LIVE ONLINE TRAINING

Until 2017 HackerOne bug hunters have earned $20 million in bug bounties and they are expected to earn $100 million by the end of 2020. Some of HackerOne customers include the United States Department of Defense, General Motors, Uber, Twitter, and Yahoo. This clearly shows where the challenges and opportunities are for you in the upcoming years.

What you need is a solid technical training by one of the Top 10 HackerOne bug hunters.

Modern web applications are complex and it’s all about full-stack nowadays. That’s why you need to dive into full-stack exploitation if you want to master web attacks and maximize your payouts. Say ‘No’ to classical web application hacking. Join this unique hands-on training and become a full-stack exploitation master.

Watch 3 exclusive videos (~1 hour) and feel the taste of this live online training.

After completing this training, you will have learned about:

- REST API hacking
- AngularJS-based application hacking
- DOM-based exploitation
- Bypassing Content Security Policy
- Server-side request forgery
- Browser-dependent exploitation
- DB truncation attack
- NoSQL injection
- Type confusion vulnerability
- Exploiting race conditions
- Path-relative stylesheet import vulnerability
- Reflected file download vulnerability
- Subdomain takeover
- and more…

Watch 3 exclusive videos (~1 hour) and feel the taste of this live online training.

WHAT STUDENTS WILL RECEIVE
Students will receive a VMware image with a specially prepared testing
environment to play with the bugs. What's more, this environment is
self-contained and when the training is over, students can take it home (after
signing a non-disclosure agreement) to hack again at their own pace.

SPECIAL BONUS
The ticket price includes FREE access to Dawid Czagan's 6 online courses:

• Start Hacking and Making Money Today at HackerOne
• Keep Hacking and Making Money at HackerOne
• Case Studies of Award-Winning XSS Attacks: Part 1
• Case Studies of Award-Winning XSS Attacks: Part 2
• DOUBLE Your Web Hacking Rewards with Fuzzing
• How Web Hackers Make BIG MONEY: Remote Code Execution

WHAT STUDENTS SAY ABOUT THIS TRAINING
This training has been very well-received by students around the world. Here you can see testimonials.

WHAT STUDENTS SHOULD KNOW
To get the most out of this training intermediate knowledge of web application
security is needed. Students should be familiar with common web application
vulnerabilities and have experience in using a proxy, such as Burp Suite Proxy,
or similar, to analyze or modify the traffic.

WHAT STUDENTS SHOULD BRING
Students will need a laptop with a 64-bit operating system, at least 4 GB RAM (8
GB preferred), 35 GB free hard drive space, USB port (2.0 or 3.0), wireless
network adapter, administrative access, ability to turn off AV/firewall and
VMware Player/Fusion installed (64-bit version). Prior to the training, make
sure there are no problems with running 64-bit VMs (BIOS settings changes may
be needed). Please also make sure that you have Internet Explorer 11 installed
on your machine or bring an up-and-running VM with Internet Explorer 11.
(You can get it here: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/).

WHO SHOULD ATTEND
Penetration testers, bug hunters, security researchers/consultants

Smarter industrial systems require smarter defenses. In addition to increased security requirements on manufacturers, system integrators and operators of industrial plants, technical changes in the area of industrial security have become a new challenge. These rapid changes lead to the fact that industrial security today works completely different compared to the familiar world of automation of the past decades. In this training we provide clarity by giving guidelines for action on how to correctly handle security issues in an industrial environment. Technicians and engineers in particular are increasingly required in industrial operations to make or prepare the right decisions concerning appropriate technical security measures and security technologies. This requires deeper security knowledge and a good understanding – be it of threats, current attack campaigns or the use of technical protection measures. Thus, the contents of the “Defending ICS” trainings have been selected based on the experience gained from many industrial projects and are aimed at the challenges that technicians in the industry face in practice today. Through practical examples the participants develop all the skills required for secure digitization in industry. The training is aimed at persons that want to deepen their existing knowledge in IT and OT security and improve their skills regarding how to technically implement security measures in OT operations. The central theme of the training is securing an initially insecure OT network architecture. The training starts with a risk analysis to define possible impacts and identify threats and risks. After that the training is divided in chapters covering the most important security measures in OT. Every chapter starts with imparting theoretical know how regarding the topic, paired with hands-on exercises for better understanding and ends with the definition of additional threats based on the covered topics. In this way the security aspects of industrial protocols such as

- the choice of most common wired and wireless industrial protocols,
- how to secure insecure industrial protocols,
- vital OT network security topics like
Network segmentation,
ICS firewalls, and
Honeypots,
- and well-established network-based attacks such as
denial of service,
man in the middle,
spoofing, and
smb relay
are covered.

The last chapter is dedicated on how to implement certain security measures in OT. For this we have chosen the most common problem areas and the corresponding security measures in ICS:

Defense in depth (what is it and how is is relevant for OT)
User Management (centralized vs. decentralized user management, advantages of separate user management for OT, how to securely configure user management)
Credential Management (what is credential management, ways for implementing credential management in OT, consideration for ICS)
Host Hardening (most important hardening measures, considerations for OT)
System Monitoring and Network Detection (importance for OT, what to consider when implementing network monitoring and detection)
Remote Access (policies for implementing secure remote access for OT, discussion of TeamViewer for remote access)
Backup and Recovery (definition of RTO und RPO, common pitfalls, considerations for OT)

By the end of the training the participants have a basic understanding of OT transmission technologies and protocols as well as different network protection measures. Furthermore, they know the procedure for partitioning and zoning of an architecture according to the IEC 62443 standard. In addition, the participants acquire the knowledge on how to start implementing the most important security measures in their own OT as well as what to consider when doing so.

When designing redteam attacks, the scope can be quite complex. We are not only speaking about websites and pentesting, but finding and exploiting human vulnerabilities. Most of the social engineering attacks imply using gadgets: from mock "pendrives" to sniffing, hardware plays a very important part in real life scenarios. For this purpose, there are tons of gadgets from official trade marks such as Hak5, The Hacker Warehouse, Dangerous things and others. Although this gadgets usually work like a charm, sometimes we have to rely on more flexible gadgets, designed for a specific purpose in specific scenarios. And in that case we should know a bit about electronics and open source hardware for building our own gear.

