Speakers (preliminary) - DeepSec IDSC 2021 Europe

Advanced Deployment and Architecture for Network Traffic Analysis (closed)

Peter Manev, Eric Leblond & Josh Stroschein (Open Information Security Foundation)

Network-based threat detection is crucial for developing a comprehensive security strategy, whether it is on-premise or in the cloud. In Advanced Deployment and Architecture for Network Traffic Analysis, you will learn how to maximize the visibility that Suricata can provide in your network. You will gain a deep technical understanding and hands-on experience with Suricata’s versatile arsenal of features and capabilities for a variety of deployment, usage and integration scenarios. Tuning and optimizing Suricata for threat/anomaly detection, file extraction, and/or protocol detection is critical for a successful deployment. You will also learn traditional and non-traditional tips, tricks and techniques to implement Suricata and its newest features, based on real-world deployment experiences, including cloud-based deployments. This class also offers a unique opportunity to bring in-depth use cases, questions, and challenges directly to the Suricata team. By the end of this course you will be able to successfully design, deploy, implement, optimize and hunt with your high-performance Suricata deployment.

Peter Manev: Peter has been involved with Suricata IDS/IPS/NSM from its very early days in 2009 as QA lead and is currently a Suricata executive council member. Peter has 15 years' experience in the IT industry, including enterprise and government level IT security practice. As an adamant admirer and explorer of innovative open source security software, he is also one of the creators of SELKS, an open source threat detection security distro. He is also one of the founders of Stamus Networks, a company providing security solutions based on Suricata.

Eric Leblond: Eric is an active member of the security and open source communities. He is a Netfilter Core Team member working mainly on communications between kernel and userland. He has worked on the development of Suricata, the open source IDS/IPS, since 2009 and is currently one of the Suricata core developers. He is also one of the founders of Stamus Networks, a company providing security solutions based on Suricata.

Josh Stroschein is an experienced malware analyst and reverse engineer and has a passion for sharing his knowledge with others. He is the Director of Training for OISF, where he leads all training activities for the foundation and is also responsible for academic outreach and developing research initiatives. Josh is an accomplished trainer, providing training in the aforementioned subject areas at BlackHat, DerbyCon, Toorcon, Hack-In-The-Box, Suricon, and other public and private venues. Josh is an Assistant Professor of Cyber Security at Dakota State University where he teaches malware analysis and reverse engineering, an author on Pluralsight and a threat researcher for Bromium.

Advanced Whiteboard Hacking – aka Hands-on Threat Modeling

Sebastien Deleersnyder (Toreon)

First released at the Black Hat USA 2021 trainings, our latest threat modeling training comes with a new threat modeling war game with red and blue threat modeling teams. Engaged in capture-the-flag style threat modeling challenges, your team will battle for control over an offshore windmill park. Based on our experience in securing real-world Operational Technology (OT) infrastructure, we premiered this war game at Black Hat USA 2021. In this edition we also enhanced the sections on agile and DevOps threat modeling and on threat modeling and compliance, added a section on "threat modeling at scale", and all participants get our Threat Modeling Playbook plus one-year access to our online threat modeling coaching subscription.

As highly skilled professionals with years of experience under our belts, we know that there is a gap between academic knowledge of threat modeling and the real world. In order to minimize that gap, we have developed practical Use Cases, based on real-life projects. Each use case includes a description of the environment, together with questions and templates to build a threat model.

Using this methodology in our hands-on workshops, we provide our students with a challenging training experience and the templates to incorporate threat modeling best practices into their daily work. Students will be challenged in groups of 3 to 4 people to perform the different stages of threat modeling on the following:
• Diagramming web and mobile applications, sharing the same REST backend
• Threat modeling an IoT gateway with a cloud-based update service
• Get into the defender's head – modeling points of attack against a nuclear facility
• Threat mitigations of OAuth scenarios for an HR application
• Privacy analysis of a new face recognition system in an airport
• Battle for control over "Zwarte Wind", an offshore windmill park

After each hands-on workshop, the results are discussed, and students receive a documented solution. Based on our successful trainings in the last years and the great and positive feedback, we released this updated advanced threat modeling training at Black Hat USA 2021.

Course topics

Threat modeling introduction
• Threat modeling in a secure development lifecycle
• What is threat modeling?
• Why perform threat modeling?
• Threat modeling stages
• Different threat modeling methodologies
• Document a threat model
Diagrams – what are you building?
• Understanding context
• Doomsday scenarios
• Data flow diagrams
• Trust boundaries
• Sequence and state diagrams
• Advanced diagrams
• Hands-on: diagramming web and mobile applications, sharing the same REST backend
Identifying threats – what can go wrong?
• STRIDE introduction
• Spoofing threats
• Tampering threats
• Repudiation threats
• Information disclosure threats
• Denial of service threats
• Elevation of privilege threats
• Attack trees
• Attack libraries
• Hands-on: STRIDE analysis of an Internet of Things (IoT) gateway and cloud update service
Addressing each threat
• Mitigation patterns
• Authentication: mitigating spoofing
• Integrity: mitigating tampering
• Non-repudiation: mitigating repudiation
• Confidentiality: mitigating information disclosure
• Availability: mitigating denial of service
• Authorization: mitigating elevation of privilege
• Specialist mitigations
• Hands-on: threat mitigations of OAuth scenarios for web and mobile applications
Threat modeling and compliance
• How to marry threat modeling with compliance
• Mapping threat modeling on compliance frameworks
• GDPR and Privacy by design
• Privacy threats
• LINDDUN and mitigating privacy threats
• Hands-on: privacy threat modeling of a face recognition system in an airport
Penetration testing based on offensive threat models
• Create pentest cases for threat mitigation features
• Pentest planning to exploit security design flaws
• Vulnerabilities as input to plan and scope security testing
• Prioritization of pentesting based on risk rating
• Hands-on: get into the defender's head – modeling points of attack of a nuclear facility.
Advanced threat modeling
• Typical steps and variations
• Validating threat models
• Effective threat model workshops
• Communicating threat models
• Agile and DevOps threat modeling
• Improving your practice with the Threat Modeling Playbook
• Scaling up threat modeling
• Threat model examples: automotive, industrial control systems, IoT and Cloud
Threat modeling resources
• Open-Source tools
• Commercial tools
• General tools
• Threat modeling tools compared
Battle for control over "Zwarte Wind", an offshore windmill park
In our 5th edition of Black Hat trainings, we released our latest threat modeling training with a new threat modeling war game with red and blue threat modeling teams. Engaged in capture-the-flag style threat modeling challenges, your team will battle for control over an offshore windmill park. Based on our experience in securing real-world Operational Technology (OT) infrastructure, we premiered this war game at Black Hat USA 2021.
• Hands-on examination
• Grading and certification

Seba (https://twitter.com/Sebadele) is co-founder and CTO of Toreon and a proponent of application security as a holistic endeavor. He started the Belgian OWASP chapter, was a member of the OWASP Foundation Board and has given several public presentations on application security. Seba also co-organizes the yearly BruCON security and hacker conference and trainings in Belgium.

With a background in development and many years of experience in security, he has trained countless developers to create software more securely. He has led OWASP projects such as OWASP SAMM, thereby truly making the world a little bit safer. Now he is adapting application security models to the evolving field of DevOps and is also focused on bringing Threat Modeling to a wider audience.

Defending Enterprises (closed)

Will Hunt, Owen Shearing (In.security)


[Note: This training will be completely remote. This allows you to better plan your workshop commitments when booking tickets. You can also buy a ticket for just attending this training (without access to the conference). In that case please write an e-mail to speaker@deepsec.net]

New for 2021, our immersive 2-day Defending Enterprises training is the natural counterpart to our popular Hacking Enterprises course.
From SIEM monitoring and alerting to threat hunting, you’ll play a SOC analyst in our cloud-based lab and try to rapidly locate IOAs and IOCs from an enterprise breach executed by the trainers.
You’ll use a combination of Microsoft Azure Sentinel and Elastic platforms to perform practical exercises, creating your own queries to detect potential compromises and highlight interesting activity.

Day 1
• MITRE ATT&CK framework
• Defensive OSINT
• Linux/Windows auditing and logging
• Using Logstash as a data forwarder
• Overview of the Kibana Query Language
• Overview of the Kusto Query Language
• Identifying Indicators of Attack (IOA) and Indicators of Compromise (IOC)
• Detecting phishing attacks (Office macros, HTAs and suspicious links)
• Detecting credential exploitation (Kerberoasting, PtH, PtT, DCSync)

Day 2
• Creating alerts/rules in Azure Sentinel
• Detecting lateral movement within a network (WinRM, WMI, SMB, DCOM, MSSQL)
• Detecting data exfiltration (HTTP/S, DNS, ICMP)
• Detecting persistence activities (userland methods, WMI Event Subscriptions)
• C2 Communications

Also included:
We realise that training courses are limited in time and therefore students are also provided with the following:
• Completion certificate
• 14-day extended lab access after the course finishes
• Discord support channel access where our security consultants are available

Will (@Stealthsploit) co-founded In.security in 2018. He’s been in infosec for over a decade and has helped secure many organisations through technical security services and training. Will’s delivered hacking courses globally at several conferences including Black Hat and has spoken at various conferences and events. Will also assists the UK government in various technical, educational and advisory capacities. Before Will was a security consultant he was an experienced digital forensics consultant and trainer.

Owen (@rebootuser) is a co-founder of In.security, a specialist cyber security consultancy offering technical and training services based in the UK. He has a strong background in networking and IT infrastructure, with well over a decade of experience in technical security roles. Owen has provided technical training to a variety of audiences at bespoke events as well as Black Hat, Wild West Hackin' Fest, NolaCon, 44CON and BruCON. He keeps projects at https://github.com/rebootuser.

