Speakers (preliminary) - DeepSec IDSC 2022 Europe

Deep Dive Into Malicious Office Documents For Offensive Security Professionals

Didier Stevens (NVISO)

Malicious Office documents have been on the radar for many years now. But do you know how to create and tailor them efficiently to achieve successful red team engagements? This training will first teach you how to analyse MS Office files (both “old” OLE and “new” XML formats) and PDF files, to better understand how to create them and evade detection. The focus is on MS Office documents that execute code via macros, with a very quick look at PDF too. Didier Stevens will teach you how to use his Python tools to analyse MS Office documents and PDF documents. Then we will move on to the creation of malicious documents, and Didier will teach you how to use his tools for Microsoft Office and PDF creation for offensive security. Several of these tools are private, but you get to keep them when you take this training. Most of the time we will use Excel, because its rows and columns offer a convenient substitute for a graphical user interface. But the techniques work with all applications that fully support VBA (Visual Basic for Applications), like Word, and also with non-Office applications like AutoCAD.


No prior knowledge of malicious Office documents is required to take this training.
We will use VBA programs and write our own programs that penetration testers need. VBA has an interface to the Windows API. We will learn to use this API to perform pentesting actions from within Office, like a port scan, and also how to use this API to inject and execute shellcode inside the Word/Excel process. Building on this shellcode technique, we will also learn how to package our own DLLs so that they can execute in Word/Excel’s process memory, without touching the disk. This is not a programming class. Knowledge of VBA is not required; some basic scripting skills, like knowledge of for loops and if statements, are useful. The basics of VBA will be explained in class, and we will learn to use Didier’s tools and how to modify them to suit the task at hand. No exploits are necessary to achieve this goal; everything can be done with VBA without requiring vulnerabilities. We will learn how to reuse VBA functions and modules from the provided tools to create goal-specific documents (Word, Excel, …).


Over the years, Didier has developed many tools and techniques to “abuse VBA”. A non-exhaustive list of Didier’s tools shared during this class:
• Taskmanager with shellcode injector, process hollowing, parent process selection, .NET injector, …
• Filemanager and container to drop and exfiltrate, modify and encode arbitrary files
• Network tool (ping, port scan, service detection, communication, …)
• Document to perform reconnaissance and exfiltration
• Enumerate installed programs & patches
• Enumerate executables modifiable by the user
• CMD & Regedit running inside Word/Excel process
• Tool to create Excel files on different operating systems, without depending on MS Office (Mono required)
• Python tool to create / modify Office OLE and OOXML files, without depending on MS Office
• Python tool to hack ZIP containers
• Tool to uncover AV signatures to better evade AV detection
• …

SYSTEM REQUIREMENTS

  • A Windows laptop or VM
  • Microsoft Office installed, 32-bit preferred (for example Office 2016 or 2019)
  • Administrative rights
  • Rights to disable AV

Didier Stevens (Microsoft MVP, SANS ISC Handler, Wireshark Certified Network Analyst, …) is a Senior Analyst working at NVISO (https://www.nviso.be). Didier is a pioneer in malicious PDF document research and malicious MS Office document analysis, and has developed several tools to help with the analysis of malicious documents like PDF and MS Office files. Didier regularly participates in pentests and red team engagements to create task-specific documents. You can find his open source security tools on his IT-security-related blog: http://blog.DidierStevens.com

Mobile Network Security (closed)

James Bart Stidham (Telecom Experts LLC)

Mobile Device Security and Cellular Networks: Hacking, Malware, and Exploits in 2022 - Mobile devices and cellular networks are critical military and intelligence assets in the Russo-Ukrainian War. This presenter led efforts at DHS and NIST to quantify and document just how exploitable both sides of this system are, and the implications for corporations, political leadership, militaries, and the “mere civilians” caught in the fray. This deep dive will examine what we know, from rumors to highly publicized events, of attacks that touch on all aspects of this technical landscape. It will review key exploits, and provide live demonstrations of several, including geolocation attacks, attacks against cell towers, and remote device bricking.

Bart Stidham has worked extensively in secure communications and mobile security R&D. For more than a decade, officials at the National Institute of Standards and Technology (NIST), the US State Department, USAID, and the Department of Homeland Security (DHS) have engaged Bart for his expertise in mobile security research and development.

Bart led efforts to develop new technologies resistant to tracking for use by dissidents in authoritarian countries for the US State Department and USAID, as well as architecting systems to detect such tracking. He later contributed to the first in-depth mobile security research projects at NIST and DHS and the resulting papers. He investigated the security of two critical US cellular systems and potential upgrades: the US Wireless Emergency Alert (WEA) protocol, including the FEMA IPAWS Open system that drives it, and the Wireless Priority Service (WPS).

All of these efforts relied on Bart’s deep understanding of cellular network technologies, surveillance and tracking systems, and how they work.

Bart’s experience spans government and commercial markets. Prior to launching his own company, he worked as an enterprise architect and systems designer for Accenture and ThoughtWorks, a security architect, and CTO at True North Communications. He has also worked as a contractor with the GSMA – the professional body that oversees all cell phone operations globally.

Mobile Security Testing Guide Hands-On (closed)

Sven Schleier (WithSecure)

The training will be offered remote only.

This course teaches you how to analyse Android and iOS apps for security vulnerabilities, by going through the different phases of testing, including dynamic testing, static analysis and reverse engineering. Sven will share his experience and many small tips and tricks to attack mobile apps that he has collected throughout his career and bug hunting adventures.

At the beginning of the first day we start by giving an overview of the Android platform and its security architecture. It is no longer mandatory for students to bring their own Android device; instead, a cloud-based virtualized Android device will be provided for each student, using Corellium.

These are some of the topics that will be covered during the course:

● Frida crash course to kick-start with dynamic instrumentation on Android apps
● Intercepting network traffic of apps written in mobile app frameworks such as Google’s Flutter
● Identifying and exploiting a real-world deep-link vulnerability
● Explore the differences and effectiveness of Reverse Engineering Android Apps through patching Smali, Xposed and Dynamic Instrumentation with Frida
● Analyze Local Storage of an Android App
● Using Brida to bypass End2End Encryption in an Android app
● Usage of dynamic Instrumentation with Frida to:
○ bypass Frida detection mechanisms
○ bypass multiple root detection mechanisms

On day 2 we focus on iOS and will begin with an overview of the iOS platform and security architecture (Hardware Security, Code Signing, Sandbox, Secure Boot, Secure Enclave etc.). After explaining what an IPA container is and the iOS file system structure, we start creating an iOS testing environment with Corellium and deep dive into various topics and techniques, including:
● Analyzing iOS applications that use non-HTTP traffic including ways of intercepting the traffic
● Frida crash course to kick-start with dynamic instrumentation for iOS apps
● Bypassing SSL Pinning with SSL Kill Switch and Objection
● Evaluate different implementations of Touch ID / Face ID and ways to bypass them
● Testing methodology with a non-jailbroken device by repackaging an IPA with the Frida Gadget
● Testing stateless authentication mechanisms such as JWT in an iOS Application
● Using Frida for Runtime Instrumentation of iOS Apps to bypass:
○ Anti-Jailbreaking mechanisms
○ Frida detection mechanism
○ and other client-side security controls

The course consists of many different labs developed by us; it is roughly 50% hands-on and 50% lecture.

At the end of each day a small CTF will be played to investigate an app with the newly learned skills and there will be prizes :-)

After successful completion of this course, students will have a better understanding of how to test for vulnerabilities in mobile apps, how to mitigate them and how to execute tests consistently. The course is based on the OWASP Mobile Security Testing Guide (MSTG) and is conducted by one of the authors himself. The OWASP MSTG is a comprehensive and open source guide about mobile security testing for both iOS and Android.

Sven is the Technical Director of WithSecure in Singapore, specialized in penetration testing and application security. Next to offensive security engagements he has supported and guided software development projects for Mobile and Web Applications during the whole SDLC to build security in from the start.

Besides his day job Sven is one of the core project leaders and authors of the OWASP Mobile Security Testing Guide and OWASP Mobile Application Security Verification Standard and has created the OWASP Mobile Hacking Playground. Sven is giving talks and workshops about Mobile Security worldwide to different audiences, ranging from developers to students and penetration testers.

Network Threat Hunting & Incident Response

Michael Meixner, Rainer Sykora CISSP (Computerforensic & more GmbH)

WHAT DOES "THREAT HUNTING" MEAN?
- Threat Hunting techniques on network level
- Threat Hunting on Microsoft Windows Active Directory
- Threat Hunting on Linux Systems / Memory Forensics
- Incident Response process


WHO SHOULD TAKE THIS TRAINING?
- IT-Security Administrators
- IT-Administrators with knowledge of protocols and basic Linux skills
- Security analysts looking to hone their threat hunting skills
- Junior analysts looking to advance their security career
- Environments needing to quickly identify compromised systems
- IT Security Management and Leadership
- Active Directory / Windows Engineers


AUDIENCE SKILL LEVEL
Students should have a working understanding of IP communications. They should also have a basic understanding of network threat hunting.


STUDENT REQUIREMENTS
- Bring your own Notebook with local admin rights
- Min. 8 GB RAM and 100GB free disk space
- VMware Player installed
- The ability to connect to the Ubuntu system via SSH


KEY TAKEAWAYS
- Acquiring and analyzing Linux memory
- Understand security risks and defensive mitigations
- Hardening Active Directory
- Identify tools and processes for network threat hunting
- How to set up a threat hunting environment
- Threat score system to prioritize artifacts
- Leveraging network findings to pivot into a forensic analysis

Mr. Michael Meixner, CISSP, is the managing director of the renowned computer forensics company Computerforensic & more GmbH, based in the south of Vienna. Mr. Meixner deals with IT security, threat hunting, incident response, cybercrime such as hacking or phishing attacks, data theft, digital preservation of evidence, computer forensic analysis and much more to protect against cyber attacks. As a generally sworn and court-certified expert, Mr. Meixner offers forensic data backup, data reconstruction, data analysis, the preservation of evidence that can be used in court and the preparation of expert opinions. As a speaker at numerous events on the subject of IT security and cybercrime, he passes on his knowledge in a practical way.

R.S. gained his first relevant experience in the development of proxy servers and other application-level security products in the 90s. This brought him into close contact with the first commercial web filter solutions at an early stage, which soon prompted him to reorient himself. As a security officer in the health care sector, he was concerned for many years with the interoperability of various systems, from OSI layer 0 to the very top. He gained theoretical knowledge, in the form of various data protection law training courses, while working as a sysadmin in charge of networks, firewalls, proxies, virtualisation, storage and so on. He is currently employed as a technical consultant and architect at TEMS GmbH.

Online Training 28./29.11: Black Belt Pentesting / Bug Hunting Millionaire

Dawid Czagan (Silesia Security Lab)

Mastering Web Attacks with Full-Stack Exploitation

This training will take place online on 28./29.11

HackerOne bug hunters have earned over $100 million in bug bounties so far. Some of HackerOne's customers include the United States Department of Defense, General Motors, Uber, Twitter, and Yahoo. It clearly shows where the challenges and opportunities are for you in the upcoming years. What you need is solid technical training by one of the top HackerOne bug hunters.

Modern web applications are complex and it's all about full-stack nowadays. That's why you need to dive into full-stack exploitation if you want to master web attacks and maximize your payouts. Say 'No' to classical web application hacking. Join this unique hands-on training and become a full‑stack exploitation master.