Relying on Open source Hardware is a good idea as it's easier to find manuals, support, community help and more. A lot of pentestings most used tools are open source and we love them, so why not do the same with open sourced hardware? The maker community is one of the most friendly in tech, let's take advantage of it!

Once you complete the training you will have learned about:

• Electronics and basic circuits physics
• C for electronics
• Choosing from different kind of boards for a (security) project
• Setting up a Rasperry Pi
• Use and configure Arduino IDE for different kind of projects
• Using DFIR for Arduino
• Using Bluetooth in Arduino
• WiFi in RPI and Arduino
• How facial recognition works
• Using Attiny85 as a rubber ducky
• GSM and geofencing
• Looking for circuit designs and ordering custom boards
• Hardware debugging
• The steps for designing a whole hardware project
• Usability and how to build hardware not only for you but for your team
• Understanding the risks and limits of using hardware
• Maker community and the importance of keeping open sourced stuff

WHAT WILL STUDENTS USE

I will lend hardware hacking kits to groups of students that will be organized in the training, they will need to return the stuff when the class finishes. This kit will include: Attiny85 and nano boards, Bluetooth, DFIR, and others components/sensors, resistors, wires and other assisting components. They will have to use their own computers, preferably Linux based.

During the training I will do some capture the flag-like activities in which the students will be able to win some stuff from the training.

WHAT STUDENTS SHOULD KNOW

A bit of C knowledge is recommended, but knowing programming in general is the true requirement. The training is meant to be available to those who haven't used C as well. Basic Linux commands are strongly recommended, as that's what I will be using and it might be confusing for those who haven't used it before.

WHAT STUDENTS SHOULD BRING

They should bring their computers. I personally recommend Linux based (mostly because this way they will follow the exact steps I take and I will be most likely able to solve issues) and they should install Arduino. If they already have any board they are willing to learn about (Arduino, RPI 4/Zero, ESP8266, etc) they are encouraged to bring it.

WHO SHOULD ATTEND

Anyone interested in Hardware or Redteam, both students and professionals are welcomed.

In this workshop I provide the class with real human targets and while they are collaborating on this I provide tools and techniques for them to use to bring them closer to their goal. This is a hands on workshop where students will also have the opportunity to learn from each other. The beginning of the class will consist of a brief intro to OpSec considerations while the end will wrap up with report prep and intel safe guarding.

The earlier in the lifecycle you pay attention to security, the better are the outcomes. Threat modelling is one of the best techniques for improving the security of your software. It is a structured method for identifying weaknesses on design level. The participants will learn the technique and gain practical skills through exercises.

The curriculum of the training:
- Threat modelling: introduction and motivation
- Data Flow Diagrams
- STRIDE
- Beyond STRIDE
- Prioritization
- Mitigations
- Integrating threat modelling in SDLC

This training targets mainly blue teamers, as well as software developers, qa engineers, and architects; but will be also beneficial for scrum masters and product owners.

Defenses focus on what you know! But what happens when the attackers gain access to your network by exploiting endpoints, software or even your people. Under the assumption that you have been breached, how do you work backwards to gain knowledge of what happened? How can you find those adversaires in your infrastructure? IR detection and response relies on a structured process of identifying observables and collecting evidence. One aspect of this is the practice of proactively seeking out evil in your infrastructure, finding needles in haystacks that link to other needles and unveiling how an organization was compromised and possibly even answering the "why?". This is commonly referred to as Threat Hunting. In this hands-on training participants will learn about the basic building blocks for an IR detection and investigation programme. The training will introduce the basics so that a participant will be able to take this knowledge and build up a programme in their own organisation. Using tools like ELK or HELK, Grr, Sysmon, and osquery, we will explore how to deploy and use these tools as basic free options to build the foundations of the threat hunting programme. The labs will look at how Mitre ATT&CK and things like sigma rules are used to help identify indicators of attack. With interactive labs on a simulated corporate infrastructure of both windows and linux client, we'll explore the capabilities provided by these tools to hunt for common techniques used by Malware and threat actors.

Participants will walk away with a basic understanding of threat hunting and the tools needed to develop a hunting practice in their own organisation through the following agenda:

Intro to threat hunting
Threat hunting and the IR process
Understanding the requirements
Backend Tools
Detection/Reporting tools like Mitre ATT&CK and Sigma
Endpoint tools: osquery and sysmon
Hands on exercise will be spread across the 2 days

Participant Requirements:
Working knowledge of Windows (no OSQuery experience required);
Working knowledge of the Linux shell (no OSQuery experience required);
Basic SQL,
Laptop with a SSH client

LIVE ONLINE TRAINING

Did you ever struggle to use Frida?

Do you ever wanted to know how to intercept traffic on a Fluter App and bypass SSL Pinning on Android and iOS?

Or were just curious if it's possible to do a proper penetration test on a non-jailbroken iOS device?

If so, this training is perfect for you. All of these topics and more will be covered during our hands-on course that is based on the OWASP Mobile Security Testing Guide (MSTG) and is conducted by one of the authors himself. The OWASP MSTG is a comprehensive and open source guide on modern mobile security testing for both iOS and Android. This course will provide a customized mobile testing environment including many hands-on mobile security challenges. Wide ranges of topics will be covered such as Mobile Operating System fundamentals to using Frida (Dynamic Instrumentation Framework) to bypass client-side security controls.

What attendees will learn

This course is developed for:
- Penetration Testers that want to achieve full coverage when testing a mobile app and know how to work with an accepted industry standard for mobile testing
- Developers that want to understand how attacks against their mobile apps are executed and how they can be improved by implementing security best practices.

