Participants will learn how to reverse engineer the wireless communication between Internet Of Things devices with Software Defined Radios (SDR) using the Universal Radio Hacker (URH). The workshop covers required HF basics such as digital modulations and encodings and shows how to reveal the protocol logic step by step and, finally, develop attacks against devices. For demonstration we will investigate and attack a wireless socket and a smart home door lock.

During the course of the workshop the communication of the two devices will be analyzed and reverse engineered. In conclusion, attacks on both devices will be developed.
By the end of the workshop we'll be able to switch the socket and open the door lock with SDRs.

This of course requires knowledge in the field of modulation, coding and Log formats, which will be pracitcally conveyed during the workshop. "Learning by doing" is the motto.
For this to work, the participants need their own computer to operate the software (Universal Radio Hacker) which we use to analyze the signals and bring them back in.

If attendees already own a software defined radio (f.ex.HackRF), they can record the signals and attack the devices themselves. If that's not the case, I can make the signals available online so participants can download and import them into the Universal Radio Hacker.

In short:

What do I need?
Must have: laptop / calculator
Nice to have: Software Defined Radio (f.ex. HackRF)

What awaits me?
- Picking up of raw signals with Software Defined Radios
- Demodulation of raw signals to get Bits
- Decoding of the Bits
- Reverse engineering of the protocol format (where are addresses,sequence numbers etc.)
- Developing of attacks with fuzzing and simulation
We will elaborate this on the basis of two practical examples.

In this intense 2-day class, students will learn the fundamentals of routing and switching from a blue and red team perspective. Using hands-on labs, students will receive practical experience with routing and switching technologies with a detailed discussion on how to attack and defend the network infrastructure. Students will leave the class with a good understanding of how to configure and operate routing and switching protocols as well as how to attack and defend the control, management and data planes in their organization networks.

Requirements: Students will need to bring a computer with Windows and VMware installed.
The students should have administrative privilege for installing software and configuring
VM’s. The Cisco CCNA simulator by Wendell Odem will be used for the majority of the lab
scenarios. Additional labs may utilize Mininet VM for SDN and NRL CORE for BGP.

Student software requirements for labs: CCNA Routing and Switching 200-125 Network Simulator, Download Version orderable at http://www.ciscopress.com/ or http://www.amazon.com/.

OSSEC is sometimes described as a low-cost log management solution but it has many interesting features which, when combined with external sources of information, may help in hunting for suspicious activity occurring on your servers and end-points. During this workshop, you will learn the basic of OSSEC and its components, how to deploy it and quickly get results. Then I will demonstrate how to deploy specific rules to catch suspicious activities. From an input point of view, we will see how easy it is to learn new log formats to increase the detection scope and, from an output point of view, how we can generate alerts by interconnecting OSSEC with other tools like MISP, TheHive or an ELK Stack / Splunk /etc...

With Malware featuring crypto-trojans (ransomware), banking-trojans, information- and credential-stealers, bot-nets of various specifications, and, last but not least, industry- or even state-driven cyber espionage, the analysis of this kind of software ıs becoming more and more important these days. With a naturally strong focus on Microsoft Windows based systems this entertaining first-contact workshop introduces you to one of the most demanding but nonetheless compelling fields in IT-Security. On the basis of an especially designed, exciting scenario blended with various technical detours packed into a 6-stages workshop, students will

• learn how easy it is to get infected by malicious software,

• learn to assess what’s possible and what isn’t,

• gain a comprehensive overview of the various malware categories and their according specifics,

• learn about the individual phases of malware analysis and according tools including hands-on experience,

• find out what malware analysts (are able to) do,

• develop and hence understand typical strategic concepts and tactics in reverse engineering,

• build a basic understanding of typical activities when dealing with cyber security incidents,

• develop a realistic perspective regarding possibly upcoming malware incidents regarding their company,

• learn a lot about the ”hidden“ gears under the hood of Microsoft Windows and modern operating systems in general and to locate and fill in gaps in their knowledge accordingly,

• gather/train their abilities to deal with unforeseeable and even chaotic situations in a flexible and constructive manner thinking outside the box,

• and, last but not least, build a stable foundation and therefore an ideal "trampoline" for next steps and further advancement in malware analysis.

Agenda

Station 1: Prologue – Who? How? What? Malware categories, adversaries, motives

Station 2: The Lab – Setup, concepts, strategies, pitfalls and common mistakes

Station 3: Initial Incident Handling – The first encounter

Station 4: Sample Extraction – The needle in the haystack

Station 5: Behavioral Analysis – Eavesdropping the OS

Station 6: Code Analysis – Machinecode, portable executables, disassemblers, debuggers, strategies

Prerequisites

A laptop!!! As this workshop also features hands-on sessions students are expected to bring a laptop matching the following requirements: During the workshop we will work with virtual machines based on Oracle’s free virtualization software VirtualBox. In this respect, please be sure that the laptop matches the according requirements (https://www.virtualbox.org/wiki/End-user documentation).

General requirements for your laptop:

• At least 80 GB free diskspace

• At least 8 GB RAM

• Activated virtualization support options in BIOS

• Installed (!!) 7-Zip Tool (http://www.7-zip.org/)

• Installed (!!) Oracle VirtualBox (https://www.virtualbox.org/)

This workshop describes security shortcomings in mobile networks, both in the core network and in radio network, for GSM, UMTS, and LTE. The purpose of this workshop is to educate the audience on the range of security risks associated with using mobile devices.

The workshop will start with a general overview of cellular technology, the structure and function of mobile networks, and types of security flaws common to all mobile networks, some of which are unavoidable. We will then proceed to specific examples of security failures for different technology types and different services. The workshop will include live demonstrations of some of these security failures. This workshop covers the mobile network and handset baseband only, and does not address Android, iOS, or application-layer security.

Until 2017 HackerOne bug hunters have earned $20 million in bug bounties and they are expected to earn $100 million by the end of 2020. Some of HackerOne customers include the United States Department of Defense, General Motors, Uber, Twitter, and Yahoo. This clearly shows where the challenges and opportunities lie for you in the upcoming years. What you need is a solid technical training by one of the Top 10 HackerOne bug hunters.

Modern web applications are complex and it’s all about full-stack nowadays. That’s why you need to dive into full-stack exploitation if you want to master web attacks and maximize your payouts. Say ‘No’ to classical web application hacking. Join this unique hands-on training and become a full-stack exploitation master.

After completing this training, you will have learned about:

- REST API hacking

- AngularJS-based application hacking

- DOM-based exploitation

- Bypassing Content Security Policy

- Server-side request forgery

- Browser-dependent exploitation

- DB truncation attack

- NoSQL injection

- Type confusion vulnerability

- Exploiting race conditions

- Path-relative stylesheet import vulnerability

- Reflected file download vulnerability

- Subdomain takeover

- and more…

WHAT STUDENTS WILL RECEIVE

Students will receive a VMware image with a specially prepared testing environment to play with the bugs. What's more, this environment is self-contained and when the training is over, students can take it home (after signing a non-disclosure agreement) to hack again at their own pace.

