5G core networks, with their promise of tailored connectivity and enhanced capabilities, have
become increasingly popular across industries from diverse sectors ranging from manufacturing, healthcare and smart cities to defense networks. With the integration of mission-critical systems and sensitive data transmission, organizations face an urgent need to fortify their 5G core networks against evolving cyber threats.

One of the critical challenges here lies in the shortage of expertise and the requisite skillset to
effectively secure 5G networks. This gap manifests in various stages, from the initial deployment phase to ongoing testing and adaptation. The need for specialized knowledge in mobile network attacks, secure deployment practices, and testing methodologies becomes apparent and our training is your key to mastering the art of safeguarding 5G networks.
This training program is not just about theory; it's a journey through practical application and real- world scenarios. Get ready to immerse yourself in hands-on exercises, simulations, and practical demonstrations that mirror the challenges faced by 5G security professionals. The training will cover a wide range of topics, including 5G network architecture, threat modeling, risk assessment, defense-in-depth strategies and 5G security features and their role in protecting the modern day virtualized core networks against potential attacks.

Through practical exercises and case studies, hackathon experiences, participants will learn about new ways to attack core networks by exploiting device and network authentication issues, vulnerabilities in network slicing, by deploying rogue network functions, container breakouts, and invesitgate the potential for data interception and manipulation. This hands-on experience is achieved entirely in an ethically controlled test environment with security testing tools and techniques, including reconnaissance, penetration testing and vulnerability scanning. The training will also cover advanced topics such as fuzzing the service based and Telecom APIs.

By the end of this training, participants will be equipped with the technical expertise to design, implement, and maintain secure 5G core networks. They will have the confidence to tackle the security challenges posed by 5G technology and ensure the availability, integrity and confidentiality of their networks.

2. Course overview
Detailed plan

Module 1: Understanding 5G Architecture and Security Foundations
Overview of 5G architecture and Network IDs
Security requirements for UE, AMF, SEAF, UDM by 3GPP
Exploring SUCI, 5G-AKA, EAP-AKA, NAS, and AS crypto
Understanding 3GPP 33.501 standards and NIST guidelines
Securing backhaul, interconnect SEPP, private 5G, and MEC
Authentication, Authorization, and Cryptography for Network Functions

Module 2: Comprehensive Threat Modeling and Risk Assessment
Identifying security challenges and risks in the 5G core
Using MITRE FiGHT framework for attack tactics and techniques
Analyzing new attack patterns for 5G sliced networks (MEC, NFV)
Strategies for 5G core and RAN assessments with 5G EU toolbox
Ensuring security compliance and assurance with 3GPP SCAS/SECAM
Conducting audits using Network Equipment Security Assurance (NESAS)

Module 3: In-Depth 5G System Vulnerability Analysis
Evaluating 5G System and network attacks
Understanding stages of core exploitation and entry points
Examining attacks on User-to-network and network-to-network interfaces
Assessing reconnaissance, exploitation, and persistence strategies
Identifying rogue network functions, APIs, and spoofed slices
Uncovering threats like protocol tunneling and MEC exploitation
Exploring supply chain security for network function containers

Module 4: 5G Security Pentesting Techniques
Overview of tools and techniques for pentesting 5G interfaces and endpoints
Probing network functions over HTTP/2
Fuzzing 3GPP core interfaces NGAP (N1/N2) and core service-based APIs
Conducting core network intrusion (via N1/N2, SEPP) and container breakouts
Securing IoT service platform application security (Northbound APIs)

Module 5: Hands-On Exercises: Simulations and Assessments
Simulating an end-to-end 5G multi-slice network
Network reconnaissance and intrusion into an on-site 5G core network testbed
Vulnerability scanning for 5G core
Executing inter-slice compromise attacks via NRF/AMF/SEAF/UDM
Insider data theft on UPF/UDR
Auditing 5G AMF using SECAM 33.512
Investigating PFCP exposure, DoS, and hijacking

Module 6: Defense-in-Depth Strategies
Establishing network function (container) access and monitoring rules
Implementing network border firewall rules for MNO interconnect
Utilizing 5G network analytics and log monitoring (NWAF)
Ensuring secure communication proxy for 5G core
Enhancing NEF/SCEF security via Telecom API Top 10
Incorporating supply chain security testing and monitoring

Module 7: Case Studies
Security assessment of 5G core network protocols
Intrusion scenarios to 5G core via commercial exposure function (NEF/SCEF)
Examining 5G private core configurations and security settings

Overall, this advanced 5G practical security training will provide attendees with a comprehensive understanding of the security risks and vulnerabilities associated with 5G networks, as well as the knowledge and tools to implement effective security measures to protect their networks and data.

3. Takeaways

Technical expertise in 5G core security and protocols: Gain an in-depth understanding of 5G
core network security and protocols, which will enable them to perform effective penetration testing on 5G networks. They will be able to identify and exploit vulnerabilities in 5G core networks, and devise strategies to secure these networks against potential attacks.

Practical skills in using 5G pentesting tools and techniques: Learn how to use the latest 5G
pentesting tools and techniques to perform vulnerability assessments, penetration testing, and exploit development on 5G networks. They will also learn how to evaluate and select the most appropriate tools and techniques for specific testing scenarios.

Awareness of 5G security challenges and best practices: Exposure to the latest 5G security
challenges and best practices, including network slicing security, network function virtualization security, and secure communication between 5G core network entities. They will gain an understanding of how these challenges can be mitigated using best practices, and be able to apply these practices in their own organizations to ensure the security of their 5G networks.

4. Students are provided with

• Pentesting tools custom-made for recon, core intrusion, & PFCP testing
• Access to 5G virtual lab that models a multitude of threats inside a sliced core network
• 5G Network traffic monitoring and analysis tools for core and devices
• Case studies and real-world example like exploits for IoT service platforms, API traffic
• Virtual machine files packaged with all test, and evaluation tools

5. Who should attend:

This course is ideal for wireless and mobile network security architects, telecom engineers,
security researchers/practitioners, and students (advanced graduate students), or anyone interested in understanding: 5G security aspects, and new security improvements, and how they contribute to build secure next-generation networks.

6. Pre-requisite knowledge for students

A basic understanding of at least either wireless communications or security is
recommended for participation in this course. Furthermore, knowledge of basic concepts of telecom technologies like 2/3/4/5G systems, clouds, micro services, and APIs is desirable. Good knowledge and usage of Wireshark and one or more programming/scripting languages is also highly recommended.

7. Hardware / software requirements for students

A laptop with linux OS (preferably latest Ubuntu), USB3 support and support for running
Virtual machines and dockers.

8. Format:

In-person / Virtual

9. Duration

2-day training
Note: This training program ensures a legal and compliant environment by explicitly excluding the use of cellular RF equipment and refraining from transmitting in licensed frequencies. Participants engage in a secure and simulated learning experience that adheres to regulatory guidelines and ethical standards.

Have you ever thought of hacking web applications for fun and profit? How about playing with authentic, award-winning security bugs identified in some of the greatest companies? If that sounds interesting, join this unique 100% hands-on training!

I will discuss security bugs found in a number of bug bounty programs (including Google, Yahoo, Mozilla, Twitter and others). You will learn how bug hunters think and how to hunt for security bugs effectively.

To be successful in bug hunting, you need to go beyond automated scanners. If you are not afraid of going into detail and diving into full-stack exploitation, then this 100% hands-on training is for you. There is a lab exercise for each attack presented in this training + students can take the complete lab environment home after the training session.

Watch 3 exclusive videos (~1 hour) to feel the taste of this training:
- Exploiting Race Conditions: https://www.youtube.com/watch?v=lLd9Y1r2dhM
- Token Hijacking via PDF File: https://www.youtube.com/watch?v=AWplef1CyQs
- Bypassing Content Security Policy: https://www.youtube.com/watch?v=tTK4SZXB734

Key Learning Objectives

After completing this training, you will have learned about:

• REST API hacking
• AngularJS-based application hacking
• DOM-based exploitation
• bypassing Content Security Policy
• server-side request forgery
• browser-dependent exploitation
• DB truncation attack
• NoSQL injection
• type confusion vulnerability
• exploiting race conditions
• path-relative stylesheet import vulnerability
• reflected file download vulnerability
• hacking with wrappers
• subdomain takeover
• remote cookie tampering
• non-standard XSS attacks
• hijacking tokens via PDF
• XML attacks
• deserialization attacks
• HTTP parameter pollution
• bypassing XSS protection
• hacking with polyglot
• clickjacking attack
• window.opener tabnabbing attack
• RCE attacks
• and more…

What Students Will Receive

Students will be handed in a VMware image with a specially prepared testing environment to play with all bugs presented in this training (*). When the training is over, students can take the complete lab environment home to hack again at their own pace.

(*) The download link will be sent after signing a non-disclosure agreement and subscribing to Dawid Czagan's newsletter.