Hacking Modern Desktop Apps: Master the Future of Attack Vectors

Abraham Aranguren (7ASecurity LLLP)

This course is a 100% hands-on deep dive into the OWASP Security Testing Guide and relevant items of the OWASP Application Security Verification Standard (ASVS), so this course covers and goes beyond the OWASP Top Ten. Long gone are the days when desktop apps were written in Delphi. What do Microsoft Teams, Skype, Bitwarden, Slack and Discord have in common? All of them are written in Electron: JavaScript on the client.

Modern desktop apps share traditional attack vectors and also introduce new opportunities to threat actors. This course will teach you how to review modern desktop apps, showcasing Node.js and Electron but using techniques that will also work with any other desktop app platform. Ideal for Penetration Testers, Desktop App Developers as well as everybody interested in JavaScript/Node.js/Electron app security.

All action, no fluff, improve your security analysis workflow and immediately apply these gained skills in your workplace. Packed with exercises, extra mile challenges and CTF, self-paced and suitable for all skill levels, with continued education via unlimited email support and lifetime access to our training portal with step-by-step video recordings and interesting apps to practice, including all future updates for free.

Get a FREE taste for this training, including access to video recording, slides and vulnerable apps to play with: 1.5 hour workshop - https://7asecurity.com/free-workshop-desktop-apps


## Course Content (ToC) ##

### Section 1: Hacking Modern Desktop apps by Example ###

Part 0 - Modern Desktop App Security Crash Course
- The state of Modern Desktop App Security
- Modern app security architecture and its components
- Modern Desktop apps and the filesystem
- Recommended lab setup tips


Part 1 - Static Analysis and Tools
- Tools and techniques to reverse and review Modern apps
- Finding vulnerabilities in Modern app dependencies
- Identification of the attack surface of Modern apps & information gathering
- Static modification of Modern apps for analysis and debugging
- Identification of common vulnerability patterns in Modern apps:
  + Common misconfigurations
  + Hardcoded secrets
  + Logic bugs
  + Access control flaws
  + URL handlers
  + XSS, Injection attacks and more
- Modifying Modern apps to alter behaviour and debug issues


Part 2 - Dynamic Analysis
- Monitoring data: caching, logs, app files, insecure file storage, unsafe storage of app secrets, etc.
- Crypto flaws
- The art of MitM: Intercepting Network Communications
- Defeating certificate pinning at runtime
- The art of Instrumentation: Introduction to Frida
- App behaviour monitoring at runtime
- Modifying app behaviour at runtime


Part 3 - Test your Skills
- CTF time

### Section 2: Advanced Instrumentation & Attacks on Modern Desktop apps ###


Part 0 - Advanced Instrumentation on Modern Desktop apps
- Introduction to Frida on Desktop apps
- Advanced usage of Frida against Modern Desktop apps
- Writing custom Frida scripts to assist with common challenges
- Reviewing app behavior at runtime
- Modifying app behavior at runtime
- Modifying app behavior at rest


Part 1 - Advanced attacks on Modern Desktop apps
- UI manipulation with XSS
- Interesting attack vectors with XSS
- Coverage of Multiple edge case scenarios to gain RCE
- Dumping memory
- Prototype pollution
- Defeating crypto
- Gaining RCE via IPC
- Attacking WebSockets
- Local Attacks and Privilege Escalation
- Remote Attacks when Desktop Apps are deployed on the server
- Bypassing Pinning
- And more


Part 2 - Advanced Modern Desktop Apps CTF
- Challenges to practice advanced attacks and instrumentation on Modern Desktop apps

Abraham Aranguren: After 13 years in ITsec and 20 in IT, Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Security Trainer at Blackhat USA, HITB, OWASP Global AppSec and many other events. Former senior penetration tester / team lead at Cure53 (cure53.de) and Version 1 (www.version1.com). Creator of “Practical Web Defense”, a hands-on eLearnSecurity attack / defense course (www.elearnsecurity.com/PWD), and OWASP OWTF project leader, an OWASP flagship project (owtf.org). Major degree and Diploma in Computer Science; some certs: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+. As a shell scripting fan trained by unix dinosaurs, Abraham wears a proud manly beard. He writes on Twitter as @7asecurity, @7a_ and @owtfp, or at https://7asecurity.com/blog. Multiple presentations, pentest reports and recordings can be found at https://7asecurity.com/publications

How to Break and Secure Single Sign-On (OAuth and OpenID Connect) (closed)

Karsten Meyer zu Selhausen (Hackmanit GmbH)

Single sign-on protocols are among the most important Internet technologies and are used by countless applications. Security plays a critical role when using systems based on standards such as OAuth and OpenID Connect: successful attacks allow attackers to bypass authentication or to access confidential user data. In this training, you will learn all security aspects relevant to single sign-on based on OAuth and OpenID Connect. You will learn which serious attacks exist and get the chance to try them yourself in our test environment. Finally, you will learn how to test and defend your own systems against these attacks.

Karsten Meyer zu Selhausen has several years of experience in the fields of secure deployment and secure use of well-known single sign-on standards, such as OAuth, OpenID Connect and SAML.

He has worked as an IT security consultant, penetration tester and trainer for Hackmanit GmbH since 2016. During his master's degree in IT Security at the Ruhr-University Bochum, he specialized in the security of protocols for delegated authorization and authentication, as well as data description languages such as XML and PDF. He gained profound expertise in the security of single sign-on procedures, such as OAuth, OpenID Connect and SAML, during numerous consulting projects and penetration tests. Karsten frequently shares his knowledge and experience with customers from various industry fields in IT security training courses.

Mobile Network Operations and Security

David Burgess (-)

This workshop describes basic functions and security shortcomings in mobile networks, both in the core network and in the radio network, for GSM, UMTS, LTE and 5G NR. The material is intended for individuals in the areas of journalism, international aid, corporate security, and the law, who have or who work with people who have specific security concerns and want to better understand what is really happening in their phones and in the mobile networks that serve those phones.

The workshop will start with an overview of cellular technology in general and the types of security flaws common to all mobile networks, and then proceed to specific examples for different network segments and technology types. The workshop will include demonstrations of some security failures and deeper analysis of specific events reported in the popular press. The goal of the workshop is to give attendees a good grasp of key concepts in mobile network operation and the security implications, while avoiding unnecessary technical details. Questions and discussion are welcome and

This workshop covers the mobile network, handset baseband, and SIM only, and does not address Android, iOS or application-layer security.

David Burgess has worked in telecommunications since 1998, first in signals intelligence and then in commercial network equipment. He is probably best known as the primary author of OpenBTS, but has written complete stacks for other cellular radio protocols as well. David’s company, Legba, provides mobile network equipment and test equipment for small network operators, embedded systems developers, and special applications. David also writes about telecommunications and does occasional work as an expert in legal

Mobile Security Testing Guide Hands-On

Sven Schleier (-)


[Note: This training will be completely remote. This allows you to better plan your workshop commitments when booking tickets. You can also buy a ticket for just attending this training (without access to the conference). In that case please write an e-mail to speaker@deepsec.net]

This course teaches you how to analyse Android and iOS apps for security vulnerabilities, by going through the different phases of testing, including dynamic testing, static analysis and reverse engineering. Sven will share his experience and many small tips and tricks to attack mobile apps that he collected throughout his career and bug hunting adventures.

If you just entered the domain of mobile app penetration testing, or have only experience in Web App Testing and would like to make the switch to mobile, this session is a perfect starting point for you. Nevertheless, there are also some more advanced topics that will also be of interest for more experienced testers.

At the beginning of the first day we start by giving an overview of the Android platform and its security architecture. It is no longer mandatory for students to bring their own Android device; instead, a cloud-based virtualized Android device will be provided for each student using Corellium. These are some of the topics that will be covered during the course:

• Frida crash course to kick-start dynamic instrumentation on Android apps
• Intercepting network traffic of apps written in mobile app frameworks such as Google’s Flutter
• Identifying and exploiting a real-world deep link vulnerability
• Exploring the differences and effectiveness of reverse engineering Android apps through patching Smali, Xposed and dynamic instrumentation with Frida
• Analyzing local storage of an Android app
• Using dynamic instrumentation with Frida to:
  ○ bypass Frida detection mechanisms
  ○ bypass multiple root detection mechanisms

On day 2 we focus on iOS and will begin with an overview of the iOS platform and security architecture (hardware security, code signing, sandbox, Secure Boot, Secure Enclave etc.). After explaining what an IPA container is and the iOS file system structure, we start creating an iOS testing environment with Corellium and deep dive into various topics and techniques, including:

• Analyzing iOS applications that use non-HTTP traffic, including ways of intercepting the traffic
• Frida crash course to kick-start dynamic instrumentation for iOS apps
• Bypassing SSL pinning with SSL Kill Switch and Objection
• Testing methodology with a non-jailbroken device by repackaging an IPA with the Frida Gadget
• Testing stateless authentication mechanisms such as JWT in an iOS application
• Using Frida for runtime instrumentation of iOS apps to bypass:
  ○ anti-jailbreaking mechanisms
  ○ Frida detection mechanisms
  ○ and other client-side security controls

The course consists of many different labs developed by the instructor and the course is roughly 50% hands-on and 50% lecture.

At the end of each day a small CTF will be played to investigate an app with the newly learned skills, and you will have the chance to win a prize!

After successful completion of this course, students will have a better understanding of how to test for vulnerabilities in mobile apps, how to mitigate them and how to execute tests consistently. The course is based on the OWASP Mobile Security Testing Guide (MSTG) and is conducted by one of the authors himself. The OWASP MSTG is a comprehensive and open source guide about mobile security testing for both iOS and Android.

