Defending your network starts with understanding your traffic. More than just an IDS/IPS, Suricata can provide the visibility to solve incidents quickly and more accurately by enabling context before, during, and after an alert. In this course, attendees will learn the skills required to identify, respond and protect against threats in their network day to day as well as to identify new threats through structured data aggregation and analysis. Hands-on labs consisting of real-world malware and network traffic will reinforce the course's concepts while utilizing the latest Suricata features. Come and see what you've been missing in your network and unlock the full potential of network security, detection, and response with Threat Hunting with Suricata.

In this course, students will learn through a combination of lecture and approximately 15 hands-on labs (depending on workshop duration):

- Identify key strategies for network security architecture and visibility
- Learn the fundamentals of rule writing and rule comprehension
- Understand how to manage rule sources and create effective rulesets
- Develop methods for establishing network baselines
- Recognize traffic anomalies
- Use Suricata to capture network traffic and replay PCAPS
- Utilize log aggregation and shipping services to build a complete picture
- Perform traffic analysis and create visualizations with Kibana
- Develop a custom network sensor with Suricata and ELK
- Analyze suspicious traffic to determine maliciousness
- Learn how to pivot off of key attack indicators using threat intelligence
- Analyze true positive and false positive alerts
- Leveraging rules specifically for threat hunting
- Deploying honey tokens

Until 2017 HackerOne bug hunters have earned $20 million in bug bounties and they are expected to earn $100 million by the end of 2020. Some of HackerOne customers include the United States Department of Defense, General Motors, Uber, Twitter, and Yahoo. This clearly shows where the challenges and opportunities lie for you in the upcoming years. What you need is a solid technical training by one of the Top 10 HackerOne bug hunters.

Modern web applications are complex and it’s all about full-stack nowadays. That’s why you need to dive into full-stack exploitation if you want to master web attacks and maximize your payouts. Say no to classic web application hacking. Join this unique hands-on training and become a full-stack exploitation master.

After completing this training, you will have learned about:

- REST API hacking
- AngularJS-based application hacking
- DOM-based exploitation
- Bypassing Content Security Policy
- Server-side request forgery
- Browser-dependent exploitation
- DB truncation attack
- NoSQL injection
- Type confusion vulnerability
- Exploiting race conditions
- Path-relative stylesheet import vulnerability
- Reflected file download vulnerability
- Subdomain takeover
- and more…

WHAT STUDENTS WILL RECEIVE
Students will receive a VMware image with a specially prepared testing environment to play with the bugs. What's more, this environment is self-contained and when the training is over, students can take it home (after signing a non-disclosure agreement) to hack again at their own pace.

SPECIAL BONUS

The ticket price includes FREE access to Dawid Czagan’s 6 online courses:

• Start Hacking and Making Money Today at HackerOne
• Keep Hacking and Making Money at HackerOne
• Case Studies of Award-Winning XSS Attacks: Part 1
• Case Studies of Award-Winning XSS Attacks: Part 2
• DOUBLE Your Web Hacking Rewards with Fuzzing
• How Web Hackers Make BIG MONEY: Remote Code Execution

WHAT STUDENTS SAY ABOUT THIS TRAINING

This training has been very well-received by students around the world. Here you can see testimonials.

WHAT STUDENTS SHOULD KNOW
To get the most out of this training intermediate knowledge of web application
security is needed. Students should be familiar with common web application
vulnerabilities and have experience in using a proxy, such as Burp Suite Proxy,
or similar, to analyze or modify the traffic.

WHAT STUDENTS SHOULD BRING
Students will need a laptop with a 64-bit operating system, at least 4 GB RAM (8
GB preferred), 35 GB free hard drive space, USB port (2.0 or 3.0), wireless
network adapter, administrative access, ability to turn off AV/firewall and
VMware Player/Fusion installed (64-bit version). Prior to the training, make
sure there are no problems with running 64-bit VMs (BIOS settings changes may
be needed). Please also make sure that you have Internet Explorer 11 installed
on your machine or bring an up-and-running VM with Internet Explorer 11.
(you can get it here via download).

WHO SHOULD ATTEND
Penetration testers, ethical hackers, bug hunters, security engineers / consultants 

Every developer makes mistakes. If you are unlucky, these mistakes result in a security vulnerability, an almost untraceable bug for the normal developer. Going around the world, helping developers to find and understand the vulnerabilities they've accidentally created, we learned that unlike bugs, vulnerabilities are invisible to the eye, mind and UT. No one teaches developers how an attacker thinks, what computers security mechanisms are capable of (and what not), and how to avoid creating possible security mistakes endangering your customers.

In this course we will teach you the basics of Embedded Devices security from the beginning: How vulnerabilities are created and how an attacker approaches a new device. From the internals, - physical manipulations, buffer overflows, memory corruptions, timing attacks, all the way to the solution: How to avoid common mistakes and even the uncommon ones. We will learn both how to detect such mistakes, and how to prevent them.

Don't expect to learn the secure development basics you can find on Google. Meeting with dozens of developers we mapped development patterns and misconceptions that led to security issues, and hope to help you understand not just about the technical mistakes ("check the buffer size before coping") but to develop a thinking pattern that will help you to detect the next security flaw, use it or close it. Each lab day will consist of lectures and hands on hacking exercises , vulnerability mitigation exercises, along with tips on how to avoid and detect security flaws.

Who Should Attend

• Embedded/IoT engineers and developers who wish to understand security and avoid security coding mistakes
• Web/Network security experts who with to get the basics of low level security
• Everyone who is interested in embedded/IoT vulnerabilities, from the basics to advanced subjects.

Who Not Should Attend

• Experienced low level vulnerability researcher

Prerequisite Knowledge

• Knowledge in C/C++ and Python is recommended. If you miss one of them, it is OK. The workbook will guide you.
• Basic knowledge in Linux command line

Hardware/Software Requirements

• Laptop with 4GB+ RAM. Preferably with Windows OS
• Installing the software pack that will be supplied a few days before the training.

