Speakers (preliminary) - DeepSec IDSC 2020 Europe

Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation

Dawid Czagan (Silesia Security Lab)

LIVE ONLINE TRAINING

Until 2017 HackerOne bug hunters have earned $20 million in bug bounties and they are expected to earn $100 million by the end of 2020. Some of HackerOne customers include the United States Department of Defense, General Motors, Uber, Twitter, and Yahoo. This clearly shows where the challenges and opportunities are for you in the upcoming years.

What you need is a solid technical training by one of the Top 10 HackerOne bug hunters.

Modern web applications are complex and it’s all about full-stack nowadays. That’s why you need to dive into full-stack exploitation if you want to master web attacks and maximize your payouts. Say ‘No’ to classical web application hacking. Join this unique hands-on training and become a full-stack exploitation master.

Watch 3 exclusive videos (~1 hour) and feel the taste of this live online training.

After completing this training, you will have learned about:

- REST API hacking
- AngularJS-based application hacking
- DOM-based exploitation
- Bypassing Content Security Policy
- Server-side request forgery
- Browser-dependent exploitation
- DB truncation attack
- NoSQL injection
- Type confusion vulnerability
- Exploiting race conditions
- Path-relative stylesheet import vulnerability
- Reflected file download vulnerability
- Subdomain takeover
- and more…

Watch 3 exclusive videos (~1 hour) and feel the taste of this live online training.


WHAT STUDENTS WILL RECEIVE
Students will receive a VMware image with a specially prepared testing
environment to play with the bugs. What's more, this environment is
self-contained and when the training is over, students can take it home (after
signing a non-disclosure agreement) to hack again at their own pace.

SPECIAL BONUS
The ticket price includes FREE access to Dawid Czagan's 6 online courses:

  • Start Hacking and Making Money Today at HackerOne
  • Keep Hacking and Making Money at HackerOne
  • Case Studies of Award-Winning XSS Attacks: Part 1
  • Case Studies of Award-Winning XSS Attacks: Part 2
  • DOUBLE Your Web Hacking Rewards with Fuzzing
  • How Web Hackers Make BIG MONEY: Remote Code Execution

WHAT STUDENTS SAY ABOUT THIS TRAINING
This training has been very well-received by students around the world. Here you can see testimonials.

WHAT STUDENTS SHOULD KNOW
To get the most out of this training intermediate knowledge of web application
security is needed. Students should be familiar with common web application
vulnerabilities and have experience in using a proxy, such as Burp Suite Proxy,
or similar, to analyze or modify the traffic.

WHAT STUDENTS SHOULD BRING
Students will need a laptop with a 64-bit operating system, at least 4 GB RAM (8
GB preferred), 35 GB free hard drive space, USB port (2.0 or 3.0), wireless
network adapter, administrative access, ability to turn off AV/firewall and
VMware Player/Fusion installed (64-bit version). Prior to the training, make
sure there are no problems with running 64-bit VMs (BIOS settings changes may
be needed). Please also make sure that you have Internet Explorer 11 installed
on your machine or bring an up-and-running VM with Internet Explorer 11.
(You can get it here: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/).

WHO SHOULD ATTEND
Penetration testers, bug hunters, security researchers/consultants

Dawid Czagan (@dawidczagan) is an internationally recognized security
researcher and trainer. He is listed among the Top 10 Hackers (HackerOne). Dawid
Czagan has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft,
Twitter and other companies. Due to the severity of many bugs, he received
numerous awards for his findings.

Dawid Czagan shares his security bug hunting experience in his hands-on
trainings "Hacking Web Applications - Case Studies of Award-Winning Bugs in
Google, Yahoo, Mozilla and More" and "Bug Hunting Millionaire: Mastering Web
Attacks with Full-Stack Exploitation". He delivered security training courses
at key industry conferences such as Hack In The Box (Amsterdam), CanSecWest
(Vancouver), 44CON (London), Hack In Paris (Paris), DeepSec (Vienna), HITB GSEC
(Singapore), BruCON (Gent) and for many corporate clients. His students
include security specialists from Oracle, Adobe, ESET, ING, Red Hat, Trend
Micro, Philips and the government sector. (Recommendations:
https://silesiasecuritylab.com/services/training/#opinions).

Dawid Czagan is a founder and CEO at Silesia Security Lab – a company which
delivers specialized security testing and training services. He is also an
author of online security courses at Pluralsight. To find out about the latest
of Dawid Czagan's work, you are invited to follow him on Twitter (@dawidczagan).

Defending Industrial Control Systems

Tobias Zillner & Thomas Brandstetter (Limes Security)

Smarter industrial systems require smarter defenses. In addition to increased security requirements on manufacturers, system integrators and operators of industrial plants, technical changes in the area of industrial security have become a new challenge. These rapid changes lead to the fact that industrial security today works completely different compared to the familiar world of automation of the past decades. In this training we provide clarity by giving guidelines for action on how to correctly handle security issues in an industrial environment. Technicians and engineers in particular are increasingly required in industrial operations to make or prepare the right decisions concerning appropriate technical security measures and security technologies. This requires deeper security knowledge and a good understanding – be it of threats, current attack campaigns or the use of technical protection measures. Thus, the contents of the “Defending ICS” trainings have been selected based on the experience gained from many industrial projects and are aimed at the challenges that technicians in the industry face in practice today. Through practical examples the participants develop all the skills required for secure digitization in industry. The training is aimed at persons that want to deepen their existing knowledge in IT and OT security and improve their skills regarding how to technically implement security measures in OT operations. The central theme of the training is securing an initially insecure OT network architecture. The training starts with a risk analysis to define possible impacts and identify threats and risks. After that the training is divided in chapters covering the most important security measures in OT. Every chapter starts with imparting theoretical know how regarding the topic, paired with hands-on exercises for better understanding and ends with the definition of additional threats based on the covered topics. In this way the security aspects of industrial protocols such as

- the choice of most common wired and wireless industrial protocols,
- how to secure insecure industrial protocols,
- vital OT network security topics like
Network segmentation,
ICS firewalls, and
Honeypots,
- and well-established network-based attacks such as
denial of service,
man in the middle,
spoofing, and
smb relay
are covered.


The last chapter is dedicated on how to implement certain security measures in OT. For this we have chosen the most common problem areas and the corresponding security measures in ICS:

Defense in depth (what is it and how is is relevant for OT)
User Management (centralized vs. decentralized user management, advantages of separate user management for OT, how to securely configure user management)
Credential Management (what is credential management, ways for implementing credential management in OT, consideration for ICS)
Host Hardening (most important hardening measures, considerations for OT)
System Monitoring and Network Detection (importance for OT, what to consider when implementing network monitoring and detection)
Remote Access (policies for implementing secure remote access for OT, discussion of TeamViewer for remote access)
Backup and Recovery (definition of RTO und RPO, common pitfalls, considerations for OT)

By the end of the training the participants have a basic understanding of OT transmission technologies and protocols as well as different network protection measures. Furthermore, they know the procedure for partitioning and zoning of an architecture according to the IEC 62443 standard. In addition, the participants acquire the knowledge on how to start implementing the most important security measures in their own OT as well as what to consider when doing so.

Tobias Zillner is general manager and IT/OT-Security specialist at Limes Security, specialized in consulting for industrial security and security assessments. In addition to industrial security Tobias mainly focuses on current hacking techniques and reverse engineering wireless communication. He has been speaking at several international security conferences (Black Hat, Defcon, DeepSec, BSides,...) and is engaged in teaching at the University of Vienna and the University of Applied Sciences in St. Pölten.

Prof. Thomas Brandstetter is a widely-recognized industrial cybersecurity
expert, with more than 15 years of industry experience. He is well known for being the founder of the Siemens Hack-Proof Products Program, the incident handler for the Stuxnet incident as well as the founder of the Siemens Product Cyber Emergency Readiness Team, which is still one of the most effective industrial vulnerability and incident response teams worldwide today.

Since 2013, he is the co-founder and managing director of Limes Security, one of Europe’s leading cyber security companies specializing in top-class industrial security consulting and secure software development coaching. He also holds a Professorship in IT Security at University of Applied Sciences St. Poelten and was appointed as Honorary Professor for Cyber Security at the esteemed Cyber Technology Institute of DeMontfort University Leicester, UK.

Thomas was a speaker at security conferences like Blackhat USA, Blackhat Europe and SANS SCADA, Meridian, IFIP WG11.10 CIIP and CIRED. He is conference chair of the industrial control system cyber security research (ICS-CSR) research conference series as well as ITSECX conference. He served as program committee member of the International Conference on Availability, Reliability and Security (ARES) and editorial board member of the European Alliance for Innovation's (EAI) endorsed Transactions on Security and Safety.

