Speakers (preliminary) - DeepSec IDSC 2022 Europe

Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation

Dawid Czagan (Silesia Security Lab)

HackerOne bug hunters have earned over $100 million in bug bounties so far. Some of HackerOne customers include the United States Department of Defense, General Motors, Uber, Twitter, and Yahoo. It clearly shows where the challenges and opportunities are for you in the upcoming years. What you need is a solid technical training by one of the top HackerOne bug hunters.

Modern web applications are complex and it's all about full-stack nowadays. That's why you need to dive into full-stack exploitation if you want to master web attacks and maximize your payouts. Say 'No' to classical web application hacking. Join this unique hands-on training and become a full‑stack exploitation master.

Watch 3 exclusive videos (~1 hour) to feel the taste of this training:
- Exploiting Race Conditions: https://www.youtube.com/watch?v=lLd9Y1r2dhM
- Token Hijacking via PDF File: https://www.youtube.com/watch?v=AWplef1CyQs
- Bypassing Content Security Policy: https://www.youtube.com/watch?v=tTK4SZXB734 

Key Learning Objectives

After completing this training, you will have learned about:

  • REST API hacking
  • AngularJS-based application hacking 
  • DOM-based exploitation 
  • Bypassing Content Security Policy 
  • Server-side request forgery 
  • Browser-dependent exploitation 
  • DB truncation attack 
  • NoSQL injection 
  • Type confusion vulnerability 
  • Exploiting race conditions 
  • Path-relative stylesheet import vulnerability 
  • Reflected file download vulnerability 
  • Subdomain takeover 
  • XML attacks 
  • Deserialization attacks 
  • HTTP parameter pollution 
  • Bypassing XSS protection 
  • Clickjacking attack 
  • window.opener tabnabbing attack 
  • RCE attacks
  • and more…

What Students Will Receive

Students will be handed a VMware image with a specially prepared testing environment to play with all bugs presented in this training (*). When the training is over, students can take the complete lab environment home to hack again at their own pace.

(*) The download link will be sent after signing a non-disclosure agreement and subscribing to Dawid Czagan's newsletter.

Special Bonus

The ticket price includes FREE access to Dawid Czagan's 6 online courses:

  • Start Hacking and Making Money Today at HackerOne
  • Keep Hacking and Making Money at HackerOne 
  • Case Studies of Award-Winning XSS Attacks: Part 1 
  • Case Studies of Award-Winning XSS Attacks: Part 2 
  • DOUBLE Your Web Hacking Rewards with Fuzzing 
  • How Web Hackers Make BIG MONEY: Remote Code Execution


What Students Say About This Training

This training has been very well-received by students around the world. References are attached to Dawid Czagan's LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/ . They can also be found here (https://silesiasecuritylab.com/services/training/#opinions ) - by training participants from companies such as Oracle, Adobe, ESET, ING, …

What Students Should Know

To get the most of this training intermediate knowledge of web application security is needed. Students should be familiar with common web application vulnerabilities and have experience in using a proxy, such as Burp Suite Proxy, or similar, to analyze or modify the traffic.

What Students Should Bring

Students will need a laptop with 64-bit operating system, at least 4 GB RAM (8 GB preferred), 35 GB free hard drive space, administrative access, ability to turn off AV/firewall and VMware Player/Fusion installed (64-bit version). Prior to the training, make sure there are no problems with running 64-bit VMs (BIOS settings changes may be needed). Please also make sure that you have Internet Explorer 11 installed on your machine or bring an up-and-running VM with Internet Explorer 11 (you can get it here: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/ ).

Dawid Czagan (@dawidczagan) is an internationally recognized security researcher and trainer. He is listed among the top hackers at HackerOne. Dawid Czagan has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter and other companies. Due to the severity of many bugs, he received numerous awards for his findings.

Dawid Czagan shares his security bug hunting experience in his hands-on trainings “Hacking Web Applications – Case Studies of Award-Winning Bugs in Google, Yahoo, Mozilla and More” and “Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation”. He delivered security training courses at key industry conferences such as Hack In The Box (Amsterdam), CanSecWest (Vancouver), 44CON (London), Hack In Paris (Paris), DeepSec (Vienna), NorthSec (Montreal), HITB GSEC (Singapore), BruCON (Ghent) and for many corporate clients. His students include security specialists from Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips and thengovernment sector (references are attached to Dawid Czagan's LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/ ). They can also be found here: https://silesiasecuritylab.com/services/training/#opinions ).

Dawid Czagan is a founder and CEO at Silesia Security Lab – a company which delivers specialized security testing and training services. He is also an author of online security courses. To find out about the latest in Dawid Czagan’s work, you are invited subscribe to his newsletter (https://silesiasecuritylab.com/newsletter ) and follow him on Twitter (@dawidczagan) and LinkedIn (https://www.linkedin.com/in/dawid-czagan-85ba3666/ ). 


Didier Stevens (NVISO)

Malicious Office documents have been on the radar for many years now. But do you know how to create and tailor them efficiently to achieve successful read team engagements? This training will first teach you how to analyse MS Office files (both “old” OLE and “new” XML formats) and PDF files, to better understand how to create them and evade detection. MS Office documents that execute code via macros. And we will take a very quick look at PDF too. Didier Stevens will teach you how to use his Python tools to analyse MS Office documents and PDF documents. Then we will move on to the creation of malicious documents, and Didier will teach you how to use his tools for Microsoft Office and PDF creation for offensive security. Several of these tools are private, but you get to keep them when you take this training. Most of the time we will use Excel, because its rows and columns offer a convenient substitute for a graphical user interface. But the techniques work with all applications that fully support VBA (Visual Basic for Applications), like Word, but also non-office applications like AutoCAD.
No prior knowledge of malicious Office documents is required to take this training.
We will use VBA programs and write our own programs that penetration testers need. VBA has an interface to the Windows API. We will learn to use this API to perform pentesting actions from within Office, like a port scan, and also how to use this API to inject and execute shellcode inside the Word/Excel process. And building on this shellcode technique, we will also learn how to package our own DLLs so that they can execute in Word/Excel’s process memory, without touching the disk. This is not a programming class. Knowledge of VBA is not required. Some basic scripting skills like knowledge of for loops and if statements is useful. The basics of VBA will be explained in class, and we will learn to use Didier’s tools and how to modify them to suit the task at hand. No exploits are necessary to achieve this goal, everything can be done with VBA without requiring vulnerabilities. We will learn how to reuse VBA functions and modules from the provided tools to create goal-specific documents (Word, Excel, …).
Over the years, Didier has developed many tools and techniques to “abuse VBA”. Non-exhaustive list of Didier’s tools shared during this class:
• Taskmanager with shellcode injector, process hollowing, parent process selection, .NET injector, …
• Filemanager and container to drop and exfiltrate, modify and encode arbitrary files
• Network tool (ping, port scan, service detection, communication, …)
• Document to perform reconnaissance and exfiltration
• Enumerate installed programs & patches
• Enumerate executables modifiable by the user
• CMD & Regedit running inside Word/Excel process
• Tool to create Excel files on different operating systems, without dependencies with MS Office (Mono required)
• Python tool to create / modify Office OLE and OOXML files, without dependencies with MS Office
• Python tool to hack ZIP containers
• Tool to uncover AV signatures to better evade AV detection
• …

Didier Stevens (Microsoft MVP, SANS ISC Handler, Wireshark Certified Network Analyst, …) is a Senior Analyst working at NVISO (https://www.nviso.be). Didier is a pioneer in malicious PDF document research and malicious MS Office documents analysis, and has developed several tools to help with the analysis of malicious documents like PDF and MS Office files. Didier regularly participates in pentests and red team engagements to create task specific documents. You can find his open source security tools on his IT security related blog. http://blog.DidierStevens.com

Mobile Network Security

James Bart Stidham (Telecom Experts LLC)

Mobile Device Security and Cellular Networks: Hacking, Malware, and Exploits in 2022 - Mobile devices and cellular networks are critical military and intelligence assets in the Russo-Ukrainian War. This presenter led efforts at DHS and NIST to quantify and document just how exploitable both sides of this system are, and the implications for corporations,
political leadership, militaries, and the “mere civilians" caught in the fray. This deep dive will examine what we know, from rumors to highly publicized events, of attacks that touch on all aspects of this technical landscape. It will review key exploits, and provide live demonstrations of several including geolocation attacks, attacks against cell towers, and remote device bricking.

Bart Stidham has worked extensively in secure communications and mobile security R&D. For more than a decade, officials at the National Institute of Standards and Technology (NIST), the US State Department, USAID, and the Department of Homeland Security (DHS) have engaged Bart for his expertise in mobile security research and development.

Bart led efforts to develop new technologies resistant to tracking for use by dissidents in authoritarian countries for the US State Department and USAID, as well as architecting systems to detect such tracking. He later contributed to the first in-depth mobile security research projects at NIST and DHS and the resulting papers. He investigated the security of two critical US cellular systems and potential upgrades: the US Wireless Emergency Alert (WEA) protocol, including the FEMA IPAWS Open system that drives it, and the Wireless Priority Service (WPS).

All of these efforts relied on Bart’s deep understanding of cellular network technologies, surveillance and tracking systems, and how they work.

Bart’s experience spans government and commercial markets. Prior to launching his own company, he worked as an enterprise architect and systems designer for Accenture and ThoughtWorks, a security architect, and CTO at True North Communications. He has also worked as a contractor with the GSMA – the professional body that oversees all cell phone operations globally.

Mobile Security Testing Guide Hands-On (Hybrid edition)

Sven Schleier (WithSecure)

The training will be offered as Hybrid, and conducted as on-site course with the possibility to join also remotely.

This course teaches you how to analyse Android and iOS apps for security vulnerabilities, by going through the different phases of testing, including dynamic testing, static analysis and reverse engineering. Sven will share his experience and many small tips and tricks to attack mobile apps that he collected throughout their career and bug hunting adventures.