Agenda

Day 1:

Morning: Introduction to Cyber Security:
- What are vulnerabilities
- Famous attacks
- How a vulnerability is created
- Vulnerabilities types and classification
- The mind of an attacker

Noon: Memory Corruption Vulnerabilities
- Complied programs memory layout
- Buffer overflows + Lab
- Format string attacks + Lab
- Integer overflows + Lab
- Command Injections
- Summary - how to find and avoid

Day 2:

Morning: Cryptographic Security Mechanisms and How To Use Them
- Hashes
- Encryption
- Signatures
- Common usage mistakes
- Summary - how to find and avoid

Noon: Embedded Devices Attacks
- TOCTOU attacks + Lab
- SPI intrusion
- Memory swaps
- Gliching + Lab
- Summary - how to find and avoid
- Final exercise - finding and fixing vulnerabilities in large code

Guillaume Lopes and Davy Douhine, senior pentesters, will share many techniques, tips and tricks with pentesters, bug bounty researchers or just the curious in a 100% “hands-on” training.

Their goal is to introduce **tools** (Adb, Apktool, Jadx, Androguard, Cycript, Drozer, Frida, Hopper, Needle, MobSF, etc...) and **techniques** to help you to work faster and in a more efficient way in the mobile ecosystem. This is exactly the training that you would have liked to have before wasting your precious time trying and failing while testing.

# Agenda
2 days based mainly on pratical exercices:
- Day 1: Android Hacking
- Day 2: iOS Hacking

Main topics of the training are based on the fresh OWASP MSTG (Mobile Security Testing Guide):
- Review the codebase of a mobile app (aka static analysis)
- Run the app on a rooted device (to check data security issues)
- Inspect the app via instrumentation and manipulate the runtime (aka runtime analysis)
- MiTM all the network communications (aka inspect the traffic)

# Materials
A VM will be provided to the attendees with the pre-installed tools to cover most of the labs.

OSSEC is sometimes described as a low-cost log management solution but it has many interesting features which, when combined with external sources of information, may help in hunting for suspicious activity occurring on your servers and end-points.

During this training, you will learn the basic of OSSEC and its components, how to deploy it and quickly get results. The second part will focus on the deployment of specific rules to catch suspicious activities. From an input point of view, we will see how easy it is to learn new log formats to increase the detection scope and, from an output point of view, how we can generate alerts by interconnecting OSSEC with other tools like MISP, TheHive or an ELK Stack / Splunk / … and add more contextual content with OSINT feeds.

Defenses focus on what you know! But what happens when the attackers gain access to your network by exploiting endpoints, software or even you people. Under the assumption that you have been breached, how do you work backwards to gain knowledge of what happened? How can you find those adversaires in your infrastructure? IR detection and response relies on a structured process of identifying observables and collecting evidence. One aspect of this is the practice of proactively seeking out evil in your infrastructure, finding needles in haystacks that link to other needles and unveiling how an organization was compromised and possibly even answering the “why?”. This is commonly referred to as Threat Hunting. In this hands-on training participants will learn about the basic building blocks for an IR detection and investigation programme. The training will introduce the basics so that a participant will be able to take this knowledge and build up a programme in their own organisation. Using tools like ELK or HELK, Grr, Sysmon, and osquery, we will explore how to deploy and use these tools as basic free options to build the foundations of the threat hunting programme. The labs will look at how Mitre ATT&CK and things like sigma rules are used to help identify indicators of attack. With interactive labs on a simulated corporate infrastructure of both windows and linux client, we’ll explore the capabilities provided by these tools to hunt for common techniques used by Malware and threat actors.  Participants will walk away with a basic understanding of threat hunting and the tools needed to develop a hunting practice in their own organisation through the following agenda:

• Intro to threat hunting

• Threat hunting and the IR process 

• Understanding the requirements 

• Backend Tools 

• Detection/Reporting tools like Mitre ATT&CK and Sigma 

• Endpoint tools: osquery and sysmon 

• Hands on exercise will be spread across the 2 days

Participant Requirements

• Working knowledge of Windows (no OSQuery experience required); 

• Working knowledge of the Linux shell (no OSQuery experience required); 

• Basic SQL, 

• Laptop with a SSH client



In this intense 2-days training, you will learn everything you need to start pentesting Industrial Control Networks.

We will cover the basics to help you understand what are the most common ICS vulnerabilities. We will then spend some time learning and exploiting Windows & Active Directory weaknesses, as most ICS are controlled by Windows systems.
And we will cover the most common ICS protocols (Modbus, S7, Profinet, Ethernet/IP, DNP3, OPC…), analyze packet captures and learn how to use these protocols to talk to Programmable Logic Controllers (PLCs). You will learn how to program a PLC, to better understand how to exploit them.

The training will end with an afternoon dedicated to a challenging hands-on exercise:
The first CTF in which you capture a real flag! Using your newly acquired skills, you will try to compromise a Windows Active Directory, pivot to an ICS setup to take control of a model train and robotic arms.

Everything has to start at some point, and so DeepSec 2019 will start with a short overview on what has been done in the past year, what will happen over the course of the conference, and what's in store for 2020.

Information security is too often seen as a highly technical field in computer science, and one where the more technical someone is, the more right they are likely to be. But security is part of systems of life, that not only include computers and phones, but systems of living, cultures, history, politics, and interpersonal relationships. Technical knowledge is important in those systems, but on its own, it accomplishes very little -- as the sorry state of the computer security in the world demonstrates. Knowing how computers work doesn't gives us an empirical knowledge of what people do with their devices, what their job is, what context they live in, what their adversaries want from them, what their capabilities or resources are.
In this talk we will explain why listening is the most important part of practical security, and how to listen effectively and efficiently.
We will touch on practical examples from our own life experience, from helping journalists, activists, and lawyers, to students, sex workers, and survivors of partner abuse. We will explain why in the end, information security may have more in common with anthropology -- investigation and analysis of practices in the real world -- than it does with math and software.

GnuPG is not designed to be used only in E-Mail, it plays an important role in securing all sorts of mission critical data. In this talk I will show you applications of GnuPG that are not E-Mail or Instant Messaging.

Malware analysis is a key process for knowledge gain on infections and cybersecurity overall improvement. Analysis tools have been evolving from complete static analyzers to partial code decompilers. Malware decompilation allows for code inspection at higher abstraction levels, facilitating incident response procedures. However, the decompilation procedure has many challenges, such as opaque constructions, irreversible mappings, semantic gap bridging, among others.

In this talk, we propose a new approach that leverages the human analyst expertise to overcome decompilation challenges.