Special Bonus

The ticket price includes FREE access to Dawid Czagan's 6 online courses:

• Start Hacking and Making Money Today at HackerOne
• Keep Hacking and Making Money at HackerOne
• Case Studies of Award-Winning XSS Attacks: Part 1
• Case Studies of Award-Winning XSS Attacks: Part 2
• DOUBLE Your Web Hacking Rewards with Fuzzing
• How Web Hackers Make BIG MONEY: Remote Code Execution

What Students Say About This Training

This training has been very well-received by students around the world. References are attached to Dawid Czagan's LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/). They can also be found here: https://silesiasecuritylab.com/services/training/#opinions - training participants from companies such as Oracle, Adobe, ESET, ING, …

What Students Should Know

To get the most of this training intermediate knowledge of web application security is needed. Students should be familiar with common web application vulnerabilities and have experience in using a proxy, such as Burp Suite Proxy, or similar, to analyze or modify the traffic.

What Students Should Bring

Students will need a laptop with 64-bit operating system, at least 8 GB RAM, 35 GB free hard drive space, administrative access, ability to turn off AV/firewall and VMware Player/Fusion installed (64-bit version). Prior to the training, make sure there are no problems with running x86_64 VMs. Please also make sure that you have Internet Explorer 11 installed on your machine or bring an up-and-running VM with Internet Explorer 11.

Modern IT systems are complex and it’s all about full-stack nowadays. To become a pentesting expert, you need to dive into full-stack exploitation and gain a lot of practical skills. That’s why I created the Full-Stack Pentesting Laboratory.

For each attack, vulnerability and technique presented in this training there is a lab exercise to help you master full-stack pentesting step by step. What’s more, when the training is over, you can take the complete lab environment home to hack again at your own pace.

I found security bugs in many companies including Google, Yahoo, Mozilla, Twitter and in this training I’ll share my experience with you. The content of this training has been carefully selected to cover the topics most frequently requested by professional penetration testers.


Key Learning Objectives

After completing this training, you will have learned about:

• Hacking cloud applications
• API hacking tips & tricks
• Data exfiltration techniques
• OSINT asset discovery tools
• Tricky user impersonation
• Bypassing protection mechanisms
• CLI hacking scripts
• Interesting XSS attacks
• Server-side template injection
• Hacking with Google & GitHub search engines
• Automated SQL injection detection and exploitation
• File read & file upload attacks
• Password cracking in a smart way
• Hacking Git repos
• XML attacks
• NoSQL injection
• HTTP parameter pollution
• Web cache deception attack
• Hacking with wrappers
• Finding metadata with sensitive information
• Hijacking NTLM hashes
• Automated detection of JavaScript libraries with known vulnerabilities
• Extracting passwords
• Hacking Electron applications
• Establishing reverse shell connections
• RCE attacks
• XSS polyglot
• and more …

What Students Will Receive

Students will be handed a VMware image with a specially prepared lab environment to play with all attacks, vulnerabilities and techniques presented in this training (*). When the training is over, students can take the complete lab environment home to hack again at their own pace.

(*) The download link will be sent after signing a non-disclosure agreement and subscribing to my newsletter.


Special Bonus

The ticket price includes FREE access to my 6 online courses:

• Fuzzing with Burp Suite Intruder
• Exploiting Race Conditions with OWASP ZAP
• Case Studies of Award-Winning XSS Attacks: Part 1
• Case Studies of Award-Winning XSS Attacks: Part 2
• How Hackers Find SQL Injections in Minutes with Sqlmap
• Web Application Security Testing with Google Hacking

What Students Say About My Trainings

References are attached to my LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/). They can also be found here: https://silesiasecuritylab.com/services/training/#opinions – training participants from companies such as Oracle, Adobe, ESET, ING, …


What Students Should Know

To get the most of this training intermediate knowledge of pentesting and web application security is needed. Students should have experience in using a proxy, such as Burp Suite Proxy, or similar, to analyze or modify the traffic.


What Students Should Bring

Students will need a laptop with 64-bit operating system, at least 8 GB RAM, 35 GB free hard drive space, administrative access, ability to turn off AV/firewall and VMware Player/Fusion installed (64-bit version). Prior to the training, make sure there are no problems with running x86_64 VMs.

This course is the culmination of years of experience gained via practical penetration testing of Modern Web and Desktop applications as well as countless hours spent doing research. We have structured this course around the OWASP Security Testing Guide. It covers the OWASP Top Ten and specific attack vectors against Modern Web and Desktop apps. This course provides participants with actionable skills that can be applied immediately from day 1.

Please note our courses are 100% hands-on. We do not lecture students with boring bullet points and theories, instead we give you practical challenges and help you solve them, teaching you how to troubleshoot common issues and get the most out of this training. The training then continues after the course through our frequently updated training portal, for which you keep lifetime access, as well as unlimited email support.

Each day starts with a brief introduction to the Modern platform (i.e. Node.js, Electron) for that day and then continues with a look at static analysis, moves on to dynamic checks, finishing off with a nice CTF session to test the skills gained.

Day 1​: Focused specifically on Hacking Modern Web Apps: We start with understanding Modern Web Apps and then deep dive into static and dynamic analysis of the applications at hand. This day is packed with hands-on exercises and CTF-style challenges.

Day 2: Focused on Hacking JavaScript Desktop Apps: We start with understanding JavaScript Desktop apps and various security considerations. We then focus on static and dynamic analysis of the applications at hand. The day is filled with hands-on exercises ending with a CTF for more practical fun.

# Training Outline #

## Course Objectives ##

This course will take any student and make sure that:
- The general level of proficiency is much higher than when they came
- The skills acquired can be immediately applied to modern Web and Desktop app security assessments
- Skills can be sharpened via continued education in our training portal for free
- The student is equipped to defeat common Web and Desktop app assessment challenges
- Everybody will learn a lot in this training.
- Advanced students will come out with enhanced skills and more efficient workflows
- The skills gained are highly practical and applicable to real-world assessments

## Attendees will be provided with ##

- Lifetime access to training portal, with all course materials
- Unlimited access to future updates and step-by-step video recordings
- Unlimited email support, if you need help while you practice at home later
- Interesting vulnerable apps​ to practice
- Digital copies of all training material
- Custom Build Lab VMs
- Purpose Build Vulnerable Test apps
- Source code for test apps
- A USB pendrive with materials

## Topics Included ##

1. Review of Common Flaws in Source Code and at Runtime
2. Desktop App Modification of Behavior Through Code/Configuration Changes
3. Web & Desktop - Interception of Network Communication and MitM-proxy techniques to find security flaws in these platforms
4. Platform-specific attack vectors against Modern Web apps & mitigation
5. Platform-specific attack vectors against JavaScript Desktop apps & mitigation
6. CTF Challenges for attendants to test their skills

## Why should you take this course? ##

This is more than a physical attendance course: You get the physical course but also lifetime access to a training portal with step-by-step video recordings, slides and lab exercises, including all future updates for free.

Students can take the course at their own pace and the training portal access ensures topics can be reviewed on an ad-hoc basis as required by the student online after the course.

This training has been built from real issues seen in real applications, not fabricated vulnerabilities that you will never see in practice.

The goal is to start from the basics and ensure that each student comes out of the training with a significantly higher level of proficiency in the artistry of pentesting.

Students will be taught ways to identify the attack surface of Modern Web and Desktop apps, exploit interesting vulnerabilities and means to fix them. The course walks students through the process of performing security audits of Modern apps. The training also covers effective identification, exploitation and mitigation of common vulnerability patterns against these platforms.

As the course has been written and carefully created by professional penetration testers, after many years of experience, many practical tips will be shared to leverage automation and make penetration testing more efficient as soon as the student goes back to their workplace.

## Top three takeaways ##

- Learn how to find Modern Web and Desktop App vulnerabilities due to common misconfigurations and typical mistakes in framework setups

- Identify and exploit Modern Web and Desktop App security vulnerabilities as efficiently as possible

- Improve your Modern Application Security Testing process leveraging a number of open source tools, as well as lots of tips and tricks shared by the instructors after years of Modern Web and Desktop App penetration testing.

## Upon Completion of this training, attendees will know ##

Completing this training ensures attendees will be competent and able to:
- Review and tamper network communications to exploit security vulnerabilities
- Bypass certificate and public key pinning protections on Desktop apps
- Bypass inadequate Modern Web and Desktop App defences
- Analyze Modern Web and Desktop Apps from a blackbox perspective
- Review Modern Web and Desktop App source code to identify security flaws
- Perform Modern Web and Desktop App security reviews


## Course Content (ToC) ##

### Day 1: Hacking Modern Web apps by Example ###

Part 0 - Modern Web App Security Crash Course
- The state of Modern Web App Security
- Modern Web App architecture
- Introduction to Modern Web App apps
- Modern Web App apps the filesystem
- JavaScript prototypes
- Recommended lab setup tips

Part 1 – Static Analysis, Modern Web App frameworks and Tools
- Modern Web App frameworks and their components
- Finding vulnerabilities in Modern Web App dependencies
- Common misconfigurations / flaws in Modern Web App applications and frameworks
- Tools and techniques to find security flaws in Modern Web App apps

Part 2 - Finding and fixing Modern Web App vulnerabilities
- Identification of the attack surface of Modern Web App apps and general information
gathering
- Identification of common vulnerability patterns in Modern Web App apps:
+ CSRF
+ XSS
+ Access control flaws
+ NOSQL Injection, MongoDB attacks
+ SQL Injection
+ RCE
+ Crypto
- Monitoring data: Logs, Insecure file storage, etc.