WHAT STUDENTS SHOULD KNOW

To get the most out of this training intermediate knowledge of web application security is needed. Students should be familiar with common web application vulnerabilities and have experience in using a proxy, such as Burp Suite Proxy, or similar, to analyze or modify the traffic.

WHAT STUDENTS SHOULD BRING

Students will need a laptop with a 64-bit operating system, at least 4 GB RAM (8 GB preferred), 35 GB free hard drive space, USB port (2.0 or 3.0), wireless network adapter, administrative access, ability to turn off AV/firewall and VMware Player/Fusion installed (64-bit version). Prior to the training, make sure there are no problems with running 64-bit VMs (BIOS settings changes may be needed). Please also make sure that you have Internet Explorer 11 installed on your machine or bring an up-and-running VM with Internet Explorer 11. (You can get it here: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/).

WHO SHOULD ATTEND

Penetration testers, bug hunters, security researchers/consultants



Mobile Apps are the most preferred way of delivering attacks today. Understanding the finer details of Mobile App attacks is soon becoming an essential skill for penetration testers as well as for app developers & testers. So, if you are an Android or an iOS User, a developer, a security analyst, a mobile pen-tester or just a mobile security enthusiast then ’Mobile App Attack’ is of definite interest to you. The training familiarizes attendees with in-depth technical explanations of some of the most notorious mobile (Android and iOS) based vulnerabilities, ways to verify and exploit them, along with the various Android, iOS application analysis techniques, inbuilt security schemes and teachings how to bypass those security models on both platforms.

The labs are equipped with intentionally crafted real-world vulnerable Android and iOS apps by the author and enables participants to learn the art of finding and exploiting flaws in mobile applications.

The platforms used for the trainings will be iOS 11 and Android 8.

Course Content:

Android Exploitation

– Introduction to ARM CPU

– Architecture, Registers and Modes of Operations

– ARM Assembly

– Debugging

– Stack Overflow in ARM

– Writing your first shellcode

ARM Exploitation

– Introduction to ARM CPU

– Architecture, Registers and Modes of Operations

– ARM Assembly

– Debugging

– Stack Overflow in ARM

– Writing your first shellcode

iOS Exploitation

– Getting started with iOS

– iOS Security Basics

– Setting up the Lab

– Reverse Engineering iOS Applications

– Static Analysis and Dynamic Analysis of iOS Apps

– Jailbreak Detection and Bypass

– Identifying and Exploiting Flaws in iOS Apps

– Findings security flaws in real world iOS Apps

Hands on CTF Challenge!

What Students will be provided with:

• Training Material / Slide Decks


• Mobile Application Hacking Lab Manual


• DIVA iOS Vulnerable iOS Application


• DIVA Android Vulnerable Android Application


• VM

Who should take this course?

Penetration testers/security professionals, mobile developers, anyone interested to learn mobile application security.

What should students bring?

• A jailbroken iPhone/iPad/iPod for iOS testing is must for hands-on.

• Laptop with 20+ GB free hard disk space 4+ GB RAM

• Windows 7/8 , Ubuntu 12.x + (64 bit Operating System), MacOSX (Maverick or later)

• Android SDK , Genymotion installed.

• Intel / AMD Hardware Virtualization enabled Operating System

• Administrative access on your laptop with external USB allowed

What will be provided?

Slides (PDF), Lab manuals, practice apps, VM for pen testing mobile apps


==============
Course Outline
==============

Note: This is a fast paced version of the original 4 day class, cut down to 2 days. To fit the entire training material within 2 days, some of the exercises have been replaced by demos which will be shown by the instructor. Students will receive FREE 1 month lab access to practice each exercise after the class.

Whether you are penetration testing, Red Teaming or trying to get a better understanding of managing vulnerabilities in your environment, understanding advanced hacking techniques is critical. This course covers a wide variety of neat, new and ridiculous techniques to compromise modern Operating Systems and networking devices.

While prior pentest experience is not a strict requirement, familiarity with both Linux and Windows command line syntax will be greatly beneficial. The following is the syllabus for the class:

Day 1:
* IPv4/IPv6 Basics
* Host Discovery & Enumeration
* OSINT & Asset Discovery
* Hacking Application and CI Servers
* Oracle Database Exploitation
* Windows Vulnerabilities and Configuration Issues
* Windows Desktop 'Breakout' and AppLocker Bypass Techniques
* A/V & AMSI Bypass Techniques
* Offensive PowerShell Tools and Techniques
* Local Privilege Escalation
* Post Exploitation Tips, Tools and Methodology
* An Introduction into Active Directory Delegation
* Pivoting, Port Forwarding and Lateral Movement Techniques

Day 2:
* Linux Vulnerabilities and Configuration Issues
* User/Service Enumeration
* File Share Hacks
* SSH Hacks
* Restricted Shells Breakouts
* Breaking Hardened Webservers
* Local Privilege Escalation
* MongoDB, TTY, Reverse tunneling
* Post Exploitation
* VLAN Hopping
* Docker breakout
* Kubernetes vulnerabilities
* Hacking VoIP
* Exploiting Insecure VPN Configurations

Guillaume and Davy, senior pentesters, will share many techniques, tips and tricks with pentesters, red teamers, bug bounty researchers or even defenders during a 2-day 100% “hands-on” workshop. This is the very training you'd like to have instead of wasting your precious time trying and failing while pentesting.

The main topics of the training are:
- Buffer overflow 101: Find and exploit buffer overflows yourself and bypass OS protections.
(A lot of pentesters don’t even know how it works. So let's have a look under the hood);

- Web exploitation: Manually find and exploit web app vulnerabilities using Burpsuite.
(Yes, running WebInspect, AppScan, Acunetix or Netsparker is fine but you can do a lot more by hand);

- Network exploitation: Manually exploit network related vulnerabilities using Scapy, ethercap and Responder. (Because it works so often when doing internal pentests);

- Passwords: Optimize the way you attack offline and online passwords. (0day is fun, but the way attackers gain access most of the time is simply by using login/passwords);

- Mobile app hacking: Find and exploit Android/iOS app vulnerabilities using Needle, Frida, Cycript and Hopper. (Companies move their apps into the cloud and the mobile world so pentesters have to evolve with that… or die);

Your SAP platform contains the business crown jewels of your company. However, while leading organizations are protecting their systems from new types of SAP threats, still many are prone to SAP-specific vulnerabilities that are exposing their business to espionage, sabotage and financial fraud risks.

This course empowers Security Managers, Internal/External Auditors and InfoSec Professionals to assess their SAP platforms for platform-specific vulnerabilities, exploit them to better understand the involved business risk and mitigate them holistically.
It provides the latest information on SAP-specific attacks and protection techniques. After an introduction to the SAP world (previous SAP expertise is NOT required), you will learn through several hands-on exercises how to perform your own vulnerability assessments and penetration tests of your SAP platform to identify existing security gaps.
You will understand why even strict user roles and profiles are not enough to protect a SAP system, and how malicious attackers could break into the system anonymously, even without having a valid user.
With a strong focus on the SAP application layer, you will learn the key security aspects of several proprietary components and technologies, such as the SAProuter, SAP Web Dispatcher, SAP Gateway, SAP Message Server, SAPWeb Applications (Enterprise Portal, Web Application Server), the SAP RFC and P4 interfaces, SAP Solution Manager, SAP Management Console, SAP-specific backdoors and rootkits, SAP forensics, SAP malware, ABAP vulnerabilities, the new SAP HANA Database, SAP Cloud solutions and much more! You will watch numerous live demonstrations of the most critical attack vectors, and even replicate them yourself in our labs using opensource and free tools, such as Bizploit - the first opensource ERP Penetration Testing framework.

