Speakers (preliminary) - DeepSec IDSC 2019 Europe

Analysing Intrusions with Suricata (closed)

Peter Manev & Eric Leblond (Open Information Security Foundation / Suricata)

Defending your network starts with understanding your traffic. More than just an IDS/IPS, Suricata can provide the visibility to solve incidents quickly and more accurately by enabling context before, during, and after an alert. In this course, attendees will learn the skills required to identify, respond and protect against threats in their network day to day as well as to identify new threats through structured data aggregation and analysis. Hands-on labs consisting of real-world malware and network traffic will reinforce the course's concepts while utilizing the latest Suricata features. Come and see what you've been missing in your network and unlock the full potential of network security, detection, and response with Threat Hunting with Suricata.

In this course, students will learn through a combination of lecture and approximately 15 hands-on labs (depending on workshop duration):

- Identify key strategies for network security architecture and visibility
- Learn the fundamentals of rule writing and rule comprehension
- Understand how to manage rule sources and create effective rulesets
- Develop methods for establishing network baselines
- Recognize traffic anomalies
- Use Suricata to capture network traffic and replay PCAPs
- Utilize log aggregation and shipping services to build a complete picture
- Perform traffic analysis and create visualizations with Kibana
- Develop a custom network sensor with Suricata and ELK
- Analyze suspicious traffic to determine maliciousness
- Learn how to pivot off of key attack indicators using threat intelligence
- Analyze true positive and false positive alerts
- Leverage rules specifically for threat hunting
- Deploy honey tokens

Peter Manev (aka pevma, in some countries also DonPedro / pevman)
Peter has been involved with Suricata IDS/IPS/NSM from its very early days in 2009 as QA lead, and is currently a Suricata executive council member. Peter has 15 years of experience in the IT industry, including enterprise and government level IT security practice. As an adamant admirer and explorer of innovative open source security software, he is also one of the creators of SELKS, an open source threat detection security distro. He is also one of the founders of Stamus Networks, a company providing security solutions based on Suricata.

Eric Leblond (aka regit)
Eric is an active member of the security and open source communities. He is a Netfilter Core Team member working mainly on communications between kernel and userland. He has worked on the development of Suricata, the open source IDS/IPS, since 2009 and he is currently one of the Suricata core developers. He is also one of the founders of Stamus Networks, a company providing security solutions based on Suricata.

Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation

Dawid Czagan (Silesia Security Lab)

Until 2017 HackerOne bug hunters have earned $20 million in bug bounties and they are expected to earn $100 million by the end of 2020. Some of HackerOne's customers include the United States Department of Defense, General Motors, Uber, Twitter, and Yahoo. This clearly shows where the challenges and opportunities lie for you in the upcoming years. What you need is a solid technical training by one of the Top 10 HackerOne bug hunters.

Modern web applications are complex and it’s all about full-stack nowadays. That’s why you need to dive into full-stack exploitation if you want to master web attacks and maximize your payouts. Say no to classic web application hacking. Join this unique hands-on training and become a full-stack exploitation master.

After completing this training, you will have learned about:

- REST API hacking
- AngularJS-based application hacking
- DOM-based exploitation
- Bypassing Content Security Policy
- Server-side request forgery
- Browser-dependent exploitation
- DB truncation attack
- NoSQL injection
- Type confusion vulnerability
- Exploiting race conditions
- Path-relative stylesheet import vulnerability
- Reflected file download vulnerability
- Subdomain takeover
- and more…

Students will receive a VMware image with a specially prepared testing environment to play with the bugs. What's more, this environment is self-contained and when the training is over, students can take it home (after signing a non-disclosure agreement) to hack again at their own pace.


The ticket price includes FREE access to Dawid Czagan’s 6 online courses:

  • Start Hacking and Making Money Today at HackerOne
  • Keep Hacking and Making Money at HackerOne
  • Case Studies of Award-Winning XSS Attacks: Part 1
  • Case Studies of Award-Winning XSS Attacks: Part 2
  • DOUBLE Your Web Hacking Rewards with Fuzzing
  • How Web Hackers Make BIG MONEY: Remote Code Execution


This training has been very well-received by students around the world. Here you can see testimonials.

To get the most out of this training, intermediate knowledge of web application security is needed. Students should be familiar with common web application vulnerabilities and have experience in using a proxy, such as Burp Suite Proxy, or similar, to analyze or modify the traffic.

Students will need a laptop with a 64-bit operating system, at least 4 GB RAM (8 GB preferred), 35 GB free hard drive space, USB port (2.0 or 3.0), wireless network adapter, administrative access, ability to turn off AV/firewall and VMware Player/Fusion installed (64-bit version). Prior to the training, make sure there are no problems with running 64-bit VMs (BIOS settings changes may be needed). Please also make sure that you have Internet Explorer 11 installed on your machine or bring an up-and-running VM with Internet Explorer 11 (you can get it here via download).

Penetration testers, ethical hackers, bug hunters, security engineers / consultants 

Dawid Czagan (@dawidczagan) is an internationally recognized security researcher and trainer. He is listed among Top 10 Hackers (HackerOne). Dawid Czagan has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter and other companies. Due to the severity of many bugs, he received numerous awards for his findings.

Dawid Czagan shares his security bug hunting experience in his hands-on trainings “Hacking Web Applications – Case Studies of Award-Winning Bugs in Google, Yahoo, Mozilla and More” and “Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation”. He delivered security training courses at key industry conferences such as Hack In The Box (Amsterdam), CanSecWest (Vancouver), 44CON (London), Hack In Paris (Paris), DeepSec (Vienna), HITB GSEC (Singapore), BruCON (Ghent) and for many corporate clients. His students include security specialists from Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips and the government sector. (Recommendations: https://silesiasecuritylab.com/services/training/#opinions).

Dawid Czagan is a founder and CEO at Silesia Security Lab – a company which delivers specialized security testing and training services. He is also an author of online security courses. To find out about the latest in Dawid Czagan’s work, you are invited to subscribe to his newsletter and follow him on Twitter (@dawidczagan).

IoT/Embedded Development - Attack and Defense

Lior Yaari (Security Researcher and Founder of Imperium Security)

Every developer makes mistakes. If you are unlucky, these mistakes result in a security vulnerability, an almost untraceable bug for the normal developer. Going around the world, helping developers to find and understand the vulnerabilities they've accidentally created, we learned that unlike bugs, vulnerabilities are invisible to the eye, mind and UT. No one teaches developers how an attacker thinks, what computer security mechanisms are capable of (and what not), and how to avoid creating possible security mistakes endangering your customers.

In this course we will teach you the basics of Embedded Devices security from the beginning: how vulnerabilities are created and how an attacker approaches a new device. From the internals (physical manipulations, buffer overflows, memory corruptions, timing attacks) all the way to the solution: how to avoid common mistakes and even the uncommon ones. We will learn both how to detect such mistakes, and how to prevent them.

Don't expect to learn the secure development basics you can find on Google. Meeting with dozens of developers, we mapped development patterns and misconceptions that led to security issues, and hope to help you understand not just the technical mistakes ("check the buffer size before copying") but to develop a thinking pattern that will help you to detect the next security flaw, use it or close it. Each lab day will consist of lectures and hands-on hacking exercises, vulnerability mitigation exercises, along with tips on how to avoid and detect security flaws.

Who Should Attend

• Embedded/IoT engineers and developers who wish to understand security and avoid security coding mistakes
• Web/Network security experts who wish to get the basics of low level security
• Everyone who is interested in embedded/IoT vulnerabilities, from the basics to advanced subjects.

Who Should Not Attend

• Experienced low level vulnerability researchers

Prerequisite Knowledge

• Knowledge in C/C++ and Python is recommended. If you miss one of them, it is OK. The workbook will guide you.
• Basic knowledge in Linux command line

Hardware/Software Requirements

• Laptop with 4GB+ RAM. Preferably with Windows OS
• Installing the software pack that will be supplied a few days before the training.



Day 1:

Morning: Introduction to Cyber Security:
- What are vulnerabilities
- Famous attacks
- How a vulnerability is created
- Vulnerabilities types and classification
- The mind of an attacker

Noon: Memory Corruption Vulnerabilities
- Compiled program memory layout
- Buffer overflows + Lab
- Format string attacks + Lab
- Integer overflows + Lab
- Command Injections
- Summary - how to find and avoid

Day 2:

Morning: Cryptographic Security Mechanisms and How To Use Them
- Hashes
- Encryption
- Signatures
- Common usage mistakes
- Summary - how to find and avoid

Noon: Embedded Devices Attacks
- TOCTOU attacks + Lab
- SPI intrusion
- Memory swaps
- Glitching + Lab
- Summary - how to find and avoid
- Final exercise - finding and fixing vulnerabilities in large code

Lior is an expert in embedded security research. After more than six years as a technological officer in the Israeli military, he joined the cyber security industry as a vulnerability researcher for autonomous vehicles. More than 40 vulnerabilities later he decided to share his knowledge in order to help the world avoid the next security breach. His consulting company, Imperium Security, aims to teach every developer to secure his own code.
Lior has been rated one of the top lecturers of Israeli military technological trainings for the past 5 years, every year.

About Imperium Security: Imperium is a consulting company that helps embedded devices companies globally to secure their products. The company performs security assessments - finding vulnerabilities in source code, security design consulting, and secure development trainings for developers.

Mobile Hacking

Davy Douhine and Guillaume Lopes (RandoriSec)

Guillaume Lopes and Davy Douhine, senior pentesters, will share many techniques, tips and tricks with pentesters, bug bounty researchers or just the curious in a 100% “hands-on” training.

Their goal is to introduce **tools** (Adb, Apktool, Jadx, Androguard, Cycript, Drozer, Frida, Hopper, Needle, MobSF, etc...) and **techniques** to help you to work faster and in a more efficient way in the mobile ecosystem. This is exactly the training that you would have liked to have before wasting your precious time trying and failing while testing.