Open Hardware Hacking

Paula de la Hoz Garrido (Telefonica TECH)

When designing redteam attacks, the scope can be quite complex. We are not only speaking about websites and pentesting, but finding and exploiting human vulnerabilities. Most of the social engineering attacks imply using gadgets: from mock "pendrives" to sniffing, hardware plays a very important part in real life scenarios. For this purpose, there are tons of gadgets from official trade marks such as Hak5, The Hacker Warehouse, Dangerous things and others. Although this gadgets usually work like a charm, sometimes we have to rely on more flexible gadgets, designed for a specific purpose in specific scenarios. And in that case we should know a bit about electronics and open source hardware for building our own gear.

Relying on Open source Hardware is a good idea as it's easier to find manuals, support, community help and more. A lot of pentestings most used tools are open source and we love them, so why not do the same with open sourced hardware? The maker community is one of the most friendly in tech, let's take advantage of it!

Once you complete the training you will have learned about:

  • Electronics and basic circuits physics
  • C for electronics
  • Choosing from different kind of boards for a (security) project
  • Setting up a Rasperry Pi
  • Use and configure Arduino IDE for different kind of projects
  • Using DFIR for Arduino
  • Using Bluetooth in Arduino
  • WiFi in RPI and Arduino
  • How facial recognition works
  • Using Attiny85 as a rubber ducky
  • GSM and geofencing
  • Looking for circuit designs and ordering custom boards
  • Hardware debugging
  • The steps for designing a whole hardware project
  • Usability and how to build hardware not only for you but for your team
  • Understanding the risks and limits of using hardware
  • Maker community and the importance of keeping open sourced stuff

WHAT WILL STUDENTS USE

I will lend hardware hacking kits to groups of students that will be organized in the training, they will need to return the stuff when the class finishes. This kit will include: Attiny85 and nano boards, Bluetooth, DFIR, and others components/sensors, resistors, wires and other assisting components. They will have to use their own computers, preferably Linux based.

During the training I will do some capture the flag-like activities in which the students will be able to win some stuff from the training.

WHAT STUDENTS SHOULD KNOW

A bit of C knowledge is recommended, but knowing programming in general is the true requirement. The training is meant to be available to those who haven't used C as well. Basic Linux commands are strongly recommended, as that's what I will be using and it might be confusing for those who haven't used it before.

WHAT STUDENTS SHOULD BRING

They should bring their computers. I personally recommend Linux based (mostly because this way they will follow the exact steps I take and I will be most likely able to solve issues) and they should install Arduino. If they already have any board they are willing to learn about (Arduino, RPI 4/Zero, ESP8266, etc) they are encouraged to bring it.

WHO SHOULD ATTEND

Anyone interested in Hardware or Redteam, both students and professionals are welcomed.

24 years old senior Redteam offensive security expert at Telefonica TECH. Previously worked as a redteam member for another company, as a pentester, security and systems auditor. Also worked as a robotics teacher at a private school in Switzerland. Writing about security in English, Spanish and Japanese at dev.to/terceranexus6 and speaking about technology on a social radio in Madrid. Co-founded a digital rights and privacy awareness association in Spain called Interferencias with more than 1k members.

Also tattooing.

Open Source Intelligence Gathering on Human Targets

Robert Sell (Trace Labs)

In this workshop I provide the class with real human targets and while they are collaborating on this I provide tools and techniques for them to use to bring them closer to their goal. This is a hands on workshop where students will also have the opportunity to learn from each other. The beginning of the class will consist of a brief intro to OpSec considerations while the end will wrap up with report prep and intel safe guarding.

Robert is the founder and president of Trace Labs which is a non profit organization that crowd sources open source intelligence (OSINT) to help locate missing persons.
He has spoken at conferences and podcasts around the world on subjects such as social engineering, open source intelligence, physical security and other topics.
Robert primarily works in the aerospace industry where he assists newly acquired organizations to secure their environments. This includes all aspects of security in regions around the world.
In 2017 and 2018 he competed at the Social Engineering Village Capture the Flag contest. He placed third in this contest (both years) and since then has been teaching organizations how to defend against social attacks and how to reduce their OSINT footprint. In 2018, he actually ran a CTF while participating (and placing 3rd) in the SECTF at Defcon Vegas.
Robert is also a ten year volunteer with Search and Rescue in British Columbia, Canada. In his SAR capacity, Robert specializes in tracking lost persons.

Threat Modeling: The Ultimate "Shift Left"

Irene Michlin & Kreshnik Rexha (IBM)

The earlier in the lifecycle you pay attention to security, the better are the outcomes. Threat modelling is one of the best techniques for improving the security of your software. It is a structured method for identifying weaknesses on design level. The participants will learn the technique and gain practical skills through exercises.


The curriculum of the training:
- Threat modelling: introduction and motivation
- Data Flow Diagrams
- STRIDE
- Beyond STRIDE
- Prioritization
- Mitigations
- Integrating threat modelling in SDLC

This training targets mainly blue teamers, as well as software developers, qa engineers, and architects; but will be also beneficial for scrum masters and product owners.

Irene Michlin is a security consultant at IBM. Before going into application security consultancy, Irene worked as software engineer, architect, and technical lead at companies ranging from startups to corporate giants. Her professional interests include securing development life-cycles and architectures.

Kreshnik Rexha is a consultant security architect at IBM Security. Before joining the consultancy practice Kreshnik has worked in multiple roles in industry including software development, infrastructure engineering, architecture and risk & compliance mainly in large enterprises in the financial sector. He has also spend a considerable part of his career teaching security in various UK educational institutions. Kreshnik's professional interests are DevSecOps and Key /Secret Management.

Incident Response Detection and Investigation with Open Source Tools

Thomas Fischer & Craig Jones (FVT SecOps Consulting, Sophos)

Defenses focus on what you know! But what happens when the attackers gain access to your network by exploiting endpoints, software or even your people. Under the assumption that you have been breached, how do you work backwards to gain knowledge of what happened? How can you find those adversaires in your infrastructure? IR detection and response relies on a structured process of identifying observables and collecting evidence. One aspect of this is the practice of proactively seeking out evil in your infrastructure, finding needles in haystacks that link to other needles and unveiling how an organization was compromised and possibly even answering the "why?". This is commonly referred to as Threat Hunting. In this hands-on training participants will learn about the basic building blocks for an IR detection and investigation programme. The training will introduce the basics so that a participant will be able to take this knowledge and build up a programme in their own organisation. Using tools like ELK or HELK, Grr, Sysmon, and osquery, we will explore how to deploy and use these tools as basic free options to build the foundations of the threat hunting programme. The labs will look at how Mitre ATT&CK and things like sigma rules are used to help identify indicators of attack. With interactive labs on a simulated corporate infrastructure of both windows and linux client, we'll explore the capabilities provided by these tools to hunt for common techniques used by Malware and threat actors.

Participants will walk away with a basic understanding of threat hunting and the tools needed to develop a hunting practice in their own organisation through the following agenda:

Intro to threat hunting
Threat hunting and the IR process
Understanding the requirements
Backend Tools
Detection/Reporting tools like Mitre ATT&CK and Sigma
Endpoint tools: osquery and sysmon
Hands on exercise will be spread across the 2 days


Participant Requirements:
Working knowledge of Windows (no OSQuery experience required);
Working knowledge of the Linux shell (no OSQuery experience required);
Basic SQL,
Laptop with a SSH client

Thomas Fischer has over 30 years of experience in the IT industry ranging from software development to infrastructure & network operations and architecture to settle in information security. He has an extensive security background covering roles from incident responder to security architect at fortune 500 companies, vendors and consulting organisations. He is currently security advocate and threat researcher focused on advising companies on understanding their data protection activities against malicious parties not just for external threats but also compliance instigated. Thomas is also an active participant in the InfoSec community not only as a member but also as director of Security BSides London, ISSA UK chapter board member and speaker at events like SANS DFIR EMEA, DeepSec, Shmoocon, and various BSides events.

Craig Jones is Senior Manager of Security Engineering in Sophos, responsible for detection engineering, IR and security infrastructure.​@albanwr​​​

Mobile Security Testing Guide Hands-On

Sven Schleier & Ryan Teoh

LIVE ONLINE TRAINING

Did you ever struggle to use Frida?

Do you ever wanted to know how to intercept traffic on a Fluter App and bypass SSL Pinning on Android and iOS?

Or were just curious if it's possible to do a proper penetration test on a non-jailbroken iOS device?

If so, this training is perfect for you. All of these topics and more will be covered during our hands-on course that is based on the OWASP Mobile Security Testing Guide (MSTG) and is conducted by one of the authors himself. The OWASP MSTG is a comprehensive and open source guide on modern mobile security testing for both iOS and Android. This course will provide a customized mobile testing environment including many hands-on mobile security challenges. Wide ranges of topics will be covered such as Mobile Operating System fundamentals to using Frida (Dynamic Instrumentation Framework) to bypass client-side security controls.

What attendees will learn

This course is developed for:
- Penetration Testers that want to achieve full coverage when testing a mobile app and know how to work with an accepted industry standard for mobile testing
- Developers that want to understand how attacks against their mobile apps are executed and how they can be improved by implementing security best practices.