Watch 3 exclusive videos (~1 hour) to get a taste of this training:
- Exploiting Race Conditions: https://www.youtube.com/watch?v=lLd9Y1r2dhM
- Token Hijacking via PDF File: https://www.youtube.com/watch?v=AWplef1CyQs
- Bypassing Content Security Policy: https://www.youtube.com/watch?v=tTK4SZXB734

Key Learning Objectives

After completing this training, you will have learned about:

  • REST API hacking
  • AngularJS-based application hacking 
  • DOM-based exploitation 
  • Bypassing Content Security Policy 
  • Server-side request forgery 
  • Browser-dependent exploitation 
  • DB truncation attack 
  • NoSQL injection 
  • Type confusion vulnerability 
  • Exploiting race conditions 
  • Path-relative stylesheet import vulnerability 
  • Reflected file download vulnerability 
  • Subdomain takeover 
  • XML attacks 
  • Deserialization attacks 
  • HTTP parameter pollution 
  • Bypassing XSS protection 
  • Clickjacking attack 
  • window.opener tabnabbing attack 
  • RCE attacks
  • and more…

What Students Will Receive

Students will be handed a VMware image with a specially prepared testing environment to play with all bugs presented in this training (*). When the training is over, students can take the complete lab environment home to hack again at their own pace.

(*) The download link will be sent after signing a non-disclosure agreement and subscribing to Dawid Czagan's newsletter.


Special Bonus

The ticket price includes FREE access to Dawid Czagan's 6 online courses:

  • Start Hacking and Making Money Today at HackerOne
  • Keep Hacking and Making Money at HackerOne 
  • Case Studies of Award-Winning XSS Attacks: Part 1 
  • Case Studies of Award-Winning XSS Attacks: Part 2 
  • DOUBLE Your Web Hacking Rewards with Fuzzing 
  • How Web Hackers Make BIG MONEY: Remote Code Execution

What Students Say About This Training

This training has been very well received by students around the world. References are attached to Dawid Czagan's LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/). They can also be found here (https://silesiasecuritylab.com/services/training/#opinions), from training participants from companies such as Oracle, Adobe, ESET, ING, …

What Students Should Know

To get the most out of this training, intermediate knowledge of web application security is needed. Students should be familiar with common web application vulnerabilities and have experience using a proxy, such as Burp Suite Proxy or similar, to analyze or modify traffic.

What Students Should Bring

Students will need a laptop with a 64-bit operating system, at least 4 GB RAM (8 GB preferred), 35 GB free hard drive space, administrative access, the ability to turn off AV/firewall, and VMware Player/Fusion installed (64-bit version). Prior to the training, make sure there are no problems with running 64-bit VMs (BIOS settings changes may be needed). Please also make sure that you have Internet Explorer 11 installed on your machine, or bring an up-and-running VM with Internet Explorer 11 (you can get it here: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/).

Dawid Czagan (@dawidczagan) is an internationally recognized security researcher and trainer. He is listed among the top hackers at HackerOne. Dawid Czagan has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter and other companies. Due to the severity of many bugs, he received numerous awards for his findings.

Dawid Czagan shares his security bug hunting experience in his hands-on trainings “Hacking Web Applications – Case Studies of Award-Winning Bugs in Google, Yahoo, Mozilla and More” and “Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation”. He delivered security training courses at key industry conferences such as Hack In The Box (Amsterdam), CanSecWest (Vancouver), 44CON (London), Hack In Paris (Paris), DeepSec (Vienna), NorthSec (Montreal), HITB GSEC (Singapore), BruCON (Ghent) and for many corporate clients. His students include security specialists from Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips and the government sector (references are attached to Dawid Czagan's LinkedIn profile: https://www.linkedin.com/in/dawid-czagan-85ba3666/; they can also be found here: https://silesiasecuritylab.com/services/training/#opinions).

Dawid Czagan is a founder and CEO at Silesia Security Lab – a company which delivers specialized security testing and training services. He is also an author of online security courses. To find out about the latest in Dawid Czagan’s work, you are invited to subscribe to his newsletter (https://silesiasecuritylab.com/newsletter) and follow him on Twitter (@dawidczagan) and LinkedIn (https://www.linkedin.com/in/dawid-czagan-85ba3666/).

Online Training: Hacking JavaScript Desktop apps: Master the Future of Attack Vector

Anirudh Anand (7ASecurity)

This course is a 100% hands-on deep dive into the OWASP Security Testing Guide and relevant items of the OWASP Application Security Verification Standard (ASVS), so this course covers and goes beyond the OWASP Top Ten.

Long gone are the days when desktop apps were written in Delphi. What do Microsoft Teams, Skype, Bitwarden, Slack and Discord have in common? All of them are written in Electron: JavaScript on the client.

JavaScript Desktop apps share traditional attack vectors and also introduce new opportunities to threat actors. This course will teach you how to review JavaScript desktop apps, showcasing Node.js and Electron but using techniques that will also work against any other desktop app platform. Ideal for Penetration Testers, Desktop app Developers as well as everybody interested in JavaScript/Node.js/Electron app security.

Get a FREE taste for this training, including access to video recording, slides and vulnerable apps to play with:
1.5 hour workshop - https://7asecurity.com/free-workshop-desktop-apps

All action, no fluff: improve your security analysis workflow and immediately apply the skills gained in your workplace. The course is packed with exercises, extra-mile challenges and a CTF, is self-paced and suitable for all skill levels, and comes with continued education via unlimited email support, lifetime access, step-by-step video recordings and interesting apps to practice on, including all future updates for free.

Teaser Video: https://www.youtube.com/watch?v=Qckegc2gbfo

Anirudh Anand is a security researcher with a primary focus on Web and Mobile Application Security. He is currently working as a Senior Security Engineer at CRED and also Security Trainer at 7asecurity. He has been submitting bugs and contributing to security tools for over 7 years. In his free time, he participates in CTF competitions along with Team bi0s (#1 security team in India according to CTFtime). His bounties involve vulnerabilities in Google, Microsoft, LinkedIn, Zendesk, Sendgrid, Gitlab, Gratipay and Flipboard.

Anirudh is an open source enthusiast and has contributed to several OWASP projects with notable contributions being in OWTF and Hackademic Challenges Project. He has presented/trained in a multitude of conferences including c0c0n, BlackHat Arsenal, BlackHat Europe Arsenal, HITB Dubai, Offzone Moscow, Ground Zero Summit Delhi and Xorconf.

Practical Secure Code Review

Seth Law (Redpoint Security, Inc.)

Ready to take your bug hunting to a deeper level? Ever been tasked with reviewing source code for SQL Injection, XSS, Access Control and other security flaws? Does the idea of reviewing code leave you with heartburn? This course introduces a proven methodology and framework for performing a secure code review, as well as addressing common challenges in modern secure code review. Short circuit your development of a custom secure code review process by gleaning from Seth & Ken's past adventures in performing hundreds of code reviews and the lessons we’ve learned along the way. We will share a proven methodology to perform security analysis of any source code repository and suss out security flaws, no matter the size of the code base, or the framework, or the language.

Seth Law is an experienced Application Security Professional with over 15 years of experience in the computer security industry. During this time, Seth has worked within multiple disciplines in the security field, from software development to network protection, both as a manager and individual contributor. Seth has honed his application security skills using offensive and defensive techniques, including tool development. Seth is employed as a security consultant, co-hosts the Absolute AppSec podcast with Ken Johnson, and is a regular speaker at developer meetups and security events, including Blackhat, Defcon, CactusCon, and other regional conferences.

[Video Courses + Online Support] Web Hacking Expert: Full-Stack Exploitation Mastery

Dawid Czagan (Silesia Security Lab)

Modern web applications are complex and it’s all about full-stack nowadays. That’s why you need to dive into full-stack exploitation if you want to master web attacks. Say ‘No’ to classical web application hacking, join this unique online training, and take your professional pentesting career to the next level.


I have found security bugs in many companies including Google, Yahoo, Mozilla, Twitter and in this online training I will share my experience with you. You will dive deep into full-stack exploitation of modern web applications and you will learn how to hunt for security bugs effectively.

This online training is composed of:

• Almost 5 hours of high-quality video courses with lots of recorded demos (LIFETIME access; the courses are listed below)
• 2 hours of live online training support (you can ask any questions you have about the attacks presented in the video courses and finding security bugs in companies like Google, Yahoo, Mozilla, Twitter)

Almost 5 hours of high-quality video courses with lots of recorded demos

You will get lifetime access to these 5 video courses:
1. Bypassing Content Security Policy in Modern Web Applications
- Introduction
- Bypassing CSP via ajax.googleapis.com  (FREE VIDEO)
- Bypassing CSP via Flash File
- Bypassing CSP via Polyglot File
- Bypassing CSP via AngularJS


2. Hacking Web Applications via PDFs, Images, and Links
- Introduction
- Token Hijacking via PDF  (FREE VIDEO)
- XSS via Image
- User Redirection via window.opener Tabnabbing


3. Hacking AngularJS Applications
- Introduction
- AngularJS: Template Injection and $scope Hacking  (FREE VIDEO)
- AngularJS: Going Beyond the $scope
- AngularJS: Hacking a Static Template
- Summary


4. Exploiting Race Conditions in Web Applications
- Introduction
- Exploiting Race Conditions – Case 1  (FREE VIDEO)
- Exploiting Race Conditions – Case 2
- Case Studies of Award-Winning Race Condition Attacks


5. Full-Stack Attacks on Modern Web Applications
- Introduction
- HTTP Parameter Pollution  (FREE VIDEO)
- Subdomain Takeover
- Account Takeover via Clickjacking

Lifetime access to these 5 video courses will be granted before participating in the live online training session. More information can be found in the section "What students will receive".


2 hours of live online training support

  • Is anything not clear after watching the video courses? No worries, I am here to help you! You can ask any questions you have about the attacks presented in the videos.
  • Do you want to take your professional pentesting career to the next level and have some questions? No problem, ask me anything you want!
  • Are you looking for some advice on how to find security bugs in companies like Google, Yahoo, Mozilla, Twitter (bug bounty programs)? Ask your question and I will do my best to help you.

What students should know

  • Common web application vulnerabilities

What students will learn

  • Become a web hacking expert
  • Dive into full-stack exploitation of modern web applications
  • Learn how hackers can bypass Content Security Policy (CSP)
  • Discover how web applications can be hacked via PDFs, images, and links
  • Explore how hackers can steal secrets from AngularJS applications
  • Check if your web applications are vulnerable to race condition attacks
  • Learn about HTTP parameter pollution, subdomain takeover, and clickjacking
  • Discover step by step how all these attacks work in practice (DEMOS)
  • Take your professional pentesting career to the next level
  • Learn from one of the top hackers at HackerOne

What students will receive
Students will receive lifetime access to 6 hours of high-quality video courses with lots of recorded demos (hosted on the 3rd party platform Grinfer; subject to terms of use and privacy policy). The access link will be sent after subscribing to my newsletter and before participating in the live online training session (during the live online training session, there will be time to ask questions about the attacks presented in the video courses and bug hunting at HackerOne – training support for the video courses).

What students say about my trainings
References are attached to my LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/). They can also be found here (https://silesiasecuritylab.com/services/training/#opinions), from training participants from companies such as Oracle, Adobe, ESET, ING, …



Dawid Czagan (@dawidczagan) is an internationally recognized security researcher and trainer. He is listed among the top hackers at HackerOne. Dawid Czagan has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter and other companies. Due to the severity of many bugs, he received numerous awards for his findings.

Dawid Czagan shares his security bug hunting experience in his hands-on trainings “Hacking Web Applications – Case Studies of Award-Winning Bugs in Google, Yahoo, Mozilla and More” and “Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation”. He delivered security training courses at key industry conferences such as Hack In The Box (Amsterdam), CanSecWest (Vancouver), 44CON (London), Hack In Paris (Paris), DeepSec (Vienna), NorthSec (Montreal), HITB GSEC (Singapore), BruCON (Ghent) and for many corporate clients. His students include security specialists from Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips and the government sector (references are attached to Dawid Czagan's LinkedIn profile: https://www.linkedin.com/in/dawid-czagan-85ba3666/; they can also be found here: https://silesiasecuritylab.com/services/training/#opinions).