After this intense training, you will be very well equipped to understand the critical risks your SAP platform may be facing and how to assess them. More importantly, you will know which are the best-practices to effectively mitigate them, proactively protecting your business-critical platforms. Previous SAP expertise is NOT required!

Opening Ceremony DeepSec 2018 In-Depth Security Conference

Let’s kick off this conference with a frank frolic into the future. What better way to start the morning than investigating several ways our civilisation could end, including, of course, Cybergeddon.

ICT and Internet started out with a promise of a utopian future, where all we humans had to do was lay back, sip a drink, and tweet a bit. And everybody believed it. Except you of course. Well, they have been tricked. Again…

But now that the dark side of ICT raises its ugly head so high that maybe even those outside the security community can smell its foul breath we will all surely wake up, get together, and create a safer world.

Nah… Probably not. On the contrary: it is only getting worse. And in this uplifting and inspiring talk I will tell you exactly why.

Several government-related and private organizations provide guidance on how to improve the security of existing software as well as best practices for developing new code. These organizations include the Computer Emergency Readiness Team (CERT) Secure Coding Standards, Common Weakness Enumeration (CWE), Open Web Application Security Project (OWASP), and National Institute of Standards and Technology (NIST) Software Assurance Metrics.

This talk will expose multiple underlying exploitable vulnerabilities in secure pieces of code that follows the recommendations from each of these organizations. Even though these guidelines were created to improve software security, they may also inject side vulnerabilities.

Within secure code snippets, reviewed by many and considered trustworthy by all, are issues that attackers could exploit to escape secure directories, abuse insecure hashing and encryption practices, or even expose applications to SQL injection attacks among others.

The automatic exploitation of vulnerabilities has long been a holy grail for software security.
However, even manual exploitation by experienced security analysts and researchers has become ever more challenging due to the increased complexity of software systems and the introduction of security defenses.

In this keynote, we will orientate ourselves on where we are on the path to automatically "popping root shells with theorems."
We will recap the DARPA Cyber Grand Challenge, a competition organized by the United States' Defense Advanced Research Projects Agency, in which competitors were required to develop and implement a self-contained system that automatically finds, patches, and exploits vulnerabilities in software, and which spurred research on automatic exploitation because of its high stakes.
We will look into the automatic exploitation systems that Shellphish fielded in the DARPA Cyber Grand Challenge (CGC), the Mechanical Phish, which exploited more binary executables than any other team in the CGC's final event.
Finally, we will learn what research came after the DARPA Cyber Grand Challenge, the limitations of current approaches, and what the next challenges that we need to tackle are.

Cybercrime is a worldwide and diverse phenomenon, which needs multidisciplinary and global prevention and intervention strategies. Regarding the situation in Austria, no evidence-based scientific analysis exists that depicts the bright field of Cybercrime.
Therefore an interdisciplinary research group investigated the phenomenon cybercrime regarding the questions:
(1) Who are the offenders and the victims? (2) Which initiation and realisation strategies of Cybercrime can be identified? (3) Which offender-structure can be found? (4) Which investigation methods, performed by the police, can be identified as useful and what can be said about the further prosecution of the identified offenders? To address these questions, court files of the last ten years (2006-2016) have been analysed and considered through a crime-sociological, legal, technical and economical perspective.

In recent years the internet of things has slowly creeped into our daily life and is now an essential part of it, whether you want it or not. A long-existing sub category of the internet of things is a mysterious area called teledildonics. This term got invented about 40 years ago and described (at this time fictional) devices, allowing their users to pleasure themselves, while being interconnected to a global network of plastic dongs. In the 21st century, teledildonics actually exist. Multiple devices are on the (multi-million dollar) market, offering the ability to pleasure an individual, while being connected to the internet. Those devices offer functionalities like remote pleasuring over local links as well as over the internet. They implement social media-like functionalities such as friends lists, instant messaging, movie chats and explicit-image sharing.

With great pleasure comes great responsibility. A responsibility, which is not taken enough into consideration by the smart sex toy manufacturers as much as it should be while handling extremely sensitive data. As long as there is no serious breach there is no problem, right?
This was the basis for a research project called “Internet of Dildos, a long way to a vibrant future”, dealing with the assessment of smart sex toys and the identification of vulnerabilities in those products, including mobile apps, backends and the actual hardware.

After the assessment of a selection of multiple smart sex toys an abyss of vulnerabilities was revealed. The identified vulnerabilities range from technically interesting vulnerabilities to vulnerabilities which affect the privacy of the users in extreme and explicit ways. It was possible to gain access to thousands of users’ data records, including cleartext passwords, explicit images, real-world names, real-world addresses, and many more specific facts. Furthermore, we were able to remotely pleasure individuals without their consent over the internet, or over a local link.

Talk outline:
1. Why?
o Explanation as to why it is necessary to conduct penetration tests in the area of teledildonics and why the topic was chosen for further research.
2.Quick introduction into basics like
o Internet of Things (IoT)
o Sextech
o Teledildonics
o Internet of Dongs (IoD)
3.The “Test Devices”
o A quick introduction of the test devices examined during this project.
o Explanation of their feature set including areas of application and use-cases.
4.Let’s get dirty – An overview of the identified vulnerabilities
o .DS_STORE File Information Disclosure
o Customer Database Credential Disclosure
o Unrestricted Access to administrative interfaces
o Weird authentication implementation
o Unauthenticated Bluetooth LE Connections
o Missing Authentication in Remote Control
o And many more…
5.Bluetooth LE Protocol exploitation
o Brief overview over Bluetooth LE security features
o Brief overview over Bluetooth LE authentication/pairing methods
o Brief overview over Bluetooth LE exploitation Hardware
o Brief overview over Bluetooth LE exploitation Software
o Hands-on example
6. The “Swinger Club Problem”
o How the manufacturers tried to downplay the vulnerabilities.
7.Legal Issues – Rape over the wire?
o How are current laws dealing with sexual pleasure without consent over the internet?
8.Responsible Disclosure Process
o Coordinated vulnerability remediation with the German CERT-Bund and why it was necessary to consult an independent 3rd party.
9. Ongoing/Similar Research

Android's accessibility API was designed to assist users with disabilities, or temporarily preoccupied users unable to interact with a device, e.g., while driving a car. Nowadays, many Android apps rely on the accessibility API for other purposes, including apps like password managers but also malware. From a security perspective, the accessibility API is precarious as it undermines an otherwise strong principle of sandboxing in Android that separates apps. By means of an accessibility service, apps can interact with the UI elements of another app, including reading from its screen and writing to its text fields. As a consequence, design shortcomings in the accessibility API and other UI features such as overlays have grave security implications.