The goal of this course is to learn:
- the technical skills to execute a penetration test against iOS and Android mobile applications
- utilise the OWASP Mobile Security Testing Guide (MSTG) as a baseline and comprehensive methodology during mobile security assessments.
- How to mitigate vulnerabilities in mobile apps and implement the latest best practices

This training will mainly focus on:
- iOS and Android security fundamentals to understand the security mechanisms that are in place by the OS
- Preparing a penetration testing environment for iOS and Android and clarifying the limitations and benefits of each (real device, emulator, jailbroken, rooted etc.)
- Hands-on exercises that are based on iOS and Android Apps that are build specifically for each test case to gain an understanding of different vulnerabilities
- Demonstrate implementation of the latest security best practices to mitigate vulnerabilities in mobile apps or reduce the attack surface
- Demonstrating methodology on conducting iOS application testing with a jailbroken and non-jailbroken device
- Introduction into dynamic instrumentation by using Frida and different tools powered by Frida (e.g. objection)
- Reverse Engineering of iOS and Android Apps to bypass client-side security controls, such as disabling Root Detection or SSL Pinning

Attendees will be provided with the following content:
- All slides in PDF format used for Day 1 and Day 2
- Toolkit including all tools and scripts used during the training (Access to private Github repo)
- Several iOS and Android Apps that are used for the exercises (Access to private Github repo)

Prerequisites
The following prerequisites need to be fulfilled by the participants in order to be able to execute and follow all exercises:
- MacBook with at least 8 GB Ram, 40GB of free disk space and a stable internet connection
- Full administrative access to disable AV or Firewall in case of any issues with the environment
- VirtualBox installed
- Xcode installed

An iOS or Android hardware device is not needed by the participants and will also not provided. The hands-on exercises for the Android training will instead be executed in a cloud-based, virtualized environment that allows attendees to access a rooted Android device. One Android instance will be provided for each participant.

The iOS training will be executed with the iOS Simulator. The source code of the vulnerable apps will be shared with the students and different attacks can be executed and fixes can be applied.

We will also offer 20 min support windows, 1 week before the training for all students, to make sure that the setup is up and working prior to the training.

The participants should have a basic understanding of mobile apps, interest in security and learning new things and basic experience with the command line.

Detailed Outline

Day 1 – Android:

Module 1: Overview of Android Platform and Security Mechanisms:
- Android Security Architecture (Bootloader, Permission model, Sandboxing etc.)
- App Communication with the Operating System (IPC, Intent etc.)
- Runtime Environment (Dalvik vs. ART)

Module 2: Creating an Android Testing Environment
- Android Debug Bridge (ADB)
- Setting up an Android Genymotion instance in the cloud for testing
- Differences and limitations between testing in an emulator/simulator and a physical device

Module 3: Android Application Structure
- Decompiling an APK
- APK file structure
- Understanding and analysing the AndroidManifest.xml
- Repackaging and analysing an app with Network Security Configuration

Module 4: Static Analysis
- Identifying a Deeplink vulnerability in a Kotlin App
- Exploiting the Deeplink vulnerability
- Automated Static Analysis with MobSF; showing quick wins and it's limitations to identify the Deeplink vulnerability

Module 5: Analysis of Network Traffic
- Proxying HTTP traffic by using Burp Suite
- Analysing apps build on frameworks that are not using the system Proxy; Students will be intercepting an app build with Flutter
- Capturing all outgoing (non-HTTP) traffic on the Android device, by chaining tcpdump, netcat, adb and Wireshark together
- Piping network traffic from an Android device to your laptop through USB by using adb reverse, e.g. in case of client isolation in the Wifi network

Module 6: Dynamic Instrumentation 101 Android
- Introduction into Frida and it's basics (hooking, overloading, usage of Frida CLI and Frida scripts etc.)
- Identify and hook functions of an Android App
- Using Frida Server on a rooted device

Module 7: Reverse Engineering - Bypassing Root detection
- Introduction into various ways of implementing root detection
- Using Dynamic Instrumentation to bypass multiple root detection functions and compare it to other techniques, such as patching Smali and using Xposed (Pros/Cons)

Module 8: Bypassing SSL Pinning
- Overview of SSL Pinning functionality and implementation
- Show different ways of bypassing SSL Pinning, by using Xposed (rooted device) and Objection (non-rooted device)
- Show ways of bypassing Network Security Configuration

Module 9: Testing for Sensitive Data in Local Storage (Shared Preferences, SQLite Databases, Internal and External Storage) and secure usage of KeyStore

CTF: Investigate an app with the newly learned skills and win a price!

Day 2 – iOS

Module 1: Overview of iOS Platform and Security Mechanisms
- iOS Security Architecture (Hardware Security, Code Signing, Sandbox, Secure Boot, Security Enclave)
- Explaining IPA Container and Structure on the iOS File System

Module 2: Creating an iOS Testing Environment
- Testing with and without Jailbreak and it's limitations
- Testing in an emulator compared to a real device
- Setting up the iOS Simulator and Xcode
- Describing various ways of installing iOS Apps

Module 3: Demonstration of testing iOS Apps without Jailbreak:
- Repackaging an IPA with the Frida Gadget by using Objection
- Overview of Objection and it's limitations

Module 4: Static Analysis
- Decrypting an app with Fairplay Encryption by using clutch or frida-ios-dump
- Using class-dump
- Analyzing 3rd party libraries in iOS Apps for vulnerabilities
- Automated Static Analysis with MobSF
- Review Info.plist for misconfigurations, such as App Transport Security (ATS)

Module 5: Dynamic Instrumentation 101 iOS
- Recap of Frida and it's basics (hooking, overloading, usage of Frida CLI and Frida scripts etc.)
- Identify and hook functions of an iOS App
- Using Frida for testing iOS Apps

Module 6: Dynamic Analysis
- Capturing HTTP traffic through Burp Suite
- Piping network traffic from an iOS device to the laptop via USB by using usbmuxd, e.g. in case of client isolation in the Wifi network
- Analysing all non-HTTP traffic through a remote virtual interface on macOS