Part 3 - Test Your Skills
- CTF time

### Day 2: Hacking JavaScript Desktop apps by Example ###

Part 0 - JavaScript Desktop App Security Crash Course
- The state of JavaScript Desktop App Security
- JavaScript app security architecture and its components
- JavaScript Desktop apps and the filesystem
- Recommended lab setup tips

Part 1 - Static Analysis and Tools
- Tools and techniques to reverse and review JavaScript apps
- Finding vulnerabilities in JavaScript app dependencies
- Identification of the attack surface of JavaScript apps & information gathering
- Static modification of JavaScript apps for analysis and debugging
- Identification of common vulnerability patterns in JavaScript apps:
+ Common misconfigurations
+ Hardcoded secrets
+ Logic bugs
+ Access control flaws
+ URL handlers
+ XSS, Injection attacks and more
- Modifying Modern apps to alter behavior and debug issues

Part 2 - Dynamic Analysis
- Monitoring data: caching, logs, app files, insecure file storage, unsafe storage of app secrets, etc.
- Crypto flaws
- The art of MitM: Intercepting Network Communications
- Defeating certificate pinning at runtime
- The art of Instrumentation: Introduction to ​Frida
- App behavior monitoring at runtime
- Modifying app behavior at runtime

Part 3 - Test your Skills
- CTF time



# Prerequisite of Training Class #

## Hardware & Software: Attendees should bring ##

A laptop with the following specifications:
- Ability to connect to wireless and wired networks.
- Ability to read PDF files
- Administrative rights: USB allowed, the ability to deactivate AV, firewall, install tools, etc.
- Knowledge of the BIOS password, in case VT is disabled.
- Minimum 8GB of RAM (recommended: 16GB+)
- 60GB+ of free disk space (to copy a lab VM and other goodies)
- VirtualBox 6.0 or greater, including the “VirtualBox Extension Pack”

## Student / Prerequisites for attendees ##

This course has no prerequisites as it is designed to accommodate students with different skills:
- Advanced students will enjoy comprehensive labs, extra miles and CTF challenges
- Less experienced students complete what they can during the class, and can continue at their own pace from home using the training portal.

This said, the more you learn about the following ahead of the course, the more you will get out of the course:
- Linux command line basics
- Basic knowledge of Node.js, Electron or JavaScript is not required, but would help.

# Who should attend #

Any Web or Desktop App developer, penetration tester or person interested in Modern Web and Desktop apps, Node.js, Electron o rJavaScript security will benefit from attending this training regardless of the initial skill level:

This course is for beginners, intermediate and advanced level students. While beginners are introduced to the nuances of Modern Web and Desktop App security from scratch, intermediate and advanced level learners get to perfect both their knowledge and skills on the subject. Extra mile challenges are available in every module to help more advanced students polish their skills.

The course is crafted in a way that regardless of your skill level you will significantly improve your Modern App security auditing skills:

If you are new and cannot complete the labs during the class, that is OK, as you keep training portal access, you will learn a lot in the class but can continue from home with the training portal.

If you are more advanced you can try to complete the labs in full and then take the CTF challenges we have for each day, you will likely also attempt to complete some exercises from home later :)

# What to expect #

Lifetime access to training portal (including all future updates), unlimited email support, access to private groups to communicate with other students, access to interesting apps from various countries.

A fully practical class that will seriously improve your Modern Web and Desktop App security knowledge and skills, regardless of the skill level you come in with.
Battle-tested tips and tricks that take your abilities to the next level and that you can apply as soon as you go back to your workplace, making security testing of Modern Web and Desktop apps as efficient as possible.
Intensive hands-on exercises that challenge you to deep dive into the world of Modern App security.

# What not to expect #

This is more than a physical attendance course: You get the physical course but also lifetime access to a training portal with step-by-step video recordings, slides and lab exercises, including all future updates for free.

The course does not cover: 0-days, Windows/Linux/Mac OS exploits, x86 exploit writing, writing buffer or heap overflows.

Do not expect the teachers to be talking through slides most of the time: This class is practical not theoretical, the teachers don’t bore you with slides all the time, instead you do exercises and the teachers help you solve the challenges you face as you complete them.

Social Engineering and Human Intelligence (HUMINT) operations both rely heavily on effectively navigating a person’s mind in order to steer their behavior. As simple as this sounds, “quick and dirty” influence tactics will not take an operator very far. Behavior engineering is a complex, multilayered process that requires a good understanding of human psychology and self-awareness.

In this intensive masterclass, participants will get access to the underlying psychology responsible for the way people think, decide, and act. They will also learn to influence and reshape all three of these layers. What are people’s automatic triggers? How can you engineer predictable action-reaction responses that produce an desirable outcome? How do you cultivate a target into taking specific actions or divulging information? But also, what are the ethical boundaries and moral implications of this process?

The class will revolve around two main pillars:

Understanding humans.
Some of the areas we will cover include:
- Human needs (universal, individual)
- Decision making
- Perception engineering and re-framing
- The person and the situation
- Profiling (online & in-person)

Engaging effectively with human targets:
- Developing the right mindset
- Reading body language
- Using body language to connect, establish trust or communicate authority
- Planning the approach
- Building rapport & engineering trust
- Enhanced influence tactics
- Elicitation
- …and more!

This class is a rare opportunity to gather insights that are almost never been taught in open classes. We will work these concepts around the scenarios of social engineering, covert HUMINT and virtual HUMINT.

The training course is designed for attendees with little to no knowledge of reverse engineering, but who are capable of writing simple programs in a programming language of their choice and also wish to learn reverse engineering of compiled applications.

The course spans a total of 2 days, during which low-level computing and the basics of architectures are explained. The primary target architectures of this course are Intel x86 and AMD x64, where we cover the fundamentals of computing and assembly language. Throughout the course, we will explore how to create basic programs in both C and assembly, and then explore the process of reverse engineering using disassembler, decompiler and debugger on Windows.

Each day of the course emphasises hands-on labs, allowing participants to apply their newly acquired knowledge in practical exercises. Theory alone quickly fades, so our main objective is to help you acquire useful, long-term knowledge by putting it into practice.

Every challenge builds upon the previous one to ensure continuous learning and the overcoming of new obstacles. This approach allows knowledge to be built up reliably and quickly, without wasting time, which is one of the main objectives of this training. The labs are fun and entertaining, providing a great reward for those who can solve them.

The training employs state-of-the-art tools and techniques that mirror those utilised in real-world situations. Any knowledge acquired during the training can be readily applied to real-life objectives following the course.

This two-day hands-on course teaches penetration testers and developers how to analyse Android and iOS applications for security vulnerabilities by going through the different phases of testing, including dynamic testing, static analysis and reverse engineering, using the OWASP Mobile Application Security Testing Guide (MASTG). The OWASP MASTG is a comprehensive and open source guide to mobile security testing for both iOS and Android, providing a methodology and very detailed technical test cases to ensure completeness and using the latest attack techniques against mobile applications. This course will give you hands-on experience with open source tools and advanced methodologies by guiding you through real-world scenarios. This course is delivered by one of the main authors of the MASTG.

## Description

We'll start the first day with an introduction into the OWASP MASTG and Mobile AppSec Verification Standard (MASVS) and dive afterwards into the Android platform and its security architecture.

> It is no longer mandatory for students to bring their own Android or iOS device, instead cloud-based virtualised devices will be provided to each student using Corellium.

Topics include:

- Reverse engineering a Kotlin app and identifying and exploiting a real-world deep link vulnerability through manual source code review.
- Frida crash course to get started with dynamic instrumentation on Android apps
- Intercepting network traffic from applications written in mobile application frameworks such as Google's Flutter
- Bypass different implementations of SSL pinning using Frida
- Explore the differences and effectiveness of reverse engineering Android apps using Smali patching and Dynamic Instrumentation with Frida
- Analyse the local storage of an Android application
- Use dynamic instrumentation with Frida to
- Bypass multiple root detection mechanisms
- Bypass Frida detection mechanisms

Day 2 focuses on iOS, starting with an overview of the iOS platform and security architecture and we will begin to create an iOS test environment using Corellium and dive into several topics, including:

- Statically scanning Swift source code, identifying vulnerabilities and eliminating false positives.
- Intercepting network traffic and examining stateless authentication (JWT) in a mobile application
- A Frida crash course to get started with dynamic instrumentation for iOS applications
- Analysing data stored in the iOS application sandbox
- Demonstration on how to test watchOS apps and it's limitations
- Testing methodology with a non-jailbroken device by repackaging an IPA with the Frida gadget
- Using Frida to bypass runtime instrumentation of iOS applications
- Anti-Jailbreaking Mechanisms
- Frida's detection mechanism

At the end of each day there will be a Capture-the-Flag (CTF) to test two apps using the newly learned skills and you can win a prize!

