HackerOne bug hunters have earned over $100 million in bug bounties so far. Some of HackerOne customers include the United States Department of Defense, General Motors, Uber, Twitter, and Yahoo. It clearly shows where the challenges and opportunities are for you in the upcoming years. What you need is a solid technical training by one of the top HackerOne bug hunters.

Modern web applications are complex and it's all about full-stack nowadays. That's why you need to dive into full-stack exploitation if you want to master web attacks and maximize your payouts. Say 'No' to classical web application hacking. Join this unique hands-on training and become a full‑stack exploitation master.

Watch 3 exclusive videos (~1 hour) to feel the taste of this training:
- Exploiting Race Conditions: https://www.youtube.com/watch?v=lLd9Y1r2dhM
- Token Hijacking via PDF File: https://www.youtube.com/watch?v=AWplef1CyQs
- Bypassing Content Security Policy: https://www.youtube.com/watch?v=tTK4SZXB734 

Key Learning Objectives

After completing this training, you will have learned about:

• REST API hacking
• AngularJS-based application hacking 
• DOM-based exploitation 
• Bypassing Content Security Policy 
• Server-side request forgery 
• Browser-dependent exploitation 
• DB truncation attack 
• NoSQL injection 
• Type confusion vulnerability 
• Exploiting race conditions 
• Path-relative stylesheet import vulnerability 
• Reflected file download vulnerability 
• Subdomain takeover 
• XML attacks 
• Deserialization attacks 
• HTTP parameter pollution 
• Bypassing XSS protection 
• Clickjacking attack 
• window.opener tabnabbing attack 
• RCE attacks
• and more…

What Students Will Receive

Students will be handed a VMware image with a specially prepared testing environment to play with all bugs presented in this training (*). When the training is over, students can take the complete lab environment home to hack again at their own pace.

(*) The download link will be sent after signing a non-disclosure agreement and subscribing to Dawid Czagan's newsletter.


Special Bonus

The ticket price includes FREE access to Dawid Czagan's 6 online courses:

• Start Hacking and Making Money Today at HackerOne
• Keep Hacking and Making Money at HackerOne 
• Case Studies of Award-Winning XSS Attacks: Part 1 
• Case Studies of Award-Winning XSS Attacks: Part 2 
• DOUBLE Your Web Hacking Rewards with Fuzzing 
• How Web Hackers Make BIG MONEY: Remote Code Execution

What Students Say About This Training

This training has been very well-received by students around the world. References are attached to Dawid Czagan's LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/ . They can also be found here (https://silesiasecuritylab.com/services/training/#opinions ) - by training participants from companies such as Oracle, Adobe, ESET, ING, …

What Students Should Know

To get the most of this training intermediate knowledge of web application security is needed. Students should be familiar with common web application vulnerabilities and have experience in using a proxy, such as Burp Suite Proxy, or similar, to analyze or modify the traffic.

What Students Should Bring

Students will need a laptop with 64-bit operating system, at least 4 GB RAM (8 GB preferred), 35 GB free hard drive space, administrative access, ability to turn off AV/firewall and VMware Player/Fusion installed (64-bit version). Prior to the training, make sure there are no problems with running 64-bit VMs (BIOS settings changes may be needed). Please also make sure that you have Internet Explorer 11 installed on your machine or bring an up-and-running VM with Internet Explorer 11 (you can get it here: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/ ).