Module 7: Bypassing SSL Pinning
- Identifying usage of SSL Pinning
- Lab to show different ways of bypassing SSL Pinning, by using SSL Kill Switch (jailbroken device) and by using Objection (non-jailbroken device)

Module 8: Testing for Touch ID /Face ID Bypass
- Overview of Touch ID / Face ID functionality and implementations
- Bypassing Biometric authentication through Needle and Objection

Module 9: Testing for Sensitive Data in Local Storage
- Explanation of different ways to store data on iOS (Core Data, plist, Sqlitedb etc.) and how to store it securely by using the Keychain
- Analyse local storage by using Objection, Passionfruit and Xcode

Module 10: Testing Stateless Authentication with JSON Web Token (JWT) in an iOS App
- Dynamic Testing by using Burp Suite
- Analyse storage for access tokens
- Apply known attacks against JWT

Module 11: Hands-on: Reverse Engineering
- Basic Reverse Engineering of an iOS app
- Bypassing Client-Side Security controls such as jailbreak or simulator detection through dynamic instrumentation with Frida

CTF: Investigate an app with the newly learned skills and win a price!

Everything has a beginning. Just like the universe, the DeepSec conference has one, too. This is it.

Information security is a field of many skills. There is no doubt about this. Modern technology and the digital world we all live in require a decent set of varying talents. So what do you really need to know? How can you accumulate all this knowledge without being reborn twice? Do we stop at DevSecBioLawOps, or can we add some more words as German native speakers routinely do?

The presentation will take you through the wonderful world of information security throughout the decades. You will arrive at a model of today's infosec world - or at least at the picture found in advertising. We will compare this to reality and see if we can derive any meaningful conclusion from historic and current facts.

In the spirit of BSidesLondon's Rookie Track: Rookies and long-time infosec veterans welcome!

More and more we see in our penetration tests, that companies do not just rely on the traditional endpoint protection (EPP), instead they began to use additional an EDR to the existing EPP or the use an EPP/EDR combination from different vendors like, Microsoft, CrowdStrike, Endgame etc.. Compared to an EPP, an EDR is not designed for the prevention of malware, but for detection, response and hunting. EDR systems have a high process visibility at the endpoint. This makes it possible to conduct malware analysis based on the monitored behavior. For that, some EPP/EDR products under Windows rely on the technique API-Hooking. API-Hooking is a method to check executed code (via APIs) for malicious content by interception. For this purpose, the EPP/EDR software injects its own .dll into the address memory of a process. In simple terms, the executed code is redirected to the EPP/EDR .dll so that the code can be analyzed for malicious content. 

However, Kernel Patch Protection (KPP) aka Patch Guard forces the EPP/EDR software to perform API Hooking in user-mode. This makes it possible to bypass user-mode API-Hooking, by techniques like ntdll.dll mapping or direct system calls.

There are some EDR products which rely heavily on user-mode API-Hooking. Depending on the product we could observe that for example ntdll mapping can have a very heavily impact on the further recognition by the EDR system.

However, testing of different EPP/EDR products also showed that EPP/EDR manufacturers rely not only on user-mode mechanisms, instead the use kernel-mode mechanisms like kernel callbacks. Depending on the product, it may be sufficient in the context of credential dumping to bypass the user-mode component (API-hooking) for successful credential dumping. For other EPP/EDR products, however, it is not sufficient to bypass only the user-mode API-hooking. In order to successfully dump credentials using Direct System Calls, for example, the kernel callbacks registered by device drivers must be removed.

If we can build software in a reliable, reproducible and quick way at any time using Pipeline-as-Code and have also automated security scans as part of it, how can we quickly capture the risk landscape of agile projects to ensure we didn't miss an important thing? Traditionally, this happens in workshops with lots of discussion and model work on the whiteboard with boxes, lines and clouds. It's just a pity that it often stops then: Instead of a living model, a slowly but surely eroding artifact is created, while the agile project evolves at a faster pace.

In order to counteract this process of decay, something has to be done continuously, something like "Threat-Model-as-Code" in the DevSecOps sense. The open-source tool Threagile implements the ideas behind this approach: Agile developer-friendly threat modeling right from within the IDE. Models editable in developer IDEs and diffable in Git, which automatically derive risks including graphical diagram and report generation with recommended mitigation actions.

The open-source Threagile toolkit can be executed as a simple docker container and runs either as a command line tool or a full-fledged server with a REST-API: Given information about your data assets, technical assets, communication links, and trust boundaries as input in a simple to maintain YAML file, it executes a set of over 40 built-in risk rules and optionally your custom risk rules against the processed model. The resulting artifacts are diagrams, JSON, Excel, and PDF reports about the identified risks, their rating, and the mitigation steps as well as risk tracking state.

Agile development teams can easily integrate threat modeling into their process by maintaining a simple YAML input file about their architecture and the open-source Threagile toolkits handles the risk evaluation.

Adversary Emulation is a type of ethical hacking engagement where the Red or Purple Team emulates how an adversary operates, leveraging the same tactics, techniques, and procedures (TTPs), against a target organisation. The goal of these engagements is to train and improve people, process, and technology. Adversary emulations are performed using a structured approach following industry methodologies and frameworks (such as MITRE ATT&CK) and leverage Cyber Threat Intelligence to emulate a malicious actor that has the opportunity, intent, and capability to attack the target organisation.

In this presentation, end-to-end methodology and tools will be introduced to help security operations and defence teams. The methodology will cover how to organise cyber threat intelligence and leverage it to conduct adversary emulation and hunting using a framework like ATT&CK. Hunters, incident responders and SOC teams will learn how to use emulation to gain a better understanding of adversary TTPs and help identify gaps in controls as well as prioritise hunting and mitigation activities.

Azure AD is used by Microsoft Office 365 and over 2900 third-party apps. Although Azure AD is commonly regarded as secure, there are serious vulnerabilities regarding identity federation, pass-through authentication, and seamless single-sign-on.