The goal of this course is to learn:
- the technical skills to execute a penetration test against iOS and Android mobile applications
- utilise the OWASP Mobile Security Testing Guide (MSTG) as a baseline and comprehensive methodology during mobile security assessments.
- How to mitigate vulnerabilities in mobile apps and implement the latest best practices


This training will mainly focus on:
- iOS and Android security fundamentals to understand the security mechanisms that are in place by the OS
- Preparing a penetration testing environment for iOS and Android and clarifying the limitations and benefits of each (real device, emulator, jailbroken, rooted etc.)
- Hands-on exercises that are based on iOS and Android Apps that are build specifically for each test case to gain an understanding of different vulnerabilities
- Demonstrate implementation of the latest security best practices to mitigate vulnerabilities in mobile apps or reduce the attack surface
- Demonstrating methodology on conducting iOS application testing with a jailbroken and non-jailbroken device
- Introduction into dynamic instrumentation by using Frida and different tools powered by Frida (e.g. objection)
- Reverse Engineering of iOS and Android Apps to bypass client-side security controls, such as disabling Root Detection or SSL Pinning


Attendees will be provided with the following content:
- All slides in PDF format used for Day 1 and Day 2
- Toolkit including all tools and scripts used during the training (Access to private Github repo)
- Several iOS and Android Apps that are used for the exercises (Access to private Github repo)


Prerequisites
The following prerequisites need to be fulfilled by the participants in order to be able to execute and follow all exercises:
- MacBook with at least 8 GB Ram, 40GB of free disk space and a stable internet connection
- Full administrative access to disable AV or Firewall in case of any issues with the environment
- VirtualBox installed
- Xcode installed


An iOS or Android hardware device is not needed by the participants and will also not provided. The hands-on exercises for the Android training will instead be executed in a cloud-based, virtualized environment that allows attendees to access a rooted Android device. One Android instance will be provided for each participant.


The iOS training will be executed with the iOS Simulator. The source code of the vulnerable apps will be shared with the students and different attacks can be executed and fixes can be applied.


We will also offer 20 min support windows, 1 week before the training for all students, to make sure that the setup is up and working prior to the training.


The participants should have a basic understanding of mobile apps, interest in security and learning new things and basic experience with the command line.


Detailed Outline


Day 1 – Android:


Module 1: Overview of Android Platform and Security Mechanisms:
- Android Security Architecture (Bootloader, Permission model, Sandboxing etc.)
- App Communication with the Operating System (IPC, Intent etc.)
- Runtime Environment (Dalvik vs. ART)


Module 2: Creating an Android Testing Environment
- Android Debug Bridge (ADB)
- Setting up an Android Genymotion instance in the cloud for testing
- Differences and limitations between testing in an emulator/simulator and a physical device


Module 3: Android Application Structure
- Decompiling an APK
- APK file structure
- Understanding and analysing the AndroidManifest.xml
- Repackaging and analysing an app with Network Security Configuration


Module 4: Static Analysis
- Identifying a Deeplink vulnerability in a Kotlin App
- Exploiting the Deeplink vulnerability
- Automated Static Analysis with MobSF; showing quick wins and it's limitations to identify the Deeplink vulnerability


Module 5: Analysis of Network Traffic
- Proxying HTTP traffic by using Burp Suite
- Analysing apps build on frameworks that are not using the system Proxy; Students will be intercepting an app build with Flutter
- Capturing all outgoing (non-HTTP) traffic on the Android device, by chaining tcpdump, netcat, adb and Wireshark together
- Piping network traffic from an Android device to your laptop through USB by using adb reverse, e.g. in case of client isolation in the Wifi network


Module 6: Dynamic Instrumentation 101 Android
- Introduction into Frida and it's basics (hooking, overloading, usage of Frida CLI and Frida scripts etc.)
- Identify and hook functions of an Android App
- Using Frida Server on a rooted device


Module 7: Reverse Engineering - Bypassing Root detection
- Introduction into various ways of implementing root detection
- Using Dynamic Instrumentation to bypass multiple root detection functions and compare it to other techniques, such as patching Smali and using Xposed (Pros/Cons)


Module 8: Bypassing SSL Pinning
- Overview of SSL Pinning functionality and implementation
- Show different ways of bypassing SSL Pinning, by using Xposed (rooted device) and Objection (non-rooted device)
- Show ways of bypassing Network Security Configuration


Module 9: Testing for Sensitive Data in Local Storage (Shared Preferences, SQLite Databases, Internal and External Storage) and secure usage of KeyStore


CTF: Investigate an app with the newly learned skills and win a price!

 

Day 2 – iOS


Module 1: Overview of iOS Platform and Security Mechanisms
- iOS Security Architecture (Hardware Security, Code Signing, Sandbox, Secure Boot, Security Enclave)
- Explaining IPA Container and Structure on the iOS File System


Module 2: Creating an iOS Testing Environment
- Testing with and without Jailbreak and it's limitations
- Testing in an emulator compared to a real device
- Setting up the iOS Simulator and Xcode
- Describing various ways of installing iOS Apps

Module 3: Demonstration of testing iOS Apps without Jailbreak:
- Repackaging an IPA with the Frida Gadget by using Objection
- Overview of Objection and it's limitations


Module 4: Static Analysis
- Decrypting an app with Fairplay Encryption by using clutch or frida-ios-dump
- Using class-dump
- Analyzing 3rd party libraries in iOS Apps for vulnerabilities
- Automated Static Analysis with MobSF
- Review Info.plist for misconfigurations, such as App Transport Security (ATS)


Module 5: Dynamic Instrumentation 101 iOS
- Recap of Frida and it's basics (hooking, overloading, usage of Frida CLI and Frida scripts etc.)
- Identify and hook functions of an iOS App
- Using Frida for testing iOS Apps


Module 6: Dynamic Analysis
- Capturing HTTP traffic through Burp Suite
- Piping network traffic from an iOS device to the laptop via USB by using usbmuxd, e.g. in case of client isolation in the Wifi network
- Analysing all non-HTTP traffic through a remote virtual interface on macOS


Module 7: Bypassing SSL Pinning
- Identifying usage of SSL Pinning
- Lab to show different ways of bypassing SSL Pinning, by using SSL Kill Switch (jailbroken device) and by using Objection (non-jailbroken device)


Module 8: Testing for Touch ID /Face ID Bypass
- Overview of Touch ID / Face ID functionality and implementations
- Bypassing Biometric authentication through Needle and Objection


Module 9: Testing for Sensitive Data in Local Storage
- Explanation of different ways to store data on iOS (Core Data, plist, Sqlitedb etc.) and how to store it securely by using the Keychain
- Analyse local storage by using Objection, Passionfruit and Xcode


Module 10: Testing Stateless Authentication with JSON Web Token (JWT) in an iOS App
- Dynamic Testing by using Burp Suite
- Analyse storage for access tokens
- Apply known attacks against JWT


Module 11: Hands-on: Reverse Engineering
- Basic Reverse Engineering of an iOS app
- Bypassing Client-Side Security controls such as jailbreak or simulator detection through dynamic instrumentation with Frida


CTF: Investigate an app with the newly learned skills and win a price!

Sven made several stops at big consultant companies and small boutique firms in Germany and Singapore and became specialised in Application Security and has supported and guided software development projects for Mobile and Web Applications during the whole SDLC. Besides his day job Sven is one of the core project leaders and authors of the OWASP Mobile Security Testing Guide and OWASP Mobile Application Security Verification Standard and has created the OWASP Mobile Hacking Playground. Sven is giving talks and workshops about Mobile and Web Application Security worldwide to different audiences, ranging from developers to students and penetration testers.
LinkedIn: https://www.linkedin.com/in/sven-schleier-98259194/

 

Ryan Teoh (OSCE, OSCP, CRT) is a Security Engineer at Grab with a strong focus on Mobile Security. He spends a considerable amount of time in iOS kernel exploitation, contributing to the iOS security testing chapter and the iOS Crackmes which are part of the OWASP Mobile Security Testing Guide. That aside, he is active on both private and public bug bounty programs and has successfully bagged several critical mobile security bugs. Ryan is a strong believer in knowledge sharing - initiated a security blog on top of facilitating workshops to security engineers, developers and students about mobile security, dynamic instrumentation and reverse engineering of mobile applications.
LinkedIn: https://www.linkedin.com/in/ryan-teoh/

 

DeeSec 2020 Opening

René Pfeiffer (DeepSec Organisation Team)

Everything has a beginning. Just like the universe, the DeepSec conference has one, too. This is it.

René (also know as Lynx) was born in the year of Atari's founding and the release of the game Pong. Since his early youth he started taking things apart to see how they work. He couldn't even pass construction sites without looking for electrical wires that might seem interesting. The interest in computing began when his grandfather bought him a 4-bit microcontroller with 256 byte RAM and a 4096 byte operating system, forcing him to learn assembler before any other language. He spends a lot of time with system administration, teaching, occasional research, coding, and checking if the doors are properly locked.