At the beginning of the first day we start by giving an overview of the Android Platform and it’s Security Architecture. It is no longer mandatory for students to bring their own Android device, instead a cloud-based virtualized Android device will be provided for each student, by using Corellium.

These are some of the topics that will be covered during the course:

● Frida crash course to kick-start with dynamic instrumentation on Android apps
● Intercepting network traffic of apps written in mobile app frameworks such as Google’s Flutter
● Identifying and exploiting a real word Deep-link vulnerability
● Explore the differences and effectiveness of Reverse Engineering Android Apps through patching Smali, Xposed and Dynamic Instrumentation with Frida
● Analyze Local Storage of an Android App
● Using Brida to bypass End2End Encryption in an Android app
● Usage of dynamic Instrumentation with Frida to:
○ bypass Frida detection mechanisms
○ bypass multiple root detection mechanisms

On day 2 we are focusing on iOS and will begin with an overview of the iOS Platform and Security Architecture (Hardware Security, Code Signing, Sandbox, Secure Boot, Security Enclave etc.). After explaining what an IPA container is and the iOS file system structure, we start creating an iOS testing environment with Corellium and deep dive into various topics and techniques, including:
● Analyzing iOS applications that use non-HTTP traffic including ways of intercepting the traffic
● Frida crash course to kick-start with dynamic instrumentation for iOS apps
● Bypassing SSL Pinning with SSL Kill Switch and Objection
● Evaluate different implementations of Touch ID / Face ID and ways to bypass them
● Testing methodology with a non-jailbroken device by repackaging an IPA with the Frida Gadget
● Testing stateless authentication mechanisms such as JWT in an iOS Application
● Using Frida for Runtime Instrumentation of iOS Apps to bypass:
○ Anti-Jailbreaking mechanisms
○ Frida detection mechanism
○ and other client-side security controls

The course consists of many different labs developed by us and the course is roughly 50% hands-on and 50% lecture.

At the end of each day a small CTF will be played to investigate an app with the newly learned skills and there will be prizes :-)

After successful completion of this course, students will have a better understanding of how to test for vulnerabilities in mobile apps, how to mitigate them and how to execute tests consistently. The course is based on the OWASP Mobile Security Testing Guide (MSTG) and is conducted by one of the authors himself. The OWASP MSTG is a comprehensive and open source guide about mobile security testing for both iOS and Android.

Sven is the Technical Director of WithSecure in Singapore, specialized in penetration testing and application security. Next to offensive security engagements he has supported and guided software development projects for Mobile and Web Applications during the whole SDLC to build security in from the start.

Besides his day job Sven is one of the core project leaders and authors of the OWASP Mobile Security Testing Guide and OWASP Mobile Application Security Verification Standard and has created the OWASP Mobile Hacking Playground. Sven is giving talks and workshops about Mobile Security worldwide to different audiences, ranging from developers to students and penetration testers.

Network Threat Hunting & Incident Response

Michael Meixner, CISSP (Computerforensic & more GmbH)

- Threat Hunting technics on network level
- Threat Hunting on Microsoft Windows Active Directory
- Threat Hunting on Linux Systems / Memory Forensics
- Incident Response process

- IT-Security Administrators
- IT-Administrators with knowledge of protocols and basic LINUX skills
- Security analysts looking to hone their threat hunting skills
- Junior analysts looking to forward their security career
- Environments needing to quickly identify compromised systems
- IT Security Management and Leadership
- Active Directory / Windows Engineers

Students should have a working understanding of IP communications. They should also have a basic understanding of network threat hunting.

- Bring your own Notebook with local admin rights
- Min. 8 GB RAM and 100GB free disk space
- VMWare Player installed
- The ability to connect to the Ubuntu system via SSH

- Acquiring and analyzing Linux memory
- Understand security risks and defensive mitigations
- Hardening Active Directory
- Identify tools and processes for network threat hunting
- How to set up a threat hunting environment
- Threat score system to prioritize artifacts
- Leveraging network findings to pivot into a forensic analysis

Mr. Michael Meixner, CISSP is the managing director of the renowned computer forensics company Computerforensic & more GmbH based in the south of Vienna. Mr. Meixner deals with IT security, threat hunting, incident response, cyber crime such as hack or phishing attacks, data theft, digital preservation of evidence, computer forensic analysis and much more to protect against cyber attacks. As a generally sworn and court-certified expert, Mr. Meixner offers forensic data backup, data reconstruction, data analysis, the preservation of evidence that can be used in court and the preparation of expert opinions. As part of numerous events on the subject of IT security and cybercrime, he passes on his knowledge in a practical way as a speaker.

Online Course: Full-Stack Exploitation Mastery

Dawid Czagan (Silesia Security Lab)

Modern web applications are complex and it’s all about full-stack nowadays. That’s why you need to dive into full-stack exploitation if you want to master web attacks. Say ‘No’ to classical web application hacking, join this unique online training, and take your professional pentesting career to the next level.

I have found security bugs in many companies including Google, Yahoo, Mozilla, Twitter and in this online training I will share my experience with you. You will dive deep into full-stack exploitation of modern web applications and you will learn how to hunt for security bugs effectively.

This online training is composed of

• Almost 5 hours of high-quality video courses with lots of recorded demos (LIFETIME access; the courses are listed below)

• 2 hours of live online training support (you can ask any questions you have about the attacks presented in the video courses and finding security bugs in companies like Google, Yahoo, Mozilla, Twitter)

Almost 5 hours of high-quality video courses with lots of recorded demos

You will get lifetime access to these 5 video courses:

1. Bypassing Content Security Policy in Modern Web Applications
- Introduction
- Bypassing CSP via ajax.googleapis.com <http://ajax.googleapis.com/> (FREE VIDEO <https://www.youtube.com/watch?v=tTK4SZXB734>)
- Bypassing CSP via Flash File
- Bypassing CSP via Polyglot File
- Bypassing CSP via AngularJS

2. Hacking Web Applications via PDFs, Images, and Links
- Introduction
- Token Hijacking via PDF (FREE VIDEO <https://www.youtube.com/watch?v=AWplef1CyQs>)
- XSS via Image
- User Redirection via window.opener Tabnabbing

3. Hacking AngularJS Applications
- Introduction
- AngularJS: Template Injection and $scope Hacking (FREE VIDEO <https://www.youtube.com/watch?v=rQA-aKim18U>)
- AngularJS: Going Beyond the $scope
- AngularJS: Hacking a Static Template
- Summary

4. Exploiting Race Conditions in Web Applications
- Introduction
- Exploiting Race Conditions – Case 1 (FREE VIDEO <https://www.youtube.com/watch?v=lLd9Y1r2dhM>)
- Exploiting Race Conditions – Case 2
- Case Studies of Award-Winning Race Condition Attacks

5. Full-Stack Attacks on Modern Web Applications
- Introduction
- HTTP Parameter Pollution (FREE VIDEO <https://www.youtube.com/watch?v=09ZJPcw_smE>)
- Subdomain Takeover
- Account Takeover via Clickjacking

Lifetime access to these 5 video courses will be granted before participating in the live online training session. More information can be found in the section ”What students will receive”.

2 hours of live online training support

- Is anything not clear after watching the video courses? No worries, I am here to help you! You can ask any questions you have about the attacks presented in the videos.

- Do you want to take your professional pentesting career to the next level and have some questions? No problem, ask me anything you want!

- Are you looking for some advice on how to find security bugs in companies like Google, Yahoo, Mozilla, Twitter (bug bounty programs)? Ask your question and I will do my best to help you.

What students should know

Common web application vulnerabilities

What students will learn

- Become a web hacking expert
- Dive into full-stack exploitation of modern web applications
- Learn how hackers can bypass Content Security Policy (CSP)
- Discover how web applications can be hacked via PDFs, images, and links
- Explore how hackers can steal secrets from AngularJS applications
- Check if your web applications are vulnerable to race condition attacks
- Learn about HTTP parameter pollution, subdomain takeover, and clickjacking
- Discover step by step how all these attacks work in practice (DEMOS)
- Take your professional pentesting career to the next level
- Learn from one of the top hackers at HackerOne

What students will receive

Students will receive lifetime access to almost 5 hours of high-quality video courses with lots of recorded demos (hosted on the 3rd party platform Grinfer; subject to terms of use <https://grinfer.com/terms-of-use> and privacy policy <https://grinfer.com/privacy-policy>). The access link will be sent after subscribing to my newsletter and before participating in the live online training session (during the live online training session, there will be time to ask questions about the attacks presented in the video courses – training support for the video courses).


Dawid Czagan (@dawidczagan) is an internationally recognized security researcher and trainer. He is listed among top hackers at HackerOne. Dawid Czagan has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter and other companies. Due to the severity of many bugs, he received numerous awards for his findings.

Dawid Czagan shares his security bug hunting experience in his hands-on trainings “Hacking Web Applications – Case Studies of Award-Winning Bugs in Google, Yahoo, Mozilla and More” and “Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation”. He delivered security training courses at key industry conferences such as Hack In The Box (Amsterdam), CanSecWest (Vancouver), 44CON (London), Hack In Paris (Paris), DeepSec (Vienna), NorthSec (Montreal), HITB GSEC (Singapore), BruCON (Ghent) and for many corporate clients. His students include security specialists from Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips and government sector.

Online Course: How to Hack Legally and Earn Thousands of Dollars at HackerOne

Dawid Czagan (Silesia Security Lab)

HackerOne is your big opportunity. This is the platform where you can hack legally and at the same time you can make money. You can hack many different companies like Twitter, Yahoo, Uber, Coinbase, and a lot more. And you can get paid for your findings, for example $100, $1,000, or even $10,000 per one bug. It’s just amazing. All you need is Internet connection and knowledge. Yes – you need knowledge to go from zero to thousands of dollars at HackerOne, and in this online training I’m going to share my knowledge with you.