Dawid Czagan is a founder and CEO at Silesia Security Lab – a company which delivers specialized security testing and training services. He is also an author of online security courses. To find out about the latest in Dawid Czagan’s work, you are invited to subscribe to his newsletter (https://silesiasecuritylab.com/newsletter) and follow him on Twitter (@dawidczagan) and LinkedIn (https://www.linkedin.com/in/dawid-czagan-85ba3666/).

[Video Courses + Online Support] Web Hacking Secrets: How to Hack Legally and Earn Thousands of Dollars at HackerOne

Dawid Czagan (Silesia Security Lab)

HackerOne is your big opportunity. This is the platform where you can hack legally and at the same time you can make money. You can hack many different companies like Twitter, Yahoo, Uber, Coinbase, and a lot more. And you can get paid for your findings, for example $100, $1,000, or even $10,000 per one bug. It’s just amazing. All you need is Internet connection and knowledge. Yes – you need knowledge to go from zero to thousands of dollars at HackerOne, and in this online training I’m going to share my knowledge with you.

I’m one of the top hackers at HackerOne and I know quite a lot about hacking and making money that way. In this online training I’ll present many award-winning bugs. The more you play with award-winning-bugs the more knowledge you get and the more knowledge you have, the more money you can make. I’ll also discuss a successful bug hunting strategy that I have been using in the recent years. What’s more, I’ll present a lot of demos, because I want you to see how all these things work in practice.


This online training is composed of:

• 6 hours of high-quality video courses with lots of recorded demos (LIFETIME access; the courses are listed below)
• 2 hours of live online training support (you can ask any questions you have about the attacks presented in the video courses and bug hunting at HackerOne)

6 hours of high-quality video courses with lots of recorded demos

You will get lifetime access to these 6 video courses:


1. Start Hacking and Making Money Today at HackerOne
- HackerOne: Your Big Opportunity
- Getting Started with 5 Bugs
- Automatic Leakage of Password Reset Link  (FREE VIDEO)
- How to Get Access to the Account of the Logged Out User
- Insecure Processing of Credit Card Data
- Disclosure of Authentication Cookie
- User Enumeration


2. Keep Hacking and Making Money at HackerOne
- How to Impersonate a User via Insecure Log In  (FREE VIDEO)
- Sensitive Information in Metadata
- Disclosure of Credentials
- Insecure Password Change
- Dictionary Attack


3. Case Studies of Award-Winning XSS Attacks: Part 1
- XSS via Image
- XSS via HTTP Response Splitting
- XSS via Cookie  (FREE DEMO)
- XSS via AngularJS Template Injection


4. Case Studies of Award-Winning XSS Attacks: Part 2
- XSS via XML  (FREE VIDEO)
- XSS via location.href
- XSS via vbscript:
- From XSS to Remote Code Execution


5. DOUBLE Your Web Hacking Rewards with Fuzzing
- The Basics of Fuzzing
- Fuzzing with Burp Suite Intruder - Overview
- Fuzzing for SQL Injection - Demo  (FREE VIDEO)
- Fuzzing for Path Traversal – Demo
- Fuzzing with Burp Suite Intruder: Tips and Tricks


6. How Web Hackers Make BIG MONEY: Remote Code Execution
- From SQL Injection to Remote Code Execution   (FREE VIDEO)
- From Disclosure of Software Version to Remote Code Execution
- Remote Code Execution via File Upload
- Remote Code Execution via Deserialization


Lifetime access to these 6 video courses will be granted before participating in the live online training session. More information can be found in the section “What students will receive”.



2 hours of live online training support

  • Is anything not clear after watching the video courses? No worries, I am here to help you! You can ask any questions you have about the attacks presented in the videos.
  • Do you want to start hacking at HackerOne and have some questions? No problem, ask me anything you want about bug hunting at HackerOne.
  • Are you already a bug hunter at HackerOne and need some advice on how to get to the next level? Ask your question and I will do my best to help you.

 
What students should know

  • Basic hacking skills
  • Basic knowledge of web application security
  • Basic understanding of XSS attacks (cross-site scripting)

 
What students will learn

  • Master web application security testing
  • Become a successful bug hunter
  • Go from zero to thousands of dollars at HackerOne.
  • Double your web hacking rewards with fuzzing
  • Learn how hackers earn thousands of dollars per one bug
  • Discover how to find these bugs step-by-step in practice (recorded DEMOS)
  • Learn from one of the top hackers at HackerOne




What students will receive
Students will receive lifetime access to 6 hours of high-quality video courses with lots of recorded demos (hosted on the 3rd party platform Grinfer; subject to terms of use and privacy policy). The access link will be sent after subscribing to my newsletter and before participating in the live online training session (during the live online training session, there will be time to ask questions about the attacks presented in the video courses and bug hunting at HackerOne – training support for the video courses).
 
What students say about my trainings
References are attached to my LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/). They can also be found here (https://silesiasecuritylab.com/services/training/#opinions) - training participants from companies such as Oracle, Adobe, ESET, ING, …



Dawid Czagan (@dawidczagan) is an internationally recognized security researcher and trainer. He is listed among top hackers at HackerOne. Dawid Czagan has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter and other companies. Due to the severity of many bugs, he received numerous awards for his findings.

Dawid Czagan shares his security bug hunting experience in his hands-on trainings “Hacking Web Applications – Case Studies of Award-Winning Bugs in Google, Yahoo, Mozilla and More” and “Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation”. He delivered security training courses at key industry conferences such as Hack In The Box (Amsterdam), CanSecWest (Vancouver), 44CON (London), Hack In Paris (Paris), DeepSec (Vienna), NorthSec (Montreal), HITB GSEC (Singapore), BruCON (Ghent) and for many corporate clients. His students include security specialists from Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips and government sector (recommendations: https://silesiasecuritylab.com/services/training/#opinions).

Dawid Czagan is a founder and CEO at Silesia Security Lab – a company which delivers specialized security testing and training services. He is also an author of online security courses. To find out about the latest in Dawid Czagan’s work, you are invited to subscribe to his newsletter (https://silesiasecuritylab.com/newsletter) and follow him on Twitter (@dawidczagan) and LinkedIn (https://www.linkedin.com/in/dawid-czagan-85ba3666/).





DeepSec Opening

DeepSec

The start of the beginning: Our short opening ceremony.

The DeepSec Team

Complexity killed the Cat

René Pfeiffer (DeepSec Conference Organisation)

Information technology can deal with complex scenarios and complex data structure. The information age has created powerful tools that made even more useful technologies and research possible. Computers can deal with a lot of data, enabling researchers to create more complex algorithms. Big data has become mainstream. Artificial intelligence is only a few years away, given the pace of progress. The GPT-3 language model is a stepping stone into a bright future. With the help of these tools, the problems of information security are no problems at all. There's a catch: The bright new future needs resources and is built on the foundation of complexity. Follow this presentation for a tour through the real challenges of information technology and the information society.

René „Lynx“ Pfeiffer was born in the year of Atari's founding and the release of the game Pong. From his early youth he took things apart to see how they work. He couldn't even pass construction sites without looking for electrical wires that might seem interesting. His interest in computing began when his grandfather bought him a 4-bit microcontroller with 256 bytes of RAM and a 4096-byte operating system, forcing him to learn Texas Instruments TMS 1600 assembler before any other programming language.

After finishing school he went to university to study physics. He then collected experience with a C64, a C128, two Commodore Amigas, DEC's Ultrix, OpenVMS and finally GNU/Linux on a PC in 1997. He has been using Linux since that day and still likes to take things apart and put them together again. The freedom to tinker brought him close to the Free Software movement, where he puts some effort into the right to understand how things work – which he still does.

René is a senior systems administrator, a lecturer at the University of Applied Sciences Technikum Wien, and a senior security consultant. He uses all of these skills to develop security architectures, maintain and improve IT infrastructure, test applications, and analyse the security-related attributes of applications, networks (wired/wireless, components), cryptographic algorithms, protocols, servers, cloud platforms, and other indicators of modern life.

Wireless Keystroke Injection As An Attack Vector During Physical Assessments

Simonovi Sergei (Scientific Cyber Security Association / Caucasus University)

A lot of wireless input devices are vulnerable to keystroke injection due to the lack of security mechanisms, which makes it a perfect attack vector. During the attack, an attacker can send any text string to the victim machine acting as a remote keyboard, which can lead to quick and stealthy compromise of the system. No antivirus software shall spot the attack, as the keyboard, even remote, is not malicious by itself and is always trusted.

Sergei has been passionate about computers since childhood. He started his IT career as a service technician, slowly moving towards network and system administration, then to DevOps and finally ending up in cyber security. He became AWS Certified in 2019 and obtained the OSCP certification in April 2022.

We Are Sorry That Your Mouse Is Admin - Windows Privilege Escalation Through The Razer Co-installer

Oliver Schwarz (SySS GmbH)

Device-specific co-installers have repeatedly allowed for Windows privilege escalation.
Through Windows' plug'n'play concept, attackers don't need to rely on any preinstalled software on the victim client. All they need is a peripheral device associated with the vulnerable driver – or, simpler still, a hacking device that impersonates such a device.

In this talk, I'll report on my responsible-disclosure journey for a DLL hijacking in the Razer Synapse service for gaming devices. The journey starts with me trying to fake a vulnerability and suddenly realizing that the vulnerability is actually real. It continues with a support team that apologized to me for my escalated privileges. You will also learn about a number of fixing attempts and insights about Windows’ access control that helped to circumvent these attempts. The final twist: we recently discovered that the fix we ended up approving can be fooled quite easily. In other words: this story is the sequel to what we have published before.

The main purpose of the presentation is to entertain you by sharing the anecdotes from this interesting journey and demoing the attack. But besides that, admins, developers and researchers will also learn about the security risks that arise from co-installers and placing binaries into directories where they don’t belong. Finally, I want to motivate researchers to have a closer look into other co-installers. Interesting Windows privilege escalation vulnerabilities seem to wait out there.

Oliver works as a pentester for the German IT security company SySS GmbH.
Besides finding vulnerabilities in applications and networks, he also enjoys presenting hacks to lay audiences, for fun and awareness. This was also how he discovered the vulnerability presented in his talk.

Before his practical hacking career, Oliver worked as an academic security researcher and did his PhD at KTH Royal Institute of Technology on the formal verification of separation kernels.

Secure and Flexible Precision Farming - with Drones

Dr. Markus Tauber (Research Studios Austria Forschungsgesellschaft mbH)

Increasing challenges in food provision along with the need for environmental protection require a rethinking of the agricultural sector. Digitalization and automation approaches, such as precision farming, provide a promising way to optimize resource usage and efficiency. The provision of passive digital services for monitoring and managing small-scale farms has the potential to reshape the sector, as it supports existing infrastructures and ecosystems near the consumer rather than introducing large-scale automated agricultural systems, which are more vulnerable to supply chain disruptions. But like every IoT-based service, it requires security concepts to prevent unsatisfactory situations and to increase trust in its usage.


I am currently working as chief scientific officer at the Research Studios Austria (RSA FG), where we focus on Artificial Intelligence, Data Science, Competence Based Training, XR, Smart Agent Technologies, Training and Learning Platforms and more.

Until recently I was an FH-Professor at the University of Applied Sciences Burgenland, where I was responsible for coordinating the Master's Program "Cloud Computing Engineering". In a second role I led the related research area Cloud & CPS Security at the University and at its subsidiary Forschung Burgenland.

The Need For a Human Touch In Cyber Security

Erlend Andreas Gjære (Secure Practice)

In a technical world of cyber, crypto and cloud, it is easy to forget that in the end, we are all humans. While social engineering has always been a craft of its own on the attacker side, our efforts as human defenders are scattered between various technical measures and not always very effective awareness training - sometimes even counterproductive ones.

