Speakers (preliminary) - DeepSec IDSC 2017 Europe

Advanced Penetration Testing In The Real World (closed)

Guillaume Lopes (Cisco) / Davy Douhine (RandoriSec)

A 2 days 100% “hands-on” workshop.

Main topics:

  •  Buffer overflow 101: Find and exploit buffer overflows yourself and bypass OS protections (because a lot of pentesters don’t even know how it works under the hood);
  •  Web exploitation: Manually find and exploit web app vulnerabilities using Burpsuite (Yes, running WebInspect, AppScan, Acunetix or Netsparker is fine but you can do a lot more by hand);
  • Network exploitation: Manually exploit network related vulnerabilities using Scapy, ethercap and Responder (Because it works so often when doing internal pentests);
  • Passwords: Optimize the way you attack offline and online passwords (0day is fun but the way guys come in most of the time is simply by using login/passwords);
  • iOS/Android app hacking: Find and exploit mobile app vulnerabilities using Needle, Frida, Cycript and Hopper (Companies move their apps in the cloud and in the mobile world so pentesters have to evolve … or die) ;

Founder of RandoriSec, a security focused IT firm, Davy Douhine is working in the ITSec field since almost fifteen years. He has mainly worked for financial, banks and defense key accounts doing pentests and trainings to help them to improve their security.

Guillaume Lopes is working in the pentest field for about 10 years.
He has written many ITSec articles and has attended many security conferences.

How To Be A Ghost

Rhett Greenhagen and Jean Yav (McAfee)

In the security community, most threat researchers are conducting research in an insecure and time-consuming environment. Whether intelligence is gathered from private communications over an IRC server or postings on an underground forum, researchers must be able to identify, document, and disseminate their findings quickly and without compromise. Having a secure and monitored enterprise covert communications framework in place will allow your researchers to focus on producing finished intelligence. In this workshop, we will discuss everything from creating/securing system architecture to developing methods for automation, all while staying protected.
The speakers will begin by detailing virtual server presence and configurations for virtual machines. The systems will be setup properly with tools and services commonly required by researchers. Network communications and anonymization techniques will also be covered in depth. This includes best practices for buying online services with Bitcoin and cash, the caretaking and sharing of online personas, and demonstrations on how actions done on a website, IRC server, forum, or gaming chat room can be tracked back to the researcher. Counter-log activities, the integration of mobile/social platforms, and legal implications/nuances will also be discussed.
The Advanced Programs Group within McAfee has experience in conducting sensitive and timely investigations in an enterprise environment. APG’s lessons learned in creating and maintaining these systems can assist research teams of any size in their endeavor to be more secure and deliver timely intelligence.

Presentation Outline
⦁ Introduction and key terms (VPN, VPS, COVCOM, COLLCO, etc…)
⦁ Basic terminology

⦁ ESXi Architecture and Hypervisor Support
⦁ How to install ESXi and lock it down for specific tasks
⦁ How to create different templates for different types of research
⦁ Disabling services and systems configuration to counter malware infections and stop infections from breaking out of the analyst’s virtual machine
⦁ Which services to enable to allow malware analysis to take place using tools such as Cuckoo Sandbox or Mcafee ATD

⦁ Creating Virtual Private Servers
⦁ How to purchase virtual private servers anonymously
⦁ Creating network communication between virtual private servers and virtual private networks for effective communication
⦁ Registering with a Regional Internet Registry and as well as Acquiring a /24 and /48 network
⦁ Getting connectivity between your Virtual Private Servers and the covert network
⦁ How to choose a secure address and BGP sessions based on pricing and anonymity

⦁ Social Media
⦁ Creating online personas for long term investigations, and how to document the usage of the persona so that any analyst can be assigned a persona
⦁ Behavior differences between online personas online, in things such as forums and IRC servers
⦁ How to track social media accounts being used by the analyst with alerts to keep a persona alive

⦁ Developing collections
⦁ How to run automated scrapes to gather intelligence for later investigations
⦁ How to log behavior within an IRC server covertly
⦁ Develop methods and working pipelines to gather information from closed sources regularly without being identified as a scheduled process

⦁ Ways how researchers get caught.
⦁ How researchers have been d0xed, case examples and how they could have been prevented
⦁ 10 commandments of things a researcher should always follow while ‘acting’ out an online persona
⦁ Using bitcoin to create and setup accounts/systems/network/etc

⦁ How to stay legal
⦁ General thoughts and ideas that might arise, situations such as being forced to attack a server to being sent unsolicited pictures
Attendee Takeaways
⦁ How to develop a secure environment that can be used to conduct online investigations and stay secure. How tools leave traces and how they interact with online instances.
⦁ How to conduct malware analysis within an enterprise network with systems put into place to help with automated malware analysis.
⦁ How to keep network communications secure and anonymous.
⦁ Understanding requirements for threat intelligence research and knowing how actions can be countered by forms of counter intelligence.

Rhett Greenhagen has worked in the NetSec/IC for over a decade. He specializes in open source intelligence, cyber counter-intelligence, profiling, exploitation, malware analysis, and technical research and development. Career highlights include Primary Forensic Investigator for the DoD’s largest data center as well as senior technical positions for multiple defense contracting companies. Rhett is currently working for the Advanced Programs Group at McAfee.

Jean Yav (@projekrex) is a Security Engineer at one of the world’s largest dedicated security technology companies. He has spent the last fifteen years supporting blue team operations in the healthcare and nonprofit industries. Jean Yav’s official billets have included System Engineer, Network Security Analyst, and System Administrator and his specialties include security, offensive techniques, virtualization, and automation. In his spare time, he also studies hardware and embedded device hacking. Jean is a Maryland native and occasionally speaks at local Linux User Groups and hacker spaces.

Hunting The Adversary: Developing And Using Threat Intelligence

John Bambenek (Fidelis Cybersecurity / SANS Internet Storm Center)

Traditional security defense tools are increasingly unable to protect against emerging and current attacks. The modern attacker has adopted advanced tools and techniques that are unable to be stopped with traditional firewalls, intrusion detection and anti-virus. Meanwhile, dedicated attackers are attempting intrusions over months and years while going undetected to steal valuable information, trade secrets and financial information. Defense techniques that leverage information about attackers and their techniques, however, provide the ability to greatly enhance the security of an organization.

Modern defenses can integrate intelligence and counterintelligence information which greatly increases the ability to keep attackers out and to detect their presence quickly. This course will teach students about the tools they can use to gain insight into attackers and to integrate them into their organization. This course will be a mix of lecture and hands-on training so students will be equipped on day one to go back to their work and start using threat intelligence to protect their networks.


- Critical Thinking, ACH and Threat Intelligence Models
- Intelligence Sharing Mechanisms
- Open Source Intelligence Gathering, Tools and Sources
- The Collective Intelligence Framework
- Malware Information Sharing Platform
- Yara Primer for Threat Intelligence
- Malware Surveillance Techniques
- Creating and Deriving Intelligence Data
- Identifying Adversarial Weaknesses and Disruption Operations
- Defensive and Offensive Deception Techniques


Investigators, network defenders, incident responders and anyone interested in how to use intelligence to get ahead of the adversary.


A laptop capable of running VMs (specific OSes and configs will be sent to students prior to class)


Basic scripting (bash or python), understanding of reverse engineering malware and sandboxing, knowledge of networking and DNS.

John Bambenek is Manager of Threat Systems at Fidelis Cybersecurity, Lecturer in the Department of Computer Science at the University of Illinois at Urbana-Champaign and a handler with the SANS Internet Storm Center. He has over 18 years experience in information security and leads several international investigative efforts tracking cybercriminals, some of which have lead to high profile arrests and legal action. He specializes in disruptive activities designed to greatly diminish the effectiveness of online criminal operations. He produces some of the largest bodies of open-source intelligence used by thousands of entities across the world.

Open Source Defensive Security (closed)

Leszek Mis (Defensive Security)

Open Source Defensive Security Training is an Open Source IT Security laboratory dedicated to professionals who want to close the gaps in Linux & Open Source Security knowledge. Very detailed and up to date course content with focus especially on defensive approach gives you the best opportunity to create stronger defensive layers inside your network infrastructures or/and Linux-based products. Delivering real world scenarios in our Open Source Defensive Security hands-on lab provides you with a very practical knowledge you need to expand your Linux Security skills.

This is an extremely deep dive training on Open Source-based infrastructure security, Linux systems and network services hardening. We like details as attackers do and these details make all the difference - in the offensive and defensive approach. Our high-tech workshop has a unique formula when it comes to “protection vs attack”. This means that most of the security issues we are talking about will be effectively protected by the use of a suitable approach, sophisticated software and dedicated secure configuration.

We focus on delivering a defensive content, but we understand that for being good in defense you have to also be good in offense. We are providing a kind of knowledge-mix in these fields using Open Source software. Except for basic Linux skills and TCP/IP knowledge, most of the lab exercises require at least a basic understanding of how attacker techniques work and so we'll introduce you to it. We strongly believe that only a mix of broad, systematic Defensive and Offensive Security knowledge can guarantee secure solutions.

1) Threats are everywhere - Introduction to the technical Open Source Defensive Security program.

2) Web application security -> hardened Reverse Proxy -> modsecurity vs HTTP security issues:

Analysis and practical use of exploits for popular web applications: Jenkins, Zimbra, PHPnuke, Joomla, Drupal, PHPmyadmin, OScommerce, Magento, Wordpress, dotProject and others
Authorization and authentication: CAS SSO, OAuth, SAML (ipsilon), Federation, Basic / Digest Auth, SSL authentication, LDAP authorization, SAML based -mod_auth_mellon, Kerberos based - mod_auth_kerb, Login-form based -mod_intercept_form_submit, Mod_lookup_identity, mod_pubcookie
HTTPS – how to achieve status A+?:
MiTM: sslstrip
Mutual SSL
Security headers: Content Security Policy, Cross Origin Resource Sharing / Same Origin Policy, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Fetch API, Service Workers, Sub_resource Integrity, Per-page sub-origins, Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), Same Origin Policy (SOP) / Cross Origin Resource Sharing (CORS), HPKP, PFS
Cookies:Secure, Httponly, Domain, Path, Same_site, Clear Site Data Feature Policy, First-party cookies
HTTP header anomalies
Virtual patching
Full HTTP auditing
LUA/OpenResty support
Sensor approach - OWASP Appsensor
Web application security using Modsecurity - creating dedicated WAF rules against:
Null bytes
Path/directory traversal
LFI/RFI->Command Execution
Cross Site Scripting (XSS)
Cross Site Request Forgery (CSRF)
HTTP Parameter Pollution (HPP)
Open Redirect
Insecure Direct Object Reference vs HMAC
Forceful Browsing
CSWSH - Cross Site Websocket Hijacking
Session Security
Brute force
Slow DOS
GEO restrictions
Error handling
Leakage detection
Secure file upload
Secure logout / forgot password form
Web honeypots
Bot/scan protection
AV protection
PHP Security
Tomcat Security
Sqlmap, sqlninja
ZAP / Burp
Joomla, wpscan
Dirbuster, dirb
3) Hardened Linux vs exploits/rootkits:

Discretionary Access Control (DAC) vs Mandatory Access Control (MAC)
Grsecurity / PAX
SELinux / Multi Category Security / sVirt
Apparmor, Tomoyo, Smack, RSBAC
GCC hardening: SSP, NX, PIE, RELRO, ASLR vs buffer overflow
Linux Containers - Docker/LXC
LKM-off / YAMA / enforcing
Linux capabilities vs SUID and others
System call restriction - seccomp
Integrity checking - IMA/EVM
Package mgmt security
Debuggers and profilers - gdb/strace/ldd/Valgring/Yara
Behavioural analysis - systemtap / LTTng / sysdig
Memory forensics - Volatility vs malware
System update vs reboot
4) Network security:

Vulnerability scanning:
Nmap NSE
Linux Domain Controller - IdM/HBAC/SUDO
SFTP/SCP - Secure SSH Relay
Restricted shells/commands
SSH tips and tricks
Public Key Infrastructure – SSL/TLS
NFS Security
Database Security
DNS Security
Mail Security
DOS / scanning / brute-force protection techniques
Advanced network firewall: iptables/nftables/ebtables
System honeypots
Network traffic analysis - wireshark, scapy / tcpdump / tcpreplay
Suricata / Bro IDS / Snort / SELKS vs known malware and attacks:
shellshock and others
Security by obscurity
5) System Auditing, integrating & accounting:

OSSEC / Samhain / aide
SIEM: Splunk/ELK/OSSIM/osquery
6) Summary: offense vs defense. Additional labs:

GDB introduction LAB
Seccomp -> additional LABs
Apparmor policy development
Volatility LAB - diffing between infected and clean memory dumps
Malware PCAP analysis / tcpreplay / suricata+ELK(SELK) / cuckoo / limon sandbox
SELinux module development
PAX - policy development
PAM LAB: google-authenticator / yubikey
Simple kernel module development + hidding + detection
Suricata vs metasploit, PtH, heartbleed, shellshock and others
WLAN Security vs Evil Twin / Karma and others attack detection

Leszek Miś has over 11 years of experience in IT security technology, supporting some of the largest companies and institutions for implementation, consulting and technical training. Furthermore, he has 8 years of experience in teaching and transferring technical knowledge and experience. He trained more than 500+ persons with the average evaluation in a 1 to 5 scale of 4.9. He is an IT Security Architect with a love for pentestesting  and recognized expert of enterprise Open Source solutions, provides web application and infrastructure penetration tests and specializes in Linux/OS hardening and defensive security of web application platforms

He is a known and respected trainer/examiner of Red Hat products in Poland (RHCA, RHCSS, RHCE) and author of many IT Security workshops (ModSecurity, FreeIPA, SELinux, Linux Hardening).

As a speaker he attended many conferences like Confidence 2016 (“Honey(pot) flavored hunt for cyber enemy), PLNOG 2016 (“Yoyo! It’s us, packets! Catch us if you can”), NGSEC 2016 (“Many security layers for many defensive opportunities”), Open Source Day 2010/2011/2012/2013/2014, SysDay 2008 (“SELinux vs exploits”), Confitura 2014 (“Detection and elimination of threats in real time - OWASP Appsensor in action.”), Red Hat Roadshow 2014, OWASP Chapter Poland 2015(“Does your WAF can handle it?), ISSA InfoTrams 2015, BIN Gigacon 2015(“Mapping pen testers knowledge for the need to protect a critical IT infrastructure”).

Certifications :

Holder of OSCP, Red Hat Certified Architect, Red Hat Certified Security
Specialist, RHCDS, CompTIA Security +, Splunk Certified Architect and others.

SAP CTF Pentest : From Outside To Company Salaries Tampering (closed)

Yvan Genuer (Devoteam)

SAP is no longer an unknown black box for the security community and SAP products appear more and more often in audit requests. This training is focused on SAP Netweaver. Because we can't cover seriously all SAP software in two days, we decided to work on the most frequent vulnerabilities we faced during our pentests. We'll provide different SAP Systems with different configuration issues in 'realistic' environment, and also a pre-configured attacker VM with all tools required to perform training activities. Few slides, lots of practice, that's the leitmotiv of this course. SAP knowledge is not required.

General knowledge on pentesting. SAP knowledges is NOT required.

Target audience:
Pentesters or security professional. Anyone interested to learn about SAP Security

Requirements / Material to bring by attendees:
A laptop capable of running virtual machine, with 10G free disk space and 1GB Ram for VM.

Similar works:
This course is an improved version of the training done during the Hack In Paris 2017 Conference. I've created two  'easy' SAP challenges for the free security platform ‘root-me’: https://www.root-me.org/en/Challenges/Realist/SAP-Pentest-007
These challenges are not the same than the ones in this course.

Detailed presentation material will be provided to attendees at the start of course.
Please find the course outline below: 

Day 1

Introduction to the world of SAP
SAP in numbers
SAP Netweaver ABAP?
Global technical concept
Technical component
SAP as user

Introduction to SAP Security
Latest changes in SAP Security
The SAP security parts
SAP Security Notes
Attack surface

Training infrastructure
Overview and warning
Hands-on : Tools, installation, setup
SAP cheatsheets for pentesters

What is SAProuter?
How SAProuters work
SAProuter vulnerabilities
   Hands-on : Discover internal SAP, discover SAP port, forward port Remediation

Overview & How to
   Hands-on : Moving around SAP Gui
SAP Gui information gathering
SAP Gui shortcut vulnerability
    Hands-on : Retreive information, crack user password
Lastest vulnerabilities found

SAP Netweaver ABAP
SAP authorization
Password and default accounts
    Hands-on : Find default account and password of target 
SAP Message Server
    Hands-on : Playing with Message Server
    Hands-on : Playing with ICM
    Hands-on : Playing with MMC
SAP RFC Gateway
    Hands-on : RCE through SAP Gateway

Day 2

SAP Secure Store
ABAP Secure Storage
   Hands-on : Decrypt ABAP Secure Storage
Secure Storage in File System
   Hands-on : Decrypt SSFS

Database level security
Focusing on Oracle
Oracle OPS$ attack
    Hands-on : Retrieve SAP database schema password

SAP Horizontal movement
Concept in SAP
RFC hardcoded credential
    Hands-on : Get access to trusted SAP system with diaglog user
    Hands-on : Get access to trusted SAP system with no-diaglog user
Pivot with SAP RFC Gateway
   RCE to trusted RFC SAP system

SAP Vertical movement
Concept in SAP
    Hands-on : SAP to OS
    Hands-on : OS to database
    Hands-on : SAP to database
    Hands-on : Database to SAP

ABAP Code vulnerability (Overview)
ABAP Minimum basis
ABAP injection
   Hands-on : Exploit abap injection
OS Command injection
   Hands-on : Exploit OS injection
Native SQL Injection
   Hands-on : Exploit SQLiAuthorization bypass
   Hands-on : Bypass authorization example
Directory traversal
   Hands-on : Exploit directory traversalCross client access
   Hands-on : Cross client access example
Understand SAP OSS Security Patch
   Hands-on : From SAP Security Patch to bind shell

5 Categories for 20+ tasks
    Hands-on : CTF time !

Conclusion & Questions

Yvan has nearly 15 years of experience in SAP. He started out as a SAP basis administrator for various well-known French companies. Since 5 years, he focuses on SAP Security and is now the head of SAP assessment and pentesting at Devoteam security team. Although being a very discreet person, he received official acknowledgements from SAP AG for vulnerabilities he's reported. Furthermore, he is a longtime member of the Grehack conference organization committee and has conducted a SAP pentest workshop at Clusir 2017, as well as a full training at Hack In Paris 2017.

Smart Lockpicking - Hands-on Exploiting Contemporary Locks and Access Control Systems

Slawomir Jasek (SecuRing; smartlockpicking.com)

There is no doubt electronic locks are among the most profitable smart devices to attack. And yet recent disclosures of multiple vulnerabilities clearly show there are not enough specialists able to help with software-related issues of so-far mostly hardware vendors.
This course is intended to fill this skills gap. Based on hands-on exercises with real devices (a dozen various smart locks), attendees will learn how to analyze their security and design them properly. The knowledge will then be applied to many other IoT devices.
During this course students will perform: wireless sniffing, spoofing, cloning, replay, DoS and authentication and command-injection attacks. Practical exercises will include investigating proprietary network protocols, demystifying and breaking “military grade encryption”, abusing excessive services, triggering fallback open, brute-forcing PINs via voice calls and attacking building automation systems.
The software activities will be mixed with short entertaining tricks, including opening a lock by a strong magnet, counterfeiting fingerprints in a biometric sensor or opening a voice-controlled lock by remotely hacking speaker-enabled devices.
Several tasks will evolve around an electromagnetic lock guarding a special vault. Whenever a student will succeed in hacking the lock, the box opens automatically, and one can have a hidden reward.

Technologies covered will include Bluetooth Smart, Linux embedded, KNX, NFC, Wiegand, WiFi, P2P, GSM etc.

Each attendee will receive hardware with a value of about 100 EUR  (detailed below).

List of topics:

Bluetooth Smart - based on at least 7 various smart locks, and tools developed by the trainer: GATTacker BLE MITM proxy and deliberately vulnerable Hackmelock (consisting of Android mobile application and lock device simulated on Raspberry Pi):
- passive sniffing
- static authentication password
- spoofing
- replay attacks
- command injection
- Denial of Service
- cracking "Latest PKI technology"
- other flaws of custom challenge-response authentication
- abusing excessive services (e.g. module's default AT-command interface).
- weaknesses of key sharing with guests functionality
- takeaway Hackmelock challenges for practicing later at home using provided hardware

NFC - based on hotel electronic door lock, access control reader, ski lift pass and a bus ticket
clone UID using "chinese magic" card and provided hardware
- cracking MIFARE Classic keys
- cloning card content
- decoding access control data stored on card by a hotel system
- how to emulate contactless cards and open UID-based lock using just a smartphone

Linux embedded - based on wireless door lock, alarm+home automation system and other devices:
- authentication bypass
- information disclosure
- telnet brute-force
- OS command injection

Proprietary network protocols - based on fingerprint sensor device, wireless door lock, alarm system, HVAC controller
- various approaches to analyzing proprietary protocols
- step-by-step understanding packets and attacking - remote management binary communication of fingerprint sensor
- sniffing and decoding administrative credentials
- abusing improper session management (authentication bypass)
- unlock wireless alarm with a single packet
- P2P communication - how to attack devices hidden behind NAT

KNX home automation - an example installation connected to electromagnetic lock
- theory introduction, typical architecture, group address, device address...
- tools: ETS configuration suite vs open-source - knxd, knxmap, nmap scripts
how to locate and connect to KNX-IP gateway in LAN or remotely
- monitor mode - sniffing the bus communication
- write command to group address and open lock

SMS and DTMF remote control over GSM - based on remote control alarm system
- theory introduction to GSM interception
- brute-force alarm administrative PIN via automated remote SMS and voice calls from the cloud API

Wiegand - wired access control transmission standard
- sniff the data transmitted from access control reader using Raspberry Pi GPIO
- decode card UID from sniffed data, clone the card
- replay card data on the wire to open lock

