|Thursday Oct 24, 2019|
|08:30||Registration and Morning Coffee: Powered by Unknown sponsor|
|09:15||Opening Words, Tomi Tuominen|
|10:30||Coffee: Powered by Unknown sponsor|
|10:50||5G Security Architecture & Vulnerabilities
Ravishankar Borgaonkar & Altaf Shaik
|13:00||V2G Injector: Whispering to cars and charging units through the Power-Line
|Virtualization Assisted Cheats in Online Multiplayer Games
Rick Deist & Vincent Friedling
|14:20||USB armory reloaded
F-Secure | Inverse Path
|Gone with the wind: a tale about windfarm network security
Alexander Bolshev & Tao Sauvage
|15:20||Coffee: Powered by Unknown sponsor|
|15:50||New Tales of Wireless Input Devices
|16:50||Closing Words for the 1st day, Tomi Tuominen|
|17:00||Cocktails & Networking: Powered by Nixu|
|18:30||Cocktails & Networking ends|
|19:00||Afterparty: Powered by F-Secure|
|Friday Oct 25, 2019|
|09:30||Morning Coffee: Powered by Unknown sponsor|
|11:00||Coffee: Powered by Unknown sponsor|
|11:20||Detecting Sophisticated Threat Actors in AWS
Nick Jones & Alfie Champion
|Static Binary Instrumentation
Nguyen Anh Quynh & Do Minh Tuan
|13:20||Using Machines to exploit Machines - harnessing AI to accelerate exploitation
|Opening PANdora's Box - Endeavors in Exploiting and Securing VPN Client Software
|14:20||Coffee: Powered by Unknown sponsor|
|14:40||Abusing Azure Active Directory: Who would you like to be today?
|15:40||Closing Words, Tomi Tuominen|
KeynoteJohn Lambert @ Microsoft Corporation
It's a keynote. More info will follow.
John Lambert holds the title of Distinguished Engineer and is the General Manager of the Microsoft Threat Intelligence Center. The Center is responsible for detecting and disrupting adversary based threats aimed at Microsoft and its customers. Its mission is to drive detective innovations into products and services to raise the ability for every defender to deal with adversary based threats through security research, threat intelligence, forensics, and data science.
Previously at Microsoft, Lambert worked in the Trustworthy Computing group for ten years and the Windows Security group on features related to cryptography and security management. Lambert holds a bachelor’s degree in computer science from Tulane University and is named on more than nine software patents and seven pending applications.
5G Security Architecture & VulnerabilitiesRavishankar Borgaonkar & Altaf Shaik
There are so much discussions around 5G security than its benefts to our digital society. Though 5G security architecture has been evolved from 4G, it does introduce a new service-based architecture to the existing complex and multi- layer cellular networks. This talk will provide some ground truth on 5G security evolution and outline potential risks in the post-deployment era. In addition, we reveal vulnerabilities in different parts of the 5G network.
Ravishankar Borgaonkar works as a research scientist at Sintef Digital and undertakes research in securing next generation digital communication. His primary research themes are related to mobile telecommunication and involved security threats. This ranges from 2G/3G/4G/5G network security to end-user device security.
After receiving his PhD in 'security in telecommunication' area from the technical university of Berlin, he was a security researcher at Deutsche Telekom’s lab for 3 years. Since that time he has worked for Intel Collaborative Research Institute for Secure Computing at Aalto University, as well as for the University of Oxford.
He has found several protocol flaws in 3G/4G technologies. The demonstrated vulnerabilities affected billions of 3G/4G devices and resulted a change in the existing 3G/4G communication standards.
Altaf Shaik is a principal security researcher at Kaitiaki Labs and currently pursuing PhD at the Technical University of Berlin. He is experienced in analyzing cellular network technologies from radio to networking protocol layers. His recent renowned research includes low-cost 4G IMSI catchers and security issues in several cellular baseband chipsets.
V2G Injector: Whispering to cars and charging units through the Power-LineSébastien Dudek @ Synacktiv
Since vehicles became connected to a bus called CAN (Con- troller Area Network), many “garage” hackers got interested in investigating the different controllers, known as ECUs (Engine Control Units), and accessible via the On-Board Diagnostics (OBD) port. Among those different controllers, some of them are accessible via Wi-Fi, others via GPRS, 3G and 4G mobile networks, that could be attacked during a radio interception attack. Moreover, another little-known vector of attack will appear with the deployment of V2G (Vehicle-to-Grid) systems that communicate via power lines support. Nevertheless, no public tool exists to interface with these systems, but also to analyse and to inject V2G traffic. That is why we have developed a tool called V2G Injector to attack these systems.