Attendees will be provided with the following content:

- All slides in PDF format used for Day 1 and Day 2
- Virtual Machine that includes all tools needed
- Several iOS and Android Apps that are used for the exercises


The following prerequisites need to be fulfilled by the students in order to be able to follow all exercises and fully participate:
• Laptop (Windows/Linux/macOS) with at least 8 GB RAM and 40 GB of free disk space
• Full administrative access, in case of any issues with the laptop environment (e.g. to deactivate AV or firewall)
• Virtualization software (e.g. VMware, VirtualBox); a VM will be provided as OVA with all tools needed for the training
• Stable internet connection with at least 50 Mbps

An Android hardware device is not needed by the participants. The Android hands-on exercises of the training will instead be executed in Corellium, a cloud-based virtualized environment that allows attendees to access a rooted Android device during the training. One Android instance will be provided for each participant.

An iOS device is also not needed, as an emulated and jailbroken iOS instance will be provided for each student that is hosted in Corellium.

I will offer support 1 week before the training for all students, to make sure that the setup is up and working prior to the training.

Students will enjoy the training the most if they have a basic understanding of mobile apps and the command line, an interest in security and a desire to learn new things!

Sven is the Technical Director of F-Secure Singapore and has hands-on experience in attacking and defending web and mobile apps for the last 10+ years. He became specialised in Application Security and has supported and guided software development projects for Mobile and Web Applications during the whole SDLC.

Besides his day job, Sven has been one of the core project leaders and authors of the OWASP Mobile Security Testing Guide (MSTG) and OWASP Mobile Application Security Verification Standard (MASVS) since 2016, and has created the OWASP Mobile Hacking Playground. Sven gives talks and workshops about mobile security worldwide to different audiences, ranging from developers to students and penetration testers.

Pentesting Industrial Control Systems (closed)

Arnaud Soullié (RS formation et conseil)

In this intense 2-day training, you will learn everything you need to start pentesting Industrial Control Networks. We will cover the basics to help you understand the most common ICS vulnerabilities. We will then spend some time learning and exploiting Windows & Active Directory weaknesses, as most ICS are controlled by Windows systems.
We will cover the most common ICS protocols (Modbus, S7, OPC…), analyze packet captures and learn how to use these protocols to talk to Programmable Logic Controllers (PLCs). You will learn how to program a PLC, to better understand how to exploit them.
The training will end with a challenging hands-on exercise: The first CTF in which you capture a real flag! Using your newly acquired skills, you will try to compromise a Windows Active Directory, pivot to an ICS setup to take control of a model train and robotic arms.
Moreover, the training doesn’t stop on the last day! Each participant will receive 30-day access to an e-learning portal, which allows you to watch the training content on video as well as to perform all the exercises on a cloud platform.

Arnaud Soullié (@arnaudsoullie) is a manager at Wavestone. For 10 years he has been performing security audits and pentests on all types of targets. He specializes in Industrial Control Systems and Active Directory security. He has spoken at numerous security conferences on ICS topics: BlackHat Europe, BruCon, 4SICS, BSides Las Vegas, DEFCON... He is also the creator of the DYODE project, an open-source data diode aimed at ICS.


René 'Lynx' Pfeiffer (DeepSec Conference)

This is your welcome to the second DeepSec conference during a global pandemic. Since the beginning of 2020, a lot of issues known from information technology have crossed over to the real world – even without the Metaverse. The opening is just a short recapitulation of what happened so far and why we should put our efforts into defending networks and computer systems.

René „Lynx“ Pfeiffer was born in the year of Atari's founding and the release of the game Pong. Since his early youth he started taking things apart to see how they work. He couldn't even pass construction sites without looking for electrical wires that might seem interesting. The interest in computing began when his grandfather bought him a 4-bit microcontroller with 256 byte RAM and a 4096 byte operating system, forcing him to learn Texas Instruments TMS 1600 assembler before any other programming language.

After finishing school he went to university to study physics. He then collected experiences with a C64, a C128, two Commodore Amigas, DEC's Ultrix, OpenVMS, and finally GNU/Linux on a PC in 1997. He has been using Linux since then and still likes to take things apart and put them together again. Freedom of tinkering brought him close to the Free Software movement, where he puts some effort into the right to understand how things work – which he still does.

Intelligence? Smartness? Emotion? What do We Expect from Future Computing Machinery?

Univ. Prof. Mag. Dr. Gabriele Kotsis (Johannes Kepler University Linz)

Artificial intelligence (AI) is one of the key technologies for dramatic change processes in the next 30 years. Research on the development of AI is driven by scientific and political ambitions, accompanied by great hopes and fears. What does it mean to live and work with such a form of intelligence? How will computing machinery evolve within the next decades? What can and should computer societies consider to ensure a positive development from both a technological and a societal point of view? These are some of the questions that will be addressed in this keynote.

Gabriele Kotsis is Full Professor in Computer Science and President of the ACM. She received her PhD from the University of Vienna in 1995, honored with the Heinz Zemanek PhD award. After visiting professor positions at the Business Schools in Vienna and Copenhagen in 2001/2002, she joined Johannes Kepler University Linz as head of the Department of Telecooperation. Her scientific contributions include seminal work in the field of workload characterisation for parallel and distributed systems and in performance management of computer systems with a specific focus on ubiquitous computing environments and cooperative systems. In 2014, Kotsis was recognized as ACM Distinguished Scientist for her scientific contributions. From 2003 to 2007 she was President of the Austrian Computer Society, and from 2007 to 2015 Vice-Rector for Research at JKU. Gabriele has been JKU's representative (2016-2018) and National Coordinator (since 2019) for Austria in the ASEA-UNINET academic research network.

How to Choose your Best API Protection Tool? Comparison of AI Based API Protection Solutions

Vitaly Davidoff (JFrog)

As the world becomes more and more connected, application security becomes an important concern, especially in the Internet of Things (IoT), Application Programming Interface (API), and microservices spaces. In addition, proper access management needs to be seriously addressed to ensure company assets are securely distributed and deployed.

There are many tools on the market providing AI-based API protection and anomaly detection, but what really works? How do you choose the best solution? During my talk, I will share results from my research reviewing the different architecture approaches and AI solutions introduced by various popular tools on the market, from WAFs to workload protection systems.

Vitaly has about 15+ years' experience as a developer and more than 8 years in the application security field. He is Applications Products Security lead at JFrog TLV Israel. In this position he is responsible for providing application security solutions for many products, including analyzing security risks in multidisciplinary systems according to the customer system characterization, defining required security controls to handle identified security threats, performing code and design reviews, threat modeling and many other activities. He holds CISSP and CSSLP certificates.

Those Among Us - The Insider Threat facing Organizations

Robert Sell (Trace Labs)

The cost of insider threats is rising, with a 31% increase from $8.76 million in 2018 to $11.45 million in 2020. In addition, the number of incidents has increased by a staggering 47% in just two years, from 3,200 in 2018 to 4,716 in 2020. This data shows that insider threats are a growing risk that is still often under-addressed in organizations' cybersecurity (especially when compared with external threats). Perhaps this is because it is hard to imagine that a trusted coworker could be siphoning corporate secrets from the company you both work for. Yet this act is more common than you think. There are many levels of insider threats, some much more harmful than others. Robert takes us on a journey that first outlines the many different kinds of insider threats, everything from accidental to espionage. He then discusses how to detect them and what companies can do about them. Having worked in the information security industry for 20 years in various fields and positions, Robert has seen many insider threat incidents and the damage they can do to a company. Today more than ever, companies are susceptible to this risk, yet few seem able to detect and mitigate it. In this talk, Robert draws upon his experiences to outline some of the telltale signs of insider threats and some of the many ways they can be detected early. He also discusses company culture and how to prevent the damage that insider threats can cause. Robert also integrates some great industry examples as learning aids to show the audience the damage insider threats have done. The talk finishes with a checklist of mitigation strategies that companies can apply to greatly improve their position and safeguard their secrets. There are many great talks out there on social engineering; however, all of these are focussed on an outside entity tricking the employees to get access. This talk looks at those amongst us who are already trusted employees and how to manage that risk.

Robert is the founder and president of the Trace Labs non-profit organization, which crowdsources open source intelligence (OSINT) to help locate missing persons. He has spoken at conferences and podcasts around the world on subjects such as social engineering, open source intelligence, physical security and other topics. Robert primarily works in the aerospace industry, where he assists newly acquired organizations in securing their environments. This includes all aspects of security in regions around the world. In 2017 and 2018 he competed at the Social Engineering Village Capture the Flag contest, placing third both years. In 2018, he actually ran his own Trace Labs OSINT CTF while participating (and placing 3rd) in the SECTF at Defcon Vegas. Robert is also a ten-year volunteer with Search and Rescue in British Columbia, Canada. In his search & rescue capacity, Robert specializes in tracking lost persons and teaching first responders how to leverage OSINT.

Ethics in Security Research – The Good, the Bad and the Ugly

Dr. Katharina Krombholz (CISPA Helmholtz Center for Information Security)

In recent years, the top security conferences have started to add ethics statements to their call for papers. It has become common practice to obtain ethics votes for human subjects studies in security research. But what about everything else, such as offensive security research, large scale measurement studies or adversarial machine learning? In this talk, I discuss good, bad and ugly examples of how ethics are handled in security & privacy research. I will also present actionable recommendations to ensure ethical and responsible research practices that are essential to build and break systems without causing harm.

Katharina Krombholz is faculty at the CISPA Helmholtz Center for Information Security in Saarbrücken, Germany, where she leads the usable security research group. Besides that, Katharina is a member of the Ethics Review Board (ERB) of the Faculty for Mathematics and Computer Science at the University of Saarland and is currently establishing a dedicated ethics board for security research at CISPA.

Releasing The Cracken – A Data Driven Approach for Password Generation

Or Safran, Shmuel Amar (Proofpoint)

By now, it should be well known that passwords are like underwear: they should be changed often, the longer the better, and it's better not to leave them lying around.
While the big players are advocating for passwordless authentication, passwords are still the most common authentication method. In the wild, we've seen thousands of organizations experiencing password spraying and brute-force attacks on their users. Although MFA should mitigate some of the threats, it's still not implemented on all protocols and in some cases has been bypassed by security flaws in the IdP.