Moreover, each student will also be able try for himself to:
- open a smart lock using special strokes of a strong magnet which turns the motor inside     the device
- cheat on a fingerprint biometric sensor - we can make your own fingerprint clone during training
- open a voice-controlled lock by hacking a nearby speaker-enabled device

What students should bring?
- contemporary laptop capable of running Kali Linux in virtual machine
- Android > 4.3 smartphone. If you don't have one, please inform in advance - a few will be available for students.
- basic familiarity with Linux command-line, Kali, Wireshark
- scripting skills or pentesting experience will be an advantage, but is not crucial

What will be provided?
- course materials in PDFs (several hundred pages)
- all required additional files: source code, documentation, installation binaries
- Bluetooth Smart hardware sniffer and development kit based on nrf51822 module
- 2 Bluetooth Low Energy USB dongles
- Raspberry Pi 3 with assessment tools and Hackmelock for further hacking at home.
- NFC NXP PN532 board + "magic UID" card - which will allow you to clone most common Mifare Classic contactless cards

Provided hardware picture:

Slawomir is an IT security consultant with over 10 years of experience. He participated in many assessments of systems' and applications' security for leading financial companies and public institutions across the world, including a few dozen e-banking systems. Also he developed secure embedded systems certified for use by national agencies. Slawomir has an MSc in automation&robotics and loves to hack various devices, gadgets, home automation and industrial systems. Beside current research (BLE, HCE), he focuses on consulting secure solutions for various software and hardware projects. Speaker at BlackHat USA (new Bluetooth Smart Man-in-the-middle proxy tool), Appsec EU (insecurity of proprietary network protocols), HITB (HCE contactless payments), Confidence (IoT), Devoxx and other conferences for developers (SDLC, mobile application security). Trainer at Deepsec, Appsec EU, HackInParis, HackInTheBox, Confidence.

Workshop On Advanced Social Engineering (closed)

Dominique Brack (Reputelligence)

For the first time Dominique Brack, the author of the Social Engineering Engagement Framework (SEEF), offers an in-person public workshop. Normally his  workshops and briefings are closed-group private enterprises or Government only workshops. Attendees will profit from the first-hand knowledge and experience of a social engineering and information security professional with 20 years of experience.

What you will learn: Tools and techniques to plan, execute and manage social engineering engagements. What can and will be used against you, your employees and your organization? This training will provide the skills to detect, defend and assess social engineering attacks and its associated risks. You will learn about the motivations and methods used by social engineers - knowledge which will enable you to better protect yourself and your organization.

Dominique C. Brack is a recognized expert in information security, including identity theft, social media exposure, data breach, cyber security, human manipulation and online reputation management. He is a highly qualified, top-performing professional with outstanding experience and achievements within IT security, risk and project management and in delivering innovative, customer-responsive projects and services in highly sensitive environments on an international scale. Mr. Brack is accessible, authentic, professional, and provides topical, timely and cutting edge information. Dominique’s direct and to-the-point tone of voice can be counted on to capture attention, and – most importantly - inspire and empower action.

Mobile App Attack

Sneha Rajguru (Payatu software labs llp)

Mobiles Apps are the most preferred way of delivering attacks today. Understanding the finer details of Mobile App attacks is soon becoming an essential skill for penetration testers as well as for the app developers & testers.

So, if you are an Android or an iOS User, a developer, a security analyst, a mobile pen-tester or just a mobile security enthusiast the training 'Mobile App Attack' is of definite interest to you, as the course familiarizes attendees with in-depth technical explanation of some of the most notorious mobile (Android and iOS) based vulnerabilities, ways to verify and exploit them, along with various Android, iOS application analysis techniques, inbuilt security schemes and teaches how to bypass those security models on both the platforms.

With live demos using  real-world vulnerable Android and iOS apps intentionally crafted by the trainer, Sneha Rajgura, attendees shall look into some of the common ways of how malicious apps bypass the security mechanisms or misuse the given permissions.

Apart from that trainees shall have a brief understanding of what is so special about the latest Android 8 and iOS 10 security and the relating flaws.

Sneha works as a Security Consultant with Payatu software labs LLP. Her area of interest lies in Web application and mobile application security and fuzzing. She has discovered various serious application flaws within open source applications such as PDFLite.Jobberbase, Lucidchart and many opensource wordpress plugins and many more. She is also an active member of Null – The open security community in India, and a contributor to regular meetups at the Pune chapter. She has spoken and provided training at GNUnify, FUDCon, Defcamp#6, Nullcon, BSidesLV and DefCon 24.

The ARM IoT Exploit Laboratory (Three-Day Workshop) (closed)

Saumil Shah (Net-Square Solutions Pvt. Ltd.)

NOTE: This is a Three-Day Workshop, starting on the 13th of November, one day earlier than the other trainings.



ARM has emerged as the leading architecture in the Internet of Things (IoT) world. The all new ARM IoT Exploit Laboratory is a fast paced 3-day intermediate level class intended for students who want to take their exploit writing skills to the ARM platform. The class covers everything from an introduction to ARM assembly all the way to Return Oriented Programming (ROP) on ARM architectures. Our lab environment features hardware and virtual platforms for exploring exploit writing on ARM based Linux systems and IoT devices.

The class concludes with an end-to-end "Firmware-To-Shell" hack, where we extract the firmware from a popular SoHo router, build a virtual environment to emulate and debug it, and then use the exploit to gain a shell on the actual hardware device.

* Introduction to the ARM CPU architecture
* Exploring ARM assembly language
* Understanding how functions work on ARM
* Debugging on ARM systems
* Exploiting Stack Overflows on ARM
* Writing ARM Shellcode from the ground up
* Introduction to Exploit Mitigation Techniques (XN/DEP and ASLR)
* Introduction to Return Oriented Programming
* Bypassing exploit mitigation on ARM using ROP
* Practical ROP chains on ARM
* An introduction to firmware extraction
* Emulating and debugging an IoT device firmware in a virtual environment
* Case Study: From Firmware to Shell - exploiting an ARM router's embedded firmware

- Pentesters working on ARM embedded environments. (SoCs, IoT, etc)
- Red Team members, who want to pen-test custom binaries and exploit custom built applications.
- Bug Hunters, who want to write exploits for all the crashes they find.
- Members of military or government cyberwarfare units.
- Members of reverse engineering research teams.
- People frustrated at IoT devices to the point they want to break them!

Saumil Shah is the founder and CEO of Net-Square, providing cutting edge information security services to clients around the globe. Saumil is an internationally recognized speaker and instructor, having regularly presented at conferences like Blackhat, RSA, CanSecWest, PacSec, EUSecWest, Hack.lu, Hack-in-the-box and others. He has authored two books titled "Web Hacking: Attacks and Defense" and "The Anti-Virus Book".

Saumil graduated with an M.S. in Computer Science from Purdue University, USA and a B.E. in Computer Engineering from Gujarat University. He spends his leisure time breaking software, flying kites, traveling around the world and taking pictures.

Social Science First!

Dr. Jessica Barker (Co-Founder, Redacted Firm)

Bruce Schneier popularised the concept in 1999: cyber security is about people, process and technology. Yet almost two decades later, the industry still focuses so much more on technology than the other two dimensions of our discipline. For a long time, when the cyber security community has considered the human nature of cyber security, it has been within the context of a narrative that ‘humans are the weakest link’. In this talk, Dr Jessica Barker will argue that, if that is the case, then that is our failing as an industry. With reference to sociology, psychology and behavioural economics, Jessica will discuss why social science needs to be a greater priority for the cyber security community.

Dr Jessica Barker is a leader in the human nature of cyber security. Equipped with years of experience running her own consultancy, she recently co-founded a new cyber security company, Redacted Firm. Her consultancy experience, technical knowledge and sociology background give her unique insight, and she has a talent for translating technical messages to a non-technical audience.
Jessica delivers thought-provoking and engaging presentations across the world, at corporate events as well as practitioner and academic conferences. She also frequently appears on the BBC, Sky News, Channel 4 News, Channel 5 News, Radio 4’s Today programme, Radio 2’s Jeremy Vine show and more. She has been published in the Sunday Times and the Guardian, and frequently in industry press. She is regularly commissioned to write cyber security blog posts, and runs the website www.cyber.uk, dedicated to cyber security news, information and guidance.

Don't Let The Cuteness Fool You - Exploiting IoT's MQTT Protocol

dalmoz (Moshe Zioni) (VERINT)

"Connect all the things!" - for some time now, this is the main theme when talking about IoT devices, solutions and products. Our eagerness to find new, and at times innovative, ways to make anything suitable to the anthem of the internet is a great promise for malicious activity.

As these devices are supposed to be lightweight they mostly rely on a small fingerprint stack of protocols - one of those protocols is the message protocol - MQTT.

We will go deep into protocol details, observe how common it is to find such devices (and how), and several novel ways to abuse any one of tens of thousands easily spotted publicly facing MQTT brokers on the internet for "fun and profit".

Moshe (dalmoz) have been researching security since youth, professionally since he was 18, when was actually surprised to find a place for his enthusiasm and talent. Consultant to many industry leaders, banks, software vendors, insurance companies, health organizations, governments and telecommunication service providers, both domestic and international.
Interested in all security aspects, keeping his aperture wide and viewing the whole picture, while he can talk the talk and walk the walk when it comes to bits & bytes.
Moshe have published research on various topics and presented at many conferences – including CCC in Germany, Hack-in-Paris in France, 44CON in the UK and others.

Paying The Price For Disruption: A FinTech Allowed Account Takeover

Vincent Haupert, Dominik Maier, and Tilo Müller (FAU, TU Berlin, FAU)

In this paper, we look at N26, a pan-European banking startup and the poster child for young FinTechs, to see how security is treated by startups that provide disruptive technologies in the financial sector. We find out that, in an area that has been committed to security, FinTechs focus on modern designs and outstanding user experience as their main priority. Even though this strategy is rewarded by a rapidly increasing number of customers, it reveals a flawed understanding of security. We analyzed all aspects of security, including the frontend, backend, protocols, human factors and underlying design concepts, and found issues in all of them. We succeeded to leak customer data, to manipulate transactions, and even to entirely take over foreign accounts, ultimately issuing arbitrary transactions. We reported those findings to N26 and did not disclose them before they have been fixed. Hopefully, by publishing this case study now, we raise awareness for security considerations in the critical banking sector also for other FinTech startups.

Vincent Haupert is a research fellow and PhD candidate with the Security Research Group at Friedrich-Alexander University Erlangen-Nürnberg. His main interests are authentication, system security and software protection of mobile devices. Particularly the security of online and mobile payment solutions is one of his major research subjects.

Next-Gen Mirai

Balthasar Martin & Fabian Bräunlein (SRlabs)

Badly secured embedded devices enabled the largest DDoS attack on critical networks seen to date: The Mirai attacks in 2016 were largely pegged on Internet-exposed telnet with default credentials. While such telnet accounts are hopefully on their way out, we had a look at the next available hacking options to compromise masses of IoT devices.
It turns out that IP cameras can still be compromised remotely in many other ways - even if they are not exposed directly to the internet. In particular, we found issues in communication protocols, control servers and infrastructure design.
This talk details how we found such next-gen Mirai vulnerabilities, and will demonstrate a number of them. After seeing what we saw, you will have little doubt that there will always be a bot army of compromised embedded devices.