# Agenda
2 days based mainly on practical exercises:
- Day 1: Android Hacking
- Day 2: iOS Hacking

Main topics of the training are based on the fresh OWASP MSTG (Mobile Security Testing Guide):
- Review the codebase of a mobile app (aka static analysis)
- Run the app on a rooted device (to check data security issues)
- Inspect the app via instrumentation and manipulate the runtime (aka runtime analysis)
- MiTM all the network communications (aka inspect the traffic)

# Materials
A VM will be provided to the attendees with the pre-installed tools to cover most of the labs.

Davy Douhine (@ddouhine), founder of RandoriSec, an infosec company, has been working in the information security field for almost fifteen years.
He mainly works for financial, banking and defense key accounts, doing pentests and holding trainings to help them improve their security.
He enjoys climbing rocks in Fontainebleau or in the Bourgogne vineyards and practices Brazilian jiu-jitsu.

Guillaume Lopes (@Guillaume_Lopes) is a pentester with 10 years of experience in different fields (Active Directory, Windows, Linux, Web applications, Wifi, Android). Currently working as a Senior Penetration Tester at RandoriSec he is also a member of the Checkmarx Application Security Research Team. He likes to play CTF (Hackthebox, Insomni'hack, Nuit du Hack, BSides Lisbon, etc.) and gives a hand to the Tipi'hack team.

Threat Hunting with OSSEC (closed)

Xavier Mertens (Freelance)

OSSEC is sometimes described as a low-cost log management solution but it has many interesting features which, when combined with external sources of information, may help in hunting for suspicious activity occurring on your servers and end-points.

During this training, you will learn the basics of OSSEC and its components, how to deploy it and quickly get results. The second part will focus on the deployment of specific rules to catch suspicious activities. From an input point of view, we will see how easy it is to learn new log formats to increase the detection scope and, from an output point of view, how we can generate alerts by interconnecting OSSEC with other tools like MISP, TheHive or an ELK Stack / Splunk / … and add more contextual content with OSINT feeds.

Xavier Mertens is a freelance cyber security consultant based in Belgium. His daily job focuses on protecting his customers' assets by applying “defensive” security (incident handling, forensics, log management, SIEM, security visualisation, OSINT) but also “offensive” security (pentesting). However, his preferred domain is playing on the Blue Team side. Besides his daily job, Xavier is also a security blogger (https://blog.rootshell.be), a SANS Internet Storm Center handler (https://isc.sans.edu) and co-organizer of the BruCON security conference (https://www.brucon.org).

Incident Response Detection and Investigation with Open Source Tools

Thomas Fischer & Craig Jones (FVT SecOps Consulting, Sophos)

Defenses focus on what you know! But what happens when the attackers gain access to your network by exploiting endpoints, software or even your people? Under the assumption that you have been breached, how do you work backwards to gain knowledge of what happened? How can you find those adversaries in your infrastructure? IR detection and response relies on a structured process of identifying observables and collecting evidence. One aspect of this is the practice of proactively seeking out evil in your infrastructure, finding needles in haystacks that link to other needles and unveiling how an organization was compromised and possibly even answering the “why?”. This is commonly referred to as Threat Hunting. In this hands-on training participants will learn about the basic building blocks for an IR detection and investigation programme. The training will introduce the basics so that a participant will be able to take this knowledge and build up a programme in their own organisation. Using tools like ELK or HELK, GRR, Sysmon, and osquery, we will explore how to deploy and use these tools as basic free options to build the foundations of the threat hunting programme. The labs will look at how MITRE ATT&CK and things like Sigma rules are used to help identify indicators of attack. With interactive labs on a simulated corporate infrastructure of both Windows and Linux clients, we’ll explore the capabilities provided by these tools to hunt for common techniques used by malware and threat actors. Participants will walk away with a basic understanding of threat hunting and the tools needed to develop a hunting practice in their own organisation through the following agenda:

  • Intro to threat hunting
  • Threat hunting and the IR process
  • Understanding the requirements
  • Backend Tools
  • Detection/Reporting tools like MITRE ATT&CK and Sigma
  • Endpoint tools: osquery and Sysmon
  • Hands-on exercises will be spread across the 2 days

Participant Requirements

  • Working knowledge of Windows (no osquery experience required)
  • Working knowledge of the Linux shell (no osquery experience required)
  • Basic SQL
  • Laptop with an SSH client


Thomas has over 30 years of experience in the IT industry, ranging from software development to infrastructure & network operations and architecture, before settling in information security. He has an extensive security background covering roles from incident responder to security architect at Fortune 500 companies, vendors and consulting organisations. He is currently a security advocate and threat researcher focused on advising companies on understanding their data protection activities against malicious parties, not just for external threats but also compliance instigated.

Thomas is also an active participant in the InfoSec community not only as a member but also as director of Security BSides London, ISSA UK chapter board member and speaker at events like SANS DFIR EMEA, DeepSec, Shmoocon, and various BSides events.

Craig Jones is Senior Manager of Security Engineering in Sophos, responsible for detection engineering, IR and security infrastructure. @albanwr

Pentesting Industrial Control Systems

Arnaud Soullie (RS Formation & Conseil)

In this intense 2-day training, you will learn everything you need to start pentesting Industrial Control Networks.

We will cover the basics to help you understand what the most common ICS vulnerabilities are. We will then spend some time learning and exploiting Windows & Active Directory weaknesses, as most ICS are controlled by Windows systems.
And we will cover the most common ICS protocols (Modbus, S7, Profinet, Ethernet/IP, DNP3, OPC…), analyze packet captures and learn how to use these protocols to talk to Programmable Logic Controllers (PLCs). You will learn how to program a PLC, to better understand how to exploit them.

The training will end with an afternoon dedicated to a challenging hands-on exercise:
The first CTF in which you capture a real flag! Using your newly acquired skills, you will try to compromise a Windows Active Directory, pivot to an ICS setup to take control of a model train and robotic arms.

Arnaud Soullié (@arnaudsoullie) is a manager at Wavestone. For 9 years, he has been performing security audits and pentests on all types of targets. He specializes in Industrial Control Systems and Active Directory security. He has spoken at numerous security conferences on ICS topics: BlackHat Europe, BruCon, 4SICS, BSides Las Vegas, DEFCON…
He is also the creator of the DYODE project, an open-source data diode aimed at ICS.

Opening Ceremony

René Pfeiffer (DeepSec In-Depth Security Conference)

Everything has to start at some point, and so DeepSec 2019 will start with a short overview on what has been done in the past year, what will happen over the course of the conference, and what's in store for 2020.


René was born in the year of Atari's founding and the release of the game Pong. Since his early youth he started taking things apart to see how they work. He couldn't even pass construction sites without looking for electrical wires that might seem interesting. The interest in computing began when his grandfather bought him a 4-bit micro-controller with 256 byte RAM and a 4096 byte operating system, forcing him to learn assembler before any other language.

After finishing school he went to university in order to study physics. He then collected experiences with a C64, a C128, two Amigas, DEC's Ultrix, OpenVMS and finally GNU/Linux on a PC in 1997. He has been using Linux since that day and still likes to take things apart and put them together again.
Freedom of tinkering brought him close to the Free Software movement, where he puts some effort into the right to understand how things work – which he still does.


Computer Security is simple, the World is not.

Raphaël Vinot and Quinn Norton (-)

Information security is too often seen as a highly technical field in computer science, and one where the more technical someone is, the more right they are likely to be. But security is part of systems of life, that not only include computers and phones, but systems of living, cultures, history, politics, and interpersonal relationships. Technical knowledge is important in those systems, but on its own, it accomplishes very little -- as the sorry state of the computer security in the world demonstrates. Knowing how computers work doesn't give us an empirical knowledge of what people do with their devices, what their job is, what context they live in, what their adversaries want from them, what their capabilities or resources are.
In this talk we will explain why listening is the most important part of practical security, and how to listen effectively and efficiently.
We will touch on practical examples from our own life experience, from helping journalists, activists, and lawyers, to students, sex workers, and survivors of partner abuse. We will explain why in the end, information security may have more in common with anthropology -- investigation and analysis of practices in the real world -- than it does with math and software.

Raphaël Vinot & Quinn Norton

Comparing GnuPG With Signal is like Comparing Apples with Smart Light Bulbs

Hans Freitag (Conesphere GmbH (CEO), Metalab (Hackspace), CCC)

GnuPG is not designed to be used only in E-Mail, it plays an important role in securing all sorts of mission critical data. In this talk I will show you applications of GnuPG that are not E-Mail or Instant Messaging.

Born in Celle, Germany in 1980.
Found out about Open Source around 1997.
Attended the first Chaos Communication Congress in 1999.
Self employed as consultant and developer since 2001.
CEO/CTO and owner of Conesphere GmbH since 2017.

RevEngE is a dish served cold: Debug-Oriented Malware Decompilation and Reassembly

Marcus Botacin (Federal University of Paraná / UNICAMP / University of Campinas - Institute of Computing / UFPR)

Malware analysis is a key process for knowledge gain on infections and cybersecurity overall improvement. Analysis tools have been evolving from complete static analyzers to partial code decompilers. Malware decompilation allows for code inspection at higher abstraction levels, facilitating incident response procedures. However, the decompilation procedure has many challenges, such as opaque constructions, irreversible mappings, semantic gap bridging, among others.

In this talk, we propose a new approach that leverages the human analyst expertise to overcome decompilation challenges.

We name this approach "DoD—debug-oriented decompilation", in which the analyst is able to reverse engineer the malware sample on his own and to instruct the decompiler to translate selected code portions (e.g., decision branches, fingerprinting functions, payloads etc.) into high level code. With DoD, the analyst might group all decompiled pieces into new code to be analyzed by other tools, or to develop a novel malware sample from previous pieces of code and thus exercise a Proof-of-Concept (PoC). To validate our approach, we propose RevEngE, the Reverse Engineering Engine for malware decompilation and reassembly, a set of GDB extensions that intercept and introspect into executed functions to build an Intermediate Representation (IR) in real-time, enabling any-time de-compilation. We evaluate RevEngE with x86 ELF binaries collected from VirusShare, and show that a new malware sample created from the decompilation of independent functions of five known malware samples is considered "clean" by all VirusTotal's AVs.

Marcus is a Computer Engineer (UNICAMP, Brazil), Master in Computer Science (UNICAMP, Brazil) and CS PhD Student (UFPR, Brazil). His research interests are reverse engineering, malware analysis and systems security.