I’m one of the top hackers at HackerOne and I know quite a lot about hacking and making money that way. In this online training I’ll present many award-winning bugs. The more you play with award-winning-bugs the more knowledge you get and the more knowledge you have, the more money you can make. I’ll also discuss a successful bug hunting strategy that I have been using in the recent years. What’s more, I’ll present a lot of demos, because I want you to see how all these things work in practice.

This online training is composed of

• 6 hours of high-quality video courses with lots of recorded demos (LIFETIME access; the courses are listed below)

• 2 hours of live online training support (you can ask any questions you have about the attacks presented in the video courses and bug hunting at HackerOne)

6 hours of high-quality video courses with lots of recorded demos

You will get lifetime access to these 6 video courses:

1. Start Hacking and Making Money Today at HackerOne
- HackerOne: Your Big Opportunity
- Getting Started with 5 Bugs
- Automatic Leakage of Password Reset Link (FREE VIDEO <https://www.youtube.com/watch?v=e2iEXi7YQVc>)
- How to Get Access to the Account of the Logged Out User
- Insecure Processing of Credit Card Data
- Disclosure of Authentication Cookie
- User Enumeration

2. Keep Hacking and Making Money at HackerOne
- How to Impersonate a User via Insecure Log In (FREE VIDEO <https://www.youtube.com/watch?v=qAawfBPJs7U>)
- Sensitive Information in Metadata
- Disclosure of Credentials
- Insecure Password Change
- Dictionary Attack

3. Case Studies of Award-Winning XSS Attacks: Part 1
- XSS via Image
- XSS via HTTP Response Splitting
- XSS via Cookie (FREE DEMO <https://www.youtube.com/watch?v=ntWOiuKe5ts>)
- XSS via AngularJS Template Injection

4. Case Studies of Award-Winning XSS Attacks: Part 2
- XSS via XML (FREE VIDEO <https://www.youtube.com/watch?v=0D1hd6j5z78>)
- XSS via location.href
- XSS via vbscript:
- From XSS to Remote Code Execution

5. DOUBLE Your Web Hacking Rewards with Fuzzing
- The Basics of Fuzzing
- Fuzzing with Burp Suite Intruder - Overview
- Fuzzing for SQL Injection - Demo (FREE VIDEO <https://www.youtube.com/watch?v=pVIrQtYSA3I>)
- Fuzzing for Path Traversal – Demo
- Fuzzing with Burp Suite Intruder: Tips and Tricks

6. How Web Hackers Make BIG MONEY: Remote Code Execution
- From SQL Injection to Remote Code Execution (FREE VIDEO <https://www.youtube.com/watch?v=YLqpfUXiSRo>)
- From Disclosure of Software Version to Remote Code Execution
- Remote Code Execution via File Upload
- Remote Code Execution via Deserialization

Lifetime access to these 6 video courses will be granted before participating in the live online training session. More information can be found in the section ”What students will receive”.

2 hours of live online training support

- Is anything not clear after watching the video courses? No worries, I am here to help you! You can ask any questions you have about the attacks presented in the videos.

- Do you want to start hacking at HackerOne and have some questions? No problem, ask me anything you want about bug hunting at HackerOne.

- Are you already a bug hunter at HackerOne and need some advice on how to go to he next level? Ask your question and I will do my best to help you.

What students should know

- Basic hacking skills
- Basic knowledge of web application security
- Basic understanding of XSS attacks (cross-site scripting)

What students will learn

- Master web application security testing
- Become a successful bug hunter
- Go from zero to thousands of dollars at HackerOne.
- Double your web hacking rewards with fuzzing
- Learn how hackers earn thousands of dollars per one bug
- Discover how to find these bugs step-by-step in practice (recorded DEMOS)
- Learn from one of the top hackers at HackerOne

What students will receive

Students will receive lifetime access to 6 hours of high-quality video courses with lots of recorded demos (hosted on the 3rd party platform Grinfer; subject to terms of use <https://grinfer.com/terms-of-use> and privacy policy <https://grinfer.com/privacy-policy>). The access link will be sent after subscribing to my newsletter and before participating in the live online training session (during the live online training session, there will be time to ask questions about the attacks presented in the video courses and bug hunting at HackerOne – training support for the video courses).

Dawid Czagan (@dawidczagan) is an internationally recognized security researcher and trainer. He is listed among top hackers at HackerOne. Dawid Czagan has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter and other companies. Due to the severity of many bugs, he received numerous awards for his findings.

Dawid Czagan shares his security bug hunting experience in his hands-on trainings “Hacking Web Applications – Case Studies of Award-Winning Bugs in Google, Yahoo, Mozilla and More” and “Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation”. He delivered security training courses at key industry conferences such as Hack In The Box (Amsterdam), CanSecWest (Vancouver), 44CON (London), Hack In Paris (Paris), DeepSec (Vienna), NorthSec (Montreal), HITB GSEC (Singapore), BruCON (Ghent) and for many corporate clients. His students include security specialists from Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips and government sector.

Online-Onsite Training: Hacking JavaScript Desktop apps: Master the Future of Attack Vector

Abraham Aranguren (7ASecurity)

This course is a 100% hands-on deep dive into the OWASP Security Testing Guide and relevant items of the OWASP Application Security Verification Standard (ASVS), so this course covers and goes beyond the OWASP Top Ten.

Long are the days since desktop apps were written in Delphi. What is common between Microsoft Teams, Skype, Bitwarden, Slack and Discord? All of them are written in Electron: JavaScript on the client.

JavaScript Desktop apps share traditional attack vectors and also introduce new opportunities to threat actors. This course will teach you how to review JavaScript desktop apps, showcasing Node.js and Electron but using techniques that will also work against any other desktop app platform. Ideal for Penetration Testers, Desktop app Developers as well as everybody interested in JavaScript/Node.js/Electron app security.

Get a FREE taste for this training, including access to video recording, slides and vulnerable apps to play with:
1.5 hour workshop - https://7asecurity.com/free-workshop-desktop-apps

All action, no fluff, improve your security analysis workflow and immediately apply these gained skills in your workplace, packed with exercises, extra mile challenges and CTF, self-paced and suitable for all skill levels, with continued education via unlimited email support, lifetime access, step-by-step video recordings and interesting apps to practice, including all future updates for free.

Teaser Video: https://www.youtube.com/watch?v=Qckegc2gbfo

After 13 years in itsec and 20 in IT Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Co-Author of the Mobile, Web and Desktop (Electron) app 7ASecurity courses. Security Trainer at Blackhat USA, HITB, OWASP Global AppSec and many other events. Former senior penetration tester / team lead at Cure53 and Version 1. Creator of “Practical Web Defense”, a hands-on eLearnSecurity attack / defense course, OWASP OWTF project leader, an OWASP flagship project (owtf.org), Major degree and Diploma in Computer Science, some certs: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+. As a shell scripting fan trained by unix dinosaurs, Abraham wears a proud manly beard. He writes on Twitter as @7asecurity @7a_ @owtfp or https://7asecurity.com/blog. Multiple presentations, pentest reports and recordings can be found at https://7asecurity.com/publications

Practical Secure Code Review

Seth Law, Ken Johnson (Redpoint Security, Inc.)

Ready to take your bug hunting to a deeper level? Ever been tasked with reviewing source code for SQL Injection, XSS, Access Control and other security flaws? Does the idea of reviewing code leave you with heartburn? This course introduces a proven methodology and framework for performing a secure code review, as well as addressing common challenges in modern secure code review. Short circuit your development of a custom secure code review process by gleaning from Seth & Ken's past adventures in performing hundreds of code reviews and the lessons we’ve learned along the way. We will share a proven methodology to perform security analysis of any source code repository and suss out security flaws, no matter the size of the code base, or the framework, or the language.

Seth Law is an experienced Application Security Professional with over 15 years of experience in the computer security industry. During this time, Seth has worked within multiple disciplines in the security field, from software development to network protection, both as a manager and individual contributor. Seth has honed his application security skills using offensive and defensive techniques, including tool development. Seth is employed as a security consultant, co-hosts the Absolute AppSec podcast with Ken Johnson, and is a regular speaker at developer meetups and security events, including Blackhat, Defcon, CactusCon, and other regional conferences.

We are sorry that your mouse is admin - Windows privilege escalation through the Razer co-installer

Oliver Schwarz (SySS GmbH)

Device-specific co-installers have repeatedly allowed for Windows privilege escalation.
Through Windows' plug'n'play concept, attackers don't need to rely on any preinstalled software on the victim client. All they need is a peripheral device associated with the vulnerable driver – or simpler, a hacking device that simply impersonates such device.

In this talk, I'll report on my responsible-disclosure journey for a DLL hijacking in the Razer Synapse service for gaming devices. The journey starts with me trying to fake a vulnerability and suddenly realizing that the vulnerability is actually real. It continues with a support team that apologized to me for my escalated privileges. You will also learn about a number of fixing attempts and insights about Windows’ access control that helped to circumvent these attempts. The final twist: we recently discovered that the fix we ended up approving can be fooled quite easily. In other words: this story is the sequel to what we have published before.

The main purpose of the presentation is to entertain you by sharing the anecdotes from this interesting journey and demoing the attack. But besides that, admins, developers and researchers will also learn about the security risks that arise from co-installers and placing binaries into directories where they don’t belong to. Finally, I want to motivate researchers to have a closer look into other co-installers. Interesting Windows privilege escalation vulnerabilities seem to wait out there.

Oliver works as a pentester for the German IT security company SySS GmbH.
Besides finding vulnerabilities in applications and networks, he also enjoys presenting hacks to layman audiences, for fun and awareness.
This was also how he discovered the vulnerability presented in his talk.