In this talk, we'll present a new concept for password security, smartlists, built on a new data-driven approach that utilizes recent advancements in NLP. Together with this talk, we are proud to release a new FOSS tool, written in Rust, that makes these new concepts practical and easy to use by generating 200M+ password candidates per second.

Or Safran is an experienced and passionate security researcher working for Proofpoint at the Israel R&D site as a security researcher for cloud applications, and enjoys publishing his findings in blogs and technical talks. Prior to Proofpoint, Or worked as a malware researcher and reverse engineer for IBM cybercrime research labs. In his free time, he likes to break stuff while trying to dump its firmware, tinkers with hardware projects and plays online games.

Shmuel Amar is an experienced software architect working for Proofpoint at the Israel R&D site. During his free time, Shmuel likes to crack passwords for fun. Shmuel is part of the BIU NLP research lab completing his MSc.

Building a Cybersecurity Workforce: Challenges for Organizations

Matthieu J. Guitton, PhD, FRAI (Université Laval)

The shift of human activities from offline to online spaces has major impacts on organizations, public or corporate, in terms of security, creating a constantly growing need for cybersecurity experts. Although for small companies expertise can come from external providers, large organizations need to build their own cybersecurity workforce. For companies, the limited number of higher-education programmes leads to tension in the employment market and to the recruitment of people whose expertise is not primarily in cybersecurity. Furthermore, cybersecurity often focuses on technical aspects and does not always deal enough with the human factor, although the human factor is critical for companies and other large organizations.

This presentation will explore the challenges related to building a cybersecurity workforce from the point of view of organizations. We will discuss how to build a workforce that can take on both the mission of first-line defenders and the mission of educating the other company members, ranging from its senior staff to the basic workers, and how cybersecurity can be operationally articulated between security services and IT professionals.

Matthieu J. Guitton is Secretary (Vice-Dean) of the Faculty of Medicine, Full Professor at the Faculty of Medicine and at the Graduate School of International Studies at Université Laval (Quebec City, QC, Canada), Fellow of the Royal Anthropological Institute, and Senior Researcher/Group Leader at the CERVO Brain Research Center (Quebec City, QC, Canada). He is the Editor-in-Chief of Computers in Human Behavior (Elsevier's leading journal in the field of cyberpsychology), and of Computers in Human Behavior Reports, and serves on several other editorial boards, such as Current Opinion in Behavioral Sciences. A graduate from the University of Rouen and Université Pierre et Marie Curie - Paris VI, he obtained his PhD from the University of Montpellier (France) and was a Koshland Scholar/Postdoctoral Fellow of Excellence at the Weizmann Institute of Science (Israel). He has published over 120 research papers, book chapters, or editorials on subjects ranging from neuropharmacology and health sciences to cyberpsychology, cyberbehavior, or security issues. His most recent works have appeared in journals such as Computers in Human Behavior, the International Journal of Intelligence and CounterIntelligence, or the International Journal of Intelligence, Security, and Public Affairs.

Reversing and Fuzzing the Google Titan M Chip

Damiano Melotti (Quarkslab)

Google recently introduced a secure chip called Titan M in its Pixel smartphones, allowing the implementation of a Trusted Execution Environment (TEE) in Tamper Resistant Hardware. TEEs have been proven effective in reducing the attack surface exposed by smartphones, by protecting specific security-sensitive operations. However, studies have shown that TEE code and execution can also be targeted and exploited by attackers, therefore studying their security lays the basis of the trust we have in the features that they bring.

In this paper, we provide the first security analysis of the Titan M. We start by reverse engineering the firmware and reviewing the open source code in the Android OS responsible for the communication with the chip. By exploiting a known vulnerability, we then dynamically examine the memory and the internals of the chip. Finally, leveraging the acquired knowledge, we design and implement a structure-aware black-box fuzzer.

Using our fuzzer, we rediscover several known vulnerabilities after a few seconds of testing, proving the effectiveness of our solution. In addition, we find and report a new vulnerability in the latest version of the firmware.

Damiano Melotti is a Security Researcher at Quarkslab. His interests range from systems security (especially Android) to fuzzing, reversing and security engineering in general. He also enjoys playing CTFs and reached the Italian finals of the CyberChallenge competition with the University of Trento team in 2020.

Post-quantum Encryption System for 5G

Maksim Iavich (SCSA)

Nowadays, many leading scientists and experts are actively working on the creation of quantum computers. On October 23, 2019, Google announced that it had achieved quantum supremacy. This means a great speedup of the quantum processors compared to the fastest classical computer. On December 06, 2020, scientists in China announced that they too had achieved quantum supremacy. Quantum computers will probably break most cryptosystems that are widely used in practice. A variety of "quantum-attack-resistant" alternatives have been developed. These alternatives are hash-based, code-based, lattice-based and multivariate crypto schemes. However, to date a number of successful attacks on these schemes have been recorded. It has also been shown that these schemes have efficiency problems.

The amount of traffic carried over wireless networks and the number of mobile devices (including IoT) are growing rapidly, driven by many factors. The telecoms industry is undergoing a major transformation towards 5G networks in order to fulfill the needs of existing and emerging use cases. The vision of 5G wireless networks lies in providing very high data rates and higher coverage through dense base station deployment with increased capacity, significantly better Quality of Service (QoS), and extremely low latency. To provide the services envisioned by 5G, novel networking, service deployment, storage and processing technologies will be required. These technologies will bring new challenges for 5G cybersecurity systems and their functionality. The 3rd Generation Partnership Project (3GPP) offers a standard for 5G networks. It contains an identity protection scheme, which addresses the important privacy problem of permanent subscriber-identity disclosure. This scheme has two stages: the identification stage, followed by establishing the security context between service providers and mobile subscribers using authenticated key agreement with a symmetric key. 3GPP proposes to protect the identification stage by means of a public-key scheme, namely the Elliptic Curve Integrated Encryption Scheme (ECIES). The proposed scheme is not secure against attacks by quantum computers. It is therefore important to integrate a quantum-resistant scheme into 5G networks.

At DeepSec, a post-quantum encryption system, which will be secure against attacks by quantum computers, will be presented and analyzed. The methodology for integrating the encryption system into the identification stage of 5G will be shown. The implementation of the scheme will be explained.

Maksim Iavich holds a PhD in mathematics and is a professor of computer science. He is the CEO & President of the Scientific Cyber Security Association (SCSA). Maksim is an affiliate professor and the head of the cyber security division at Caucasus University. Maksim is a cyber security consultant for Georgian and international organizations. He speaks at international cyber security conferences and is the organizer of many scientific cyber security events. He has many scientific awards in the cyber security field. Maksim is the author of many scientific papers. The topics of the papers are cyber security, cryptography, post-quantum cryptography, quantum cryptography, 5G security, mathematical models and simulations.

Uncovering Smart Contract VM Bugs Via Differential Fuzzing

Dominik Maier (TU Berlin)

The ongoing public interest in blockchains and smart contracts has given rise to a multitude of different blockchain implementations. The rate at which new concepts are envisioned and implemented makes it hard to vet their security. Still, people put their trust and money into chains that may lack proper testing. However, smart contract platforms, executing untrusted code, are complex by design. A behavior deviation for edge cases of single opcodes is a critical bug class in this brave new world. It can be abused for Denial of Service against the blockchain, chain splits for double-spending, or direct attacks on applications operating on the blockchain. In this paper, we propose an automated methodology to uncover such differences. Through coverage-guided and state-guided fuzzing, we explore smart contract virtual machine behavior against multiple VMs in parallel. We develop NeoDiff, the first framework for feedback-guided differential fuzzing of smart contract VMs. We discuss real monetary consequences our tool prevents. NeoDiff can be ported to new smart contract platforms with ease. Apart from fuzzing Ethereum VMs, NeoDiff found a range of critical differentials in VMs for the Neo blockchain. Moreover, through a higher-layer semantics mutator, we uncovered semantic discrepancies between Neo smart contracts written in Python and classic CPython. Along the way, NeoDiff uncovered memory corruptions in the C# Neo VM.


Critical Infrastructure (KRITIS) in Cyberspace - Complex and Dangerous?

Manuel Atug (HiSolutions AG)

Critical infrastructures are slowly but continuously being globalized and digitized. More and more IT components are being used in production environments where previously only operational technologies and mechanical processes were intended. What are the effects of actions and legislation in cyberspace in relation to KRITIS? What are the risks and side effects to watch out for? And are these actually being observed? Which solutions assure us that we will still be able to drink a digitally supported glass of water?

Manuel Atug is an expert for critical infrastructure. He works for HiSolutions AG, Berlin, Ger-

Running an AppSec Program in an Agile Environment

Mert Coskuner (Amazon)

Application security in an enterprise is a challenge. We can see this when we look at the statistics: There have been 16648 security vulnerabilities (CVEs) published so far in 2020 and the average severity is 7.1 out of 10.

In this talk, you will find various solutions such as
- Development team risk scoring based on maturity and business aspects,
- SAST/DAST in the CI/CD pipeline without blocking the pipeline itself,
- How to leverage a bug bounty program,
- When to employ penetration testing,
- When to employ code review,
- Platform developments that remove developers' dependency on implementing security features themselves, e.g. internal authorization.

Most important of all, you will see these solutions lead to minimal friction within the team, which creates a fine-tuned security program.

Mert Coskuner, MSc is a Security Engineer at Amazon. He maintains a Penetration Testing and Malware Analysis blog at medium.com/@mcoskuner. In his free time Mert Can performs mobile malware research and threat intelligence.