However, regardless of cyber specialization, some people skills are needed to maximize impact. This goes all the way from building alliances, communication and "selling" your ideas, to building more resilient processes, organizations and software through empathy for both our technical and non-technical colleagues. Heck, we can even apply certain people skills to understand our adversaries better, profile their motivations, and predict their next actions.

Therefore, this talk will explore a variety of techniques freely available to anyone looking to get more out of their efforts to stop cybercriminals.

Erlend Andreas Gjære is a specialist in security and people, with a focus on security awareness, training and culture, risk, behavior and user experience. He received his MSc degree in Informatics from the Norwegian University of Science and Technology (NTNU) in Norway, and then worked six years as a research scientist, before transitioning to industry work as a consultant and security manager. He is now co-founder & CEO of Secure Practice, working to unlock a more human approach to reducing cyber risk.

GitHub Actions Security Landscape

Ronen Slavin (Cycode)

GitHub Actions, the recent (from 2018) CI/CD addition to the popular source control system, is becoming an increasingly popular DevOps tool mainly due to its rich marketplace and simple integration.

As part of our research into the GitHub Actions security landscape, we discovered several pitfalls in writing a perfectly secure GitHub Actions workflow that could cause severe security consequences. For example, many developers use event input data to improve their workflow process. However, this data could be controlled by an attacker and potentially compromise the build process. Unless the developers are proficient in the depths of GitHub's best-practice documents, these workflows will contain mistakes. Such mistakes are costly – and could pose a supply-chain risk to the product.

During the talk, we’ll walk you through our journey: how we found and disclosed vulnerable workflows in several popular open-source tools, how we delved into the GitHub Actions architecture to understand the possible consequences of these vulnerabilities, and what the mitigations for such issues could be.

Ronen Slavin is Chief Technology Officer and co-founder of Cycode with expert knowledge in cybersecurity. Previously, he was the CTO and co-founder of Filelock, which uniquely developed a solution to protect data even after a breach has occurred. Filelock was acquired by Reason Software in 2018, where Ronen moved to lead the development of their Windows endpoint protection solution and security research. Prior to that Ronen worked on offensive cybersecurity research for a technology firm building commercial tools for government agencies. Ronen served in roles as an R&D team leader, developer and architect in the Israeli Intelligence Corps and holds an M.Sc. in Computer Science with a focus on Cyber Security from Bar Ilan University.

Developing and testing ICS related challenges for the Haaukins CTF platform

Robert Nedergaard Nielsen, Kristian Helmer Kjær Larsen (Aalborg University)

Haaukins is a highly accessible platform for security education, which allows users to try out ethical hacking and penetration testing through a browser. It makes it possible to conduct trainings for even large groups without the need for installing virtual environments or other tools – the participants can work on their own laptops just through their web browser of choice and have access within a couple of minutes.
Haaukins is designed with training in mind rather than for competition. For this reason, several features are implemented, such as Dynamic Flags, so the teams cannot exchange flags between each other, and a randomization of IP addresses throughout the challenges, so teams really must work their own way through.
Haaukins allows the teacher/instructor to set up an event using a web interface, by specifying a set of challenges and the number of labs needed. The process of setting up the labs is then fully automated. When the event is ready the students can enroll themselves in the event, automatically getting a lab assigned on enrollment.
Contributing new challenges to the challenge pool is easily done, as these can consist of any set of Docker images or VirtualBox machines.
Following recent trends within cybersecurity, the development of new challenges for Haaukins has recently focused on challenges within ICS/OT.
Testing the newly developed challenges, which work with commonly used protocols within ICS/OT and a simple supply chain attack on people within the industry, has received very good feedback.

T.B.A.

Protecting Your Web Application/API With CrowdSec

Klaus Agnoletti (CrowdSec)

Protecting your web applications and APIs is more important than ever. Especially these days, when one can deploy an application in the cloud, where everything but the application itself is a standardized component constantly updated for you by continuous patch processes, it is more evident than ever that the biggest risk is present in the code you produce yourself and expose to the internet.

But what are the risks? And how do we mitigate them? And is it true that APIs don't need to be secured as much as your website?
All competent security professionals know that there's no such thing as a silver bullet, so obviously creating an AppSec program is unavoidable to achieve a sufficient security posture.

But how do we handle the remaining risks?
CrowdSec is a FOSS security tool that can be used for those (as well as many other risks). I'll show you how to achieve this without it costing an arm and a leg.

Klaus Agnoletti has been an infosec professional since 2004. As a long-time active member of the infosec community in Copenhagen, Denmark, he co-founded BSides København in 2019. Currently, as Head of Community at CrowdSec, one of his roles is to spread the word and inspire an engaging community.

Auditing Closed Source Trusted Applications for Qualcomm Secure Execution Environment (QSEE)

Hector Marco & Fernando Vano (Cyber Intelligence S.L.)

Smartphones have become essential devices for carrying out many daily activities, including security-sensitive tasks such as authentication and payments. The security of sensitive data in modern mobile devices relies on hardware-enabled Trusted Execution Environments, amongst which ARM TrustZone is one of the most widely used. Qualcomm Secure Execution Environment (QSEE) is one of the most widespread commercial TEE solutions in the smartphone space, used by devices from many vendors such as Xiaomi and Motorola and by several devices of the Google Nexus and Pixel series.

In order to audit the QSEE environment, security researchers have to face different challenges. On the one hand, the software components of QSEE (i.e., the trusted operating system and trusted applications) are not open source and can be quite complex, which requires a considerable amount of reverse engineering effort to analyse and assess their security. On the other hand, to the best of our knowledge there are no publicly available emulators for QSEE Trusted Applications that assist in debugging and auditing their code.

In this talk, we share the knowledge we obtained from a careful reverse engineering examination of different QSEE Trusted Applications and operating systems (QSEE-OS), showing the different versions of QSEE-OS and the differences in how trusted applications are loaded in each of the QSEE-OS versions. Besides, we will present the different tools we have developed throughout our research to assist in the security evaluation of QSEE, including a debugger for QSEE Trusted Applications fully integrated with GDB and Ghidra and a coverage-based fuzzer for QSEE Trusted Applications. Such tools are essential for us to better understand the internals and behaviour of the trusted applications, to find attack surfaces and to identify vulnerable code for further analysis and fuzzing.

Hector Marco is a cybersecurity expert with more than 15 years of experience. He holds a PhD in cybersecurity, during which he found multiple vulnerabilities that have been awarded by Google and Packet Storm Security. He is the founder of Cyber Intelligence S.L., an experienced Spanish company specialized in software and hardware security. The company has developed its own tools and methods, which allow it to perform unique penetration tests and vulnerability assessments. Cyber Intelligence has led several national and international security contracts and has successfully evaluated multiple products, discovering multiple 1-day and 0-day vulnerabilities.

Fernando Vano is a Lead Security Researcher at Cyber Intelligence S.L., where he specializes in smartphone security, reverse engineering and fuzzing. He holds a PhD in cybersecurity and his main research interests include mobile devices, memory management in cloud computing, critical infrastructures and virtualization technologies. During the last few years, he has participated in many cybersecurity research projects. Fernando is the author of many articles on computer security and cloud computing. He has contributed on several occasions as a reviewer for international scientific conferences and reputable scientific journals.

Iran: A Top Tier Threat Actor

Steph Shample (Middle East Institute)

This presentation, conducted hundreds of times throughout the United States on Wall Street, at various American universities, and throughout the US Defense sector, will go into detail on the evolution of the Iranian cyber program, its current state and most common malware, as well as what geopolitical events and relationships influence Iranian cyber actors. It will also detail why Iran needs to be taken seriously as a digital threat, as they indeed operate at the same level as malicious Russian and Chinese threat actors.

Steph Shample is a Non-Resident Scholar with the Middle East Institute's Cyber Program and Senior Analyst at Team Cymru.

For the past 16 years, her career has focused on analyzing Iran in various capacities, including its tense relationships with Middle Eastern countries as well as their bordering states, and countering Iranian roles in terrorism, proliferation, and narcotics.

During her military career, Steph gained operational experience across the Middle East, Levant, and Central and South Asia. She also completed two deployments to Afghanistan, one military and one as a civilian.

Communicative Incident Response

Hauke Gierow, Paul Gärtner (PIABO)

Crisis communication is probably the hardest part of communication to get right – and the most important. Combine this with a successful attack on a company's network that completely shatters operations and you have all the ingredients for disaster.

But especially in situations like this it is imperative to stay calm and remain in contact with the outside world. In this talk we will relay best practices for crisis communication and how they specifically apply to IR situations.

We will show the best and the worst attempts to manage a crisis – and demonstrate that situations like this can be used to reposition a company and build trust, rather than losing it.

Hauke has been in cybersecurity communications for ten years – and currently leads the cybersecurity practice of PIABO, Europe's leading agency for tech PR and communications. He served as head of communications at G DATA CyberDefense, was an editor at Golem.de and built the cybersecurity program of Reporters Without Borders.

Paul is a communications professional creating narratives and visibility for international deep-tech companies. As practice director he runs PIABO's communication activities for companies in the blockchain space. He likes to keep an eye out for anything new and innovative.

Working In Warzones In Theory And In Practice

Enno Lenze (Berlin Story)

The difference between theory and practice is much smaller in theory than in practice. This also applies to physical and digital security in war zones. While those at home imagine journalists driving certified armored vehicles and using special encrypted devices, in practice it is often a Toyota Corolla and WhatsApp. Why is that the case? I will try to explain the different aspects and reasoning behind the decisions on digital and physical security based on real-world experiences and examples.

Enno Lenze, born in Bochum in 1982, started his own business as an IT consultant at the age of 18. He later administered LAMP systems and then started reporting from the world’s crisis areas and war zones as a journalist: Kurds against IS, protests in Hong Kong, Israel against Hamas, Afghanistan under the Taliban and, since March, from Ukraine. This experience is also used for consulting companies and individuals going into these areas for the first time.

End-to-end Health Data Privacy Using Secure 5G Data Channels

Dr. Razvan Bocu (Transilvania University of Brasov, Romania, Department of Mathematics and Computer Science)

The integrated collection of personal health data represents a relevant research topic, which is enhanced further by the development of next-generation mobile networks that can be used to transport the acquired medical data. The gathering of personal health data has recently become feasible using wearable personal devices. Nevertheless, these devices do not possess sufficient computational power, and do not offer proper local data storage capabilities. This paper presents an integrated personal health metrics data management system, which considers a virtualized symmetric 5G data transportation system. The personal health data is acquired using a client application component, which is normally deployed on the user’s mobile device, regardless of whether it is a smartphone, smartwatch, or another kind of personal mobile device. The collected data is securely transported to the cloud data processing components, using a virtualized 5G infrastructure and homomorphically encrypted data packages. The system has been comprehensively assessed through the consideration of a real-world use case, which is presented.

Razvan Bocu Transilvania University of Brasov. Department of Mathematics and Computer Science, Brasov 500091, Romania (razvan.bocu@unitbv.ro). Dr. Bocu is a Research and Teaching Staff Member in the Department of Mathematics and Computer Science at the Transilvania University of Brasov, Romania. He received a B.S. degree in Computer Science from Transilvania University of Brasov in 2005, a B.S. degree in Sociology from Transilvania University of Brasov in 2007, an M.S. degree in Computer Science from the Transilvania University of Brasov in 2006, and a Ph.D. degree from the National University of Ireland, Cork, in 2010. He is the author or coauthor of 42 technical papers, together with eight books and book chapters. Dr. Bocu is an editorial reviewing board member for the following technical journals in the field of Information Technology and Biotechnology: Journal of Network and Computer Applications, IEEE Transactions on Dependable and Secure Computing, IEEE Access, International Journal of Computers Communications & Control, Sensors, Symmetry, Algorithms, Big Data and Cognitive Computing, and several other ones.

