Speakers (preliminary) - DeepSec IDSC 2015 Europe
Crypto Attacks (closed)
The course covers cryptographic pitfalls and issues every security developer should be aware of. To understand the discussed problems, many cryptographic attacks will be presented and the participants will get an opportunity to develop these attacks using scenarios prepared in our virtual machine.
The training is dedicated to two groups:
First, it is intended for security developers who want to design and develop their new crypto application properly.
Second, the training is intended for penetration testers since the course presents a bunch of practical crypto attacks generally applicable to standardized protocols as well as custom applications.
Contents
Day 1:
- Crypto APIs
- Basic Padding Oracle Attacks (Vaudenay)
- Hash functions and hash extension attacks
- How to Break XML Encryption
- Overview: BEAST / CRIME / POODLE / RC4
Day 2:
- RSA
- RSA fault attacks and RSA bad randomness
- Bleichenbacher's attack
- Breaking RSA in XML Encryption
- Backwards Compatibility attacks
- Invalid Curve Attacks
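As an added example, not part of the course material or of this page: the basic CBC padding oracle attack listed for day 1, written out in Python using only the standard library. The block cipher is an assumed stand-in (a small Feistel network keyed with HMAC-SHA256) so that the code runs offline; the attack treats the cipher as a black box and proceeds identically against AES-CBC. The oracle class, the sample message and the key are constructed for this example.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes; PKCS#7 pad values run 0x01..0x10


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Stand-in block cipher (assumption for this example): a 4-round Feistel
# network whose round function is HMAC-SHA256. Not secure, but the attack never
# looks inside it, so AES would behave exactly the same here.
def _round(key: bytes, half: bytes, i: int) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, right, i))
    return right + left

def block_decrypt(key: bytes, block: bytes) -> bytes:
    right, left = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, left, i)), left
    return left + right


# CBC mode with PKCS#7 padding; the distinguishable padding error is the oracle.
def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out


class PaddingOracle:
    """Models a server that only answers 'is the padding valid?' for a ciphertext."""
    def __init__(self, key: bytes):
        self._key = key
        self.queries = 0

    def valid(self, iv: bytes, ct: bytes) -> bool:
        self.queries += 1
        try:
            unpad(cbc_decrypt(self._key, iv, ct))
            return True
        except ValueError:
            return False


def attack_block(oracle: PaddingOracle, prev: bytes, target: bytes) -> bytes:
    """Recover one plaintext block: learn D_k(target) byte by byte through the
    oracle, then XOR with the real preceding block (or IV)."""
    inter = bytearray(BLOCK)  # D_k(target), filled from the last byte backwards
    for pos in range(BLOCK - 1, -1, -1):
        pad_val = BLOCK - pos
        for guess in range(256):
            forged = bytearray(BLOCK)
            forged[pos] = guess
            for j in range(pos + 1, BLOCK):  # known bytes are forced to pad_val
                forged[j] = inter[j] ^ pad_val
            if not oracle.valid(bytes(forged), target):
                continue
            if pos == BLOCK - 1:
                # Edge case: the first hit may decrypt to 0x02 0x02 (or longer),
                # not 0x01. Tamper the byte before it; only a true 0x01 survives.
                forged[pos - 1] ^= 0xFF
                if not oracle.valid(bytes(forged), target):
                    continue
            inter[pos] = guess ^ pad_val
            break
        else:
            raise RuntimeError("oracle never accepted a padding; not CBC/PKCS#7?")
    return _xor(bytes(inter), prev)


def attack(oracle: PaddingOracle, iv: bytes, ct: bytes) -> bytes:
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    plain = b"".join(attack_block(oracle, blocks[i - 1], blocks[i])
                     for i in range(1, len(blocks)))
    return unpad(plain)


def demo(message: bytes = b"attack at dawn; padding oracles leak plaintext", key=None):
    """Encrypt under a key the attacker never sees, then recover the message with
    nothing but the oracle. Returns (recovered plaintext, number of oracle queries)."""
    key = key or os.urandom(32)
    iv = os.urandom(BLOCK)
    oracle = PaddingOracle(key)
    recovered = attack(oracle, iv, cbc_encrypt(key, iv, pad(message)))
    return recovered, oracle.queries
```

Calling demo() recovers the constructed message in at most 257 queries per byte. The confirmation step for the final byte in attack_block is the part most often left out of textbook versions; without it the attack silently fails on roughly one message in 256, because a guess that makes the last two bytes decrypt to 0x02 0x02 also satisfies the oracle.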
Requirements
- Basic programming skills
- Basic skills in math or crypto are recommended
(or at least, you should definitely know about XOR or modular exponentiation)
- A laptop with a recent version of VirtualBox (the virtual machine will be provided).
VMware and other virtualization software should also work but cannot be supported.
Dr. Juraj Somorovsky finished his PhD in the area of XML Security in 2013. In his thesis "On the Insecurity of XML Security" he analyzes various cryptographic attacks on Web Services and presents practical countermeasures against these attacks, which were applied in XML Security specifications and in countless frameworks and applications. He has presented his work at many scientific and industry conferences, including USENIX Security and OWASP Germany. Currently, he works as a Postdoc at the Ruhr University Bochum, and as a security specialist for his co-founded company 3curity GmbH.
Dr. Tibor Jager is an academic cryptographer, doing research in applied and theoretical cryptography. His work focuses on practical cryptographic constructions, attacks and countermeasures, and the design and formal analysis of cryptographic protocols. He teaches computer networks and IT security at Ruhr University Bochum. Together with Juraj Somorovsky, he has found and reported flaws in cryptographic standards and libraries, including W3C's XML Encryption.
Hacking Web Applications – Case Studies of Award-winning Bugs in Google, Yahoo, Mozilla and more
OVERVIEW
Have you ever thought of hacking web applications for fun and profit? How about playing with authentic, award-winning security bugs identified in some of the greatest companies? If that sounds interesting, join this hands-on training!
I will discuss security bugs that I have found together with Michał Bentkowski in a number of bug bounty programs (including Google, Yahoo, Mozilla, Twitter and others). You will learn how bug hunters think and how to hunt for security bugs effectively.
To be successful in bug hunting, you need to go beyond automated scanners. If you are not afraid of going into detail and doing manual/semi-automated analysis, then this hands-on training is for you.
After completing this training, you will have learned about:
- tools/techniques for effective hacking of web applications
- non-standard XSS, SQLi, CSRF
- RCE via serialization/deserialization
- bypassing password verification
- remote cookie tampering
- tricky user impersonation
- serious information leaks
- browser/environment dependent attacks
- XXE attack
- insecure cookie processing
- session related vulnerabilities
- mixed content vulnerability
- SSL strip attack
- path traversal
- response splitting
- bypassing authorization
- file upload vulnerabilities
- caching problems
- clickjacking attacks
- logical flaws
- and more…
If you want to know what students from Oracle, Adobe, ESET and other companies say about this training, visit this page (https://silesiasecuritylab.com/services/training/#opinions) to learn more.
WHAT STUDENTS WILL RECEIVE
Students will be handed a VMware image with a specially prepared testing environment to play with the bugs. What's more, this environment is self-contained, and when the training is over students can take it home (after signing a non-disclosure agreement) to hack again at their own pace.
WHAT STUDENTS SHOULD KNOW
To get the most out of this training, basic knowledge of web application security is needed. Students should have some experience using a proxy such as Burp, or similar, to analyze or modify traffic.
WHAT STUDENTS SHOULD BRING
Students will need a laptop with 64-bit operating system, at least 4 GB RAM (8 GB preferred), 35 GB free hard drive space, USB and Ethernet ports, administrative access, ability to turn off AV/firewall and VMware Player installed (64-bit version).
WHO SHOULD ATTEND
Pentesters, bug hunters, security researchers/consultants.
Dawid Czagan (@dawidczagan) has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter, BlackBerry and other companies. Due to the severity of many bugs, he received numerous awards for his findings.
Dawid is founder and CEO at Silesia Security Lab, which delivers specialized security auditing and training services. He also works as a Security Architect at Future Processing.
Dawid shares his security bug hunting experience in his hands-on training "Hacking web applications - case studies of award-winning bugs in Google, Yahoo, Mozilla and more".
He delivered security trainings/workshops at Hack In The Box (Amsterdam), CanSecWest (Vancouver), DeepSec (Vienna), Hack In Paris (Paris) and for many private companies. He also spoke at Security Seminar Series (University of Cambridge) and published over 20 security articles (InfoSec Institute).
To find out about the latest in Dawid’s work, you are invited to visit his blog (https://silesiasecuritylab.com/blog) and follow him on Twitter (@dawidczagan).
Pentesting and Securing IPv6 Networks (closed)
This training course shows you how to perform penetration testing on IPv6 networks, locally and remotely, in theory and hands-on practice. Learn first-hand from the developer of thc-IPv6 the tools and techniques that are specific to IPv6.
IPv4 addresses have run out, and IPv6 is now available on every desktop and every server, as all operating systems support it. Most ISPs have started to make IPv6 available and many Internet servers are already reachable over it. This training explains the IPv6 issues, concentrating on the security vulnerabilities inherent in the protocol as well as configuration issues and implementation problems. Many known vulnerabilities are presented and students will be able to try them out themselves with the supplied tools on the test network.
Then, switching sides, we look at what can be done to configure IPv6 networks more securely, from design down to configuration.
On the first day the trainer will invite you for a free drink, so don't plan anything else for the evening of the first training day.
Marc “van Hauser” Heuse is the founder of The Hacker’s Choice (www.thc.org) and author of the thc-ipv6 IPv6 attack suite. Since 2006 he has been researching IPv6 security issues and regularly reports vulnerabilities for all major operating systems. He has also spoken at numerous conferences about his findings, e.g. CanSecWest, PacSec, Hack In The Box, CCC Congress, etc. He is also known for the famous tools hydra, amap and THC-Scan, among others.
Marc is an independent security researcher and consultant.
PowerShell for Penetration Testers
Overview
PowerShell has changed the way Windows networks are attacked. It is Microsoft’s shell and scripting language, available by default on all modern Windows computers. It can interact with .NET, WMI, COM, the Windows API, the Registry and other computers on a Windows network. This makes it imperative for penetration testers and red teamers to learn PowerShell.
This training is aimed at attacking Windows networks using PowerShell and is based on real-world penetration tests done by the instructor. The course runs as a penetration test of a secure environment, with detailed discussion and use of custom PowerShell scripts in each phase. Some of the techniques used in the course:
- In-memory shellcode execution using PowerShell from a Word macro.
- Exploiting SQL Servers (more than executing commands)
- Using Metasploit shellcode with no detection
- Active Directory trust mapping and abuse.
- Dump Windows passwords, Web passwords, Wireless keys, LSA Secrets and other system secrets in plain text
- Using DNS, HTTPS, Gmail etc. as communication channels for shell access and exfiltration.
- Network relays, port forwarding and pivots to other machines.
- Reboot and Event persistence
- Bypass security controls like Firewalls, HIPS and Anti-Virus.
The course is a mixture of demonstrations, exercises, hands-on and lecture. It has a live CTF which attendees can try while and after the training.
After this training the attendees will be able to write their own scripts and customize existing ones for security testing. It aims to change how you test a Windows-based environment.
Course Content
- Introduction to PowerShell
- Language Essentials
- Using ISE
- Help system
- Syntax of cmdlets and other commands
- Variables, Operators, Types, Output Formatting
- Conditional and Loop Statements
- Functions
- Modules
- PowerShell Remoting and Jobs
- Writing simple PowerShell scripts
- Extending PowerShell with .Net
- WMI with PowerShell
- Playing with the Windows Registry
- COM Objects with PowerShell
- Recon, Information Gathering and the like
- Vulnerability Scanning and Analysis
- Exploitation – Getting a foothold
- Exploiting MSSQL Servers
- Client Side Attacks with PowerShell
- PowerShell with Human Interface Devices
- Writing shells in PowerShell
- Using Metasploit and PowerShell together
- Porting Exploits to PowerShell
- Post-Exploitation – What PowerShell is actually made for
- Enumeration and Information Gathering
- Privilege Escalation
- Dumping System and Domain Secrets
- Backdoors
- Pivoting to other machines
- Poshing the hashes™
- Replaying credentials
- Network Relays and Port Forwarding
- Achieving Persistence
- Clearing Tracks
- Quick System Audits with PowerShell
- Detecting PowerShell attacks
- Security controls available with PowerShell
What's in it for you?
1. PowerShell Hacker’s Cheat Sheet, access to the online CTF, solutions to exercises, sample source code, updated tools and extra slides explaining things which could not be covered.
2. Attendees will learn a powerful attack method which can be applied from day one after the training.
3. They'll understand that it is not always required to use a third party tool or non-native code on the target machine for post exploitation.
4. And learn how PowerShell makes things easier than previous scripting options on Windows like VB.
Prerequisites
1. Basic understanding of how penetration tests are done.
2. Basic understanding of a programming or scripting language could be helpful but is not mandatory.
3. An open mind.
System Requirements
Windows 7 or later system, with administrative access and ability to run PowerShell scripts.
Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His area of interest includes penetration testing, attack research, defence strategies and post exploitation research. He has 6+ years of experience in Penetration Testing for his clients, including many global corporate giants. He is also a member of Red teams of selected clients.
He specializes in assessing security risks in secure environments which require novel attack vectors and an "out of the box" approach. He has worked extensively on using Human Interface Devices in Penetration Tests and PowerShell for post exploitation. He is creator of Kautilya, a toolkit which makes it easy to use Teensy in penetration tests and Nishang, a post exploitation framework in PowerShell. In his spare time, Nikhil researches on new attack methodologies and updates his tools and frameworks.
Nikhil has held trainings and boot camps for various corporate clients (in US, Europe and SE Asia), and at the world’s top information security conferences.
He has spoken at conferences like Defcon, BlackHat USA, BlackHat Europe, RSA China, Troopers, DeepSec, PHDays, BlackHat Abu Dhabi, Hackfest, ClubHack, EuSecWest and more.
He blogs at http://www.labofapenetrationtester.com/
Practical Firmware Reversing and Exploit Development for AVR-based Embedded Devices (closed)
Today, you can find many devices based on AVR microcontrollers, from Arduino-based amateur projects to serious automotive, home automation or industrial control system controllers and gateways. You may find many talks about reversing and exploit development for AVR-based devices, but there is still no full-scale guide that answers the question: "I have an AVR device. I have the firmware (?). I have found something that looks like a vulnerability. What should I do now?" The goal of this workshop is to answer this question.
During this workshop, you will learn the specifics of reversing and exploiting AVR firmware. We will talk about tools and techniques, review the AVR architecture, teach you how to write ROP chains for AVR and use other methods that force the MCU to do what the firmware developers did not expect. Post-exploitation topics (such as reflashing and altering the bootloader) will also be covered. We will start our journey with simple programs, quickly move on to popular Arduino libraries and finish with a real exploitation case of an industrial gateway. We will talk about how to use Radare2 and (a bit) IDA Pro for reversing and exploiting AVR firmware, and we will show you how to develop tools that help you with the task.
To participate in this class you need only a basic understanding of reverse engineering and of buffer overflow/memory corruption vulnerabilities. The material is divided into four equal parts: introduction to the AVR architecture and assembly; pre-exploitation (firmware extraction, debugging techniques, circuit reverse engineering, etc.); firmware reversing; and exploitation (including some post-exploitation techniques).
Please bring a laptop with at least 4 GB RAM, 15 GB free hard drive space, two USB ports and VMware, VirtualBox or Parallels installed. You will be supplied with all required software (virtual machine image) and hardware (debuggers and AVR development boards).
Alexander Bolshev is an information security researcher at Digital Security. He holds a Ph.D. in computer security and also works as an assistant professor at Saint-Petersburg State Electrotechnical University. His research interests lie in distributed systems, mobile, hardware and industrial protocols security. He is the author of several whitepapers on topics such as heuristic intrusion detection methods, SSRF attacks, OLAP systems and ICS security. He has spoken at the following conferences: Black Hat USA/EU/UK, ZeroNights, t2.fi, CONFIdence, S4.
Boris (@dukebarman) graduated from the Baltic State Technical University "Voenmeh", faculty of rocket and space technology. Currently he is a postgraduate student there, works as a security engineer at ZORSecurity and contributes to the MALWAS post-exploitation framework. Boris is a recurring writer for the ][akep magazine, a contributor and developer involved in several open-source information security projects, a Radare2 evangelist and a multiple bug bounty awardee.
Social Engineering and Security Awareness
Social engineering is a powerful method for hacking systems: instead of attacking technical devices, social engineers manipulate people to get what they want. Defending your organisation against social engineering attacks is vital, yet very hard to achieve. This workshop focuses on the psychological fundamentals of social engineering. I will show you how social engineering works, how psychology can be used to manipulate people and how social engineers use these skills to circumvent security measures. The second part of the workshop will focus on defensive measures against social engineering attacks. I'll teach didactic methods and other skills required to train your users in a successful, scientifically sound and empirically grounded security awareness campaign. Practical knowledge from human factors and organisational development research will round off the workshop.
Stefan Schumacher is the president of the Magdeburg Institute for Security Research and editor of the Magdeburg Journal for Security Research in Magdeburg/Germany. He started his hacking career before the fall of the Berlin Wall, on a small East German computer with 1.75 MHz and a Datasette drive.
Ever since, he has liked to explore technical and social systems, with a focus on security and how to exploit them. He was a NetBSD developer for some years and was involved in several other Open Source projects and events. He studied Educational Science and Psychology and has done a lot of unique research on the Psychology of Security with a focus on Social Engineering, User Training and the Didactics of Security/Cryptography. Currently he is leading the research project Psychology of Security, focusing on fundamental qualitative and quantitative research about the perception and construction of security.
He presents the research results regularly at international conferences like AusCERT Australia, Chaos Communication Congress, Chaos Communication Camp, DeepSec Vienna, DeepIntel Salzburg, Positive Hack Days Moscow or LinuxDays Luxembourg and in security-related journals and books.
Training: Developing and Using Threat Intelligence (closed)
Traditional security defense tools are increasingly unable to protect against current and emerging attacks. The modern attacker has adopted advanced tools and techniques that cannot be stopped by traditional firewalls, intrusion detection and anti-virus software. Meanwhile, dedicated attackers attempt intrusions over months and years while going undetected, to steal valuable information, trade secrets and financial data. Defense techniques that leverage information about attackers and their techniques, however, can greatly enhance the security of an organization. Modern defenses can integrate intelligence and counterintelligence information, which greatly increases the ability to keep attackers out and to detect their presence quickly. This course will teach students about the tools they can use to gain insight into attacks and how to integrate them into their organization. It will be a mix of lecture and hands-on training, so students will be equipped on day one to go back to work and start using threat intelligence to protect their networks.
John Bambenek is a Sr. Threat Analyst at Fidelis Cybersecurity and an incident handler with the Internet Storm Center. He has been engaged in security for 15 years researching security threats. He is a published author of several articles, book chapters and one book. He has contributed to IT security courses and certification exams covering such subjects as penetration testing, reverse engineering malware, forensics, and network security. He has participated in many incident investigations spanning the globe. He speaks at conferences around the world and runs several private intelligence groups focusing on takedowns and disruption of criminal entities.
Practical Incident Handling (closed)
It is not a question of if, but rather when you will have an incident that needs to be tackled. This workshop aims to provide you with a practical approach to the why, what, who and how of incident handling, including:
(1) why you need an incident handling process,
(2) how to argue for the effort necessary to build and run it,
(3) the practical details of the preparation, identification, containment, eradication, recovery and lessons-learned phases,
(4) what works in practice and where the pitfalls are,
(5) which helpful resources are available for free,
and applying this knowledge by going through a practical case study.
Felix Schallock is a Director at TIBITS Consulting GmbH, a Senior Partner at SEC4YOU Advanced IT-Audit Services GmbH and a SANS mentor for SEC504 and SEC506, providing IT consulting and auditing services. With more than 20 years of experience in IT / IS / IT Auditing and IT Forensics he has handled many incidents and supported others. Felix has the CISA, CISM, CISSP, GCUX, GCIH, GPEN and other certifications.
Secure Web Development (closed)
This training shows you how to attack and defend websites from the perspective of a Web developer. As a long-standing penetration tester and Web security trainer, Marcus will show you known and sometimes unknown attack techniques (and bugs).
DAY 1:
- Basic knowledge
-- HTTP, HTML, CSS, XML, and DOM
- Social Engineering and Information Disclosure
- Logical Flaws
- Same-Origin Policy
- Cross-Site Request Forgery
- Cross-Site Scripting
-- Reflected XSS
-- Stored XSS
-- DOM-based XSS
-- Self XSS
-- Mutation-based XSS
- Session Hijacking and Session Fixation
DAY 2:
- UI Redressing and Clickjacking
- File Inclusions and Path Traversal
- Remote Command and Code Execution
- SQL Injections
- Secure Coding
-- Fonts
-- DOCTYPE Switch
-- HTTP Parameter Pollution
-- Content Security Policy
-- Burp Suite
-- Security Requirements
WHAT STUDENTS SHOULD KNOW:
You should know the basics about HTML, JavaScript, and SQL.
WHAT STUDENTS SHOULD BRING:
Every participant needs an Internet connection and a laptop with Firefox. You will learn a lot - maybe you should bring some headache pills with you.
WHO SHOULD ATTEND
You should definitely attend if you are a Web developer. Depending on the level of knowledge, this workshop might also be interesting for penetration testers and security researchers (especially on day 2!).
Marcus Niemietz is a co-founder of 3curity and a security researcher at the Ruhr-University Bochum in Germany. He focuses on web security topics like HTML5 and especially UI redressing. Marcus published a book about UI redressing and clickjacking for security experts and web developers in 2012. Besides that, he works as a security consultant and gives security trainings for well-known companies. Marcus has spoken at a large variety of international conferences.
Can societies manage the SIGINT monster?
Behind closed doors, ubiquitous surveillance systems have evolved in parallel to and hidden within the global communications infrastructure. Developments in signals intelligence (Sigint) technology and tradecraft have shadowed all new telecommunications developments. Sigint agencies have covertly sought to lead, change, and subvert arrangements that IT practitioners make for security and privacy.
Partly in consequence, in this decade, we have entered a period of frequent massive and damaging data losses.
In this talk, Duncan Campbell will review the history of mass electronic surveillance in the post-Edward Snowden world, and the technical challenges that can be examined with the benefit of new information.
The scale and intrusiveness of what has been found baked into the Internet has taken everyone by surprise. But it has not revealed magic. Instead, the security of the Internet and all connected to it has been broken by familiar, understandable techniques and technologies. Now we know their names.
In the transitions from analogue to digital, from the first days of C2C ("computer-to-computer") spying to DNI (Digital Network Intelligence) today, from the first automated surveillance system to today’s multinational behemoths, common tools are still in use 50 years after they were first invented. This talk will help dissect the obscure tradecraft terms that mask and obfuscate how Sigint works.
Duncan Campbell is an investigative journalist, author, consultant and television producer specialising in privacy, civil liberties and surveillance issues. His best-known investigations led to major legal clashes with successive British governments.
Campbell now also works and is recognised as a forensic expert witness on computers and communications data. He has provided specialist testimony in over a hundred criminal and civil cases and has given evidence to the House of Commons and the European Parliament on surveillance legislation.
For over three decades, he has produced and researched in-depth reports for television, print and online media. His award-winning work into topics including government secrecy, corporate crime and medical fraud has earned critical acclaim and provoked legal challenges. He has published on a wide range of subjects in leading UK newspapers including the Guardian, Observer, Sunday Times, Independent, Mail on Sunday, Daily Express.
He first became nationally known as ‘C’ in the infamous ABC official secrets case of 1977-78, when a Labour government prosecuted two journalists and a former soldier for holding an interview, using a law they had promised to repeal years before. The ABC case (named after the three defendants, Aubrey, Berry and Campbell) ended in November, 1978, causing grave embarrassment for the Labour government.
Hacking Cookies in Modern Web Applications and Browsers
Since cookies store sensitive data (session ID, CSRF token, etc.), they are interesting from an attacker's point of view. As it turns out, quite a few web applications (including sensitive ones like bitcoin platforms) have cookie-related vulnerabilities that lead, for example, to user impersonation, remote cookie tampering, XSS and more.
Developers tend to forget that multi-factor authentication does not help if cookies are insecurely processed. Security evaluators underestimate cookie related problems. Moreover, there are problems with the secure processing of cookies in modern browsers. And browser dependent exploitation can be used to launch more powerful attacks.
That's why secure cookie processing (from the perspective of web application and browser) is a subject worth discussing. The following topics will be presented:
- cookie related vulnerabilities in web applications
- insecure processing of secure flag in modern browsers
- bypassing HttpOnly flag in Safari
- problems with Domain attribute in Internet Explorer
- cookie tampering in Safari
- underestimated XSS via cookie
- HTTP Strict Transport Security (HSTS)
- importance of regeneration
- and more
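As an added example, not part of the talk or of this page: a small Python auditor for the server-side half of the topics above. It parses Set-Cookie headers and reports a missing Secure flag, a Secure cookie set by a plaintext response (classic RFC 6265 restricts only where a Secure cookie is sent, not who may set it), a missing HttpOnly flag on session-like cookies, and a Domain attribute that widens the cookie to all subdomains; a minimal session store then shows the "regeneration" point, read here as issuing a fresh session ID on login so a pre-authentication ID can never be fixated. The sample headers, the name heuristic and the store are constructed for this example; browser-specific behaviour (Safari, Internet Explorer) from the talk is not modelled.

```python
import re
import secrets

# Heuristic (an assumption for this example, not a standard): cookie names that
# suggest a session or anti-CSRF secret, which must never be script-readable.
SENSITIVE_NAME = re.compile(r"sess|sid|token|auth|csrf", re.IGNORECASE)


def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, {attribute: value}).
    Attribute names are case-insensitive per RFC 6265, so they are lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header: str, served_over_https: bool = True):
    """Return a list of findings for one Set-Cookie header; empty means clean."""
    name, _value, attrs = parse_set_cookie(header)
    sensitive = bool(SENSITIVE_NAME.search(name))
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure, also sent over plaintext HTTP")
    elif not served_over_https:
        # Secure restricts where the cookie is SENT; a plaintext response can still
        # set or overwrite it, so an active network attacker can plant one.
        findings.append(f"{name}: Secure cookie set by an HTTP response, plantable by a MITM")
    if sensitive and "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly, readable via document.cookie after XSS")
    if "domain" in attrs:
        findings.append(f"{name}: Domain={attrs['domain']} shares it with every subdomain")
    return findings


class SessionStore:
    """Server-side session table that issues a fresh ID on login. An ID an attacker
    planted before authentication (session fixation) never becomes an authenticated
    one, and the old ID stops working the moment the user logs in."""

    def __init__(self):
        self._sessions = {}

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, user: str) -> str:
        data = self._sessions.pop(sid, None)  # retire the pre-auth ID
        if data is None:
            raise KeyError("unknown session")
        data["user"] = user
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

    def user_for(self, sid: str):
        return self._sessions.get(sid, {}).get("user")


# Constructed sample headers for the audit (not captured from any real site).
SAMPLE_HEADERS = [
    "sessionid=3f1c9e; Path=/",
    "sessionid=3f1c9e; Path=/; Secure; HttpOnly",
    "csrftoken=a1b2c3; Secure; HttpOnly; Domain=example.com",
    "lang=en; Secure",
]


def audit_all(headers=SAMPLE_HEADERS, served_over_https: bool = True):
    """Map each header to its findings; only the first and third samples are flagged."""
    return {h: audit_set_cookie(h, served_over_https) for h in headers}
```

The auditor deliberately does not require HttpOnly on cookies like "lang": the flag costs nothing, but the finding that matters is a script-readable session or CSRF token, and an auditor that reports every cookie trains people to ignore it.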
Dawid Czagan (@dawidczagan) has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter, BlackBerry and other companies. Due to the severity of many bugs, he received numerous awards for his findings.
Dawid is founder and CEO at Silesia Security Lab, which delivers specialized security auditing and training services. He also works as Security Architect at Future Processing.
Dawid shares his security bug hunting experience in his hands-on training "Hacking web applications - case studies of award-winning bugs in Google, Yahoo, Mozilla and more".
He delivered security trainings/workshops at Hack In The Box (Amsterdam), CanSecWest (Vancouver), DeepSec (Vienna), Hack In Paris (Paris) and for many private companies. He also spoke at Security Seminar Series (University of Cambridge) and published over 20 security articles (InfoSec Institute).
To find out about the latest in Dawid’s work, you are invited to visit his blog (https://silesiasecuritylab.com/blog) and follow him on Twitter (@dawidczagan).
A Death in Athens: The Inherent Vulnerability of “Lawful Intercept” Programs
Mr. Bamford will discuss the “Athens Affair,” the subject of a recent investigation by him in The Intercept. In 2004, the NSA and CIA worked secretly with the Greek government to subvert Vodafone and other telecom companies in order to conduct widespread eavesdropping during the 2004 Athens Summer Olympics. The NSA agreed, however, to remove the spyware once the games were over. But rather than remove it, they instead secretly turned it on the top members of the Greek government and members of the Greek public, including journalists. When the covert operation was accidentally discovered, however, a Vodafone engineer involved was found dead, either by suicide or murder, and the death was officially connected to the bugging operation. He will show how the operation was pulled off, by recruiting an inside person, then subverting the company’s “lawful intercept” program, and transferring the data back to NSA headquarters at Fort Meade. The episode demonstrates the enormous vulnerability of widespread “lawful intercept” programs, and government backdoors in general, and also how the NSA often uses a “bait and switch” in its operations, promising to help find terrorists but really spying on the host government and local population instead. This will be a PowerPoint presentation.
James Bamford is a columnist for Foreign Policy Magazine, a contributor to Wired magazine, a documentary producer for PBS, and a bestselling author. He is widely noted for his writing about the United States intelligence agencies, especially the highly secretive National Security Agency. The New York Times has called him "the nation's premier journalist on the subject of the National Security Agency." And in a lengthy profile, The New Yorker referred to him as "the NSA's chief chronicler." His most recent book, The Shadow Factory: The Ultra-Secret NSA From 9/11 to The Eavesdropping on America, became a New York Times bestseller and was named by The Washington Post as one of "The Best Books of the Year." It is the third in a trilogy by Mr. Bamford on the NSA, following The Puzzle Palace (1982) and Body of Secrets (2001), also New York Times bestsellers.
In September 2014 he wrote a cover story for Wired magazine based on his three days in Moscow with fugitive NSA whistleblower Edward Snowden, the longest any journalist has spent with him there. In addition, he has written for the New York Review of Books, New York Times Magazine, The Atlantic, Harper's, Rolling Stone, and many other publications. In 2006, he won the National Magazine Award for Reporting, the highest honor in the magazine industry, for his writing in Rolling Stone on the war in Iraq. He also writes and produces documentaries for PBS, including The Spy Factory, based on his most recent book, which was nominated for an Academy Award in 2010. His most recent documentary for PBS, Cyber War Threat, aired on October 14, 2015.
How to Break XML Encryption – Automatically
In recent years, XML Encryption became a target of several new attacks. These attacks belong to the family of adaptive chosen-ciphertext attacks, and allow an adversary to decrypt symmetric and asymmetric XML ciphertexts without knowing the secret keys. In order to protect XML Encryption implementations, the World Wide Web Consortium (W3C) published an updated version of the standard.
Unfortunately, most current XML Encryption implementations do not support the newest standard and offer different XML Security configurations to protect the confidentiality of exchanged messages. Because of the attack and specification complexity, evaluating the correctness of a security configuration becomes tedious and error-prone.
In this talk, we will first give an overview of Web Service specific attacks. Afterwards, we present attacks on XML Encryption and show how to evaluate the security of XML Encryption interfaces automatically. Our algorithm can detect a vulnerability and exploit it to retrieve the plaintext from an encrypted message. To assess the practicability of our approach, we implemented an open source attack plugin for the Web Service attacking tool WS-Attacker. With the plugin, we discovered new security problems in four out of five analyzed Web Service implementations, including IBM DataPower and Apache CXF.
Dr. Juraj Somorovsky finished his PhD in the area of XML Security in 2013. In his thesis "On the Insecurity of XML Security" he analyzes various cryptographic attacks on Web Services and presents practical countermeasures against these attacks, which were applied in XML Security specifications and in countless frameworks and applications. He has presented his work at many scientific and industry conferences, including USENIX Security and OWASP Germany. Currently, he works as a Postdoc at the Ruhr University Bochum, and as a security specialist for his co-founded company 3curity GmbH.
Yes, Now YOU Can Patch That Vulnerability Too!
Software vulnerabilities are likely the biggest problem of information security, fueling a rapidly growing market for “0days”, “1days” and exploits alike.
It can be highly intellectually challenging to find a vulnerability and create an exploit for it, and super entertaining to reveal it all to the bug-hungry crowds (preferably along with a logo and a catchy name, courtesy of the marketing department). As a result, there’s been a lot of innovation and progress on the offensive side of information security, and a corresponding defensive industry is thriving providing quasi-solutions that can be bypassed by any motivated attacker.
But almost nothing has changed at the core of the problem: software vendors still produce critical vulnerabilities, aren’t motivated to provide patches, and only a handful of them are capable of responding and delivering a security update when a 0day gets published. And then, when a vendor’s security update is available, it takes weeks or months before it gets applied throughout a corporate network as the risk of interrupting business processes requires testing and gradual deployment. (And do we need to mention that exploit kits tend to add exploits just a few days after official patches come out?)
Now, what if vendors didn't have a monopoly on patching their code because any vulnerability researcher could write a patch instead of (okay, in addition to) writing an exploit? And what if admins weren't afraid to apply the patches because patches could be applied instantly without relaunching applications or restarting the computer, and could also be instantly un-applied if they turned out to be causing problems?
The technology for this exists, and will allow vulnerability researchers to not only research a vulnerability but also fix it with just a few well-chosen machine code instructions – and monetize their hard work in an unquestionably ethical way.
In this session, we will take apart a known vulnerability, determine its root cause and create a micropatch for it, which will then get applied to the vulnerable application while the application is running. We’ll look at the tools needed for this and hopefully turn some of the exploit developers in the audience into patch creators.
Mitja Kolsek's last 15 years of infosec career comprise co-running a small security outfit which ran APT-like attack simulations before China was guilty of everything, using SQL injection before it had a name, and discovering vulnerability types which were previously unknown. In contrast to just finding and exploiting vulnerabilities, his next 15 years will be augmented by fixing them. Most of all he'd like to leave information security some day in a state where it'll be darn difficult to break into a typical network deploying standard and inexpensive security solutions.
File Format Fuzzing in Android - Giving a Stagefright to the Android Installer
The presentation focuses on revealing a fuzzing approach that can be used to uncover different types of vulnerabilities inside multiple core system components of the Android OS. The session will focus on exposing the general idea behind this approach and how it applies to several real-life targets from the Android OS, with examples of actual discovered vulnerabilities. These vulnerabilities affect critical components of the Android OS, and the audience will have the opportunity to learn about the way they were discovered and possible exploit scenarios. The most important targets covered in the talk are the Android APK installer and the Stagefright media framework.
Alexandru Blanda is a software security engineer in the Open Source Technology Center at Intel Corporation. He currently works on projects related to the overall security of the Android OS, mainly focusing on methods to improve the efficiency of fuzzing techniques inside this environment and discovering ways to uncover vulnerabilities inside different components of the operating system.
Bridging the Air-Gap: Data Exfiltration from Air-Gap Networks
Air-gapped networks are isolated, separated both logically and physically from public networks. Although the feasibility of invading such systems has been demonstrated in recent years, exfiltration of data from air-gapped networks is still a challenging task. In this talk we present GSMem, a malware that can exfiltrate data through an air-gap over cellular frequencies. Rogue software on an infected target computer modulates and transmits electromagnetic signals at cellular frequencies by invoking specific memory-related instructions and utilizing the multichannel memory architecture to amplify the transmission. Furthermore, we show that the transmitted signals can be received and demodulated by a rootkit placed in the baseband firmware of a nearby cellular phone. We present crucial design issues such as signal generation and reception, data modulation, and transmission detection. We implement a prototype of GSMem consisting of a transmitter and a receiver and evaluate its performance and limitations. Our current results demonstrate its efficacy and feasibility, achieving an effective transmission distance of 1-5.5 meters with a standard mobile phone. When using a dedicated, yet affordable hardware receiver, the effective distance reached over 30 meters.
Mordechai Guri is an accomplished computer scientist and security expert with over 20 years of practical research experience. He earned his B.Sc. and M.Sc., Summa Cum Laude, from the computer science department at the Hebrew University of Jerusalem. Guri is a lead researcher and lab manager at the Ben Gurion Cyber Security Research Center and has been awarded the prestigious IBM PhD International Fellowship (2015-2016). In the past few years Mordechai has led a number of breakthrough research projects in cyber-security, some of which have been published worldwide. His research topics include OS security, advanced malware, Moving Target Defense (MTD), mobile security and embedded systems. Mordechai is also the Chief Scientific Officer and Co-Founder of the Morphisec start-up company.
Yisroel Mirsky received his B.Sc. in Communication Systems Engineering from the Jerusalem College of Technology in 2013. He is now a Ph.D. student at Ben-Gurion University in the Department of Information Systems Engineering. He is doing his Ph.D. under the supervision of Prof. Bracha Shapira and Prof. Yuval Elovici. His research interests include smartphone security, context-aware data leakage prevention, and covert channels. He is currently managing a research project at the BGU Cyber Security Research Center.
Building a Better Honeypot Network
Honeypots and honeypot networks help security researchers to get a good look at different attacker techniques across a variety of systems. This information can be used to better protect our systems and networks, but it takes a lot of work to sift through the data.
Installing a network of honeypots to provide useful information should be an easy task, but there just isn't much to tie everything together in a useful manner.
In this presentation, I will demonstrate how I modify and use existing honeypot frameworks and applications with personal tools and techniques to process attack-related data, to automate analysis and create actionable intelligence.
All the code and instructions I use will be made available for others to work with.
Josh is a security analyst with OpenDNS. Previously, he worked as a threat analyst with NASA, where he was part of the team that initially helped build out the Security Operations Center. He has also done some time at Mandiant.
His professional interests involve network, computer and data security with a goal of maintaining and improving the security of as many systems and networks as possible.
Josh rides motorcycles, likes minimalist camping and makes dark electronic music.
Josh has presented at Defcon, various BSides across the US and Source Boston.
Cyber Cyber Cyber Warfare: Mistakes from the MoDs
This presentation will (try to) analyze the mistakes commonly made by MoDs while dealing with the so-called "Cyberwar". Cyberwar is not a terminology I agree with, since it's not regulated (could it ever be?). Instead, I prefer to speak about "Information Warfare" or "Information Offensive Operations".
During this presentation I will pass through cultural, practical, logistical and narrow-mindedness issues I've been able to observe in the last five years, while training various military units in different countries.
Raoul "Nobody" Chiesa was born in Torino, Italy. After being among the first Italian hackers back in the 80's and 90's (1986-1995), Raoul decided to move to professional InfoSec, establishing back in 1997 the very first vendor-neutral Italian security advisory company; he then left it in 2012, establishing "Security Brokers", a visionary joint stock company providing niche, cutting-edge security consulting services and solutions.
Raoul is among the founding members of CLUSIT (Italian Information Security Association, est. 2000) and he is a Board of Directors member at ISECOM, OWASP Italian Chapter, and at the Italian Privacy Observatory (AIP/OPSI); he has been one of the coordinators of the Working Group "Cyber World" at the Center for Defence Higher Studies (CASD) between 2010 and 2013 at the National Security Observatory (OSN) at Italy's MoD. He is a former member of the ENISA Permanent Stakeholders Group (2010-2012 and 2013-2015), an independent "Special Advisor on Cybercrime and Hacker's Profiling" at the UN agency UNICRI, and a Member of the Coordination Group and Scientific Committee of the APWG European chapter, the Anti-Phishing Working Group, acting as a "Cultural Attaché" for Italy. Since July 2015 he's a Board Member at AIIC, the Italian Experts Association on Critical Infrastructures.
Raoul publishes books and white papers in English and Italian as main author or contributor, is an internationally known and appreciated keynote speaker, and is a regular contact for international media (newspapers, TV and bloggers) when dealing with Information Security issues and IT security incidents.
Advanced SOHO Router Exploitation
In this talk we will look into how a series of 0-day vulnerabilities can be used to hack into tens of thousands of SOHO Routers. We will elaborate on the techniques that were used in this research to locate exploitable routers, discover 0day vulnerabilities and successfully exploit them on both the MIPS and ARM platforms.
The talk will cover the following topics:
- Dumping and analyzing router firmware from an ISP provided router.
- Tips and tricks for discovering vulnerabilities on the router
- Identification of vulnerabilities
- Explanation of how to write ARM / MIPS exploits
- ROP Gadgets used for writing ARM and MIPS Proof-Of-Concept
- Post exploitation concepts – creative use of exploits
Lyon Yang is a senior security consultant at Vantage Point Security with a research focus on embedded systems hacking and exploitation. He is from sunny Singapore, the world's first smart city. His regular discoveries of zero days in a variety of router models have earned him a reputation as the go-to guy for router hacking in Singapore, where he has been hired to do firmware source code reviews on popular router models. He is currently working on a comprehensive testing framework for ARM and MIPS based routers as well as shell code generation and post-exploitation techniques.
OSINT Barn Cat: Mining Malware for Intelligence at Scale
According to Virus Total, on January 4th, 2015 they received over 500,000 samples of potential malware per day. At times this has peaked to over 1,000,000. The sheer deluge of unique malware samples makes it difficult for incident responders to keep up and protect their networks.
Even more difficult is the task for investigators and law enforcement to keep up with the size and number of command-and-control networks and criminal operations.
OSINT Barn Cat was designed to help deal with this problem. This system analyzes incoming streams of malware to identify known malware and then strips out the configurations from them to produce near-time intelligence on known malware command-and-control hostnames and IP addresses.
The goal is to create automated surveillance tools that can monitor criminal infrastructure to make it easy for incident handlers to identify problems on their network, for security analysts to protect their networks and for law enforcement to have reliable near-time information for their operations.
This talk will discuss how the tool generates information and what the possibilities hold for this kind of analysis.
John Bambenek is a Sr. Threat Analyst with Fidelis Cybersecurity and an incident handler with the Internet Storm Center. He has been engaged in security for 15 years researching security threats. He is a published author of several articles, book chapters and one book. He has contributed to IT security courses and certification exams covering such subjects as penetration testing, reverse engineering malware, forensics, and network security. He has participated in many incident investigations spanning the globe. He speaks at conferences around the world and runs several private intelligence groups focusing on takedowns and disruption of criminal entities.
Chw00t: How To Break Out from Various Chroot Solutions
The chroot syscall is part of POSIX. All Unix systems have this syscall, so it is possible to create separated environments. Until this presentation there was no documentation/tutorial about the techniques how to create a reasonably "secure" chroot environment or how to break out from a misconfigured one. Now, with this presentation, I attempt to create a knowledge base for this topic. I've managed to collect 6 different techniques that are working fully on Linuxes (not all of them require root privs). Furthermore I wrote a tool that automates the breakouts and helps the user to get a shell outside of the chrooted environment. This tool is an open-source tool, already released. The tool supports only Linux at the moment, but will be improved until the conference.
Additionally I tested 7 Unix systems overall and compared my findings there.
I'm going to explain all of the techniques that are implemented in the tool, how they work and why and about the difference between operating systems.
Balazs Bucsay is an IT-Security expert and techie geek, mainly focusing on penetration testing. He has given multiple talks around the globe (Atlanta, London, Moscow, Budapest) on various advanced topics (mimikatz, PayPass, XSS worms, distributed password cracking) and released several tools and papers about the latest techniques. He has multiple certifications (OSCE, OSCP, OSWP, GIAC GPEN) related to penetration testing, exploit writing and other low-level topics, and degrees in Mathematics and Computer Science. Balazs thinks that sharing knowledge is one of the most important things, so he always shares his experience and knowledge with his colleagues and friends. Because of his passion for technology he starts the second shift right after work to do some research to find new vulnerabilities.
Deactivating Endpoint Protection Software in an Unauthorized Manner
Many endpoint protection products, such as antivirus or firewall software, offer password protection in order to restrict access to management functions to authorized users only, for example to deactivate protection features temporarily.
In this talk, it will be demonstrated how different popular, widely-used endpoint protection software products can be deactivated by low-privileged users or malware in an unauthorized manner.
Matthias has been interested in information technology - especially IT security - since his early days and has a great interest in seeing whether security assumptions in soft-, firm- or hardware hold true when taking a closer look. He has more than 8 years of professional experience in the field of information security and currently works as IT security consultant and leader of R&D for the IT security company SySS GmbH.
50 Shades of WAF - Exemplified at Barracuda & Sucuri
This talk will present 50 (25*2) bypasses of Barracuda and Sucuri's WAF default signatures that deal with Cross-Site Scripting (XSS). 150,000 organizations worldwide including Fortune 1000 companies are using Barracuda while around 10,000 web applications are behind Sucuri's cloud-based WAF. The XSS bypasses we will present in this talk are also applicable to other WAFs. All bypasses were responsibly reported to the vendors and most of them were fixed. Further, we will show XSS in Barracuda's admin interface and in their web application. Finally, we will present one unfixed bypass of Barracuda and Sucuri and will see how quickly vendors will react to fix it, given it will make thousands of sites vulnerable.
Ashar Javed is a web security researcher and pentester. His PhD thesis (under submission) from Ruhr University Bochum, Germany is about Cross-Site Scripting. He has been listed 11 times in Google's Security Hall of Fame, the Twitter/Microsoft/Ebay/Adobe/Etsy/AT&T Security Pages and the Facebook White Hat program. He has spoken at major security events such as Black Hat, Hack in the Box, OWASP Spain, RSA Europe (OWASP Seminar), SAP product security conference, ISACA Ireland and DeepSec.
Temet Nosce - Know thy Endpoint Through and Through; Processes to Data
Most organisations today accept that they have been compromised or will be compromised. To that end it is key to be able to gather the intelligence from all sides to take informed decisions on the next steps. The ability to understand the Hows, Whens and Whats can help to responsibly disclose but also to take future actions to better contain and prevent compromise.
By bringing back end point protection, using behaviour based techniques and real time or near real time local event correlation, as a keystone in security infrastructure, we start to answer questions like «how did it happen?» or «what did I lose?». This presentation will demonstrate that one of the most complete sources of actionable intelligence resides at the end point, and that living as close as possible to Ring 0 makes it possible to see how a malicious process or party is acting and the information being touched.
A key step to moving forward and bringing better protection to the infrastructure is to move away from the traditional mechanism and bring forward behavioral detection through the real time or near real time identification and aggregation of the individual events happening on the host; identifying the malicious activities and blocking them.
This talk looks at how introducing endpoint protection can answer some of the most pertinent questions in the incident response process: When was I compromised? How did it happen? How to detect the next malicious agent or APT? And importantly what was ex-filtrated and how sensitive is it?
Using a simple tool like procmon, we will demonstrate that one of the most complete sources of actionable intelligence resides at the end point, and that living as close as possible to Ring 0 makes it possible to see how a malicious process or party is acting as well as the information being touched: by building a map of the events that the attackers or malware undertake and, with this visibility, introducing a mechanism to detect, log and block the activity where it counts – at the endpoint.
This presentation is targeted for forensics, incident response teams and IT security management who want a better understanding and control of what is going on at the end point.
With over 20 years of experience, Thomas has a unique view on security in the enterprise, with experience in multiple domains from policy and risk management, secure development and incident response and forensics. Thomas has held roles varying from security architect in large companies to consultant for both industry vendors and consulting organizations. Thomas currently plays a lead role in malicious activity and threat analysis for Digital Guardian.
Cryptography Tools, Identity Vectors for "Djihadists"
Cryptography, social networks - today the use of online tools also serves to protect the communications of terrorists and to affirm their membership in terrorist organisations. The Internet is the method of choice for communication: the number of sites calling for a "jihad" rose from 28 in 1997 to over 5,000 in 2005. The basic use of these sites for the purpose of basic classical communication began in the 2000s. It was replaced by that of social networks, allowing almost instant mass communication.
Studies of the Middle East Media Research Institute (MEMRI) show that Al-Qaeda has used encryption tools for a long time: "Since 2007, Al Qaeda's use of encryption technology has been based on the platform Mujahideen Secrets, which has incorporated the support for mobile, instant messaging, and Macs." Encrypting communications was only done for emails and within the "Mujahideen Secrets" platform itself.
However the year 2013 was a turning point in the spread of encryption: instant messaging in February with Pidgin, SMS in September with Twofish encryption, AES encrypted texts on web sites in December. Edward Snowden's revelations, which began in June 2013, are not the starting point of the "cryptodjihad" but seem to have acted as an accelerator.
MEMRI's researchers demonstrated the use of public cryptographic tools stemming from the family of Free Software: the Pidgin instant messaging tool, similar to MSN, allows the terrorist movement Asrar al Dardashan to encrypt their communications with OTR (Off-the-Record).
By analyzing the adoption of new tools and the use of Free Software, we see that the focus is on cryptography for mobile tools.
As a cybersecurity consultant, Julie has spent three years in the Arab world (Egypt, Syria, Sudan, Lyban, Tunisia ...). For several years she's been studying the jihadist movement and the rise of anonymization and encryption techniques in the Middle East. Author of a book about the revolutions in several of these countries, "There were once revolutions" (Ed. The Seagull, 2012), she now works in particular on studying international conflicts on the Internet.
The German Data Privacy Laws and IT Security
Hesse introduced the first data privacy law in the world in 1970. Since then, the German data privacy laws have evolved over time and led to the creation of several tools and methods to protect private data.
Though it is aimed at data protection, it can be utilized for IT security. This talk introduces the data privacy law and its main ideas.
I will also show how it can be used to further IT security especially in the SME sector. This mostly refers to the identification and description of processes that work with data and therefore have to be protected.
Stefan Schumacher is the president of the Magdeburg Institute for Security Research and editor of the Magdeburg Journal for Security Research in Magdeburg/Germany. He started his hacking career before the fall of the Berlin Wall, on a small East German computer with 1.75 MHz and a Datasette drive.
Ever since, he has liked to explore technical and social systems, with a focus on security and how to exploit them. He was a NetBSD developer for some years and involved in several other Open Source projects and events. He studied Educational Science and Psychology, and has done a lot of unique research about the Psychology of Security with a focus on Social Engineering, User Training and Didactics of Security/Cryptography. Currently he's leading the research project Psychology of Security, focusing on fundamental qualitative and quantitative research about the perception and construction of security.
He presents the research results regularly at international conferences like AusCert Australia, Chaos Communication Congress, Chaos Communication Camp, DeepSec Vienna, DeepIntel Salzburg, Positive Hack Days Moscow or LinuxDays Luxembourg and in security related journals and books.
illusoryTLS: Nobody But Us. Impersonate, Tamper and Exploit
Cryptographic backdoors are a timely topic often debated as a government matter to legislate on. At the same time, they define a space that some entities might have practically explored for intelligence purposes, regardless of the policy framework.
The Web Public Key Infrastructure (PKI) we daily rely on provides an appealing target for attack. The entire X.509 PKI security architecture falls apart if a single CA certificate with a secretly embedded backdoor enters the certificate store of trusting parties. Do we have sufficient assurance that this has not happened already?
We researched this scenario from both an experimental and a speculative point of view. From the experimental standpoint, we submitted an entry to the first Underhanded Crypto Contest, aimed at making a technical point. Aptly named illusoryTLS, the entry is an instance of the Young and Yung elliptic curve asymmetric backdoor in the RSA key generation. The backdoor targets a Certification Authority public-key certificate, imported in the certificate store of a pretty standard HTTPS client and TLS server. The security outcome is the worst possible outcome, because the backdoor completely perverts the security guarantees provided by the TLS protocol, allowing the attacker to impersonate the endpoints (i.e., authentication failure), tamper with their messages (i.e., integrity erosion), and actively eavesdrop on their communications (i.e., confidentiality loss).
The illusoryTLS backdoor has some noteworthy properties:
1. NOBUS (Nobody But Us): The exploitation requires access to resources not embedded in the backdoor itself. In this case the secret resource is an elliptic-curve private key.
2. Indistinguishability: As long as a computational hardness assumption called Elliptic-Curve Decisional Diffie-Hellman (ECDDH) holds, the illusoryTLS backdoored key pairs appear to all probabilistic polynomial time algorithms like genuine RSA key pairs. Therefore black-box access to the key-generator does not allow detection.
3. Forward Secrecy: If a reverse-engineer breaches the key-generator the previously stolen information remains confidential (secure against reverse-engineering).
4. Reusability: The backdoor can be used multiple times and against multiple targets.
In the Internet X.509 PKI the security impact of such a backdoor would extend further; the presence of a single CA certificate with a secretly embedded backdoor in the certificate store renders the entire TLS security illusory. In fact, the current practice of universal implicit cross-certification makes the whole X.509 PKI as weak as its weakest link.
Therefore, when dealing with this class of attacks in the context of X.509 PKIs, it might not be sufficient to avoid outsourcing the key generation; one also needs assurance about the security of each implementation of vulnerable key-generation algorithms employed by trusted credential issuers.
At this time, Mac OS X Yosemite has 211 CA certificates installed. A similar number of certificates is present in the Firefox, Google Chrome, and Microsoft Windows certificate stores. Do we have sufficient assurance about the tens or hundreds of CA certificates we daily entrust our business to?
We reviewed the key-generation security requirements set forth in the most relevant protection profiles in the Common Criteria certification processes and demanded by industry organizations and associations (i.e., CA/Browser Forum), and answer in the negative.
The conclusion is that, as long as the implementation of algorithms adopted by trusted entities (e.g., CAs) vulnerable to this class of backdoors cannot be audited by relying parties, the assurance provided by illusoryTLS (i.e., none whatsoever) is not any different from the assurance provided by systems relying upon TLS and the Web PKI for origin authentication, confidentiality, and message integrity guarantees.
Alfonso De Gregorio is a security technologist, founder of BeeWise, the first cyber security prediction market, and Principal Consultant at secYOUre. He started his career in information security in the late 1990s. Since then he never stopped contributing his little share to the discussion and practice of security engineering. Among the positions held, he served as Chief Security Architect at an HSM vendor, Expert for the European Commission and Visiting Scholar at the Computer Security and Industrial Cryptography (COSIC) research group, K.U. Leuven. In his career as a public speaker, Alfonso addressed a wide range of audiences across the globe, including industry executives, academics, security practitioners, and hackers, speaking about security economics, software security, intelligence support systems, cryptography engineering and cryptographic backdooring. Alfonso researches solutions for building cybersecurity incentives, tweets @secYOUre, and generally does not speak of himself in the third person.
Have We Penetrated Yet??
Penetration testing is a subject that seems to have been discussed thoroughly: how to test, what tools to use and who is doing the testing.
But how do we connect all of the real issues around pen testing?
And how should we create a successful process that truly makes sure that the right parts of our business are safely and securely tested?
I have been involved with the pen testing business for the better half of the last decade.
The target of this talk is to help security professionals to get an understanding of various approaches that are currently implemented around the world within leading companies, of how they test their business (and not their systems) and what process and controls they have in place to make sure they are on the right path to success.
We will discuss the common mistakes of security professionals when they approach penetration testing, and try to debunk some common myths around the business behind this practice.
This talk is aimed at security professionals that are a part of IT security operations and governance teams, but the benefits of the insights will assist client servicing professionals just as well.
I'll talk about some of the leading practices I have been exposed to and of some of the process and controls that the team I work with have been able to implement with some of the world’s largest and successful companies (or as we call them, “our clients”).
This talk will provide you with an overall understanding of why tests not always succeed - not because of a lack of a professional knowledge, but because of an unwelcome surprise, a root cause you didn’t think about…
We will review the world of pen testing from a global perspective; where do we find the best infrastructure testers, application testers, or reverse engineers? and why do we find them all in different geographic regions, scattered around the globe?
We will review how a cyber-security team can communicate their findings to the company’s management in a non-technical manner, and how pen testing can help you to get more budget and recognition within the organization.
Another aspect we'll talk about is what you can test, within your organization.
Or in other words, how to focus on testing the right issues, and, more importantly, how not to focus on the wrong ones. There is only one thing better than learning how to do something, and that is how not to do it.
Another corner stone of this talk is automation. The technology is already available, and leading organizations, with adequate planning, have been using it correctly to automate all that can be automated. But there are still some processes which they don't automate. Some things are still considered to be tasks no computing power is able to deal with.
This talk is in no way a sales talk. Besides the “EY” logo on the slide deck template I will not try to promote our business, I give this talk with the full intention of sharing the insights I have from seeing a wide range of pen testing processes with the clients I have worked for.
Johnny Deutsch is a Senior Manager in the Advanced Security Center part of the Advisory Services practice of Ernst & Young LLP.
This cutting-edge security team is dedicated to implementing advanced defense techniques to counter today's growing forces in the global cyber arena for EY's clients.
In his experience, Johnny has delivered the following services:
• Cyber Threat Intelligence Services - providing in-depth insights on the latest threats in the world of cyber crime.
• Cyber Simulation Testing - managed and performed cyber penetration tests aimed at simulating real-world cyber attack scenarios, combining a wide range of operational needs in various domains, such as application security, infrastructure and embedded devices.
• Cyber Risk Assessment - surveyed and assessed the validity of cyber security risks within complex environments, such as critical infrastructure or high-availability oriented environments.
• Cyber Strategy Planning - worked with the organization to characterize and prepare for relevant threats from the cyber arena.
Johnny Deutsch's experience comes from the intelligence community, in which he has performed numerous cyber security roles over an extended period of time.
Johnny has been a speaker at several international cyber security conferences, such as Troopers, DeepINTEL, Toorcon and GrrCon.
Prior to Johnny's employment at EY, he was a consultant at the Israeli Ministry of Defense (MoD) and managed large scale projects in the field of cyber security.
A Case Study on the Security of Application Whitelisting
Application whitelisting is a concept which can be used to further harden critical systems such as server systems in SCADA environments or client systems with high security requirements like administrative workstations. It works by whitelisting all software installed on a system and then preventing the execution of any software that is not whitelisted. This should prevent the execution of malware and therefore protect against advanced persistent threat (APT) attacks. In this talk we discuss the general security of such a concept and which holes are still open to attacks. After that, we focus on a product which can be used for application whitelisting to see the bypasses in practice. This will include different techniques to bypass application whitelisting to achieve code execution, to bypass read and write protections, as well as a discussion of user account control (UAC) bypasses on such protected systems. Moreover, the security of the memory corruption protections will be discussed. At the end, some product-related design flaws and vulnerabilities will be presented.
René Freingruber has been working as a professional security consultant for SEC Consult for several years. He conducts research in the fields of malware analysis, reverse engineering and exploit development. He also studies modern mitigation techniques and how they can be bypassed by attackers. In the course of that research he came across Microsoft's Enhanced Mitigation Experience Toolkit and gave various talks about its (in)security at conferences such as RuxCon, ToorCon, ZeroNights, IT-Secx, DeepSec, 31C3 and NorthSec.
Continuous Intrusion: Why CI Tools Are an Attacker's Best Friends
Continuous Integration (CI) tools provide excellent attack surfaces due to no/poor security controls, the distributed build management capability and the level of access/privileges in an enterprise.
This talk looks at the CI tools from an attacker’s perspective, using them as portals to get a foothold and for lateral movement. We will show how to execute attacks like command and script execution, credentials stealing and privilege escalation; how to not only compromise the build process but the underlying Operating System and even entire Windows domains. No memory corruption bugs will be exploited and only the features of the CI tools will be used.
Popular CI tools, open source as well as proprietary, will be the targets. The talk will be full of live demonstrations.
Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His areas of interest include penetration testing, attack research, defence strategies and post-exploitation research. He has 6+ years of experience in penetration testing for his clients, including many global corporate giants. He is also a member of the red teams of selected clients.
He specializes in assessing security risks in secure environments which require novel attack vectors and an "out of the box" approach. He has worked extensively on using Human Interface Devices in penetration tests and PowerShell for post-exploitation. He is the creator of Kautilya, a toolkit which makes it easy to use Teensy in penetration tests, and Nishang, a post-exploitation framework in PowerShell. In his spare time, Nikhil researches new attack methodologies and updates his tools and frameworks.
Nikhil has held trainings and boot camps for various corporate clients (in US, Europe and SE Asia), and at the world’s top information security conferences.
He has spoken at conferences like Defcon, BlackHat USA, BlackHat Europe, RSA China, Troopers, DeepSec, PHDays, BlackHat Abu Dhabi, Hackfest, ClubHack, EuSecWest and more.
He blogs at http://www.labofapenetrationtester.com/
Cryptographic Enforcement of Segregation of Duty within Work-Flows
Workflows with Segregation-of-Duty requirements or involving multiple parties with non-aligned interests (typically mutually distrustful) pose interesting challenges in often neglected security dimensions.
Cryptographic approaches are presented to technically enforce strict auditability, traceability and multi-party-authorized access control and thus also enable exoneration from allegations.
These ideas are illustrated by challenging examples - constructing various checks and balances for telecommunications data retention, a vividly discussed and widely known issue.
Thomas Maus holds a graduate degree in computer science.
He has been consulting in the areas of system security, the analysis, tuning and prognosis of system performance, as well as the management of large, heterogeneous, mission-critical installations since 1993.
Projects range from architecture, implementation and operation of large application clusters, over technical project management, organisational and technical troubleshooting, security assessments, establishing security governance processes, security policies and analysis for trading rooms and the like, to training of international police special forces in combatting cyber-crime.
He started his computing career in 1979, at the age of sixteen, when he won the computing equipment for his school in a state-wide competition.
Soon after followed the team development of comprehensive software for school administration on behalf of the federal state; here a long-lasting affection for questions of system security, performance and architecture started.
Around 1984 he fell in love with UNIX systems and IP stacks and embraced the idea of Free Software.
DDoS: Barbarians at the Gate(way)
This talk will examine the tools, methods and data behind the DDoS attacks that are prevalent in the news headlines.
Using collected information, the presentation will demonstrate what the attackers are using to cause their mischief & mayhem, and examine the timeline and progression of attackers as they move from the historical page defacers to the motivated DDoS attacker.
We will look at their motivations and rationale and try to give you some sort of understanding of what patterns to be aware of for your own protection.
Dave has almost two decades of industry experience. Currently, he works as a Global Security Advocate for Akamai Technologies.
He is the founder of the security site Liquidmatrix Security Digest and co-host of the Liquidmatrix podcast. Dave also serves on the (ISC)2 Board of Directors and writes a column for CSO Online and Forbes.
Prior to his present position, Dave worked in finance, healthcare, entertainment, manufacturing and critical infrastructure verticals. He has worked for a defense contractor as a security consultant for clients such as the FBI, US Navy, Social Security Administration, US Postal Service and the US Department of Defense, to name a few.
When not at work Dave can be found spending time with his family, playing bass guitar and polishing his “brick of enlightenment”.
Legal Responses Against Cyber Incidents
Despite current efforts to adapt existing legal instruments to regulate hostile activities in cyber space, there is uncertainty about the legal situation of actors affected by these actions. Part of this uncertainty is due to the fact that the cyber domain is technically complex; there is a strong need for collaboration between technical and legal subject matter experts, collaboration which is difficult to achieve. This talk summarizes the current legal status of Cyber Attacks. It defines a taxonomy of possible cyber-incidents, and analyses the predictable consequences of each type of cyber-incident with the purpose of mapping cyber-incidents to different legal frameworks.
Oscar Serrano has worked as a scientist and consultant for major international organizations such as the Austrian Research Centres, Siemens or Eurojust for the last 15 years. In his role as Senior Scientist in Cyber Defence, he currently advises a major international military organization on cyber security policy and risk management. He is the author of several research papers and part of the program committee of the ACM Workshop on Information Sharing and Collaborative Security. His research interests include threat information management, cyber law and the detection of advanced persistent threats.
Revisiting SOHO Router Attacks
Domestic routers have lately been targeted by cybercrime due to the huge number of well-known vulnerabilities which compromise their security. The purpose of this paper is to appraise SOHO router security by auditing a sample of these devices and to research innovative attack vectors. More than 60 previously undisclosed security vulnerabilities have been discovered across 22 popular home routers, meaning that manufacturers and Internet Service Providers still have much work to do on securing these devices. A wide variety of attacks could be carried out by exploiting the different types of vulnerabilities discovered during this research.
Outline of the talk:
1. Introduction. Brief explanation about the main goals of our research.
2. State of the art. Current progress in router security, including: previous investigations, cybercrime exploitation and manufacturers’ response to previously disclosed vulnerabilities.
3. Common security problems.
a. Routers provide too many pointless services, which greatly increase the attack surface.
b. Routers still make use of default public credentials, which eases attacks.
4. Security flaws. Main part of the presentation in which the discovered security problems are explained, including the following live demos:
a. DNS Hijacking exploiting a Cross Site Request Forgery vulnerability.
b. Infecting a browser by exploiting an unauthenticated XSS vulnerability through a DHCP Request PDU.
c. Bypassing authentication in order to download the whole router filesystem (including passwd and configuration files) by exploiting an SMB misconfiguration vulnerability.
d. Causing a persistent DoS / restoring router to default settings without requiring any authentication process.
5. Developed tools
6. Mitigations. Security advice for both customers and manufacturers.
7. Results. Graphical explanation of the audit report.
8. Conclusion. Has SOHO router security improved over the last couple of years?
José Antonio Rodríguez García was born in Salamanca, Spain. He received his BSc degree in computer engineering from Universidad de Salamanca and his MSc degree in ICT security from Universidad Europea de Madrid. Mr. Rodríguez is an independent researcher who has developed expertise in computer hardware and performance benchmarking. He has published several articles and his own hardware monitoring tool, which gained great acceptance in the enthusiast community.
Iván Sanz de Castro was born in Madrid, Spain. He received his BSc degree in telecommunications engineering from Universidad de Alcalá and his MSc degree in ICT security from Universidad Europea de Madrid. Mr. Sanz has taken part in several security projects for multinational enterprises in recent years. He is currently working in the Ethical Hacking department of a Spanish security company.
Álvaro Folgado Rueda was born in Seville, Spain. He received his BSc degree in computer engineering from Universidad de Sevilla and his MSc degree in ICT security from Universidad Europea de Madrid. Mr. Folgado is an independent researcher focusing on ethical hacking and vulnerability research.
Extending a Legacy Platform Providing a Minimalistic, Secure Single-Sign-On-Library
Despite decades of security research and authentication standards, there is still a vast number of systems with custom solutions and embedded user databases. Such systems are typically hard to integrate securely with others. We analysed an existing system of an organisation with approximately 12.000 sensitive user data sets and uncovered severe vulnerabilities in their approach. We developed a minimal, secure Single-Sign-On solution and demonstrated the feasibility of implementing both a minimal Identity Provider and a minimal Service Provider with only a few lines of code. We provided a simple blueprint for an Identity Provider and an easy-to-use Service Provider library. Therefore, this organisation is now able to integrate arbitrary web-based systems. Moreover, others can follow the proposed approach and tailor similar solutions at low cost.
Bernhard Göschlberger studied Software Engineering at the faculty of Informatics, Communication and Media of the University of Applied Sciences Upper Austria (Campus Hagenberg) and Legal and Business Aspects in Technics at the Johannes Kepler University Linz.
He is currently a PhD student in Computer Science at the institute of Telecooperation at the Johannes Kepler University Linz.
Since 2011 he has been working for the Research Studios Austria FG as a researcher in the field of technology enhanced learning.
Sebastian Göttfert studied Business Informatics at the Johannes Kepler University Linz and deepened his knowledge in network technologies at the Oxford Brookes University.
Currently, he is writing his Master's thesis in Computer Science at the Institute of Telecooperation at the Johannes Kepler University Linz.
Visualizing Wi-Fi Packets the Hacker's Way
Today, visualizing Wi-Fi traffic is more or less limited to console windows and analyzing the various logs from the aircrack-ng toolset. There are some commercial tools, but if we want to stay in the Open Source area we need to find better solutions. So we used the ELK stack to gather, hold, index and visualize data, and a modified version of the airodump tool for input. With this you can create amazing dashboards, correlate interesting data and do some deep digging into Wi-Fi packets. It gives hackers and also administrators a quick view into Wi-Fi space and offers a range of new possibilities to get interesting data really fast.
One half of the talk will be dedicated to a presentation of how this can be done, telling you about some issues that we had and solutions to them, while the rest of the talk will be demonstrating the true power of our research.
Milan Gabor is a Founder and CEO of Viris, a Slovenian company specialized in information security. He is a security professional, pen-tester and researcher. Milan is a distinguished and popular speaker on information security. He has previously been invited to speak at various events and IT conferences in Slovenia and the rest of the world. He also gives ethical hacking trainings. He is always on the hunt for new and undiscovered things, and he really loves and enjoys his job and dreams about parachute jumping.
ZigBee Smart Homes - A Hacker's Open House
ZigBee is one of the most widespread communication standards used in the Internet of Things and especially in the area of smart homes. If you have, for example, a smart light bulb at home, the chance is very high that you are actually using ZigBee yourself. Popular lighting applications such as Philips Hue or Osram Lightify and also popular smart home systems such as SmartThings or Google's OnHub are based on ZigBee. New IoT devices often have very limited processing and energy resources. Therefore they are not capable of implementing well-known communication standards like Wi-Fi. ZigBee is an open, publicly available alternative that enables wireless communication for such limited devices.
ZigBee also provides security services for key establishment, key transport, frame protection and device management that are based on established cryptographic algorithms. So is a ZigBee home automation network with security applied secure, and is the smart home communication protected?
No, definitely not. Due to "requirements" on interoperability and compatibility as well as the application of ancient security concepts, it is possible to compromise ZigBee networks and take over control of all included devices. For example, it is easily possible for an external party to get control over every smart light bulb that supports the ZigBee Light Link profile. Also, the initial key transport is done in an unsecured way. It is even required by the standard to support this weak key transport. On top of that, another vulnerability allows third parties to request secret key material without any authentication and therefore take over the whole network as well as all connected ZigBee devices. Together with shortfalls and limitations in security caused by the manufacturers themselves, the risk to this last-tier communication standard can be considered highly critical.
This talk will provide an overview of the security measures currently applied in ZigBee, highlight the included weaknesses and also show practical exploitation of actual product vulnerabilities. For this purpose, new features in the ZigBee security testing tool SecBee will be demonstrated and made publicly available.
Tobias Zillner works as Senior IS Auditor at Cognosec in Vienna. He conducts information systems audits in order to assess compliance with relevant internal and external requirements and to provide a customer's management with an independent opinion regarding the effectiveness and efficiency of IT systems. Furthermore, Tobias evaluates and assures the security of information technology by performing web application and web service penetration tests, source code analysis as well as network and infrastructure penetration tests. He has a Bachelor's degree in Computer and Media Security, a Master's degree in IT Security and a Master's degree in Information Systems Management. Tobias's expertise also extends to the IT Governance, Risk and Compliance domains. He has spoken at well-known international security conferences such as Black Hat or Defcon and also holds a wide range of certifications, like CISSP, CISA, QSA, CEH, ITIL or COBIT.
Remote Browser-Based Fingerprinting of Local Network Devices
In this talk we discuss remote device fingerprinting techniques for SOHO routers and other network-connected devices offering a browser-based configuration interface. While consumer network devices provided to customers by their ISPs are typically based on very few different hardware platforms, they are equipped with highly customized firmware and thus contain different vulnerabilities. Knowledge of a specific device's vulnerabilities is vital to the success of a remote attack. In a live demo we show how a remote attacker can exploit the feature-richness of modern web technologies (HTML5, WebRTC, JavaScript, CSS) to perform device discovery and fine-grained device fingerprinting in a local network through a web browser in preparation for a targeted attack.
Manfred Kaiser is Junior Researcher at the Institute of IT Security located at the FH St. Pölten. He works in the Josef Ressel Center for Unified Threat Intelligence on Targeted Attacks (TARGET). The mission of the center is to explore novel techniques for threat intelligence on targeted attacks on different levels.
His professional interests involve web application security, biometry and mobile device security.
Not so Smart: On Smart TV Apps
One of the main characteristics of Smart TVs is apps. Apps extend the Smart TV's menu with various functionalities, ranging from the use of social networks or paid streaming services to buying articles on Ebay. These actions demand the use of critical data like authentication tokens and passwords, and thus raise the question of new attack scenarios and the general security of Smart TV apps.
We investigate attack models for Smart TVs and their apps, and systematically analyze the security of Smart TV devices. We point out that some popular apps, including Facebook, Ebay or Watchever, send login data over unencrypted channels. Even worse, we show that an arbitrary app installed on devices of the market share leader Samsung can gain access to the credentials of a Samsung Single Sign-On account. Therefore, such an app can hijack a complete user account, including all the user's devices, like smartphones and tablets, connected with it. Based on our findings, we provide recommendations of general importance that are applicable to areas beyond Smart TVs.
Marcus Niemietz is a co-founder of 3curity and a security researcher at the Ruhr-University Bochum in Germany. He focuses on web security topics like HTML5 and especially UI redressing. Marcus published a book about UI redressing and clickjacking for security experts and web developers in 2012. Besides that, he works as a security consultant and gives security trainings for well-known companies. Marcus has spoken at a large variety of international conferences.
IntelMQ
IntelMQ is a solution for collecting and processing security feeds, pastebins, and tweets using a message queue protocol. It's a community driven initiative called IHAP (Incident Handling Automation Project) which was conceptually designed by European CERTs during several InfoSec events. Its main goal is to give incident responders an easy way to collect & process threat intelligence thus improving the incident handling processes of CERTs.
L. Aaron Kaplan studied math and computer science in Vienna, Austria. Kaplan has been a Unix user and programmer since 4.3BSD-Lite / FreeBSD 1.0. He has been working for major telecoms, IBM, ESA, banks and critical infrastructure industries, mostly doing Unix consulting/programming, since 1997. Since 2008 he has worked for the Austrian domain registry (".AT"), where he is part of the team responsible for running the national CERT, CERT.at. There he focuses on incident handling automation on a country-wide scale. He has been on the board of directors of FIRST.org since 2014.
Measuring the Tor Network
Tor is an anonymisation network and by design doesn't know anything about its users. However, the question about the structure of the user base often arises. Some people are just interested in the size of the network while others want details about the diversity of its users and relays. Furthermore, Tor is used as a circumvention tool. It is interesting to automatically detect censorship events and to see how the number of users changes in those countries.
Tor's measurement team tries to answer those (and more) questions.
The talk explains the collection of different data and how measurement is done inside the network. I'll talk about some of the challenges the measurement team has faced and what results it delivers. Tor currently has more than 30 different measurement tools. The talk will introduce you to some of them and show what you can do to profit from them.
Jens Kubieziel is a mathematician and works as a data protection officer and in the field of IT security. Besides that he is a member of TorServers.net and runs several exit relays and bridges.
HackingTeam - How They Infected Your Android Device By 0days
There is no need for a long introduction when speaking about the famous Remote Control System (RCS), the product of the Italian company Hacking Team. The huge amount (400 GB) of leaked data gives rise to lengthy discussion and is extremely concerning for everyone who is professionally, politically or even only superficially interested.
This presentation has three parts: The first is a quick introduction, what the concept and the environment look like (Exploit Delivery Network - Android, Fake App Store...), how the malware was delivered to the targets; and how the infected devices were controlled through the proxy chain.
The second is a detailed analysis of the exploits which were used to infect Android devices. We will give a step-by-step description of the installation (infection) process. Hacking Team has many 0day exploits to install the application and to elevate privileges on those devices. These exploits will also be presented.
The third part is a collection of the interesting techniques that were used to keep the application as silent and undetectable as possible (VM and Cuckoo evasion, Anti-Virus detection project… etc.).
Attila Marosi has been working in the information security field ever since he started in IT. As a lieutenant on active duty he worked for almost a decade on special information security tasks within the Special Service for National Security. Later he was transferred to the newly established GovCERT-Hungary, which is an additional national level in the internationally known system of CERT offices. Now he works for SophosLabs as a Senior Threat Researcher in the Emerging Threats Team, providing novel solutions for the newest threats.
Attila holds several international certificates such as CEH, ECSA, OSCP and OSCE. During his free time he gives lectures and does some teaching at different levels, the highest of which is for white hat hackers. He has presented at many security conferences including hack.lu, DeepSEC, AusCERT, Hacktivity, Troopers, HackerHalted and NullCon.
Agile Security: The Good, The Bad, and mostly the Ugly
Buzzwords about Agile are flying around at overwhelming speed; talks about Scrum, Kanban, XP and other methodologies and practices are thoroughly discussed, while security is still left as a 'high level' talk or, sometimes, as an exercise in adapting from traditional development methodologies. Some best practices will leave you scratching your head, unsure what the original intention was and without understanding how to implement security in Agile effectively.
This talk will help security engineers, developers and product owners understand both technical and operational security in Agile. Removing bottlenecks from security processes, eliminating security risks hidden inside Agile methods, increasing the visibility of security tasks, and performing the traditional security duties at a faster, more efficient pace: all of this will be covered in the talk, preventing possible fails and unexpected faults in your SDLC.
Daniel Liber is the R&D security leader at CyberArk, a leading company in securing enterprises against cyber attacks that take cover behind insider privileges and attack critical enterprise assets. Previously he worked as an application security consultant for Comsec Consulting, working with customers from industries such as banking, finance, telecom and government offices. Daniel also served as a principal security team leader at Bank Leumi (Israel), focusing on building secure mobile and web applications. Aside from lecturing at OWASP conferences and providing security training sessions on various topics, Daniel is enthusiastic about security communities, exchanging ideas for research and promoting security, step by step.
HORNET: High-speed Onion Routing at the Network Layer
We present HORNET, a system that enables high-speed end-to-end anonymous channels by leveraging next-generation network architectures. HORNET is designed as a low-latency onion routing system that operates at the network layer, thus enabling a wide range of applications. Our system uses only symmetric cryptography for data forwarding yet requires no per-flow state on intermediate nodes. This design enables HORNET nodes to process anonymous traffic at over 93 Gb/s. HORNET can also scale as required, adding minimal processing overhead per additional anonymous channel. We discuss design and implementation details, as well as a performance and security evaluation.
Chen Chen is a fifth-year Ph.D. student at Carnegie Mellon University. He obtained his B.E. and B.S. degrees from the Department of Automation and the Department of Applied Math at Tsinghua University. He obtained his M.S. degree from the Department of Electrical and Computer Engineering. He now works with Professor Adrian Perrig at ETH Zurich. His research interests include trusted computing, virtualization, anonymity, and future Internet architectures.