WAFL: Binary-Only WebAssembly Fuzzing with Fast Snapshots

Keno Haßler (TU Berlin)

WebAssembly, the open standard for binary code, is quickly gaining adoption on the web and beyond. As the binaries are often written in low-level languages, like C and C++, they are riddled with the same bugs as their traditional counterparts. Minimal tooling to uncover these bugs on Wasm binaries exists. In this paper we present WAFL, a fuzzer for Wasm binaries. WAFL adds a set of patches to the WAVM WebAssembly runtime to generate coverage data for the popular AFL++ fuzzer. Thanks to the underlying JITing WAVM, WAFL is already very performant. WAFL adds lightweight VM snapshots. By replacing forks, traditionally used in AFL++ harnesses, with WAFL’s snapshots, WAFL harnesses can even outperform native harnesses with compile-time instrumentation in raw fuzzing performance. To the best of our knowledge, WAFL is the first coverage-guided fuzzer for binary-only Wasm, without the need for source.

Keno Hassler is an M.Sc. Student of Computer Science at TU Berlin with a major in Embedded Systems and Computer Architecture. He is specializing in Computer Security and currently working on his Master Thesis on the subject of greybox fuzzing for WebAssembly binaries. In his first academic paper, he presents the results of this research.

Intercepting Mobile App Network Traffic aka “The Squirrel in the Middle”

Sven Schleier (OWASP Project Leader of Mobile Security Testing Guide (MSTG) and Mobile AppSec Verification Standard)

Sven wants to take a deep dive into intercepting the network communication of mobile apps and their APIs, and tries to cover all the different kinds of challenges you might face when doing the same.

You might think now: What’s the problem here? I configure Burp Suite, install the Burp Certificate Authority (CA) on the mobile device and set the system proxy to point to Burp and case closed.

This is definitely true, but it will only cover the "ideal" case! What about the following use cases:

- The app is built in Flutter or Xamarin. If that's the case, the app will not use the system proxy but bypass it, so the proxy you set in iOS and/or Android will be ignored by the app.
- Not every app relies on HTTP; especially to avoid the overhead of HTTP, raw TCP might be used. You can also sometimes see XMPP or other protocols. As the system proxy that you set in iOS and/or Android only covers HTTP(S), other protocols will never be sent to Burp, and even if you find a way to route them to Burp, Burp will not be able to process and display them, as Burp only understands HTTP.
- You might not be able to use a jailbroken or rooted device in the client's network.

These are only some of the challenges you might face when trying to intercept the communication of a mobile app to become a Man-in-the-Middle.

This talk will present and follow a methodology for intercepting the network communication between a mobile app and its APIs, and wants to enable the audience to tackle all the potential use cases described above. In order to do this, the talk will give detailed technical demos that overcome the challenges and allow you to master them.

Why "Squirrel-in-the-middle"? You will find out in the talk :-)

Sven made several stops at big consulting companies and small boutique firms in Germany and Singapore, became specialised in Application Security, and has supported and guided software development projects for mobile and web applications throughout the whole SDLC.

Besides his day job Sven is one of the core project leaders and authors of the OWASP Mobile Security Testing Guide (MSTG) and OWASP Mobile AppSec Security Verification Standard (MASVS) and has created the OWASP Mobile Hacking Playground. Sven is giving talks and workshops about Mobile Security worldwide to different audiences, ranging from developers to students and penetration testers.

Large-scale Security Analysis Of IoT Firmware

Daniel Nussko (Freelancer)

Today, the number of IoT devices in both the private and corporate sectors is steadily increasing. IoT devices like IP cameras, routers, printers, and IP phones have become ubiquitous in our modern homes and enterprises. To evaluate the security of these devices, a security analysis has to be performed for every single device. Since manual analysis of a device and reverse engineering of a firmware image is very time-consuming, this is not practicable for large-scale analysis.

To be able to conduct a large-scale study on the security of embedded network devices, an approach was applied that allows a high number of firmware images to be statically analyzed. For data acquisition, a crawler was used to identify and retrieve publicly available firmware images from the Internet. In this way, more than 10,000 individual firmware images have been collected. The firmware was then automatically unpacked and analyzed regarding security-relevant aspects.

For the first time, this research provides insights into the distribution of outdated and vulnerable software components used in IoT firmware. Furthermore, a comprehensive picture of the use of compiler-based exploit mitigation mechanisms in applications and libraries is given. Factory default accounts were identified, and their passwords recovered as far as possible. Also, a large amount of cryptographic material was extracted and analyzed. Besides, a backdoor has been discovered in the firmware of several products that allows remote access to the devices via SSH after triggering the functionality. The backdoor has been verified and confirmed by the vendor and two official CVE numbers have been assigned.

The results of this large-scale analysis provide an interesting overview of the security of IoT devices from 20 different manufacturers. IoT firmware was analyzed regardless of device type or architecture and a broad picture of their security level was obtained.

Daniel Nussko is an independent security researcher and information security professional with years of progressive experience in cyber security. His main expertise lies with the penetration testing of enterprise networks and web applications. He holds a Master's degree in IT Security from University of Offenburg in Germany. When not involved in customer projects, he enjoys doing research in the field of IoT security.

SSH spoofing attack on FIDO2 Devices in Combination with Agent Forwarding

Manfred Kaiser (Bundesministerium für Landesverteidigung)

With OpenSSH 8.5 agent forwarding was implemented for SFTP and SCP to allow remote copy operations. Agent forwarding has already been considered a security risk for years, but in some special use cases it seems to be more secure than stored private keys on an exposed server.

Since OpenSSH 8.2 a private key can be protected with a FIDO2 token. With a FIDO2-secured key, each usage has to be confirmed with a press on a hardware button. This should prevent an attacker from abusing the key when agent forwarding is used.

In this talk a spoofing attack is presented which allows an attacker to abuse a FIDO2-protected key to log in to another server. A patch for OpenSSH and PuTTY which mitigates this spoofing attack is also shown.

PuTTY has accepted our patch, which enhances the existing spoofing attack mitigation. Many SFTP clients like WinSCP use PuTTY as a library, and our patch allows other applications to use the new spoofing mitigation.

OpenSSH does not consider spoofing attacks a vulnerability that has to be mitigated by the client. This is the reason why this spoofing attack is not mitigated by OpenSSH's client. We present some strategies for mitigating this kind of spoofing attack with OpenSSH.

Manfred Kaiser works for the BMLV. He is responsible for creating security software.

Proactive SIMs

David Burgess (-)

The SIM is a complete computer system that has its own relationship with the cellular network, independent of the application processor. We will look at some examples of so-called proactive SIM behavior and their security implications.

David Burgess has worked in telecommunications since 1998, first in signals intelligence and then in commercial network equipment. He is probably best known as the primary author of OpenBTS, but has written complete stacks for other cellular radio protocols as well. David’s company, Legba, provides mobile network equipment and test equipment for small network operators, embedded systems developers, and special applications. David also writes about telecommunications and does occasional work as an expert in legal cases.

State Malware: When Cops Play Hackers

Andre Meister (netzpolitik.org)

IT security is hard. But while many institutions try to improve security, some government institutions are actively working to weaken IT security. This takes many forms: government backdoors, legal attacks on encryption, and offensive hacking with exploits and 0-days. This talk gives an overview over the most important developments, and tries to escape the German perspective of the speaker.

Andre Meister is an investigative journalist at netzpolitik.org. He works a lot on government surveillance capabilities and has been tracking state malware for many years.

QKD-based Security for 5G and Next Generation Networks

Sergiy Gnatyuk, PhD. DSc. (-)

The implementation of modern information and communication technologies (ICT) in all spheres of human activity, as well as the increasing number and power of cyber-attacks on them, make the cyber security of the developed digital state vulnerable and weak. Cyber-attacks have become targeted (so-called APT attacks) and attackers carefully prepare them, analyzing the identified vulnerabilities and all possible ways of attack. The security and defense capabilities of the state are now considered in an additional fifth domain called cyberspace (after land, air, sea and space); the world's leading states develop strategies to protect cyberspace, create cyber troops, and develop and test cyber weapons. A significant number of cyber-attacks today are aimed at critical infrastructures and government organizations.

Traditional security methods (in particular, cryptographic algorithms) do not fully protect against all currently known attacks; they are potentially vulnerable to attacks based on quantum algorithms (Shor's, Grover's, Deutsch-Jozsa etc.). These methods are based on the fundamental impossibility for an attacker to solve some complex mathematical problem (unordered database search, factorization, logarithms in large discrete fields etc.) in polynomial time. But the increase in the computational power of advanced ICT, as well as the potential "quantum computer in the hands of an attacker", is a security and privacy threat and encourages the search for alternative security methods that will remain secure in the post-quantum period. Such alternative approaches can be methods of quantum and post-quantum cryptography. Quantum cryptography (Quantum Key Distribution, QKD) does not depend on the computational power of an attacker; it uses the specific unique properties of quantum particles and is based on the inviolability of the laws of quantum physics. The main advantages of QKD are the ability to detect an attacker and to ensure information-theoretic security. QKD includes the following protocols: protocols using single (non-entangled) qubits and qudits (d-level quantum systems, d>2); protocols using phase coding; protocols using entangled states; decoy state protocols and others.

The world's leading QKD company ID Quantique has developed many QKD systems, QRNGs and quantum-safe security devices, and has implemented these systems in 5G deployment projects with SK Telekom, British Telecom, Deutsche Telecom and other cellular operators. Today QKD is an important part of 5G and next generation networks.

At DeepSec, a QKD-based security system for the post-quantum period will be presented and analyzed. The impact of quantum computing on cryptography (secret key cryptography, public key cryptography, hash functions) will be assessed and analyzed. The author's QKD / QSDC protocols and additional security procedures will be presented. The methods of QKD integration into different 5G network slices will be shown and explained.