How To Combat Risks Directly From Within Your IDE

Christian Schneider (Schneider IT-Security)

If we can build software in a reliable, reproducible and quick way at any time using Pipeline-as-Code and have also automated security scans as part of it, how can we quickly capture the risk landscape of agile projects to ensure we didn't miss an important thing? Traditionally, this happens in workshops with lots of discussion and model work on the whiteboard with boxes, lines and clouds. It's just a pity that it often stops then: Instead of a living model, a slowly but surely eroding artifact is created, while the agile project evolves at a faster pace.

In order to counteract this process of decay, something has to be done continuously, something like "Threat-Model-as-Code" in the DevSecOps sense. The open-source tool Threagile implements the ideas behind this approach: Agile developer-friendly threat modeling right from within the IDE. Models editable in developer IDEs and diffable in Git, which automatically derive risks including graphical diagram and report generation with recommended mitigation actions.

The open-source Threagile toolkit can be executed as a simple docker container and runs either as a command line tool or a full-fledged server with a REST-API: Given information about your data assets, technical assets, communication links, and trust boundaries as input in a simple to maintain YAML file, it executes a set of over 40 built-in risk rules and optionally your custom risk rules against the processed model. The resulting artifacts are diagrams, JSON, Excel, and PDF reports about the identified risks, their rating, and the mitigation steps as well as risk tracking state.

Agile development teams can easily integrate threat modeling into their process by maintaining a simple YAML input file about their architecture and the open-source Threagile toolkits handles the risk evaluation.

Christian Schneider has pursued a successful career as a freelance Java software developer since 1997 and expanded it in 2005 to include the focus on IT security. His major areas of work are penetration testing, security architecture consulting, and threat modeling. As a trainer, Christian regularly conducts in-house training courses on topics like web application security and coaches agile projects to include security as part of their process by applying DevSecOps concepts. Christian regularly enjoys speaking and giving trainings at major national and international conferences.

EPP/EDR - Unhooking Their Protections

Daniel Feichter (Strong-IT Innsbruck)

EPP/EDR Systems use different static and dynamic mechanisms for detecting malicious behavior. Especially EDR Products use a technique called API-Hooking for intercepting code flow to analyse code on malicious sections/strings/behavior etc. Generally not the badest method, but since the introduction of Kernel Patch Production trough Microsoft in Windows OS, EPP/EDR products are forced to set their API-Hooks in user mode. This leads to one problem, user mode applies to everyone the same rules. So their methods to unhook hooked API-Calls and the EPP/EDR go blind. Another technique to detect malicious behavior in kernel mode used by EPP/EDR products are Kernel Callbacks. This technique is a good alternative to user mode hooks, but also there are weaknesses which can be abused.

- Daniel Feichter 34 Years old
- Lives in Innsbruck/Tyrol, works for the company Strong-IT, is an ethical hacker/IT-Sec researcher
- Main emphasis on EPP/EDR and Win OS research

Abusing Azure Active Directory: Who Would You Like To Be Today?

Dr. Nestori Syynimaa (Gerenios Ltd)

Azure AD is used by Microsoft Office 365 and over 2900 third-party apps. Although Azure AD is commonly regarded as secure, there are serious vulnerabilities regarding identity federation, pass-through authentication, and seamless single-sign-on.

In this session, using AADInternals PowerShell module, the exploitation of these vulnerabilities to create backdoors, impersonate users, and bypass MFA are demonstrated.

The purpose of this session is to raise awareness of the importance of the principle of least privilege and the role of on-prem security to cloud security.

Dr Nestori Syynimaa is one of the leading Office 365 experts in the world and the developer of AADInternals toolkit. He has worked with Microsoft cloud services over a decade and has been MCT since 2013. Currently, Dr Syynimaa works as a CIO for eight cities and municipalities in Finland and runs his own consulting business. Before moving to his current position, Dr Syynimaa worked as a consultant, trainer, researcher, and university lecturer for almost 20 years.

Dr Syynimaa has been speaking at many international scientific and professional conferences, including IEEE TrustCom 2018, TechMentor Orlando 2017 & 2018, TechMentor Seattle 2018, and Black Hat USA & Europe 2019

Improve Your Threat Hunt With Adversary Emulation

Thomas V Fischer (FVT SecOps Consulting)

Adversary Emulation is a type of ethical hacking engagement where the Red or Purple Team emulates how an adversary operates, leveraging the same tactics, techniques, and procedures (TTPs), against a target organisation. The goal of these engagements is to train and improve people, process, and technology. Adversary emulations are performed using a structured approach following industry methodologies and frameworks (such as MITRE ATT&CK) and leverage Cyber Threat Intelligence to emulate a malicious actor that has the opportunity, intent, and capability to attack the target organisation.


In this presentation, end-to-end methodology and tools will be introduced to help security operations and defence teams. The methodology will cover how to organise cyber threat intelligence and leverage it to conduct adversary emulation and hunting using a framework like ATT&CK. Hunters, incident responders and SOC teams will learn how to use emulation to gain a better understanding of adversary TTPs and help identify gaps in controls as well as prioritise hunting and mitigation activities.

Thomas has over 30 years of experience in the IT industry ranging from software development to infrastructure & network operations and architecture to settle in information security. He has an extensive security background covering roles from incident responder to security architect at fortune 500 companies, vendors and consulting organisations. He is currently security advocate and threat researcher focused on advising companies on understanding their data protection activities against malicious parties not just for external threats but also compliance instigated.
Thomas is also an active participant in the InfoSec community not only as a member but also as director of Security BSides London, ISSA UK chapter board member and speaker at events like SANS DFIR EMEA, DeepSec, Shmoocon, and various BSides events.

How To Cause (or Prevent) A Massive Data Breach. Secure Coding And IDOR

Anna Bacher (Jaroona GmbH)

Most infosec professionals are aware of the massive First Financial Corporation data breach that leaked 885 million sensitive documents in 2019. The damage was caused by a vulnerability called IDOR (Insecure Direct Object Reference) that was present in a First Financial Corporation web application.

OWASP (the Open Web Application Security Project) recognizes IDOR as one of the top 10 security vulnerabilities for 2020. IDOR falls into the OWASP category known as Broken Access Control. IDOR is arguably one of the most difficult vulnerabilities to systematically detect and defend against in an enterprise codebase. Its ease of exploitation and potential high impact makes it a very high-risk vulnerability.

What should developers do? Most industry experts advise them to “think like a hacker,” actively exploring possible attack vectors and implementing access control checks before manipulating resources. They also recommend manual code reviews.

While these are good recommendations, they require developers to know how, when, and where to implement access control checks. And, they create a lot of additional manual work.

Industry recommendations for QA are somewhat similar: think about attack vectors and make sure to write an extensive set of test cases to cover all potential scenarios. The number of necessary test cases can be immense as IDORs appear in URL parameters, form field parameters, file paths, headers, and cookies. Again, the recommended “best practice” involves a lot of additional manual work.

Security officers are encouraged to arrange for manual code audits, which do not scale easily and are expensive. Commercial classic rule-based static code analyzers (SAST) should be able to help in theory, but they produce a lot of false positives and often prove more trouble than they are worth. Modern dynamic code analyzers (DAST) are based on traditional fuzzing techniques and are not suitable for IDOR. This is because traditional fuzzing seeks to break an application with the assumption that crashes indicate the presence of vulnerabilities. This is ineffective since IDOR does not typically crash an application but allows a malicious action to succeed.

Our goal is to break through the manual work and provide an efficient automated detection and remediation solution that is effective against IDOR. We were inspired by recent academic advances in defining patterns of vulnerabilities from code representation graphs, the rise of graph query languages (Semmle, ...), advances in graph neural networks, and the recent Microsoft research paper (2019) that describes a fuzzer able to detect IDOR in REST APIs. Integrating all these ideas, we started our journey to automatically find IDORs in targets ranging from applications, libraries, APIs and microservices.

In this talk I would like to share our findings and insights regarding:

· Our proven Security Framework for systematically and automatically detecting IDOR that includes advanced static and dynamic analysis built on top of the latest academic research and available open source solutions. Benchmarks of implemented IDOR detection techniques based on a wide range of targets (real world applications, libraries, APIs and micro-services):

o modelling IDOR with code property graphs

o detecting IDOR using pre-trained neural network models

o detecting IDOR using the new generation greybox IDOR fuzzer

· How our work brings developers a step closer to fully owning the security of their applications, without having to become hackers. This new generation of developer-friendly automated tools reduces the barriers to entry that have prevented developers from using security tools in development.

We will release and share with the conference participants:

· Scripts for detecting IDORs by querying a code property graphs based on Fraunhofer-AISEC library (an open source library to extract a code property graph from source code)

· Pre-trained neural network for the detection of IDOR vulnerabilities

· Scripts for detecting IDOR with open source fuzz-lightyear

This talk will feature demos, CVEs, and highlights of what we have learned over the last two years of research. Participants can use our released tools and findings to automatically detect IDORs in their applications.