Before his practical hacking career, Oliver worked as academic security researcher and did his PhD at KTH Royal Institute of Technology on the formal verification of separation kernels.

Phishing with Phineas Again , Purple Hack Recreation on Steroid

Georgios Karantzas and Constantinos Patsakis (University of Piraeus Student and Professor)

Public Description:
A few years ago, a vigilante hacker under the name “Phineas Phisher” conducted a series of high-profile attacks, including hacking into a company that, among others, was developing and selling spyware to government agencies named “Hacking Team”. This was not a result of a random attack but a wellplanned and targeted one. To achieve his goals, the hacker developed a 0-day for the SonicWall VPN appliance. After this attack, the attacker scanned the internet for such devices and found out that an offshore bank in the Cayman Islands was using the same vulnerable version. Beyond this exploit, he reported through his write-ups that he used common hacker utilities like Meterpreter and Empire and that he was not some kind of APT with custom malware writers nor received significant funding and support, but he claims to be a humble ‘one-man army’. The final goal of the bank hack was to access Bottomline’s SWIFT management panel and initiate transactions targeting his own accounts. Then, he uploaded the VMs used by the bank along with all the sensitive clients’ information that was stored in these systems. The scenario is rather intriguing as, despite the impact and sensitivity of the information, it provides a deep insight into an environment in which few people operate. Moreover, such environments are not well publicly documented, and their digital twins are hard to find. We argue that emulating such an attack scenario and adapting it to current tools and methods, offensive and defensive wise, can provide a good baseline to understand the capabilities of both sides and stress the changes that have undergone these years. To this end, in our scenario, we have tried to follow the evolution in defensive and offensive security by rebuilding such an environment, equipping it with modern defence mechanisms. Since most organizations are now integrating endpoint detection and response (EDR) systems to their endpoints to behaviorally detect and throttle cyber-attacks, we have equipped our endpoints accordingly. However, as shown in our previous research, EDRs are no silver bullets and have their weak points as well. In fact, Advanced Persistent Threat (APT) groups have significantly advanced their capabilities. Therefore, having access to several such defensive technologies, they study them and customize their malware accordingly to target them and minimize their detection. Moreover, APTs and ransomware groups are using several C2 frameworks, with the most widely used being Cobalt Strike; however, there are different options that may provide different capabilities and serve fit better in the cyber kill chain. Based on the above, this work can be considered a purple teaming scenario in the financial sector. Practically, we present the blue versus red team fight detailing, where possible, detection and bypass methods, their rationale and gaps, where applicable, mainly through the use of C2 servers. Therefore, we present in each step the attacker’s and defender’s perspectives of the same scenario. This means that we report by what means an EDR would report and/or block and how the attacker would try to prevent this.


GitHub Actions Security Landscape

Ronen Slavin (Cycode)

GitHub Actions, the recent (from 2018) CI/CD addition to the popular source control system, is becoming an increasingly popular DevOps tool mainly due to its rich marketplace and simple integration.

As part of our research of the GitHub Actions security landscape, we discovered that in writing a perfectly secure GitHub Actions workflow, several pitfalls could cause severe security consequences. For example, many developers would use event input data to improve their workflow process. However, this data could be controlled by an attacker, and potentially compromise the build process. Unless the developers are proficient in the depths of GitHub best-practices documents, these workflows would have mistakes. Such mistakes are costly - and could cause a potential supply-chain risk to the product.

During the talk, we’ll walk you through our journey on how we found and disclosed vulnerable workflows in several popular open-source tools, delved into GitHub Actions architecture to understand the possible consequences of these vulnerabilities, and present what could be the mitigations for such issues.

Ronen Slavin is Chief Technology Officer and co-founder of Cycode with expert knowledge in cybersecurity. Previously, he was the CTO and co-founder of Filelock that uniquely developed a solution to protect data even after a breach has occurred. Fileock was acquired by Reason Software in 2018 where Ronen moved to Lead the development of their Windows endpoint protection solution and security research. Prior to that Ronen worked on offensive cybersecurity research for a technology firm building commercial tools for government agencies. Ronen served roles as an R&D team leader, developer and architect in the Israeli Intelligence Corps and holds an M.Sc. in Computer Science with focus on Cyber Security from Bar Ilan University.

The Need For a Human Touch In Cyber Security

Erlend Andreas Gjære (Secure Practice)

In a technical world of cyber, crypto and cloud, it is easy to forget that in the end, we are all humans. While social engineering has always been a craft of its own on the attacker side, our efforts as human defenders are scattered between various technical measures and not always very effective awareness training - sometimes even counterproductive ones.

Regardless of cyber specialization, however, some people skills are needed to maximize impact. This goes all the way from building alliances, communication and "selling" your ideas, to building more resilient processes, organizations and software through empathy for both our technical and non-technical colleagues. Heck, we can even apply certain people skills to understand our adversaries better, profile their motivations, and predict their next actions.

Therefore, this talk will explore a variety of techniques freely available to anyone looking to boost their output from efforts to stop cybercriminals.

Outline (not for public program):
- The disconnect between cyber and people (with counterproductive outputs)
- Finding root causes by understanding seven flavours of human errors
- Mitigating resistance with empathy
- Seven principles for persuasion (including their abuse by attackers)
- Attacker and defender economy (in human terms)
- Defeating the curse of knowledge to elicit success

Erlend Andreas Gjære is a specialist in security and people, with a focus on security awareness, training and culture, risk, behavior and user experience. He received his MSc degree in Informatics from the Norwegian University of Science and Technology (NTNU) in Norway, and then worked six years as a research scientist, before transitioning to industry work as a consultant and security manager. He is now co-founder & CEO Secure Practice, working to unlock a more human approach to reducing cyber risk.

Auditing Closed Source Trusted Applications for Qualcomm Secure Execution Environment (QSEE)

Hector Marco & Fernando Vano (Cyber Intelligence S.L.)

Smartphones have become essential devices for carrying out many daily activities, including security-sensitive tasks such as authentication and payments. The security of sensitive data in modern mobile devices rely on hardware-enabled Trusted Execution Environments, amongst which ARM TrustZone is one of the most widely used. Qualcomm Secure Execution Environment (QSEE) is one of the most widespread commercial TEE solutions in the smartphone space, used by many different devices such as Xiaomi, Motorola and several devices of the Google Nexus and Pixel series.

In order to audit the QSEE environment, security researchers have to face different challenges. On the one hand, the software components of QSEE (i.e., trusted operating system and trusted applications) are not open sourced and can be quite complex, which requires a considerable extent of reverse engineering efforts to conduct analysis and to assess their security. On the other hand, to the best of our knowledge there are no publicly available emulators for QSEE Trusted Applications that assist in debugging and auditing their code.

In this talk, we share the knowledge we obtained from a careful reverse engineering examination of different QSEE Trusted Applications and operating systems (QSEE-OS), showing the different versions of QSEE-OS and the differences with regard to how trusted applications are loaded in each of the QSEE-OS versions. Besides, we will present the different tools we have developed throughout our research to assist in the security evaluation of QSEE, including a debugger for QSEE Trusted Applications fully integrated with GDB and Ghidra and a coverage-based fuzzer for QSEE Trusted Applications. Such tools are essential for us to better understand the internals and behaviour of the trusted applications, to find attack surfaces and to identify vulnerable code for further analyzing and fuzzing.

Hector is a cybersecurity expert with more than 15 years of experience. He holds a PhD in cybersecurity where he found multiple vulnerabilities that have been awarded by Google and Packet Storm Security. He is the founder of Cyber Intelligence S.L., a Spanish experienced company specialized in software and hardware security. The company has developed their own tools and methods which allow to perform unique pentestings and vulnerability assessments. Cyber Intelligence has leaded several national and international security contracts and has successfully evaluated multiple products discovering multiple 1- and 0-day vulnerabilities.

Fernando is a Lead Security Researcher at Cyber Intelligence S.L., where he specializes in smartphone security, reverse engineering and fuzzing. He holds a PhD in cybersecurity and his main research interests include mobile devices, memory management in cloud computing, critical infrastructures and virtualization technologies. During the last few years, he has participated in many cybersecurity research projects. Fernando is author of many articles of computer security and cloud computing. He has contributed on several occasions as a reviewer for international scientific conferences and reputable scientific journals.

Automatic Recovery of Cyber Physical Systems Applications against Known Attacks

Dr M Taimoor Khan (University of Greenwich)

Recovering a software application against an arbitrary attack is an intractable problem because of inadequate information available about compromised components of the application. Therefore, to this end, we have developed a methodology and supporting tools that can automatically detect and recover the execution of a cyber-physical system application against known attacks. The methodology can detect and recover the application against cyber, physical, and cyber-physical attacks. However, based on the availability of adequate information about the compromised components, the methodology supports three different recovery strategies, e.g., “full recovery” – recovers the last secure state of the application, “partial recovery” – recovers a specific state of the application and “no recovery” – recovers application by a user-provided action. Specifically, the methodology is based on program verification that allows specifying of various attacks and their recovery strategies in an extended Java Modeling Language. The language also allows for describing the functional behavior of applications that are developed in Java. Finally, we demonstrate our methodology through its application to recover a typical e-commerce application.