Sergiy Gnatyuk holds a PhD and a DSc (second academic research degree in Ukraine) in cybersecurity, and is Professor in Computer Science. Sergiy is Professor and Vice-Dean of the Faculty of Cybersecurity, Computer and Software Engineering at National Aviation University as well as Scientific Advisor of the NAU Cybersecurity R&D Lab (http://cyberlab.fccpi.nau.edu.ua/). Sergiy is also a cybersecurity expert and consultant for state and private Ukrainian and international organizations. He has been a speaker at and organizer of many international cybersecurity events, and has many books, patents and papers. The topics of the papers and books are cybersecurity, QKD, 5G and NGN security, incident response, CIIP and others.

Real-Time Deep Packet Inspection Intrusion Detection System for Software Defined 5G Networks

Dr. Razvan Bocu (Transilvania University of Brasov, Romania, Department of Mathematics and Computer Science)

The philosophy that founds the world of the Internet of Things apparently becomes essential for the projected permanently connected world. The 5G data networks are supposed to dramatically improve the actual 4G networks’ real world significance, which makes them fundamental for the next generation networks of IoT devices. The academic and industrial effort to improve the 5G technological standards and security mechanisms considers various routes. Thus, this proposed talk aims to present the state-of-the-art concerning the development of the standards that model the 5G networks. It values the author's experience that was gathered during the implementation of the Vodafone Romania 5G networked services. It puts this acquired experience in context by reviewing the relevant similar contributions, the relevant technologies, and it describes the research directions and difficulties that will probably influence the design and implementation of secure large 5G data networks.

Consequently, this talk presents a machine learning-based real-time intrusion detection system that is based on deep inspection of the data packets, which has been effectively tested in the context of a 5G data network. The intelligent intrusion detection system considers the creation of software-defined networks, and it uses artificial intelligence-based models. It is able to proactively detect unknown intrusion patterns through the usage of machine learning-based software components. The system has been assessed and the results prove that it achieves superior performance with lower overhead in comparison to similar approaches, which allows it to be effectively deployed on real-time 5G networks.

Dr. Razvan Bocu, Transilvania University of Brasov, Department of Mathematics and Computer Science, 500091, Romania (razvan.bocu@unitbv.ro). Dr. Bocu is a Research and Teaching Staff Member in the Department of Mathematics and Computer Science, the Transilvania University of Brasov, Romania. He received a B.S. degree in Computer Science from the Transilvania University of Brasov in 2005, a B.S. degree in Sociology from the Transilvania University of Brasov in 2007, an M.S. degree in Computer Science from the Transilvania University of Brasov in 2006, and a Ph.D. degree from the National University of Ireland, Cork, in 2010. He is the author or coauthor of 33 technical papers, together with four books and book chapters. Dr. Bocu is an editorial reviewing board member of seven high-profile technical journals in the field of Information Technology and Biotechnology.

The Black Box in your Data Center

Kai Michaelis (immune GmbH)

Proprietary BIOS/UEFI firmware has been the de facto standard for most data center devices over the last three decades. Firmware and platform technologies are still closed-source and lack transparency. We will show what kind of attack surface your firmware exposes and how supply chain security plays a huge role in this scenario.

We will give you a good understanding of how firmware and platform security work in-depth and what tremendous impact firmware security has on threats like ransomware.

Finally, we will present solutions for regaining control at the firmware level and show how you can contribute to changing the hardware development industry.

Kai Michaelis is co-founder and CTO of immune GmbH, which set out to build a solution for platform and supply chain security. He is also a co-founder of the Open Source Firmware Foundation. He earned a Master's degree in computer security in 2018 from Ruhr University Bochum and has previously worked on GnuPG and Sequoia PGP.

Firmware Surgery: Cutting, Patching and Instrumenting Firmware for Debugging the Undebuggable

Henrik Ferdinand Nölscher (Noelscher Consulting GmbH)

Embedded systems can be challenging to analyze. Especially on automotive systems, many things we take for granted with other software, such as debugging and tracing, do not always work. This is further complicated by watchdogs and peripheral processors that go haywire when strict timing and communication requirements are violated. On some systems, debugging is even impossible because debugging resources such as pins are either used for something else or do not exist at all!
Assuming that code can be dumped, the solution can be emulation; however, emulating a rich automotive system can be painful, and often only a few aspects of the system can be sufficiently modeled.
What if there was an in-between? How can we debug, fuzz and tamper with embedded firmware without access to real-time debugging or emulation?
In this talk, I will show a tool that uses a simple but smart binary instrumentation method and a new, pythonic assembler to automatically patch large firmware binaries, enhancing them with interactive backdoors as well as function- or basic-block trace capabilities.
Along the way, I share some tricks that can be used to make targets easier to work with (regardless of whether they are being instrumented) and explore further applications of the tool outside of the automotive realm. The tool is released specifically for DeepSec.

Ferdinand has been very passionate about information security ever since he was young. He specializes in hardware security and reverse engineering techniques and enjoys spending his time analyzing the most challenging security aspects of embedded systems. In the past, he has spoken at Usenix WOOT and Blackhat Arsenal and, along with his great colleagues, he has completed numerous embedded security projects involving secure boot audits, fault injection attacks and binary reverse engineering. He previously worked at companies such as Nio and Code White; right now, he is busy finding bugs and securing embedded systems at Noelscher Consulting GmbH.

Hunting for LoLs (a ML Living of the Land Classifier)

Boros Tiberiu (Adobe)

The talk focuses on detecting attacker activity/Living of the Land commands using Machine Learning, for both Linux and Windows systems.
Classic LoL detection mechanisms are noisy and somewhat unreliable, since the high number of False Positives makes it hard to keep track of what is of interest from the perspective of security analysts. So, we made a robust, dynamic, high confidence open source project to fix this!

Tiberiu Boros is a Ph.D. in computer science, specifically in the field of Text-to-Speech (TTS) Synthesis. He is currently working for Adobe Systems Romania and is a former associate of the Research Institute for Artificial Intelligence of the Romanian Academy. Additionally, he maintains two Machine Learning open source projects (Stringlifier, OSAS, NLP-Cube). His research is focused on applied Natural Language and Speech Processing.

Hunting for LoLs (a ML Living of the Land Classifier)

Tiberiu Boros, Andrei Cotaie (Adobe)

Living of the Land is not a brand-new concept. The knowledge and resources have been out there for several years now. Still, LoL is one of the preferred approaches when we are speaking about highly skilled attackers or security professionals. There are two main reasons for this:

  • Experts tend not to reinvent the wheel
  • Attackers like to keep a low profile/footprint (no random binaries/scripts on the disk)

The talk focuses on detecting attacker activity/Living of the Land commands using Machine Learning, for both Linux and Windows systems.
Most AV vendors do not treat the command itself (from a syntax and vocabulary perspective) as an attack vector. And most log-based alerts are static, have a limited spectrum and are hard to update.
Furthermore, classic LoL detection mechanisms are noisy and somewhat unreliable:

(a) they are dependent on the experience of the SME (Subject Matter Expert) that creates them;

(b) they generate a high number of False Positives (because of the thin line in terms of tools and syntax between sysadmin operations and attacker operations);

(c) their rules grow organically, to the point where it is easier to retire and rewrite rather than maintain and update.

So, we made a robust, dynamic, high confidence project to fix this! We used Open-Source data, real incident data, a handful of Adobe's SME and a lot of research and engineering.
The presentation covers why it is hard to detect LoLs, the feature engineering used in our approach, a comparison between different classifiers, as well as hands-on experience using our library and its integration into one of our previous open-source projects, One-Stop-Anomaly Shop (OSAS - https://github.com/adobe/OSAS). Additionally, we discuss why OSAS and the LoL classifier are complementary solutions and how evading one will lead to being detected by the other.

*This project is scheduled to be open-sourced in August 2021.

Tiberiu Boros is a Ph.D. in computer science, specifically in the field of Text-to-Speech (TTS) Synthesis. He is currently working for Adobe Systems Romania and is a former associate of the Research Institute for Artificial Intelligence of the Romanian Academy. Additionally, he maintains three Machine Learning open source projects (Stringlifier, OSAS, NLP-Cube). His research is focused on machine learning applied to security.

Andrei Cotaie is a Security Engineer specialized in Incident Response. Currently working for Adobe’s Security Coordination Center, Andrei made the transition from the public to the private sector almost 7 years ago. A big fan of automation and machine learning enthusiast, Andrei spends most of his time involved in monitoring and threat hunting projects, always trying to identify the latest unconventional attacks.

Don't get hacked, get AMiner! Smart log data analytics for incident detection

Florian Skopik, Markus Wurzenberger and Max Landauer (Austrian Institute of Technology (AIT))

Monitoring log data for traces of malicious activities has proven to be an effective method for incident detection in cyber security. State-of-the-art detectors thereby frequently apply signature-based detection, meaning that these tools search for specific strings or tokens from threat intelligence databases that are known to correspond to particular attacks.

Unfortunately, signature-based detection is vulnerable even to simple evasion techniques, and is certainly insufficient to disclose previously unknown attack techniques. As a consequence, tools such as the AMiner provide a complementary line of defense by leveraging anomaly detection techniques that use machine learning to automatically learn a baseline of normal behavior and report deviations from the generated models as suspicious activities that possibly relate to attacks.

The log processing pipeline of the AMiner consists of several configurable modules. First, light-weight parser models extract relevant information, such as timestamps, IP addresses, and usernames, from all kinds of logs, including access logs, audit logs, application logs, and more. The AMiner subsequently applies analysis techniques on the parsed data to learn a baseline of normal system events and their properties. On top of that, configurable detectors discover any deviations from this baseline, including detection of new values and value combinations, unusual character distributions of values, changes of event frequencies such as spikes or missing events, violations of expected correlation and sequence rules, as well as detection based on statistical distributions of values and event occurrences, among many others. All disclosed anomalies are eventually reported to security analysts for review and remediation through several interfaces, including message queues to store anomalies in databases or visualize them in SIEM dashboards.

In our talk we will present a broad overview of the AMiner and explain its modules with the aid of several use-cases and hands-on examples.