We name this approach "DoD—debug-oriented decompilation", in which the analyst is able to reverse engineer the malware sample on his own and to instruct the decompiler to translate selected code portions (e.g., decision branches, fingerprinting functions, payloads etc.) into high level code. With DoD, the analyst might group all decompiled pieces into new code to be analyzed by other tools, or to develop a novel malware sample from previous pieces of code and thus exercise a Proof-of-Concept (PoC). To validate our approach, we propose RevEngE, the Reverse Engineering Engine for malware decompilation and reassembly, a set of GDB extensions that intercept and introspect into executed functions to build an Intermediate Representation (IR) in real-time, enabling any-time de-compilation. We evaluate RevEngE with x86 ELF binaries collected from VirusShare, and show that a new malware sample created from the decompilation of independent functions of five known malware samples is considered "clean" by all VirusTotal's AVs.

This talk is a summary of three different security audits with an interesting background:

First, CloudPets, their epic track record, what we found and what happened afterwards.
Next, two mobile apps by Chinese Police: "BXAQ" and "IJOP", both related to surveillance of ethnic minorities, but in different ways. Stay tuned.

Part 1: CloudPets

Wouldn't it be cool, for a parent far from home, to be able to record a voice message with their phone and make the sound come out of a soft toy that children can hug? That's the idea of CloudPets. Children can even respond directly from the soft toy and communicate with their parents. What could possibly go wrong? Let your imagination go wild and you will still fall short :)

Database dumps, blackmailing, ransoms, millions of people affected, our findings and other intrigues, not to be missed!

Part 2: Chinese Police

This part talks about two mobile surveillance apps that Chinese authorities employ to spy on the Muslim minorities of China's Xinjiang region, the applications: "IJOP" and "BXAQ". These audits were sponsored by Human Rights Watch (HRW) and the Open Technology Fund (OTF). The Chinese government faced international criticism when the results of these audits became public.

While the audits focused on evidence gathering of the surveillance activities, which will be covered in this talk, we will also discuss some interesting vulnerabilities that we found along the way and which were not the focus of the audit itself. Also, for those interested in learning about mobile security we will talk about the challenges faced with these apps and how we overcame them.

This talk will be an interesting learning experience as it combines technical security vulnerabilities with political and commercial background implications.

In this talk, we describe most common classes of design flaws and vulnerabilities in SD-WAN secure communication mechanisms, and disclose a set of reported and already patched vulnerabilities in popular SD-WAN products. We present the new results of our research, consider some technical details of secure and insecure designs, weak attestation, zero-touch provisioning vulnerabilities, and non-TLS related padding oracle attacks.

Internet of Things (IoT) devices have to be small and energy efficient so that resources for security mechanisms tend to be limited. Due to the lack of open source or license free standards, device manufacturers often use proprietary protocols. Software Defined Radios (SDR) provide a generic way to investigate wireless protocols because they operate on nearly arbitrary frequencies, but they output sine waves that have to be demodulated. This demodulation process slows down security investigations because it forces researchers to start on the physical layer while the real reverse-engineering is performed on the logical layer.

We contribute an auto-detection system that estimates all demodulation parameters of a wireless signal and, additionally, explicitly returns all these parameters so that they can be fine-tuned afterwards.
This allows security researchers to skip the physical layer and work with the bits and bytes instead of sine waves.
The contributed system is evaluated with both simulated signals and ten real-world signals captured from various IoT devices with SDRs.
Furthermore, we show how parameters can be estimated during recording time and evaluate this technique by attacking an AES secured wireless door lock.
Our solution is available as part of the open source software Universal Radio Hacker and follows the ergonomic philosophy of the main application.

There have been patterns that have been found in AWS environment while exploring insecure S3 buckets, misconfiguration and compromised credentials flaws. These flaws are an outcome of the way the particular environment was configured and is not a flaw in AWS services itself, and are therefore inevitable. Finding the flaws relies on specific knowledge and approach as these attacks are specific.
.
There has been increasing use of AWS services,migration has increased multifold as well. As a result, it is important to challenge existing AWS security measures to be able to detect potential issues.
.
Description of Research Topic
The intent here is to highlight the fact that pentesting cloud environment comes with legal considerations. AWS has established a policy that requires a customer to raise a permission request to be able to conduct penetration tests and vulnerability scans to or originating from the AWS environment. We can focus on user-owned entities, identity and access management, user permissions configuration and use of the AWS API integrated into the AWS ecosystem. Some of the examples would be targeting and compromising AWS IAM keys, establishing access through backdoor functions provisioned through different services, testing S3 bucket configuration and permission flaws and covering tracks by obfuscating CloudTrail logs.

Takeaway for the Audience from the Talk:
There is no standard methodology to pentest AWS environments, as it is dependent on the type and size of infrastructure being tested and the varied services of the AWS. Looking at a configuration/feature, it can be used to perform an action which is not expected. The security audit/assessment which includes these flaws discovered in the AWS environment is a value add for the application owner’s organization, as these vulnerabilities would not have been detected by any tool, basic pentesting (based only on OWASP Top 10 or WASC Classification), and/or scanner.
The attendees will get an overview of different tools available to aid in pentesting cloud-specific environments, a short demo about a couple of tools, what different aspects are covered by a different set of tools, and how to use all of this an exhaustive toolset for a comprehensive pentest.

1) Developing an approach toward pentesting a specific cloud environment
2) Different tools available for pentesting cloud-specific environments,short demo on couple of tools.
3) Areas to look in an AWS for flaws and misconfiguration, understanding shared responsibility model.

The Launch of Windows 10 has brought many controversial discussions around the privacy factor of collecting and transmitting user data to Microsoft and its partners. But Microsoft was not the first, Apple did it many years ago and there was no public research on how much data were leaked out from MacOS. There is a statement in the Privacy Policy written by Apple: "Your device will keep track of places you have recently been, as well as how often and when you visited them, in order to learn places that are significant to you, to provide you with personalized services, such as predictive traffic routing, and to build better Photos Memories... ‘Everything’ stores in iCloud service".

Both cases are the same, designed in the same manner and driven by a similar idea to simplify the devices usage. It went even further with iOS and Android OS.
Eventually, MS and Apple have boldly described their OS as “the most secure OS ever.”

This research is based on three things: data leaks, hardening, and forensics.