Whether you are a beginner who wants to learn mobile app testing from the ground up, or an experienced professional who wants to improve your existing skills to perform more advanced attack techniques, or just for fun, this training will help you achieve your goals.

The course consists of many different labs developed by the instructor and is approximately 65% hands-on and 35% lecture.

Upon successful completion of this course, students will have a better understanding of how to test for vulnerabilities in mobile applications, how to suggest the right mitigation techniques to developers, and how to perform tests consistently.

### What students will receive

- Slide decks for the iOS and Android training and all videos for all demonstrations shared in class.
- All vulnerable apps used during the training, either as APK or IPA.
- Detailed write-ups for all labs so you can do them at your own pace after the course.
- Dedicated Slack channel used to help students prepare before the course, communicate during the course and stay in touch after the course for any questions.
- Certificate of completion.

### Prerequisites

The following prerequisites need to be fulfilled by the student in order to be able to follow all exercises and fully participate:

- Laptop (Windows/Linux/macOS) with at least 16 GB Ram and 50GB of free disk space
- Full administrative access, in case of any issues with the laptop environment (e.g. being able to deactivate VPN)
- Virtualization software (e.g. VMware, VirtualBox, UTM); a Virtual Machine will be provided (either X86 or ARM for M1/M2/M3 macBooks) with all tools needed for the training.

An iOS and Android device is NOT needed, as an emulated instance will be provided for each student that is hosted in Corellium. This is a cloud-based environment that allows each student access to a jailbroken iOS device and rooted Android device during the training.

Trailer: https://drive.google.com/file/d/1K7nLy6a9n9DP_-Fj6iSdpP5Yib7C8-nV/view


Modern web applications are complex and it’s all about full-stack nowadays. That’s why you need to dive into full-stack exploitation if you want to master web attacks. Say ‘No’ to classical web application hacking, join this unique video training, and take your professional pentesting career to the next level.

Dawid Czagan has found security bugs in many companies including Google, Yahoo, Mozilla, Twitter and in this video training he will share his experience with you. You will dive deep into full-stack exploitation of modern web applications and you will learn how to hunt for security bugs effectively.


Almost 5 hours of high-quality video courses with lots of recorded demos

You will get lifetime access to these 5 video courses:

1. Bypassing Content Security Policy in Modern Web Applications
- Introduction
- Bypassing CSP via ajax.googleapis.com (FREE VIDEO)
- Bypassing CSP via Flash File
- Bypassing CSP via Polyglot File
- Bypassing CSP via AngularJS

2. Hacking Web Applications via PDFs, Images, and Links
- Introduction
- Token Hijacking via PDF (FREE VIDEO)
- XSS via Image
- User Redirection via window.opener Tabnabbing

3. Hacking AngularJS Applications
- Introduction
- AngularJS: Template Injection and $scope Hacking (FREE VIDEO)
- AngularJS: Going Beyond the $scope
- AngularJS: Hacking a Static Template
- Summary

4. Exploiting Race Conditions in Web Applications
- Introduction
- Exploiting Race Conditions – Case 1 (FREE VIDEO)
- Exploiting Race Conditions – Case 2
- Case Studies of Award-Winning Race Condition Attacks

5. Full-Stack Attacks on Modern Web Applications
- Introduction
- HTTP Parameter Pollution (FREE VIDEO)
- Subdomain Takeover
- Account Takeover via Clickjacking


What students should know

• Common web application vulnerabilities

What students will learn

• Become a web hacking expert
• Dive into full-stack exploitation of modern web applications
• Learn how hackers can bypass Content Security Policy (CSP)
• Discover how web applications can be hacked via PDFs, images, and links
• Explore how hackers can steal secrets from AngularJS applications
• Check if your web applications are vulnerable to race condition attacks
• Learn about HTTP parameter pollution, subdomain takeover, and clickjacking
• Discover step by step how all these attacks work in practice (DEMOS)
• Take your professional pentesting career to the next level
• Learn from one of the top hackers at HackerOne

What students will receive

Students will receive lifetime access to almost 5 hours of high-quality video courses with lots of recorded demos (hosted on the 3rd party platform Grinfer; subject to terms of use and privacy policy). The access link will be sent after subscribing to Dawid's newsletter.


What students say about Dawid's trainings

References are attached to Dawid's LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/). They can also be found here: https://silesiasecuritylab.com/services/training/#opinions - training participants from companies such as Oracle, Adobe, ESET, ING, …

International Political Commentator Randahl Fink presents the latest frontier of the modern security war: attacking the minds of millions. For 8 decades, the atomic bomb has been the ultimate weapon. In 1945, the US showed its horrific power by killing 200,000 Japanese citizens, thereby forcing the Empire of Japan to surrender and ending World War II. Historically, no other weapon has had more influence on the balance of power — but this is about to change. For there is a new weapon which allows malicious actors to destabilise entire countries without killing a single human being. And when the new digital bomb drops, empires will fall.
In this presentation, Randahl Fink will discuss the security risks of the increased decoupling of human interaction from the physical world, and explore how direct and indirect abuse of social media and their content curation algorithms can affect the minds of millions and potentially be leveraged for hacking democracy itself.
Using examples of X, Threads and Mastodon, Randahl Fink will illustrate the dangers of viewing the world through an algorithmic lens, and discuss potential adversaries, their motives, and potential attack vectors, including disinformation, moderation exploitation, dislike attacks and more. Finally, the presentation takes a critical look at our political reality — are our politicians prepared for this new weapon? And what can we as individuals do to become more resilient and to counter the mind bomb?

The industry is going crazy with electronics and some major technological standards. Especially some things like IoT, ICS, SCADA, IoTMT and automotive. Being a 500Bn$ industry there could be some major issues when we try to understand the criticality behind the devices.

But, we tend to ignore the key components like Sensors, actuators, ADCs and Band pass filters. Since, they are being ignored and only things like serial debuggers, firmware, mcus and eprom chips ignore the idea that even the slightest of the ignorance in them can lead to havoc.

For example: OT and SCADA systems have a major impact on the industry, where the criticality and impact is very high.

In this paper, we are going to discuss some critical attacks which can be done on an IoT system with targeting sensor based systems and analog devices.

Are we standing at the brink of an AI Armageddon? With the rise of Generative AI (GenAI), cybercriminals allegedly now use unprecedented AI tools, flooding the digital world with sophisticated, unblockable threats. This talk aims to dissect the hype and uncover the reality behind the use of GenAI in cybercrime.

We will explore the growing use of deepfakes in scams, exemplified by a million dollar fake BEC video conference call. From son-in-trouble scams to KYC bypass schemes, deepfakes are becoming versatile tools for cybercriminals and a nightmare for defenders. Turning to phishing attacks, we’ll discuss how GenAI personalizes and automates social engineering, significantly increasing the volume of attacks. However, they still require an account to send from and some payload. Having the ultimate phishing text does not mean you are not blocked. We'll also showcase how GenAI can generate basic malware, similar to malware toolkits, and explore advanced threats like polymorphic/metamorphic malware that dynamically adapts in real time. By clarifying the differences between AI-generated, AI-aided, and AI-powered threats, we reveal that while GenAI facilitates threat distribution, true AI-powered malware is still rare. While GenAI scales and speeds up attacks, it does not fundamentally create completely new threat patterns, allowing behavior based and anomaly detections to remain effective against them. We will discuss additional threat concepts such as the self-replicating indirect prompt injection worm Morris II, which exploits filtering weaknesses in Retrieval Augmented Generation (RAG) systems and AI apps. In conclusion, we will draw the balance between current AI-powered threats and the defender, and highlight future research areas, such as finding and exploiting zero-day vulnerabilities and supply chain attacks against GenAI by targeting Pickles and Python.

Join us to learn the difference between the hype and the real impact of AI in cybercrime, and understand what this means for the future of cybersecurity.

Short Abstract:
AI-powered code generators are an innovative and sophisticated technology that boosts productivity and efficiency. However, it is not new that these sophisticated tools are still evolving and often fail to adhere to security best practices, leading to vulnerabilities, inadequate error handling, and insufficient testing in the generated code. As developers increasingly adopt AI technologies to streamline their workflows, the risk of blindly trusting these tools and inadvertently incorporating security flaws escalates.

In this talk, we will explore the security implications of using AI-powered code generators, highlighting real-world examples where these tools have compromised application security. We'll examine the persistent challenges vendors face in addressing these vulnerabilities and where they stand today. Finally, I will present an easy-to-implement solution we researched and found to solve this issue, that comprehensively identifies and decreases the amount of security issues and potential vulnerabilities in code provided by AI-powered code generators.

We’ll give you a small hint: it’s AI.


Long Abstract:
As Artificial Intelligence and Machine Learning continue to evolve at a breakneck pace, security issues are quick to join the party. In this era filled with daily emerging and sophisticated threats, it is crucial for security professionals to stay ahead of these developments to safeguard systems effectively.