Malicious Office documents have been on the radar for many years now. But do you know how to create and tailor them efficiently to achieve successful read team engagements? This training will first teach you how to analyse MS Office files (both “old” OLE and “new” XML formats) and PDF files, to better understand how to create them and evade detection. MS Office documents that execute code via macros. And we will take a very quick look at PDF too. Didier Stevens will teach you how to use his Python tools to analyse MS Office documents and PDF documents. Then we will move on to the creation of malicious documents, and Didier will teach you how to use his tools for Microsoft Office and PDF creation for offensive security. Several of these tools are private, but you get to keep them when you take this training. Most of the time we will use Excel, because its rows and columns offer a convenient substitute for a graphical user interface. But the techniques work with all applications that fully support VBA (Visual Basic for Applications), like Word, but also non-office applications like AutoCAD.
No prior knowledge of malicious Office documents is required to take this training.
We will use VBA programs and write our own programs that penetration testers need. VBA has an interface to the Windows API. We will learn to use this API to perform pentesting actions from within Office, like a port scan, and also how to use this API to inject and execute shellcode inside the Word/Excel process. And building on this shellcode technique, we will also learn how to package our own DLLs so that they can execute in Word/Excel’s process memory, without touching the disk. This is not a programming class. Knowledge of VBA is not required. Some basic scripting skills like knowledge of for loops and if statements is useful. The basics of VBA will be explained in class, and we will learn to use Didier’s tools and how to modify them to suit the task at hand. No exploits are necessary to achieve this goal, everything can be done with VBA without requiring vulnerabilities. We will learn how to reuse VBA functions and modules from the provided tools to create goal-specific documents (Word, Excel, …).
Over the years, Didier has developed many tools and techniques to “abuse VBA”. Non-exhaustive list of Didier’s tools shared during this class:
• Taskmanager with shellcode injector, process hollowing, parent process selection, .NET injector, …
• Filemanager and container to drop and exfiltrate, modify and encode arbitrary files
• Network tool (ping, port scan, service detection, communication, …)
• Document to perform reconnaissance and exfiltration
• Enumerate installed programs & patches
• Enumerate executables modifiable by the user
• CMD & Regedit running inside Word/Excel process
• Tool to create Excel files on different operating systems, without dependencies with MS Office (Mono required)
• Python tool to create / modify Office OLE and OOXML files, without dependencies with MS Office
• Python tool to hack ZIP containers
• Tool to uncover AV signatures to better evade AV detection
• …

Mobile Device Security and Cellular Networks: Hacking, Malware, and Exploits in 2022 - Mobile devices and cellular networks are critical military and intelligence assets in the Russo-Ukrainian War. This presenter led efforts at DHS and NIST to quantify and document just how exploitable both sides of this system are, and the implications for corporations,
political leadership, militaries, and the “mere civilians" caught in the fray. This deep dive will examine what we know, from rumors to highly publicized events, of attacks that touch on all aspects of this technical landscape. It will review key exploits, and provide live demonstrations of several including geolocation attacks, attacks against cell towers, and remote device bricking.

The training will be offered as Hybrid, and conducted as on-site course with the possibility to join also remotely.

This course teaches you how to analyse Android and iOS apps for security vulnerabilities, by going through the different phases of testing, including dynamic testing, static analysis and reverse engineering. Sven will share his experience and many small tips and tricks to attack mobile apps that he collected throughout their career and bug hunting adventures.

At the beginning of the first day we start by giving an overview of the Android Platform and it’s Security Architecture. It is no longer mandatory for students to bring their own Android device, instead a cloud-based virtualized Android device will be provided for each student, by using Corellium.

These are some of the topics that will be covered during the course:

● Frida crash course to kick-start with dynamic instrumentation on Android apps
● Intercepting network traffic of apps written in mobile app frameworks such as Google’s Flutter
● Identifying and exploiting a real word Deep-link vulnerability
● Explore the differences and effectiveness of Reverse Engineering Android Apps through patching Smali, Xposed and Dynamic Instrumentation with Frida
● Analyze Local Storage of an Android App
● Using Brida to bypass End2End Encryption in an Android app
● Usage of dynamic Instrumentation with Frida to:
○ bypass Frida detection mechanisms
○ bypass multiple root detection mechanisms

On day 2 we are focusing on iOS and will begin with an overview of the iOS Platform and Security Architecture (Hardware Security, Code Signing, Sandbox, Secure Boot, Security Enclave etc.). After explaining what an IPA container is and the iOS file system structure, we start creating an iOS testing environment with Corellium and deep dive into various topics and techniques, including:
● Analyzing iOS applications that use non-HTTP traffic including ways of intercepting the traffic
● Frida crash course to kick-start with dynamic instrumentation for iOS apps
● Bypassing SSL Pinning with SSL Kill Switch and Objection
● Evaluate different implementations of Touch ID / Face ID and ways to bypass them
● Testing methodology with a non-jailbroken device by repackaging an IPA with the Frida Gadget
● Testing stateless authentication mechanisms such as JWT in an iOS Application
● Using Frida for Runtime Instrumentation of iOS Apps to bypass:
○ Anti-Jailbreaking mechanisms
○ Frida detection mechanism
○ and other client-side security controls

The course consists of many different labs developed by us and the course is roughly 50% hands-on and 50% lecture.