Balthasar lives in Berlin where he pursues a Masters in IT-Systems engineering while working at SRLabs. He is fascinated by a world populated by "smart" devices that turn out to be as smart as a slice of bread. After the DDoS on Brian Krebs, he got curious about additional ways to disturb the global Internet matrix.

Fabian studied IT-Systems Engineering at HPI in Potsdam, but was always more curious about taking such systems apart. He now works as a Security Researcher and Consultant at Berlin-based hacker collective SRLabs. Fabians previous talks include hacking payment systems at 32c3 and travel systems at HEUREKA.

A Survey On Automated Dynamic Malware Analysis Evasion And Counter-Evasion: PC, Mobile, And Web

Alexei Bulazel & Bulent Yener (River Loop Security, LLC, Rensselaer Polytechnic Institute)

Automated dynamic malware analysis systems are important in combating the proliferation of modern malware. Unfortunately, malware can often easily detect and evade these systems. Competition between malware authors and analysis system developers has pushed each to continually evolve their tactics for countering the other.

In this paper we systematically review i) "fingerprint" -based evasion techniques against automated dynamic malware analysis systems for PC, mobile, and web, ii} evasion detection, iii} evasion mitigation, and iv} evasion "in the wild." We also discuss difficulties in experimentation evaluation, highlight future directions in offensive and defensive research, and briefly survey related topics in anti-analysis.


XFLTReaT: A New Dimension In Tunnelling

Balazs Bucsay (NCC Group)

This presentation will sum up how to do tunnelling with different protocols and will feature different perspectives in detail. For example, companies are fighting hard to block exfiltration from their network: They use http(s) proxies, DLP, IPS technologies to protect their data, but are they protected against tunnelling? There are so many interesting questions to answer for users, abusers, companies and malware researchers. During this presentation we'll show you some mitigation and bypass techniques, which can be used to filter any tunnelling on your network or to bypass misconfigured filters.

Our new tool XFLTReaT is an open-source tunnelling framework that handles all the boring stuff and gives users the capability to take care of only the things that matter. It provides significant improvements over existing tools. From now on there is no need to write a new tunnel for each and every protocol or to deal with interfaces and routing. Any protocol can be converted to a module, which works in a plug-and-play fashion; authentication and encryption can be configured and customised on all traffic, and it is also worth mentioning that the framework was designed to be easy to configure, use and develop.

In case there is a need to send packets over ICMP type 0 or HTTPS TLS v1.2 with a special header, then this can be done in a matter of minutes, instead of developing a new tool from scratch. The potential use (or abuse) cases are plentiful, such as bypassing network restrictions of an ISP, the proxy of a workplace or obtaining Internet connectivity through bypassing captive portals in the middle of the Atlantic Ocean or at an altitude of 33000ft on an airplane.

This framework is not just a tool; it unites different technologies in the field of tunnelling. While we needed to use different tunnels and VPNs for different protocols in the past, like OpenVPN for TCP and UDP, ptunnel for ICMP or iodined for DNS tunnelling, this changes now:

After taking a look at these tools it was easy to see some commonality. All of them are doing the same things only the means of communication are different. We simplified the whole process and created a framework that is responsible for everything but the communication itself, we rethought the old way of tunnelling and tried to give something new to the community. After the initial setup the framework takes care of everything. With the check functionality we can even find out, which module can be used on the network, so there is no need for any low-level packet fu and hassle.

I guarantee that you won’t be disappointed with the tool and the talk, actually you will be an open-source tool richer.

Balazs Bucsay (@xoreipeip) is a Senior Security Consultant at NCC Group in the United Kingdom who does research and penetration testing for various companies. He has presented at many conferences around the world including Honolulu, Atlanta, London, Oslo, Moscow, and Vienna on multiple advanced topics relating to the Linux kernel, NFC and Windows security. Moreover he has multiple certifications (OSCE, OSCP, OSWP, GIAC GPEN) related to penetration testing, exploit writing and other low-level topics; and has degrees in Mathematics and Computer Science. Balazs thinks that sharing knowledge is one of the most important things in life, so he always shares his experience and knowledge with his colleagues and friends. Because of his passion for technology, he starts his second shift in the evenings, right after work to do further research.

Lock, Stock And Two Smoking Apples - XNU Kernel Security

Alex Plaskett & James Loureiro (MWR InfoSecurity)

This talk will aim to cover the research which has been undertaken following on from the Defcon presentation on MWR's platform agnostic kernel fuzzing, to automatically identify critical flaws within Apple macOS.

It was observed that there have been limited attempts to create automated kernel fuzzing solutions for macOS, hence the drive to modify our existing frameworks to support the platform and develop support utility tooling to aid vulnerability research.

This talk will focus on how the researchers approached developing fuzzing automation to test the core subsystems of the XNU kernel and the insights gained. The talk will also highlight architectural differences between other supported platforms which needed to be addressed whilst performing integration into the framework.

The old adage of 'different fuzzers find different bugs' will also be explored, as we look into the effectiveness of using targeted fuzzing for specific components considered most likely to yield vulnerabilities.

An in-memory fuzzer based on a combination of static and dynamic analysis was also constructed to target these components with the aim to achieve greater code coverage, efficiency and to allow attacks on other privileged components within macOS via IPC.

Finally we will discuss the issues discovered by the fuzzers and highlight future improvements which could be made to the tooling going forward to increase coverage and effectiveness.

It is also the aim to release the code developed, to make it easier for other researchers who may wish to develop similar fuzzers and provide additional tooling to the macOS research community to aid in vulnerability hunting. Specifically, we will release python tooling for capture, replay and mutation of macOS IPC based communication, corpus generation and monitoring, together with the existing kernel fuzzer platform integration targeting core kernel subsystems.

Alex is Head of Technical Research at MWR InfoSecurity in the UK. Alex is best known for mobile and embedded vulnerability research and exploitation. Alex has previously presented at Deepsec, TROOPERS16, BlueHat, T2.Fi, Confidence, 44con and SyScan.

James is a senior researcher at MWR InfoSecurity, and has interests in vulnerability research and reverse engineering. James has previously presented on Windows Kernel fuzzing at DefCon in 2016 and on Adobe Reader in 2015

Dynamic Loader Oriented Programming On Linux

Julian Kirsch, Bruno Bierbaumer, Thomas Kittel, Claudia Eckert (Technical University of Munich)

Memory corruptions are still the most prominent venue to attack
otherwise secure programs. In order to make exploitation of soft-
ware bugs more difficult, defenders introduced a vast number of
post corruption security mitigations, such as w⊕x memory, Stack
Canaries, and Address Space Layout Randomization (ASLR), to only
name a few. In the following, we describe the Wiedergänger 1 -Attack,
a new attack vector that reliably allows to escalate unbounded array
access vulnerabilities, occurring in specifically allocated memory
regions, to full code execution on programs running on i386 / x86_64
Wiedergänger-attacks abuse determinism in Linux ASLR imple-
mentation, combined with the fact that (even with protection mecha-
nisms such as relro and glibc’s pointer mangling enabled) there exist
easy-to-hijack, writable (function) pointers in application memory.
To discover such pointers, we use taint analysis and backwards
slicing at the binary level and calculate an over-approximation of
vulnerable instruction sequences.
To show the relevance of Wiedergänger, we exploit one of the
discovered instruction sequences to perform an attack on Debian 10
(Buster) by overwriting structures used by the dynamic loader (dl)
that are present in any application depending on glibc and the
dynamic loader. In order to show generality, we solely focus on
data structures dispatched at program shutdown, as this is a point
that arguably all applications eventually have to reach. This results
in a reliable compromise that effectively bypasses all protection
mechanisms deployed on x86_64 / i386 Linux to date.
We believe Wiedergänger to be part of an under-researched
type of control flow hijacking attacks, targeting internal control
structures of the dynamic loader, for which we propose to use the
terminology Loader Oriented Programming (LOP).


Behavior Based Secure And Resilient System Development

Dr. Muhammad Taimoor Khan (Alpen-Adria University, Klagenfurt, Austria)

We introduce a design methodology to develop reliable and secure systems based on their functional and non-functional behaviour. The methodology has 3 independent, but complementary, components that employ novel approaches and techniques in the design of reliable and secure systems.

First, we introduce reliable-and-secure-by-design development of secure applications through stepwise sound refinement of an executable specification, employing deductive synthesis to enforce functional and non-functional (e.g. security and safety) properties of the applications.

Second, we present a run-time security monitor at the middleware level that protects system operation in the field through comparison of the application execution and the application specification execution in real-time; the run-time security monitor can be synthesized from the executable specification.

Finally, based on the specification, we perform a vulnerability analysis for false data injection attacks, which leads to application designs that are resilient to this type of attacks. We demonstrate the methodology through its application to a basic and typical industrial control system example application, describing all the tools used and ARMET, the middleware monitor that constitutes the core component of the methodology.

Muhammad Taimoor Khan is a post-doc assistant with Institute of Informatics, Alpen-Adria University Klagenfurt. He holds a PhD from Research Institute for Symbolic Computation (RISC), Johannes Kepler University, Austria (2014) and a Masters in Advanced Distributed Systems from University of Leicester, UK (2008). Prior to that, he graduated from Islamia University Bahawalpur (2001) in Computer Science. He has won various research awards including best paper award(s). In the last decade, he has been applying formal methods as a powerful tool to assure reliability and security of various software systems, for instance, industrial control systems and computer mathematics based systems, to name a few. He has extensive experience in the both, software industry and research institutes. He has been working as a scientist in various premier international research institutes, including INRIA, France and MIT CSAIL, USA; he is jointly working with these institutes now.

ML Clustering Attacks: A Walk outside the Lab

Gilad Yehudai (Imperva)

A lot of research was done about clustering attacks of different types using many Machine Learning algorithms, with high rates of success. These were mainly done from the comfort of a research lab, with specific datasets and no performance limitations.
In this session I will share my experience with dealing with clustering of attacks in near real-time scenarios where performance is a key factor, and where the reality punches lab statistics in the face.
I will discuss some of the challenges we experienced during the research like:
1) Applying a clustering algorithm to a stream of data.
2) Extracting meaningful features from limited data.
3) Translating different features into something we can calculate distance from.

Gilad Yehudai is an algorithm developer and security researcher at Imperva’s web application research group. Gilad develops algorithms and solutions using state-of-the-art machine learning algorithms, and also researches new security threats and vulnerabilities.
Gilad holds a B.Sc. and a M.Sc. in Mathematics from Tel Aviv University. He has a very analytical and technical background with experience in both statistics and machine learning. A math geek by day and an avid Snooker player by night (And vice versa).