This presentation will explore the broad implications of AI on cybersecurity, detailing various novel threats and vulnerabilities that have surfaced. I will particularly focus on application security within the shift-left approach in the development lifecycle when integrating with AI-powered code-generation tools.

We'll explore specific security concerns arising from AI-powered code generators increasingly used by developers and highlight the impact of blindly trusting them and integrating them into code, by presenting cases where they introduce vulnerabilities to code we developed.
We’ll speak about the challenges that code generator vendors are facing with solving this issue that reflect where they stand today.

At the end I will unveil an interesting approach to solve this complex challenge comprehensively.
Talk Structure and Highlights
Introduction to AI and Security (7 minutes)
Overview of AI and ML advancements
Emergence of security challenges
Impact of AI on Cybersecurity
Exploration of security issues and vulnerabilities introduced by AI (15 minutes)
Case studies of AI-powered code generators introducing security issues
Challenges for Code Generator Vendors
The current state of vendor solutions (3 minutes)
Challenges vendors face in addressing security concerns
Our Solution (10 minutes)
Unveiling our approach to solving these challenges
Detailed walkthrough of research phases
Actionable insights for implementation
Questions (5 minutes)
Background Information
Developers are increasingly using AI-powered code generators to speed up their workflow. However, these tools often introduce vulnerabilities, posing significant risks. Our research focused on finding a solution that is both developer-friendly and comprehensive in addressing all security issues.
Main Takeaways
For Developers: Understanding the impact of writing insecure code and how AI tools can introduce vulnerabilities.
For Security Practitioners: Gaining insights into the security implications of integrating AI-powered code generators and learning how to mitigate these risks effectively.
Audience
This talk is designed for both developers and security practitioners at a beginners level. Developers are often frustrated with the added burden of security, as they aim to develop code quickly and efficiently. Code generator AI tools solve this problem but also can introduce vulnerabilities into the code. Providing a comprehensive security solution for this problem is still a challenge. Our approach balances developer convenience with thorough security coverage.
Developers will see the impact of writing insecure code and security practitioners will learn about the implications of integrating AI-powered code generator tools and how to address these challenges quickly and effectively.
Join us as we provide a deep dive into these critical issues, equipping you with the knowledge to improve your security posture in the fast-evolving landscape of AI and ML.

Why do most projects preparing for NIS2 fail in practice? Many affected companies complain about the requirements of EU Directive 2022/2555, which are too unspecific and technically difficult to implement. Excessive demands are spreading. Companies affected are uncertain because of the evaluation of the actual implementation, unlike ISO security certification (e.g. ISO27001/ISO62443). The results are often unsatisfactory despite the sometimes-massive investment in costs and personnel resources. An Excel spreadsheet or a Visio drawing itself does nothing to change the resilience of KRITIS or industrial facilities against cyber-attacks in practice. We focus on industrial customers and their OT infrastructure, using anonymized, real-world examples to show the challenges in practice and offer examples of solutions to prevent repeating past mistakes. The first steps do not have to cost a lot of money or tie up a huge amount of human resources. A little creativity and knowledge of your own processes are often enough to overcome the biggest hurdles and increase the level of protection enormously.

Large Language Models (LLMs) are rapidly evolving, and their capabilities are attracting the attention of threat actors. This presentation explores how malicious actors are utilizing LLMs to enhance their cyber operations, and showcasing available tools based on LLM, as well as an advanced stealer managed by AI.
Cyber Security is a very dynamic field, but there are still a few basic things that haven’t changed for a while, one of them is the attack lifecycle. A full attack lifecycle can be enchased using LLM – and threat actors already use it. There are risks and potential usage in the future. LLM-based tools can play a significant role in various stages of the cyber attack lifecycle.
In this talk I will show how threat actors weaponizing LLM based chats, as well as LLM based chats that were built specifically for threat actors and hackers and how these operate, including smart LLM obfuscation of malware to avoid AV detection. Finally, I will present an undetected - fully LLM operated C2 and Stealer POC.

Cybercriminals now have unprecedented ease in creating their own remote access trojans (RATs), thanks to a plethora of open-source or leaked builders. One can generate a new binary with just a click of a button. We meticulously examine different builders, such as AgentTesla, DCRat, Nanocore, and others, to extract Indicators of Compromise. These indicators serve as valuable instruments for targeted hunting to detect infections within our networks. Building up on my research from last year, “N-IOC’s to rule them all”, we will analyze the binaries the same way, but this time with a focus on open-source builders for RATs.

Initially, we scrutinize the distribution channels of different Trojans, pinpointing where individual builders are accessible for download. These sources range from GitHub, hosted as open-source projects, to other online platforms (such as VX-Underground). Subsequently, we delve into a detailed examination of each Trojan, investigating the diverse infection sources, the locations of persistences, the methods employed for establishing connections with the C2 server, and the array of functionalities embedded within the RATs (with the help of the open-sourced or leaked builder).
This focused analysis of individual Trojans equips us with the capability to identify precise Indicators of Compromise (IOCs) essential for monitoring or conducting targeted hunting within our networks, learning more about the various RATs, and how to fight against them.

Memory safety is a key property of all code (applications and infrastructure). Recently, the NSA has expressed some concerns regarding this issue. The presentation will give you some insights into the memory safety features of C++ and how they relate to other programming languages. The C++ standardisation committee is working on memory safety and other security features for a long time. Modern C++ differs greatly from any C++ techniques used before 2015. The presentation will put a few loose ends into perspective, will show how code can be improved by adopting the secure coding mindset, and what developers need to know about security features of programming languages.

It has become easier to create AI systems due to the availability of numerous options and datasets. These AIs can quickly gain expert knowledge in different domains, enabling attackers to exploit scientific knowledge and target system and data security, which was not feasible before. Although recent studies have highlighted these impacts, a tangible example has been missing. For instance, attackers can use AI's expert knowledge in the healthcare sector to perform complex attacks without needing domain expertise.

Earlier this year, Google launched Health Connect [1], an Android app designed to seamlessly share data between medical and fitness apps, set to replace Google Fit. While Health Connect is robust against conventional cyberattacks, it is susceptible to these emerging threats.

In this talk, we’ll demonstrate an example of these threats by explaining a malicious app we developed. The app gathers data from Health Connect and sends it to a medical AI, which then crafts fake data tailored to the victims' medical conditions. This allows us to steer other apps' output into suggesting incorrect treatments and recommendations without the user noticing. We’ll show how such manipulation could alter diet control, family planning, and diabetes management apps, leading to serious medical issues for the victims.

We’ll conclude with mitigation strategies for developers and technology companies on building AI-resistant technologies and apps.

[1] https://health.google/health-connect-android/

This talk will walk the audience through the dissection of Windows RPC usage in the enterprise software ManageEngine ADAudit Plus, which will unravel two CVEs and crack a CTF-like encryption/decryption process.

In many companies, we find that CISOs and security officers do not have any (in-depth) knowledge of SAP. This is why the topic of SAP security often gets underestimated. Anyone interested in gaining insight into the important basics of SAP technologies can benefit from this highly compact crash course on SAP security. The session will give you an overview about security threats and ways to counter them. It is a sneak preview for a complete SAP security training.

As cyberattacks multiply and become more sophisticated, executive breach simulation toolkits have become essential. Enabling organizations to simulate, predict, and assess the impact of potential security breaches from an executive perspective is necessary to know how to keep organizations safe.

Unfortunately, simulations are broken. Simply put, they don't properly prepare leaders and security practitioners for security breaches. This talk will look at the evolving landscape of breach simulation toolkits designed for security practitioners, focusing on their role in enhancing cybersecurity strategies, incident preparedness, and organizational resilience. We will see how simulations can be engaging, while remaining instructive and preparing people for actual cyber events.

We'll discuss how these toolkits work, why they’re essential for making smarter business decisions around cybersecurity, and how they help align leadership with technical teams. Real-world examples will show how using these tools can strengthen response strategies and enhance communication across the organization.

Attendees will walk away with practical tips on choosing and using the right toolkit for their organization, integrating it into risk management plans, and using it to stay ahead of potential cyber threats. The goal is to give executives a clearer picture of their cybersecurity landscape and how to respond effectively to potential breaches.

Over the past ten years, researchers have extensively explored the vulnerability of Android malware detectors to adversarial examples through the development of evasion attacks. Nevertheless, the feasability of these attacks in real-world use case scenarios is debatable. Most of the existing published papers are based on the assumptions that the attackers know the details of the target classifiers used for malware detection.Nevertheless, in reality, malicious actors have limited access to the target classifiers.

This talk presents a problem-space adversarial attack designed to effectively evade blackbox Android malware detectors in real-world use case scenarios. The proposed approach constructs a collection of problem-space transformations derived from benign donors that share opcode-level similarity with malware applications through the consideration of an n-gram-based approach. These transformations are then used to present malware instances as legitimate entities through an iterative and incremental manipulation strategy.