Workshop: Trying out ICS challenges in a CTF (1/2)

Robert Nedergaard Nielsen, Kristian Helmer Kjær Larsen (Aalborg University)

In this session we’ll play with the Haaukins CTF platform presented in the talk “Developing and testing ICS related challenges for the Haaukins CTF platform”. The participants will be presented with a friendly CTF where they can try out some of the existing ICS challenges and give feedback on these and ideas for new challenges.

T.B.A.

OPSEC - The Discipline Of The Grey Man

Robert Sell (Trace Labs)

During operations, it is not unusual for us to get excited about the target and to prematurely begin before we have adequately prepared. As a result, this can not only spoil an operation but can cause dire life-threatening consequences. This talk goes over why OpSec is so important, failures people often make and how we can greatly improve our operational security during intelligence gathering and operations. While I will cover sock puppets and other techniques in detail, I will also cover physical considerations, habits and other areas where risks can be generated unless the operator is careful and diligent.

Robert is the founder and president of Trace Labs, a non-profit organization that crowdsources open source intelligence (OSINT) to help locate missing persons. He has spoken at conferences and on podcasts around the world on subjects such as social engineering, open source intelligence, physical security, insider threats, operational security and other topics. Robert primarily works in the aerospace industry, where he assists newly acquired organizations in securing their environments. This includes all aspects of security in regions around the world. In 2017 and 2018 he competed in the Social Engineering Village Capture the Flag contest. He placed third in this contest (both years). In 2018, he actually ran his own Trace Labs OSINT CTF while participating (and placing 3rd) in the SECTF at Defcon Vegas. Robert is also a ten-year volunteer with Search and Rescue in British Columbia, Canada. In his search & rescue capacity, Robert specializes in tracking lost persons and teaching first responders how to leverage OSINT.

Identification of the Location in the 5G Network

Giorgi Akhalaia (Caucasus University, Scientific Cyber Security Association)

Mobile devices can provide the majority of everyday services: emergency, healthcare, security services and the like. The development of mobile devices itself triggered the 5G network deployment. The new telecom standard will create a new ecosystem with a variety of industries and will exceed the limits of telecom communication. With new standards, functionality, services and products, new cyber threats always arise. The operating spectrum in the 5G Network is divided into 3 categories: Low, Middle and High Bands. Actually, the third category, the high band, also known as mmWave, provides the majority of the benefits of the new standard. This band covers the operating spectrum from 6 GHz to 100 GHz. Because of the limitations of this frequency range, devices connected to the high band have to be near the cell tower. Otherwise, buildings will interrupt the connection. So, when a user is connected to a mmWave tower, only one tower is enough to determine the location of the device, instead of the 3 towers usually used in previous standards. By default, mobile devices always scan cell towers to choose the one with the strongest signal. Our study is about interrupting the scanning operation and making devices connect only to high-band towers without measuring signal strength. As towers are always sending their identities, like IDs and locations, we can map all of them after we steal the active tower information from a user and determine its location.

Giorgi Akhalaia is a Ph.D. candidate in computer science. Giorgi defended his Master’s degree at Caucasus University, Caucasus School of Technology (Program: IT Management). Giorgi is an Assistant Professor at Caucasus University and at International Black Sea University (department of Cyber Security). He is a cyber security trainer at the Scientific Cyber Security Association and Orient Logic Academy. Giorgi is a cyber security specialist and actively involved in the Cyber Security Center, CST (Caucasus University), which is the official representative of BITSENTINEL in the region. From 2014, he was involved in scientific studies at the Institute of Earth Sciences and by 2016, Mr. Akhalaia was promoted to Acting Head of the Scientific Geodesy Network of Georgia. He is responsible for managing and maintaining online and data servers, data collection and processing, as well as for upgrading and developing the services and staff of the department.
In 2019, Giorgi was involved in various international and local projects. Right now, he is a security-oriented IT System Admin in the project Seismic Network Expansion in the Caucasus and Central Asia (a project between 7 countries), funded by the US Department of Energy. In 2020 he won a PhD grant from the Shota Rustaveli National Science Foundation of Georgia. The project title is “5G Network security”. In the framework of this grant, a micro 5G lab will be created for testing and deploying new security functions.
https://orcid.org/0000-0002-4194-2681

Workshop: Trying out ICS challenges in a CTF (2/2)

Robert Nedergaard Nielsen, Kristian Helmer Kjær Larsen (Aalborg University)

In this session we’ll play with the Haaukins CTF platform presented in the talk “Developing and testing ICS related challenges for the Haaukins CTF platform”. The participants will be presented with a friendly CTF where they can try out some of the existing ICS challenges and give feedback on these and ideas for new challenges.

T.B.A.

Ukrainian-Russian Warfare In Cyberspace: Technological And Psychological Aspects

Sergiy Gnatyuk (National Aviation University)

On the 24th of February, 2022, the life of Ukrainians changed fundamentally. Russian troops attacked peaceful Ukrainian cities and civilian infrastructure, using all possible means and bridgeheads – land, sea, air and cyberspace. Predictably, given the technological conditions, cyberspace has become one of the main arenas of combat in this war. Powerful cyber-attacks (more than 1,100 attacks so far) on the state's critical information infrastructure were accompanied by destructive information and psychological effects and special psychological operations (PSYOP). However, as in other domains, Ukraine persevered in cyberspace, fought back and counterattacked the enemy.

At DeepSec, up-to-date information on the specifics of cyber-attacks on technological infrastructures (DoS attacks, malicious software, unauthorized data collection, etc.) will be presented and analyzed, as well as attacks on the population (mis- and disinformation, deep fakes, etc.). Current initiatives and projects developed by the state (SSSCIP, CERT-UA, Cyber Police) together with IT and cyber volunteers to consolidate efforts and counter Russian aggression in cyberspace will be considered. Current cyber projects of the NAU Cybersecurity R&D Lab and the Scientific Cyber Security Association of Ukraine will also be presented and discussed.

Sergiy Gnatyuk holds a PhD and a DSc (the second academic research degree in Ukraine) in Cyber Security, and he is a Professor in Computer Science. Sergiy is a Professor and the Vice-Dean of the Faculty of Cybersecurity, Computer and Software Engineering at National Aviation University, as well as Scientific Advisor of the NAU Cybersecurity R&D Lab (https://cyberlab.fccpi.nau.edu.ua). Dr. Gnatyuk is Co-Founder and President of the Scientific Cyber Security Association of Ukraine (SCSA-UA) (https://scsa.org.ua). Also, Sergiy is a Cyber Security expert and consultant for state and private Ukrainian and international organizations. He is a speaker and organizer of many international cyber security events, as well as an author of many books, patents and papers. His main research interests are cyber security, cryptography, QKD, 5G security, incident response, CIIP and others.

A Survey Of Secure In-vehicle Communication

Miltos D. Grammatikakis (Hellenic Mediterranean University)

We aim to review existing research on protocols, patterns, and generic paradigms that support secure in-vehicle communications. In addition, we present methods, tools, and related open source development platforms for preliminary experimentation. We also examine how to leverage lightweight cryptography in security solutions, including integrating Crypto ICs (e.g., Zymbit Zymkey, Microchip ATECC series). Finally, we examine interactions between security and traditional quality-of-service characteristics (message efficiency and reliability), and propose interesting open problems related to the design of secure and reliable gateways for automotive solutions and beyond.

Miltos D. Grammatikakis is a Professor in the Department of Electrical and Computer Engineering at the Hellenic Mediterranean University in Greece. His expertise is on distributed, parallel, and embedded systems design/development. More recently, he enjoys working at the intersection of embedded security, real-time, and reliability issues.

Post-quantum Verkle Signature Scheme

Maksim Iavich (Caucasus University, Scientific Cyber Security Association)

Mass production of quantum computers is expected in the near future. Quantum computers can easily break cryptographic schemes that are used in practice. Thus, classical encryption systems become vulnerable to attacks using quantum computers. There are research efforts to find encryption schemes that are resistant to attacks using quantum computers. Digital signatures are an important technology in securing the Internet and other IT infrastructures. A digital signature provides the authenticity, integrity, and identification of data. Digital signatures are used in identification and authentication protocols. So, secure digital signature algorithms are crucial in terms of IT security.
Today, in practice, digital signature algorithms such as RSA, DSA and ECDSA are used. However, they are not quantum stable, as their security relies on large composite integers, the hardness of factorization and the computation of discrete logarithms.

Maksim Iavich has a Ph.D. in mathematics and is a professor of computer science. In 2018, he was acknowledged as the best young scientist of Georgia in computer science. Maksim is an affiliate professor and the Head of the cyber security direction at Caucasus University. He is also Head of the information technologies bachelor program and of the IT management master program. Since 2020, Maksim Iavich has been an expert-evaluator at the National Center for Education Quality Development of Georgia. Prof. Iavich is Director of the Cyber Security Center, CST (CU), which is the official representative of BITSENTINEL in the region. He leads the bachelor and master IT programs at this university. He is CEO & President of the Scientific Cyber Security Association (SCSA). Maksim is a cybersecurity consultant for Georgian and international organizations. He is a speaker at international cyber security conferences and is the organizer of many scientific cyber security events. He was the keynote speaker at Defcamp in 2018-2021. He has many scientific awards in the cyber security field. Maksim is the author of many scientific papers. The topics of the papers are cyber security, cryptography, post-quantum cryptography, quantum cryptography, mathematical models, and simulations.
FELLOWSHIPS AND AWARDS:
- 2020 Scholar, DeepSec, Austria
- 2019 Best paper award, IVUS-2019, Vytautas Magnus University, Lithuania
- 2018–2019 The best young scientist of Georgia in computer science, Shota Rustaveli National Science Foundation of Georgia, Georgia
- 2018 Best paper award, IVUS-2018, Vilnius University Kaunas Faculty, Lithuania
- 2015 Scholarship of the young scientist, Shota Rustaveli National Science Foundation of Georgia, Georgia

Towards The Automation Of Highly Targeted Phishing Attacks With Adversarial Artificial Intelligence

Francesco Morano and Enrico Frumento (Cefriel - Polytechnic of Milan)

The work we will present aims to develop a Proof of Concept (PoC) of an attack scenario that uses Artificial Intelligence (i.e., AI) to create a semi-automatic phishing attack. The AI-based PoC used different network types to automatically compose highly targeted phishing emails with information derived from the initial OSINT analysis of the potential victims. The study approaches the problem from a cybercriminal point of view to understand the feasibility of such an attack tactic and prepare for possible defences.

Phishing is a popular way to perform social engineering attacks. According to the Verizon 2022 Data Breach Investigations Report, 82% of data breaches involve human elements and fall into several categories, of which phishing is the most common. Using AI tools, this study implements a complete attack chain:

(i) initial collection of victims' data through OSINT,
(ii) generation of phishing email body using a GPT-2 and
(iii) creation of the graphic mimicking the real organisation brand identity (i.e., logo and stylistic features) through other models.

The paper presents the steps needed to prepare an effective phishing strategy and discusses whether and how AI can automate it. This study helps penetration testers and red teams build targeted phishing simulations more rapidly. The result is discussed in terms of the simulated attack's efficiency.

The aim is to provide red and purple teams with a methodological approach to social engineering attacks by continuing the work started by one of the authors in a previous study. The study objective is to explore the AI's potential in a full OpSec attack stack: wearing the attackers' hat and performing a full attack. A semi-automatic attack vector created the phishing email.

Dr. Enrico Frumento is a Senior Domain Specialist in the cybersecurity team at Cefriel, ICT Center of Excellence for Research, Innovation, Education and industrial Labs partnerships. He is the author of subject-related publications and books and a member of the European CyberSecurity Organisation and the European Digital SME Alliance. His 20+ years of research activity focus on unconventional security, cybercrime intelligence technologies, tactics and techniques, countering modern social engineering, and the dynamic assessment of organisations' vulnerabilities corresponding to tangible and intangible assets at risk.