Combining data leaks and hardening gives a data set with a goal and a vision of how to protect a system and make your use cases transparent. Forensics gives us excellent knowledge about valuable device security settings. Empowering the hardening with these anti-forensics techniques in terms of 'anti-forensics hardening' of a system makes it transparent what, when and why the whole device or its parts can or can not be accessed. To be entirely sure that all insecure gaps are closed and to verify how secure your system is, there is the option to rely on penetration testing additionally. Further more, we will talk about which insecure services are used to receive tracking data from your system, and which of them can be blocked without breaking the system and user use cases.

Outline
This talk will systematically review
• Pentest to fix gaps of security & privacy. What tools to use and why you should perform pentesting, how to read and use security report.
• Content Filtering. Mapping rogue sites, analytics and tracking services into granular activities to leverage privacy risks
• Easy exploitation & post exploitation. Limits of AV solutions, risk of one vs. many browsers, add-ons & firewalls.
• Host & On-host network activities monitoring. Disassembling features of big enterprise solutions into lightweight tools and bring it to in-home/small companies 
• Data Protection. The security & privacy features hidden across different OS editions and builds, plus overlapping features & dependences
• On the way to dedicated and centralized manageable solutions. Pentesting of dedicated solutions, automating security, whitelisting (native vs. vendor vs. third-party tools)
• Profiling and Use cases. The Future of forensically protected OS & devices

Due to the rise of the Internet of Things, there are many new chips and platforms available for hobbyists and industry alike to build smart devices. The SDKs for these new platforms usually include closed-source binaries comprising wireless protocol implementations, cryptographic implementations, or other library functions, which are shared among all user code across the platform. Leveraging such a library vulnerability has a high impact on a given platform. However, as these platforms are often shipped ready-to-use, classic debug infrastructure like JTAG is often times not available.

In this paper, we present a method, called Harzer Roller, to enhance embedded firmware security testing on resource-constrained devices.
With the Harzer Roller, we hook instrumentation code into function call and return.
The hooking not only applies to the user application code but to the SDK used to build firmware as well.
While we keep the design of the Harzer Roller's general architecture independent, we provide an implementation for the ESP8266 Wi-Fi IoT chip based on the xtensa architecture.

We show that the Harzer Roller can be leveraged to trace execution flow through libraries without available source code and to detect stack-based buffer-overflows.
Additionally, we showcase how the overflow detection can be used to dump debugging information for later analysis.
This enables better usage of a variety of software security testing methods like fuzzing of wireless protocol implementations or proof-of-concept attack development.

With the current trends towards zero trust networks, deployment of billions of IoT devices, interconnection of critical infrastructure to the cloud, well-organised threat agents, and the rise of fully autonomous systems, both the control of our environments and the security of our networks/systems are hard to achieve. As a matter of fact, it will not be manageable with traditional security safeguards and practices.

In our 1 ½ years of research we had the target to build not just another SIEM and so we have identified, modified and combined the best available technologies and practices, providing an alternative capability to master the current and future security challenges, all without any log, IDS/IPS, AV or EP data feeds. We've focused on network-related information analytics, combining technologies such as deep packet inspection, big data search, graph databases and machine learning to identify technologies and malicious intent.

We have analysed more than 20 billion flows in all kind of networks and would like to share our results and findings, how to apply such approaches to a security analytics system, a hunting platform or a security safeguard, identifying analyze attacks and compromises not detected by other state of the art safeguards. Furthermore we want to speak about the often propagated “end of DPI” as a result of encrypted traffic. We think our work might change the view on such predictions.

Android malware is evolving every day and is everywhere, even in Google Play Store.
Malware developers have found ways to bypass Google’s Bouncer as well as antivirus solutions, and many alternative techniques to operate like Windows malware does. Using benign looking applications working as a dropper is just one of them. This talk is about android malware on Google Play Store targeting Turkey such as Red Alert, Exobot, Anubis, etc.

The talk will cover

1. Techniques to analyze samples: Unencrypted samples are often used to retrieve personal
information to sell and do not have obfuscation. Encrypted samples however are used for
sophisticated tasks like stealing banking information. They decrypt themselves by
getting the key from a twitter account owned by the malware developer and operate by
communicating with the C&C. Also,most banking samples are using techniques like screen
injection and dependency injection which is mostly used by android application developers.

2. Bypassing Anti-* Techniques: To be able to dynamically analyze the samples, defeating anti-* techniques are often needed. We will introduce some (known) Frida scripts to be able to defeat common uses of anti-* checks malware.

3. Extracting IoCs: Extracting twitter accounts as well as C&C from encrypted samples is often critical to perform threat intelligence over samples. Extracting IoCs while assets are still active has been crucial for our research since we are also aiming to takeover C&Cs. We will introduce (known) automatization techniques to extract twitter account, decryption key and C&C address.

4. Extract stolen information from C&Cs: In order to extract information from C&C, one should act swiftly. The speed of the extraction process is critical since the actors change C&Cs often. We will give a detailed walkthrough about how we approach C&Cs as a target and extract the informations.

The samples and information presented in the talk are the product of our research on many bankbots – such as Anubis, Red Alert and Exobot — as well as other Turkish malware developer actors’ samples. All IoCs in this talk have been shared with the relevant third parties and are now inactive.

The use of Machine Learning (ML) techniques for malware detection has been a trend in the last two decades. More recently, researchers started to investigate adversarial approaches to bypass these ML-based malware detectors. Adversarial attacks became so popular that a large Internet company has launched a public challenge to encourage researchers to bypass their (three) ML-based static malware detectors. Our research group teamed to participate in this challenge in August/2019, accomplishing the bypass of all 150 tests proposed by the company. To do so, we implemented an automatic exploitation method which moves the original malware binary sections to resources and includes new chunks of data to it to create adversarial samples that not only bypassed their ML detectors, but also real AV engines as well (with a lower detection rate than the original samples). In this paper, we detail our methodological approach to overcome the challenge and report our findings. With these results, we expect to contribute to the community and provide better understanding on ML-based detectors weaknesses. We also pinpoint future research directions toward the development of more robust malware detectors against adversarial machine learning.

Microsoft has slowly been introducing tools to help organisations better manage and troubleshoot Windows performance and issues; these are now entirely integrated into Windows. To improve performance and troubleshooting capabilities, Microsoft introduced System Resource Usage Monitor (SRUM) in Windows 8 and beyond. PowerShell has become the default “command line” management tool for windows administrators. These tools provide both a wealth of information into what has happened and is present on the system.