The presentation will describe a manipulation model that is based on a query-efficient optimization algorithm, which can identify and implement the required sequences of transformations into the malware applications. The model has already been evaluated relative to more than 1,000 malware applications. This demonstrates the effectiveness of the reported approach relative to the generation of real-world adversarial examples in both software and hardware-related scenarios. The experiments that we conducted demonstrate that the proposed model may effectively trick various malware detectors into believing that malware entities are legitimate. More precisely, the proposed model generates evasion rates of 90%–95% relative to data sets like DREBIN, Sec-SVM, ADE-MA, MaMaDroid, and Opcode-SVM. The average number of required computational operations belongs to the range [1..7].

Additionally, it is relevant to note that the proposed adversarial attack preserves its stealthiness against the virus detection core of three popular commercial antivirus softwares. The obtained evasion rate is 87%, which further proves the proposed model’s relevance for real-world use case scenarios.

In many companies, we find that CISOs and security officers do not have any (in-depth) knowledge of SAP. This is why the topic of SAP security often gets underestimated. Anyone interested in gaining insight into the important basics of SAP technologies can benefit from this highly compact crash course on SAP security. The session will give you an overview about security threats and ways to counter them. It is a sneak preview for a complete SAP security training.

This presentation will discuss real-world satellite attacks then continue into an architecture for a cyber resilient software-defined satellite architecture that provides an autonomous cybersecurity self-healing and immunity capability. The discussion will include the concept of a software-defined satellite architecture capable of detecting the undetectable advanced persistent threat then automatically and dynamically morph the configuration to continue uninterrupted mission operations. In addition, the presentation will discuss software-defined satellite cybersecurity deception.

As cloud adoption accelerates, so too does the sophistication of attacks targeting cloud infrastructure. Our talk delves into the evolving landscape of AWS security, focusing on the burgeoning threat of cryptomining. We've witnessed a significant shift in the tactics, techniques, and procedures (TTPs) used by attackers. This session will uncover the latest trends in cloud security, spotlighting new threat groups and their innovative methods for abusing AWS services.

Attendees will learn about real-world threats involving AWS resources. We will explore the intricate ways these attackers infiltrate and collaborate with other groups in a large black market for credentials. Our discussion will also cover proactive strategies for detection and mitigation, empowering security professionals to safeguard their cloud infrastructure against these evolving threats.

I want to give an overview on Germany's digital administrative architecture, the role of municipal administration and security expertise, the software ecosystem for public administration, relevant threats to municipal administrations, and how security experts could help.

In recent years, the field of quantum computing has seen remarkable advancements, prompting concerns about the security of current public key cryptosystems in the development's event of sufficiently powerful quantum computers. Kyber, a post-quantum encryption technique relying on lattice problem hardness, has recently been standardized. However, despite rigorous testing by the National Institute of Standards and Technology (NIST), recent investigations have revealed the efficacy of Crystals-Kyber attacks and their potential impact in real-world scenarios.
Following the publication of the paper "Breaking a Fifth-Order Masked Implementation of CRYSTALS-Kyber by Artificial Intelligence" discussions have emerged regarding the vulnerability of the post-quantum crypto system Kyber. The authors propose a side-channel attack leveraging artificial intelligence, specifically employing a neural network training method known as recursive learning to compromise the system.
Our study explores CRYSTALS-Kyber's susceptibility to side-channel attacks. We find that in the reference implementation of Kyber512, certain additional functions can be compromised through selected ciphertexts, facilitating successful attacks. Notably, real-time recovery of the entire secret key becomes feasible under various assault scenarios.

At DeepSec, I will provide an in-depth explanation of how Kyber operates and conduct a comprehensive analysis of the attack vectors targeting it. We will delve into the question whether Kyber has indeed been compromised. Additionally, during the conference, I will present a protective mechanism designed to mitigate the impact of such attacks.

Social media, and our communications systems, have devoured any semblance of privacy, putting the eyes and ears of authoritarian and wannabe fascist types into the pockets of each of us; radically erasing whatever distance once existed between those who exercise authority and the human objects of their control, both at home and abroad. As Professor Ronald J. Deibert, founder of Citizen Lab, eloquently highlights in his book "Reset: Reclaiming the Internet for Civil Society": "...recent years have brought about a disturbing descent into authoritarianism, fueled by and in turn driving income inequality in grotesque proportions the rise of a kind of transnational gangster economy."
As we continue our descent into a global madness, fueled by AI, spyware, algorithms, and misinformation, tyrants around the world continue to expand their toolbox. Through our talk, we examine their weapons through which they maintain their stranglehold on power, whether in an authoritarian regime or an illiberal democracy. Building upon our paper, "Eyes in The Skies: A Study of Spyware's Usage by Authoritarian and Illiberal Regimes," we expand our scope to better understand what technology is enabling these frightening trends. Our aim is to contribute to the awareness of these trends and empower those who wish to combat them.

Continuous improvement/training is in the DNA of cybersecurity professionals, specifically for incident responders, which are always searching for new ways to learn and practice their technical and analytical crafts. This is even more the case in mature environments where Incident response teams may find themselves in a situation with few high stakes incidents, preventing them from applying their technical and thinking skills, thus lowering their readiness when a crisis occur.

LLMs based conversational agents are becoming mainstream and applications are countless.

In the meantime, Tabletop Role-Playing Games (TTRPG) are found to be a great breeding ground for creativity and fun. To achieve the benefits of this game, preparation is needed and a game master must be present to keep the players engaged.

So we leveraged the power of AI, mixed automation and past experiences/lessons learned with the fun of TTRPG to provide a new tool for incident responders to practice live sessions... In this talk, we will present our new Mattermost-enabled game that allows players to be confronted with dire situations.

Linux has become a driving factor in the industrial and automotive domain. Vehicles are already a complex network of electrical components. In recent years the technology stack and connectivity of vehicles have drastically evolved. Is all this complexity still safe and secure?

How can embedded systems running different bus systems and physical interfaces be protected against modern attackers? The now mandatory updates of on-board components in these vehicles have introduced even new security challenges to this evolving landscape. Common Linux security measures, including capabilities, permissions, and mandatory access control, are already hitting their limits. The use of eBPF technologies promises a flexible way to define security at runtime without the need to change the application code. Will this be as transformative for the embedded sector as it has been for the cloud?

This talk presents hands-on the internals of embedded security and shows how eBPF can be employed for defenses on automotive and embedded systems running Linux.

The development landscape includes an ever-changing set of security practices. It has finally become standard practice to perform penetration testing, run threat modeling, teach developers about security, push left, and have zero trust. This shows the industry is better off today than in previous years. Or does it? Get a taste for the real history of security and why everything old is new again. See security failures as they existed in years past and how they still exist in modern examples from the last year. Finally, explore the strategies that effectively catch these problems early in the development lifecycle without spending a fortune on security snake oil.

Customs duties and trade restrictions are increasingly presenting companies with logistical challenges. The trend is to relocate production capacities to the relevant countries to be close to the customer. But how can a company safely move an industrial plant abroad without risking the loss of its own IP (intellectual property)? By using a practical example, we demonstrate how to enable a commercially available Simatic S7 1500 PLC to keep control over the PLC program stored in the controller and its parameters. To achieve this, we implement strong cryptography within the device. The challenge here is that the device does not have the necessary functionality “out of the box”. How can we make sure that production does not take on a life of its own (secure manufacturing)? Regardless of the PLC used, industry has successfully implemented this practical example for years. Experience with programming PLC controls is not required.

Content Warning: This talk may include mention of child sexual abuse and exploitation.

In this talk, we want to give an overview of our research into Client-Side Scanning (CSS) and follow-up work on safety in end-to-end encrypted messaging concerning sexual risks.

Client-Side Scanning (CSS) is discussed as a potential solution to contain the dissemination of child sexual abuse material (CSAM). A significant challenge associated with this debate is that stakeholders have different interpretations of the capabilities and frontiers of the concept and its varying implementations. 
In current work, we explore stakeholders' understandings of the technology and the expectations and potential implications in the context of CSAM by conducting and analyzing 28 semi-structured interviews with a diverse sample of experts.

We identified mental models of CSS and the expected challenges. 
Our results show that CSS is often a preferred solution in the child sexual abuse debate due to the perceived lack of an alternative.
Our findings illustrate the importance of further interdisciplinary discussions to define and comprehend the impact of CSS usage on society, particularly vulnerable groups such as children, on whom CSS would have a detrimental impact.

Why should you care? Child sexual abuse and exploitation (CSAE) is a global problem hurting every society. The introduction of Client-Side Scanning would have far reaching consequences not only for individuals but also for companies. Understanding what it is and can be is a first step at participating in the discussion. Since CSS won't solve the root problem of CSAE, it is also imminent to research alternatives that give agency to users to protect themselves from these crimes online. However, sexual abuse and exploitation are not only problems for youth; adults can also fall victim to these crimes. Thus, protective mechanisms are important for everyone.