At the end of each day a small CTF will be played to investigate an app with the newly learned skills and there will be prizes :-)

After successful completion of this course, students will have a better understanding of how to test for vulnerabilities in mobile apps, how to mitigate them and how to execute tests consistently. The course is based on the OWASP Mobile Security Testing Guide (MSTG) and is conducted by one of the authors himself. The OWASP MSTG is a comprehensive and open source guide about mobile security testing for both iOS and Android.

WHAT DOES "THREAT HUNTING" MEAN?
- Threat Hunting technics on network level
- Threat Hunting on Microsoft Windows Active Directory
- Threat Hunting on Linux Systems / Memory Forensics
- Incident Response process


WHO SHOULD TAKE THIS TRAINING?
- IT-Security Administrators
- IT-Administrators with knowledge of protocols and basic LINUX skills
- Security analysts looking to hone their threat hunting skills
- Junior analysts looking to forward their security career
- Environments needing to quickly identify compromised systems
- IT Security Management and Leadership
- Active Directory / Windows Engineers


AUDIENCE SKILL LEVEL
Students should have a working understanding of IP communications. They should also have a basic understanding of network threat hunting.


STUDENT REQUIREMENTS
- Bring your own Notebook with local admin rights
- Min. 8 GB RAM and 100GB free disk space
- VMWare Player installed
- The ability to connect to the Ubuntu system via SSH


KEY TAKEAWAYS
- Acquiring and analyzing Linux memory
- Understand security risks and defensive mitigations
- Hardening Active Directory
- Identify tools and processes for network threat hunting
- How to set up a threat hunting environment
- Threat score system to prioritize artifacts
- Leveraging network findings to pivot into a forensic analysis

Modern web applications are complex and it’s all about full-stack nowadays. That’s why you need to dive into full-stack exploitation if you want to master web attacks. Say ‘No’ to classical web application hacking, join this unique online training, and take your professional pentesting career to the next level.

I have found security bugs in many companies including Google, Yahoo, Mozilla, Twitter and in this online training I will share my experience with you. You will dive deep into full-stack exploitation of modern web applications and you will learn how to hunt for security bugs effectively.


This online training is composed of

• Almost 5 hours of high-quality video courses with lots of recorded demos (LIFETIME access; the courses are listed below)

• 2 hours of live online training support (you can ask any questions you have about the attacks presented in the video courses and finding security bugs in companies like Google, Yahoo, Mozilla, Twitter)




Almost 5 hours of high-quality video courses with lots of recorded demos


You will get lifetime access to these 5 video courses:


1. Bypassing Content Security Policy in Modern Web Applications
- Introduction
- Bypassing CSP via ajax.googleapis.com <http://ajax.googleapis.com/> (FREE VIDEO <https://www.youtube.com/watch?v=tTK4SZXB734>)
- Bypassing CSP via Flash File
- Bypassing CSP via Polyglot File
- Bypassing CSP via AngularJS

2. Hacking Web Applications via PDFs, Images, and Links
- Introduction
- Token Hijacking via PDF (FREE VIDEO <https://www.youtube.com/watch?v=AWplef1CyQs>)
- XSS via Image
- User Redirection via window.opener Tabnabbing

3. Hacking AngularJS Applications
- Introduction
- AngularJS: Template Injection and $scope Hacking (FREE VIDEO <https://www.youtube.com/watch?v=rQA-aKim18U>)
- AngularJS: Going Beyond the $scope
- AngularJS: Hacking a Static Template
- Summary

4. Exploiting Race Conditions in Web Applications
- Introduction
- Exploiting Race Conditions – Case 1 (FREE VIDEO <https://www.youtube.com/watch?v=lLd9Y1r2dhM>)
- Exploiting Race Conditions – Case 2
- Case Studies of Award-Winning Race Condition Attacks

5. Full-Stack Attacks on Modern Web Applications
- Introduction
- HTTP Parameter Pollution (FREE VIDEO <https://www.youtube.com/watch?v=09ZJPcw_smE>)
- Subdomain Takeover
- Account Takeover via Clickjacking


Lifetime access to these 5 video courses will be granted before participating in the live online training session. More information can be found in the section ”What students will receive”.



2 hours of live online training support

- Is anything not clear after watching the video courses? No worries, I am here to help you! You can ask any questions you have about the attacks presented in the videos.