This talk will provide a critical perspective on the current state of Android accessibility and selected UI security features. Starting with an app store centered overview of how accessibility services are used we will continue with currently unpatched flaws in the accessibility design of Android discovered during our assessment. These flaws and vulnerabilities allow information leakages and denial of service attacks up until Android 8.1. With an enabled accessibility service, we are able to sniff sensitive data from apps, including the password of Android's own lock screen.

To evaluate the effectiveness of our attacks against third-party apps, we examined the 1100 most downloaded apps from Google Play and found 99.25% of them to be vulnerable to at least one of the attacks covered in this talk. In the end possible countermeasures are discussed and we shed some light on the reporting process of Android vulnerabilities.

It's a rare glimpse of an otherwise tightly guarded datastore - and it's worrying: many innocent people and organizations find themselves in the World Check database, which protects banks against potentially dangerous customers. This was the outcome of joint research by The Times of London (Great Britain), NDR / Süddeutscher (Germany), NPO Radio 1 (Netherlands), De Tijd (Belgium), La Repubblica (Italy) and The Intercept (USA). For the first time, they had comprehensive insight into World Check thanks to a leaked copy of the dataset containing more than two million profiles as of 2014.

The World Check database is a service of the global information and media group Thomson Reuters and one of only a few major offerings for identifying potentially problematic customers for banks and financial service providers: Politically Exposed Persons (PEPs), as well as individuals and organizations in the categories of crime, money laundering and terror. Under anti-money laundering and corruption laws, banks are required to scrutinise in advance those with whom they do business. If suspicion arises, they may refuse even a basic account. The banks are required to watch closely those customers with international connections, and cross-border transfers must be considered carefully.
However, the journalists revealed that many individuals and organizations were wrongly listed: Many are demonstrably innocent, such as people and organizations against whom allegations have not been proven or that are controversial and uncomfortable, but not criminal. Examples include the human rights organization Human Rights Watch, the animal welfare organization Peta, the environmental group Greenpeace, opposition politicians from Sri Lanka and Eritrea, and American whistleblower Chelsea Manning, whose entry points to financial crime. The reason for these listings was often in the sources, which are added to a profile without any rating or weighting. Among them are state propaganda, conspiracy, even right-wing extremist sites. Official government sources from around the world are used – but activity deemed criminal in one country may be perfectly legal in another.

Confronted with the research results, Thomson Reuters spoke cautiously, citing data protection reasons. The company said the information underlying World-Check comes primarily from hundreds of government and judicial databases, regulatory and law enforcement agencies, the EU and the United Nations. It said further information, such as from blogs, only flows in to confirm other findings and is clearly marked. The findings would also be brought together by teams of specialized staff. Thomson Reuters promotes its service boasting sophisticated algorithms and a team of 250 analysts who create 25,000 new profiles and update a further 40,000 existing profiles every month.

Investigative journalists Jasmin Klofta (Germany) and Tom Wills (UK) explain how, as part of an international collaboration, they exposed World-Check. They will show how they used data mining, OSINT and traditional investigative techniques to analyse this database and discover the human impact of this Kafkaesque system, which is used by almost every major bank and many other institutions including law enforcement agencies.

extended Berkeley Packet Filter (eBPF) and eXtreme Data Path (XDP) technologies are gaining in popularity in the tracing and performance community in Linux for eBPF and among the networking people for XDP. After an introduction to these technologies, this talk proposes to have a look at the usage of the eBPF and XDP technology in the domain of security. A special focus lies on Suricata that uses this technology to enhance its performance and by consequence on the accuracy of its network analysis and detection.

Over the last decade, mobile devices have taken over the consumer market for computer hardware. Almost all these mobile devices run either Android or iOS as their operating systems. In 2014, Apple introduced the Swift programming language as an alternative to Objective C for writing iOS and macOS applications. The rising
adoption of this new language has to some extent obsoleted existing techniques for program analysis for these platforms, like method swizzling and "class-dump".

In this paper we discuss features of Swift binaries that help in reverse engineering the functionality of the contained code: We document the memory layout of compound data types and the calling convention used by the Swift compiler, as well as the runtime type information that is used by runtime and debugger when data types are
not known statically. This type information is rich enough to allow an almost full recovery of the definition of most Swift data types, e.g. including even the names and offset of the members of compound data types.

Based on these findings, we introduce the open source swift-frida library for iOS built on top of the Frida instrumentation framework. It provides this information about all public and many private Swift data types in a process. It allows transparent read/write access to Swift variables and their data members with known type and memory location.

Over the last decade we have seen a rapid rise in virtualization-based tools in which a hypervisor is used to gain insight into the runtime execution of a system. With these advances in introspection techniques, it is no longer a question of whether a hypervisor can be used to peek inside or even manipulate the VMs it executes. Thus, how can we trust that a hypervisor deployed by a cloud provider will respect the privacy of their customers?

While there are hardware-based protection mechanisms with the goal of guaranteeing data privacy even in the presence of such an "introspecting" hypervisor, there are currently no tools that can check whether the hypervisor is introspecting when it shouldn't.

We have developed a software package that analyzes instructions and memory accesses on an unprivileged guest system, which has been deployed onto a hypervisor to determine the potential presence (or lack) of introspection. These techniques are developed to examine properties of modern x86 systems, such as cache-based memory access timing and privileged instruction benchmarking to examine the behavior of the hypervisor. Moreover, we have developed timing methods such as thread racing to determine whether a hypervisor is monitoring regions of memory or hooking instructions.

The Efail bug against encrypted e-mails showed a variety of problems with the interaction of outdated cryptography and HTML e-mails. This talk will give an overview of the flaws that led to Efail and some other fun attacks that followed it.

Efail is an attack against E-Mail encryption with both S/MIME and OpenPGP. It often allows attackers, able to observe the encrypted message, to construct modified messages that will send the encrypted content back to the attacker. When Efail was published earlier this year only incomplete fixes were available. For S/MIME the issue is still completely unfixed and it's likely to stay that way.

Efail combines two weaknesses: Both E-Mail encryption standards use outdated cryptography, particularly they don't use proper authenticated encryption. This allows attackers to modify transmitted messages. HTML mails give the sender of a mail a huge amount of control over what happens when rendering a mail. This can be abused in a variety of ways to send decrypted e-mail content to the attacker. After the first incomplete fixes for Efail the speaker was able to bypass the implemented fixes in Enigmail multiple times. The talk will go over the basics of Efail, discuss attacks and variations that followed it, and discuss some further attacks including SigSpoof and two yet undisclosed attacks.