Anna Bacher is co-founder and CTO of Jaroona GmbH, a pioneer on the advanced machine-learning based enterprise application security platform. She‘s an ethical hacker, CTO and a developer with nineteen years experience developing and penetrating complex systems for top 100 international banks, telecom companies and payment processors. Anna is a co-author of a patent for peer-to-peer network security. Throughout her career as a security architect, she has been an innovator in the fields of network security, end point protection, security analytics, machine learning and threat defense portfolios.
In her current position at Jaroona, she manages a team of highly skilled professionals in cybersecurity, ethical hacking and deep learning, focusing on creating developers’ tools for source code protection. They have built an AI-based vulnerability detection and repair tool that alerts developers to critical vulnerabilities in their code while they are writing it, and provides automated fix suggestions.

Security Model Of Endpoint Devices

Martin Kacer (Mobileum)

Have you ever asked these questions? You are using the latest mobile and using your laptop with the latest and patched OS, running antivirus: Do you need to worry about security? Isn’t there still something broken in the entire security and permission model? Why can the desktop application, that is not an internet browser, access and communicate by using any IP address? Why can the application access your whole filesystem and collect the files from there? Why can an android app with internet permission communicate using any arbitrary IP, even a private one? Why can the app communicate by using different domains? Isn't the app market ecosystem creating a friendly environment for botnets? This talk will shed some light on these issues and propose some mitigation strategy.

Martin Kacer is a Security Researcher, dedicated to telecom security. He made key contributions to GSMA security guidelines documents related to interconnect signalling security for 2G, 3G, 4G and 5G networks. Regarding open source work, Martin is author of open source Signalling firewall and was speaker at the BlackHat USA conference. Additionally he contributed to the wireshark project and published a few tools.

Ransomware: Trends, Analysis and Solutions

Josh Pyorre (Cisco)

Ransomware is one of the most damaging variations of malware to date, extorting individuals, companies, and governments. This presentation will cover a history of Ransomware and related malware, the types of extortion that are used, and the effects it has had on victims. An analysis of tools, tactics, infrastructure, malware used in attacks, and specific ransomware variants will be presented, along with where different types of solutions can be used to stop infection. Additionally, techniques for recovery and remediation will be discussed.


While it may be impossible to stop a determined ransomware infection, there are many ways to prepare and possibly prevent them. This talk will help to bring clarity to this problem, leaving attendees better informed and capable of fighting back.

Josh Pyorre is a senior security research analyst with Cisco Umbrella. Previously, he was a threat analyst at NASA, working as part of the team that built and ran the NASA Security Operations Center at Ames Research Center. He has worked with Mandiant, helping to build their SOC while conducting incident response for multiple clients. Before working in security, Josh was the technical director for a non-profit providing assistance to the homeless in San Francisco. His professional interests involve network, computer and data security with a goal of maintaining and improving the security of as many systems and networks as possible.

DarkCrewBot – The Return Of The Bot Shop Crew

Adi Ikan (Check Point Software Technologies)

Check Point Researchers recently discovered an ongoing, evolving campaign from a known hackers’ group, “DarkCrewFriends.” This campaign targets PHP servers, focusing on creating a botnet infrastructure that can be leveraged for several purposes such as monetization and shutting down critical services.

DarkCrewFriends has been quite active over the last few years. The group offers a variety of services ranging from bots to traffic services for websites, and was mentioned as the party responsible for causing a data breach in an Italian news site.

The attack chain of the current campaign includes exploiting an unrestricted file upload vulnerability, uploading a malicious PHP web shell, and communicating with a C&C server using an IRC channel. The attackers can leverage the malware’s capabilities for various scenarios, such as DDoS attack types and shell command execution.

In the presentation we will present our findings, from the detailed entire attack chain walk through to sharing unique insights on the threat actors.

Network Research & Protection Group Manager at Check Point Software Technologies. NRPG is focused on analyzing the threat landscape, and developing the relevant security coverage for our customers. Prior to Check Point, I served as an Officer in the IDF Intelligence Corps 8200 Unit in various research and development positions - From Product Manager through Security Researcher to Software Engineer. In addition, I Hold an M.Sc. in Financial Mathematics (Graduated cum laude) and B.Sc. in Applied Mathematics (Graduated while high school studies) at Bar-Ilan University.

I have already presented our research in conferences, such as BSides San Francisco, CircleCityCon, and CPX Vienna.

These (Secure) Boots Were Made For Walking.

Lior Yaari (Imperium Security)

Do you want to hack your Xbox One for FREE GAMES?? Well you can't. The reason for that is that someone did a really good job protecting the device's boot sequence. But this isn't a story of "that one time that someone did a good job"; it's a collective of all the other stories when people screwed up.

Secure boot is a process where boot images and code are authenticated before they are allowed to be used in the boot process. Optimally, this creates a chain of trust engulfing all code run on embedded device. This prevents rogue code from executing within the system without the manufacturers approval. Examples include DRM on gaming consoles, root-prevention in smart phones and protection from supply-chain attacks. But not only high-end systems like phones and PCs are using Secure Boot these days - it is used to protect many devices, from smart homes and cities to automotive ECUs from malicious intent.

As embedded vulnerability researchers, who are exploiting Automotive and IoT devices, one of our primary targets are secure boot solutions. The earlier in the boot process we manage to manipulate code executed by the system, the greater the power of our attack becomes. Bypassing software protections placed at later stages of the boot process our only limitations remain hardware protections.

In this talk we will give an overview of common secure boot mechanisms and examples of vulnerabilities found within these systems. We will share our methodology in analyzing boot processes and exploiting them. This talk is based on research we conducted on numerous IoT and Automotive systems and our findings within.

Added in the workshop application

Journey Into Iranian Cyber Espionage

Chris Kubecka (Hypasec)

Welcome to the new Cold War in the Middle East. In 2012, Iran’s first Shamoon attacks almost crashed every world economy, nearly bringing the world to its knees. Since then, the game of spy vs. spy has intensified. Join Chris on a 2.5 year Iranian espionage campaign attempting to recruit her for the most innocent of jobs; teaching critical infrastructure hacking with a focus on nuclear facilities. A journey of old school espionage with a cyber twist. Bribery, sockpuppets, recruitment handlers, propaganda VVIP luxury trip mixed with a little IOT camera revenge.

Chris is the founder and CEO of HypaSec, she has practical and strategic hands-on experience in several cyber warfare and cyber terrorism incidents. Previous USAF aviator and USAF Space Command. Detecting and helping to halt the July 2009 Second Wave attacks from the DPKR against South Korea and helping to recover and reestablish international business operations after the world’s most devastating cyber warfare attack Shamoon in 2012. Leading the incident management when the Saudi Arabian Embassy in the Netherlands was hacked in 2014 which involved the ISIS terrorist group, the city of The Hague, all embassies in the city, negotiating and discovery of evidence of a diplomatic insider that saved over 400 dignitaries lives.

Efficient Post-quantum Digital Signature

Maksim Iavich (DeepSec Scholar 2020)

Active work is being done to create and develop quantum computers.
Traditional digital signature systems, which are used in practice, are vulnerable to quantum computers attacks. The security of these systems is based on the problem of factoring large numbers and calculating discrete logarithms. Scientists are working on the development of alternatives to RSA, which are protected from attacks by quantum computer. One of the
alternatives are hash based digital signature schemes. Merkle digital signature scheme is the very promising alternative to the classical digital signature schemes. It must be emphasized, that the scheme has efficiency problems and can not be used in practice. Major improvements of the scheme lead to security vulnerabilities. I will show that Merkle uses hash functions many times. I will offer the improved implementation of the hash function. I will integrate it into Merkle scheme. By means of this function, I will offer the secure and efficient Pseudo Random Number Generator (PRNG). I will offer the optimized approach for the generation of the seed for this PRNG by quantum source of randomness (using the simulation). During my talk, I will offer the efficient and secure implementation of Merkle signature. This scheme will use the optimized approaches discussed above. The implementation will be significantly speeded up using the threads of CPU. I will analyze the efficiency and the security of the scheme.

Maksim Iavich is PH.D. in mathematics and professor of computer science. He is CEO & President of Scientific Cyber Security Association (SCSA). Maksim is an affiliate professor and the head of cyber security direction at Caucasus University. In 2018 he was acknowledged as the best young scientist in the field of technology and engineering directions in Georgia.

Maksim is a cyber security consultant in Georgian and international organizations. He is a speaker at international cyber security conferences and is the organizer of many scientific cyber security events. He has scientific awards in the cyber security field. Maksim is the author of many scientific papers. The topics of the papers are: cyber security, cryptography, post-quantum cryptography, quantum cryptography, security of 5G cellular networks, mathematical models and simulations.