In this article, we will briefly introduce the V2G concept and its similarities with domestic Power-Line Communication systems. Then, we will present the techniques we use in our tool that aim to interface with the system, monitor and inject traffic. We will also present a new specification vulnerability in the communication medium we have been able to exploit to intrude the V2G network. To finish, we will talk about issues we have found during our tests on real equipment, and mitigations we can encounter, or apply, in some contexts as well as possible bypasses.
Information security expert working for Synacktiv company. For over 7 years he has been particularly passionated about problems in radiocommunication. Author of several presentations on security in mobile telephony (Baseband fuzzing, interception, mapping, etc.) and in data transmission systems with power lines (Power-Line Communication HomePlug AV). He is also interested in other possibilities of attacks, which he could practically implement via Wi-Fi, RFID and other emission systems during his Red Team penetration tests performed professionally.
USB armory reloadedAndrea Barisani @ F-Secure | Inverse Path
We will explore the journey which lead to the USB armory Mk II R&D to illustrate how state-of-the-art hardware security can be achieved on all kind of embedded systems.
We will analyze the interaction of Secure Boot and FDE schemes to understand common patterns in breaking, and fixing, all kind of implementations, whether employed in automotive, consumer or industrial systems.
We will delve into the engineering challenges (say Type-C one more time...) that the USB armory Mk II security goals entailed, exploring how this open hardware has been developed.
We will release a new Open Source operating environment framework, shaping the development and rollout of secure firmware on the USB armory and (hopefully) many additional embedded systems.
Andrea Barisani is an internationally recognized security researcher. Since owning his first Commodore-64 he has never stopped studying new technologies, developing unconventional attack vectors and exploring what makes things tick...and break.
His experiences focus on large-scale infrastructure defense, penetration testing and code auditing with particular focus on safety critical environments, with more than 15 years of professional experience in security consulting.
Being an active member of the international open source and security community he contributed to several projects, books and open standards. He is the founder of the oCERT effort, the Open Source Computer Security Incident Response Team.
He is a well known international speaker, having presented at BlackHat, CanSecWest, Chaos Communication Congress, DEFCON, Hack In The Box, among many other conferences, speaking about innovative research on automotive hacking, side-channel attacks, payment systems, embedded system security and many other topics.
Virtualization Assisted Cheats in Online Multiplayer GamesRick Deist & Vincent Friedling @ Epic Games
Developing and selling cheats for competitive online PC games is a big business which left unchecked can become very harmful for legitimate users. As in anti-virus software, most runtime countermeasures involve customized kernel services to prevent or detect attacks. Some enterprising cheat developers have moved on to the next privilege frontier by using hardware virtualization features to expand their capabilities and gain a leg up, but all hope is not lost.
Rick is Game Security Lead at Epic Games and his work currently centers around Easy Anti-Cheat, an anti-cheat middleware that has helped to protect the multiplayer experiences of over a hundred million players across dozens of PC games. With an early background in game modding followed by stints in software and hardware engineering, he found a calling at the intersection in anti-cheat.
Vincent Friedling is a game security engineer at Epic Games working on the Easy Anti-Cheat solution.
Gone with the wind: a tale about windfarm network securityAlexander Bolshev & Tao Sauvage @ IOActive
Over the past decade, the energy industry has focused its effort towards renewable energies. Worldwide installed capacity of wind power represented 564 GW in 2018, with countries such as Denmark where it met more than 40% of its electricity demand.
However, very little research has been conducted regarding the security of wind farm installations. And none focusing on their network infrastructure and specificities. In this talk, we are attempting to address this gap by digging deeper inside the backbone of wind farm network architecture and their equipment.
During the presentation, we are going to focus on low-level network components (switches, protocol/media converters) and demonstrate how a vulnerability affecting them could have critical or disastrous consequences. Various real-world vulnerabilities are going to be presented, along with their respective theoretical attack scenarios and paths.
We will end the talk with a demonstration of a proof-of-concept “worm” targeting L3 switches installed in several green power plants, able to automatically compromise vulnerable switches located in their network infrastructure.
Alexander is a Security Consultant for IOActive. He holds a Ph.D. in computer security and his research interests lie in distributed systems, mobile, hardware and industrial protocols security. He has presented at various conferences including BlackHat USA/EU/UK/Asia, t2.fi, hardwear.io, ZeroNights, CONFIdence, and S4.
Tao is a Sr. Security Consultant for IOActive. He is interested in code review, firmware analysis and embedded systems. He enjoys finding new vulnerabilities and exploiting them. He maintains CANToolz in his spare time, a python framework for black-box CAN bus analysis.
New Tales of Wireless Input DevicesMatthias Deeg @ SySS GmbH
In our talk, we will present new security tales of wireless mice, keyboards, and presenters using 2.4 GHz radio communication that we have collected over the last two years.