The goal of library and function identification is to find the original library and function to a given machine-code snippet. These snippets commonly arise from penetration tests attacking a remote executable, static malware analysis or from an IP infringement investigation. While there are several tools designed to achieve this task, all of these seem to rely on varied methods of signature-based identification. In this paper, we argue that this approach is not sufficient for many cases and propose a design and implementation for a multitool called KISS. KISS uses lossless compression and highly optimized pattern matching algorithms to create a very compact but substantial database of library versions. In practice, KISS
shows to achieve remarkable compression rates below 30 percent of the original database size while still allowing for extremely fast (sublinear) snippet identification.
We use statistical test to show that its code snippet recognition is tremendously successful while having a close to the lowest theoretical bound of false positives. Finally, we also demonstrate how our approach improves the security of existing techniques as our design relies fully on complete function body verification, which prevents analysis-resilient malware from disguising as external and trusted library code. This has recently rosen to a problem for malware analysts with existing identification solutions.

ICS attacks have an aura of sophistication, high barriers to entry, and significant investment in time and resources. When looking at the situation from a defender's perspective, nothing could be further from the truth. Attacking and potentially taking down an ICS network requires - and probably operates best - via permutations of 'pen tester 101' actions combined with some knowledge of the environment and living off the land.

In this talk, we will explore some concrete ICS attack examples to explore just what is needed to breach and impact this environment. More importantly, using malware and data captured from recent attacks - specifically TRISIS and CRASHOVERRIDE - we'll see how the attackers 'messed up' their attacks and why a more simplified and direct approach to achieving offensive goals would not only be more effective, but likely far more difficult for defenders to catch as well. To close the conversation, we'll explore what defensive measures can be applied - and are necessary - to detect and stop such attacks in their tracks.

SS7 is to the PSTN what BGP is for the Internet. In this presentation Paul will explain the fundamentals of the SS7 protocol and telecommunications architecture. An overview of how SS7 is utilized by large enterprises, mobile networks and service providers will be discussed. Security issues with the SS7 protocol will be covered with real world examples of how a service provider network may be targeted to gain access to the SS7 network.

On Linux, most---if not all---debuggers use the ptrace debugging API to control their target processes. However, ptrace proves unsatisfactory for many malware analysis and reverse engineering tasks: So-called split-personality malware often adapts its behavior in the presence of a debugger, yet ptrace makes no attempt to hide from a target process. Furthermore, ptrace enforces a strict one-to-many relation meaning that while each tracer can trace many tracees, each tracee can only be controlled by at most one tracer. Simultaneously, the complex API and signal-based communications provide opportunities for erroneous usage.

Previous works have identified the newer uprobes tracing API as a candidate for building a replacement for ptrace, but ultimately rejected it due to lack of practical use and documentation. Building upon uprobes, we introduce plutonium-dbg, a Linux kernel module providing debugging facilities independent of the limitations of ptrace alongside a GDB-compatible interface. Our approach aims to mitigate some of the design flaws of ptrace that make it both hard to use and easy to detect by malicious software.

We show how plutonium-dbg's design and implementation remove many of the most frequently named issues with ptrace, and that our method improves on traditional ptrace-based debuggers (GDB and LLDB) when evaluated on software samples that attempt to detect the presence of a debugger.

Jarred awake by your ringing phone, bloodshot eyes groggily focus on a clock reading 3:00 AM. A weak "Hello?" barely escapes your lips before a colleague frantically relays the happenings of the evening. As the story unfolds, you start to piece together details leading you to one undeniable fact: Something has gone horribly wrong...

Despite the many talks addressing the technical mechanisms of security incident response (from the deep forensic know-how to developing world-class tools) the one aspect of IR that has been consistently overlooked is the human element. Not every incident requires forensic tooling or state of the art intrusion detection systems, yet every incident involves coordinated activity of people with differing personalities, outlooks, and emotional backgrounds. Often these people are scared, angry, or otherwise emotionally impaired.

Drawing from years of real-word experience, hundreds of incidents worked by Microsoft Security Response Center, and the many lessons learned from some of the greats in IR around the company this talk will delve into:

• Human psychological response to stressful and/or dangerous situations
• Strategies for effectively managing human factors during a crisis
• Polices and structures that set up incident response teams for success
• Tools for building a healthy and happy incident response team

Effectively navigating the human element is a critical skill for anybody who may be called upon to manage or participate in a security incident. This talk is geared toward occasional or full-time responders who are looking for practical human-management skills.

It is now 3:05AM. Everything has gone horribly wrong. A room full of panicked engineers await. It is your time to sink or swim. Good luck.

Structure of the talk:
- Introduction & background
- Introduction to interconnection network (What is it, how does it work)
- Why is it important for all of us?
- Where does it come from? (Basics to understand the problems)
- Existing attacks (Focus on 3G/4G)
- Who are the attackers?
- What is done against them? (Focus on EU ENISA, USA FCC and GSMA work)
- How do they get in (Real examples will be shown)
- Attacks & Countermeasures
- Introduction to network set-up (So the demonstration is understandable)
- Presentation of high level attack scenarios for DoS / Fraud / Data Interception using the charging system
- Demonstration of those attacks in testlab 
- User impacts (What do these attacks mean on a personal level?)
- Countermeasures and fixes
- Wrapping up
- Outlook for 5G - Main security challenges
- Summary
- Q&A

SQL Injection was first mentioned in a 1998 article in Phrack Magazine. Twenty years later, injection is still a common occurrence in software applications (No.1 in latest OWASP Top 10 2017). For the last 20 years, we have been focusing on vulnerabilities from an attacker’s point of view and SQL injection is still King. Something else must be done.

What if there is another way to look at software vulnerabilities? Can vulnerabilities be decomposed into security controls familiar to developers? Which security controls are an absolute must-have, and which additional security measures do you need to take into account?

These are hard questions as evidenced by the numerous insecure applications we still have today. Attend this talk to explore security vulnerabilities from a different angle. As part of this briefing, we examine how to decompose vulnerabilities into security controls that developers are familiar with and offer actionable advice when to use them in SDLC and how to verify them.

We will flip security from focusing on vulnerabilities (which are measured at the end) on focusing on techniques familiar to developers, which can be done from the beginning of the software and measured throughout SDLC.

The security of Internet-based applications fundamentally rely on the trustworthiness of Certificate Authorities (CAs). We practically demonstrate for the first time that even a very weak off-path attacker can effectively subvert the trustworthiness of popular and commercially used CAs. Our attack targets CAs which use Domain Validation (DV) for authenticating domain ownership; collectively these CAs control 99% of the certificate market. The attack exploits DNS cache poisoning and tricks the CA into issuing fraudulent certificates for domains that the attacker does not own. Namely, certificates binding the attacker’s public key to victim domain.

Our work is the first to weaponise DNS cache poisoning and to apply it to circumvent security of a critical PKI system.

This talk explores the growing tension between recent changes to customer and employee expectations of privacy, and the need for organizations to gather and examine data in order to detect and respond to information security incidents. This talk highlights specific areas that cause issues, including examples of where security teams have deliberately subverted data privacy controls to do their job, and proposes some potential solutions to the issues.

Details:

This talk is derived from an earlier project which explored how security teams violate rules and laws in order to accomplish their mission. During the previous project, there were several examples of teams which violated privacy controls because they felt that they had to in order to do their job.

The talk starts with examples of how information security teams have run into privacy issues while attempting to detect and respond to intrusions, and gives examples about where some teams have deliberately circumvented privacy controls in order to meet requirements to detect and respond to security incidents.