For Forensics and even Incident Response, these tools are now a go to built-in option to bootstrap and drive the forensics process including opening access to artefacts that an overzealous user or even a “smart” attacker has removed. SRUM for instance can provide data points ranging from network to process activitiy providing insight into what, who, when and how an attacker or malicious process introduced itself into the environment.

This talk will help the participants build the foundations to identify which built-in tools can assist in the Windows Forensics process and the data points that are available, as well as examine, how services such as SRUM can be used to extract key data points to provide information for incident response or threat hunting activities.

At first sight, Nansh0u is yet another attack campaign aiming to mine a marginal crypto-currency named TurtleCoin. However, things get much more interesting once you gain full access to the attacker’s infrastructure.
Our investigation revealed a complete picture of how the Nansh0u campaign operates, which victims are in the crosshairs and what advanced tools are used in the attacks. Port scanner, brute-force module, remote-code execution tool, verbose log files and tens of different malware payloads - these are only a portion of the attacker’s assets we managed to put our hands on. The real icing on the cake, however, are the signed rootkit and sophisticated privilege escalation exploits dropped onto each one of the 50k infected victim machines.
In this talk, we will walk our listeners through the Nansh0u campaign from beginning to end - starting with the port scanning phase and ending with the exploit, miner payload and rootkit running on the compromised machines.
This attack pattern resembles that of many campaigns targeting data-centers nowadays. Our goal is to demonstrate how even a common Cyber criminal wishing for TurtleCoin, has access to the toolsets of an experienced Ninja-hacker.

In recent years, the most effective way to discover new vulnerabilities is considered to be fuzzing. We will present a complementary approach to fuzzing. By using this method, which is quite easy, we managed to get over 30 CVEs across multiple major vendors in only one month.
Some things never die. In this session, we'll show that a huge amount of software is still vulnerable to DLL Hijacking and Symlinks abuse and may allow attackers to escalate their privileges or to DoS a machine. We will show how we generalized these two techniques within an automated testing system called Ichanea, with the aim of finding new vulnerabilities.
Our mindset was - choose software that is prone to be vulnerable: Installers, update programs, and services. These types of software are often privileged. Therefore, they are good candidates for exploitation using symlink or DLL Hijacking attacks. We're only scratching the surface and we are positive that there are additional attack vectors that could be widely implemented to achieve similar results.

Emoji are used everywhere these days and cannot be retracted from our daily communication. But how do the work and where did Emoji originate from? Join this talk and learn about their security relevance and the semiotics in the 21st century.

# Emoji

Where do they come from? How did they develop historically and how is that related to Asia?
How do Emoji work technically and why are they relevant for IT-Security?
Which cultural and linguistic entanglements do Emojis cause in our daily communication and why?

To prevent boringness and terrible technicalities there will be lots of obscure trivia regarding these most beloved Unicode characters.

This workshop is a hands-on task-based study of the Diffie-Hellman protocol and its modern extensions focusing on vulnerabilities and attacks.

Some of the topics that will be highlighted:
Diffie-Hellman key exchange
Elliptic-curve Diffie-Hellman
Variants of Diffie-Hellman protocol: Ephemeral, static, anonymous,
authenticated Diffie-Hellman
X3DH, Noise and SIGMA protocols
Forward secrecy and post-compromise security
Small-subgroup attack
Gelfond-Shanks algorithm
Pohlig-Hellman algorithm
Pollard’s rho and lambda algorithms
Invalid curve attack
Curve twist attack
Protocol attacks (MitM, replay, KCI, UKS)

Labs:
Small subgroup attack against multiplicative group DH
Invalid curve attack against ECDH
Twist attack
KCI attack
Key Takeaways
Learn about Diffie-Hellman key exchange
Learn about applying Diffie-Hellman in modern protocols
Hands-on experience in implementation of the classic attacks

Target Audience
Anyone who has a strong interest in cryptography and prefers "learning by doing" approach. The workshop is suitable for software developers, penetration testers,
reverse engineers, quality assurance engineers and students. No specific background or explicit knowledge of group theory or number theory is required. Attendees should be familiar with Python or Golang. Some experience with
programming or hacking is recommended.

Skill Level
Beginner/Intermediate
What Students Should Bring
A laptop prepared with Python 3, Sage, Docker and Golang 1.12.

Given the noise generated around all the “sexy” and no doubt interesting topics like 0days, APT and nation state-sponsored threat actors it is easy to miss what is really going on out there, in the world of Joe Average. Actual telemetry data paints a picture that is in many respects different from what happens in a lot of the news coverage. Much of the malware out there, including some that is attributed to some sort of APT, is nowhere near anything that might be considered “sophisticated”. In this talk we will shine a light on different aspects of the realities of home users as well as companies, and offer some interesting data about the malware that actually does the most damage, while precious few get all the press.

A secure crypto-algorithm is based on the fact that only the key needs to be kept secret, not the algorithm itself. The key is of high value and must be protected.
In this talk we will have a look at how to protect keys and why a dedicated hardware is needed to make sure the key is kept secret and always under the control of the owner.
Different use cases require different HSMs (Hardware Security Modules). We will have a look at data centres and cloud HSMs as well as at desktops and embedded solutions like industrial equipment or IoT-Devices.

Afterwards you can visit us at our booth to see market leading HSMs in action and you will have the possibility to discuss features and functions with long-term crypto experts.

Hands-On Workshop: Attacks on the Diffie-Hellman Protocol

Working as a security researcher for the automotive industry, I received futuristic equipment to test. Test? Hack!
In two or three years from now, our vehicles will be full of communication interfaces to the outside world. V2X technologies, smart batteries with PLC communication, wireless car keys and more. Each new feature brings threats with it.

In this talk I will talk about the new automotive technologies and the vulnerabilities already found in them. I hope to make people understand the cyber opportunities and threats of 2023. The future is going to be interesting.

This talk will not cover zero days, since the devices are not yet on the market. But it will cover sample attacks performed over the test equipment, and will explain the threat these devices pose to the vehicle.

This talk will show lessons learnt from awareness campaigns I ran in several organisations.
The focus lies on the instructional design of staff training to motivate the staff, enable them
to work with complexity and helping them to transfer the new knowledge to their job.
Some practical examples with regards to teaching password rules will be shown.