In this session, using AADInternals PowerShell module, the exploitation of these vulnerabilities to create backdoors, impersonate users, and bypass MFA are demonstrated.

The purpose of this session is to raise awareness of the importance of the principle of least privilege and the role of on-prem security to cloud security.

The earlier in the lifecycle you pay attention to security, the better are the outcomes. Threat modelling is one of the best techniques for improving the security of your software. It is a structured method for identifying weaknesses on design level. However, it is often perceived by the organisations as too expensive to introduce, or too slow to fit modern lifecycles, be it Agile, Lean, or DevOps.

This talk will show how to fit threat modelling in fast-paced software development, without requiring every developer to become an expert. The outcomes should be immediately applicable, hopefully empowering you to try it at work the day after the conference.

Ever wondered your presence exposed to an unknown entity even when you are promised for full security and discretion in a hotel? Well, it would be scary to know that the hospitality industry is a prime board nowadays for cyber threats as hotels offer many opportunities for hackers and other cybercriminals to target them and therefore resulting in data breaches. Not just important credit card details are a prime reason, but also an overload of guest data, including emails, passport details, home addresses and more. Marriot International where 500 million guests' private information was compromised sets for one of the best examples. Besides data compromise, surgical strikes have been conducted by threat actors against targeted guests at luxury hotels in Asia and the United States. The advanced persistent threat campaign called Darkhotel infected wifi-networks at luxury hotels, prompted the victim to download the malware and thus, succeeded in specifically targeting traveling business executives in a variety of industries and all its prevalence seems to have no end yet.

For a broader look, this time a popular internet gateway device for visitor based networks commonly installed in hotels, malls and other places that provides guests temporary access to Wi-Fi was examined. To see, how the guests and the hotels both have a serious stake in this, we will discourse about the working of guest Wi-Fi systems, different use cases and their attack surfaces: device exploitation, network traffic hi-jacking, accessing guest's details and more. Common attacks and their corresponding defenses will be discussed. This talk will contain demos of attacks to reveal how the remote exploitation of such a device puts millions of guests at risk.

Cloud computing is a convenient model for processing data remotely. However, users must trust their cloud provider with the confidentiality and integrity of the stored and processed data. To increase the protection of virtual machines, AMD introduced SEV, a hardware feature which aims to protect code and data in a virtual machine. This allows to store and process sensitive data in cloud environments without the need to trust the cloud provider or the underlying software.

However, the virtual machine still depends on the hypervisor for performing certain activities, such as the emulation of special CPU instructions, or the emulation of devices. Yet, most code that runs in virtual machines was not written with an attacker model which considers the hypervisor as malicious.

In this work, we introduce a new class of attacks in which a malicious hypervisor manipulates external interfaces of an SEV or SEV-ES virtual machine to make it act against its own interests. We start by showing how we can make use of virtual devices to extract encryption keys and secret data of a virtual machine. We then show how we can reduce the entropy of probabilistic kernel defenses in the virtual machine by carefully manipulating the results of the CPUID and RDTSC instructions. We continue by showing an approach for secret data exfiltration and code injection based on the forgery of MMIO regions over the VM's address space. Finally, we show another attack which forces decryption of the VM's stack and uses Return Oriented Programming to execute arbitrary code inside the VM.

While our approach is also applicable to traditional virtualization environments, its severity significantly increases with the attacker model of SEV-ES, which aims to protect a virtual machine from a benign but vulnerable hypervisor.

Ransomware is one of the most damaging variations of malware to date, extorting individuals, companies, and governments. This presentation will cover a history of Ransomware and related malware, the types of extortion that are used, and the effects it has had on victims. An analysis of tools, tactics, infrastructure, malware used in attacks, and specific ransomware variants will be presented, along with where different types of solutions can be used to stop infection. Additionally, techniques for recovery and remediation will be discussed.

While it may be impossible to stop a determined ransomware infection, there are many ways to prepare and possibly prevent them. This talk will help to bring clarity to this problem, leaving attendees better informed and capable of fighting back.

Have you ever asked these questions? You are using the latest mobile and using your laptop with the latest and patched OS, running antivirus: Do you need to worry about security? Isn’t there still something broken in the entire security and permission model? Why can the desktop application, that is not an internet browser, access and communicate by using any IP address? Why can the application access your whole filesystem and collect the files from there? Why can an android app with internet permission communicate using any arbitrary IP, even a private one? Why can the app communicate by using different domains? Isn't the app market ecosystem creating a friendly environment for botnets? This talk will shed some light on these issues and propose some mitigation strategy.

Machine learning based solutions have been very helpful in solving problems that deal with immense amounts of data, such as malware detection and classification. However, deep neural networks have been found to be vulnerable to adversarial examples, or inputs that have been purposefully perturbed to result in an incorrect label. Researchers have shown that this vulnerability can be exploited to create evasive malware samples. However, many proposed attacks do not generate an executable and instead generate a feature vector. To fully understand the impact of adversarial examples on malware detection, we review practical attacks against malware classifiers that generate executable adversarial malware examples. We also discuss current challenges in this area of research, as well as suggestions for improvement and future research directions.

Check Point Researchers recently discovered an ongoing, evolving campaign from a known hackers’ group, “DarkCrewFriends.” This campaign targets PHP servers, focusing on creating a botnet infrastructure that can be leveraged for several purposes such as monetization and shutting down critical services.

DarkCrewFriends has been quite active over the last few years. The group offers a variety of services ranging from bots to traffic services for websites, and was mentioned as the party responsible for causing a data breach in an Italian news site.

The attack chain of the current campaign includes exploiting an unrestricted file upload vulnerability, uploading a malicious PHP web shell, and communicating with a C&C server using an IRC channel. The attackers can leverage the malware’s capabilities for various scenarios, such as DDoS attack types and shell command execution.

In the presentation we will present our findings, from the detailed entire attack chain walk through to sharing unique insights on the threat actors.