Florian Skopik, Markus Wurzenberger and Max Landauer are with the Austrian Institute of Technology (AIT), where they develop new concepts, models and algorithms in the field of computer log data analysis and anomaly detection in national and international security research projects. The solution is available on GitHub: https://github.com/ait-aecid/logdata-anomaly-miner
Their new book "Smart Log Data Analytics" describes their work in detail: https://www.springer.com/gp/book/9783030744496

Hacking Modern Desktop apps with XSS and RCE

Abraham Aranguren (7ASecurity LLLP)

If you are the kind of person who enjoys talks with practical information that you can immediately apply when you go back to work, this one is for you, all action, no fluff :)

“Hacking Modern Desktop apps: Master the Future of Attack Vectors” is a desktop app security talk that provides you with case studies from real-world vulnerable applications as well as know-how and techniques to take your desktop app security auditing kung-fu to the next level. It covers attacks and mitigation against desktop apps on Linux, Windows and Mac OS X. The talk focuses on Electron but the techniques covered will be helpful against other desktop platforms, as well as CSP bypasses and other web security techniques. In this talk we will cover the following topics:
● Essential techniques to audit Electron applications
● What XSS means in a desktop application
● How to turn XSS into RCE in Modern apps
● Attacking preload scripts
● RCE via IPC

Come and join us for this 50-minute hacking session, we’re sure you’ll leave with a thirst for more!

Abraham Aranguren: After 13 years in ITsec and 20 in IT, Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Security Trainer at Blackhat USA, HITB, OWASP Global AppSec and many other events. Former senior penetration tester / team lead at Cure53 (cure53.de) and Version 1 (www.version1.com). Creator of "Practical Web Defense" - a hands-on eLearnSecurity attack / defense course (www.elearnsecurity.com/PWD), OWASP OWTF project leader, an OWASP flagship project (owtf.org), Major degree and Diploma in Computer Science, some certs: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+. As a shell scripting fan trained by unix dinosaurs, Abraham wears a proud manly beard. He writes on Twitter as @7asecurity, @7a_, @owtfp or at https://7asecurity.com/blog. Multiple presentations, pentest reports and recordings can be found at https://7asecurity.com/publications

Revenge is Best Served over IOT

Chris Kubecka (Middle East Institute)

Welcome to the new Cold War in the Middle East. In 2012, Iran’s first Shamoon attacks almost crashed every world economy, nearly bringing the world to its knees. Since then, the game of spy vs. spy has intensified digitally with the pandemic accelerating connectivity. Join Chris on a 2.5 year Iranian espionage campaign attempting to recruit her for the most innocent of jobs: teaching critical infrastructure hacking with a focus on nuclear facilities. A journey of old school espionage with a cyber twist. Bribery, sockpuppets, recruitment handlers, propaganda VVIP luxury trip mixed with a little IOT camera revenge and 2021 police protection.

Chris is the Distinguished Chair of the Middle East Institute's Cyber Program and CEO of HypaSec. She has practical and strategic hands-on experience in several cyber warfare and cyber terrorism incidents. She is a former USAF aviator and served in USAF Space Command. She detected and helped to halt the July 2009 Second Wave attacks from the DPRK against South Korea, and helped to recover and reestablish international business operations after the world's most devastating cyber warfare attack, Shamoon, in 2012. She led the incident management when the Saudi Arabian Embassy in The Netherlands was hacked in 2014, which involved the ISIS terrorist group, the city of The Hague and all embassies in the city, negotiating and discovering evidence of a diplomatic insider, which saved over 400 dignitaries' lives.

Assessing and Exploiting ICS

Etizaz Mohsin (Saudi Telecom Company)

All modern control systems have brought a greater security risk for the whole of society. While adding value to the business, one must accept the compromise attached to it. This talk highlights all the security assessment types that need to be performed to minimize the vulnerabilities attackers can use to exploit ICS environments across the globe. We will talk about ICS components (control systems, PLCs, RTOS, IEDs) and ICS attack surfaces (network protocols, maintenance interfaces, radio frequency communication, field devices) and outline the methods to mitigate the threats.

Etizaz Mohsin is an information security researcher and enthusiast. His core interest lies in low level software exploitation in both user and kernel mode, vulnerability research and reverse engineering. He is an active speaker at international security conferences including DEFCON, HITCON, HACTIVITY, DEEPSEC, SECTOR, GREHACK, ARAB SECURITY CONFERENCE, BSIDES etc. He has achieved industry certifications, the most prominent of which are OSCP, OSCE, OSWP, OSWE, OSEE, CREST CRT and CPSA.

Kubernetes Security - Challenge or Chance?

Marc Nimmerrichter (Certitude Consulting GmbH)

For anyone in IT and IT security, there seems to be no way around Kubernetes. Containerization has changed the way software is developed, deployed, and operated. Microservices are the new paradigm. Many information security teams around the world who see the adoption of Kubernetes and microservice architectures in their organization are discussing right now: What do containerization and Kubernetes mean for security, and how do we fit this technology into our existing architectures and processes?

In this talk we will dissect the various components of Kubernetes and how they work technically under the hood. We will investigate common pitfalls and how they could be exploited to gain privileges, take over components or compromise the whole cluster and learn how to avoid these issues.

But let’s not only talk about the risks. There are also new chances for more security with containers and Kubernetes in contrast to previous deployment models and technologies. But only when it’s done right!

Marc Nimmerrichter started specialising in information security during his studies in IT and information security. He has worked for many years as a pentester and IT security consultant, and currently he works as Managing Partner at Certitude Consulting GmbH. He has advised well-known IT service providers, software developers, banks and federal authorities in Europe.

He specialized in Kubernetes security early, at a time when Kubernetes security guides were scarce. Marc has performed Kubernetes security audits for various clients in software development, telecommunications, health care and the public sector.

When Ransomware fails

Sreenidhi Ramadurgam (Cisco Talos)

Ransomware is code written by an attacker to encrypt the victim's files.
Even though ransomware has been around for many years, its popularity has increased since the outbreak of WannaCry, which shook the whole cyber world.

When the logic of ransomware code is observed, a common pattern can be seen. It is similar to how humans interact with the system: to access files, the code first has to access a logical drive. Each logical drive is assigned a letter by the operating system. For example, when code has to access the files on the D drive, it first has to access drive 'D'.

What if there is a logical drive in the system which does not have any letter assigned to it?
Now it is harder to access the files, because the ransomware code is written to access drives by their assigned letters. This is where most ransomware variants fail to encrypt the data.

Guess what? The audience will witness what ransomware cannot encrypt. Yes, you heard it right! Cannot!
Can this be a solution for basic users to back up important files and keep them from being encrypted?
We will see what an attacker might do in the future when ransomware encounters this situation.

I am a Security Researcher at Cisco. I have conducted cybersecurity and malware analysis workshops at universities across India and have delivered talks at Cisco SecCon packet village, 2019 and at BSides Munich/ELBSides 2021.

I actively work on threat hunting, reverse engineering various malware samples and building honeypots to catch threats in the wild. My arsenal includes malware reversing and analysis skills and Metasploit skills, and I also have a strong interest in memory forensics.
I have published blog posts related to interesting findings that I have come across in this domain:
1. https://umbrella.cisco.com/blog/inadequate-security-makes-wordpress-sites-a-land-of-opportunity-for-hackers
2. https://umbrella.cisco.com/blog/cyber-attackers-use-seo-to-spread-malware-through-torrent-files
3. https://umbrella.cisco.com/blog/obfuscation-the-abracadabra-of-malware-authors

Certifications: GREM, CEH, Cisco BlackBelt.

Do You Have a PlugX?

Artem Artemov, Rustam Mirkasymov (Group-IB Europe B.V.)

A deep overview of a tool used by Chinese nation-state APTs, based on a real-life Incident Response case with a big industrial company. The investigation revealed the presence of PlugX in the infrastructure. This presentation gives a full overview of the tool's functionality, its past versions, and its current usage (Thor is a new version of PlugX). We show why it is hard to find and why it is important for big industrial companies. We also talk about our assumption that all recent big attacks, first Sunburst and then the Exchange exploits (ProxyLogon, related to Hafnium), are links of one chain.

Artem Artemov: Head of DFIR Lab, Group-IB Europe. More than 14 years in DF, the last 10 years in Group-IB. Incident responses all over the world; I take part in investigations and arrests of cybercrime groups like Carberp, Buhtrap, Corcow, Cobalt, Cron, Moneytaker and others. I also provide tailored DF courses at several universities.

Rustam Mirkasymov: Head of Cyber Threat Research, Group-IB Europe. 8 years in cyber threat research and threat intelligence. Strong skills in reverse engineering, knowledge in exploit development and understanding software vulnerabilities mechanisms. Author / co-author of numerous APT threat reports (including Lazarus, Silence, Cobalt, MoneyTaker, RedCurl). Experienced speaker at key cyber security media & events.

Information Security Assurance – The Capital C in PDCA

Frank Ackermann (Deutsche Börse AG)

In some organizations 2nd Line of Defense functions are kept in the ivory tower, far away from the machine room and the real security issues the company faces. These functions and their deliverables, e.g. the developed and maintained policy and framework, might be used to manage compliance and feed regulators. But are these outcomes valuable? Is their implementation design- and operationally effective? Do they support the security organization to thrive and prosper?

After Deutsche Börse Group revised its security organization, the 2nd LoD function IS Assurance was established. The function, its framework, the grading approach, the assessment plans, and the validation methods for evidence were developed from scratch – with the holistic goal of further improving the security organization.
Within a short period of time the function was able to assess the first security process and generated an overview of the design and operational effectiveness of the verified subject. Here IS Assurance became a trustworthy partner for the 1st and the 3rd Lines of Defense.
This talk introduces the implemented IS Assurance function of the Deutsche Börse Group, gives insights into lessons learned and challenges, and demonstrates a model to grade operational effectiveness with practical details.