While this talk briefly reviews the various privacy laws that exist, as well as the privacy drivers of EU businesses, its primary focus is on the actual mechanisms where information security team members attempt to subvert or work around privacy controls.

It will also explain some of the reasons for the perceived need of information security teams to gather and analyze data used to detect and respond to security incidents, by walking through the use of netflow, full packet capture, weblog, E-mail, and endpoint data acquisitions to support detection and analysis of potential or actual security incidents.

The talk closes by demonstrating some alternatives to analyzing these types of data and further exploration of potential future technical and policy changes. These changes can help to strike a better balance between the need to protect employee and customer privacy, and the need to detect, analyze, and respond to computer intrusions and incidents.

I'd like to offer an introduction into Network System Monitoring using different open tools available in linux. The talk is a technical approach to identify the best sniffing points in a network and how to orchestrate a full analysis of the content to secure the network, as well as showing ideas of collaborative and distributed hacking.

Also, for a better performance, the talk includes a brief guide into configuring a Raspberry PI for creating a simple Network Capture Probe.

The main point of the talk is to show how open source tools are a nice option for this kind of security assessment.

I'd like to talk about telecom security.

My research contains information about security of mobile operators: classic and new (or very rare) attack vectors and vulnerabilities.

This presentation will consist of three main parts:

First, I will share information on the security of mobile operators in general. I'll tell you a little bit about why it is important (usually, phone numbers are used as a key to social networks, messengers, bank accounts, etc). So, if an attacker can hack a mobile operator, he can gain access to a big amount of user data and money. Also, in this part, I will tell you about typical SS7 attacks (how to intercept SMS or send fake ones).

During the second part, I will tell you about different vulnerabilities and security issues. All of the problems I will refer to were found in systems of mobile operators from Russia and the Ukraine. I will speak about the classic vulnerabilities I found (XXS, CSRF and HTTPS issues) that allow attackers to gain access to subscribe accounts through a mobile operators site or an application.
Also, I will talk about authorisation issues (SMS codes, bruteforce, etc).
Then I will tell you about new attack vectors (or very rare ones): attacks via IVR (at call centers), problems in operator services, that allow to send SMS from user numbers, and problems in operator applications (which allow attackers to intercept calls and SMS).
I also will speak about attacks on sim-card change systems (how I can gain access to information that I can use to change sim-cards and gain access to calls and SMS).
Of course, I will show demos and PoC (images, video or real-time demonstration) of some attacks.

In the final part of the talk I will talk about post-exploitation. The main idea of this part is to show how I can use the vulnerabilities, adressed in the second part of my talk, to gain access to private data (including SMS-content), intercept calls and SMS, send fake SMS, gain access to email, messenger, and social network accounts (using restore via SMS), to steal money from bank accounts (using account restore or SMS-banking) and for some other ideas.

Attacks on IVR systems and call centers of bank are interesting and funny, but 
sometimes they are not so effective. Usually hacker should know some user's 
information for authorization. So, hacker can gain access to private information 
and money (sometimes) of one known person, but what he can do, if he want to 
attack thousands users? Luckily (or no) many people share their information in 
the Internet.

In this talk I will show, how and where attacker can gather information, which 
can be used for attack on IVR systems. At the final I will show practical case 
from one private bank.

A long long time ago any results from security research were mainly communicated via message boards and mailing lists such as full-disclosure. Today, researchers and academics have new ways to make their work known to a wider audience by establishing relationships with journalists and other intermediaries. This can cause problems if researchers with no prior exposure to journalists and other media representatives get into contact with media who are more focused on producing fancy headlines and where accuracy often takes second place. The problem goes both ways: Jounalists or editors with no knowledge or experience in infosec can - sometimes inadvertently - interpret something as the "hack of the century", when in fact it isn't. A prime example of this is The Guardian's coverage of what they thought was a backdoor in Whatsapp.

This talk wants to address the problem and offer some advice to both parties. For example the relevant questions that should be asked by a journalist prior to publishing any research they were handed. It will also look at where potential overlaps in the interests of both parties are and how those can lead to an unwanted outcome, e.g. if media outlets quote proper academic research out of context. We will present disclaimers and other useful tools that can help to get the public informed in a better way about the critical field of IT security research.

HiTag2 is an RFID technology operating at 125KHz. It is distinguished from many others in the same field by its use of 2-way communications for authentication and its use of encryption to protect the data transmissions - the majority of RFID technologies at 125KHz feature no authentication or encryption at all. As a result it has been widely used to provide secure building access and has also been used as the technology that implements car immobilisers.

In 2012, academic researchers Roel Verdult, Flavio D. Garcia and Josep Balasch published the seminal paper, ‘Gone in 360 Seconds: Hijacking with Hitag2’ that presented three attacks on the encryption system used in HiTag2. They implemented their attacks on the Proxmark 3 device (an RFID research and hacking tool) and gave several high-profile demonstrations, but didn’t release any of their code or tools. Since then, the forums supporting Proxmark 3 and RFIDler (another RFID hacking tool) have received many requests for implementations of these attacks, but until recently none had been forthcoming. In 2016, Garcia et al released the paper 'Lock It And Still Lose It' offering a fast correlation attack against HiTag2 but again did not release any tools.

In this talk I will explain how HiTag2 RFID works in detail, including the PRNG and the authentication and encryption protocols, and will present my own implementations of the attacks, written for RFIDler and supported by desktop computers. The first attack uses a nonce replay to misuse the integrity protection of the comms in order to allow access to the readable RFID tag pages without needing to know the key. The second, third and fourth attacks use time/memory trade-off brute force, cryptanalytic attacks and a fast correlation attack to recover the key, such that the contents of the read-protected pages can also be accessed. The attacks are weaponised and permit cloning of tags, which I will demonstrate.

All tools are publicly available on the ApertureLabs/RFIDler github.

The ultrasonic frequency band represents a novel and so far hardly used channel for the communication between different devices, such as mobile phones, computers, TVs, and personal assistants like Google Chromecast. Ultrasonic communication is a promising technology since it requires only a standard loudspeaker and a microphone (as built into our phones) for communication. While offering a number of opportunities for innovative services (e.g. in the domain of Internet of Things), the technology, however, also bears a number risks, such as being exploited as a covert channel. Companies like Silverpush, for example, employed ultrasonic data exchange to track users across devices and to collect information about their behavoir without their knowledge. Furthermore, the acoustic channel can be used to exfiltrate information from IT infrastructures and to de-anomymize users. In my talk I will present the novel technology of ultrasonic communication, show how it works and which risks and chances are linked to it. Additionally, I will present the project "SoniControl" which aims at the development of an ultrasonic firewall to protect the privacy of users as well as the project "SoniTalk" which aims at developing a safe and privacy-oriented protocol for ultrasonic communication.

Cross-Site Scripting (XSS) outbreak has started almost twenty years ago and since then it has been infecting web applications at a concerning pace. It is feared that the influx of programs and bug hunters arriving at bug bounty platforms will worsen the situation given more disclosed cases of bug(s) or public citing and viewing. According to #FakeNews Media, the outbreak engulfed One Microsoft Way in Redmond. This is where a contagious tour starts.