Hands-On Workshop: Attacks on the Diffie-Hellman Protocol

In our talk, we will present new security tales of wireless mice, keyboards, and presenters using 2.4 GHz radio communication that we have collected over the last two years.

In 2016, we published the results of our research project "Of Mice and Keyboards: On the Security of Modern Wireless Desktop Sets" and publicly disclosed several security vulnerabilities in wireless desktop sets using AES encryption of different manufacturers. In the same year, Bastille Research independently published security vulnerabilities in wireless mice and keyboards of different manufacturers, too. As time went by, we have learned more about the (in)security of further wireless input devices like mice, keyboards, and presenters using different 2.4 GHz radio-based technologies, and want to share our experiences and gained knowledge concerning these devices.

In our talk, we want to present answers to unanswered questions of our previous wireless desktop set research, raise the awareness of security issues and practical attacks against vulnerable wireless input devices, and tell some interesting tales.

In this talk I want to shed some light on data science’s place within security. You can expect to learn how to see through common data science jargon that’s used in the industry, as well as to get a high level understanding of what’s happening behind the scenes when data science is successfully applied to solve complex security problems.

The talk is aimed at anyone who's been curious or had questions about the rise of things like "machine learning" or "big data" in the context of security. No prior data science knowledge is required.

GSM-devices become more popular. Users can set them up fast, use them without landline internet and Wi-Fi, and control them remotely. But now they are also an interesting target for hackers. Usually, GSM-devices have a menu for calls (IVR menu with DTMF commands). This talk will cover the question of mass attacks on these devices. There are some main questions:

1) Which devices are in danger?
2) How can hackers attack them?
3) What about mass attacks and botnets?
4) What can hackers do after a successful hack?
5) How can you protect yourself?


1) There are several popular types of GSM-devices:

* GSM-alarms
* Smart homes control systems
* Industrial GSM-control systems
* Access control systems and locks
* Some communication systems
* Smartwatches for kids

There are different models for every type of devices. I will tell you about several models, which are more secure, which are insecure.

2) I will make a short introduction on attacks on GSM-devices:

The main idea of attacks is easy: make a call to a device, bypass an authorization, perform actions.
Main questions of this chapter:
* When is it necessary to spoof a Caller ID? When can an attacker make a call with a random number?
* How to bypass authorization? Security of Caller ID check.
* Brute-force attacks: typical rules for passwords (several popular GSM-alarms only allow to use a 4-digit password). An attacker can silently find it in less than 24 hours.

These methods (spoofing Caller ID and brute-force) allow to hack most of GSM-alarms and some other GSM-devices fast.

3) The hacking of one device is easy. So, is it possible to perform a mass attack and create a botnet? This question will be covered in the following chapter.

There are two main steps for a mass attack:
* Find devices.
* Hack found devices.

I will tell you how attackers can find devices: from scanning all phone numbers to a more effective combination of OSINT methods, data leakages and small vulnerabilities at mobile operators systems.

For example, an attacker can scan all live mobile numbers in Russia (my country) and spend less than 10 000 USD.

After a successful scanning an attacker can hack most devices with methods from the previous chapter.

I will show the estimated time for attacks, estimated costs and an estimated amount of victims. These results show that it is faster and less expensive than you might expect.
So, this problem of security of GSM-devices should be considered.

Also, I will show a faster method of mass hacking of GSM-devices. It's based on data leakages of contact lists from people. The main idea is to check data leakages (for example, applications like GetContact) and try to find contacts with titles, related with devices (like "home", "door", "car", "village", "alarm", "pump"). This method allows to find devices fast, but the results are not so full.

4) After a successful mass hack, an attacker will control thousands of GSM-devices. I will tell in this chapter, what s/he can do.

There are some different effective and dangerous methods of exploitation:

* Firstly, an attacker can control thousands GSM-alarms. S/he can do anything: switch on and switch off an alarm, listen in to rooms, switch on and switch off connected devices. This can be used to collect confidential data (such as conversations in an apartment or office). Also, an attacker can use it for effective burglary (s/he can listen in to rooms to find a moment, when everybody leaves home, disable the alarm and do anything). Also, s/he can sell this information to other burglars.

* S/he can hack some smart home system and perform all available actions.
* An attacker can attack some industrial GSM-controllers. It allows to destroy business process in some cases or can cause an emergency.
* An attacker can use it to scare people. What about an alarm alert every night?
* Some devices are locks. An attacker can remotely open or close doors.
* An attacker can use a botnet of GSM-devices to perform DDOS attacks with SMS or calls.
* Finally, some devices allow to perform USSD or SMS commands. An attacker can use it to gain access to an account at an mobile operator site to steal money.


5) In the last chapter, I will talk about how you can protect yourself or your company when you use GSM-systems. Also, I will tell you what you should consider if you want to create your own device.


Short brief: these attacks methods allows to gain full access to thousands GSM-devices, use it to get private data, hack user's accounts, use as botnet, and perform dangerous actions in the real world.

During an independent security assessment of several pacemaker vendors multiple lethal and highly critical vulnerabilities were found. Based on previous experience with one specific vendor a new way of monetising vulnerabilities has been chosen. After going public a huge discussion on vulnerability disclosure ethics and responsibilities began. The stock value of the affected vendor dropped by 2 billion Dollar just in one single day. The security researchers got discredited and a huge lawsuit was started. After a year of mutual accusations and denial more than 500.000 pacemakers got recalled. This talk will provide insights into pacemaker security and share first-hand experience gathered during this project. A special focus will also be on ethical vulnerability disclosure and lessons learned for future security research.

Mobile networks have gone through a decade of security improvements ranging from better GSM encryption to stronger SIM card and SS7 configurations. These improvements were driven by research at this and other hacking conferences.
Meanwhile, the networks have also mushroomed in complexity by integrating an ever-growing number of IT technologies from SIP to WiFi, IPSec, and most notably web technologies.
This talk illustrates the security shortcomings when merging IT protocols into mobile networks. We bring back hacking gadgets long thought to be mitigated, including intercepting IMSI catchers, remote SMS intercept, and universal caller ID spoofing.
We explore together which protection measures were forgotten in the mobile network and discuss how to best bring them over from the IT security domain into mobile networks.