Dr. Francesco Morano is a scientific researcher and technical consultant in the Cybersecurity team at Cefriel. He is a member of the Order of Engineers and began his career in scientific research by taking part in several European projects. During his undergraduate and early professional years, he devoted himself to researching the most innovative technologies applied to various fields, including image processing and cybersecurity.

Attacking Developer Environment Through Drive-by Localhost Attacks

Joseph Beeton (Contrast Security)

There is a widespread belief that services that are only bound to localhost are not accessible from the outside world. Developers, for convenience's sake, will run the services they are developing configured in a less secure way than they would (hopefully!) in higher environments.

By compromising websites developers use, by injecting JS into adverts served on those sites, or simply by a phishing attack that gets the developer to open a web browser on a compromised page, it is possible to reach out via non-preflighted HTTP requests to those services bound to localhost, by exploiting common misconfigurations in Spring, or known vulnerabilities found by myself and others. As I'll demonstrate during the talk, it is possible to achieve RCE on the developer's machine or on other services on their private network.

As developers have write access to codebases, AWS keys, server creds, etc., access to the developer's machine gives an attacker a great deal of scope to pivot to other resources on the network, and to modify or simply steal the codebase.

I'm a recovering Java Developer. I started my career as a Java developer writing Archive/Backup software before moving to a large financial company working on webapps and the backend APIs. However, after a while writing yet another microservice wasn't that much fun anymore, but breaking them was. So I moved to Application Security and from there to Research. Now I work as a Security Researcher for Contrast Security.

Machine Learning Use In OSINT

Giorgi Iashvili (Caucasus University, Scientific Cyber Security Association)

Open source intelligence is one of the important aspects of cyber security activities, as it relies on publicly available sources, such as social networks, websites, blogs, etc. This includes data mining and gathering techniques, as well as data extraction and data analysis activities. Open source intelligence is widely used in different fields today. Mainly this process runs manually and is fully managed by humans. Moving from manual to automated processes in OSINT is vital, especially as we work with real-world operations. Different components must be used to build a relevant system that provides automated open source based activities together with training simulations for the Machine Learning.

The structure of the ML approach is the following:
- Requirements: Information used from previous user experience;
- Collection: Web crawlers or / and scrapers;
- Processing exploration: Pattern recognition, Detection of the events, Vision of the automated system;
- Analysis: Matching the pattern, Visualization process, Data analysis;
- Dissemination: Automated responses, Automated Error messages;

The processes will be performed by the machine using automated process mechanisms.

Giorgi Iashvili has a Ph.D. in informatics and is an associate professor at Caucasus University. Prof. Iashvili is Deputy Director of the CyberSecurity Center at Caucasus University. He is also the technical director at the Scientific Cyber Security Association (SCSA). Giorgi Iashvili is the author of many scientific papers. The topics of the papers are cyber security, cryptography, OSINT, hardware security, and AI.

Malware And Exfiltration: A Telegram Story

Godwin Attigah (Google)

Exfiltration and command and control are essential parts of the adversary's kill chain. One of the primary goals of a malicious adversary is to exfiltrate data from an environment undetected and uninterrupted.

As a result, several attackers have opted for third-party services typically sanctioned for use in most enterprises. The accepted status of such applications coupled with an established developer ecosystem makes services such as Slack and Telegram suitable for their exfiltration and command and control tool of choice.

We have observed the usage of Telegram in different types of malicious activities, including but not limited to ransomware, phishing, remote access trojans and stealers. We will discuss active samples found in the wild with a particular emphasis on stealers. Stealers are a class of malware that are primarily interested in gathering information on a host. Recent examples of Telegram in stealers include the Lapsus$ compromise of major enterprises such as Microsoft, Okta, and Nvidia. They are particularly interested in credentials and information related to financial assets (fiat and crypto), e.g.:
- Saved passwords
- Cryptocurrency wallets
- Credit cards
- Files from personal directories
- Direct messaging application sessions (Telegram, WhatsApp, etc.)
- OS information
- Machine credentials
- Geolocation
- Screenshots (in some cases live webcam view)

Our discussion will cover the exfiltration and detection evasion techniques on different platforms, including but not limited to Windows, macOS, and Android. In furtherance of the point, we introduce how malware-as-a-service provides easily accessible kits to entry-level and sophisticated malicious actors, thus reducing entry barriers, particularly in the stealer and ransomware community.

In our analysis, we observed a varied level of attacker operational competency. Attackers falter in several stages of the attack process, and we discuss some of their shortcomings and the best practices when it comes to using Telegram.
The techniques we discuss include:
- Correlating attacker identity to the real world
  - Image correlation
  - Username correlation
- Message interception via
  - Updates
  - WebHooks

Throughout the talk, we provide several samples that use Telegram as an exfiltration vector and had one or no detections in VirusTotal. The absence of detections underscores the importance of building an enterprise that is aware of the shortcomings of vendor security products as well as open source intelligence sources. We also provide detections and common patterns we see associated with samples in this space.

Godwin Attigah is a Security Engineer at Google. Before working at Google, they worked at Microsoft's Cyber Defense Operations Center, where they primarily focused on detecting and managing incidents involving state-sponsored actors. Godwin's work in security includes reverse engineering, detection engineering, security tool development, statistical modeling, and machine learning. Godwin holds a Master's Degree in Computer Science from Johns Hopkins University and a BSc in Mathematics and Computer Science from the University of North Carolina at Chapel Hill.
Godwin works on global issues outside of cybersecurity, including but not limited to reducing global deaths from indoor pollution.

Industrial-Security vs. IT-Security - What Can We Learn From Each Other?

Michael Walser (sematicon AG)

In the age of digitalisation, classic IT and industry are moving ever closer together. Devices are being networked, and more and more smart devices are flooding the production hall. However, IT security is often disregarded in the process. Every device in the network can be compromised and requires an adapted strategy. Experience from 30 years of IT security gives the industry an orientation - but does not solve its problems. The challenges are often completely different, and the situation often requires completely different approaches. We try an approach, show experiences from the work with our customers and partners, and give food for thought on what an IT security strategy for industry can look like and what both worlds can learn from each other.

Michael Walser is a board member and CTO of the Munich-based security company sematicon AG. In this role, he is responsible for the company's technical strategy and advises customers on the secure implementation of the digital transformation. After graduating in electrical engineering, he worked for many years as a consultant and advisor on successful IT security projects with a focus on cryptography and identity and access management worldwide and was responsible for implementation.

Trace Labs OSINT Search Party for Missing Persons CTF (1/4)

TraceLabs (TraceLabs)

The Trace Labs Search Party CTF is a nontheoretical, gamified effort that allows for the crowdsourcing of contestants to perform a single task: Conduct open source intelligence operations to help law enforcement find missing persons. The search will be done in teams and supervised by a team of judges.

See the description here: https://deepsec.net/docs/C0311_Trace_Labs_Missing_Persons_CTF.pdf

The Trace Labs community is made up of individuals from around the globe who all unite for one common mission: using OSINT to find missing persons and reunite them with their families. The work that we do would not be possible without this amazing community.

The Core Team at Trace Labs works alongside the global community to bring all of this together for the mission. Learn more about who they are below!

Signature-based Detection Using Network Timing

Josh Pyorre (Cisco Talos, Pyosec)

Malware often has behaviors that can be used to identify other variants of the same malware families, typically seen in the code structure, IP addresses and domains contacted, or in certain text strings and variable names within the malware.

However, it may be possible to identify malware or anomalous behavior by analyzing the timing between network transactions. My presentation will explore this idea using network captures of malicious activity amongst potentially normal network traffic, analyzed quickly with Python. We'll explore this on network data with full visibility into the transactions as well as on noisier encrypted traffic, where we'll attempt to identify unusual activity based only on bandwidth.

Josh Pyorre is a Security Research Engineering Technical Leader with Cisco Talos. He has been in security since 2000, working as a researcher and analyst at organizations such as Cisco, NASA, and Mandiant, and a principal product manager for advanced threat protection at Zscaler.
Josh has presented at conferences and locations around the world, including DEFCON, RSA, B-Sides, Source, Derbycon, InfoSecurity, DeepSec, Qubit, and at various companies and government organizations. He was also the host and producer of the security podcast, 'Root Access'. His professional interests involve network, computer and data security with a goal of maintaining and improving the security of as many systems and networks as possible.

Detecting The Unknowns – Mobile Network Operators Cyber Resilience In Responding To Zero-day Exploit

Imran Saleem (Mobileum)

Mobile networks are globally interconnected via private/public networks. Mobile signaling, being the core of telecoms, is widely used, hence mobile networks are always at risk of exposure to data leaks. Signaling firewalls are the first line of defense, which can prevent known attacks, but are typically inadequate to identify zero-day exploits or sophisticated bypass techniques.

Besides, the threat actors are no longer static and bound to a geographical area. Rather, they are moving around the world, leveraging cloud-based deployments using various geographically dispersed interconnect points, making it more arduous to detect new patterns.
Massive exploitation of victim networks by sophisticated bypass techniques has been seen where operators are incapable of correlating the entire frame of the security chain because of their limited view. Not knowing if the damage has been done, and under the hypothesis that they are protected, it comes as a surprise when a high-profile individual becomes the victim of this series of coordinated, unnoticed events.

In this engagement, the research presents the TTPs used by an APT performing a zero-day exploit via interconnect signaling that left a significant impact on operators globally. The critical vulnerability was silently exploited across different high-risk markets, with coverage seen in almost every continent. The vulnerability aims to bypass signaling firewalls and security controls to get hold of initial data access, like the real IMSI of the subscriber and the Serving Node address of the network where the subscriber is attached, and can potentially enable subsequent attacks like call interception, billing fraud, tracking, surveillance and 2FA bypass.

A responsible vulnerability disclosure for this zero-day exploit was submitted to the GSMA CVD program, which assigned the CVD number CVD-2021-0052 and, after assessing the impact, nature and severity, placed the discovery in the “hall of fame” accessible at the acknowledgment page.

https://www.gsma.com/security/gsma-mobile-security-research-acknowledgements/

Imran Saleem is a Security Researcher with more than 17 years of experience in Telecom and Security. He has also served as a Cyber Security Consultant for Fortune 100 companies in the past. Imran holds a master’s degree in Cyber Security and maintains CISSP, CISM, CDPSE, and other highly sought-after security certifications. His past work areas combine Threat Intelligence, Security Design & Architecture, security risk assessment, privacy impact assessment, and data analytics.
Imran is currently engaged in threat intelligence and security research, providing a global threat intelligence perspective to Mobile Network Operators.
Imran is a speaker who has participated in and contributed to various international bodies like the GSMA and the World Economic Forum. He has made significant contributions to GSMA Security guidelines related to interconnect signaling of mobile networks. He also serves as a member of the GSMA CVD PoE (Panel of Experts). His work has been acknowledged in the GSMA “Hall of Fame” for critical vulnerability disclosure.
https://www.gsma.com/security/gsma-mobile-security-research-acknowledgements/

Trace Labs OSINT Search Party for Missing Persons CTF (2/4)

TraceLabs (TraceLabs)

The Trace Labs Search Party CTF is a nontheoretical, gamified effort that allows for the crowdsourcing of contestants to perform a single task: Conduct open source intelligence operations to help law enforcement find missing persons. The search will be done in teams and supervised by a team of judges.

See the description here: https://deepsec.net/docs/C0311_Trace_Labs_Missing_Persons_CTF.pdf

The Trace Labs community is made up of individuals from around the globe who all unite for one common mission: using OSINT to find missing persons and reunite them with their families. The work that we do would not be possible without this amazing community.

The Core Team at Trace Labs works alongside the global community to bring all of this together for the mission. Learn more about who they are below!