- Do you want to take your professional pentesting career to the next level and have some questions? No problem, ask me anything you want!

- Are you looking for some advice on how to find security bugs in companies like Google, Yahoo, Mozilla, Twitter (bug bounty programs)? Ask your question and I will do my best to help you.

What students should know

Common web application vulnerabilities

What students will learn

- Become a web hacking expert
- Dive into full-stack exploitation of modern web applications
- Learn how hackers can bypass Content Security Policy (CSP)
- Discover how web applications can be hacked via PDFs, images, and links
- Explore how hackers can steal secrets from AngularJS applications
- Check if your web applications are vulnerable to race condition attacks
- Learn about HTTP parameter pollution, subdomain takeover, and clickjacking
- Discover step by step how all these attacks work in practice (DEMOS)
- Take your professional pentesting career to the next level
- Learn from one of the top hackers at HackerOne

What students will receive

Students will receive lifetime access to almost 5 hours of high-quality video courses with lots of recorded demos (hosted on the 3rd party platform Grinfer; subject to terms of use <https://grinfer.com/terms-of-use> and privacy policy <https://grinfer.com/privacy-policy>). The access link will be sent after subscribing to my newsletter and before participating in the live online training session (during the live online training session, there will be time to ask questions about the attacks presented in the video courses – training support for the video courses).



HackerOne is your big opportunity. This is the platform where you can hack legally and at the same time you can make money. You can hack many different companies like Twitter, Yahoo, Uber, Coinbase, and a lot more. And you can get paid for your findings, for example $100, $1,000, or even $10,000 per one bug. It’s just amazing. All you need is Internet connection and knowledge. Yes – you need knowledge to go from zero to thousands of dollars at HackerOne, and in this online training I’m going to share my knowledge with you.

I’m one of the top hackers at HackerOne and I know quite a lot about hacking and making money that way. In this online training I’ll present many award-winning bugs. The more you play with award-winning-bugs the more knowledge you get and the more knowledge you have, the more money you can make. I’ll also discuss a successful bug hunting strategy that I have been using in the recent years. What’s more, I’ll present a lot of demos, because I want you to see how all these things work in practice.


This online training is composed of

• 6 hours of high-quality video courses with lots of recorded demos (LIFETIME access; the courses are listed below)

• 2 hours of live online training support (you can ask any questions you have about the attacks presented in the video courses and bug hunting at HackerOne)



6 hours of high-quality video courses with lots of recorded demos


You will get lifetime access to these 6 video courses:


1. Start Hacking and Making Money Today at HackerOne
- HackerOne: Your Big Opportunity
- Getting Started with 5 Bugs
- Automatic Leakage of Password Reset Link (FREE VIDEO <https://www.youtube.com/watch?v=e2iEXi7YQVc>)
- How to Get Access to the Account of the Logged Out User
- Insecure Processing of Credit Card Data
- Disclosure of Authentication Cookie
- User Enumeration

2. Keep Hacking and Making Money at HackerOne
- How to Impersonate a User via Insecure Log In (FREE VIDEO <https://www.youtube.com/watch?v=qAawfBPJs7U>)
- Sensitive Information in Metadata
- Disclosure of Credentials
- Insecure Password Change
- Dictionary Attack

3. Case Studies of Award-Winning XSS Attacks: Part 1
- XSS via Image
- XSS via HTTP Response Splitting
- XSS via Cookie (FREE DEMO <https://www.youtube.com/watch?v=ntWOiuKe5ts>)
- XSS via AngularJS Template Injection

4. Case Studies of Award-Winning XSS Attacks: Part 2
- XSS via XML (FREE VIDEO <https://www.youtube.com/watch?v=0D1hd6j5z78>)
- XSS via location.href
- XSS via vbscript:
- From XSS to Remote Code Execution

5. DOUBLE Your Web Hacking Rewards with Fuzzing
- The Basics of Fuzzing
- Fuzzing with Burp Suite Intruder - Overview
- Fuzzing for SQL Injection - Demo (FREE VIDEO <https://www.youtube.com/watch?v=pVIrQtYSA3I>)
- Fuzzing for Path Traversal – Demo
- Fuzzing with Burp Suite Intruder: Tips and Tricks

6. How Web Hackers Make BIG MONEY: Remote Code Execution
- From SQL Injection to Remote Code Execution (FREE VIDEO <https://www.youtube.com/watch?v=YLqpfUXiSRo>)
- From Disclosure of Software Version to Remote Code Execution
- Remote Code Execution via File Upload
- Remote Code Execution via Deserialization


Lifetime access to these 6 video courses will be granted before participating in the live online training session. More information can be found in the section ”What students will receive”.