Chinese Police and CloudPets

Abraham Aranguren (7ASecurity)

This talk is a summary of three different security audits with an interesting background:

First, CloudPets, their epic track record, what we found and what happened afterwards.
Next, two mobile apps by Chinese Police: "BXAQ" and "IJOP", both related to surveillance of ethnic minorities, but in different ways. Stay tuned.

Part 1: CloudPets

Wouldn't it be cool, for a parent far from home, to be able to record a voice message with their phone and make the sound come out of a soft toy that children can hug? That's the idea of CloudPets. Children can even respond directly from the soft toy and communicate with their parents. What could possibly go wrong? Let your imagination go wild and you will still fall short :)

Database dumps, blackmailing, ransoms, millions of people affected, our findings and other intrigues, not to be missed!

Part 2: Chinese Police

This part talks about two mobile surveillance apps that Chinese authorities employ to spy on the Muslim minorities of China's Xinjiang region, the applications: "IJOP" and "BXAQ". These audits were sponsored by Human Rights Watch (HRW) and the Open Technology Fund (OTF). The Chinese government faced international criticism when the results of these audits became public.

While the audits focused on evidence gathering of the surveillance activities, which will be covered in this talk, we will also discuss some interesting vulnerabilities that we found along the way and which were not the focus of the audit itself. Also, for those interested in learning about mobile security we will talk about the challenges faced with these apps and how we overcame them.

This talk will be an interesting learning experience as it combines technical security vulnerabilities with political and commercial background implications.

After 13 years in Itsec and 20 in IT Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Former senior penetration tester / team lead at Cure53 (cure53.de) and Version 1 (www.version1.com). Creator of “Practical Web Defense” - a hands-on eLearn security attack / defense course (www.elearnsecurity.com/PWD), OWASP OWTF project leader of an OWASP flagship project (owtf.org), major degree and diploma in Computer Science, some certs: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+. As a shell scripting fan trained by unix dinosaurs, Abraham wears a proud manly beard. He writes on Twitter as @7asecurity @7a_ @owtfp or https://7asecurity.com/blog. Some presentations, pentest reports and recordings can be found at https://7asecurity.com/#publications

SD-WAN Secure Communications Design and Vulnerabilities

Denis Kolegov (Bi.Zone, Tomsk State University)

In this talk, we describe the most common classes of design flaws and vulnerabilities in SD-WAN secure communication mechanisms, and disclose a set of reported and already patched vulnerabilities in popular SD-WAN products. We present the new results of our research, consider some technical details of secure and insecure designs, weak attestation, zero-touch provisioning vulnerabilities, and non-TLS related padding oracle attacks.

Denis Kolegov is a principal security researcher at BI.ZONE and an associate professor in computer security at Tomsk State University. His research focuses on network security, web application security, cryptography engineering, and covert communications. He holds a PhD and associate professor degree in Computer Security. Denis has presented at different international security conferences including Power of Community, Area41, Zero Nights, Positive Hack Days, InsomniHack, and SibeCrypt.

Automatic Modulation Parameter Detection In Practice

Johannes Pohl (University of Applied Sciences Stralsund)

Internet of Things (IoT) devices have to be small and energy efficient so that resources for security mechanisms tend to be limited. Due to the lack of open source or license free standards, device manufacturers often use proprietary protocols. Software Defined Radios (SDR) provide a generic way to investigate wireless protocols because they operate on nearly arbitrary frequencies, but they output sine waves that have to be demodulated. This demodulation process slows down security investigations because it forces researchers to start on the physical layer while the real reverse-engineering is performed on the logical layer.

We contribute an auto-detection system that estimates all demodulation parameters of a wireless signal and, additionally, explicitly returns all these parameters so that they can be fine-tuned afterwards.
This allows security researchers to skip the physical layer and work with the bits and bytes instead of sine waves.
The contributed system is evaluated with both simulated signals and ten real-world signals captured from various IoT devices with SDRs.
Furthermore, we show how parameters can be estimated during recording time and evaluate this technique by attacking an AES secured wireless door lock.
Our solution is available as part of the open source software Universal Radio Hacker and follows the ergonomic philosophy of the main application.


Johannes Pohl studied Computer Science at the University of Applied Sciences Stralsund and received his Master of Science in 2013. Since then he has worked there as a PhD student and conducts research in the area of Location Privacy and Wireless Security. He worked for two years in DevOps research at Boreus Data Center, Germany. Since March 2017 he has worked as a Scientific Co-Worker at the University of Applied Sciences, Stralsund.

Mastering AWS Pentesting and Methodology

Ankit Giri (Independent Security Researcher)

Patterns have been found in AWS environments while exploring insecure S3 buckets, misconfigurations and compromised credentials. These flaws are an outcome of the way the particular environment was configured and are not flaws in AWS services themselves, and are therefore inevitable. Finding the flaws relies on specific knowledge and approach, as these attacks are specific.
There has been increasing use of AWS services, and migration has increased multifold as well. As a result, it is important to challenge existing AWS security measures to be able to detect potential issues.
Description of Research Topic
The intent here is to highlight the fact that pentesting cloud environment comes with legal considerations. AWS has established a policy that requires a customer to raise a permission request to be able to conduct penetration tests and vulnerability scans to or originating from the AWS environment. We can focus on user-owned entities, identity and access management, user permissions configuration and use of the AWS API integrated into the AWS ecosystem. Some of the examples would be targeting and compromising AWS IAM keys, establishing access through backdoor functions provisioned through different services, testing S3 bucket configuration and permission flaws and covering tracks by obfuscating CloudTrail logs.

Takeaway for the Audience from the Talk:
There is no standard methodology to pentest AWS environments, as it is dependent on the type and size of infrastructure being tested and the varied services of AWS. Looking at a configuration/feature, it can be used to perform an action which is not expected. The security audit/assessment which includes these flaws discovered in the AWS environment is a value add for the application owner’s organization, as these vulnerabilities would not have been detected by any tool, basic pentesting (based only on OWASP Top 10 or WASC Classification), and/or scanner.
The attendees will get an overview of different tools available to aid in pentesting cloud-specific environments, a short demo about a couple of tools, what different aspects are covered by a different set of tools, and how to use all of this as an exhaustive toolset for a comprehensive pentest.

1) Developing an approach toward pentesting a specific cloud environment
2) Different tools available for pentesting cloud-specific environments, short demo on a couple of tools.
3) Areas to look at in AWS for flaws and misconfiguration, understanding the shared responsibility model.

Speaker, presenter, and a blogger, Ankit has a diverse background in writing informational blogs. A penetration tester by profession with 4+ years of experience. Part time bug bounty hunter. Featured in the Hall of Fame of EFF, GM, SONY, HTC, Pagerduty, HTC, AT&T, Mobikwik and multiple other Halls of Fame. He loves speaking at conferences, has given talks at RSA APAC 2018, BSides Delhi 2017, CSA, Dehradun, Cyber Square Summit, OWASP Jaipur and has been a regular feature at Infosec meetups like Null and OWASP Delhi Chapter. He also leads the show for Peerlyst Delhi-NCR chapter. He has an upcoming talk at RSA US 2019 on Mastering AWS pentesting and methodology.

Still Secure. We Empower What We Harden Because We Can Conceal

Yury Chemerkin (Advanced Monitoring)

The launch of Windows 10 has brought many controversial discussions around the privacy factor of collecting and transmitting user data to Microsoft and its partners. But Microsoft was not the first, Apple did it many years ago and there was no public research on how much data were leaked out from MacOS. There is a statement in the Privacy Policy written by Apple: "Your device will keep track of places you have recently been, as well as how often and when you visited them, in order to learn places that are significant to you, to provide you with personalized services, such as predictive traffic routing, and to build better Photos Memories... ‘Everything’ stores in iCloud service".

Both cases are the same, designed in the same manner and driven by a similar idea to simplify device usage. It went even further with iOS and Android OS.
Eventually, MS and Apple have boldly described their OS as “the most secure OS ever.”

This research is based on three things: data leaks, hardening, and forensics.

Combining data leaks and hardening gives a data set with a goal and a vision of how to protect a system and make your use cases transparent. Forensics gives us excellent knowledge about valuable device security settings. Empowering the hardening with these anti-forensics techniques in terms of 'anti-forensics hardening' of a system makes it transparent what, when and why the whole device or its parts can or cannot be accessed. To be entirely sure that all insecure gaps are closed and to verify how secure your system is, there is the option to rely on penetration testing additionally. Furthermore, we will talk about which insecure services are used to receive tracking data from your system, and which of them can be blocked without breaking the system and user use cases.

This talk will systematically review
• Pentest to fix gaps of security & privacy. What tools to use and why you should perform pentesting, how to read and use security report.
• Content Filtering. Mapping rogue sites, analytics and tracking services into granular activities to leverage privacy risks
• Easy exploitation & post exploitation. Limits of AV solutions, risk of one vs. many browsers, add-ons & firewalls.
• Host & On-host network activities monitoring. Disassembling features of big enterprise solutions into lightweight tools and bringing them to in-home/small companies
• Data Protection. The security & privacy features hidden across different OS editions and builds, plus overlapping features & dependencies
• On the way to dedicated and centralized manageable solutions. Pentesting of dedicated solutions, automating security, whitelisting (native vs. vendor vs. third-party tools)
• Profiling and Use cases. The Future of forensically protected OS & devices

Yury Chemerkin has ten years of experience in information security. He is a multi-skilled security expert on security & compliance and mainly focused on privacy and leakage showdown. Key activity fields are EMM and Mobile Computing, IAM, Cloud Computing, Forensics & Compliance. He's published many papers on mobile and cloud security, and speaks regularly at conferences such as CyberCrimeForum, DefCamp, HackerHalted, NullCon, OWASP, CONFidence, Hacktivity, Hackfest, DeepSec Intelligence, HackMiami, NotaCon, BalcCon, Intelligence Sec, InfoSec NetSysAdmins, RootCon, PHDays, etc.