I am an Associate Professor of Cyber Security at the University of Greenwich, UK. There I founded the Cyber Assurance Lab in the Internet of Things and Security Research Centre. I am also a member of an interdisciplinary Law, Emerging Tech and Science (LETS) Lab, UK. I received an MSc in Advanced Distributed Systems from the University of Leicester, the UK in 2008 and a Ph.D. (Dr. techn.) in 2014 in Software Engineering from the Research Institute for Symbolic Computation (RISC), Johannes Kepler University, Austria, both with distinction. I was a Lecturer in Cyber Security at Surrey Center of Cyber Security, University of Surrey, the UK in 2018 and 2019. Prior to that, I was a Postdoc at the MIT CSAIL, USA (jointly with QCRI) during 2014-2016 and in SERG Group at the Alpen-Adria University, Austria during 2016-2018. My research has been recognized through (i) winning awards in the most premier research venues including CICM 2012, WF-IoT 2016, and ICS-CSR 2019, to name a few, and (ii) winning and being part of mega research grants by distinguished international and regional funding agencies including H2020, HFRI, FWF, and NSF/DARPA, to name a few. I am a member of IEEE.

Communicative incident response

Hauke Gierow (PIABO)

Crisis communication is probably the hardest part of communication to get right - and the most important. Combine this with a successful attempt on a companies network that completely shatters operation and you have all the ingredients for disaster.

But especially in these situations it is imperative to stay calm and remain in contact with the outside world. In this talk we will relay best practices for crisis communication and how they specifically apply to IR situations.

We will show the best and the worst attempts to manage a crisis - and demonstrate, that situations like this can be used to reposition a company and build trust, rather than loosing it.

Hauke has been in cybersecurity communications for ten years - and currently leads the cybersecurity practice of PIABO, Europes leading agency for tech pr and communications. He served as head of communications at G DATA CyberDefense, was an editor at Golem.de and build the cybersecurity program of Reporters Without Borders.

Iran: A top tier threat actor

Steph Shample (Middle East Institute)

This presentation, conducted hundreds of times throughout the United States on Wall Street, at various American universities, and throughout the US Defense sector, will go into detail on the evolution of the Iranian cyber program, its current state and most common malware, as well as what geopolitical events and relationships influence Iranian cyber actors. It will also detail why Iran needs to be taken seriously as a digital threat, as they indeed operate at the same level as malicious Russian and Chinese threat actors.

Steph Shample is a Non-Resident Scholar with the Middle East Institute's Cyber Program and Senior Analyst at Team Cymru.

For the past 16 years, her career has focused on analyzing Iran in various capacities, including its tense relationships with Middle Eastern countries as well as their bordering states, and countering Iranian roles in terrorism, proliferation, and narcotics.

During her military career, Steph gained operational experience across the Middle East, Levant, and Central and South Asia. She also completed two deployments to Afghanistan, one military and one as a civilian.

Kates' Pot: Finding Attacks Against Kubernetes Deployments

Matthias Meidinger (Red Hat)

While default deployments on managed platforms are getting safer and safer, the potential attack surface of Kubernetes remains a valuable target given its widespread adoption. But how do you find new or even current attacks against Kubernetes instances? Continuously monitoring and analysing any publicly reachable cluster is one way - another would be to deploy a Honeypot that emulates an open instance, providing unique insights into ongoing and novel attacks. This talk introduces a Kubernetes Honeypot and provides insights and interpretations into collected data and observed actions. Furthermore, it provides some recommendations and best practices for publicly reachable Kubernetes instances to mitigate common attacks.

The talk provides some insight into the observed threat landscape and aims to enrich discussions around common attack scenarios, detections, and mitigations. Providing more data to refine or update threat models for publicly reachable Kubernetes deployments could benefit the ecosystem in the long run. The provided recommendations strive to improve awareness for common misconfigurations, which, combined with real world event data, illustrate the potential dangers.

Matthias is a Software Engineer working for the Advanced Cluster Security team, focusing on Product Development and Open Source. He is also one of the Community Managers for StackRox, the upstream Open Source project for Advanced Cluster Security.
Previous to his current role, he provided Infrastructure, Tooling, and Automation for Research and Malware Hunting at VMRay.
Away from work, Matthias enjoys photography, and travel.

Melting the DNS Iceberg - Taking over your infrastructure Kaminsky style

Dipl.-Ing. Timo Longin BSc (SEC Consult Unternehmensberatung GmbH)

What does the DNS have in common with an iceberg? Both are hiding invisible dangers! Beneath an iceberg there is... hiding even more ice. However, beneath the DNS there are hiding unexpected vulnerabilities!

If you want to resolve a name via DNS, there are multiple open DNS resolvers all across the Internet. A very commonly used open DNS resolver is Google’s resolver with the IP address However, not every system is using such an open resolver. Hosting providers, ISPs or alike, are often using resolvers that are not directly accessible from the Internet. These are the so called “closed” resolvers.

In my previous research “Forgot password? Taking over user accounts Kaminsky style,” I have unearthed critical vulnerabilities in DNS resolvers of web applications, but I haven’t shared a second thought about the fact that these web applications were most likely using closed resolvers. So, this time I looked at the root of the problem!

In this talk, we’ll take a look at how we can indirectly access these closed resolvers from the Internet. Furthermore, I’ll introduce open-source tools and methods to discover vulnerabilities in them. How we can attack these closed resolvers and potentially compromise thousands of systems, will lastly be shown in a proof-of-concept exploit.

Timo Longin is a security consultant at SEC Consult (an Atos company) at day and a security researcher at night. Aside from everyday security assessments, he publishes blog posts and security tools, holds talks at conferences and universities, and, most importantly, has a passion for CTFs. His main focus is on web applications; however, infrastructure and hardware are not safe from him either. As a well-rounded offensive security researcher, he tries to find forgotten and new attack vectors that make the unthinkable possible!

Identification of the location in 5G Network

Giorgi Akhalaia (Caucasus University, Scientific Cyber Security Association)

Mobile devices can provide majority of everyday service: like emergency, healthcare, security. Development of mobile devices itself triggered the 5G network deployment. New telecom standard will create new ecosystem with variety of industries and will exceed the limit of telecom communication. New standards, functionality, services, products always arise new cyber threats. Operating Spectrum in 5G Network is divided into 3 categories: Low, Middle and High Bands. Actually, third category, high band, also known as mmWave provides majority benefits of the new standard. This band covers from 6 GHz-100 GHz operating spectrums. Because of the limitation of this frequency range, devices connected to high-band have to be near to the cell-tower. Otherwise, buildings will interrupt the connection. So, when user is connected to mmWave tower, only one tower is enough to determine the location of device, instead of 3 towers, which is usually used in previous standards. By default, mobile devices always scan cell-towers to choose that one with stronger signal. Our study is about, to interrupt scanning operation and make devices to connect only high-band towers, without measuring signal strength. As, towers are always sending their identities, like IDs, locations, we can map all of them. After we steal active tower information from user and determine its location.

Giorgi Akhalaia is Ph.D candidate of computer science. Giorgi has defended his Master’s degree at Caucasus University, Caucasus School of Technology (Program: IT Management). Giorgi is an Assistant-Professor at Caucasus University and at International Black Sea University (direction – Cyber Security). He is cyber security trainer at Scientific Cyber Security Association and Orient Logic Academy. Giorgi is a cyber security main specialist and actively involved in Cyber Security Center, CST (Caucasus University), which is the official representative of BITSENTINEL in the region. From 2014, he was involved in scientific studies at the Institute of Earth Sciences and by 2016, Mr. Akhalaia was promoted as an Acting Head of Scientific Geodesy Network of Georgia. He is responsible for managing and maintaining online and data servers, data collecting and processing as well as for upgrading and development of services and staff of the department.
In 2019, Giorgi was involved in various international and local projects. Right now, he is security oriented IT System Admin in the project of Seismic Network Expansion in the Caucasus and Central Asia (Project between 7 countries), funded by The US Department of Energy. In 2020 he won the PhD fund from Shota Rustaveli National Science Foundation of Georgia. Project title is “5G Network security”. In the framework of this fund, a micro 5G lab will be created for testing and deploying new security functions.

OPSEC - The Discipline of the Grey Man

Robert Sell (Trace Labs)

During operations, it is not unusual for us to get excited about the target and to prematurely begin before we have adequately prepared. As a result, this can not only spoil an operation but can cause dire life-threatening consequences. This talk goes over why OpSec is so important, failures people often make and how we can greatly improve our operational security during intelligence gathering and operations. While I will cover sock puppets and other techniques in detail, I will also cover physical considerations, habits and other areas where risks can be generated unless the operator is careful and diligent.

Robert is the founder and president of the Trace Labs, a non profit organization that crowdsources open source intelligence (OSINT) to help locate missing persons. He has spoken at conferences and podcasts around the world on subjects such as social engineering, open source intelligence, physical security, insider threats, operational security and other topics. Robert primarily works in the aerospace industry where he assists newly acquired organizations to secure their environments. This includes all aspects of security in regions around the world. In 2017 and 2018 he competed at the Social Engineering Village Capture the Flag contest. He placed third in this contest (both years). In 2018, he actually ran his own Trace Labs OSINT CTF while participating (and placing 3rd) in the SECTF at Defcon Vegas. Robert is also a ten year volunteer with Search and Rescue in British Columbia, Canada. In his search & rescue capacity, Robert specializes in tracking lost persons and teaching first responders how to leverage OSINT.

A survey of secure in-vehicle communication

Miltos D. Grammatikakis (Hellenic Mediterranean University)

We aim to review existing research on protocols, patterns, and generic paradigms that support secure in-vehicle communications. In addition, we present methods, tools, and related open source development platforms for preliminary experimentation. We also examine how to to leverage lightweight cryptography into security solutions, including integrating Crypto ICs (e.g., Zymbit Zymkey, Microchip ATECC series). Finally, we examine interactions between security and traditional quality-of-service characteristics (message efficiency and reliability), and propose interesting open problems related to the design of secure and reliable gateways for automotive solutions and beyond.

Miltos D. Grammatikakis is a Professor in the Department of Electrical and Computer Engineering at the Hellenic Mediterranean University in Greece. His expertise is on distributed, parallel, and embedded systems design/development. More recently, he enjoys working at the intersection of embedded security, real-time, and reliability issues.