In 2016, we published the results of our research project "Of Mice and Keyboards: On the Security of Modern Wireless Desktop Sets" and publicly disclosed several security vulnerabilities in wireless desktop sets using AES encryption of different manufacturers. In the same year, Bastille Research independently published security vulnerabilities in wireless mice and keyboards of different manufacturers, too. As time went by, we have learned more about the (in)security of further wireless input devices like mice, keyboards, and presenters using different 2.4 GHz radio-based technologies, and want to share our experiences and gained knowledge concerning these devices.
In our talk, we want to present answers to unanswered questions of our previous wireless desktop set research, raise the awareness of security issues and practical attacks against vulnerable wireless input devices, and tell some interesting tales.
Matthias is interested in information technology - especially IT security - since his early days and has a great interest in seeing whether security assumptions in soft-, firm- or hardware hold true when taking a closer look. Matthias successfully studied computer science at the university of Ulm and holds the following IT security certifications: CISSP, CISA, OSCP, OSCE.
Since 2007 he has worked as an IT security consultant for the IT security company SySS GmbH and is head of R&D.
His research results concerning different IT security topics were presented on different international IT security conferences (Chaos Communication Congress, CONFidence, DeepSec, Hacktivity, ZeroNights, PHDays, Ruxcon, Hack.lu, BSidesVienna). He also published several IT security papers and security advisories.
45Sami Laiho @ Adminize
45 life hacks of the Windows OS in 45 minutes Do you believe you know a lot about Windows but you would be eager to learn more? Sami Laiho, one of the world's leading operating system experts, shows you 45 tips and tricks about the Windows OS that you didn't even know existed! You will walk out thinking "OMG.. How did I miss that for all these years!" Sami's session was evaluated as the Best Session at Ignite 2018 so you can rest assured that you will learn a lot and have fun while doing it!
Sami Laiho is one of the world’s leading professionals in the Windows OS and Security. Sami has been working with and teaching OS troubleshooting, management, and security since 2001. Sami’s session was evaluated as the best session in TechEd North America, Europe and Australia in 2014, and Nordic Infrastructure Conference in 2016 and 2017. At Ignite 2017, the world’s biggest Microsoft event, Sami was evaluated as the Best External Speaker. At Ignite 2018 Sami’s sessions were ranked as #1 and #2 out of 1708 sessions!! This was the first time in the history of the conference that anyone has been able to do this!
Detecting Sophisticated Threat Actors in AWSNick Jones & Alfie Champion @ F-Secure Consulting
Many modern cloud environments make heavy use of containerisation, serverless functions and other cloud-native services. As such, many of the data sources used for threat hunting in traditional environments are no longer available. In addition, most attacks consist of abusing legitimate functionality, making it challenging at times to differentiate the malicious from the benign. Based on ﬁrst-hand experience attacking and defending large enterprises, this talk will share what we've learned about detecting attacks against cloud-based environments. This includes an open-source framework for deﬁning, executing and evaluating detection of malicious activity in AWS. We'll also be sharing an open-source AWS native SIEM that we've built to validate this tooling, which could also be used to threat hunt in AWS.
Nick Jones is a senior security consultant at F-Secure Consulting (formerly MWR InfoSecurity), where he leads the cloud security team, in addition to developing and delivering attack detection services. His research time is spent developing tools and techniques for assessing, exploiting and defending cloud deployments.
Alfie Champion is a cyber defence consultant for F-Secure Consulting (formerly MWR InfoSecurity). He has a background in software development and DevOps and now helps lead the global delivery of attack detection services. He has a keen interest in infrastructure-as-code and the use of software development principles to enable the scalability and repeatability of attack detection assessments.
Using Machines to exploit Machines - harnessing AI to accelerate exploitationGuy Barnhart-Magen
Imagine yourself looking through a myriad number of crash dumps trying to find that one exploitable bug that has escaped you for days! And if that wasn’t difficult enough, the defenders know that they can make us chase ghosts and red herrings, making our lives waaaay more difficult (Chaff Bugs: Deterring Attackers by Making Software Buggier)[https://arxiv.org/pdf/1808.00659.pdf] Offensive research is a great field to apply Machine Learning (ML), where pattern matching and insight are often needed at scale.
We can leverage ML to accelerate the work of the offensive researcher looking for fuzzing–>crashes–>exploit chains. Current techniques are built using sets of heuristics. We hypothesized that we can train an ML system to do as well as these heuristics, faster and more accurately. Machine Learning is not the panacea for every problem, but an exploitable crash has multiple data points (features) that can help us determine its exploitability. The presence of certain primitives on the call stack or the output of libraries and compile-time options like libdislocator, address sanitizer among others, can be indicators of “exploitability”, offering us a path to a greater, more generalized insight. A demo would be shown live on stage (and if the gods permit, a tool released)!