Harzer Roller: Linker-Based Instrumentation for Enhanced Embedded Security Testing

Katharina Bogad (Fraunhofer Institute for Applied and Integrated Security)

Due to the rise of the Internet of Things, there are many new chips and platforms available for hobbyists and industry alike to build smart devices. The SDKs for these new platforms usually include closed-source binaries comprising wireless protocol implementations, cryptographic implementations, or other library functions, which are shared among all user code across the platform. Leveraging such a library vulnerability has a high impact on a given platform. However, as these platforms are often shipped ready-to-use, classic debug infrastructure like JTAG is oftentimes not available.

In this paper, we present a method, called Harzer Roller, to enhance embedded firmware security testing on resource-constrained devices.
With the Harzer Roller, we hook instrumentation code into function call and return.
The hooking not only applies to the user application code but to the SDK used to build firmware as well.
While we keep the design of the Harzer Roller's general architecture independent, we provide an implementation for the ESP8266 Wi-Fi IoT chip based on the Xtensa architecture.

We show that the Harzer Roller can be leveraged to trace execution flow through libraries without available source code and to detect stack-based buffer overflows.
Additionally, we showcase how the overflow detection can be used to dump debugging information for later analysis.
This enables better usage of a variety of software security testing methods like fuzzing of wireless protocol implementations or proof-of-concept attack development.


There’s nothing much to say about myself, I've spent my school years hacking and reverse engineering Pokemon games instead of paying attention in geography, later found out that people actually have hacking competitions where one can capture flags and started participating. Currently I’m pursuing my master’s degree in computer science at TUM and doing what some people apparently call „research“ 😉 as a research assistant at Fraunhofer AISEC.


Security Analytics and Zero Trust - How Do We Tackle That?

Holger Arends (Telstra)

With the current trends towards zero trust networks, deployment of billions of IoT devices, interconnection of critical infrastructure to the cloud, well-organised threat agents, and the rise of fully autonomous systems, both the control of our environments and the security of our networks/systems are hard to achieve. As a matter of fact, it will not be manageable with traditional security safeguards and practices.

In our 1 ½ years of research we had the target to build not just another SIEM and so we have identified, modified and combined the best available technologies and practices, providing an alternative capability to master the current and future security challenges, all without any log, IDS/IPS, AV or EP data feeds. We've focused on network-related information analytics, combining technologies such as deep packet inspection, big data search, graph databases and machine learning to identify technologies and malicious intent.

We have analysed more than 20 billion flows in all kinds of networks and would like to share our results and findings, how to apply such approaches to a security analytics system, a hunting platform or a security safeguard, identifying and analyzing attacks and compromises not detected by other state of the art safeguards. Furthermore we want to speak about the often propagated “end of DPI” as a result of encrypted traffic. We think our work might change the view on such predictions.

Being a lifelong enthusiast for computer security and emerging technologies, Holger started his IT Security career in the German army in 1997. Since then, Holger has continued to strengthen his professional skill set by being involved in many security projects around the globe. While working with industry leaders such as Microsoft, he’s had several years of experience running his own IT Security business. Holger has always been passionate about innovating and developing new security solutions, and this has led him to Telstra where he is the Principal Security Domain Cyber Security expert at the Centre of Excellence, Technology & Innovation. His current role focuses on futuristic and real-world security analytics solutions in the fields of IoT and Cyber Security.

Android Malware Adventures: Analyzing Samples and Breaking into C&C

Kürşat Oğuzhan Akıncı & Mert Can Coşkuner (STM AS & Trendyol)

Android malware is evolving every day and is everywhere, even in Google Play Store.
Malware developers have found ways to bypass Google’s Bouncer as well as antivirus solutions, and many alternative techniques to operate like Windows malware does. Using benign looking applications working as a dropper is just one of them. This talk is about Android malware on Google Play Store targeting Turkey such as Red Alert, Exobot, Anubis, etc.

The talk will cover

1. Techniques to analyze samples: Unencrypted samples are often used to retrieve personal information to sell and do not have obfuscation. Encrypted samples however are used for sophisticated tasks like stealing banking information. They decrypt themselves by getting the key from a Twitter account owned by the malware developer and operate by communicating with the C&C. Also, most banking samples are using techniques like screen injection and dependency injection which is mostly used by Android application developers.

2. Bypassing Anti-* Techniques: To be able to dynamically analyze the samples, defeating anti-* techniques is often needed. We will introduce some (known) Frida scripts to be able to defeat common uses of anti-* checks in malware.

3. Extracting IoCs: Extracting Twitter accounts as well as C&C from encrypted samples is often critical to perform threat intelligence over samples. Extracting IoCs while assets are still active has been crucial for our research since we are also aiming to take over C&Cs. We will introduce (known) automation techniques to extract Twitter account, decryption key and C&C address.

4. Extract stolen information from C&Cs: In order to extract information from C&C, one should act swiftly. The speed of the extraction process is critical since the actors change C&Cs often. We will give a detailed walkthrough about how we approach C&Cs as a target and extract the information.

The samples and information presented in the talk are the product of our research on many bankbots – such as Anubis, Red Alert and Exobot – as well as other Turkish malware developer actors’ samples. All IoCs in this talk have been shared with the relevant third parties and are now inactive.

Kürşat Oğuzhan Akıncı is a Cyber Security Engineer at Trendyol. He is also a team leader of Blackbox Cyber Security which is Turkey's first cyber security volunteer group, coordinator and mentor of Turkcell CyberCamp and Turkish Airlines CyberTakeOff.

Mert Can Coşkuner is a Security Engineer at Trendyol. He maintains a Penetration Testing and Malware Analysis blog at medium.com/@mcoskuner.

Shallow Security: on the Creation of Adversarial Variants to Evade ML-Based Malware Detectors

Fabricio Ceschin (Federal University of Parana / University of Waikato)

The use of Machine Learning (ML) techniques for malware detection has been a trend in the last two decades. More recently, researchers started to investigate adversarial approaches to bypass these ML-based malware detectors. Adversarial attacks became so popular that a large Internet company has launched a public challenge to encourage researchers to bypass their (three) ML-based static malware detectors. Our research group teamed up to participate in this challenge in August 2019, accomplishing the bypass of all 150 tests proposed by the company. To do so, we implemented an automatic exploitation method which moves the original malware binary sections to resources and includes new chunks of data to it to create adversarial samples that bypassed not only their ML detectors but also real AV engines (with a lower detection rate than the original samples). In this paper, we detail our methodological approach to overcome the challenge and report our findings. With these results, we expect to contribute to the community and provide better understanding on ML-based detectors' weaknesses. We also pinpoint future research directions toward the development of more robust malware detectors against adversarial machine learning.


Fabrício Ceschin is a Ph.D. student and holds a master's degree in informatics at Federal University of Parana, Brazil (UFPR). Currently interested in machine learning and deep learning applied to security. Student supported by the Google LARA (Latin America Research Awards) program 2017.


Beyond Windows Forensics with Built-in Microsoft Tooling

Thomas Fischer (FVT SecOps Consulting)

Microsoft has slowly been introducing tools to help organisations better manage and troubleshoot Windows performance and issues; these are now entirely integrated into Windows. To improve performance and troubleshooting capabilities, Microsoft introduced System Resource Usage Monitor (SRUM) in Windows 8 and beyond. PowerShell has become the default “command line” management tool for Windows administrators. These tools provide a wealth of information about both what has happened and what is present on the system.

For Forensics and even Incident Response, these tools are now a go-to built-in option to bootstrap and drive the forensics process including opening access to artefacts that an overzealous user or even a “smart” attacker has removed. SRUM for instance can provide data points ranging from network to process activity providing insight into what, who, when and how an attacker or malicious process introduced itself into the environment.

This talk will help the participants build the foundations to identify which built-in tools can assist in the Windows Forensics process and the data points that are available, as well as examine how services such as SRUM can be used to extract key data points to provide information for incident response or threat hunting activities.

Thomas has over 30 years of experience in the IT industry ranging from software development to infrastructure & network operations and architecture to settle in information security. He has an extensive security background covering roles from incident responder to security architect at Fortune 500 companies, vendors and consulting organisations. He is currently a security advocate and threat researcher focused on advising companies on understanding their data protection activities against malicious parties not just for external threats but also compliance instigated.

Thomas is also an active participant in the InfoSec community not only as a member but also as director of Security BSides London, ISSA UK chapter board member and speaker at events like SANS DFIR EMEA, DeepSec, Shmoocon, and various BSides events.

The Turtle Gone Ninja - Investigation of an Unusual Crypto-Mining Campaign

Ophir Harpaz, Daniel Goldberg (Guardicore)

At first sight, Nansh0u is yet another attack campaign aiming to mine a marginal crypto-currency named TurtleCoin. However, things get much more interesting once you gain full access to the attacker’s infrastructure.
Our investigation revealed a complete picture of how the Nansh0u campaign operates, which victims are in the crosshairs and what advanced tools are used in the attacks. Port scanner, brute-force module, remote-code execution tool, verbose log files and tens of different malware payloads - these are only a portion of the attacker’s assets we managed to put our hands on. The real icing on the cake, however, are the signed rootkit and sophisticated privilege escalation exploits dropped onto each one of the 50k infected victim machines.
In this talk, we will walk our listeners through the Nansh0u campaign from beginning to end - starting with the port scanning phase and ending with the exploit, miner payload and rootkit running on the compromised machines.
This attack pattern resembles that of many campaigns targeting data-centers nowadays. Our goal is to demonstrate how even a common Cyber criminal wishing for TurtleCoin has access to the toolsets of an experienced Ninja-hacker.

Ophir Harpaz is a security researcher at Guardicore Labs. At work, she delves into Cyber attacks targeting data centers and analyzes malware. She holds a BSc in Computer Science and Linguistics from Tel Aviv University.
She also runs and maintains the popular https://begin.re workshop for reverse engineering newcomers.

Daniel Goldberg is a security researcher at Guardicore, where he is responsible for tracking the security intelligence, including detailed analysis of hackers' methodologies, for use in implementing countermeasures into Guardicore products and services. Daniel has over 10 years of cyber security research experience and his research has been presented in security conferences such as Black Hat USA. He also maintains the Infection Monkey, an open source breach and attack simulation tool. 