End-to-end Health Data Privacy Using Secure 5G Data Channels

Dr. Razvan Bocu (Transilvania University of Brasov, Romania, Department of Mathematics and Computer Science)

The integrated collection of personal health data represents a relevant research topic, which is enhanced further by the development of next generation mobile networks that can be used in order to transport the acquired medical data. The gathering of personal health data has become recently feasible using relevant wearable personal devices. Nevertheless, these devices do not possess sufficient computational power, and do not offer proper local data storage capabilities. This paper presents an integrated personal health metrics data management system, which considers a virtualized symmetric 5G data transportation system. The personal health data is acquired using a client application component, which is normally deployed on the user’s mobile device, regardless it is a smartphone, smartwatch, or another kind of personal mobile device. The collected data is securely transported to the cloud data processing components, using a virtualized 5G infrastructure and homomorphically encrypted data packages. The system has been comprehensively assessed through the consideration of a real-world use case, which is presented.

Razvan Bocu Transilvania University of Brasov. Department of Mathematics and Computer Science, Brasov 500091, Romania (razvan.bocu@unitbv.ro). Dr. Bocu is a Research and Teaching Staff Member in the Department of Mathematics and Computer Science, the Transilvania University of Brasov, Romania. He received a B.S. degree in Computer Science from Transilvania University of Brasov in 2005, a B.S. degree in Sociology from Transilvania University of Brasov in 2007, an M.S. degree in Computer Science from the Transilvania University of Brasov in 2006, and a Ph.D. degree from the National University of Ireland, Cork, in 2010. He is the author or coauthor of 42 technical papers, together with eight books and book chapters. Dr. Bocu is an editorial reviewing board member for the following technical journals in the field of Information Technology and Biotechnology: Journal of Network and Computer Applications, IEEE Transactions on Dependable and Secure Computing, IEEE Access, International Journal of Computers Communications & Control, Sensors, Symmetry, Algorithms, Big Data and Cognitive Computing, and several other ones.

Towards the Automation of Highly Targeted Phishing Attacks with Adversarial Artificial Intelligence

Francesco Morano and Enrico Frumento (Cefriel - Polytechnic of Milan)

The work we will present aims to develop a Proof of Concept (PoC) of an attack scenario that uses Artificial Intelligence (i.e., AI) to create a semi-automatic phishing attack. The AI-based PoC used different network types to automatically compose highly targeted phishing emails with information derived from the initial OSINT analysis of the potential victims. The study approaches the problem from a cybercriminal point of view to understand the feasibility of such an attack tactic and prepare for possible defences. Phishing is a popular way to perform social engineering attacks. According to the Verizon 2022 Data Breach Investigations Report, 82% of data breaches involve human elements and belong to several categories, including phishing, the most common. Using AI tools, this study implements a complete attack chain: (i) initial collection of victims' data through OSINT, (ii) generation of phishing email body using a GPT-2 and (iii) creation of the graphic mimicking the real organisation brand identity (i.e., logo and stylistic features) through other models. The paper presents the steps needed to prepare an effective phishing strategy and discusses whether and how AI can automate it. This study helps penetration testers and red teams build targeted phishing simulations more rapidly. The result is discussed in terms of the simulated attack's efficiency.

The aim is to provide red and purple teams with a methodological approach to social engineering attacks by continuing the work started by one of the authors in a previous study. The study objective is to explore the AI's potentialities in a full OpSec attack stack: wearing the attackers' hat and performing a full attack. A semi-automatic attack vector created the phishing email.

Dr. Enrico Frumento is a Senior Domain Specialist in the cybersecurity team at Cefriel, ICT Center of Excellence for Research, Innovation, Education and industrial Labs partnerships. He is the author of subject-related publications and books and member of the European CyberSecurity Organisation and the European Digital SME Alliance. His 20+ years of research activity focuses on unconventional security, cybercrime intelligence technologies tactics and techniques, the contrast to the modern social engineering and dynamic assessment of organisations‘ vulnerabilities corresponding to tangible and intangible assets at risk.

Dr. Francesco Morano is a scientific researcher and technical consultant in the Cybersecurity team at Cefriel. He is a member of the Order of Engineers and began his career in scientific research by taking part in several European projects. During his undergraduate and early professional years, he devoted himself to researching the most innovative technologies applied to applied to various fields, including image processing and cybersecruity

Post-quantum Verkle signature scheme

Maksim Iavich (Caucasus University, Scientific Cyber Security Association)

Mass production of quantum computers is expected in the near future. Quantum computers can easily break cryptographic schemes that are used in practice. Thus, classical encryption systems became vulnerable to attacks using quantum computers. This includes research efforts to find encryption schemes that are resistant to attacks using quantum computers. digital signatures are an important technology in securing the Internet and other IT infrastructures. A digital signature provides the authenticity, integrity, and identification of data. Digital signatures are used in identification and authentication protocols. So, ტhis secure digital signature algorithm is crucial in terms of IT security.
Today, in practice, digital signature algorithms such as RSA, DSA, ECDSA are used. However, they are not quantum stable as their safety relies on large composite integers, complex factorization and the computation of discrete logarithms.

Maksim Iavich is Ph.D. in mathematics and a professor of computer science. In 2018, he was acknowledged as the best young scientist of Georgia in computer science. Maksim is an affiliate professor and the Head of cyber security direction at Caucasus University. He is also Head of the information technologies bachelor and of the IT management master programs. Since 2020, Maksim Iavich is an expert-evaluator at National Center for Education Quality Development of Georgia. Prof. Iavich is a Director of the Cyber Security Center, CST (CU), which is the official representative of BITSENTINEL in the region. He leads bachelor and master IT programs at this university. He is CEO & President of Scientific Cyber Security Association (SCSA). Maksim is cybersecurity consultant in Georgian and international organizations. He uses to be the invited speaker at international cyber security conferences and is the organizer of many scientific cyber security events. He was the key speaker at Defcamp in 2018-2021. He has many scientific awards in the cyber security field. Maksim is the author of many scientific papers. The topics of the papers are cyber security, cryptography, post-quantum cryptography, quantum cryptography, mathematical models, and simulations.
-2020 Scholar, DeepSec, Austria
-2019 Best paper award, IVUS-2019, Vytautas Magnus University, Lithuania
-2018–2019 The best young scientist of Georgia in computer science, Shota Rustaveli National Science Foundation of Georgia, Georgia
-2018 Best paper award, IVUS-2018, Vilnius University Kaunas Faculty, Lithuania
-2015 Scholarship of the young scientist, Shota Rustaveli National Science Foundation of Georgia, Georgia

Machine Learning use in OSINT

Giorgi Iashvili (Caucasus University)

Open source intelligence is one of the important aspects during cyber security activities. As it relies on the publicly available sources, such as social networks, websites, blogs etc. This includes data mining and gathering techniques, as well as data extraction and data analysis activities. Open source intelligence is widely used in different directions today. Mainly this process runs manually and is fully managed by human. Moving from a manual to automated processes in OSINT is vital especially that we work with real-world operations. Different components must be used to build relevant system to provide automated open source based activities together with training simulations for the ML.
The structure of the ML approach is the following:
Requirements: Information used from previous user experience;
Collection: Web crawlers or / and scrapers;
Processing exploration: Pattern recognition, Detection of the events, Vision of the automated system;
Analysis: Matching the pattern, Visualization process, Data analysis;
Dissemination: Automated responses, Automated Error messages;

The processes will be performed by the machine using automated processes mechanisms.

In 2019 – 2022 studied in the Georgian Technical University at the faculty of informatics and Control Systems, got the PH.D. degree. The topic was: Secure design in cryptography.

Work experience:
2011 – 2014 worked at cinema club “Cache” as IT specialist
2012 – 2015 worked at LTD “Maxitop” as web developer
2014 – 2015 worked at Ilia State University as IT lecturer and web developer in the frame of “STIGMA PROJECT 771 OF USA EMBASSY”.
2014 – 2015 worked at Jewish – Georgian school “Oravner” as computer science teacher
2015 – 2017 works at European school in IB MYP and American High School sections as computer science teacher
2015 – 2017 works at Bank of Georgia University as a researcher in the frame of the “Post-quantum Cryptography” project.

Deputy director of Cybersecurity center at Caucasus University, associate professor. Technical director of Scientific Cyber Security Association (SCSA). PhD in informatics. Cyber security expert

Attacking Developer environment through drive-by localhost attacks

Joseph Beeton (Contrast Security)

There is a widespread belief that services that are only bound to localhost are not accessible from the outside world. Developers for convenience sake will run services they are developing configured in a less secure way compared to how they would ( hopefully! ) do in higher environments.
By compromising websites developers use, just injecting JS into adverts served on those sites or just a phishing attack that gets the developer to open a web browser on a compromised page. It is possible to reach out via non pre-flighted http requests to those services bound to localhost, by exploiting common misconfigurations in Spring. Or known vulnerabilities found by myself and others. I'll demonstrate during the talk, it is possible to generate a RCE on the developer's machine. Or other services on their private network.
As developers have write access to codebases, AWS keys, server creds etc. Access to the developer's machine gives an attacker a great deal of scope to pivot to other resources on the network. Modify or just steal the codebase.

I'm a recovering Java Developer. I started my career as a Java developer writing Archive/Backup software. Before moving to a large financial company working on webapps and the backend APIs. However after a while writing yet another microservice isn't that much fun anymore, but breaking them was. So I moved to Application Security and from their to Research. Now I work as Security Researcher for Contrast Security.

Your Phishing assessment is bad & you should feeld bad

Alexander Riepl (CERT.at)

Sending malicious emails to employees in order to gauge a perceived security awareness is becoming ever more popular with companies large and small taking part in such Phishing assessment.

Despite their popularity, there is a ton of issues with how we do these things. At best, these issues cause them to be actively useless exercises, at worst, they can end up decreasing your security or even have a significant negative impact on your internal culture and erode trust.