Guy is a member of the BSidesTLV organizing team and recipient of the Cisco “black belt” security ninja honor – the highest cyber security advocate rank. With over 15 years of experience in the cyber-security industry, he held various positions in both corporates and start-ups. He is currently a security research manager at Intel, where he focuses on AI Security, reverse engineering and researching various embedded systems. Guy has presented at T2 Infosec Conference, BSidesLV, 44CON, Skytalks, DefCon CPV, IMWorld, AppsecIL, and numerous corporate events.
Static Binary InstrumentationNguyen Anh Quynh & Do Minh Tuan @ NTU university
Static binary instrumentation is a technique to permanently patch executable file to observe or modify its behavior at run-time. From an attacker's perspective, this is helpful to build persistent infection. From the point of defense, this plays an crucial role in binary analysis. Unfortunately, existing static instrumentation tools are seriously lacking: they either support just some platforms, or limit to few CPU processors.
Our research looks at the technical issues of creating a static binary instrumentation framework that work on multiple platforms and architectures. We will present solution for each problem, ranging from how to extend target binary to inject external callbacks, to how we instrument the target, and how to put all of these together to build such a framework.
This talk will be concluded with some nice demos.
Dr.Nguyen Anh Quynh is a regular speaker at numerous industrial cybersecurity conferences such as Blackhat USA/Europe/Asia, Defcon, Recon, Eusecwest, Syscan, HackInTheBox, Hack.lu, Deepsec, XCon, Confidence, Hitcon, Opcde, Shakacon, Brucon, Zeronights, Tensec, H2HC, etc. He also presented his researches in academic venues such as Usenix, IEEE, ACM, LNCS. His contribution to the filed lays foundation for various innovative works in the industry and academia.
As a passionate coder, Dr. Nguyen is the founder and maintainer of several open source reversing frameworks: Capstone (http://capstone-engine.org), Unicorn (http://unicorn-engine.org) and Keystone (http://keystone-engine.org).
Do Minh Tuan is a security researcher of CyStack, Vietnam. Soon going to finish his university study, he already has 4 years of working experience. A passionate member of BabyPhD CTF team, Tuan also enjoys exploring deeply technique of fuzzing and software exploitation.
Opening PANdora's Box - Endeavors in Exploiting and Securing VPN Client SoftwareHanno Heinrichs @ CrowdStrike
Corporate VPN client software is commonly distributed across a company to at least all portable corporate clients. It plays a critical role for any employee working remotely; its failure might cut one off from the company’s network and resources. Similarly, it plays a critical role from an attacker’s perspective as well: Being such a widely distributed piece of software, typically running with UID 0 or SYSTEM privileges, any vulnerabilities within it pose the risk of impacting a company’s security posture significantly.
In this talk we would like to present our endeavors in evaluating suitable solutions that address both of the aforementioned risks. Starting with a FOSS client that is compatible with the corporate VPN protocol in place at our company, we found it to contain various bugs that prompted us to go back to evaluating the official COTS client. We will explain our reverse engineering efforts into the COTS client and present multiple bugs we found in both clients, allowing us to develop LPE exploits that target the COTS client on both Windows and Linux. We will also showcase more bugs yet to be weaponized and will finally present a method for dockerizing the COTS client to yield an attack surface reduced version that entails the least amount of drawbacks for usability.
Hanno is a Security Researcher at CrowdStrike's Advanced Research Team with a master's degree in Chemistry. When he is not blowing up adversaries during working hours, his interests include reverse engineering, binary exploitation and malware analysis.
Abusing Azure Active Directory: Who would you like to be today?Nestori Syynimaa @ Gerenios Ltd
Azure AD is used my Microsoft Office 365 and over 2800 third-party apps. Although Azure AD is commonly regarded as secure, there are serious vulnerabilities regarding identity federation and pass-through authentication. In this session, using AADInternals toolkit, I will demonstrate how to exploit these vulnerabilities to create backdoors, impersonate users, and bypass MFA.
Dr Nestori Syynimaa is one of the leading Azure AD/Office 365 experts in the world. He holds MCITP and MCSA in Office 365, is certified Microsoft 365 Enterprise Administrator and has been an MCT since 2013. Currently, Dr Syynimaa works as a CIO for eight cities and municipalities surrounding Tampere, the largest inland city in Nordic countries. He also runs his own consulting business, Gerenios Ltd.
Before moving to his current position, Dr Syynimaa worked as a consultant, trainer, and university lecturer for almost 20 years. Dr Syynimaa has been speaking in many scientific and professional conferences, including IEEE TrustCom 2018 and Black Hat USA Arsenal 2019.