This talk will be given as the story of Brian, an aid worker operating in a hostile third country. When he's stopped going in at the border he had his iPhone taken from him and then returned to him 15 minutes later. Now he can't be sure if any malware was implanted on his device. Malware that could compromise him, his organisation and anyone who co-operates with him. He needs his phone to do his work but should he stop using it instead? Are all his contacts already compromised? Should he warn them and should he use his phone to do so? And will he and his phone be tracked to any in-person meetings?

iOS malware is rare, advanced and difficult to detect when deployed. I will talk through the above scenario on the basis of the threats that exist, how iOS malware is implanted, what its capabilities are and how it can be detected simply and quickly in future. This will increase the safety and security of the workers we rely on to make the world a better place.

Mobile networks and their security have been part of DeepSec conferences since day one. The panel discussion will feature our speakers with expert knowledge in the field along with Jim and René as moderators and input from the audience. It's not only about 5G, it's about the role of mobile networks in today's infrastructure and daily life.

We want access to as much logs as possible. Historically the approach is to replicate logs to a central location. The cost of storage is the bottleneck on Siem solution, hard to be maintained at scale, leading to reduce the amount of information at disposal.
The state-of-the-art solutions today focus on to analyze the log on the endpoint. This can optimize the maintenance but add the problem on updating the rules or accessing raw data.
Both of the approaches are inefficient and expensive.

What we want from logs collection:
- comparability
- accessibility
- Inference and baselines
- replication on topics
- on demand access and drilldown with hashable/forensic history of status
- ownership: data need to point 1:1 to endpoint/people

Goal:
Granting access to all endpoints hosts logs, grant at least the requirements above, with 0 storage cost and low maintenance.

How:
This can be achieved applying the logic of non-centralized web distribution used in IPFS/IPNS protocol to log collection . https://ipfs.io/#why

What are you going to get from the talk?
IPFS protocol explanation and feature
How to modify the FOSS ipfs client, to make it "log friendly" and transparent to the user
How to define a private cluster, key mgmt., IPNS(dns): This will grant encryption on transit and on storage
How to define a IPFS gw to collect the information using classic HTTP API
How to integrate the solution via the SIEM solution you have in place: This will grant the possibility to use the playbook already designed

Properties protocol-granted:
Each log file and all of the blocks within it are given a unique fingerprint called a cryptographic hash.
IPFS removes duplications across the network.
Each network node stores only content it is interested in, and some indexing information that helps figure out who is storing what.
When looking up files, you're asking the network to find nodes storing the content behind a unique hash.
Every file can be found by human-readable names using a decentralized naming system called IPNS.

The talk will present a new tool for pentesters called "Lauschgerät". This python script acts as a convenient man-in-the-middle tool to sniff traffic, terminate TLS encryption, host malicious services and bypass 802.1X - provided you have physical access to the victim machine, or at least its network cable.

There are three ways to run it: Either on its own dedicated device like a Raspberry Pi or Banana Pi, in a virtual machine with two physical USB-NICs attached, or on your regular pentest system in its own network namespace. It will look like a completely transparent piece of wire to both victim systems you are getting in the middle of, even if they are using 802.1X because it is implementing the ideas presented in a talk by Alva Lease 'Skip' Duckwall IV.

The Lauschgerät operates with three interfaces: Two interfaces going to the victim client and the victim switch respectively, and one management interface which you can connect to and initiate the redirection of traffic, inject your own traffic, start and stop malicious services, and so forth. It comes with a few services included, such as a service that terminates TLS encryption (which will of course cause a certificate warning on the victim's end) or a service that performs the classic "SSL strip" attack. And more to come!

An optional wireless interface can either be used as another management interface or for intercepting traffic of wireless devices. The management can be done via SSH or via a web application, making sure you can hit the ground running.

Details on its challenges regarding the implementation will be covered in the talk, focusing on the 802.1x bypass and the transparent TLS proxy, including a demo that shows how a man in the middle can modify traffic by flipping images in web pages.

Panel Discussion: Mobile Network Security

Half a billion users worldwide use WinRAR for creating and extracting archives.
This usually is assumed to be a safe procedure, however, we found a critical vulnerability that results in RCE by simply using WinRAR to extract an archive.
After we published some of the details regarding the vulnerability it quickly spread through the cyber-crime world.

In this talk we tell the story of how exactly we found the vulnerability and how we exploit it.
This is no ordinary story as you can imagine that finding a 19 year old bug in such a high profile software isn't.

We will share the fuzzing process using WinAFL, the way of thinking, and the evolution of our fuzzer/harness until we found the critical bug.
We will fully disclose the root cause the exploitation process and the mitigations we had to overcome, as well as speaking about the aftermath of such mainstream event.

Through the use of event detection monitoring and do it yourself monitoring techniques on a Linux Apache PHP MySQL stack, I will demonstrate how you can create different alarms and reporting surfaces that alert you when your application is being attacked. This case study will demonstrate the use of hacking tools as a defense strategy in a corporate network and will cover the story of the detection of insider threats from the internal application point of view. The entire presentation is a hands-on lab that can be used after the presentation as a guide for attendees to set up a Threat Detection program.

Cryptography is not your enemy it is a real problem solver. Some modern industrial standards like the IEC-62443 are defining requirements which are among others solvable with cryptography - if you have the right tools. We will take a journey from the basics of cryptography to the real-world-use cases including cloud or IT connections. And what about cryptography and industrial real-time-applications? We will not only answer the question of what secure elements and embedded HSMs are, but also discuss the benefits of using them. You will learn about the different algorithm and technologies in conjunction with example use-cases to focus on best practices and avoid major mistakes. We will also oversee the risks and attacks to consider when using this technology. Our objective is not to discuss the mathematics, but we want to give you the skill set to ask the right questions when starting a design and discuss about future requirements and define target you would like to protect.

Companies engage security experts to penetrate their infrastructures and systems in order to find vulnerabilities before malicious persons do. During these penetration tests, security experts often encounter Windows endpoints or servers and gain low privileged access to these. To fully compromise a system, privileges have to be escalated.

Windows contains a great number of security concepts and mechanisms. These render privilege escalation attacks difficult. Penetration testers should have a sound knowledge base about Windows components and security mechanisms in order to understand privilege escalation concepts profoundly and apply these.

This talk imparts knowledge on Windows required to understand privilege escalation attacks. It describes the most relevant privilege escalation methods and techniques and names suitable tools and commands. These methods and techniques have been categorized, included into an attack tree and were tested and verified in a realistic lab environment. Based upon these results, a systematic and practical approach for security experts on how to escalate privileges was developed.