This talk looks at how we mostly do these assessments, the various ways that are wrong about it and even tries to provide a few suggestions on how we, as security professionals, can do well.

Alexander Riepl works as a (on the insistence of higher-ups: Senior) Security Analyst for the national Computer Emergency Response Team of Austria, with his work focusing on keeping an eye on threat actors, what's happening around the world to provide geopolitical context & occasionally role-playing as "still a tech guy, I swear" when doing work around Linux security.

Before that he did a brief stint as CSO for a FinTech company, a longer stint as a Security Analyst for totally not the same employer he is working for now, and in his earliest life he spent his days in solitude maintaining datacenters - which means that after a decade in IT professionally, I'd be surprised if there is still something that can surprise me.

Malware and Exfiltration : A telegram story

Godwin Attigah (Google)

Abstract: Exfiltration and command and control are essential parts of the adversary's kill chain. One of the primary goals of a malicious adversary is to exfiltrate data from an environment undetected and uninterrupted.

As a result, several attackers have opted for third-party services typically sanctioned for use in most enterprises. The accepted status of such applications coupled with an established developer ecosystem makes services such as Slack and Telegram suitable for their exfiltration and command and control tool of choice.

We have observed the usage of telegram in different types of malicious activities including but not limited to ransomware, phishing, remote access trojans and stealers. We will discuss active samples found in the wild with a particular emphasis on stealers. Stealers are a class of malware that are primarily interested in gathering information on a host. Recent examples of Telegram in Stealers include Lapsus$ compromise of major enterprises such as Microsoft, Okta, and Nvidia. They are particularly interested in credentials and information related to financial assets(fiat and crypto): E.g
Saved passwords
Cryptocurrency wallets
Credit cards
Files from personal directories
Direct messaging applications sessions (Telegram, WhatsApp, etc.)
OS information
Machine credentials
Screenshots(in some cases live webcam view)

Our discussion will cover the exfiltration and detection evasion techniques on different platforms, including but not limited to Windows, macOS, and Android. In furtherance of the point, we introduce how malware-as-a-service provides easily accessible kits to entry-level and sophisticated malicious actors, thus reducing entry barriers, particularly in the stealer and ransomware community.

In our analysis, we observed a varied level of attacker operational competency. Attackers falter in several stages of the attack process, and we discuss some of their shortcomings and the best practices when it comes to using Telegram.
The techniques we discuss include:
Correlating attacker identity to the real world
- Image Correlation
- Username correlation
Message Interception via
- Updates
- WebHooks

Throughout the talk, we provide several samples that use telegram as an exfiltration vector and had one or no detections in VirusTotal. The absence of detections underscore the essence of building an enterprise that is aware of the shortcomings of vendor security products as well as open source intelligence sources. We also provide detections and common patterns we see associated with samples in the space.

Godwin Attigah is a Security Engineer at Google. Before working at Google, they worked at Microsoft's Cyber Defense Operation Center, where they primarily focused on detecting and managing incidents involving state-sponsored actors. Godwin's work in security includes reverse engineering, detection engineering, security tool development, statistical modeling, and machine learning. Godwin holds a Masters's Degree in Computer Science from Johns Hopkins University and a BSc in Mathematics and Computer Science from the University of North Carolina at Chapel Hill.
Godwin works on global issues outside of cybersecurity, including but not limited to reducing global deaths from indoor pollution.

Detecting the unknowns – Mobile Network Operators cyber resilience in responding to zero-day exploit

Imran Saleem (Mobileum)

Mobile networks are globally interconnected via private/public networks. Mobile signalization, being the core of the telecoms, is widely used, hence mobile networks are always at risk of exposure to data leaks. Signaling firewalls is the first line of defense, which could prevent known attacks, but are typically inadequate to identify zero-day exploits or sophisticated bypass techniques.

Besides, the threat actors are no longer stagnant and bound to a geographical area. Rather, they are moving around the world leveraging cloud-based deployments using various interconnect points geographically dispersed, making it more arduous to detect new patterns.
Massive exploitation of victim networks by sophisticated bypass techniques has been seen where operators are incapable of correlating the entire frame of the security chain because of limited view. Not knowing if the damage has been done and under the hypothesis that they are protected comes in as a surprise when a high-profile individual becomes the victim of this series of a coordinated unnoticed chain of events.

In this engagement, the research outputs TTP used by an APT performing zero-day exploit via Interconnect signaling that left a significant impact on the operators globally. The critical vulnerability was silently exploited across different high-risk markets with coverage seen in almost every continent. The vulnerability aims to bypass signalling firewalls and security controls to get hold of initial data access like real IMSI for the subscriber, Serving Node address for the network where the subscriber is attached and can potentially perform subsequent attacks like, Call Interception, billing fraud, tracking, surveillance, 2FA bypass.

A responsible vulnerability disclosure for this zero-day exploit was submitted to the GSMA CVD program who assigned a CVD number CVD-2021-0052 and after impact assessment, nature and severity placed the discovery under the “hall of fame” accessible at acknowledgment page.


Imran Saleem is a Security Researcher, with more than 17 years of experience in Telecom and Security he has also served as the Cyber Security Consultant for Fortune 100 companies in the past. Imran holds a master’s degree in Cyber Security and maintains CISSP, CISM, CDPSE, and other highly sought-after security certifications. His past work areas combine Threat Intelligence, Security Design & Architecture, security risk assessment, privacy impact assessment, and data analytics.
Imran’s currently engaged in threat Intelligence and security research wing bringing Mobile Network operators with the visibility, they need by providing a Global threat intelligence view.
Imran is a speaker with participation and contributions to various international bodies like GSMA and the World Economic Forum. Significant contributions to GSMA Security guidelines related to interconnect signaling of mobile networks. He also serves as a member of GSMA CVD PoE (Panel of Expert).
His work has been acknowledged in the GSMA “Hall of fame” for critical vulnerability disclosure.

Signature-based Detection using Network Timing

Josh Pyorre (Cisco Talos, Pyosec)

Malware often has behaviors that can be used to identify other variants of the same malware families, typically seen in the code structure, IP addresses and domains contacted, or in certain text strings and variable names within the malware. However, it may be possible to identify malware, or anomalous behavior by analyzing the timing in between network transactions. My presentation will explore this idea using network captures of malicious activity amongst potentially normal network traffic, analyzed quickly with Python. We'll explore this on network data with full visibility into the transactions as well as noisier encrypted traffic, where we'll attempt to identify unusual activity based only on bandwidth.

Josh Pyorre is a Security Research Engineering Technical Leader with Cisco Talos. He has been in security since 2000, working as a researcher and analyst at organizations such as Cisco, NASA, and Mandiant, and a principal product manager for advanced threat protection at Zscaler.
Josh has presented at conferences and locations around the world, including DEFCON, RSA, B-Sides, Source, Derbycon, InfoSecurity, DeepSec, Qubit, and at various companies and government organizations. He was also the host and producer of the security podcast, 'Root Access'. His professional interests involve network, computer and data security with a goal of maintaining and improving the security of as many systems and networks as possible.

The Story Continues: Hacking Some More "Secure" Portable Storage Devices

Matthias Deeg (SySS GmbH)

Encrypting sensitive data at rest has always been a good idea, especially when storing it on small, portable devices like external hard drives or USB flash drives. Because in case of loss or theft of such a storage device, you want to be quite sure that unauthorized access to your confidential data is not possible. Unfortunately, even in 2022, "secure" portable storage devices with 256-bit AES hardware encryption and sometimes also biometric technology are sold that are actually not secure when taking a closer look.

In this presentation, I will talk about how a customer request led to further research resulting in several cryptographically broken "secure" portable storage devices. This research continues the long story of insecure portable storage devices with hardware AES encryption that goes back many years. With this presentation, I want to raise the awareness of security issues and practical attacks against vulnerable "secure" portable USB storage devices, and tell an interesting story.

Matthias Deeg is interested in information technology - especially IT security - since his early days and has a great interest in seeing whether security assumptions in soft-, firm- or hardware hold true when taking a closer look. Since 2007 he works as IT security consultant for the IT security company SySS GmbH and is head of Research & Development.

His research results concerning different IT security topics were presented on different national and international IT security conferences (e.g. Black Alps, BSidesVienna, Chaos Communication Congress, CONFidence, DeepSec, Hacktivity, Hack.lu, PHDays, Ruxcon, t2, ZeroNights). He also published several IT security papers, security advisories, and security-related YouTube videos.

Vanquish: Analysis Everywhere with Smartphones

Hiroyuki Kakara (Trend Micro Incorporated)

I couldn’t sleep well until I developed the “Vanquish.” I couldn’t fully enjoy Disneyland until I developed the “Vanquish.” I was always thinking about 2nd and subsequent payloads of malware of my interest. I was always hoping that C2 servers are available until I reached my malware analysis desktop. But the Vanquish changed my life. He tries to collect all the samples that appear in twitter accounts of your interests. He analyzes those samples and tries to get the next stages samples when I am in bed. And I can ask him to analyze malware from your iPhone even while I’m in Disneyland.
The core of the Vanquish is the system which crawls specified twitter accounts every specified minute, parses hashes from the tweet bodies or web sites tweeted, downloads the sample from malware sharing sites, and puts it in a sandbox. The results are posted to the Slack workspace. Also, I can order ad hoc analysis to the Vanquish by specifying hashes.
The Vanquish uses Slack for its I/O interface. Not only does he output results to the Slack workspace, but he also accepts commands from Slack to adjust crawl parameters, start ad hoc query, etc. With this, I don’t need to be in front of my desktop but only need an iPhone to communicate with Vanquish.
The presentation at DeepSec 2022 will introduce the concept of the Vanquish as well as additional features like malware parsing which can be implemented into your in-house research infrastructure.