30 CVEs in 30 Days

Eran Shimony (CyberArk)

In recent years, the most effective way to discover new vulnerabilities is considered to be fuzzing. We will present a complementary approach to fuzzing. By using this method, which is quite easy, we managed to get over 30 CVEs across multiple major vendors in only one month.
Some things never die. In this session, we'll show that a huge amount of software is still vulnerable to DLL Hijacking and Symlinks abuse and may allow attackers to escalate their privileges or to DoS a machine. We will show how we generalized these two techniques within an automated testing system called Ichanea, with the aim of finding new vulnerabilities.
Our mindset was - choose software that is prone to be vulnerable: Installers, update programs, and services. These types of software are often privileged. Therefore, they are good candidates for exploitation using symlink or DLL Hijacking attacks. We're only scratching the surface and we are positive that there are additional attack vectors that could be widely implemented to achieve similar results.

Eran Shimony is a security researcher at CyberArk.
Eran has an extensive background in security research that includes years of experience in malware analysis and vulnerability research on multiple platforms. With a growing interest in logical vulnerabilities he has made lots of disclosures across multiple vendors.

Emoji, how do they even work and how they break Security

MacLemon (-)

Emoji are used everywhere these days and cannot be retracted from our daily communication. But how do they work and where did Emoji originate from? Join this talk and learn about their security relevance and the semiotics in the 21st century.

# Emoji

Where do they come from? How did they develop historically and how is that related to Asia?
How do Emoji work technically and why are they relevant for IT-Security?
Which cultural and linguistic entanglements do Emojis cause in our daily communication and why?

To prevent boringness and terrible technicalities there will be lots of obscure trivia regarding these most beloved Unicode characters.


Sysadmin by trade, strong supporter of anonymity and privacy, that odd person doing strange things with Macs, Hackspace and community affiliations: Chaos Computer Club Vienna; BSidesVienna, BSDStammtisch Wien, Metalab, Cocoaheads


Hands-On Workshop: Attacks on the Diffie-Hellman Protocol

Denis Kolegov, Innokentii Sennovskii (BiZone LLC / Tomsk State University)

This workshop is a hands-on task-based study of the Diffie-Hellman protocol and its modern extensions focusing on vulnerabilities and attacks.

Some of the topics that will be highlighted:
- Diffie-Hellman key exchange
- Elliptic-curve Diffie-Hellman
- Variants of Diffie-Hellman protocol: Ephemeral, static, anonymous, authenticated Diffie-Hellman
- X3DH, Noise and SIGMA protocols
- Forward secrecy and post-compromise security
- Small-subgroup attack
- Gelfond-Shanks algorithm
- Pohlig-Hellman algorithm
- Pollard’s rho and lambda algorithms
- Invalid curve attack
- Curve twist attack
- Protocol attacks (MitM, replay, KCI, UKS)

- Small subgroup attack against multiplicative group DH
- Invalid curve attack against ECDH
- Twist attack
- KCI attack

Key Takeaways
- Learn about Diffie-Hellman key exchange
- Learn about applying Diffie-Hellman in modern protocols
- Hands-on experience in implementation of the classic attacks

Target Audience
Anyone who has a strong interest in cryptography and prefers a "learning by doing" approach. The workshop is suitable for software developers, penetration testers, reverse engineers, quality assurance engineers and students. No specific background or explicit knowledge of group theory or number theory is required. Attendees should be familiar with Python or Golang. Some experience with programming or hacking is recommended.

Skill Level
What Students Should Bring
A laptop prepared with Python 3, Sage, Docker and Golang 1.12.


Innokentii Sennovskii has 5 years of information security experience primarily in the fields of reverse engineering and system programming. He is a senior computer forensics specialist at BiZone LLC and a visiting lecturer at Harbour.Space University for Technology and Design (Barcelona, Spain). His primary interests lie in the fields of cryptography, reverse engineering, and exploitation. He discovered a vulnerability in Intel CPUs (Meltdown Variant 3a, CVE-2018-3640). Innokentii is a part of LCBC CTF team; before joining BiZone, he won first place as part of this team in CTFZone competition. This year he won Insomnihack CTF as a part of the LCBC team. He has also placed second in PHDays VI car hacking competition as well as the latest PHDays’ HackBattle competition.

Denis Kolegov is a principal security researcher at BiZone LLC and an associate professor of Computer Security at Tomsk State University. His research focuses on network security, web application security, cryptography engineering, and covert communications. He holds a PhD and an associate professor degree. Denis presented at various international security conferences including Power of Community, Area41, SecurityFest, Zero Nights, Positive Hack Days, InsomniHack, and SibeCrypt.


“The Daily Malware Grind” – Looking Beyond the Cybers

Tim Berghoff, Hauke Gierow (G DATA Software AG)

Given the noise generated around all the “sexy” and no doubt interesting topics like 0days, APT and nation state-sponsored threat actors it is easy to miss what is really going on out there, in the world of Joe Average. Actual telemetry data paints a picture that is in many respects different from what happens in a lot of the news coverage. Much of the malware out there, including some that is attributed to some sort of APT, is nowhere near anything that might be considered “sophisticated”. In this talk we will shine a light on different aspects of the realities of home users as well as companies, and offer some interesting data about the malware that actually does the most damage, while precious few get all the press.

Hauke is a spokesperson for G DATA Software AG. Before, he worked as a journalist with Golem.de as well as Head of Internet Freedom Desk at Reporters Without Borders Germany and a China Think Tank in Berlin.

Tim is a Security Evangelist at G DATA Software AG and frequently speaks about security at conferences and gatherings. He previously consulted companies and the public sector on IT-security questions.

Demystifying Hardware Security Modules - How to Protect Keys in Hardware

Michael Walser (sematicon AG)

A secure crypto-algorithm is based on the fact that only the key needs to be kept secret, not the algorithm itself. The key is of high value and must be protected.
In this talk we will have a look at how to protect keys and why dedicated hardware is needed to make sure the key is kept secret and always under the control of the owner.
Different use cases require different HSMs (Hardware Security Modules). We will have a look at data centres and cloud HSMs as well as at desktops and embedded solutions like industrial equipment or IoT-Devices.

Afterwards you can visit us at our booth to see market leading HSMs in action and you will have the possibility to discuss features and functions with long-term crypto experts.

Michael Walser is a member of the executive board and CTO of the Munich based security company sematicon AG. In this function, he is responsible for the company's technical business strategy and advises customers how to securely implement the digital transformation in industry and IT.
After graduating in electrical engineering, he was working as a consultant and advisor on successful IT security and digital payment projects - always focusing on cryptography - for many years. He supported many customers worldwide and was also responsible for the projects' implementation.

sematicon AG is a Munich-based company specialised in IT security and cryptography. We support our customers in mastering digital transformation successfully and securely in their operations. With a focus on IT, industry and electrical engineering, we offer highly specialised security solutions, which have been developed on the basis of industrial and IoT requirements. For example, our solution for secure and isolated remote access to industrial plants and systems has been declared to be innovative by our customers. Furthermore, we support and advise you in the planning and implementation processes of your security concepts. In our in-house training centre - the sematicon academy - we aim at qualifying employees in all relevant IT security areas. Thus, we offer comprehensive security services for the industrial and electronics sectors from a single source.

The Future Is Here - Modern Attack Surface On Automotive

Lior Yaari (Cymotive & Imperium Security)

Working as a security researcher for the automotive industry, I received futuristic equipment to test. Test? Hack!
In two or three years from now, our vehicles will be full of communication interfaces to the outside world. V2X technologies, smart batteries with PLC communication, wireless car keys and more. Each new feature brings threats with it.

In this talk I will talk about the new automotive technologies and the vulnerabilities already found in them. I hope to make people understand the cyber opportunities and threats of 2023. The future is going to be interesting.

This talk will not cover zero days, since the devices are not yet on the market. But it will cover sample attacks performed over the test equipment, and will explain the threat these devices pose to the vehicle.

Lior is an expert in embedded security research. After more than six years as a technological officer in the Israeli military, he joined the cyber security industry as a vulnerability researcher for autonomous vehicles. More than 40 vulnerabilities later he decided to share his knowledge in order to help the world avoid the next security breach. His consulting company, Imperium Security, aims to teach every developer to secure his own code.
Lior is one of the top rated lecturers of the Israeli military technological trainings for the past 5 years, every year.

Practical Security Awareness - Lessons Learnt and Best Practices

Stefan Schumacher (Magdeburger Institut für Sicherheitsforschung)

This talk will show lessons learnt from awareness campaigns I ran in several organisations. The focus lies on the instructional design of staff training to motivate the staff, enable them to work with complexity and help them to transfer the new knowledge to their job. Some practical examples with regards to teaching password rules will be shown.

Stefan Schumacher is the president of the Magdeburg Institute for Security Research and editor of the Magdeburg Journal for Security Research in Magdeburg/Germany. He started his hacking career before the fall of the Berlin Wall, on a small East German computer with 1.75 MHz and a Datasette drive. Ever since, he liked to explore technical and social systems, with a focus on security and how to exploit them. He was a NetBSD developer for some years and involved in several other Open Source projects and events. He studied Educational Science and Psychology, has done a lot of unique research about the Psychology of Security with a focus on Social Engineering, User Training and Didactics of Security/Cryptography. Currently he's leading the research project Psychology of Security, focusing on fundamental qualitative and quantitative research about the perception and construction of security.
He presents the results of his research regularly at international conferences like AusCert Australia, Chaos Communication Congress, Chaos Communication Camp, DeepSec, DeepIntel, Positive Hack Days Moscow or LinuxDays Luxembourg and in security related journals and books.

New Tales of Wireless Input Devices

Matthias Deeg (SySS GmbH)

In our talk, we will present new security tales of wireless mice, keyboards, and presenters using 2.4 GHz radio communication that we have collected over the last two years.

In 2016, we published the results of our research project "Of Mice and Keyboards: On the Security of Modern Wireless Desktop Sets" and publicly disclosed several security vulnerabilities in wireless desktop sets using AES encryption of different manufacturers. In the same year, Bastille Research independently published security vulnerabilities in wireless mice and keyboards of different manufacturers, too. As time went by, we have learned more about the (in)security of further wireless input devices like mice, keyboards, and presenters using different 2.4 GHz radio-based technologies, and want to share our experiences and gained knowledge concerning these devices.