2 hours of live online training support


- Is anything not clear after watching the video courses? No worries, I am here to help you! You can ask any questions you have about the attacks presented in the videos.

- Do you want to start hacking at HackerOne and have some questions? No problem, ask me anything you want about bug hunting at HackerOne.

- Are you already a bug hunter at HackerOne and need some advice on how to go to he next level? Ask your question and I will do my best to help you.


What students should know

- Basic hacking skills
- Basic knowledge of web application security
- Basic understanding of XSS attacks (cross-site scripting)

What students will learn

- Master web application security testing
- Become a successful bug hunter
- Go from zero to thousands of dollars at HackerOne.
- Double your web hacking rewards with fuzzing
- Learn how hackers earn thousands of dollars per one bug
- Discover how to find these bugs step-by-step in practice (recorded DEMOS)
- Learn from one of the top hackers at HackerOne

What students will receive

Students will receive lifetime access to 6 hours of high-quality video courses with lots of recorded demos (hosted on the 3rd party platform Grinfer; subject to terms of use <https://grinfer.com/terms-of-use> and privacy policy <https://grinfer.com/privacy-policy>). The access link will be sent after subscribing to my newsletter and before participating in the live online training session (during the live online training session, there will be time to ask questions about the attacks presented in the video courses and bug hunting at HackerOne – training support for the video courses).

This course is a 100% hands-on deep dive into the OWASP Security Testing Guide and relevant items of the OWASP Application Security Verification Standard (ASVS), so this course covers and goes beyond the OWASP Top Ten.

Long are the days since desktop apps were written in Delphi. What is common between Microsoft Teams, Skype, Bitwarden, Slack and Discord? All of them are written in Electron: JavaScript on the client.

JavaScript Desktop apps share traditional attack vectors and also introduce new opportunities to threat actors. This course will teach you how to review JavaScript desktop apps, showcasing Node.js and Electron but using techniques that will also work against any other desktop app platform. Ideal for Penetration Testers, Desktop app Developers as well as everybody interested in JavaScript/Node.js/Electron app security.

Get a FREE taste for this training, including access to video recording, slides and vulnerable apps to play with:
1.5 hour workshop - https://7asecurity.com/free-workshop-desktop-apps

All action, no fluff, improve your security analysis workflow and immediately apply these gained skills in your workplace, packed with exercises, extra mile challenges and CTF, self-paced and suitable for all skill levels, with continued education via unlimited email support, lifetime access, step-by-step video recordings and interesting apps to practice, including all future updates for free.

Teaser Video: https://www.youtube.com/watch?v=Qckegc2gbfo

Ready to take your bug hunting to a deeper level? Ever been tasked with reviewing source code for SQL Injection, XSS, Access Control and other security flaws? Does the idea of reviewing code leave you with heartburn? This course introduces a proven methodology and framework for performing a secure code review, as well as addressing common challenges in modern secure code review. Short circuit your development of a custom secure code review process by gleaning from Seth & Ken's past adventures in performing hundreds of code reviews and the lessons we’ve learned along the way. We will share a proven methodology to perform security analysis of any source code repository and suss out security flaws, no matter the size of the code base, or the framework, or the language.

Device-specific co-installers have repeatedly allowed for Windows privilege escalation.
Through Windows' plug'n'play concept, attackers don't need to rely on any preinstalled software on the victim client. All they need is a peripheral device associated with the vulnerable driver – or simpler, a hacking device that simply impersonates such device.

In this talk, I'll report on my responsible-disclosure journey for a DLL hijacking in the Razer Synapse service for gaming devices. The journey starts with me trying to fake a vulnerability and suddenly realizing that the vulnerability is actually real. It continues with a support team that apologized to me for my escalated privileges. You will also learn about a number of fixing attempts and insights about Windows’ access control that helped to circumvent these attempts. The final twist: we recently discovered that the fix we ended up approving can be fooled quite easily. In other words: this story is the sequel to what we have published before.