The tour guide will convoy you thru 50 award winning shattered windows in Office 365, Azure and SharePoint. All reported XSS findings spawned great riches and ended up in The Honor Roll or made their way to a simple acknowledgement entry or several CVE-plated thanks. The goal of this walking tour: an intimate look at Microsoft online or cloud services (Office 365 and Azure) bug bounty programs through the eyes of a bug hunter.

This briefing will conclude on: classical XSS is here to stay while Redmond's outbreak "... was like a storm. But storms, they can come back. Can't they? The question is, if they come back, is it the same storm, or has something changed?"

When a Web Application Firewall (WAF) is presented as a defensive solution to web application attacks, there is usually a decision to be made: Will this be placed inline (and risk affecting users due to outages or latency) or will it be placed out of band (not affecting users but not protecting them either). This talk will cover a different approach you can take when deciding how to use any WAF at your disposal, which is to try and get the best of both worlds, making the WAF work in passive mode out of band detecting attacks and in active mode by selectively routing traffic through your WAF to decide if it should block the request or allow it.

To achieve this we will have to abstract the WAF around a web service, something that developers are commonly used to work with, which can result in delivering security in a targeted and scalable manner. In this network agnostic setup, a WAF web service can grow horizontally, allowing you to enhance the WAF decisions with your own business knowledge. This will mean that the decision to block or to route traffic through the WAF will not only depend on the WAF’s decision but also on data about your application and its context, which can significantly reduce the false positive rate.

In this talk, I will go through how such a service can be built with open source examples, what alternatives are there, depending on the flexibility of the WAF used, and how this approach can be used to manually decide on the false positive rate wanted and the desired business risk depending on the attack type. We will also cover the drawbacks of what's not a fully inline solution and speak about possible improvements of this architecture.

• There’s a huge difference between threat data, information, and intelligence. Understanding the difference is essential to getting the most out of your cybersecurity efforts.
• In the progression from data to information to intelligence, the volume of outputs reduces while the value of those outputs increases.
• Threat intelligence platforms produce data and information, which human analysts can use to produce actionable (operational) threat intelligence and to share that intelligence.
• A computer can never produce threat intelligence, but humans are unsuited to the task of collecting and processing huge volumes of threat data.
• Action must always be the end goal. Threat intelligence is useless unless it can be used to improve cybersecurity.

A lot of research has been conducted in recent years on performing code injection in the Windows operating system without touching the disk. The same cannot be said about *NIX (and Linux specifically).

Imagine yourself sitting in front of a blinking cursor, using a shell on a freshly compromised Linux server, and you want to move forward without leaving any trace behind. You need to run additional tools, but you don't want to upload anything to the machine. Or, you simply cannot run anything because the noexec option is set on mounted partitions. What options remain?

This talk will show how to bypass execution restrictions and run code on the machine, using only tools available on the system. It's a bit challenging in an everything-is-a-file OS, but doable if you think outside the box and use the power this system provides.

Anyone interested in offensive security should find the talk sexy, especially since it's not theoretical mumbling but a demo-rich journey through the inner workings of Linux and some old-school hacks.

DeepSec 2018 focuses heavily on mobile security, especially mobility. As part of the outstanding group of speakers and papers submitted for DeepSec we are exploring a roundtable/panel discussion on Mobile security that would extend to SIM card security, application security, lawful intercept and telecom operator relationships, privacy and network infrastructure.

Topics to be discussed with relation to mobile security include:
- where the responsibility to protect the end user lies within the chain: on the sim card, on the physical device, within the software, on the leased/towers, within the government regulatory scheme, etc.
- to what extent should a user expect privacy over security of the majority (lawful intercept, national security, etc.)
- what is a reasonable expectation for a mobile user in terms of their own security? How knowledgeable does a average user have to be to ensure their own mobile security?
- how do we as a community oversee and ensure things like mobile applications are safe/secure for users?

Chipping humans can be seen as one of the most invasive biometric identification technologies. RFID (Radio Frequency Identification) as the key technology in the field of the Internet of Things produces many applications.

For example, human implants are used by scientists in the fields of cyborgism, robotics, biomedical engineering and artificial intelligence, by hobbyists for identification reasons to start their computers, cars, for smart home applications or to pay by credit card, by hospitals for the control of human biological functions of patients, but also by companies to tag their employees for security reasons and workplace surveillance.

All in all, worldwide human implants are mainly used for security, healthcare, and private (individual) reasons. Beside some positive individual or organizational outcomes, implants may compromise privacy and raise manifold ethical questions.

For example, research in the field of information security has shown that RFID implants can be hacked to gain sensitive data stored on such chips. From an ethical point of view, other questions refer to its influence on a person’s identity and body, as well as to how individuals are probably able to resist such a surveillance technology against the background of felt pressure in an organizational or societal environment.

This talk focuses on the current state of the discussion and the applications of human implants, used for various reasons. It discusses triggers mainly from an individual and organizational point of view, and analyzes some already existing and upcoming ethical-, legal- and privacy-related aspects in the field. We will present results from a qualitative study with managers in Austria and close the talk with some theses for future research, applications and related individual and societal outcomes.

The Domain Name Server or DNS is one of the most fundamental parts of the internet. It is crucial for a billion of users daily to help us build presence on the internet using names humans can understand rather than IP addresses. However, DNS comes with security issues organizations should be aware of and take into consideration. Attackers are abusing the DNS to redirect traffic to malicious sites, communicate with command and control (C&C) servers, steal data from organizations and conduct massive attacks that cause harm to organizations. Many organizations are not prepared to mitigate, or even detect, the problems DNS might bring.
Due to the criticality of DNS to maintain an Internet presence, access applications, connect to a network or simply send an email, everyone has the potential to be impacted by DNS vulnerabilities. Since DNS is important for routing traffic, it simply cannot be disabled. Organizations should look for ways to protect their DNS data. We should learn about ways to manage the attack surface DNS offers and also to benefit from the capabilities DNS has to offer.
Security companies and vendors are getting more aware of the fact that DNS is the first line of defense and, since all the traffic is routed through the DNS, it acts as a good resource for analyzing any form of malicious traffic or attacks. Most vendors now provide IP address management (IPAM) data for diagnosing the network traffic regarding network and security problems. DNS plays an important role for malware detection based on its logical place in the network architecture. Incident Response teams look to DNS, DHCP and IPAM data for carrying out thorough investigations and improving threat hunting capabilities.
DNS traffic should result into being one of the main points for network traffic data analysis, which would serve organizations to improve their detection and analyzing capabilities in order to be ready for what may come.

In this talk we examine the following:

• About DNS
A brief introduction to DNS and how it works.

• Types of DNS-based attacks
A brief introduction to the type of attacks on DNS.
 DNS Cache Poisoning
 Denial of Service
o DNS Flood Attacks
o DNS Reflection Attacks
o DNS Amplification Attacks


• DNS Tunneling
A brief introduction about DNS Tunneling and the negligence of the DNS port 53 in the security posture of organizations due to the large size.