In our talk, we want to present answers to unanswered questions of our previous wireless desktop set research, raise the awareness of security issues and practical attacks against vulnerable wireless input devices, and tell some interesting tales.

Matthias has been interested in information technology - especially IT security - since his early days and has a great interest in seeing whether security assumptions in soft-, firm- or hardware hold true when taking a closer look. Matthias successfully studied computer science at the university of Ulm and holds the following IT security certifications: CISSP, CISA, OSCP, OSCE.

Since 2007 he has worked as an IT security consultant for the IT security company SySS GmbH and is head of R&D.

His research results concerning different IT security topics were presented at different international IT security conferences (Chaos Communication Congress, DeepSec, Hacktivity, ZeroNights, PHDays, Ruxcon, Hack.lu, BSidesVienna). He also published several IT security papers and security advisories.

What Has Data Science Got To Do With It?

Thordis Thorsteins (Panaseer)

In this talk I want to shed some light on data science’s place within security. You can expect to learn how to see through common data science jargon that’s used in the industry, as well as to get a high level understanding of what’s happening behind the scenes when data science is successfully applied to solve complex security problems.

The talk is aimed at anyone who's been curious or had questions about the rise of things like "machine learning" or "big data" in the context of security. No prior data science knowledge is required.

A background in mathematics and an interest in computer science led me into a field that sits nicely in the intersection of the two - data science. Before applying data science to security I worked in risk management, but a year and a half ago I joined Panaseer where I work with the rest of the team to derive useful insights for customers from their security data.

How To Create a Botnet of GSM-devices

Aleksandr Kolchanov (Independent security researcher)

GSM-devices are becoming more popular. Users can set them up fast, use them without landline internet and Wi-Fi, and control them remotely. But now they are also an interesting target for hackers. Usually, GSM-devices have a menu for calls (IVR menu with DTMF commands). This talk will cover the question of mass attacks on these devices. There are some main questions:

1) Which devices are in danger?
2) How can hackers attack them?
3) What about mass attacks and botnets?
4) What can hackers do after a successful hack?
5) How can you protect yourself?

1) There are several popular types of GSM-devices:

* GSM-alarms
* Smart homes control systems
* Industrial GSM-control systems
* Access control systems and locks
* Some communication systems
* Smartwatches for kids

There are different models for every type of device. I will tell you about several models: which are more secure and which are insecure.

2) I will make a short introduction on attacks on GSM-devices:

The main idea of attacks is easy: make a call to a device, bypass an authorization, perform actions.
Main questions of this chapter:
* When is it necessary to spoof a Caller ID? When can an attacker make a call with a random number?
* How to bypass authorization? Security of Caller ID check.
* Brute-force attacks: typical rules for passwords (several popular GSM-alarms only allow a 4-digit password). An attacker can silently find it in less than 24 hours.

These methods (spoofing Caller ID and brute-force) allow most GSM-alarms and some other GSM-devices to be hacked fast.

3) The hacking of one device is easy. So, is it possible to perform a mass attack and create a botnet? This question will be covered in the following chapter.

There are two main steps for a mass attack:
* Find devices.
* Hack found devices.

I will tell you how attackers can find devices: from scanning all phone numbers to a more effective combination of OSINT methods, data leakages and small vulnerabilities at mobile operators systems.

For example, an attacker can scan all live mobile numbers in Russia (my country) and spend less than 10 000 USD.

After a successful scanning an attacker can hack most devices with methods from the previous chapter.

I will show the estimated time for attacks, estimated costs and an estimated amount of victims. These results show that it is faster and less expensive than you might expect.
So, this problem of security of GSM-devices should be considered.

Also, I will show a faster method of mass hacking of GSM-devices. It's based on data leakages of contact lists from people. The main idea is to check data leakages (for example, applications like GetContact) and try to find contacts with titles related to devices (like "home", "door", "car", "village", "alarm", "pump"). This method allows devices to be found fast, but the results are less complete.

4) After a successful mass hack, an attacker will control thousands of GSM-devices. In this chapter, I will tell you what s/he can do.

There are some different effective and dangerous methods of exploitation:

* Firstly, an attacker can control thousands of GSM-alarms. S/he can do anything: switch on and switch off an alarm, listen in to rooms, switch on and switch off connected devices. This can be used to collect confidential data (such as conversations in an apartment or office). Also, an attacker can use it for effective burglary (s/he can listen in to rooms to find a moment when everybody leaves home, disable the alarm and do anything). Also, s/he can sell this information to other burglars.

* S/he can hack some smart home system and perform all available actions.
* An attacker can attack some industrial GSM-controllers. In some cases this allows business processes to be destroyed or can cause an emergency.
* An attacker can use it to scare people. What about an alarm alert every night?
* Some devices are locks. An attacker can remotely open or close doors.
* An attacker can use a botnet of GSM-devices to perform DDOS attacks with SMS or calls.
* Finally, some devices allow USSD or SMS commands to be performed. An attacker can use this to gain access to an account at a mobile operator site to steal money.

5) In the last chapter, I will talk about how you can protect yourself or your company when you use GSM-systems. Also, I will tell you what you should consider if you want to create your own device.

Short brief: these attack methods allow an attacker to gain full access to thousands of GSM-devices, use them to get private data, hack users' accounts, use them as a botnet, and perform dangerous actions in the real world.

Aleksandr Kolchanov is an independent security researcher and consultant. Ex penetration tester of a bank in Russia. He takes part in different bug bounty programs (PayPal, Facebook, Yahoo, Coinbase, Protonmail, Yandex, Privatbank). Aleksandr is interested in uncommon security issues, telecom problems, privacy, and social engineering.

500.000 Recalled Pacemakers, 2 Billion $ Stock Value Loss – The Story Behind

Tobias Zillner (Alpha Strike Labs GmbH)

During an independent security assessment of several pacemaker vendors, multiple lethal and highly critical vulnerabilities were found. Based on previous experience with one specific vendor, a new way of monetising vulnerabilities has been chosen. After going public a huge discussion on vulnerability disclosure ethics and responsibilities began. The stock value of the affected vendor dropped by 2 billion dollars in just one single day. The security researchers got discredited and a huge lawsuit was started. After a year of mutual accusations and denial more than 500.000 pacemakers got recalled. This talk will provide insights into pacemaker security and share first-hand experience gathered during this project. A special focus will also be on ethical vulnerability disclosure and lessons learned for future security research.

Tobias Zillner is co-founder and IT-Security specialist at Alpha Strike Labs, specialized in consulting for industrial security and security ratings. In addition to industrial security Tobias mainly focuses on current hacking techniques and reverse engineering wireless communication. He has been speaking at several international security conferences (Black Hat, Defcon, DeepSec, BSides,...) and is engaged in teaching at the University of Vienna and the University of Applied Sciences in St. Pölten.

Mobile Network Hacking, All-over-IP Edition

Luca Melette, Sina Yazdanmehr (Security Research Labs)

Mobile networks have gone through a decade of security improvements ranging from better GSM encryption to stronger SIM card and SS7 configurations. These improvements were driven by research at this and other hacking conferences.
Meanwhile, the networks have also mushroomed in complexity by integrating an ever-growing number of IT technologies from SIP to WiFi, IPSec, and most notably web technologies.
This talk illustrates the security shortcomings when merging IT protocols into mobile networks. We bring back hacking gadgets long thought to be mitigated, including intercepting IMSI catchers, remote SMS intercept, and universal caller ID spoofing.
We explore together which protection measures were forgotten in the mobile network and discuss how to best bring them over from the IT security domain into mobile networks.

Luca Melette is a security researcher with focus on all sorts of telecommunication networks.
In the past years, together with Karsten Nohl, he discovered and disclosed several security vulnerabilities in mobile networks, from low-cost radio attacks to more sophisticated interconnect abuse.
Luca's one of the maintainers of the website gsmmap.org and the related mobile app SnoopSnitch.

Sina Yazdanmehr is a penetration tester and information security consultant. Since 2009, he has worked for different security firms and CERT, developing a strong expertise in web and mobile applications security. His research about Android fingerprint authentication security and JavaScript deobfuscation has been presented at security conferences. Recently, his expertise extended to mobile networks security, discovering issues that will be presented at this conference.

Saving Private Brian

Michael Burke (Grant Thornton)

This talk will be given as the story of Brian, an aid worker operating in a hostile third country. When he was stopped going in at the border, he had his iPhone taken from him and then returned to him 15 minutes later. Now he can't be sure if any malware was implanted on his device. Malware that could compromise him, his organisation and anyone who co-operates with him. He needs his phone to do his work but should he stop using it instead? Are all his contacts already compromised? Should he warn them and should he use his phone to do so? And will he and his phone be tracked to any in-person meetings?

iOS malware is rare, advanced and difficult to detect when deployed. I will talk through the above scenario on the basis of the threats that exist, how iOS malware is implanted, what its capabilities are and how it can be detected simply and quickly in future. This will increase the safety and security of the workers we rely on to make the world a better place.

I am Ireland's most active digital forensic investigator working on a wide variety of cases for Grant Thornton but specialise in MacOS and iOS forensics.
I am an external expert for the EU in cybersecurity funding decisions.
I have lectured at third level, spoken at conferences and briefed the Irish national cybercrime unit on my research in digital forensics.
I hold Masters degrees in both Forensic Computing and International Security Studies.
I am a former member of the Irish national police service as well as a reformed member of the start up world.

Panel Discussion: Mobile Network Security

Jim Swiatko, Aleksandr Kolchanov, Luca Melette & René Pfeiffer

Mobile networks and their security have been part of DeepSec conferences since day one. The panel discussion will feature our speakers with expert knowledge in the field along with Jim and René as moderators and input from the audience. It's not only about 5G, it's about the role of mobile networks in today's infrastructure and daily life.