Reverse Engineering a Code without the Code

Mesbah Abdelhak (Université de Boumerdes), Jean-Louis Lanet (LHS INRIA)

Retrieving assets inside a secure element is a challenging task. The most attractive assets are the cryptographic keys stored into the Non Volatile Memory (NVM) area but also the algorithms executed. Thus, the confientiality of binary code embedded in that device in the Read Only Memory (ROM) must be protected. Thanks to a previous attack we succeeded in having access to a dump of the NVM. We try here to take advantage of the object oriented features of the platform to provide a means to speed up the reverse engineering of the dump. The idea here is to reverse engineer an algorithm without having access to the code. We have only access to the data. We use a specifially designed graphic tool to reason about the data such that we are able to understand the principle of the algorithm. Then, we are able to bypass the protection mechanism in order to get access to the binary code.

Co-authors of the publication are Abdelhak Mesbah and Mohamed Mezghiche (University of Boumerdes).

Mesbah Abdelhak write about himself: I'm a PhD student with the LIMOSE research laboratory at the University of M’HAMED BOUGARA, Algeria. I received my master’s degree in Software Engineering and Information Processing at the same university. My research interests focus on Attacks, the security of embedded software, Reverse Engineering as well as Security of smart card’s Applications and Systems...

Mr Lanet joined INRIA- Rennes Bretagne Atlantique in September 2014 to lead the High Security Labs (LHS) for a four years period.

He is also Professor at the University of Limoges (2007-2014) at the
Computer Science department, where he leads the team SSD (Smart Secure
Device). He was also associate professor of the University of Sherbrooke
and he was in charge of the Security and Cryptology course of the USTH
Master (Hanoi). His research interests included the security of small
systems like smart cards, but also software engineering.

Prior to that, he was senior researcher at Gemplus Research Labs
(1996-2007) the smart card manufacturer. During this period he spent two
years at INRIA (2003-2004) as an engineer at DirDRI (Direction des
Relations Industrielles) and senior research associate in the Everest
team at INRIA Sophia-Antipolis. He got its Habilitation à Diriger des
Recherches (HdR) during the first INRIA period.
He was researcher at the Advanced Studies Labs of Elecma, Electronic division of the Snecma, now part of the Safran group.
He's worked on hard real time techniques for jet engine control (1984-1995). 

A Song of Botnets and Power: Blackout is coming

Adrian Dabrowski (SBA Research)

Power grids are a prime example of large-scale decentralized critical infrastructure pre-dating modern telecommunication by decades. The volatility of grids is often underestimated: to stabilize the nominal frequency power production and consumption have to be continuously kept in balance. As consumers are predominantly uncontrolled, operators have to adapt power plants' output to the demanded power using elaborated models including parameters like weather, season, and time of the day. These models are based on the premise of a large number of small consumers averaging out their energy consumption spikes. However, an adversary in control of a sufficiently large number of computers can break this premise by synchronizing their load patterns and create artificial load spikes, pushing the grid out of its operational limits.
Before that, grid security was often understood in a classic IT or CPS sense, i.e., attacking components over their digital interfaces. Our adversary does not have to rely on any current or future smart grid features for a successful attack.

Adrian Dabrowski is a researcher at SBA Research and lecturer at TU Wien and FH Campus. Besides playing CTFs, his main topic is security and privacy in large-scale infrastructures such as the radio-side of mobile phone networks and control-systems behind power grids.

Who Hid My Desktop – Deep Dive Into hVNC

Or Safran & Pavel Asinovsky (IBM Security Trusteer)

Since the past decade, financial institutions are increasingly faced with the problem of malware stealing hefty amounts of money by performing fraudulent fund transfers from their customers’ online banking accounts.

Many vendors attempt to solve this issue by developing sophisticated products for classifying or risk scoring each transaction. Often, identifying legitimate account holders is based on detecting whether the transaction is made from the legitimate user’s machine or from an untrusted endpoint.

Going back 10 years, and still today, some checks are based on the IP/Geolocation of the machine performing the transaction and comparing it with the user’s typical whereabouts. In order to overcome this identifier, malware authors easily turned the user’s machine into a proxy, making the transaction appear to originate from the same IP address.

Device identification became increasingly sophisticated over the years, adding many parameters of the user’s environment to fingerprint trusted devices. But cybercrime is an arms race, and malware developers did not stay behind. To completely disregard device fingerprinting, they have devised their own circumvention technique: hidden VNC (Virtual Network Computing) that enables them to commit the fraudulent transaction from the user’s own machine without ever being noticed.

In this lecture, we will talk about hVNC in general, but also present and demo the specific use case of Gozi’s proprietary hVNC tool which we reversed and broke in our labs. Gozi is one of the most advanced financial crime tools. It is operated by a cybergang and sees constant innovation and upgrades.

In this talk, we will elaborate on the following subjects:

a. What is VNC and its inherently legal uses
b. What is hVNC and why is it used in crime
c. Which financial malwares use hVNC
d. Show some of the hVNC dirty tricks and explain them.
e. Explain the reversing of Gozi ISFB’s hVNC module (architecture & structure)
f. Live Demo [1/2] - execute the hVNC module and present a live session
g. Live Demo [2/2] - Seeing the actual fraudster session (the hidden part) - script and demo.
h. Provide audience with detection/Mitigation advice.

This session is best suited for stakeholders who work in the anti-fraud departments of their organizations, malware researchers, analysts, and cybercrime investigators. The session requires basic understanding of what banking Trojans are, but does not require specific technical knowledge beyond an information security background.

Or Safran is a malware researcher at IBM Trusteer since three years and holds a Bachelor of Science degree in computer software engineering.

Pavel Asinovsky is a malware researcher at IBM Trusteer for the last two years. Prior to that Pavel worked as a malware researcher for F5 networks and as a malware analyst at RSA-EMC. Pavel has a wide experience and interest in malware analysis.

Insecurity In Information Technology

Tanya Janca (Canadian Government)

A lot is expected of software developers these days; they are expected to be experts in everything despite very little training.  Throw in the IT security team (often with little-to-no knowledge of how to build software) telling developers what to do and how to do it, and the situation is further strained. This silo-filled, tension-laced situation, coupled with short deadlines and mounting pressure from management, often leads to stress, anxiety and less-than-ideal reactions from developers and security people alike.

This talk will explain how people’s personal insecurities can be brought out by leadership decisions in the way we manage our application security programs, and how this can lead to real-life vulnerabilities in software and other IT products.  This is not a soft talk about “feelings”, this is a talk about creating programs, governance and policies that ensure security throughout the entire SDLC.

No more laying blame and pointing fingers, it’s time to put our egos aside and focus on building high-quality software that is secure. The cause and effect of insecurities and other behavioural influencers, as well as several detailed and specific solutions will be presented that can be implemented at your own place of work, immediately. No more ambiguity or uncertainty from now on, only crystal clear expectations.

Tanya Janca is an application security evangelist, a web application penetration tester and vulnerability assessor, trainer, public speaker, an ethical hacker, the Co-Leader of the OWASP Ottawa chapter, an effective altruist and has been developing software since the late 90’s.  She has worn many hats and done many things, including; Web App PenTesting, Technical Training, Custom Apps, Ethical Hacking, COTS, Incident Response, Enterprise Architect, Project and People Management, and even Tech Support. She is currently helping the Government of Canada to secure their web applications. 

How To Hide Your Browser 0-days: Free Offense And Defense Tips Included

Zoltan Balazs (MRG Effitas)

Zero-day exploits targeting browsers are usually very short-lived. These zero-days are actively gathered and analyzed by security researchers. Whenever a new 0-day becomes known by the security industry, protections against the exploit are shared, AV/IDS signatures made, patches deployed, and the precious 0-day loses its value.

For example, when Ahmed Mansoor was targeted by an iOS 0-day exploit (August 2016). the Citizen Lab analyzed the 0-day exploit, and Apple patched the vulnerability within days (http://bit.ly/2bm8ueo). Whoever targeted Mansoor, lost a precious 0-day exploit worth hundreds of thousands of dollars.

In my research, I propose a solution for law enforcement, 0-day brokers, and advanced attackers to protect their browser exploits. The key step is to establish a key agreement between the exploit server and the victim browser. After a shared key is set up, attackers can encrypt the real exploit with AES. It is recommended to encrypt both the code to trigger the exploit, and the shellcode. This idea was first published by me (http://bit.ly/2mnvfYE), and quickly adopted by exploit kit developers in-the-wild.

During my presentation, I will propose solutions for defenders to analyze these attacks, countermeasures for attackers to further complicate this kind of analysis and release a POC Ruby code which can be integrated into Metasploit. So far, no encrypted browser exploit delivery code is available in the public to test or implement these attacks.
In addition to protecting the 0-day exploits from analysis, my proposed solution is also able to stay under the radar in IDS systems or Next Generation IDS systems (a.k.a. breach detection systems, APT detection systems). This is aligned with the trend that perimeter security is becoming less effective due to mobile devices and the increasing number of encrypted channels.

Zoltan (@zh4ck) is the Chief Technology Officer at MRG Effitas, a company focusing on AV testing.Before MRG Effitas, he had worked as an IT Security expert in the financial industry for 5 years and as a senior IT security consultant at one of the Big Four companies for 2 years. His main expertise areas are penetration testing, malware analysis, computer forensics and security monitoring. He released the Zombie Browser Tool that has POC malicious browser extensions for Firefox, Chrome and Safari. He is also the developer of the Hardware Firewall Bypass Kernel Driver (HWFWBypass) and the Sandbox tester tool to test Malware Analysis Sandboxes. He has been invited to give presentations worldwide at information security conferences including DEF CON, Hacker Halted USA, Botconf, AusCERT, Nullcon, Hackcon, Shakacon, OHM, Hacktivity and Ethical Hacking.
Zoltan passed OSCE recently, and he is very proud of it.

Repairing The internet With Responsible Disclosures

Victor Gevers (0xDUDE) (GDI.foundatoin)

In 2016 a non-profit organization, GDI.foundation, operated by volunteers, started reporting vulnerabilities as responsible disclosures (coordinated vulnerability disclosures) and helping victims of ransom attacks worldwide under the name PROJECT366.

As chairman & co-founder of that organization I would like to share the experiences and challenges they have faced so far. In the last 19 years I, Victor Gevers (@0xDUDE) have made over 5,250 security reports without getting in trouble with the law. In this talk, you’ll be taken through the experiences of the last 19 years in “how you could report ‘bad news’ and show our attempts to report as many vulnerabilities as humanly possible and how to deal with those on the other side, the organizations who receive these reports and the challenges each side faces.

Victor Gevers (also known as 0xDUDE) is a senior security specialist working as innovation manager for the Dutch Government, specialized in network, mobile, and web application security.He performs research on state-of-the-art attack and defense mechanisms, hacking techniques and OSINT. In his free time he is a vulnerability researcher and hunts down weak security implementations.On several occasions he has being pointed out to be a true responsible disclosure evangelist, practicing the art over 19 years and has made over five thousand responsible disclosures world-wide.