This research is dedicated to enhancing the cybersecurity of electric vehicles, with a specific focus on identifying vulnerabilities in the Electric Vehicle Communication Controller (EVCC). This controller facilitates communication with the Supply Equipment Communication Controller during the charging process. Accessible through the On-Board Charging (OBC) port, which is as publicly available as the gas tank in combustion engine vehicles.

The research journey began by studying the electric vehicle charging ports, how they communicate, and the standards they follow, especially focusing on ISO 15118. Then, we closely looked at how On-Board Charging (OBC) works, especially its communication protocols during charging, with a special focus on the High-Level Communication (HLC).

Our research efforts resulted in the development of a dedicated security tool. This tool is designed to examine and assess the implementation of the EVCC (Electric Vehicle Communication Controller). It can simulate the behaviour of the SECC (Supply Equipment Communication Controller) during charging and includes extra features to simplify the process of enumeration and fuzzing the EVCC during charging operations.

In this talk, we’ll explore the world of electric vehicle cybersecurity, focusing on charging communication, vulnerabilities in EVCC implementation, and the development of a dedicated security tool. We’ll discuss charging standards, communication protocols, and real-world scenarios to understand the evolving landscape of electric mobility cybersecurity. Additionally, we’ll showcase and discuss the hardware required for connecting to the vehicle charging port.

This meta-study of scientific security journals and a user survey examines the most common cybersecurity threats and solutions for smart home devices. But do the researched topics correspond to the security threats encountered in practice? This talk will explore the tension between research interests and practical applications, and present opportunities for improving the cybersecurity of smart home devices.

ASVS is awesome! At the same time it contains 200+ requirements. Even after localising it for your context, it’s likely to have 100+ relevant requirements. Can we - the security team - ask the developers to go through this list for every feature?

We can, but how likely it is to happen in a modern DevSecOps environment, and what will be the quality of the engagement with ASVS?

(Also, spreadsheets are boring and everyone hates them). Can we do better? Yes!

Retrieval-Augmented Generation (RAG) is the process of optimising the output of a large language model, so it references an authoritative knowledge base outside of its training data sources before generating a response. Luckily, ASVS is a very “graphy” data that lends itself well to being stored in a graph format.

Using this graph as the authoritative knowledge base, we use semantic similarity search on the feature description to look up relevant ASVS requirements, which is already very useful on its own. But passing these requirements as context to OpenAI or another LLM gives further useful results, reducing hallucinations and giving the developers specific security requirements for their feature that are based on ASVS.

Bottom line: Don’t let ASVS become a chore, let the developers have an easy initial engagement with it. They can always go deeper if needed.

The workflow we’ve achieved in our engineering org: Let the tool run on internal portal. Developers provide a feature description (a paragraph or though), the tool gives them top-10 most relevant ASVS requirements and some further recommendations based on these requirements. Lots of ideas for refining and expanding, we’ll discuss some of these.

We released as open source the prototype tool and the underlying graph database including pre-calculated vector embeddings for semantic similarity search: https://github.com/neo4j-examples/appsec-asvs-bot

The ideas in this talk will help AppSec engineers with their scaling and culture building efforts, and will help all the developers/builders to get some security impact in their features fast.

The new EU Directive EU 2019/1020, also known as the "Cyber Resilience Act" or “CRA” for short, defines new rules for manufacturers of hardware and software with "digital elements". For device manufacturers in the medical, industrial and entertainment sectors, the time to act is now. Security updates, vulnerabilities and an extended duty of care for the life cycle are now enforced by law. However, hardware production, such as IoT devices, poses particularly new challenges. What many do not know: Many vulnerabilities are due to physics and are not "bugs" in the conventional sense. As part of the "DeepSec Secure Coding" series, we put the spotlight on the challenges of developing secure hardware and show the vulnerabilities using the example implementation of a bootloader for embedded systems. How to keep control over updates? What is "Secure Boot" and why does the compiler work against the developer?



During the talk, I will address the escalating issue of cheating in online chess, underscored by recent incidents like Hans Niemann's case, highlighting the urgent need for effective solutions to maintain fair play and uphold competitive integrity.

I will present our innovative approach to detecting AI assistance in chess, utilizing advanced neural networks. Our research involves a comprehensive analysis of extensive chess game data, encompassing moves from established engines like Stockfish to cutting-edge neural networks such as Maia, Maia individual and its components.

Key aspects of our methodology include:
• Centipawn Deviations: Evaluating deviations from typical computer strategies to identify moves influenced by AI.
• Human-like Play Recognition: Utilizing Maia's and Maia Individual’s capability to discern human-specific playing styles, enhancing our ability to distinguish genuine human play from computer-assisted moves.
• Move Time Distribution: Analyzing patterns in move time distributions as potential indicators of AI involvement, adding another layer of detection.

Our approach marks a significant advancement in cybersecurity efforts aimed at combating digital deception in gaming. The success of our algorithm, achieving an impressive 98.62% accuracy rate in detecting AI aids, underscores its efficacy in safeguarding gaming integrity.
I will discuss the broader implications of our findings beyond chess, emphasizing the potential applicability of our methodology in addressing cheating across various digital environments. Ethical considerations are integral to our approach, advocating for the establishment of guidelines to ensure fairness and equity in AI utilization.

This talk aims to provide insights into our pioneering methodology, discuss the pivotal role of neural networks in cybersecurity, and explore future directions for enhancing fair play in gaming environments. During the talk I will show the practical use of the model trained by Maia and Maia Individual’s chess engines. I will show the work of our novel neural network for cheating detection in chess.

In today's digital landscape, adversaries have shifted their focus to the cloud, finding it easier to attack and compromise than traditional on-premises systems. This talk explores the asymmetry in cloud security, where attackers find the cloud environment more accessible and easier to exploit, while defenders struggle to keep up. We will delve into the reasons behind this imbalance, including the global accessibility of cloud services, the critical role of identity as the new perimeter, and the low barrier to entry for attackers needing only a single set of credentials. Additionally, we'll discuss the lack of visibility in cloud environments compared to the well-established practices in on-premises setups, and how the diverse configurations and logging systems of various cloud providers add to the complexity. Finally, we will address the unique skill set required for incident response in the cloud and the industry's current readiness. Attendees will gain a comprehensive understanding of these challenges and learn practical strategies to enhance their cloud defense capabilities.

T.B.A.

Self-hosting is the epitome of privacy-friendly behavior and therefore a first-class measure for gaining sovereignty over one's own digital assets. However, taking control of a server's hardware and software is a demanding task, and security considerations in particular pose a major challenge.

In this talk, we will explore how human factors enter into the technical tasks of system administration. To this end, we will get to know the population of self-hosters on a systematic level. We will look at the motivations, operations, and security challenges faced by organizational and private self-hosts. From there, we will learn how these dimensions are connected in non-obvious ways, such as how motivational factors influence the choice of server type and how these in turn affect security outcomes. In addition, we discuss the prevalence of private self-hosting and highlight potentially risky use cases.

Recovering a software application against an arbitrary attack is an intractable problem because of inadequate information available about compromised components of the application. Therefore, to this end, we have developed a methodology and supporting tools that can automatically detect and recover the execution of a cyber-physical system application against known attacks. The methodology can detect and recover the application against cyber, physical, and cyber-physical attacks. However, based on the availability of adequate information about the compromised components, the methodology supports three different recovery strategies, e.g., “full recovery” – recovers the last secure state of the application, “partial recovery” – recovers a specific state of the application and “no recovery” – recovers application by a user-provided action. Specifically, the methodology is based on program verification that allows specifying of various attacks and their recovery strategies in an extended Java Modeling Language. The language also allows for describing the functional behavior of applications that are developed in Java. Finally, we demonstrate our methodology through its application to recover a typical e-commerce application.

This presentation will explore the practical risks associated with granting Large Language Models (LLMs) agency, enabling them to perform actions on behalf of users. We will delve into how attackers can exploit these capabilities in real-world scenarios. Specifically, the focus will be on an emerging use cases: autonomous browser and software engineering agents. The session will cover how LLM agents operate, the risks of indirect prompt injection, and strategies for mitigating these vulnerabilities.

Looking for intel in all the right places is an art that adversaries seem to have mastered; but when it comes to their own data, many companies seem to lose interest in examining anything that's outside the "perimeter" - whatever that is suppossed to be nowadays. Credential leaks, shadow IT, unofficial websites with official info - the list of assets far outside the data centers of companies is long and those assets nevertheless pose risks. Instead of turning a blind eye, it's important (and necessary) to get an understanding of what kind of information is out there, ready to be used or abused and protect accordingly.
What risks are "out there" and what is meant by "out there"? How can those risks be addressed? What tools are easily available?

Gathering information is a valuable tool not only for adversaries, but also for anyone trying to address risks before they become problems. Most companies with more than just a handful of employees sooner or later will find out that not all of their digital assets are behind company firewalls. Any sensitive data that is not controlled by the company itself can become a problem - from leaked credentials to VPN access details being sold on the darknet and other shady places.

Knowing something has leaked won't solve the problem, but will give the opportunity to protect against potential attacks leveraging this intel, and also to examine the reasons why it's somewhere it shouldn't be.