“I Told You So!” – Musings About A Blameless Security Culture

Tim Berghoff, Hauke Gierow (G DATA CyberDefense)

The concept of a blameless culture is familiar to agile software development teams the world over. Going blameless has lots of merits, yet in many organizations and management teams true blamelessness is far from being the norm. This is especially true for the security sector, where the thinking is perhaps even more linear than elsewhere in an organization. This way of thinking is not necessarily bad, but not always helpful. On the other hand, sugarcoating any shortcoming will not help things along either. In truth, the security industry is still facing a lot of work when it comes to dealing with people. This talk will address and explore some of the fundamental problems of corporate security culture and why it keeps companies from moving forward.

Tim has been working for G DATA in several capacities for more than 10 years, in support, international consulting and public relations. In his current role, he gives talks as well as TV and radio interviews on security related topics.

Hauke has taken on the role of Head of Corporate Communications at G DATA after having worked as a journalist for Golem.de. He has also worked for Reporters without Borders and the Mercator Institute for China Studies (MERICS).

Street Cred: Fixing Authentication From Passwords To Passwordless

Wolfgang Goerlich (Duo)

Don’t say no one likes passwords. It isn’t true. Criminals love them. Passwords are easy to steal, copy, and re-use. Who wouldn’t like that? Well, I mean, other than victims and those in charge of protecting systems. Between user complaints about complex password policies and admin complaints about help desk calls and password resets, perhaps it is time for a change. After all, for as long as people have been securing IT, the credentials have been the first and last line of defense.

This talk provides a walking tour of the authentication landscape. Red versus blue style, we’ll compare attacks and defenses and walk along the evolution of strong authentication. To the left, we’ll see multi-factor with SMS, soft tokens, push authentication, and biometrics. To the right, we’ll see single sign-on with SAML and OIDC. Look straight ahead for passwordless methods such as Windows Hello and FIDO2. This session will conclude with the latest practices for protecting authentication and give a glimpse of the changes to come. Attendees will be able to provide authentication that even a criminal could love.

J. Wolfgang Goerlich is an Advisory CISO for Duo Security. Prior to this role, he led IT and IT security in the healthcare and financial services verticals. Wolfgang has held VP positions at several consulting firms, leading advisory and assessment practices. He is an active part of the security community, co-founding and organizing security conferences. Wolfgang regularly advises on and presents on the topics of security architecture and design, identity and access management, data governance, secure development life cycles, zero-trust security, and more.

The Art Of The Breach

Robert Sell (Trace Labs)

The Art of the Breach is designed to be a journey for anyone interested in physical security. Robert takes the audience on a trip from a public sidewalk outside a target organization all the way to the executive filing cabinet in the President’s office. During this adventure, Robert discusses everything from successful reconnaissance prior to the breach to ensuring an easy exit afterwards.
Robert spends time at each step to go over the various options for moving forward. Some of these options are easy and straight forward while others require preparation and planning. Since every business is different, Robert brings in many different obstacles a physical penetration tester might face. This includes steel doors, cameras, armed guards and aware employees.
While many physical security talks focus strictly on the information security aspect of breaching, Robert will combine this with techniques used by first responders to enter a building.
If you want to up your game on physical security or at the very least gain some ideas for improving your company’s defenses, this talk is for you.

Robert is the founder and president of the Trace Labs which is a non profit organization that crowd sources open source intelligence (OSINT) to help locate missing persons.
He has spoken at conferences and podcasts around the world on subjects such as social engineering, open source intelligence, physical security and other topics.
Robert primarily works in the aerospace industry where he assists newly acquired organizations to secure their environments. This includes all aspects of security in regions around the world.
In 2017 and 2018 he competed at the Social Engineering Village Capture the Flag contest. He placed third in this contest (both years) and since then has been teaching organizations how to defend against social attacks and how to reduce their OSINT footprint. In 2018, he actually ran a CTF while participating (and placing 3rd) in the SECTF at Defcon Vegas.
Robert is also a ten year volunteer with Search and Rescue in British Columbia, Canada. In his SAR capacity, Robert specializes in tracking lost persons.

What's Up Doc? - Self Learning Sandboxes to Defeat Modern Malwares Using RSA: Rapid Static Analysis

Shyam Sundar Ramaswami (Lead Threat Researcher - Umbrella Security org - Cisco Systems)

"Catch me if you can!" is the right phrase to describe today's malware genre. Malwares have become more stealthy, deadly and authors have become more wiser too. 

What if sandboxes started performing rapid static analysis on malware files and passed on the metadata to spin a sandbox environment based on malware attributes and the malware does not evade? Well, the talk deals with about how to do RSA (Rapid Static Analysis, i coined it), pass on the attributes and how we defeat modern malwares by dynamically spinning sandboxes. RSA embedded in "H.E.L.E.N" and "Dummy" and how we extracted the real IOC from Ryuk forms the rest of the talk and story! The talk also covers how these key "attributes" that are extracted are used for ML, how we build bipartite graphs, build instruction based sequence detection models and win32 api based detection models "leveraging HELEN's intelligence".

Shyam Sundar Ramaswami is a TEDx speaker, Black Hat speaker, GREM certified malware analyst, Cisco Security black belt Ninja and teaches cyber security using "Batman" & "Avengers" characters. Shyam leads the Threat research group for Umbrella Asia Pacific and is a threat researcher at Cisco.
Shyam has delivered talks at several conferences and universities like Black Hat (Las Vegas), Stanford University (Cyber Security Program), Qubit Forensics (Serbia), Nullcon 2020 (Goa), Cisco Live (Barcelona), IRespond (San Francisco), Defcon Packet Village (remote) and at several IEEE forums in India.
Shyam also teaches cyber security " Advanced malware attack and defences" at Stanford's Cyber security program and runs a mentoring program called "being Robin" where he mentors students all over the globe on cyber security.

Faulting Hardware from Software

Daniel Gruss (Graz University of Technology)

Fault attacks induce incorrect behavior into a system, enabling the compromise of the entire system and the disclosure of confidential data. Traditionally, fault attacks required hardware equipment and local access. In the past five years multiple fault attacks have been discovered that do not require local access, as they can be mounted from software.
We will discuss the Rowhammer attack and how it can subvert a system. We then show that a new primitive, Plundervolt, can similarly lead to a system compromise and information disclosure.

Daniel Gruss (@lavados) is an Assistant Professor at Graz University of Technology. He finished his PhD with distinction in less than three years. He has been involved in teaching operating system undergraduate courses since 2010. Daniel's research focuses on side channels and security on the hardware-software boundary. His research team was involved in several vulnerability disclosures, including Meltdown and Spectre. He has co-authored more than 20 top-tier academic publications in the past five years and received several prizes for his research.

The Great Hotel Hack: Adventures In Attacking The Hospitality Industry

Etizaz Mohsin

Have you ever wondered if your presence might be exposed to an unknown entity even when you are promised full security and discretion at a hotel? Well, it would be scary to know that the hospitality industry is a prime target nowadays for cyber threats as hotels offer many opportunities for hackers and other cybercriminals to target them and therefore resulting in data breaches. Not just important credit card details are a prime reason, but also an overload of guest data, including emails, passport details, home addresses and more. Marriot International where 500 million guests' private information was compromised is one of the best examples.

Besides data compromise, surgical strikes have been conducted by threat actors against targeting guests at luxury hotels in Asia and the United States. The advanced persistent threat campaign called Darkhotel infected wifi-networks at luxury hotels, prompted the victims to download the malware and thus, succeeded in specifically targeting traveling business executives in a variety of industries and its prevalence seems to have no end yet. 


For a broader outlook, this time a popular internet gateway device for visitor based networks commonly installed in hotels, malls and other places that provides guests temporary access to Wi-Fi was examined. To see, how the guests and the hotels both have a serious stake in this, we will discourse about the working of guest Wi-Fi systems, different use cases and their attack surfaces: device exploitation, network traffic hi-jacking, accessing guest's details and more. Common attacks and their corresponding defenses will be discussed. This talk will contain demos of attacks to reveal how the remote exploitation of such a device puts millions of guests at risk.

Etizaz Mohsin is an information security researcher and enthusiast. His core interest lies in low level software exploitation both in user and kernel mode, vulnerability research, reverse engineering. He holds a Bachelors in Software Engineering and started his career in Penetration Testing. He is an active speaker at international security conferences. He has achieved industry certifications, of which OSCP, OSCE, OSWP, OSWE, OSEE, CREST CRT, CPSA, EWPTX, CEH are the most prominent ones.

Security of Home Automation Systems – A Status Quo Analysis For Austrian Households

Edith Huber, Albert Treytl (Donau-Universität Krems)

Home Automation System (HAS) are a growing market, which is very diverse ranging from consumer electronics like TVs, mobile phones and gaming consoles via WLAN connected sensors, power plugs or lightbulbs to building automation devices for HVAC systems  or access solutions. Beside "classical" network technologies IoT technologies gain increasing spread and importance.

This paper presents results of a representative survey analyzing the security awareness and perception as well as susceptibility to cybercrime of HAS users in Austria. The aim of this survey is to investigate the spread of the device types, cybercrime attacks and security risks.
These results are compared with technical vulnerabilities of such devices to identify relevant security risks and countermeasures.