IPFS As a Distributed Alternative to Logs Collection

Fabio Nigi (Philip Morris international)

We want access to as many logs as possible. Historically the approach is to replicate logs to a central location. The cost of storage is the bottleneck of SIEM solutions, which are hard to maintain at scale, leading to a reduction in the amount of information at our disposal.
The state-of-the-art solutions today focus on analyzing the logs on the endpoint. This can optimize the maintenance but adds the problem of updating the rules or accessing raw data.
Both approaches are inefficient and expensive.

What we want from logs collection:
- comparability
- accessibility
- Inference and baselines
- replication on topics
- on demand access and drilldown with hashable/forensic history of status
- ownership: data need to point 1:1 to endpoint/people

Granting access to all endpoint hosts' logs meets at least the requirements above, with 0 storage cost and low maintenance.

This can be achieved by applying the logic of non-centralized web distribution used in the IPFS/IPNS protocol to log collection. https://ipfs.io/#why

What are you going to get from the talk?
- IPFS protocol explanation and features
- How to modify the FOSS ipfs client to make it "log friendly" and transparent to the user
- How to define a private cluster, key mgmt., IPNS (DNS): This will grant encryption in transit and in storage
- How to define an IPFS gateway to collect the information using the classic HTTP API
- How to integrate the solution via the SIEM solution you have in place: This will grant the possibility to use the playbook already designed

Properties protocol-granted:
- Each log file and all of the blocks within it are given a unique fingerprint called a cryptographic hash.
- IPFS removes duplications across the network.
- Each network node stores only content it is interested in, and some indexing information that helps figure out who is storing what.
- When looking up files, you're asking the network to find nodes storing the content behind a unique hash.
- Every file can be found by human-readable names using a decentralized naming system called IPNS.

Fabio Nigi, head of security operation at Philip Morris Digital, former security investigator at Cisco CSIRT. During and after his engineering degree in Computer Science, Fabio focused on Ethical Hacking, spent 10 years researching, analyzing and solving ICT Governance, Risk, Compliance, Information Security and Privacy issues as SMEs in Enterprise global environments.
LinkedIn Profile: https://www.linkedin.com/in/fabionigi/

Lauschgerät - Gets in the Way of Your Victim's Traffic and Out of Yours

Adrian Vollmer (SySS R&D)

The talk will present a new tool for pentesters called "Lauschgerät". This Python script acts as a convenient man-in-the-middle tool to sniff traffic, terminate TLS encryption, host malicious services and bypass 802.1X - provided you have physical access to the victim machine, or at least its network cable.

There are three ways to run it: Either on its own dedicated device like a Raspberry Pi or Banana Pi, in a virtual machine with two physical USB-NICs attached, or on your regular pentest system in its own network namespace. It will look like a completely transparent piece of wire to both victim systems you are getting in the middle of, even if they are using 802.1X because it is implementing the ideas presented in a talk by Alva Lease 'Skip' Duckwall IV.

The Lauschgerät operates with three interfaces: Two interfaces going to the victim client and the victim switch respectively, and one management interface which you can connect to and initiate the redirection of traffic, inject your own traffic, start and stop malicious services, and so forth. It comes with a few services included, such as a service that terminates TLS encryption (which will of course cause a certificate warning on the victim's end) or a service that performs the classic "SSL strip" attack. And more to come!

An optional wireless interface can either be used as another management interface or for intercepting traffic of wireless devices. The management can be done via SSH or via a web application, making sure you can hit the ground running.

Details on the challenges of its implementation will be covered in the talk, focusing on the 802.1X bypass and the transparent TLS proxy, including a demo that shows how a man in the middle can modify traffic by flipping images in web pages.

Formerly an astrophysicist focusing on cosmology, Adrian Vollmer has been working as an IT security consultant for the Germany-based pentest company SySS since 2015. His specialty is hacking Windows networks and performing all kinds of man in the middle attacks.

Extracting a 19-Year-Old Code Execution from WinRAR

Nadav Grossman (Check Point Software Technologies)

Half a billion users worldwide use WinRAR for creating and extracting archives.
This usually is assumed to be a safe procedure, however, we found a critical vulnerability that results in RCE by simply using WinRAR to extract an archive.
After we published some of the details regarding the vulnerability it quickly spread through the cyber-crime world.

In this talk we tell the story of how exactly we found the vulnerability and how we exploit it.
This is no ordinary story, as you can imagine that finding a 19-year-old bug in such high-profile software isn't.

We will share the fuzzing process using WinAFL, the way of thinking, and the evolution of our fuzzer/harness until we found the critical bug.
We will fully disclose the root cause, the exploitation process and the mitigations we had to overcome, as well as speak about the aftermath of such a mainstream event.

Nadav is a vulnerability researcher in the Malware and Vulnerability Research group at Check Point Research. He started his career in an elite Israeli military cyber unit as Research and Development Engineer. Before Check Point, he worked at Akamai as a security researcher and at IBM as a malware researcher. Nadav is passionate about vulnerability research and reversing and in his spare time he loves to play billiards.

Setting up an Opensource Threat Detection Program

Lance Buttars (Ingo Money)

Through the use of event detection monitoring and do it yourself monitoring techniques on a Linux Apache PHP MySQL stack, I will demonstrate how you can create different alarms and reporting surfaces that alert you when your application is being attacked. This case study will demonstrate the use of hacking tools as a defense strategy in a corporate network and will cover the story of the detection of insider threats from the internal application point of view. The entire presentation is a hands-on lab that can be used after the presentation as a guide for attendees to set up a Threat Detection program.

Lance works as a software engineer in the payment industry developing software that transfers money between banking systems. He is a founding member of 801 Labs; a hackerspace located in Salt Lake City and is an active member of his local Defcon group DC801. Lance has a BS in Computer Science and a Master’s Degree in Cybersecurity and Info Assurance.

Workshop: Applied Cryptography for Embedded Engineers - No fear about cryptography

Michael Walser (sematicon AG)

Cryptography is not your enemy; it is a real problem solver. Some modern industrial standards like the IEC-62443 define requirements which are, among others, solvable with cryptography - if you have the right tools. We will take a journey from the basics of cryptography to real-world use cases including cloud or IT connections. And what about cryptography and industrial real-time applications? We will not only answer the question of what secure elements and embedded HSMs are, but also discuss the benefits of using them. You will learn about the different algorithms and technologies in conjunction with example use cases to focus on best practices and avoid major mistakes. We will also look over the risks and attacks to consider when using this technology. Our objective is not to discuss the mathematics, but we want to give you the skill set to ask the right questions when starting a design, discuss future requirements and define the targets you would like to protect.


Michael Walser is a member of the executive board and CTO of the Munich based security company sematicon AG. In this function, he is responsible for the company's technical business strategy and advises customers how to securely implement the digital transformation in industry and IT.
After graduating in electrical engineering, he worked for many years as a consultant and advisor on successful IT security and digital payment projects - always focusing on cryptography. He supported many customers worldwide and was also responsible for the projects' implementation.

sematicon AG is a Munich-based company specialised in IT security and cryptography. We support our customers in mastering digital transformation successfully and securely in their operations. With a focus on IT, industry and electrical engineering, we offer highly specialised security solutions, which have been developed on the basis of industrial and IoT requirements. For example, our solution for secure and isolated remote access to industrial plants and systems has been declared to be innovative by our customers. Furthermore, we support and advise you in the planning and implementation processes of your security concepts. In our in-house training centre - the sematicon academy - we aim at qualifying employees in all relevant IT security areas. Thus, we offer comprehensive security services for the industrial and electronics sectors from a single source.


Well, That Escalated Quickly! - A Penetration Tester's Approach to Windows Privilege Escalation

Khalil Bijjou (SEC Consult)

Companies engage security experts to penetrate their infrastructures and systems in order to find vulnerabilities before malicious persons do. During these penetration tests, security experts often encounter Windows endpoints or servers and gain low privileged access to these. To fully compromise a system, privileges have to be escalated.

Windows contains a great number of security concepts and mechanisms. These render privilege escalation attacks difficult. Penetration testers should have a sound knowledge base about Windows components and security mechanisms in order to understand privilege escalation concepts profoundly and apply these.

This talk imparts knowledge on Windows required to understand privilege escalation attacks. It describes the most relevant privilege escalation methods and techniques and names suitable tools and commands. These methods and techniques have been categorized, included into an attack tree and were tested and verified in a realistic lab environment. Based upon these results, a systematic and practical approach for security experts on how to escalate privileges was developed.

Khalil is a passionate penetration tester and security consultant with a big curiosity for technical topics, especially in the field of IT security. He performs security assessments for major companies especially in the field of web, infrastructure and SAP security. Placed 2nd in the German Post IT Security Cup 2015 and carries the Mint award 2016 in the field of Cybersecurity. Author of the “Web Application Firewall Bypassing – an approach for penetration testers” paper which was presented at several international conferences. Publisher of the open-source tool WAFNinja which is used by security experts world-wide.

S.C.A.R.E. - Static Code Analysis Recognition Evasion

Andreas Wiegenstein (SERPENTEQ GmbH)

Companies increasingly rely on static code analysis tools in order to scan (their) (custom) code for security risks. But can they really rely on the results?

The typical SCA tool is designed to detect security issues in code that were created by accident / lack of skill. But how reliable are these tools, if someone intentionally places bugs in code that are not supposed to be found?

This talk explores several nasty concepts of how malicious code could be camouflaged in order to avoid detection by SCA algorithms.

On a technical level, the following concepts are covered:
- covert data flow
- deep call stacks
- circular calls
- source mining
- counter-encoding
- data laundering

Based on this, I will provide some code snippets as proof of concept for the audience to test at home.

This talk focuses on general weaknesses of SCA tools. I am not going to point the finger at specific vendors.

Andreas is an experienced SAP security researcher. He discovered a substantial number of zero-days in SAP software and supported development of a market leading ABAP SCA tool. He has spoken at multiple security conferences such as Black Hat, DeepSec, HITB, IT Defense, RSA and Troopers. His current research is focused on malware.

Once Upon a Time in the West - A story on DNS Attacks

Valentina Palacín, Ruth Esmeralda Barbacil (Deloitte)

Just like in Old West movies, we are going through a land riddled with well-known gunmen: OceanLotus, DNSpionage and OilRig, who roam at ease, while the security cowboys sleep. This presentation will uncover the toolset and techniques used by these gunmen, taking a closer look at their big guns and their behavioral patterns. We will explore the attacks involving DNS that took place during the last decade to examine the latest discovered techniques in order to improve detections to dodge the bullets they are firing in our direction.