Technology poses a risk of cyber attacks to all of us, but mobile devices are more at risk because there are no good detection applications for phones, and because they are the target of many novel attacks. We still don't have a good idea of what our phones are doing in the network. To be better protected, mobile devices need better detection solutions from our community.
In this talk I will present the development of Slips, a Python-based, free software IDS using machine learning to detect attacks in the network traffic of devices. For the last year I have been developing the core parts of Slips and a new command line graphical interface in Node.js. This talk will show how to use Slips for performing traffic analysis, behavioral study and detection of real malware executed in mobile devices. During this research, I executed several RAT applications for Android that I plan to show how to detect them using Slips. Slips offers to our community an open solution that we are working to improve with the latest technology.

Adversarial machine learning is so popular nowadays that Machine Learning (ML) based security solutions became the target of many attacks and, as a consequence, they need to adapt to them to be effective. In our talk, we explore attacks in different ML-models used to detect malware, as part of our experience in the Machine Learning Security Evasion Competition (MLSEC) 2020, sponsored by Microsoft and CUJO AI’s Vulnerability Research Lab, in which we managed to finish in first and second positions in the attacker' and defender challenge, respectively.

During the contest’s first edition (2019), participating teams were challenged to bypass three ML models in a white box manner. Our team bypassed all three of them and reported interesting insights about the models’ weaknesses. This year, the challenge evolved into an attack-and-defense model: the teams should either propose defensive models and attack other teams’ models in a black-box manner. Despite the increase in difficulty, our team was able to bypass all models again, which allowed us to present interesting insights regarding attacking models, as well as defending them from adversarial attacks.

In particular, we showed how frequency-based models (e.g., TF-IDF) are vulnerable to the addition of dead function imports, and how models based on raw bytes are vulnerable to payload-embedding obfuscation (e.g., XOR and base64 encoding). One of the main contributions of this work is to show that adversarial attacks are more practical in real life models than previously thought, affecting even anti-virus used by final users.

Welcome to the new Cold War in the Middle East. In 2012, Iran’s first Shamoon attacks almost crashed every world economy, nearly bringing the world to its knees. Since then, the game of spy vs. spy has intensified. Join Chris on a 2.5 year Iranian espionage campaign attempting to recruit her for the most innocent of jobs; teaching critical infrastructure hacking with a focus on nuclear facilities. A journey of old school espionage with a cyber twist. Bribery, sockpuppets, recruitment handlers, propaganda VVIP luxury trip mixed with a little IOT camera revenge.

Fault attacks induce incorrect behavior into a system, enabling the compromise of the entire system and the disclosure of confidential data. Traditionally, fault attacks required hardware equipment and local access. In the past five years multiple fault attacks have been discovered that do not require local access, as they can be mounted from software.
We will discuss the Rowhammer attack and how it can subvert a system. We then show that a new primitive, Plundervolt, can similarly lead to a system compromise and information disclosure.

The concept of a blameless culture is familiar to agile software development teams the world over. Going blameless has lots of merits, yet in many organizations and management teams true blamelessness is far from being the norm. This is especially true for the security sector, where the thinking is perhaps even more linear than elsewhere in an organization. This way of thinking is not necessarily bad, but not always helpful. On the other hand, sugarcoating any shortcoming will not help things along either. In truth, the security industry is still facing a lot of work when it comes to dealing with people. This talk will address and explore some of the fundamental problems of corporate security culture and why it keeps companies from moving forward.

Active work is being done to create and develop quantum computers.
Traditional digital signature systems, which are used in practice, are vulnerable to quantum computers attacks. The security of these systems is based on the problem of factoring large numbers and calculating discrete logarithms. Scientists are working on the development of alternatives to RSA, which are protected from attacks by quantum computer. One of the
alternatives are hash based digital signature schemes. Merkle digital signature scheme is the very promising alternative to the classical digital signature schemes. It must be emphasized, that the scheme has efficiency problems and can not be used in practice. Major improvements of the scheme lead to security vulnerabilities. I will show that Merkle uses hash functions many times. I will offer the improved implementation of the hash function. I will integrate it into Merkle scheme. By means of this function, I will offer the secure and efficient Pseudo Random Number Generator (PRNG). I will offer the optimized approach for the generation of the seed for this PRNG by quantum source of randomness (using the simulation). During my talk, I will offer the efficient and secure implementation of Merkle signature. This scheme will use the optimized approaches discussed above. The implementation will be significantly speeded up using the threads of CPU. I will analyze the efficiency and the security of the scheme.

The Art of the Breach is designed to be a journey for anyone interested in physical security. Robert takes the audience on a trip from a public sidewalk outside a target organization all the way to the executive filing cabinet in the President’s office. During this adventure, Robert discusses everything from successful reconnaissance prior to the breach to ensuring an easy exit afterwards.
Robert spends time at each step to go over the various options for moving forward. Some of these options are easy and straight forward while others require preparation and planning. Since every business is different, Robert brings in many different obstacles a physical penetration tester might face. This includes steel doors, cameras, armed guards and aware employees.
While many physical security talks focus strictly on the information security aspect of breaching, Robert will combine this with techniques used by first responders to enter a building.
If you want to up your game on physical security or at the very least gain some ideas for improving your company’s defenses, this talk is for you.

Don’t say no one likes passwords. It isn’t true. Criminals love them. Passwords are easy to steal, copy, and re-use. Who wouldn’t like that? Well, I mean, other than victims and those in charge of protecting systems. Between user complaints about complex password policies and admin complaints about help desk calls and password resets, perhaps it is time for a change. After all, for as long as people have been securing IT, the credentials have been the first and last line of defense.

This talk provides a walking tour of the authentication landscape. Red versus blue style, we’ll compare attacks and defenses and walk along the evolution of strong authentication. To the left, we’ll see multi-factor with SMS, soft tokens, push authentication, and biometrics. To the right, we’ll see single sign-on with SAML and OIDC. Look straight ahead for passwordless methods such as Windows Hello and FIDO2. This session will conclude with the latest practices for protecting authentication and give a glimpse of the changes to come. Attendees will be able to provide authentication that even a criminal could love.