Vanquish: Analysis Everywhere With Smartphones

Hiroyuki Kakara (Trend Micro Incorporated)

I couldn’t sleep well until I developed the “Vanquish.” I couldn’t fully enjoy Disneyland until I developed the “Vanquish.” I was always thinking about the 2nd and subsequent payloads of malware of my interest. I was always hoping that C2 servers would still be available until I reached my malware analysis desktop. But the Vanquish changed my life. He tries to collect all the samples that appear in Twitter accounts of your interest. He analyzes those samples and tries to get the next-stage samples while I am in bed. And I can ask him to analyze malware from your iPhone even while I’m in Disneyland.
The core of the Vanquish is the system which crawls specified Twitter accounts every specified number of minutes, parses hashes from the tweet bodies or the web sites tweeted, downloads the sample from malware sharing sites, and puts it in a sandbox. The results are posted to the Slack workspace. Also, I can order ad hoc analysis from the Vanquish by specifying hashes.
The Vanquish uses Slack for its I/O interface. Not only does he output results to the Slack workspace, but he also accepts commands from Slack to adjust crawl parameters, start an ad hoc query, etc. With this, I don’t need to be in front of my desktop but only need an iPhone to communicate with the Vanquish.
The presentation at DeepSec 2022 will introduce the concept of the Vanquish as well as additional features like malware parsing which can be implemented in your in-house research infrastructure.

Hiroyuki Kakara is working as a Cyber Threat Researcher for the Threat Intelligence Center of Trend Micro Incorporated in Japan. He is engaged in research on APTs and delivers threat intelligence to Japanese government organizations. Technically, his research activity consists of incident response, malware analysis, forensics, OSINT, and utilization of his company's internal telemetry. He is also an instructor of the Trend Micro internal security expert training. He works with some Japanese parliament members to achieve better national security against cyber threats. He presented at DeepINTEL 2019, 2020 and 2021.

The Story Continues: Hacking Some More "Secure" Portable Storage Devices

Matthias Deeg (SySS GmbH)

Encrypting sensitive data at rest has always been a good idea, especially when storing it on small, portable devices like external hard drives or USB flash drives, because in case of loss or theft of such a storage device, you want to be quite sure that unauthorized access to your confidential data is not possible. Unfortunately, even in 2022, "secure" portable storage devices with 256-bit AES hardware encryption and sometimes also biometric technology are sold that are actually not secure when taking a closer look.

In this presentation, I will talk about how a customer request led to further research resulting in several cryptographically broken "secure" portable storage devices. This research continues the long story of insecure portable storage devices with hardware AES encryption that goes back many years. With this presentation, I want to raise the awareness of security issues and practical attacks against vulnerable "secure" portable USB storage devices, and tell an interesting story.

Matthias Deeg has been interested in information technology - especially IT security - since his early days and has a great interest in seeing whether security assumptions in soft-, firm- or hardware hold true when taking a closer look. Since 2007 he has worked as an IT security consultant for the IT security company SySS GmbH and is head of Research & Development.

His research results concerning different IT security topics were presented at various national and international IT security conferences (e.g. Black Alps, BSidesVienna, Chaos Communication Congress, CONFidence, DeepSec, Hacktivity, Hack.lu, PHDays, Ruxcon, t2, ZeroNights). He has also published several IT security papers, security advisories, and security-related YouTube videos.

Trace Labs OSINT Search Party for Missing Persons CTF (3/4)

TraceLabs (TraceLabs)

The Trace Labs Search Party CTF is a nontheoretical, gamified effort that allows for the crowdsourcing of contestants to perform a single task: Conduct open source intelligence operations to help law enforcement find missing persons. The search will be done in teams and supervised by a team of judges.

See the description here: https://deepsec.net/docs/C0311_Trace_Labs_Missing_Persons_CTF.pdf

The Trace Labs community is made up of individuals from around the globe who all unite for one common mission: using OSINT to find missing persons and reunite them with their families. The work that we do would not be possible without this amazing community.

The Core Team at Trace Labs works alongside the global community to bring all of this together for the mission. Learn more about who they are below!

Cypher Query Injection - The New "SQL Injection" We Aren't Aware Of

Noy Pearl (Moon Active)

How often do you hear about injections? Probably a lot. Probably most of them are familiar to you, and chances are that you are tired of hearing about another SQL injection that was recently found. Graph databases (e.g. Neo4j, RedisGraph, Amazon Neptune), which are becoming increasingly popular, don’t use SQL, but you can still achieve an injection and even go beyond that. We are going to show how, by manipulating legitimate functionalities, we are able to leverage an injection in a Cypher query to attack the database (DoS), leak sensitive files, access protected endpoints, and leverage our attack to perform lateral movement and escalate to other machines as well. We’ll sum up with remediation & mitigation steps and experience with a ready-to-use open-source playground that was created so you can exploit graph databases yourself.

Noy is a Security Researcher @ Moon Active. She previously worked as a penetration tester with a focus on web and mobile security. Her main interest is exploring the uncharted territories of less-known attacks & exploitation techniques. She started her speaker journey at BSides (Tel-Aviv), has contributed to the OWASP AppSec IL team as a challenge creator, and is interested in everything that the security world has to offer.

Hey You! Get Off my Satellite!

Paul Coggin (nou Systems, Inc)

There are many components and systems in a space system that may be targeted by adversaries, including ground station systems and satellites. In this presentation we will discuss ideas for providing cyber resiliency in zero gravity. Both theoretical and real-world examples of cybersecurity issues concerning satellite systems will be covered. This presentation will step through attack trees for targeting satellite systems. Recommendations and best practices for securing satellite systems will be discussed. In addition, new ideas that industry is currently developing for improving the cyber resiliency of space systems will be presented.

Paul Coggin is a Cyber SME at nou Systems, Inc. His expertise includes space systems, service provider, and ICS/SCADA network infrastructure attacks and defenses, as well as large complex network design and implementation. Paul is experienced in leading network architecture reviews, vulnerability analysis, and penetration testing engagements for service provider, enterprise, space systems and tactical networks. Paul is a regular speaker and instructor at international conferences around the world. He has a BS in Math/Computer Science, an MS in Systems Management, an MS in Information Assurance and Security and an MS in Computer Information Systems. Paul is currently pursuing an MS in Space Systems. In addition, he holds numerous industry network and security certifications.

Trace Labs OSINT Search Party for Missing Persons CTF (4/4)

TraceLabs (TraceLabs)

The Trace Labs Search Party CTF is a nontheoretical, gamified effort that allows for the crowdsourcing of contestants to perform a single task: Conduct open source intelligence operations to help law enforcement find missing persons. The search will be done in teams and supervised by a team of judges.

See the description here: https://deepsec.net/docs/C0311_Trace_Labs_Missing_Persons_CTF.pdf

The Trace Labs community is made up of individuals from around the globe who all unite for one common mission: using OSINT to find missing persons and reunite them with their families. The work that we do would not be possible without this amazing community.

The Core Team at Trace Labs works alongside the global community to bring all of this together for the mission. Learn more about who they are below!

Anticipating Damage Control: Communicating About Cybersecurity Within And Outside Organizations

Prof. Matthieu J. Guitton, PhD, FRAI (Université Laval (Quebec City, QC, Canada))

Although cybersecurity aims at protecting individuals and organizations from the threats emerging from the massive use of and dependency upon digitalized spaces, the efforts of cybersecurity experts unfortunately do not always succeed in doing so. Therefore, the integrated cybersecurity strategies of large organizations should at a minimum include a plan for damage control.

Damage control strategies are typically handled by public relations experts and tend to follow a classical narrative, combining a mix of both apologizing and reassuring discourses. However, in an age of communication technologies, efficient narrative strategies have to be multi-layered. Indeed, while damage control is typically conceptualized as taking place after the occurrence of a damage-causing event, it should also include an anticipatory component, dealing both with communication planning and with pre-event communication. Furthermore, a damage control narrative cannot focus exclusively on a general public relations discourse, but should also include reflexive components, i.e. narrative elements targeted at organization members themselves on the one hand, and addressing the cybersecurity strategy itself on the other hand.

This presentation will explore this specific aspect of damage control, specifically addressing communication related to cybersecurity measures and strategies. We will first identify which components of the organization's cybersecurity policy, measures, and workforce training can be the target of communication. We will then explore how communicating about these aspects can be done within the organization. We will finally discuss how communicating about these elements can be done outside of the organization's specific context and network, before and after the occurrence of damaging events, and how such communication may contribute not only to the degree of security of the organization's assets, but also to its overall reputation and branding.

Matthieu J. Guitton is Full Professor at the Faculty of Medicine and Full Professor at the Graduate School of International Studies at Université Laval (Quebec City, QC, Canada), Fellow of the Royal Anthropological Institute, and Senior Researcher/Group Leader at the CERVO Brain Research Center (Quebec City, QC, Canada). He is Editor-in-Chief of the Computers in Human Behavior family of journals, which includes Computers in Human Behavior (the world-leading journal in the field of cyberpsychology) and Computers in Human Behavior Reports, and serves on several other editorial boards, such as Acta Psychologica (where he acts as the Psychology and Technology Section Editor) and Current Opinion in Behavioral Sciences. A graduate of the University of Rouen and Université Pierre et Marie Curie - Paris VI, he obtained his PhD from the University of Montpellier (France) and was a Koshland Scholar/Postdoctoral Fellow of Excellence at the Weizmann Institute of Science (Israel). He has published over 120 research papers, book chapters, or editorials on subjects ranging from neuropharmacology and health sciences to cyberpsychology, cyberbehavior, or security issues. Some of his recent works have appeared in journals such as Computers in Human Behavior, the International Journal of Intelligence and CounterIntelligence, or the International Journal of Intelligence, Security, and Public Affairs. He has been an invited speaker or guest lecturer at numerous universities across the world, such as Embry-Riddle Aeronautical University (USA), the Russian Academy of Science, or the Renmin University of China.

Practical Mobile App Attacks By Example (online talk)

Abraham Aranguren (7ASecurity)

If you are the kind of person who enjoys workshops with practical information that you can immediately apply when you go back to work, this talk is for you, all action, no fluff :)

Attendees will be provided with training portal access to practice some attack vectors, including multiple mobile app attack surface attacks, deeplinks and mobile app data exfiltration with XSS. This includes lifetime access to vulnerable apps to practice on, guided exercise PDFs and video recordings explaining how to solve the exercises.

Get FREE access to the slides, recording and vulnerable apps to practice with:
https://7asecurity.com/free-workshop-mobile-practical

This talk is a comprehensive review of interesting security flaws that we have discovered over the years in many Android and iOS mobile apps: An entirely practical walkthrough that covers anonymized juicy findings from reports that we could not make public, interesting vulnerabilities in open source apps with strong security requirements such as password vaults and privacy browsers, security issues in government-mandated apps with considerable media coverage such as Smart Sheriff, apps that report human right abuse where a security flaw could get somebody killed in the real world, and more.

The talk offers a thorough review of interesting security anti-patterns and how they could be abused; this is very valuable information for those intending to defend or find vulnerabilities in mobile apps.

This talk is for those who are intending to broaden their knowledge of mobile security with actionable information derived from real-world penetration testing of mobile apps.