Valentina is a Deloitte Threat Intelligence Senior Analyst, specializing in tracking APTs worldwide and using the ATT&CK Framework to analyze their tools, tactics and techniques. She is a self-taught developer with a degree in Translation and Interpretation from the Universidad de Málaga (UMA), and a Cyber Security Diploma from the Universidad Tecnológica Nacional (UTN).

Ruth is an information systems engineering student from the Universidad Tecnológica Nacional (UTN). She has been working at Deloitte's Argentina Cyber Threat Intelligence area as the Threat Library Team Leader. She has gained experience related to Tactics, Techniques and Procedures (TTPs) investigation, Advanced Persistent Threats (APTs), Campaigns, Incidents and Tools to help mitigation and defense.

What’s Wrong with WebSocket APIs? Unveiling Vulnerabilities in WebSocket APIs.

Mikhail Egorov (Independent security researcher)

The WebSocket protocol is many times more efficient than HTTP. In recent years we can observe that developers tend to implement functionality in the form of WebSocket APIs instead of traditional REST APIs that use HTTP. Modern technologies and frameworks simplify the building of efficient WebSocket APIs. We can name GraphQL subscriptions or WebSocket APIs supported in Amazon API Gateway.

WebSocket APIs have a different security model compared to REST APIs, resulting in unique attack vectors. Nevertheless, developers rarely take them into account.

WebSockets in browsers do not use the same-origin policy (SOP) concept; their security model is based on an origin check. Out-of-the-box WebSockets provide no authentication and authorization mechanisms. The WebSocket protocol is stateful and has two main phases: a handshake and a data transfer phase. Most of the time authentication and authorization logic is implemented in the handshake phase, while the subsequent data transfer doesn’t have such mechanisms. Usually, this leads to severe security issues.

We will talk about CSRF issues, authorization bypass and IDOR issues, found in real web applications and disclosed through Bug Bounty programs.

Whitehat, security researcher, bug hunter, conference speaker. Active on Bugcrowd and H1 platforms. Researching security of clouds, web and mobile applications. Acknowledged by Microsoft, Adobe, RedHat, SAP, AT&T, Atlassian, Uber, Netflix, Tesla, General Motors, Western Union, Sophos, Netgear, etc. for reported vulnerabilities. Gave technical talks at LevelUp, Troopers, Hack In The Box, Hacktivity, ZeroNights, PHDays, and HighLoad conference.

Lost in (DevOps) Space – Practical Approach for “Lightway” Threat Modeling as a Code

Vitaly Davidoff (Citi Bank Security Innovations Lab TLV)

Threat Modeling is a main method to identify potential security weaknesses, and is an important part of any secure design. Threat Modeling provides a model to analyze how to best protect your assets, prevent attacks, harden your systems, and efficiently prioritize security investment. Regardless of programming language, Threat Modeling provides a far greater return than most other security techniques in the SDLC process. Therefore, Threat Modeling should be an early priority in the application design process. Unfortunately, it is common knowledge that building a full threat model is always heavily resource intensive, requires a full team of expensive security professionals, takes up far too much time, and is not scalable. This talk will describe modern Threat Modeling methodology and practices that can be fully incorporated into your existing agile process. We will discuss how to architect a robust Threat Modeling framework to be part of a Secure SDLC approach.

I have about 15+ years’ experience as a developer and more than 7 years in the application security field. Applications Products Security Expert at Citi Bank Innovations Lab TLV Israel. In this position I am responsible for providing Application Security solutions for many products, including analyzing security risks in multidisciplinary systems according to the customer system characterization, defining required security controls to handle identified security threats, performing code and design reviews, threat modelling and many other activities.

Certifications: CISSP, CSSLP

Abusing Google Play Billing for Fun and Unlimited Credits!

Guillaume Lopes (RandoriSec)

In 2017, the estimated global in-app purchase revenue was projected to exceed $37 billion. Just in the Google Play Store, for 2018, more than 200 000 apps are offering in-app purchases. However, the Google Play Billing API is vulnerable by design and allows an attacker to bypass the payment process. I analyzed several Android games and found that it's possible to bypass the payment process. This presentation will show real vulnerable applications (Fruit Ninja, Doodle Jump, etc.).

Guillaume Lopes is a pentester with 10 years of experience in different fields (Active Directory, Windows, Linux, Web applications, Wifi, Android). Currently he's working as a Senior Penetration Tester at RandoriSec and also as a member of the Checkmarx Application Security Research Team. He also likes to play CTF (Hackthebox, Insomni'hack, Nuit du Hack, BSides Lisbon, etc.) and gives a hand to the Tipi'hack team.

A Threat-based Security Monitoring Approach Using Mitre ATT&CK Matrix

Patrick Bareiß (Splunk)

Adversaries will always be able to compromise us, but that doesn't mean that the adversaries reach their goals. In order to prevent an adversary from being successful, the speed of our detection and response processes is key for a Security Operations Center (SOC). To support the SOC in this battle, the right tools and log sources need to be identified.
This presentation tackles this problem by introducing a threat based security monitoring approach using the Mitre ATT&CK Matrix, which is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. This approach combines the information about the Advanced Persistent Threats (APT) in the Mitre ATT&CK Matrix with its used techniques resulting in a comprehensive list of tools and log sources needed for security monitoring. Subsequently, Sigma, as a universal language for detection rules, is introduced to detect the identified threats. The threat based security monitoring approach using Mitre ATT&CK Matrix is conducted based on a fictional company, evil bank.

2009 - 2013 B.Sc. Mechanical Engineering University Stuttgart
2013 - 2016 M.Sc. Mechanical Engineering Technical University Munich
2013 - 2019 B.Sc. Computer Science FernUniversität Hagen

Work Experience:
2016 - 2017: Field Application Engineer for Hardware Security at Infineon Technologies
2017 - 2018: Cyber Security Integrator at Airbus CyberSecurity
since 2018: Cyber Security Engineer at Airbus CyberSecurity
since October 2019: Senior Security Researcher, Splunk

Overcoming the Limitations of TLS Fingerprinting for Malware Detection

Blake Anderson (Cisco Advanced Security Research)

TLS fingerprinting maps data contained within the TLS ClientHello to a set of possible applications or TLS libraries such as Chrome 74.0 or OpenSSL 1.1.0k. We have developed a system that continuously fuses endpoint and network data from real-world networks and a malware analysis sandbox to automatically generate up-to-date and representative TLS fingerprint databases. Each fingerprint has a list of processes observed using the fingerprint, where each process object contains the SHA-256, process name, a sorted list of destinations/counts, a sorted list of OSes/counts, and any antivirus signatures associated with the SHA-256.

Recently, TLS fingerprinting has gained traction as a means to efficiently identify encrypted malicious traffic. In this talk, we use our databases to highlight some limitations of TLS fingerprint-only malware detection due to the large number of false positives introduced when malicious and benign applications use the same TLS libraries. To overcome these limitations, we have developed a simple and explainable method using naïve Bayes that incorporates destination information and leverages the additional details introduced by our TLS fingerprint database. Finally, we show how to generalize these techniques by defining equivalence classes for the destinations, e.g., by mapping destination IP addresses to autonomous systems. Real-world examples and results based on our open source project will be presented throughout the talk.

Blake Anderson currently works as a Senior Technical Leader in Cisco’s Advanced Security Research team. Since starting at Cisco in early 2015, he has participated in and led projects aimed at improving (encrypted) network traffic analysis, which has resulted in open source projects, academic publications, and some patents. He and his collaborators published the initial research that eventually became Cisco’s Encrypted Traffic Analytics (ETA) solution. Before Cisco, Blake received his PhD in machine learning/security from the University of New Mexico and worked at Los Alamos National Laboratory as a staff scientist.

Techniques and Tools for Becoming an Intelligence Operator

Robert Sell (Trace Labs)

In this talk, Robert introduces the various operations that Trace Labs has performed to help illustrate OSINT techniques used in finding details on real human subjects.
Trace Labs is a non-profit organization that crowdsources open source intelligence to help law enforcement find missing persons. Trace Labs is non-theoretical and its members are conducting OSINT on real people.
Robert lifts the curtain on successful OSINT techniques that can be used to pull up important information on individuals. Many of the slides show specific tools and techniques that can immediately be used to improve your OSINT results.

The talk starts with a brief introduction to Trace Labs and its mission of helping law enforcement through crowdsourced open source intelligence. It then moves into a technical discussion on how to set up and operate. The presentation includes real-world examples of subjects that the Trace Labs team searched for. It will also go over the tools and techniques used to find valuable details on subjects. Various tools are recommended and shown as a base, but the techniques are most important, as new and better tools are continually being introduced. Robert will also show various techniques that were used by subjects to evade being detected.
Robert wraps up the talk with the ethical questions around using these techniques so attendees can consider this as they proceed.
The talk is for anyone interested in OSINT. It will provide value to everyone, from seasoned intelligence operators to people who just want to OSINT their potential date or tenant.

Robert is the founder and president of the Trace Labs Organization which organizes crowdsourced OSINT for locating missing persons. Robert defines Trace Labs as the catalyst which will change the industry and how we solve problems at a larger scale.
Robert is also Senior IT Manager in the aerospace industry. He works at an international level and spends most of his time managing information security teams. While these teams focus on traditional risk mitigation, most of Robert’s focus is on finding better ways of securing the business.
Robert has spent an increasing amount of time building defenses against social engineering. He has spoken about the rising social risk at numerous events and on different security podcasts.
In 2017 and 2018 he competed at the Social Engineering Village Capture the Flag contest. He placed third in this contest (both years) and since then has been teaching organizations how to defend against social attacks and how to reduce their OSINT footprint. In 2018 he actually managed a CTF while participating in a CTF at Defcon Vegas.
Robert is also a ten-year volunteer with Search & Rescue in British Columbia, Canada. In his SAR capacity, Robert is a Team Leader, Trainer, Marine Rescue Technician, Swift Water Technician and Tracker.