Frank Ackermann has longstanding experience in cyber security and technology. He held diverse expert and lead functions in all three Lines of Defense and willingly challenged the status quo to improve the respective security organizations.
His credo “Security is not my job – it is my passion.” comes along with the strong desire to support further development in the area of Information Security.

Web Cache Tunneling

Justin Ohneiser (Booz Allen Hamilton, Inc)

By using cache poisoning to store arbitrary data, public web caches can be utilized as open ephemeral storage to facilitate anonymous and evasive communication between network clients.

Justin Ohneiser, following a Bachelor's Degree in Mechanical Engineering from the University of Maryland, worked various roles in enterprise software development and computer forensics before spending the last 4 years at Booz Allen Hamilton bringing clients an offensive perspective to information security.

I Will Hide, You Come And Seek - Discovering The Unknown in Known Malwares using Memory Forensics

Shyam Sundar Ramaswami (Senior Research Scientist - Research and Efficacy Team - Cisco)

Malware analysis is a key phase for extracting IOCs like domains, IPs, mutexes and other signatures. What if malware knows what online sandboxes and analysis tools look for, decides to "showcase only 90%" and hides the rest? Well, memory forensics comes to our rescue. This was tried and tested with a lot of samples during the pandemic phase and aided in extracting a lot of hidden processes, domains, URLs and even IPs. This is what the talk covers:

1. The traditional malware analysis process
2. Introduction to memory forensics and why it matters
3. Introducing tools like Volatility and Rekall
4. Running Orcus RAT, Agent Tesla and Sodinokibi ransomware samples using traditional methods like the Any.run online sandbox and malware runs
5. Playing a game by capturing the memory of the infected machine by invoking the WMI module and suspending the machine
6. Tracking malware, bypassing malware hooks and executing a wmic command to hibernate the machine
7. Obtaining the hyb.sys file and performing memory forensics
8. Extracting hidden processes, spotting DLL injection, dumping process memory and extracting IOCs like IPs and URLs
9. Voilà, we win!

Shyam Sundar Ramaswami is a Lead Threat Researcher with the Cisco Umbrella Threat Intelligence team. Shyam is a two-time TEDx speaker and a teacher of cybersecurity. He has held talks at several conferences such as Black Hat (Las Vegas), Qubit Forensics (Serbia), Nullcon 2020 (Goa), Cisco Live (Barcelona), HackFest (Canada), DeepSec (Vienna), several universities, and IEEE forums in India. Shyam has also taught an "Advanced malware attacks and defenses" class at Stanford University's cybersecurity program and runs a mentoring program called "Being Robin" where he mentors students all over the globe on cybersecurity. Interviews with him have been published on leading websites like ZDNet and CISO MAG. His Twitter tag is @hackerbat.

Analyzing Radicalization on the Internet - Method and Results of the COMRAD-Project

Dr. Andreas Enzminger & Dr. Jürgen Grimm (WU – Vienna University of Economics and Business & University of Vienna)

Incitement, radicalization, and terror are the buzzwords that currently concern us the most. Right-wing and left-wing extremist groups or religious fundamentalists act as fire accelerators for extremist tendencies, even leading to the use of political violence. In this way, they can also endanger the value-based foundations of democracy in the medium and long term.

Although much discussed, the role of the media, especially social media, in radicalization within society remains conceptually and empirically unclear. While there are several case analyses based on violent events, systematic studies have yet to be conducted. To fill this gap, the COMRAD project is dedicated to researching radicalization tendencies in cyberspace, focusing on psychosocial, ideological, and communicative conditioning factors. The focus is on the "open space" of politically left-wing, right-wing, or Islamic Facebook groups, in which recruitment strategies and camouflage techniques of extremist actors overlap. In addition, the project pursued as a methodological goal the development of a category system with the help of which conventional content analyses can be carried out on the net and used to optimize automatic content analyses.

The presentation will introduce the methodological concept RADIX, which operationalizes push and pull factors of radicalization such as segregation, worldview, moral outrage, and hostile language. Using RADIX, a total of 11,500 posts were analyzed with human coders and compared to results from automated analyses. Using structural equation modeling, it is possible to quantify the strength of the relationship between radicalization factors and use it to predict radicalization processes in defined Internet samples. Methodological and substantive consequences for radicalization research are discussed.


Juergen Grimm has been a professor of communication studies at the University of Vienna since 2004. Currently emeritus, he is the active leader of the research project "Communication Patterns of Radicalization" (COMRAD). In 1985, he received his PhD from Siegen University with a theoretical and empirical work focused on content analysis regarding media entertainment. From 1984-1988 he was a post-doc research assistant at the DFG-funded research project "Reality Impartment by the Mass Media" at ZUMA (Center for Surveys, Methods and Analyses). He habilitated at Mannheim University in 1998 with a study on violence depiction in TV documentaries and movies and its impact on children and adults. Since 1994, he has been a member of the board of trustees of the FSF ("Organization for the Voluntary Self-Regulation of Television") in Germany. Since 2005 he has been the director of the Viennese "Forum of Methods". Currently, he is also the leader of several research projects, e.g. "Media, Patriotism, Integration" and "Communicating History in Transnational Space". One of his main topics is the impact of media on national identity, societal development and integration, and processes of radicalization and political extremism. Grimm has published widely on depictions of media violence, war and crisis journalism, news processing, media entertainment, televised impartment of history and on methodological problems of content analyses and media effect research.

Andreas Enzminger is a postdoctoral research assistant at the Institute for Communication Management and Media, based within the Department of Foreign Language Business Communication at WU. Before joining the university in December 2020, he was based within the Institute for Communication at the University of Vienna. There, he was employed as a predoctoral researcher (2013-2019) and as a university lecturer (2016-2020), and he received his doctorate in Communication Science from the university in 2019. Andreas has served as a postdoctoral researcher on the Kommunikationsmuster der Radikalisierung (COMRAD) project since 2019 and was involved in the international project TV-Geschichtsvermittlung im transnationalen Raum from 2013-2020.

How to Protect the Protectors? Musings about Security in Security

Tim Berghoff (G DATA CyberDefense)

Attacks on service providers and software vendors are starting to become a huge problem for society.
Which begs the question: Why is that and is there anything we can do about it?
The fact of the matter is: We have been building a house of cards higher, more complex and faster than ever before - sometimes blissfully unaware that the foundation has started to give.
And our answer so far has been: "Build faster".
Therefore, IT in general and security in particular, has a problem. Can we turn that around? Maybe. Let's talk.
We will look at some of the fundamental issues that have been years in the making and that will take the most work to get right.

Tim has been working for G DATA since 2009 and gathered experience in support, consulting and public relations work.

DevSecBioLawOps and the current State of Information Security

René Pfeiffer (DeepSec)

The information technology community changes fast. Life-cycles of code and hardware are short. Sometimes the way we work also changes. Enter the wonderful world of manifestos and trends. Sitting in silos doesn’t work for the modern full stack developer and administrator. This presentation intends to illustrate how changes in infrastructure management and software development affect the field of information security.

René „Lynx“ Pfeiffer was born in the year of Atari's founding and the release of the game Pong. From his early youth he took things apart to see how they work. He couldn't even pass construction sites without looking for electrical wires that might seem interesting. His interest in computing began when his grandfather bought him a 4-bit microcontroller with 256 bytes of RAM and a 4096-byte operating system, forcing him to learn Texas Instruments TMS 1600 assembler before any other programming language.

After finishing school he went to university to study physics. He then gathered experience with a C64, a C128, two Commodore Amigas, DEC's Ultrix, OpenVMS and finally GNU/Linux on a PC in 1997. He has used Linux since that day and still likes to take things apart and put them together again. Freedom of tinkering brought him close to the Free Software movement, where he puts some effort into the right to understand how things work – which he still does.

René is a senior systems administrator, a lecturer at the University of Applied Sciences Technikum Wien and FH Burgenland, and a senior security consultant. He uses all the skills in order to develop security architectures, maintain/improve IT infrastructure, test applications, and to analyse security-related attributes of applications, networks (wired/wireless, components), (cryptographic algorithms), protocols, servers, cloud platforms, and more indicators of modern life.

Exploitation with Shell Reverse and Infection with PowerShell using VBS file

Filipi Pires (Hacking Is Not crime Advocate | RedTeam Village | DCG 5511 - Sao Paulo)

The purpose of this presentation is to show the results of several efficiency and detection tests executed in our lab environment, which was protected by an endpoint solution provided by CrowdStrike. It presents a defensive security analysis with an offensive mindset: reverse shell techniques are used to gain access to the victim's machine, and afterwards a VBS malware sample is run on the victim machine through PowerShell scripts that call the malware, bypassing components and engines such as Malware Protection - Associated IOC (command entered in script), Suspicious Processes, File System Access, Suspicious Scripts and Commands, Intelligence-Sourced Threats, among others.
Regarding the tests performed, the first objective is to simulate targeted attacks using a Python script in order to obtain a panoramic view of the resilience of the solution with regard to the efficiency of its detection by signatures, NGAV and machine learning; running this script, the idea is to use the reverse shell technique to gain access to the victim's machine. After executing this attack, the second objective consists of running a PowerShell script that downloads a malicious VBS file onto the victim's machine and executes it, the malware being provided through MalwareBazaar by API request.

I’ve been working as Principal Security Engineer and Security Researcher at Zup Innovation and as Security Researcher and Instructor at Hacker Security. I’m a Hacking is NOT crime advocate. I’m part of the staff team of DEFCON Group São Paulo-Brazil and an international speaker at security and new technology events in many countries such as the US, Canada, Germany, Poland and others. I’ve served as a university professor in graduation and MBA courses at colleges such as FIAP / Mackenzie / UNIBTA and UNICIV; in addition, I'm founder and instructor of the courses Malware Attack Types with Kill Chain Methodology (PentestMagazine) and Malware Analysis - Fundamentals (HackerSec Company).