Please come caffeinated, the audience will be challenged to spot vulnerabilities at any moment :)

After 13 years in itsec and 20 in IT, Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Co-author of the Mobile, Web and Desktop (Electron) app 7ASecurity courses. Security trainer at Blackhat USA, HITB, OWASP Global AppSec and many other events. Former senior penetration tester / team lead at Cure53 and Version 1. Creator of “Practical Web Defense”, a hands-on eLearnSecurity attack / defense course, and OWASP OWTF project leader, an OWASP flagship project (owtf.org). Major degree and Diploma in Computer Science; some certs: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+. As a shell scripting fan trained by unix dinosaurs, Abraham wears a proud manly beard. He writes on Twitter as @7asecurity @7a_ @owtfp or at https://7asecurity.com/blog. Multiple presentations, pentest reports and recordings can be found at https://7asecurity.com/publications

Workshop: Hands On EMUX - Emulating ARM and MIPS IoT Firmware (1/2)

Saumil Udayan Shah (saumil.net)

EMUX (formerly known as ARMX) has been under regular development for over 5 years. The latest release brings MIPS emulation capabilities to the framework, expanding the set of targets that can be emulated. This workshop shall be in two parts:

Part 1 (30 minutes)
- Setting up EMUX in 7 minutes
- A tour of EMUX internals
- Case study of how IoT devices are emulated

Part 2 (90 minutes)
- Emulating an IP Camera from flash firmware
- Firmware extraction hands-on
- Building an emulation-compatible kernel from scratch
- Managing the root file system
- Putting it all together in EMUX

Students are expected to bring their laptops with a working Docker instance. EMUX is publicly available as a Docker image on https://github.com/therealsaumil

Saumil Shah is the founder of Ringzer0 Training. Saumil is an internationally recognised speaker and instructor, having regularly presented at conferences like Blackhat, RSA, CanSecWest, PacSec, EUSecWest, Hack.lu, Hack-in-the-box, Deepsec and others. He has authored two books titled "Web Hacking: Attacks and Defense" and "The Anti-Virus Book".

Saumil graduated with an M.S. in Computer Science from Purdue University, USA and a B.E. in Computer Engineering from Gujarat University. He spends his leisure time breaking software, flying kites, traveling around the world and taking pictures.

Fighting Fire With Fire – Detecting DNS-tunneling With DNS

Artsiom Holub (Cisco Umbrella)

DNS tunneling used as a covert-channel method to bypass security policies has increased considerably in the landscape of ransomware attacks in recent years. This can be attributed to CobaltStrike post-exploitation tools becoming the modus operandi of cybercrime syndicates operating with ransomware. Most detections rely on packet inspection, which suffers from scalability and performance problems when a large set of sockets must be monitored in real time. Aggregation-based monitoring avoids packet inspection, but has two drawbacks: silent intruders (generating small statistical variations of legitimate traffic) and quick statistical fingerprint generation (needed to obtain a detection tool really applicable in the field). Our approach uses statistical analysis coupled with behavioral characteristics, applied directly in the DNS resolver. The presentation will cover examples of the malicious tools used by threat actors and detections designed to protect from such tools.

Artsiom Holub is a Senior Security Analyst on the Cisco Umbrella Research team. Throughout the course of the day, he works on Security Threat Reports for existing and potential clients, works closely with the Customer Support Team, finds new threats and attacks by analyzing global DNS data coming from Cisco Umbrella resolvers, and designs tactics to track down and identify malicious actors and domains. He is a frequent presenter at major cybersecurity conferences including RSAC, Black Hat and THEFirst. Holub is currently focused on analysis and research of various cybercrime campaigns and building defensive mechanisms powered by ML.

Faking At Level 1 - How Digital Twins Save Your PLCs

Thomas Weber (CyberDanube / Security Researcher)

Every year, numerous big and small incidents in industrial environments, like power plants, factories, or food supply, find their way into newspapers. All those affected industries are backed by highly branched and historically grown Operational Technology (OT) networks.
A big portion of such incidents would have been avoidable if network segmentation had been done correctly and patches for user devices (not always possible in OT) had been installed. Despite such known problems, which also lead to the compromise of traditional IT networks, a number of unknown vulnerabilities are unfortunately also present in OT infrastructure.

OT in modern factories consists of networked (and smart) devices, especially on level 1, also called the control level, of the Purdue model. Devices like PLCs, industrial routers/switches, data diodes, and more cannot be easily tested while they are in use by the factory. Therefore, classification and monitoring solutions from different vendors are used so as not to put the running infrastructure at risk. These non-intrusive ways of getting a picture of the running infrastructure only give a partial overview of the vulnerability landscape of the OT network and cannot detect unknown vulnerabilities. Testing such expensive devices rather than using them is often not desired because of the price; spare units would have to be kept available, which is another reason why those devices cannot be touched.

For this reason, digital twins - in terms of virtualization - of the devices in the factory should be created for pentesting purposes. These twins can be built with different tools (open source / closed source) and have been used for identifying 0-days during an ongoing research project. After their creation, the virtual appliances were connected to form a full-fledged OT network, to imitate a real industrial environment. Testing these virtual appliances does not harm the real infrastructure, but provides a lot of valuable information about the systems in scope.

This was tested in practice during engagements and has been recreated and edited for a talk which also includes vulnerabilities that were discovered during such a test setup.

Thomas is co-founder and security researcher at CyberDanube in the field of embedded systems, (I)IoT and OT and wrote numerous security advisories in the past. Besides his past employment, he developed an emulation system for firmware in the course of his scientific work. In the past, he spoke at conferences like HITB, BlackHat, IT-SECX, HEK.SI and OHM (international).

Workshop: Hands On EMUX - Emulating ARM and MIPS IoT Firmware (2/2)

Saumil Udayan Shah (saumil.net)

EMUX (formerly known as ARMX) has been under regular development for over 5 years. The latest release brings MIPS emulation capabilities to the framework, expanding the set of targets that can be emulated. This workshop shall be in two parts:

Part 1 (30 minutes)
- Setting up EMUX in 7 minutes
- A tour of EMUX internals
- Case study of how IoT devices are emulated

Part 2 (90 minutes)
- Emulating an IP Camera from flash firmware
- Firmware extraction hands-on
- Building an emulation-compatible kernel from scratch
- Managing the root file system
- Putting it all together in EMUX

Students are expected to bring their laptops with a working Docker instance. EMUX is publicly available as a Docker image on https://github.com/therealsaumil

Saumil Shah is the founder of Ringzer0 Training. Saumil is an internationally recognised speaker and instructor, having regularly presented at conferences like Blackhat, RSA, CanSecWest, PacSec, EUSecWest, Hack.lu, Hack-in-the-box, Deepsec and others. He has authored two books titled "Web Hacking: Attacks and Defense" and "The Anti-Virus Book".

Saumil graduated with an M.S. in Computer Science from Purdue University, USA and a B.E. in Computer Engineering from Gujarat University. He spends his leisure time breaking software, flying kites, traveling around the world and taking pictures.

Melting the DNS Iceberg - Taking Over Your Infrastructure Kaminsky Style

Dipl.-Ing. Timo Longin BSc (SEC Consult Unternehmensberatung GmbH)

What does DNS have in common with an iceberg? Both are hiding invisible dangers! Beneath an iceberg there is... even more ice. Beneath the DNS, however, unexpected vulnerabilities are hiding!

If you want to resolve a name via DNS, there are multiple open DNS resolvers all across the Internet. A very commonly used open DNS resolver is Google’s resolver with the IP address 8.8.8.8. However, not every system is using such an open resolver. Hosting providers, ISPs and the like are often using resolvers that are not directly accessible from the Internet. These are the so-called “closed” resolvers.

In my previous research “Forgot password? Taking over user accounts Kaminsky style,” I have unearthed critical vulnerabilities in DNS resolvers of web applications, but I haven’t shared a second thought about the fact that these web applications were most likely using closed resolvers. So, this time I looked at the root of the problem.

In this talk, we’ll take a look at how we can indirectly access these closed resolvers from the Internet. Furthermore, I’ll introduce open-source tools and methods to discover vulnerabilities in them. How we can attack these closed resolvers and potentially compromise thousands of systems will lastly be shown in a proof-of-concept exploit.

Timo Longin is a security consultant at SEC Consult (an Atos company) by day and a security researcher by night. Aside from everyday security assessments, he publishes blog posts and security tools, holds talks at conferences and universities, and, most importantly, has a passion for CTFs. His main focus is on web applications; however, infrastructure and hardware are not safe from him either. As a well-rounded offensive security researcher, he tries to find forgotten and new attack vectors that make the unthinkable possible.

Cyber Maturity Doesn’t Just Happen. True Tales Of A Cyber Maturity Concept.

Uğur Can Atasoy (TryHackMe)

Having a proper(!) security posture is more challenging than ever. Implementing the bare necessities for usability and security is scalable (literally), but the reality is always full of surprises. Dozens of assets, services, tools, requirements, workforce, risks and threats. How to keep the balance between usability, security and reputation while being honest with yourself?

Many enterprises suffer from “keywords” and “trends” and have to pretend to be “proactive” by implementing the “latest” trends and approaches instead of solving the problems on “bits” that need “change”.

When you look at enterprise-level security incidents, you can quickly notice that they have the latest tools, technologies and services, implemented the “Zero Trust Security” model, achieved base standards and compliance requirements, and hired the experts. Literally, they are prepared for almost all possible risks and threats, but they had a security incident, and the effect is usually more significant than the acceptable risk.

There is no silver bullet for security architecture design and management. Also, it is hard and takes time to create better cyber maturity and cyber readiness/resilience. But there is a simple way that leads to achieving those: self-assessment!

In this talk, I will discuss, with real-life stories, how enterprises that operate in critical sectors fail to go beyond the “manageable cyber maturity level”. With this presentation, I want to raise awareness of proper cyber maturity implementation and self-assessment requirements. My presentation will cover three different incidents and two real-life example cases.

Ugur Can Atasoy works as a content engineer at TryHackMe. His work and interests are focused mainly on blue and purple teaming. He believes in hybrid approaches and works to produce outcomes by synthesising the technical field and academia.

Before that, he worked as a security specialist and trainer in the higher education, media and defence industry. He provided consultancy services to many businesses in multiple domains, mainly penetration testing, threat hunting, threat intelligence, technical training, vulnerability and cyber maturity assessment.

Hacker To Honcho

Darren Jones & Julian Botham (Valencia Risk)

How do young professionals stand out in the cybersecurity sector nowadays? This is the question tackled by two cybersecurity consultants from Canada in this presentation.

From the perspective of a more recent addition to the cybersecurity industry, Julian Botham describes how his interest in cybersecurity paved the way for a cybersecurity career and the role that research, analysis, and constant growth contributed to that.

With a cybersecurity career spanning over three decades, Darren Jones provides insight into the best ways for young professionals to leave their mark on the work they do. Through his experience, he details the importance of developing team-building skills and establishing a niche in a team based on interests and talents.

Darren Jones is an innovative and creative IT leader both in industry and as a consultant. He has led the way to assist clients with cybersecurity reviews, cyber strategy development, solutions implementation, 24x7 security monitoring and incident response. Darren has extensive experience with the NIST CSF and has formulated many cyber strategies using this framework as an anchor.

Julian Botham has been a part of the cybersecurity industry for 3 years and has quickly risen within his company. He is a published author on the Public Policy Forum paper Beyond The Digital Status Quo. On a day-to-day basis, Julian performs penetration tests, vulnerability assessments, and contributes his knowledge of the industry to his peers as a part of a mentorship program.

Your Phishing Assessment Is Bad & You Should Feel Bad

Alexander Riepl (CERT.at)

Sending malicious emails to employees in order to gauge perceived security awareness is becoming ever more popular, with companies large and small taking part in such phishing assessments.

Despite their popularity, there are a ton of issues with how we do these things. At best, these issues cause them to be actively useless exercises; at worst, they can end up decreasing your security or even have a significant negative impact on your internal culture and erode trust.

This talk looks at how we mostly do these assessments, the various ways in which that is wrong, and even tries to provide a few suggestions on how we, as security professionals, can do well.

Alexander Riepl works as a (on the insistence of higher-ups: Senior) Security Analyst for the national Computer Emergency Response Team of Austria, with his work focusing on keeping an eye on threat actors, what's happening around the world to provide geopolitical context & occasionally role-playing as "still a tech guy, I swear" when doing work around Linux security.

Before that he did a brief stint as CSO for a FinTech company, a longer stint as a Security Analyst for totally not the same employer he is working for now, and in his earliest life he spent his days in solitude maintaining datacenters - which means that after a decade in IT professionally, I'd be surprised if there is still something that can surprise me.