Companies increasingly rely on static code analysis tools in order to scan (their) (custom) code for security risks. But can they really rely on the results?

The typical SCA tool is designed to detect security issues in code that were created by accident / lack of skill. But how reliable are these tools, if someone intentionally places bugs in code that are not supposed to be found?

This talk explores several nasty concepts how malicious code could be camouflaged in order to avoid detection by SCA algorithms.

On a technical level, the following concepts are covered
- covert data flow
- deep call stacks
- circular calls
- source mining
- counter-encoding
- data laundering

Based on this, I will provide some code snippets as proof of concept for the audience to test at home.

This talk focuses on general weaknesses of SCA tools. I am not going to point the finger at specific vendors.

Just like in Old West movies, we are going through a land riddled with well-known gunmen: OceanLotus, DNSpionage and OilRig, who roam at ease, while the security cowboys sleep. This presentation will uncover the toolset and techniques used by these gunmen, taking a closer look at their big guns and their behavioral patterns. We will explore the attacks involving DNS that took place during the last decade to examine the latest discovered techniques in order to improve detections to dodge the bullets they are firing in our direction.

WebSocket protocol is many times more efficient than HTTP. In recent years we can observe that developers tend to implement functionality in the form of WebSocket APIs instead of traditional REST APIs, that use HTTP. Modern technologies and frameworks simplify the building of efficient WebSocket APIs. We can name GraphQL subscriptions or Websocket APIs supported in Amazon API Gateway.

WebSockets APIs have a different security model compared to REST APIs, resulting in unique attack vectors. Nevertheless, developers rarely take them into account.

WebSockets in browsers do not use the same-origin policy (SOP) concept, their security model is based on origin check. Out-of-the-box WebSockets provide no authentication and authorization mechanisms. WebSocket protocol is stateful and has two main phases: A handshake and data transfer phase. Most of the time authentication and authorization logic is implemented in the handshake phase, while the subsequent data transfer doesn’t have such mechanisms. Usually, this leads to severe security issues.

We will talk about CSRF issues, authorization bypass and IDOR issues, found in real web applications and disclosed through Bug Bounty programs.

Threat Modeling is a main method to identify potential security weaknesses, and is an important part of any secure design. Threat Modeling provides a model to analyze how to best protect your assets, prevent attacks, harden your systems, and efficiently prioritize security investment. Regardless of programming language, Threat Modeling provides a far greater return than most other security techniques in the SDLC process. Therefore, Threat Modeling should be an early priority in application design process. Unfortunately, it is common knowledge that building a full threat model is always heavily resource intensive, requires a full team of expensive security professionals, takes up far too much time, and is not scailable. This talk will describe modern Threat Modeling methodology and practices that can be fully incorporated into your existing agile process. We will discuss how to architect a robust Threat Modeling framework to be part of an Secure SDLC approach.

In 2017, the estimated global in-app purchase revenue was projected to exceed $37 billion. Just in the Google Play Store, for 2018, more than 200 000 apps are offering in-app purchases. However, the Google Play Billing API is vulnerable by design and allows an attacker to bypass the payment process. I analyzed several android games and found that it's possible to bypass the payment process. This presentation will show real vulnerable applications (Fruit Ninja, Doodle Jump, etc.).

Adversaries will always be able to compromise us, but that doesn't mean that the adversaries reach their goals. In order to prevent an adversary to be successful, the speed of our detection and response processes are key for a Security Operations Center (SOC). To support the SOC in this battle, the right tools and log sources need to be identified.
This presentation tackles this problem by introducing a threat based security monitoring approach using the Mitre ATT&CK Matrix, which is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. This approach combines the information about the Advanced Persistent Threats (APT) in the Mitre ATT&CK Matrix with its used techniques resulting in a comprehensive list of tools and log sources needed for security monitoring. Subsequently, Sigma, as a universal language for detection rules, is introduced to detect the identified threats. The threat based security monitoring approach using Mitre ATT&CK Matrix is conducted based on a fictional company, evil bank.

TLS fingerprinting maps data contained within the TLS ClientHello to a set of possible applications or TLS libraries such as Chrome 74.0 or OpenSSL 1.1.0k. We have developed a system that continuously fuses endpoint and network data from real-world networks and a malware analysis sandbox to automatically generate up-to-date and representative TLS fingerprint databases. Each fingerprint has a list of processes observed using the fingerprint, where each process object contains the SHA-256, process name, a sorted list of destinations/counts, a sorted list of OSes/count, and any antivirus signatures associated with the SHA-256.

Recently, TLS fingerprinting has gained traction as a mean to efficiently identify encrypted malicious traffic. In this talk, we use our databases to highlight some limitations of TLS fingerprint-only malware detection due to the large number of false positives introduced when malicious and benign applications use the same TLS libraries. To overcome these limitations, we have developed a simple and explainable method using naïve Bayes that incorporates destination information and leverages the additional details introduced by our TLS fingerprint database. Finally, we show how to generalize these techniques by defining equivalence classes for the destinations, e.g., by mapping destination IP address to autonomous systems. Real-world examples and results based on our open source project will be presented throughout the talk.

In this talk, Robert introduces the various operations that Trace Labs has performed to help illustrate OSINT techniques used in finding details on real human subjects.
Trace Labs is a non-profit organization that crowdsources open source intelligence to help law enforcement find missing persons. Trace Labs is non-theoretical and its members are conducting OSINT on real people.
Robert lifts the curtain on successful OSINT techniques that can be used to pull up important information on individuals. Many of the slides show specific tools and techniques that can immediately be used to improve your OSINT results.

The talk starts with a brief introduction to Trace Labs and its mission of helping law enforcement through a crowdsourced, open source intelligence. It then moves into a technical discussion on how to setup and operate. The presentation includes real world examples of subjects that the Trace Labs team searched for. It will also go over the tools and techniques used to find valuable details on subjects. Various tools are recommended and shown as a base, but the techniques are most important, as new and better tools are continually being introduced. Robert will also show various techniques that were used by subjects to evade being detected.
Robert wraps up the talk with the ethical questions around using these techniques so attendees can consider this as they proceed.
The talk is for anyone interested in OSINT. It will provide value to everyone, from seasoned intelligence operators to people, who just want to OSINT their potential date or tenant.