Malware Analysis: A Machine Learning Approach

Chiheb Chebbi (TEK-UP University)

Threats are a growing problem for people and organizations across the globe.With millions of malicious programs in the wild it has become hard to detect zero-day attacks and polymorphic viruses.This is why the need for machine learning-based detection arises ... A good understanding of malware analysis and Machine learning models is vital to ensure taking wise decisions and building a secure environment by being capable of correctly identifying and mitigating such potential threats

Chiheb Chebbi is an InfoSec enthusiast and Security Researcher with experience in various aspects of Information Security, focusing on investigation of advanced cyber attacks and researching cyber espionage and APT attacks.His core interest lies in "Web Applications security" and "Industrial Control Systems”. 2016 he was included in the Alibaba Security Research Center Hall Of Fame. He gave talks at the 4th Annual BSides Tampa IT Security Conference 2017 Florida USA, Black Hat Europe London 2016, NASA Space Apps Challenge 2015 and 2016, Global Windows Azure Boot camp 2014: Revolutionizing Education using cloud Computing, International Institute of technologies Sfax 2014: Introduction to Cloud Computing, Research Center in Informatics, Multimedia and Digital Data Processing of Sfax
2014: the future of Software industry

PeopleSoft: Hack The Planet's Universities

Dmitry Yudin (https://erpscan.com)

The PeopleSoft Campus Solutions is used in more than 1000 universities worldwide. In this presentation we will show how to use several vulnerabilities to gain access to the entire information system of the University. And it means grade fraud, sabotage, access to student information, access to credit cards, bills, payment plans, fees, etc. In this presentation, we'll look at the architecture of peoplesoft products, its strengths and weaknesses. We show attack surface, and demonstrate a practical attack on the system. We also prove how one vulnerability affects a whole family of products, Oracle PeopleSoft, not just PeopleSoft Campus Solutions.

Dmitry Yudin is a security researcher at ERPScan. Exploit developer, bug hunter, Linux fan.

Skip Tracing For Fun And Profit

Rhett Greenhagen (McAfee)

This talk covers skip tracing TTPs and countermeasures in the digital and human domains. The audience will be guided through two real world examples of how a regular citizen can use open source tools, exploits, and social engineering to assist law enforcement and profit. Some examples include phishing websites tailored to a fugitive’s resume, geolocating a target through video game clients, and using social media meta-data to build pattern-of-life. As the audience is moved through the process step by step, online and offline countermeasure such as USPS forwarding, false resume writing, and secure communications will also be covered.

Rhett Greenhagen has worked in the NetSec/IC for over a decade. He specializes in open source intelligence, cyber counter-intelligence, profiling, exploitation, malware analysis, and technical research and development. Career highlights include Primary Forensic Investigator for the DoD’s largest data center as well as senior technical positions for multiple defense contracting companies. Rhett is currently working for the Advanced Programs Group at McAfee.

The Future of the Internet

Josh Pyorre (Cisco/OpenDNS)

Where are we headed with all our things as they become connected to the internet? Everything is already so vulnerable, but companies are building convenient products and services so fast without thinking about the security issues. This talk is a little bit technical and a bit philosophical. I'll be walking through some interesting technology and the issues they're causing as we adopt a lifestyle of technological convenience.

Josh Pyorre has worked in security for over 14 years. Prior to working with Cisco Umbrella, he was a threat analyst at NASA and part of the team that built the NASA Security Operations Center. He has worked with Mandiant, helping to build their SOC and conducting incident response. Before working in security, Josh was the technical director for a non-profit providing assistance to the homeless in San Francisco.
His professional interests involve network, computer and data security with a goal of maintaining and improving the security of as many systems and networks as possible.

Josh has presented at Defcon, B Sides (Austin, Las Vegas, Chicago, San Francisco, Los Angeles, Amsterdam, Vienna), Source (Boston, Seattle), Derbycon, InfoSecurity World Europe, DeepSec (Vienna), Qbit (Prague), NASA (Ames Research Center) and other locations for law firms and government entities.

Publication and media:
Podcasts: He hosted season 1 of rootaccesspodcast.com and was a guest on Security Weekly #435: https://www.youtube.com/watch?v=38y8jGT-UJs

Uncovering And Visualizing Botnet Infrastructure And Behavior

Josh Pyorre & Andrea Scarfo (OpenDNS/Cisco)

How much information about a botnet can one find using a single IP address, domain name or indicator of compromise (IOC)?
What kind of behavior can be determined when looking at attacker and victim infrastructure?

In an attempt to discover and analyze the infrastructure behind large-scale malware activity, we began our research with known indicators from popular botnets, such as Necurs.

Our presentation will highlight co-occuring malicious activities observed on the infrastructure of popular botnets.
We will demonstrate practical techniques for analyzing botnet and malware traffic to provide context that can be used in identifying actor and victim infrastructure and to discover additional IOC's.
We will also show how political and societal world events may influence specific types of malware activity based on locations and times of malware events.
Finally, we will demonstrate a visualization framework that can be used to better understand the connections between infrastructure, threats, victims, and malicious actors.

Josh and Andrea are Security Researchers with Cisco Umbrella (formerly OpenDNS).

Andrea began her career in Support and worked as a Sysadmin for 12 years. She has worked with Hewlett Packard and the Town of Danville, California. Security has always been her passion. She began working with OpenDNS as a Security Researcher on the Security Research team in 2015 and spends her days working to make the Internet a safer place by hunting attackers and malware. She presented at B Sides Las Vegas in 2016.

Josh has worked in security for around 14 years. He's been a threat analyst at NASA, where he was part of the team that built the NASA Security Operations Center. He also helped to build the SOC at Mandiant. His professional interests involve network, computer and data security with a goal of maintaining and improving the security of as many systems and networks as possible. Josh has presented at Defcon, B Sides Austin, Chicago, San Francisco, Los Angeles and Vienna, Source Boston, Source Seattle, Derbycon, InfoSecurity World, DeepSec Vienna and Qbit Prague. He hosted season 1 of rootaccesspodcast.com

Intel AMT: Using & Abusing The Ghost In The Machine

Parth Shukla (Google)

Come see how Intel AMT can be used to completely own a modern machine permanently and without detection.

In the first half of the talk, we’ll see how an attacker can abuse the legitimate functionalities of Intel AMT to gain long term persistent access with little to no chance of detection. The demoed attack can be executed to take ownership of AMT in less than 60 seconds - either through supply chain or temporary physical access. We will then show how AMT can be used for persistent access to the machine via readily available and easy-to-use C&C tools. Finally, we will cover possible mitigations and preventions against such attacks.

In the second half of the talk, we will walk through the process of doing non-destructive forensics on an Intel AMT to which we don’t know the admin password (i.e. potentially attacker controlled!). We will also describe how to reclaim ownership of the AMT once forensics is complete. Finally, we will be releasing the Linux tooling we developed in order to facilitate AMT forensics.

What is Intel AMT?

Intel AMT is an out-of-band, always-on management technology, embedded into Intel chipsets supporting vPro technology, intended to allow remote management of equipment without the need for a functioning OS. Intel AMT is commonly available on all Intel-based business laptops & desktops as well as many high end consumer laptops & desktops.

Parth Shukla is a Security Engineer and member of Google's Infrastructure Protection team. He works on efforts related to improving firmware integrity, verification and transparency.

Prior to Google, Parth was an Information Security Analyst at the Australian Computer Emergency Response Team (AusCERT). While at AusCERT, Parth analysed the non-public data of the Carna Botnet that he obtained exclusively from the anonymous researcher of Internet Census 2012. Parth released a white paper on this analysis (bit.ly/carna-paper) and presented on it at various conferences, including: DeepSec 2013 in Vienna, Austria; Blackhat Sao Paulo 2013 in Sao Paulo, Brazil; APNIC 36 in Xi’an, China and AusCERT 2013 in Gold Coast, Australia.

Normal Permissions In Android: An Audiovisual Deception

Constantinos Patsakis (University of Piraeus)

Marshmallow was a significant revision for Android. Among the new fea-
tures that were introduced one of the most significant is without any doubt the
runtime permissions. The permission model was totally redesigned categorising
the permissions into four main categories. The main concept of this categorisa-
tion is to how much risk a user is exposed to when permissions are granted. Normal permissions imply the least risk for the user. However, there are some
important issues in this case. Firstly, these permissions are not actually dis-
played to the user; they are not displayed upon installation and the user needs
to dig into several menus to find them for each app. Most importantly though,
these permissions cannot be revoked. Unlike dangerous permissions, where the
user can grant or revoke a permission whenever deemed necessary, the normal
persmissions are automatically granted and cannot be revoked, unless the user
uninstalls the app that uses them. The research question that arises from this
change is whether the apps that request only normal permissions are benign.
Note that an app requesting only normal permissions will never request any
alerting action from the user, hence the user is more probable to install it and
not worry about it. Furthermore, since these persmissions are automatically
granted, this means that any malicious action that could be made with such
permissions can be ported to any installed app as they will not require any user
Our extensive experiments have shown that apps based only on the normal
permissions are far from being considered benign as they can exploit many na-
tive Android mechanisms to perform many malicious actions. More precisely, we
present many methods which exploit the capabilities of user interface, voice as-
sistants and intents in Android that lead to serious security issues. An overview
of where these actions can be applied will be illustrated, indicating where
Nougat is still vulnerable. The attacks which will be presented have already been disclosed to Google and Microsoft, and in some of these cases the appropriate patches have been made.

Assistant Professor Constantinos Patsakis (male) holds a B.Sc. in Mathematics from the University of Athens, Greece and a M.Sc. in Information Security from Royal Holloway, University of London. He obtained his PhD in Cryptography and Malware from the Department of Informatics of University of Piraeus. His main areas of research include cryptography, security, privacy, data anonymization and malware analysis.
He is the author of more than 70 publications in peer reviewed international conference proceedings and journals and has been teaching computer science courses at European universities for more than a decade. Dr Patsakis has been working in the industry as a freelance developer and security consultant. He has participated in several national (Greek, Spanish, Catalan and Irish) and European R&D projects. Additionally, he has worked as researcher at the UNESCO Chair in Data Privacy at the Rovira i Virgili University (URV) of Tarragona, Catalonia, Spain and as a research fellow at Trinity College, Dublin Ireland.

Out-Of-Order Execution As A Cross-VM Side Channel And Other Applications

Sophia d’Antoine, Jeremy Blackthorne, Bülent Yener (Trail of Bits, Rensselaer Polytechnic Institute)

Given the rise in popularity of cloud computing and platform-as-a-
service, vulnerabilities, inherent to systems which share hardware
resources, will become increasingly attractive targets to malicious
software authors.
In this paper, we introduce a novel side channel across virtual
machines through the detection of out-of-order execution. We cre-
ate a simple duplex channel as well as a broadcast channel. We
discuss possible adversaries for this channel and propose further
work to make this channel more secure, efficient and applicable
in realistic scenarios. In addition, we consider seven possible mali-
cious applications of this channel: theft of encryption keys, program
identification, environmental keying, malicious triggers, denial of
service attacks, determining VM co-location, malicious data injec-
tion, and side channels.


Hacking The Brain For Fun And Profit

Stefan Hager (DATEV eG)

When we're talking and thinking about security, we very often have a rather fixed mindset and keep using what we think are proven methods. We tend not to question our decisions and thoughts, and the way how our brains work reaffirms our bias and our mediocre choices. In this talk we take a closer look at how we are thinking, and how we can change or expand this as well as our perception, by hacking into our own brains in order to get a clearer picture of what we really want and need. New ways of thinking and creativity can be a vital new asset for blue and red teams.