Hiroyuki Kakara is working as a Cyber Threat Researcher for Threat Intelligence Center of Trend Micro Incorporated in Japan. He is engaged in research on APTs and delivers threat intelligence to Japanese government organizations. Technically, his research activity consists of incident response, malware analysis, forensics, OSINT, and utilization of his company's internal telemetry. He is also an instructor of Trend Micro internal security expert training. He co-works with some of the Japanese parliament members to have a better national security against cyber threats. He presented at DeepINTEL 2019, 2020 and 2021. 

Hey You! Get off my Satellite!

Paul Coggin (nou Systems, Inc)

There are many components and systems that may be targeted in a space system by adversaries including ground station systems and satellites. In this presentation we will discuss ideas for providing cyber resiliency in zero-gravity. Both theoretical and real-world examples of cybersecurity issues concerning satellite systems will be covered. This presentation will step through attack trees for targeting satellite systems. Recommendations best practices for securing satellite systems will be discussed. In addition, new ideas industry is currently developing for improving the cyber resiliency of space systems will be presented

Paul Coggin is a Cyber SME at nou Systems, Inc. His expertise includes space systems, service provider, and ICS/SCADA network infrastructure attacks, and defenses, as well as large complex network design and implementation. Paul is experienced in leading network architecture reviews, vulnerability analysis, and penetration testing engagements for service provider, enterprise, space systems and tactical networks. Paul is a regular instructor at international conferences teaching networking, hacking and forensics courses. He has a BS in Math\Computer Science, MS in Systems Management, MS in Information Assurance and Security and a MS in Computer Information Systems. In addition, he holds numerous industry network and security certifications.

Practical Mobile App Attacks By Example

Abraham Aranguren (7ASecurity)

If you are the kind of person who enjoys workshops with practical information that you can immediately apply when you go back to work, this talk is for you, all action, no fluff :)

Attendants will be provided with training portal access to practice some attack vectors, including multiple mobile app attack surface attacks, deeplinks and mobile app data exfiltration with XSS. This includes: Lifetime access to vulnerable apps to practice, guided exercise PDFs and video recording explaining how to solve the exercises.

Get FREE access to the slides, recording and vulnerable apps to practice with:

This talk is a comprehensive review of interesting security flaws that we have discovered over the years in many Android and iOS mobile apps: An entirely practical walkthrough that covers anonymized juicy findings from reports that we could not make public, interesting vulnerabilities in open source apps with strong security requirements such as password vaults and privacy browsers, security issues in government-mandated apps with considerable media coverage such as Smart Sheriff, apps that report human right abuse where a security flaw could get somebody killed in the real world, and more.

The talk offers a thorough review of interesting security anti-patterns and how they could be abused, this is very valuable information for those intending to defend or find vulnerabilities in mobile apps.

This talk is for those who are intending to broaden their knowledge of mobile security with actionable information derived from real-world penetration testing of mobile apps.

Please come caffeinated, the audience will be challenged to spot vulnerabilities at any moment :)

After 13 years in itsec and 20 in IT Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Co-Author of the Mobile, Web and Desktop (Electron) app 7ASecurity courses. Security Trainer at Blackhat USA, HITB, OWASP Global AppSec and many other events. Former senior penetration tester / team lead at Cure53 and Version 1. Creator of “Practical Web Defense”, a hands-on eLearnSecurity attack / defense course, OWASP OWTF project leader, an OWASP flagship project (owtf.org), Major degree and Diploma in Computer Science, some certs: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+. As a shell scripting fan trained by unix dinosaurs, Abraham wears a proud manly beard. He writes on Twitter as @7asecurity @7a_ @owtfp or https://7asecurity.com/blog. Multiple presentations, pentest reports and recordings can be found at https://7asecurity.com/publications

Anticipating Damage Control: Communicating about Cybersecurity within and outside Organizations

Prof. Matthieu J. Guitton, PhD, FRAI (Université Laval (Quebec City, QC, Canada))

Although cybersecurity aims at protecting individuals and organizations from the threats emerging from the massive use of and dependency upon digitalized spaces, the efforts of cybersecurity experts unfortunately not always succeed in doing so. Therefore, integrated cybersecurity strategies of large organizations should minimally include a plan for damage control. Damage control strategies are typically handled by public relations experts and tend to follow classical narrative, combining a mix of both apologizing and reassuring discourses. However, in an age of communication technologies, efficient narrative strategies have to be multi-layered. Indeed, while damage control is typically conceptualized as taking place after the occurrence of a damage causing event, it should also include an anticipatory component, both dealing with communication planning and pre-event communication. Furthermore damage control narrative can not exclusively focus on general public relations discourse, but should also include reflexive components, i.e. narrative elements targeted at organization members themselves in the one hand, and addressing the cybersecurity strategy itself in the other hand. This presentation will explore this specific aspect of damage control specifically addressing communication related to cybersecurity measures and strategies. We will first identify which components of the cybersecurity policy, measures, and training of the organization workforce can be the target of communication. We will then explore how communicating about these aspects can be done within the organization. We will finally discuss how communicating about these elements can be done outside of the organization specific context and network, before and after the occurrence of damaging events, and how such communication may not only contribute to the degree of security of the assets of the organization, but also to its overall reputation and branding.

Matthieu J. Guitton is Full Professor at the Faculty of Medicine and Full Professor at the Graduate School of International Studies at Université Laval (Quebec City, QC, Canada), Fellow of the Royal Anthropological Institute, and Senior Researcher/Group Leader at the CERVO Brain Research Center (Quebec City, QC, Canada). He is the Editor-in-Chief of the Computers in Human Behavior family of journals, which includes Computers in Human Behavior (the world leading journal in the field of cyberpsychology), and Computers in Human Behavior Reports, and serves on several other editorial boards, such as Acta Psychologica (where he acts as the Psychology and Technology Section Editor) and Current Opinion in Behavioral Sciences. A graduate from the University of Rouen and Université Pierre et Marie Curie - Paris VI, he obtained his PhD from the University of Montpellier (France) and was a Koshland Scholar/Postdoctoral Fellow of Excellence at the Weizmann Institute of Science (Israel). He has published over 120 research papers, book chapters, or editorials on subjects ranging from neuropharmacology and health sciences to cyberpsychology, cyberbehavior, or security issues. Some of his recent works have appeared in journals such as Computers in Human Behavior, the International Journal of Intelligence and CounterIntelligence, or the International Journal of Intelligence, Security, and Public Affairs. He has been invited speaker or guest lecturer by numerous universities across the world, such as the Embry-Riddle Aeronautical University (USA), the Russian Academy of Science, or the Renmin University of China.

Faking at Level 1 - How Digital Twins Save Your PLCs

Thomas Weber (CyberDanube / Security Reseracher)

Every year, numerous big and small incidents in industrial environments, like power plants, factories, or food supply find their way into newspapers. All those affected industries are backed by highly branched and historically grown Operational Technology (OT) networks.
A big portion of such incidents would have been avoidable, if network segmentation was done correctly and patches for user devices (not always possible in OT) were installed.Despite such known problems, that also lead to compromisation of traditional IT networks, a bunch of unknown vulnerabilities are unfortunately also present in OT infrastructure.

OT in modern factories contains of networked (and smart) devices, especially on level 1, also called the control level, of the Purdue model. Devices, like PLCs, industrial router/switches, data diodes, and more cannot be easily tested if they are in use by the factory. Therefore, solutions for classification and monitoring from different vendors are in use to not put the running infrastructure at risk. These non-intrusive ways for getting a picture about the running infrastructure only give a partial overview of the vulnerability landscape of the OT network but cannot detect unknown vulnerabilities. The testing of such expensive devices instead of using them is often not desired due to the price, and spare items must be available, which is the reason why those devices can't be touched too.

For this reason, digital twins - in terms of virtualization - from the devices in the factory should be created for pentesting purposes. These twins can be build with different tools (open source/ closed source) and have been used for identifying 0-days during an ongoing research project. After the creation, the virtual appliances were connected to form a full fletched OT network, to imitate a real industrial environment. Testing these virtual appliances does not harm the real infrastructure, but provides a lot of valuable information about the systems in scope.

This was tested in practice during engagements and has been recreated and edited for a talk which also includes vulnerabilities that were discovered during such a test setup.

Thomas is co-founder and security researcher at CyberDanube in the field of embedded systems, (I)IoT and OT and wrote numerous security advisories in the past. Besides his past employment, he developed an emulation system for firmware in the course of scientific work. In the past, he spoke at conferences like HITB, BlackHat, IT-SECX, HEK.SI and OHM(international).

Hacker To Honcho

Darren Jones & Julian Botham (Valencia Risk)

How do young professionals stand out in the cybersecurity sector nowadays? This is the question tackled by two cybersecurity consultants from Canada in this presentation.

From the perspective of a more recent addition to the cybersecurity industry, Julian Botham describes how his interest in cybersecurity paved the way for a cybersecurity career and the role that research, analysis, and constant growth contributed to that

With a cybersecurity career spanning over three decades, Darren Jones provides insight in the best ways for young professionals to leave their mark on the work they do. Through his experience, he details the importance of developing team building skills and establishing a niche in a team based on interests and talents.

Darren Jones is an innovative and creative IT leader both in industry and as a consultant. He has led the way to assist clients with cybersecurity reviews, cyber strategy development, solutions implementation, 24x7 security monitoring and incident response. Darren has extensive experience with the NIST CSF and has formulated many cyber strategies using this framework as an anchor.

Julian Botham has been a part of the cybersecurity industry for 3 years and has quickly risen within his company. He is a published author on the Public Policy Forum paper Beyond The Digital Status Quo. On a day-to-day basis, Julian performs penetration tests, vulnerability assessments, and contributes his knowledge of the industry to his peers as a part of a mentorship program.