Additionally, a concept to protect sensor values directly in the analog circuit is presented as an outlook to ongoing research.

Dr. Edith Huber is a senior researcher at the Danube University Krems Her research focuses on Cyber Security, CERTs, Information Security, Communication, Cybercrime, Cyberstalking, New Media, Social Science and Criminology. She has more than 15 years of experience as a security researcher, working in national and international research projects. She is the author of more than 30 peer-reviewed articles and has published numerous books on cybercrime, including the latest book "Einführung Cybercrime".

Albert Treytl is senior researcher in the area of communication technologies and security. He received his master degree in electrical engineering (focus on computer technology) at the Vienna University of Technology in 2001 with distinction. His research focused on security and communication for resource limited devices in distributed systems.
From 1996 to 2000 he led the development of a bank simulation software for a continuing education network of the Austrian government. End of 2000 he joined the Institute of Computer Technology at the Vienna University of Technology as a research assistant in the area of building control, energy management systems and security. His focus was on security of automation networks such as field busses and wireless ad-hoc networks. The topics of his research projects included web-based interfacing of energy management systems, electronic payment, smart card application development and research, and smart grid security measures.
2006 he joined the Institute for Integrated Sensor System at the Austrian Academy of Sciences, where he is lead the security and vertical integration activities and group. He co-developed an architecture of an agent-based distributed manufacturing execution system including a complete FIPA compliant agent platform hosted on an active RFID supporting full security and continued his work on Smart Grid Security, e.g., in DLC+ VIT4IP (FP7). Additionally, he investigated the security of clock synchronization systems.
Since 2013 he is head of the Center for Distributed Systems and Sensor Networks and deputy head of the Department for Integrated Sensor Systems at the Danube University Krems. His research is dealing with distributed data management and processing in sensor networks and the integration of sensor systems. This comprises securing sensor networks, distributed energy optimization in industrial and office buildings as well as integration of sensors in intelligent traffic systems. Recent research is on digital twins and applications of AI methods for model predictive control strategies.
He is author of more than 50 peer reviewed scientific publications and leader of multiple national and international projects, e.g., REMPLI(FP5), PABADIS PROMISE (FP6) and I3E (SEE).Aside this, he engages himself in various technical committees (IEEE, CEN TC 247 WG4, IEEE1588 standardisation), scientific conferences, and is co-lecturer at the Vienna University of Technology.

Scaling A Bug Bounty Program

Catalin Curelaru (Visma)

Bug bounties have started to make headlines over the past years and currently we can see a constant growth of it. Implementing a Bug Bounty Program can be challenging and requires some understanding of the nuances on how to make it successful or not. Actually running a successful bug bounty program starts far before it is launched officially. During this talk you will find out how a successful program looks like and also there will be some practical tips and tricks to optimize your program.

Catalin is a passionate cybersecurity professional for whom security is more than a job, it's a habit. He works at Visma as a Product Security Engineer, enjoying his time at the Product Security Operations team and is the OWASP Timisoara Chapter Leader aiming to create a strong local security community focused on improving the application security world. He has also several recognized certifications in the security field like: MCSA, MCSE, Security+, CASP, CEH and is seeking to constantly learn in this wonderful area.

Oops! Look twice

Paula de la Hoz Garrido (Telefonica TECH)

Targeted cyber attacks sometimes imply to investigate and mimic the people who work in a physical environment, who their clients are, what are their most common suppliers or services and more. Knowing about them and about your team (including yourself) can lead to a successful phishing or physical social engineering attack. Hardware hacking is usually related to this, as most of the gadgets need to be used physically close to the target. In this talk I'd like to explain how to investigate, profile a character, disguise the devices I build and use all public resources to make other people think I am someone that I'm not.

24 years old senior Redteam offensive security expert at Telefonica TECH. Previously worked as a redteam member for another company, as a pentester, security and systems auditor. Also worked as a robotics teacher at a private school in Switzerland. Writing about security in English, Spanish and Japanese at dev.to/terceranexus6 and speaking about technology on a social radio in Madrid. Co-founded a digital rights and privacy awareness association in Spain called Interferencias with more than 1k members.

Also tattooing.

No IT Security Without Free Software

Max Mehl (Free Software Foundation Europe)

IT security is one of the most challenging global issues of recent years. But apart from the establishment of countless "cyber security" authorities, politics doesn't seem to come up with something substantial. However, Free Software can be the solution to many pressing security problems. In this session, we will look at pros and cons and use concrete examples to illustrate why security and openness are not contradictory.

For security professionals, the growing complexity of today's digital world is no big surprise. But decision-makers are often overwhelmed by these new challenges and the uncertainties they entail. As a result, many fall for cheap selling arguments for blackboxed solutions and lose sight of a general strategy.

We don't know the exact security threats in five or ten years, but it is obvious that nobody can face them alone. This is where Free and Open Source Software comes into play. However, transparency and openness may seem contra-intuitive when it comes to security.

Together, we will explore how this riddle can be solved sustainably. The talk will also cover potential disadvantages and cases of consideration as well as typical counterarguments.

Max Mehl is programme manager at the Free Software Foundation Europe (FSFE) and coordinates initiatives in the areas of politics, public awareness and licensing. But he is also frequently to be found in the virtual server room of the FSFE. He sees Free Software as an important component to solve urgent technical and social problems. Every day he is fascinated how many advantages software freedom brings for different aspects - from ethics to politics and economy to security technology.

RedTeamOps

Mert Can Coskuner, Caglar Cakici (Trendyol)

Red team operations involve many skills, the operation requires a lot of monitoring, consolidating and caution. In order to perform red team operations faster and stealthier, without thinking about the infrastructure, every team has its' own habits and standards.

However, there is a problem with those habits and standards:
- There are tons of tools but no operation management,
- No aggregation between these tools,
- When OPSEC fails due to problems above or any other reason, it's essential to possess the capability of maintaining robust infrastructure which can be recreated if discovered, and more importantly, without any issues upon deployment.


In this talk, infrastructure challenges we face as a red teamer will be discussed. Along with challenges, a solution will be proposed based on DevOps practices such as:
- Design your infrastructure based on the standards and habits which your team has
- Create playbooks which suit your needs based on your design
- Create CI pipeline to test and maintain your playbooks

Mert Can Coskuner is a Security Engineer at Trendyol. He is publishing a security blog at medium.com/@mcoskuner. In his free time Mert Can is performing malware, red team and threat intelligence research.

Caught in the Middle with You: Examining the Implications of Adversary Midpoint Collection

Joe Slowik (Dragos Inc, Paralus LLC)

Information security typically focuses on endpoint exploitation and manipulation. However, adversaries increasingly migrate attacks to cover “midpoint” techniques (DNS manipulation, router exploitation, and traffic shaping mechanisms) to circumvent both endpoint and network defenses. Although receiving attention that such attacks take place, most threat analysis provides little information on the implications of such attacks or defensive strategies to meet them.

Starting with revelations emerging from various NSA-related leaks through several campaigns exploiting vulnerabilities in enterprise network devices and multiple examples of DNS traffic hijacking, this talk will examine how adversaries are migrating attack vectors to infrastructure or services beyond the perimeter of intended victims. Examples will include the alleged QUANTUM program associated with US government operations, network device attacks linked to Russian state interests targeting the energy sector, and several waves of DNS manipulation including the SeaTurtle and DNSpionage campaigns. Each illustrates one “layer” of midpoint attack possibility, with different implications in terms of both the threat and its possible mitigation.

The discussion will conclude with security recommendations, examination of risks, and how privacy-oriented discussions such as debates over encryption may influence these types of attacks moving forward. Specifically, organizations face a dilemma of attacks manifesting outside the network perimeter (both endpoint and company-owned network infrastructure), making defense difficult. Yet options exist, from communication security through persistent network traffic monitoring and analysis. Through this discussion, entities will be better prepared to defend against, detect, or even eliminate such risks from harming their operations.

Joe Slowik hunts ICS-specific adversaries and campaigns as part of Dragos Inc. Joe has led investigations into various intrusions, including original research on the 2016 Ukraine power event, the 2017 Triton/Trisis incident, and the ransomware event at Norsk Hydro in 2019. Prior to these roles, Joe ran incident response operations at the US Department of Energy's Los Alamos National Laboratory and served as a Cyber Warfare Officer in the US Navy.