Stefan is a member of the Internet Security team at the software company DATEV eG. After starting out as a programmer in the nineties he switched to cybersecurity shortly afterwards. Since 2000 he has been securing networks and computers for various enterprises in Germany and Scotland. His main focus nowadays is threat research, raising security awareness and discussing new ideas concerning threat mitigation. When not trying to do any of the stuff mentioned above, he is either travelling, fiddling around with hardware or trying to beat some hacking challenge. Stefan also writes blog posts (in English and German) on his site cyberstuff.org.

Forensic Accounting – The What, Why And How

Ulrike Hugl (University of Innsbruck)

As of late, Forensic Accounting seems to be the fastest growing area of accounting. The Association of Certified Fraud Examiners (ACFE) - the world’s largest anti-fraud organization - states that “Forensic Accountants combine their accounting knowledge with investigative skills in various litigation support and investigative accounting settings”; or more detailed: they are performing forensic research to trace funds and identify assets for recovery, conducting forensic analysis of financial data, and preparing forensic accounting reports from financial findings and analytical data for litigation. All in all, they are forced to grasp the substance of situations and look beyond the numbers. (http://www.acfe.com) In the Guide to Forensic Accounting Investigations (edited by Golden et al., 2011), Skalak et al. state that an audit responds to the risk of fraud, while forensic accounting investigation responds to allegation, suspicions, or evidence of fraud. The latter is examined by various current studies.
This contribution gives an overview of “What” is forensic accounting, “Why” it is needed, “What” techniques and practices exist and skills of accountants are important, as well as “How” it works (forensic data analysis) and may benefit business. Furthermore, ways of prevention, risk factors, indicators for internal offenders as well as starting points for trends and future research will be presented.

University of Innsbruck, Dr. Ulrike Hugl
Prof. Ulrike Hugl is a senior scientist and lecturer at the University of Innsbruck (School of Management), Department of Accounting, Auditing and Taxation. She is a member of various scientific committees of international conferences and a reviewer of several journals. Her research mainly focuses on new technologies with impacts on information security and data protection of organizations, as well as on occupational/corporate crime (especially insider threat) and industrial espionage issues.

On The (In-)Security Of JavaScript Object Signing and Encryption

Dennis Detering, Juraj Somorovsky, Christian Mainka, Vladislav Mladenov, Jörg Schwenk (Horst Görtz Institute for IT Security, Chair for Network and Data Security, Ruhr-University Bochum)

JavaScript Object Notation (JSON) has evolved to the de-
facto standard file format in the web used for application
configuration, cross- and same-origin data exchange, as well
as in Single Sign-On (SSO) protocols such as OpenID Con-
nect. To protect integrity, authenticity and confidentiality
of sensitive data, JavaScript Object Signing and Encryp-
tion (JOSE) was created to apply cryptographic mechanisms
directly in JSON messages.
We investigate the security of JOSE and present different
applicable attacks on several popular libraries. We introduce
JOSEPH (JavaScript Object Signing and Encryption Pen-
testing Helper) – our newly developed Burp Suite extension,
which automatically performs security analysis on targeted
applications. JOSEPH’s automatic vulnerability detection
ranges from executing simple signature exclusion or signa-
ture faking techniques, which neglect JSON message integrity,
up to highly complex cryptographic Bleichenbacher attacks
breaking the confidentiality of encrypted JSON messages. We
found severe vulnerabilities in six popular JOSE libraries.
We responsibly disclosed all weaknesses to the developers
and helped them to provide fixes.


Making Security Awareness Measurable

Stefan Schumacher (Magdeburger Institut für Sicherheitsforschung)

Security awareness campaigns aim at educating and training your workforce with regards to IT security. Those trainings take time and can be rather complex - which makes them also expensive. However, we still lack the scientific base of how to design a successful security awareness campaign and how to evaluate it's success. Especially when it comes to elaborate social engineering attacks. In this talk I will introduce scientific sound methods and tools from industrial and organisational psychology and industrial education to measure the success of security awareness campaigns. I will show human factors that enable or limit the success of training campaigns and how to enhance future campaigns based on lessons learned from former campaigns. All while keeping in mind that humans are not the weakest link in a security system, but the only defensive measure we have.

Stefan Schumacher is the president of the Magdeburg Institute for Security
Research and editor of the Magdeburg Journal for Security Research in
Magdeburg/Germany. He started his hacking career before the fall of the
Berlin Wall, on a small East German computer with 1.75 MHz and a Datasette drive.
Ever since he liked to explore technical and social systems, with a focus on
security and how to exploit them. He was a NetBSD developer for some years and
involved in several other Open Source projects and events. He studied Educational
Science and Psychology, has done a lot of unique research about the Psychology of
Security with a focus on Social Engineering, User Training and Didactics of
Security/Cryptography. Currently he's leading the research project Psychology of
Security,focusing on fundamental qualitative and quantitative research about the
perception and construction of security.
He presents the results of his research regularly at international conferences like
AusCert Australia, Chaos Communication Congress, Chaos Communciation Camp,
DeepSec, DeepIntel, Positive Hack Days Moscow or LinuxDays
Luxembourg and in security related journals and books.

I Wrote my Own Ransomware; Did Not Make 1 Iota Of A Bitcoin

Thomas Fischer (Digital Guardian)

2016 saw a substantial rise in ransomware attacks and in some cases the return of some favourites with Cryptowall, CTB-LOCKER and TeslaCrypt being some of the most popular. The volume of attacks was in fact pretty steady for a good part of the year, with regular campaigns coming out on a weekly basis. It was interesting to see the variety in mechanisms used for the ransomware which not only included self-contained binaries but went all the way to the use of scripts. As part of the research I conducted last year, I wanted to understand why there's such a drive and lure for ransomware, outside of the victims payment, as well as have some way of properly testing "anti-ransomware" solutions with an unknown variant. So to do that, I went ahead and built my own ransomware and drew some conclusions on why it became so popular. This talk explore the background and process used to build a live ransomware that I was able to use for controlled testing. To finally draw some of my own personal conclusions.

With over 25+ years experience, Thomas has a unique view on security in the enterprise with experience in multi domains from risk management, secure development to incident response and forensics. In his career, he's held varying roles from incident responder to security architect for fortune 500 companies as well as industry vendors and consulting organizations. Currently he plays a lead role in advising customers while investigating malicious activity and analyzing threats for Digital Guardian. He's also a strong advocate of knowledge sharing and mentoring through being an active participant in the infosec community, not only as a member but also as director of Security BSides London and as an ISSA UK chapter board member.

Enhancing Control Flow Graph Based Binary Function Identification

Clemens Jonischkeit, Julian Kirsch (Technical University of Munich)

Detection of binary functions in compiled code is a major stepping
stone towards any advanced binary analysis technique. Nucleus [1]
is a novel algorithm based on the idea of using the interprocedural
control flow graph to detect function boundaries. Building upon this
technology we propose a new approach to solve the related problem
of identifying previously-seen known functions within a binary.
Our idea is based on comparing the control flow graphs (CFGs)
of unknown functions from a binary to known functions from a
previously generated database. Compared to traditional approaches,
our method is aware of the underlying graph matching problem
being performed on CFGs of binary code: First, it utilizes instruction
level knowledge about basic blocks as additional constraints for
graph isomorphism. Second, optimizations and transformations
introduced by different compilers affecting the shape of the CFG
are taken into account.
Our approach aims to avoid false positives (wrongly assigning a
known function symbol to an unknown function) at all cost: The
evaluation shows that this method is very effective in reducing false
positive matches (below one percent in most cases) maintaining
recall rates as high as 72.8% when matching functions across two
different nginx versions (1.12.1 and 1.10.3).


Cloud Of Suspicion: Scaling Up Phishing Campaigns Using Google Apps Scripts

Maor Bin (Proofpoint)

Google Apps Scripts is a JavaScript cloud scripting language that provides easy ways to automate tasks across Google products and third party services and build web applications. However, it also provides relatively easy ways for attackers to automate infiltration, propagation, exfiltration and maintaining access to a compromised G Suit powered organization. While the platform has been used successfully for C&C (Carabank) previously, we feel it only scratched the surface as potential vectors go.

In this talk we'll present original and innovative methods of launching classical attacks using Google Scripts as well as possible ways of detecting and preventing those attacks.

Presentation Outline

1. Scripts intro & background.
- Types of scripts
- Capabilities & limitations 

2. Infiltration examples
- Standalone/URL — direct script sent to a victim, using the Google domain as the trust vehicle
- Bounded scripts — scripts can be embedded to documents, much like Office Macros, having similar capabilities,

3. Exfiltration / Communication Examples
- Auto forward emails — bypass Google forward limitation, forward users email to us, remove traces of sent email
- Post to external URL — post selected files contents via encoded headers to a remote drop location of our choice
- Google scripts as C&C — (Carabank discussion?)

** DEMO ** Use Google apps script as a self executing javascript inside a Google Doc and send it to multiple users as a phishing campaign.

4. Propagation - “Google Docs” worm discussion. Creating “Google Docs” worm with Google Apps Scripts

5. Detecting and preventing malicious scripts
- Whitelist / Blacklist, permission based, pre-defined
- Scripts Static Analysis, enumeration based on scripts contents

Maor works as a research lead at Proofpoint, as part of the SaaS Protection product. 
We are researching customers' data in order to identify risks and threats in their
cloud environment. We're also researching new and innovative attack vectors,
so we would be able to block it when it becomes active. 
Prior he used to work as a mobile researcher and (reverse eng) for several years.

BITSInject - Control Your BITS, Get SYSTEM

Dor Azouri (Security researcher @SafeBreach)

Windows’ BITS service is a middleman for your download jobs. You start a BITS job, and from that point on, BITS is responsible for the download. But what if we tell you that BITS is a careless middleman?

We have uncovered the way BITS maintains its jobs queue using a state file on disk, and found a way for a local administrator to control jobs using special modifications to that file.
Comprehending this file’s binary structure allowed us to change a job’s properties (such as RemoteURL, Destination Path...) in runtime and even inject our own custom job, using none of BITS’ public interfaces. This method, combined with the generous notification feature of BITS, allowed us to run a program of our will as the LocalSystem account, within session 0.

So if you wish to execute your code as NT AUTHORITY/SYSTEM and the first options that come to mind are psexec/creating a service, we now add a new option: BITSInject.
Here, we will not only introduce the practical method we formed, but also: Reveal the binary structure of the state file for you to play with, and some knowledge we gathered while researching the service flow;
We will also provide free giveaways: A one-click python tool that performs the described method; SimpleBITSServer - a pythonic BITS server; A struct definition file, to use for parsing your BITS state file.

Dor's a security professional, having 6+ years of unique experience with network security, malware research and infosec data analysis. Currently he's doing security research @SafeBreach.

Security Analysis Of The Telegram IM

Tomas Susanka & Josef Kokeš (Czech Technical University in Prague)

Telegram is a popular instant messaging service, a self-described fast and secure solution. It introduces its own home-made cryptographic protocol MTProto instead of using already known solutions, which was criticised by a significant part of the cryptographic community. In this talk, we will briefly introduce the protocol and then present two major findings we discovered as part of our security analysis performed in late 2016. First, the undocumented obfuscation method Telegram uses, and second, a replay attack vulnerability we discovered. The analysis was mainly focused on the MTProto protocol and the Telegram's official client for Android.