The main purpose of the presentation is to entertain you by sharing the anecdotes from this interesting journey and demoing the attack. But besides that, admins, developers and researchers will also learn about the security risks that arise from co-installers and placing binaries into directories where they don’t belong to. Finally, I want to motivate researchers to have a closer look into other co-installers. Interesting Windows privilege escalation vulnerabilities seem to wait out there.

Public Description:
A few years ago, a vigilante hacker under the name “Phineas Phisher” conducted a series of high-profile attacks, including hacking into a company that, among others, was developing and selling spyware to government agencies named “Hacking Team”. This was not a result of a random attack but a wellplanned and targeted one. To achieve his goals, the hacker developed a 0-day for the SonicWall VPN appliance. After this attack, the attacker scanned the internet for such devices and found out that an offshore bank in the Cayman Islands was using the same vulnerable version. Beyond this exploit, he reported through his write-ups that he used common hacker utilities like Meterpreter and Empire and that he was not some kind of APT with custom malware writers nor received significant funding and support, but he claims to be a humble ‘one-man army’. The final goal of the bank hack was to access Bottomline’s SWIFT management panel and initiate transactions targeting his own accounts. Then, he uploaded the VMs used by the bank along with all the sensitive clients’ information that was stored in these systems. The scenario is rather intriguing as, despite the impact and sensitivity of the information, it provides a deep insight into an environment in which few people operate. Moreover, such environments are not well publicly documented, and their digital twins are hard to find. We argue that emulating such an attack scenario and adapting it to current tools and methods, offensive and defensive wise, can provide a good baseline to understand the capabilities of both sides and stress the changes that have undergone these years. To this end, in our scenario, we have tried to follow the evolution in defensive and offensive security by rebuilding such an environment, equipping it with modern defence mechanisms. Since most organizations are now integrating endpoint detection and response (EDR) systems to their endpoints to behaviorally detect and throttle cyber-attacks, we have equipped our endpoints accordingly. However, as shown in our previous research, EDRs are no silver bullets and have their weak points as well. In fact, Advanced Persistent Threat (APT) groups have significantly advanced their capabilities. Therefore, having access to several such defensive technologies, they study them and customize their malware accordingly to target them and minimize their detection. Moreover, APTs and ransomware groups are using several C2 frameworks, with the most widely used being Cobalt Strike; however, there are different options that may provide different capabilities and serve fit better in the cyber kill chain. Based on the above, this work can be considered a purple teaming scenario in the financial sector. Practically, we present the blue versus red team fight detailing, where possible, detection and bypass methods, their rationale and gaps, where applicable, mainly through the use of C2 servers. Therefore, we present in each step the attacker’s and defender’s perspectives of the same scenario. This means that we report by what means an EDR would report and/or block and how the attacker would try to prevent this.

GitHub Actions, the recent (from 2018) CI/CD addition to the popular source control system, is becoming an increasingly popular DevOps tool mainly due to its rich marketplace and simple integration.

As part of our research of the GitHub Actions security landscape, we discovered that in writing a perfectly secure GitHub Actions workflow, several pitfalls could cause severe security consequences. For example, many developers would use event input data to improve their workflow process. However, this data could be controlled by an attacker, and potentially compromise the build process. Unless the developers are proficient in the depths of GitHub best-practices documents, these workflows would have mistakes. Such mistakes are costly - and could cause a potential supply-chain risk to the product.

During the talk, we’ll walk you through our journey on how we found and disclosed vulnerable workflows in several popular open-source tools, delved into GitHub Actions architecture to understand the possible consequences of these vulnerabilities, and present what could be the mitigations for such issues.

In a technical world of cyber, crypto and cloud, it is easy to forget that in the end, we are all humans. While social engineering has always been a craft of its own on the attacker side, our efforts as human defenders are scattered between various technical measures and not always very effective awareness training - sometimes even counterproductive ones.

Regardless of cyber specialization, however, some people skills are needed to maximize impact. This goes all the way from building alliances, communication and "selling" your ideas, to building more resilient processes, organizations and software through empathy for both our technical and non-technical colleagues. Heck, we can even apply certain people skills to understand our adversaries better, profile their motivations, and predict their next actions.

Therefore, this talk will explore a variety of techniques freely available to anyone looking to boost their output from efforts to stop cybercriminals.