The Eclipse Arrowhead Framework addresses the move from large monolithic organisations towards multi-stakeholder cooperation, thus addressing the high level requirements in today’s society such as sustainability, flexibility, efficiency and competitiveness. The secure onboarding procedure is needed when a new device (hosting a software system and several services) wants to interact for the first time with the Eclipse Arrowhead local cloud. This is especially needed when the device is very resource constrained and may not have an user interface. The onboarding procedure ensures a secure and trusted communication between the application systems and the core systems of the Eclipse Arrowhead framework, and can be easily adapted for other IoT frameworks that are build based on Service-oriented Architecture (SoA) principles. The applicability is shown in a smart charging use case.

"Catch me if you can!" is the right phrase to describe today's malware genre. Malwares have become more stealthy, deadly and authors have become more wiser too. 

What if sandboxes started performing rapid static analysis on malware files and passed on the metadata to spin a sandbox environment based on malware attributes and the malware does not evade? Well, the talk deals with about how to do RSA (Rapid Static Analysis, i coined it), pass on the attributes and how we defeat modern malwares by dynamically spinning sandboxes. RSA embedded in "H.E.L.E.N" and "Dummy" and how we extracted the real IOC from Ryuk forms the rest of the talk and story! The talk also covers how these key "attributes" that are extracted are used for ML, how we build bipartite graphs, build instruction based sequence detection models and win32 api based detection models "leveraging HELEN's intelligence".

Home Automation System (HAS) are a growing market, which is very diverse ranging from consumer electronics like TVs, mobile phones and gaming consoles via WLAN connected sensors, power plugs or lightbulbs to building automation devices for HVAC systems  or access solutions. Beside "classical" network technologies IoT technologies gain increasing spread and importance.

This paper presents results of a representative survey analyzing the security awareness and perception as well as susceptibility to cybercrime of HAS users in Austria. The aim of this survey is to investigate the spread of the device types, cybercrime attacks and security risks.
These results are compared with technical vulnerabilities of such devices to identify relevant security risks and countermeasures.

Additionally, a concept to protect sensor values directly in the analog circuit is presented as an outlook to ongoing research.

Targeted cyber attacks sometimes imply to investigate and mimic the people who work in a physical environment, who their clients are, what are their most common suppliers or services and more. Knowing about them and about your team (including yourself) can lead to a successful phishing or physical social engineering attack. Hardware hacking is usually related to this, as most of the gadgets need to be used physically close to the target. In this talk I'd like to explain how to investigate, profile a character, disguise the devices I build and use all public resources to make other people think I am someone that I'm not.

Bug bounties have started to make headlines over the past years and currently we can see a constant growth of it. Implementing a Bug Bounty Program can be challenging and requires some understanding of the nuances on how to make it successful or not. Actually running a successful bug bounty program starts far before it is launched officially. During this talk you will find out how a successful program looks like and also there will be some practical tips and tricks to optimize your program.

Red team operations involve many skills, the operation requires a lot of monitoring, consolidating and caution. In order to perform red team operations faster and stealthier, without thinking about the infrastructure, every team has its' own habits and standards.

However, there is a problem with those habits and standards:
- There are tons of tools but no operation management,
- No aggregation between these tools,
- When OPSEC fails due to problems above or any other reason, it's essential to possess the capability of maintaining robust infrastructure which can be recreated if discovered, and more importantly, without any issues upon deployment.

In this talk, infrastructure challenges we face as a red teamer will be discussed. Along with challenges, a solution will be proposed based on DevOps practices such as:
- Design your infrastructure based on the standards and habits which your team has
- Create playbooks which suit your needs based on your design
- Create CI pipeline to test and maintain your playbooks

IT security is one of the most challenging global issues of recent years. But apart from the establishment of countless "cyber security" authorities, politics doesn't seem to come up with something substantial. However, Free Software can be the solution to many pressing security problems. In this session, we will look at pros and cons and use concrete examples to illustrate why security and openness are not contradictory.

For security professionals, the growing complexity of today's digital world is no big surprise. But decision-makers are often overwhelmed by these new challenges and the uncertainties they entail. As a result, many fall for cheap selling arguments for blackboxed solutions and lose sight of a general strategy.

We don't know the exact security threats in five or ten years, but it is obvious that nobody can face them alone. This is where Free and Open Source Software comes into play. However, transparency and openness may seem contra-intuitive when it comes to security.

Together, we will explore how this riddle can be solved sustainably. The talk will also cover potential disadvantages and cases of consideration as well as typical counterarguments.

Many say “We will all, probably, be chipped”, others say “Never”! However, chipping humans can be seen as one of the most invasive biometric technologies. Radio Frequency Identification (RFID) and Near Field Technology (NFC) as related key technologies in the field of human implants are being used by hobbyists, scientists and companies. Reasons to use implants mainly refer to security reasons (identification, workplace surveillance), to healthcare (control of human biological functions of patients) or “just for fun” (to operate smart home applications, to pay by credit card, etc.).
One the one hand, current challenges in human chipping show positive corporate and individual (estimated) advantages; on the other hand, research in security and privacy has shown a high potential of negative impacts. Thus, beside a next big security and privacy debate in the field, also ethical and societal questions arise.
The presentation is organized as follows: The first part identifies current (surrounding) trends of the “Internet of bodies” like biohacking, body enhancement, and cyborgism. The second section discusses triggers for human chipping from an individual and corporate point of view. Existing and potentially upcoming issues of security, privacy and ethics are analyzed in the next part. Finally, theses for further corporate, individual, and also societal developments as well as potential new fields for research are being identified.

Information security typically focuses on endpoint exploitation and manipulation. However, adversaries increasingly migrate attacks to cover “midpoint” techniques (DNS manipulation, router exploitation, and traffic shaping mechanisms) to circumvent both endpoint and network defenses. Although receiving attention that such attacks take place, most threat analysis provides little information on the implications of such attacks or defensive strategies to meet them.