Tomas Susanka interested in computer security and cryptography, mostly trying to understand the world of applied cryptography – cryptographic protocols, instant messengers, sometimes cryptocurrencies.

How Secure Are Your VoLTE And VoWiFi Calls?

Sreepriya Chalakkal (ERNW GmbH)

Voice over LTE (VoLTE) as well as Voice over WiFi (VoWiFi) are variants of Voice over IP that makes use of IP Multimedia Subsystem (IMS) in its backend. In this talk, we identify five different attacks on VoLTE/VoWiFi.

This includes mainly (i)sniffing VoLTE/VoWiFi interfaces, (ii)extracting IPSec keys from IP Multimedia Services Identity Module (ISIM) that is embedded within the SIM card, and (iii)performing three different kinds of injection attacks in Session Initiation Protocol (SIP) headers that are used for signaling of VoLTE/VoWiFi.As a result of VoLTE/VoWiFi sniffing, we identified information disclosures such as leaking IMSI, IMEI, location of users and private IP of IMS. 

We also managed to extract the ciphering key and the integrity key (CK/IK) used for IPSec from ISIM with the help of a hardware device called SIMTrace.
We also discuss three different SIP header injection attacks that enables location manipulation and side channel attacks.

It is important to note here that all these attacks are valid on the current 3GPP standards that are used by telecom providers. Thus understanding the attacks and mitigating them is of high relevance.

This is a continuation of the work presented by Schmidt et.al in the talk IMSecure – Attacking VoLTE at Areas41 conference, 2016.

Sreepriya works at ERNW GmbH as a security researcher focused on Telecommunication security.  She completed her masters from Technical University of Berlin and University of Trento with a dual degree in Computer Security and Privacy in March 2017.
Passionate about the security aspects of softwares and protocols. These days, she spends her time playing with telecommunication devices and sim cards. Sreepriya likes to do security analysis of large code bases, packet captures and logs.She's inspired by the mission "Making the world a safer place" and loves to work towards fulfilling that goal.

Essential Infrastructure Interdependencies: Would We Be Prepared For Significant Interruptions?

Herbert Saurugg (Cyber Security Austria)

Cyber Security and Critical Infrastructure Protection (CIP) are major topics almost everywhere. Its priority has also increased during recent years because of rising incidents, even if the focus is still on a sectoral approach and on prevention. And there's the issue of delayed detection.How to cope with significant infrastructure interruptions if protection efforts fail and possible cascading effects occur is hardly public knowledge, nor do people have the necessary capabilities to deal with them. The shared belief that it won’t happen is still overwhelming. But it could be a Turkey-Illusion.
DDoS, IoT-attacks, ransomware, vulnerabilities, unpatchable IT-systems, ... the list of current IT-problems and challenges is endless. Every security expert is daily fighting an unwinnable battle. But what would it mean to our society, if infrastructure systems fail on a broad scale? How can we reduce these risks? And how can we make infrastructures more robust and people resilient?
This talk will look at cyber security from a different perspective and open your eyes to a hardly recognised danger to our modern and heavily interconnected world.

Herbert Saurugg has been a career officer in the ICT-Security Section of the Austrian Armed Forces until 2012. Since then he has been on leave and is engaged in raising awareness about the increasing systemic risks due to the rising interconnections and dependencies between many Critical Infrastructures, which is contributing to extreme events. He is known as an expert on the topic of blackout: a Europe-wide power-cut and infrastructure collapse. He is also a founding member of the association Cyber Security Austria which is the mastermind behind the European Cyber Security Challenge. As a result of his systemic reflections he is calling for more efforts to raise awareness and resilience throughout our societies to face major extreme events in the foreseeable future.

BitCracker: BitLocker Meets GPUs

Elena Agostini (National Research Council of Italy)

BitLocker is a full-disk encryption feature available in recent Windows versions. It is designed to protect data by providing encryption for entire volumes and it makes use of a number of different authentication methods. In this work we present a solution, named BitCracker, to attempt the decryption, by means of a dictionary attack, of memory units encrypted by BitLocker with a user supplied password. To that purpose, we resort to GPU (Graphics Processing Units) that are, by now, widely used as general-purpose coprocessors in high performance computing applications.
BitLocker decryption process requires the execution of a very large number of SHA-256 hashes and also AES, so we propose a very fast solution, highly tuned for Nvidia GPU, for both of them. In addition we take the advantage of a weakness in the BitLocker decryption algorithm to speed up the execution of our attack.
We benchmark our solution using the three most recent Nvidia GPU architectures (Kepler, Maxwell and Pascal), carrying out a comparison with the Hashcat password cracker.
Finally, our OpenCL implementation of BitCracker has been recently released within John The Ripper, Bleeding-Jumbo version.

Elena Agostini received her PhD in Computer Science from the University of Rome “La Sapienza” in collaboration with the National Research Council of Italy. The main topics of her research are GPUs used both for cryptanalysis or communications and wireless network protocols.

Bypassing Web Application Firewalls

Khalil Bijjou (EUROSEC GmbH)

This talk will teach you how to attack applications secured by a WAF. The presenter will describe the newest WAF bypassing techniques and provide a systematic and practical approach on how to bypass WAFs. WAFNinja, a tool that helps to find vulnerabilities in WAFs, will be introduced.

Khalil Bijjou is an enthusiastic ethical hacker, bug hunter and penetration tester for the german IT security consulting firm EUROSEC. He performs security assessments for major companies especially in the field of web, mobile and SAP security. Khalil reached the 2nd place in the German Post IT Security Cup 2015 and was a speaker at PHDays, Moscow and DefCamp, Bucharest.

OpenDXL In Active Response Scenarios

Tarmo Randel (CCDCOE)

Automating response to cyber security incidents is the trend which is - considering increasing amount of incidents organizations handle and ever-increasing attack surface - already becoming mainstream.

In this talk I explore the options for exploiting OpenDXL in the real life situation of mixed environments, legacy solutions and multiple vendors for connecting existing and future cyber security system components for coordinated information exchange and orchestrating incident response actions.

Tarmo is a researcher at NATO Cooperative Cyber Defence Center of Excellence, various research projects and developing for large scale cyber exercises. He's also a developer at the Estonian eHealth Foundations, "Kickstarting" in-house development team. Tarmo's creating supporting infrastructure, preparations and execution of plans for taking over selected external vendor development projects. He's Head of Department at CERT-EE, Running Computer Emergency Response Team, Information security expert at CERT-EE, creating new tools and implementing existing to understand what is going on in networks. Tarmo's detecting and mitigating cyberattacks, analysing malware, planning and executing public awareness raising campaigns and supporting building trusted information security community network.

System administrator at Tele2 & Trigger Software, Converting legacy systems to modern, expandable high availability systems. Coding in PHP, C. Looking for and eliminating performance bottlenecks. Supporting development infrastructure.

How I Rob Banks

Freakyclown (Redacted Firm)

A light-hearted trip through security failures both physical and electronic that have enabled me over the years to circumvent security of most of the worlds largest banks. Through the use of tales from the front line and useful illustrative slides, I will attempted to take you through the lessons to be learned from an ethical hacker with a penchant for breaking into the impossible. Let me take you on a rollercoaster ride of epic fails and grandiose plans and my Jason Bourne like adventures including Lockpicking, Kidnap, Police chases and multi-million pound bank heists.

FC is a well-known ethical hacker and social engineer. He has been working in the infosec field for over 20 years and excels at circumventing access controls. He has held positions in his career such as Senior Penetration Tester as well as Head of Social Engineering and Physical Assessments for renowned penetration companies. As the former Head of Cyber Research for Raytheon Missile Systems, and having worked closely alongside intelligence agencies, he has cemented both his skillset and knowledge as well as helped steer governments take correct courses of action against national threats.
As an ethical hacker and social engineer, FC ‘breaks into’ hundreds of banks, offices and government facilities in the UK and Europe. His work demonstrating weaknesses in physical, personnel and digital controls assists organisations to improve their security. He is motivated by a drive to make individuals, organisations and countries more secure and better-able to defend themselves from malicious attack.
Now Co-Founder and Head of Ethical Hacking at Redacted Firm, he continues to perform valuable research into vulnerabilities. His client list involves major high-street banks in the UK and Europe, FTSE100 companies and multiple government agencies and security forces. FC frequently gives talks at corporate events, security conferences, universities and schools and focuses on teaching people of all ages the art of security in an engaging and impactful way. He co-founded the Surrey and Hampshire Hackspace as well as Defcon 441452. He has co-hosted many podcasts, been featured in the press and regularly writes articles for journals and blogs.

Securing The Darknet

Jens Kubieziel (TorServers.net)

Tor's Onion Services are often labeled as "The Darknet". The place where people can do all sorts of things without the possibility of being discovered. In practice those services have quite a number of weaknesses and people do actively exploit them. This talk will present some of those attacks and countermeasures which are currently deployed.

Jens Kubieziel is a supporter of The Tor Project and helps to run several relays with TorServers.net. In his daytime job he helps to readjust the security assumptions of some companies.

A Story Of A Vulnerability: How To Execute Code On A Forensic Workstation

Wolfgang Ettlinger (SEC Consult)

EnCase Forensic Imager is a tool used by forensic investigators to gather evidence from storage media. We used a custom tool to fuzz the file system parser code of this product and found a buffer overflow vulnerability in the LVM2 parser. We demonstrate our approach we used to fuzz EnCase Forensic Imager, describe the technical details of the vulnerability and show how this vulnerability can be exploited to execute arbitrary code on the investigator's machine. We wrap up our talk by discussing the impact of this vulnerability on forensic evidence.

Wolfgang Ettlinger has worked as a technical security consultant for SEC Consult for the past 4 years. He graduated MSc Secure Information Systems at the University of Applied Sciences Upper Austria. He has an interest in many information security topics ranging from binary exploitation to cryptography. In the past years, Wolfgang Ettlinger published several security advisories demonstrating vulnerabilities in multiple software products.

Building Security Teams

Astera Schneeweisz (SoundCloud)

While 'security is not a team', you'll find that most companies growing just beyond 60-80 people start employing a group of people focusing primarily on the topic. But the culture of secure engineering in a company does not only strongly correlate with when you start building a security team - it becomes (and grows as) a matter of how they connect with the rest of your organization, and make security, adversarial thinking, and the care for user safety and privacy part of everyone's concern. In this talk, we will review what the purposes of a security team can be, which challenges you'll face, how you can make it scale beyond the team's boundaries; as well as proven good practices of running (fairly operational) engineering teams themselves. Whether your organization already has a security team or is currently distributing security demands across areas, you'll be able to take away how to build (out) a dedicated security team and make your engineers (and, spoiler alert, other teams!) happy, healthy, and sustainable for the years to come.

Astera has always been fascinated with machines and how to make them do her own bidding, working in defensive security for the past decade. More recently, she's grown to love and prioritize the challenge of working with real humans in her life, and exciting others about this frontier. She works as the Director of Security at SoundCloud's Berlin headquarters, overseeing the Security, User Auth, Anti-Abuse, and Corporate IT teams.