---
Outline (not for public program):
- The disconnect between cyber and people (with counterproductive outputs)
- Finding root causes by understanding seven flavours of human errors
- Mitigating resistance with empathy
- Seven principles for persuasion (including their abuse by attackers)
- Attacker and defender economy (in human terms)
- Defeating the curse of knowledge to elicit success

Smartphones have become essential devices for carrying out many daily activities, including security-sensitive tasks such as authentication and payments. The security of sensitive data in modern mobile devices rely on hardware-enabled Trusted Execution Environments, amongst which ARM TrustZone is one of the most widely used. Qualcomm Secure Execution Environment (QSEE) is one of the most widespread commercial TEE solutions in the smartphone space, used by many different devices such as Xiaomi, Motorola and several devices of the Google Nexus and Pixel series.

In order to audit the QSEE environment, security researchers have to face different challenges. On the one hand, the software components of QSEE (i.e., trusted operating system and trusted applications) are not open sourced and can be quite complex, which requires a considerable extent of reverse engineering efforts to conduct analysis and to assess their security. On the other hand, to the best of our knowledge there are no publicly available emulators for QSEE Trusted Applications that assist in debugging and auditing their code.

In this talk, we share the knowledge we obtained from a careful reverse engineering examination of different QSEE Trusted Applications and operating systems (QSEE-OS), showing the different versions of QSEE-OS and the differences with regard to how trusted applications are loaded in each of the QSEE-OS versions. Besides, we will present the different tools we have developed throughout our research to assist in the security evaluation of QSEE, including a debugger for QSEE Trusted Applications fully integrated with GDB and Ghidra and a coverage-based fuzzer for QSEE Trusted Applications. Such tools are essential for us to better understand the internals and behaviour of the trusted applications, to find attack surfaces and to identify vulnerable code for further analyzing and fuzzing.

Recovering a software application against an arbitrary attack is an intractable problem because of inadequate information available about compromised components of the application. Therefore, to this end, we have developed a methodology and supporting tools that can automatically detect and recover the execution of a cyber-physical system application against known attacks. The methodology can detect and recover the application against cyber, physical, and cyber-physical attacks. However, based on the availability of adequate information about the compromised components, the methodology supports three different recovery strategies, e.g., “full recovery” – recovers the last secure state of the application, “partial recovery” – recovers a specific state of the application and “no recovery” – recovers application by a user-provided action. Specifically, the methodology is based on program verification that allows specifying of various attacks and their recovery strategies in an extended Java Modeling Language. The language also allows for describing the functional behavior of applications that are developed in Java. Finally, we demonstrate our methodology through its application to recover a typical e-commerce application.

Crisis communication is probably the hardest part of communication to get right - and the most important. Combine this with a successful attempt on a companies network that completely shatters operation and you have all the ingredients for disaster.

But especially in these situations it is imperative to stay calm and remain in contact with the outside world. In this talk we will relay best practices for crisis communication and how they specifically apply to IR situations.

We will show the best and the worst attempts to manage a crisis - and demonstrate, that situations like this can be used to reposition a company and build trust, rather than loosing it.

This presentation, conducted hundreds of times throughout the United States on Wall Street, at various American universities, and throughout the US Defense sector, will go into detail on the evolution of the Iranian cyber program, its current state and most common malware, as well as what geopolitical events and relationships influence Iranian cyber actors. It will also detail why Iran needs to be taken seriously as a digital threat, as they indeed operate at the same level as malicious Russian and Chinese threat actors.

While default deployments on managed platforms are getting safer and safer, the potential attack surface of Kubernetes remains a valuable target given its widespread adoption. But how do you find new or even current attacks against Kubernetes instances? Continuously monitoring and analysing any publicly reachable cluster is one way - another would be to deploy a Honeypot that emulates an open instance, providing unique insights into ongoing and novel attacks. This talk introduces a Kubernetes Honeypot and provides insights and interpretations into collected data and observed actions. Furthermore, it provides some recommendations and best practices for publicly reachable Kubernetes instances to mitigate common attacks.

The talk provides some insight into the observed threat landscape and aims to enrich discussions around common attack scenarios, detections, and mitigations. Providing more data to refine or update threat models for publicly reachable Kubernetes deployments could benefit the ecosystem in the long run. The provided recommendations strive to improve awareness for common misconfigurations, which, combined with real world event data, illustrate the potential dangers.