Am I really becoming a cyborg? Human implants as the next big Security, Privacy and Ethics Debate

Prof. Ulrike Hugl (University of Innsbruck)

Many say “We will all, probably, be chipped”, others say “Never”! However, chipping humans can be seen as one of the most invasive biometric technologies. Radio Frequency Identification (RFID) and Near Field Technology (NFC) as related key technologies in the field of human implants are being used by hobbyists, scientists and companies. Reasons to use implants mainly refer to security reasons (identification, workplace surveillance), to healthcare (control of human biological functions of patients) or “just for fun” (to operate smart home applications, to pay by credit card, etc.).
One the one hand, current challenges in human chipping show positive corporate and individual (estimated) advantages; on the other hand, research in security and privacy has shown a high potential of negative impacts. Thus, beside a next big security and privacy debate in the field, also ethical and societal questions arise.
The presentation is organized as follows: The first part identifies current (surrounding) trends of the “Internet of bodies” like biohacking, body enhancement, and cyborgism. The second section discusses triggers for human chipping from an individual and corporate point of view. Existing and potentially upcoming issues of security, privacy and ethics are analyzed in the next part. Finally, theses for further corporate, individual, and also societal developments as well as potential new fields for research are being identified.

 
 
 

Prof. Ulrike Hugl is a senior scientist and lecturer at the University of Innsbruck (School of Management), Department of Accounting, Auditing and Taxation. She is a member of various scientific committees of international conferences and a reviewer of several journals. Her research mainly focuses on new technologies with impacts on information security and data protection of organizations, as well as on occupational/corporate crime (especially insider threat) and industrial espionage issues.

 
 
 

Practical Mobile App Attacks By Example

Abraham Aranguren (7ASecurity)

A significant amount of confusion exists about what kind of damage is possible when vulnerabilities are found in mobile apps. This talk aims to solve this problem by providing a broad coverage of Android and iOS app vulnerabilities identified over multiple years of penetration testing. The purpose is to provide a comprehensive repertoire of security anti-patterns that penetration testers can look for and mobile app developers can watch out for to avoid.

If you are the kind of person who enjoys talks with practical information that you can immediately apply when you go back to work, this talk is for you. This talk is all action, no fluff :)

This talk is a comprehensive review of interesting security flaws that we have discovered over the years in many Android and iOS mobile apps: An entirely practical walkthrough that covers anonymized juicy findings from reports that we could not make public, interesting vulnerabilities in open source apps with strong security requirements such as password vaults and privacy browsers, security issues in government-mandated apps with considerable media coverage such as Smart Sheriff, apps that report human right abuse where a security flaw could get somebody killed in the real world, and more.

The talk offers a thorough review of interesting security anti-patterns and how they could be abused. This is very valuable information for those intending to defend or find vulnerabilities in mobile apps.

This talk is for those who are intending to broaden their knowledge of mobile security with actionable information derived from real-world penetration testing of mobile apps.

Examples will include very interesting scenarios of copy-paste attacks, calling premium numbers from the phone, custom URLs, Deep Links, XSS, SQLi, RCE, MitM attacks, path traversals, and data leak examples from real-world mobile apps, Apart from that, many other issues, including interesting scenarios chaining several vulnerabilities, such as achieving RCE via SQLi, persistent XSS, data exfiltration, etc. are also addressed.

Vulnerability chaining in mobile apps is covered not only for the fun of it but also to demonstrate impact: Mobile app findings are typically downplayed given their relative lower impact compared to server vulnerabilities (i.e. pwn 1 user vs. everybody).

Obviously, almost no modern mobile app stands offline nowadays, so this presentation would be incomplete without covering some nice attacks against those mobile APIs everybody forgot to test.

Please come caffeinated, the audience will be challenged to spot vulnerabilities at any moment and there may be giveaways to the winners :)

Keywords
- Mobile app security
- Static analysis
- Dynamic analysis
- File storage
- Instrumentation
- Repackaging
- Patching
- Root / Jailbreak detection bypasses
- Signing
- Pinning
- Man-in-the-Middle (MitM)
- Crypto
- Mobile app vulnerability patterns
- XSS
- SSRF
- SQLi
- RCE
- Data exfiltration

After 13 years in itsec and 20 in IT Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Former senior penetration tester / team lead at Cure53 (cure53.de) and Version 1 (www.version1.com). Creator of “Practical Web Defense” - a hands-on eLearnSecurity attack / defense course (www.elearnsecurity.com/PWD), OWASP OWTF project leader, an OWASP flagship project (owtf.org), Major degree and Diploma in Computer Science, some certs: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+. As a shell scripting fan trained by unix dinosaurs, Abraham wears a proud manly beard. He writes on Twitter as @7asecurity @7a_ @owtfp or https://7asecurity.com/blog. Multiple presentations, pentest reports and recordings can be found at https://7asecurity.com/publications

Through the Looking-Glass, And What A Hacker Found There

Andrea Valori (Vergilie)

My research is focusing on social engineering attacks conducted against the healthcare sector in stressful situations.
The study involved doctors, healthcare workers, administrative staff, researchers and even university students in medicine. Through simulated social engineering attacks at different levels of complexity, we measured the risk thresholds in the various categories and identified strengths and weaknesses in their approach of technology.


The study involved over 500 people (different in age, gender and IT skills) and was conducted between May and June, to avoid creating problems during the most severe phase of the COVID-19 pandemic.


Despite the many critical issues that emerged from the analysis (statistically, over 62% of the subjects involved failed to recognize and neutralize at least one of the attacks), there are also positive results that allow us to identify virtuous users and privileged practices in defying social engineering.

Doctor of jurisprudence, doctor of administrative sciences, over the years I have followed advanced courses in telecommunications and in law in health emergencies.
Former scholarship holder for MIUR (The Italian Ministry of Education, University and Research), European LLP IP, Volkswagenstiftung and PON-FESR program.
Currently my activity mainly concerns the law applied to cybernetics and new technologies, copyright and open access.

TaintSpot: Practical Taint Analysis and Exploit Generation for Java

Dr. -Ing. Mohammadreza Ashouri (University of Potsdam)

According to the report published by the Common Vulnerabilities and Exposures (CVE) organization, the number of reported vulnerabilities in software systems in 1999 was less than 1600. The number of the same organization report in 2019 is nearly 100,000, approximately 60 times higher. Consequently, facing many continually growing software vulnerabilities, security experts have neither adequate time nor sufficient resources to analyze, detect, and fix these issues promptly and accurately. Hence, this situation has provided an extraordinary opportunity for cybercriminals to exploit zero-day vulnerabilities and perform attacks successfully. Consequently, the presence of practical, scalable, and precise security tools for performing genuine, in-depth, and detailed security analysis on real-world software seems to be an indispensable requirement for today's cybersecurity situation.

A useful security analysis tool should identify zero-day vulnerabilities, exploits, and unseen attacks in real-world software quickly and precisely before being exploited by cyber attackers.
Moreover, such a tool should be easy-to-use and deploy, cost-effective, and result in a few false positives and false negatives. Considering the facts mentioned earlier, in this work, we aim to introduce a practical framework for delivering effective security testing and automatic exploit generation for real-world software without requiring the source code or debugging information. We particularly focus on the Java ecosystem due to its prevalence and extensive impact on enterprise software systems, web applications, and the Android ecosystem. Our proposal framework, which is called "TaintSpot", will be deployed without special firmware modifications or root privileges on various hardware (e.g., x86, ARM) and standard operating systems (e.g., Linux, Windows, and FreeBSD).

 
 
 

Mohammadreza Ashouri holds a Ph.D. degree in Software Security, and is particularly interested in program analysis, designing secure compilers, and program fuzzing. He has some scientific records on designing cryptographic algorithms, blockchain security testing, and web privacy in addition to these domains. Regarding his working experience, he had a chance to work as a cybersecurity analyst and researcher at CISPA (Helmholtz Center for Information Security) and the University of Potsdam. He's also the founder of PersimmonWeb, which is a software development startup. Mohammadreza Ashouri lives in Berlin and likes cycling, photography, writing, and creating electronic music. You can get more information about him by checking his webpage, and if you would like to know more, please don't hesitate to contact him.

Pivoting - As an Attack Weapon

Filipi Pires (-)

Demonstrating an exploit in a container environment (three dockers) across three different networks, I will demonstrate different pivot, vulnerability exploit, and privilege escalation techniques on all machines using Alpine linux, Gogs app, and other Linux platforms using Pentest methodologies such as recon, enumeration, exploitation, post exploitation.


By the end of this presentation everyone will be able to see different ways that exist in working with a single form of pivot and how to overcome different obstacles in different networks within this "new" environment called Docker.

Filipi has been working as a Senior Security Systems Engineer (Pentester) at EPAM Systems in Kraków-Poland and Global Research Manager at Hacker Security, worked for 4 years as a Cyber Security Specialist at Trend Micro in São Paulo-Brazil, and also served as University Professor for Information Security Courses - Graduate and Postgraduate (FIAP and UNIBTA). Postgraduate in Systems Engineering, where he defended the theme "RANSOMWARE: How to protect your company from this cybernetic pest", he has lectured on the awareness in companies explaining about the "Dangers of the Internet!" and "Malware Analysis". In addition, he gave talks at some security events in Brazil such as BHack/Mind the Sec and Roadsec (Belo Horizonte / Porto Alegre / Curitiba). Creator and Technical Trainer of the Course - Malware Analysis Fundamentals.