Starting with revelations emerging from various NSA-related leaks through several campaigns exploiting vulnerabilities in enterprise network devices and multiple examples of DNS traffic hijacking, this talk will examine how adversaries are migrating attack vectors to infrastructure or services beyond the perimeter of intended victims. Examples will include the alleged QUANTUM program associated with US government operations, network device attacks linked to Russian state interests targeting the energy sector, and several waves of DNS manipulation including the SeaTurtle and DNSpionage campaigns. Each illustrates one “layer” of midpoint attack possibility, with different implications in terms of both the threat and its possible mitigation.

The discussion will conclude with security recommendations, examination of risks, and how privacy-oriented discussions such as debates over encryption may influence these types of attacks moving forward. Specifically, organizations face a dilemma of attacks manifesting outside the network perimeter (both endpoint and company-owned network infrastructure), making defense difficult. Yet options exist, from communication security through persistent network traffic monitoring and analysis. Through this discussion, entities will be better prepared to defend against, detect, or even eliminate such risks from harming their operations.

My research is focusing on social engineering attacks conducted against the healthcare sector in stressful situations.
The study involved doctors, healthcare workers, administrative staff, researchers and even university students in medicine. Through simulated social engineering attacks at different levels of complexity, we measured the risk thresholds in the various categories and identified strengths and weaknesses in their approach of technology.

The study involved over 500 people (different in age, gender and IT skills) and was conducted between May and June, to avoid creating problems during the most severe phase of the COVID-19 pandemic.

Despite the many critical issues that emerged from the analysis (statistically, over 62% of the subjects involved failed to recognize and neutralize at least one of the attacks), there are also positive results that allow us to identify virtuous users and privileged practices in defying social engineering.

A significant amount of confusion exists about what kind of damage is possible when vulnerabilities are found in mobile apps. This talk aims to solve this problem by providing a broad coverage of Android and iOS app vulnerabilities identified over multiple years of penetration testing. The purpose is to provide a comprehensive repertoire of security anti-patterns that penetration testers can look for and mobile app developers can watch out for to avoid.

If you are the kind of person who enjoys talks with practical information that you can immediately apply when you go back to work, this talk is for you. This talk is all action, no fluff :)

This talk is a comprehensive review of interesting security flaws that we have discovered over the years in many Android and iOS mobile apps: An entirely practical walkthrough that covers anonymized juicy findings from reports that we could not make public, interesting vulnerabilities in open source apps with strong security requirements such as password vaults and privacy browsers, security issues in government-mandated apps with considerable media coverage such as Smart Sheriff, apps that report human right abuse where a security flaw could get somebody killed in the real world, and more.

The talk offers a thorough review of interesting security anti-patterns and how they could be abused. This is very valuable information for those intending to defend or find vulnerabilities in mobile apps.

This talk is for those who are intending to broaden their knowledge of mobile security with actionable information derived from real-world penetration testing of mobile apps.

Examples will include very interesting scenarios of copy-paste attacks, calling premium numbers from the phone, custom URLs, Deep Links, XSS, SQLi, RCE, MitM attacks, path traversals, and data leak examples from real-world mobile apps, Apart from that, many other issues, including interesting scenarios chaining several vulnerabilities, such as achieving RCE via SQLi, persistent XSS, data exfiltration, etc. are also addressed.

Vulnerability chaining in mobile apps is covered not only for the fun of it but also to demonstrate impact: Mobile app findings are typically downplayed given their relative lower impact compared to server vulnerabilities (i.e. pwn 1 user vs. everybody).

Obviously, almost no modern mobile app stands offline nowadays, so this presentation would be incomplete without covering some nice attacks against those mobile APIs everybody forgot to test.

Please come caffeinated, the audience will be challenged to spot vulnerabilities at any moment and there may be giveaways to the winners :)

Keywords
- Mobile app security
- Static analysis
- Dynamic analysis
- File storage
- Instrumentation
- Repackaging
- Patching
- Root / Jailbreak detection bypasses
- Signing
- Pinning
- Man-in-the-Middle (MitM)
- Crypto
- Mobile app vulnerability patterns
- XSS
- SSRF
- SQLi
- RCE
- Data exfiltration

Demonstrating an exploit in a container environment (three dockers) across three different networks, I will demonstrate different pivot, vulnerability exploit, and privilege escalation techniques on all machines using Alpine linux, Gogs app, and other Linux platforms using Pentest methodologies such as recon, enumeration, exploitation, post exploitation.

By the end of this presentation everyone will be able to see different ways that exist in working with a single form of pivot and how to overcome different obstacles in different networks within this "new" environment called Docker.

According to the report published by the Common Vulnerabilities and Exposures (CVE) organization, the number of reported vulnerabilities in software systems in 1999 was less than 1600. The number of the same organization report in 2019 is nearly 100,000, approximately 60 times higher. Consequently, facing many continually growing software vulnerabilities, security experts have neither adequate time nor sufficient resources to analyze, detect, and fix these issues promptly and accurately. Hence, this situation has provided an extraordinary opportunity for cybercriminals to exploit zero-day vulnerabilities and perform attacks successfully. Consequently, the presence of practical, scalable, and precise security tools for performing genuine, in-depth, and detailed security analysis on real-world software seems to be an indispensable requirement for today's cybersecurity situation.

A useful security analysis tool should identify zero-day vulnerabilities, exploits, and unseen attacks in real-world software quickly and precisely before being exploited by cyber attackers.
Moreover, such a tool should be easy-to-use and deploy, cost-effective, and result in a few false positives and false negatives. Considering the facts mentioned earlier, in this work, we aim to introduce a practical framework for delivering effective security testing and automatic exploit generation for real-world software without requiring the source code or debugging information. We particularly focus on the Java ecosystem due to its prevalence and extensive impact on enterprise software systems, web applications, and the Android ecosystem. Our proposal framework, which is called "TaintSpot", will be deployed without special firmware modifications or root privileges on various hardware (e.g., x86, ARM) and standard operating systems (e.g., Linux, Windows, and FreeBSD).