This talk won't go into details of scanning company servers or whatever goes on in internal networks; we will focus solely on all the things adversaries can and will use to craft spear phishing emails, learn company secrets or to find a scenic back route to internal networks.

Hopefully this talk will motivate you to dig deeper into getting to understand the external attack surface of the company you're working for, or help you prepare your next red team engagement. If you're already doing this stuff on a daily basis, there won't be any surprises, but if you never thought about digging into this topic, you'll hopefully learn a ton of new things.

Not looking for risks poses a risk in itself.
After all, how can something be protected if nobody knows about it?

The rise of applications based on AI (mostly generative AI) forces us to think about the security and privacy implications of these systems. We will try to make sense about the attack surface of generative AI applications, what practitioners in the field need to consider in development and operations and how they can derive security measures for these systems.

We will first dive into the range of generative AI applications using examples of the openAI ecosystem. This will give the audience an understanding about the fundamental problem of AI from a security perspective. We then offer an insight into the attack surface that those applications have. This will help understand what needs to be secured and what can be secured. In many cases, good old security best practices will be a good start although AI security brings new challenges that we will discuss. In addition we will talk briefly about privacy issues related to AI that we need to consider in the future.

All the aspects mentioned above will be supported by examples we have prepared. The aim is for the audience to gain an understanding of the issues associated with generative AI applications, and for security practitioners to be able to derive security measures that can be applied in this area.

Firmware, essential to hardware functionality, increasingly becomes a prime target for cyber threat actors due to its foundational control over devices. This presentation delves into a detailed analysis of malware embedded within purported firmware updates for Sabrent devices, a case study revealing widespread exploitation. By leveraging advanced static and dynamic analysis techniques, we uncover the intricate workings of this malware, strategically hidden within seemingly legitimate firmware patches. Through meticulous investigation, including static examination for file headers, hashes, and embedded resources, and dynamic analysis within controlled environments, we decipher the malware's operational stages. This includes its initial execution triggers, subsequent macro-driven deployments, and ultimate persistence mechanisms through registry modifications, all orchestrated to evade detection and ensure prolonged access to compromised systems.

Current phishing detection methods include analyzing URL reputation and patterns, hosting infrastructure, and file signatures. However, these approaches may not always detect phishing pages that mimic the look and feel of previously observed attacks.

This talk explores an approach to detecting similar phishing pages by creating a corpus of visual fingerprints from known malicious sites. By taking screenshots, calculating hash values, and storing metadata, a reference library can be used to compare against newly crawled suspicious URLs. Fuzzy searches and OCR techniques can be combined with other methods to identify similar matches.

For some time now, we have been investigating how we can initiate p2p communication without the need of a Third Party system (server) that would assist in establishing that communication. As it may be already known, systems that initiate p2p communication use a separate server in order to help establish communication by sharing connection details with each other. One example is the well known technique of "NAT traversal" which requires an intermediate (third party) STUN/TURN server [1],[2],[3]. The widespread implementation of the network address translation (NAT) technique in a network based on IPv4 addresses has enforced serious limitations on peer to peer (P2P) communications. All previous attempts to establish an autonomous communication P2P, no matter how much resourceful, have also suffered from major limitations that prevented their implementation in general  [4,5,6]. In 2023 we described a similar technique using IPV4 with UDP packets in order to bypass router limitations and directly establish communications between two parties [7] which we presented at DeepSec 2023 [8].

However, the advent of IPv6 based networks, has eliminated a major obstacle in autonomous P2P communication: The usage of Network Address Translation (NAT) techniques. Nowadays, given the widespread prevalence of IPv6 in the global internet, the only obstacle preventing the end user from interacting directly with the rest of the internet is usually a firewall and not a technical problem. If it wasn’t for that firewall which is usually set on the router level by the ISP, every PC or mobile phone device would be able to act as a server. Revisiting the problem, we now present a technique that uses ICMPv6 error messages to allow direct and autonomous P2P communication, bypassing the inherent limitations of router firewalls.

Unlike a lot of Hollywood productions, Mr. Robot depicts the technical aspects of compromising systems reasonably realistic. One of the hacks depicted sparked a lively discussion at Certitude: If an attacker fully compromises a battery backup system firmware, does the hardware prevent an attacker from blowing up the batteries? Naturally, we needed to find out.

In this talk we dive into the hardware and firmware analysis of an uninterruptible power supply system (UPS) to figure out whether this scenario has any merit. We explore all the steps we took from having a literal black box device to trying to actually blowing up the device. We explore the challenges we faced decoding a firmware using an exotic instruction set, the way we were able to identify the charging regulation mechanisms and how we were ultimately able to modify the firmware to overcharge the battery.

We give a short overview of the theory behind blowing up UPS batteries, particularly how and under which circumstances lead acid batteries may produce explosive gas as well as how a UPS may produce a spark to ignite such gas.

Lastly, we explain our experimental setup as well as the safety precautions we took to try to blow up our UPS. We discuss the results of our experiment and the real-life risks of these kinds of attacks.

ShadowPad is a particularly notorious malware family used in Advanced Persistent Threat (APT) campaigns since 2017. Beginning in 2019, it has been utilized by various groups, and in June 2024, a builder of ShadowPad was disclosed. One of the reasons ShadowPad has garnered so much attention from security researchers is that it is an advanced modular type fileless RAT with a complex structure that is difficult to analyze.
In July 2023, Deed RAT was published by Positive Security as a variant of ShadowPad. Furthermore, Blood Alchemy malware was also discovered as another variant of Deed RAT in April by ICI, with evidence such as unique data structures, malware configurations, loading schemes, and code similarities.
However, important features of both Deed RAT and Blood Alchemy, such as the C2 communication scheme, loading additional modules, and details of backdoor commands, were missing from the past reports. Thus, we conducted further investigation and analysis based on the published research results and deeply disclosed the communication protocols and doubly linked list for managing additional modules, which are quite unique. Additionally, we confirmed more code similarities that were not mentioned in the publicly available information, further establishing the relationships between Deed RAT and Blood Alchemy.
Moreover, we investigated a server that hosted various tools along with Deed RAT between October 2023 and April 2024. Through this investigation, we uncovered another relationship between threat groups involving ShadowPad and Deed RAT, as well as the TTPs of the attack using Deed RAT.
In our talk, we will reveal the inherited relationships between the three malware families, from ShadowPad to Blood Alchemy, based on the code similarities and TTPs that have not been clarified so far. We will also describe further details of Deed RAT and Blood Alchemy's implementation, including our configuration parsers for them, which will be useful for assisting threat researchers and malware analysts.

The presentation features novel research on using different protocols to remotely measure network load and deduce network traffic patterns of a target using ICMP and other widely adopted protocols. The attack allows to distinguish between file upload, file download, video streaming, VoIP, web browsing, etc. depending on network conditions.

This attack works even when done from a different AS.

Microsoft Defender Antivirus (aka Windows Defender) is an antivirus deployed worldwide and used by default on every Windows out-of-the-box. We all use it but who knows exactly how it really works? What is inside this software trusted by a lot of people and companies across the world? This talk is the first one providing such a view about Windows Defender internals, from kernel mode to user-mode, based on extensive reverse engineering research work. With the recent world-wide BSOD of CrowdStrike antivirus, it matters to understand how an antivirus works, what it really monitors, and how some designs are prone to error or security issues. During this talk, we will see that such a highly privileged software is just another Deus Ex Machina, not only for regular malware analysis but also for many security features on Windows.
This talk will start with a deep dive into the kernel mode modules of Windows Defender. The different filters initialized in kernel modes and the different technologies used to get access to real time information on the system will be presented. That will make up the basis to describe the actual architecture of Windows Defender, which is a large software composed of many modules. With this design in mind, it will be the perfect occasion to discuss different approaches when designing an antivirus, especially regarding to CrowdStrike.
Subsequently, we will detail the user-mode service MsMpEng.exe and the main modules constituting it. The goal is to have an overview of the different features proposed by the antivirus, how to interface with them (based on unpublished details), how the antivirus ensures its own security, and the internal details of the initialization of Windows Defender (database retrieval, internal configuration management, update procedure, etc.). Thus, it will be possible to explain how a file is analyzed in memory, how the configuration of Windows Defender works and how the result is considered by the system. In this way, this will be the most complete overview of Windows Defender service as never shown before.
Since Windows Defender is a massive software, we propose to illustrate the talk with an introduction to the new feature called “Smart App Control” (SAC), released within Windows 11, and based on Windows Defender. The RPC interface used by Smart App Control and related to Windows Defender will be presented. This way, anyone can see the different septs in analyzing a file in the context of this new feature, and especially the set of information disclosed to the cloud of Microsoft when a program is about to be executed.
In the end, this journey into the internals of Windows Defender will provide each participant with a clear overview of how antivirus software works, its core characteristics, and what can be observed in the quality of some. A good way to make an educated choice when choosing an antivirus, by understanding how it works, and not just relying on the marketing work of the software vendor.