakthrough research on Windows networking, physical access control systems and electronic voting.

As F-Secure’s Head of Technical Security Consulting, he specializes in protecting enterprises – often by breaking into them before anyone else can. The founder of the t2 infosec conference, Tomi has twice been named one of the Top 100 IT Influencers in Finland.

Timo has been with F-Secure since 2010. While working in Labs, Timo kept the good guys safe by studying the latest tricks the bad guys used. He specialized in exploit analysis. Timo joined Cyber Security Services in 2016, and nowadays he enjoys protecting enterprises by working on various types of assessments, including incident response and red team exercises. Timo has presented at Black Hat USA 2014, Microsoft Digital Crimes Consortium 2014, CARO 2013, the Scandinavian Cybercrime Conference 2013, and the T2 Infosec Conference.