• Data exfiltration using DNS
How attackers and malwares are targeting DNS for exfiltration of data.

• Case Study of DNSMessenger
DNSMessenger is a RAT that uses DNS queries to execute malicious Powershell commands through a two-way communication of command and control server.

• Out of band attacks
A description of “out of band” attacks.
o SQL Injection
How SQL injections can be used to fetch information through DNS queries.

o XML Injection
How XML-Injections can be used to get information from the server.
• Magic of Burp
Showcase of how to use Burp for carrying out DNS based attacks and gain information.

• DNS Exfiltration Restrictions
About limitations of DNS based exfiltration.

• Best practices for using DNS data to enhance investigations
We will give certain guidelines that could be used by organizations to leverage the DNS traffic and provide a better security posture.

• Conclusion

We introduce global deep scans that provide insights into the security hygiene of all organizations exposed to the Internet. Our presentation discusses vulnerability levels across different groups of organizations and points out differences in the underlying maintenance processes.
We find that different industries have a lot to learn from each other and provide the necessary measurements to start these dialogues.

In our day to day we constantly see how most of the organisations fail to respond properly to real incidents and a lot of times this is due to the lack of visibility on endpoints.

The aim of this talk is to help the Blue teams to understand what they can do in order to improve their detection mechanisms, and at the same time to show what is important when responding to a real incident.

We have built a lab with an Active Directory and other common crown jewels found in most organisations. From this point of consideration we have chosen some of the attacks and techniques that we've faced during incident response cases, from Threat Financial groups to some APTs ones. Next, we have ingested the logs produced on the different endpoints and used different incident response techniques to find multiples IOCs that would detect the different attacks.

Increasingly frequent deployments make it impossible for security teams to manually review all of the code before it is released.

We wrote a Terraform-deployed application to solve this problem by tightly integrating into the developer workflow. The plugin-based application has three core components, each represented by at least one Lambda function: a trigger, processing and analysis, and output. The plugins, such as static analysis, dependency checking, github integrations, container security scanning, or secret leak detection can be written in any language supported by AWS Lambda.

The underlying technology for this tool is a serverless system utilizing several AWS Services, such as API Gateways, Step Functions and Lambdas.

In this talk you'll not only learn about our tool and how to implement it in your CI/CD pipeline, but also how to easily deploy complex serverless systems and step functions for your own automated tooling.

I will talk about drones. Drone risks and countermeasures. Drones have become an inherent risk not just for critical infrastructure but also public events (sports, concerts) and privacy. I will speak about the exclusive risk catalogue I have developed for a small highly secialised startup called DroneGuard. The catalogue contains over 140 detailed drone related risks. From payload of drones (explosives, chemicals, etc.) to cyberrisks like Signal Hacking & Disruption (WiFi, GSM, Bluetooth, RFID, etc.). Since Deepsec is a more technically oriented event I will highlight the risk management frame work, my experience with our personal payload drone and the cyber risks. This talk will help you if you have to protect critical infrastructure from a physical perspective, or if you have to protect yourself or your company from privacy implications.

This talk will look at the way Privacy International has relied on its experience from working with a network of small NGOs across the Global South to shape its approach to security and develop Thornsec, an automated way to deploy, test, and audit internal and external services for an organisation.

Privacy International works with a network of over twenty organisations located in Latin America, Africa, Asia and the Middle-East. Together we research and document threats and abuses to privacy from governments and corporations and advocate for better privacy protection both from a technological and a legal standpoint. Being at the forefront of the fight against surveillance means that the partners of privacy International are sometimes exposed to oppressive political regimes. They experience a wide range of threats from office burglary, physical surveillance by intelligence services to phishing attacks, hacking team-type of malware, ... etc. Yet the advice they have received so far has been solely focused on end users, not organisations. This talk will highlight our journey towards challenging this situation and our take on attempting to help small organisations with network security.

Detecting malware infections is one of the most challenging tasks in modern computer security. Although there exist tools that can help the analysts in this task, such as Snort/Bro/Suricata, truth is that most of the analysis is done by hand. Most of the automation focuses on organizing and visualizing data, but not on detection. When it comes to machine learning for detection, the most common approach in most security companies is to run an anomaly detection algorithm as a first layer and then complement the results with a classification algorithm. An anomaly detection method is designed to model normal traffic and then to find deviations from that model. Although widely used, anomaly detection techniques usually come with different problems, such as the difficulty to obtain labels for a good verification, and a large amount of false positives. We propose and describe a new user profile-based method to detect anomalous changes in the network behavior of users. The profiles have multiple features used to describe the behavior of a wide range of actions of the users from different perspectives in the network. Each profile encapsulates what the user did during a period of time. Compared to other feature-based anomaly detectors, our profiles offer a more high-level view of the behaviors.
Since the datasets used for training and evaluating a method are very important, we created our complex datasets of malware attacks. Our datasets contain real normal actions of a human user, while the user is infected with real malware. Our anomaly detection method was trained using these datasets with our own assigned labels. These datasets are the first of their kind and are available for download.
Results show that our method can accurately detect attacks (anomalies recognized as attacks) and keep a very low false positive rate. Despite not finding each and all of the anomalies, our method shows that it is possible to detect almost all malware infections within a short time period. We also tested our algorithm for monitoring IoT devices, such as cameras, and we were able to recognize unauthorized login attacks. We believe that our method can show the community an advanced technique and tool to implement into their own networks. The complete detection method and dataset is freely available for download.

Plant operators and manufacturers are currently faced with many challenges in the field of automation. Issues such as digitization, Industry 4.0, legal requirements or complex business processes that connect IT and OT are paramount. Related security problems and risks need to be addressed promptly and lastingly. Existing and newly created industry security standards (such as 62443, 61508 and 61511, 27001, ...) are designed to help to improve security. But do the different approaches of these standards fit together? Are managers of the companies and manufacturers supported or rather confused by them? The presentation provides an overview of the key security industry standards, discusses the dependency and coverage of the standards, and aims to encourage discussion about if the standards optimize general security in industrial control systems.

Sure, WiFi hacking has been around for a while, and everyone knows about tools like airmon-ng, kismet, et al. But what if you just want to view a list of all networks in your area along with all the devices connected to them? Or maybe you want to know who's hogging all the bandwidth? Or what if you want to know when a certain someone's cell phone is nearby? Or perhaps you'd like to know if your Airbnb host's IP Camera is uploading video to the cloud?

For all these use-cases, I've developed a new tool called "trackerjacker". In this talk we'll use this tool to explore some of the surprisingly informative data floating around in radio space, and you'll come away with a new skill or two adding to your radio hacking skill tree, as well as a new magical weapon... I mean tool.

The human memory is very volatile and not really trustworthy. Judges, interrogators and scientists know that humans often mix up or straight up create new false memories. In this talk I will show what we know about how the human memory works, which factors lead to a loss of quality of stored memories and how they can be altered or manipulated for social engineering attacks. Since, ethically, this is a very controversial topic, I will also speak about the ethics behind this. And be advised that I will not talk about NLP (Neuro Linguistic Programming), as this stuff is unsubstantiated, unscientific esoteric charlatanry.