What does the DNS have in common with an iceberg? Both are hiding invisible dangers! Beneath an iceberg there is... hiding even more ice. However, beneath the DNS there are hiding unexpected vulnerabilities!

If you want to resolve a name via DNS, there are multiple open DNS resolvers all across the Internet. A very commonly used open DNS resolver is Google’s resolver with the IP address 8.8.8.8. However, not every system is using such an open resolver. Hosting providers, ISPs or alike, are often using resolvers that are not directly accessible from the Internet. These are the so called “closed” resolvers.

In my previous research “Forgot password? Taking over user accounts Kaminsky style,” I have unearthed critical vulnerabilities in DNS resolvers of web applications, but I haven’t shared a second thought about the fact that these web applications were most likely using closed resolvers. So, this time I looked at the root of the problem!

In this talk, we’ll take a look at how we can indirectly access these closed resolvers from the Internet. Furthermore, I’ll introduce open-source tools and methods to discover vulnerabilities in them. How we can attack these closed resolvers and potentially compromise thousands of systems, will lastly be shown in a proof-of-concept exploit.

Mobile devices can provide majority of everyday service: like emergency, healthcare, security. Development of mobile devices itself triggered the 5G network deployment. New telecom standard will create new ecosystem with variety of industries and will exceed the limit of telecom communication. New standards, functionality, services, products always arise new cyber threats. Operating Spectrum in 5G Network is divided into 3 categories: Low, Middle and High Bands. Actually, third category, high band, also known as mmWave provides majority benefits of the new standard. This band covers from 6 GHz-100 GHz operating spectrums. Because of the limitation of this frequency range, devices connected to high-band have to be near to the cell-tower. Otherwise, buildings will interrupt the connection. So, when user is connected to mmWave tower, only one tower is enough to determine the location of device, instead of 3 towers, which is usually used in previous standards. By default, mobile devices always scan cell-towers to choose that one with stronger signal. Our study is about, to interrupt scanning operation and make devices to connect only high-band towers, without measuring signal strength. As, towers are always sending their identities, like IDs, locations, we can map all of them. After we steal active tower information from user and determine its location.

During operations, it is not unusual for us to get excited about the target and to prematurely begin before we have adequately prepared. As a result, this can not only spoil an operation but can cause dire life-threatening consequences. This talk goes over why OpSec is so important, failures people often make and how we can greatly improve our operational security during intelligence gathering and operations. While I will cover sock puppets and other techniques in detail, I will also cover physical considerations, habits and other areas where risks can be generated unless the operator is careful and diligent.

We aim to review existing research on protocols, patterns, and generic paradigms that support secure in-vehicle communications. In addition, we present methods, tools, and related open source development platforms for preliminary experimentation. We also examine how to to leverage lightweight cryptography into security solutions, including integrating Crypto ICs (e.g., Zymbit Zymkey, Microchip ATECC series). Finally, we examine interactions between security and traditional quality-of-service characteristics (message efficiency and reliability), and propose interesting open problems related to the design of secure and reliable gateways for automotive solutions and beyond.

The integrated collection of personal health data represents a relevant research topic, which is enhanced further by the development of next generation mobile networks that can be used in order to transport the acquired medical data. The gathering of personal health data has become recently feasible using relevant wearable personal devices. Nevertheless, these devices do not possess sufficient computational power, and do not offer proper local data storage capabilities. This paper presents an integrated personal health metrics data management system, which considers a virtualized symmetric 5G data transportation system. The personal health data is acquired using a client application component, which is normally deployed on the user’s mobile device, regardless it is a smartphone, smartwatch, or another kind of personal mobile device. The collected data is securely transported to the cloud data processing components, using a virtualized 5G infrastructure and homomorphically encrypted data packages. The system has been comprehensively assessed through the consideration of a real-world use case, which is presented.

The work we will present aims to develop a Proof of Concept (PoC) of an attack scenario that uses Artificial Intelligence (i.e., AI) to create a semi-automatic phishing attack. The AI-based PoC used different network types to automatically compose highly targeted phishing emails with information derived from the initial OSINT analysis of the potential victims. The study approaches the problem from a cybercriminal point of view to understand the feasibility of such an attack tactic and prepare for possible defences. Phishing is a popular way to perform social engineering attacks. According to the Verizon 2022 Data Breach Investigations Report, 82% of data breaches involve human elements and belong to several categories, including phishing, the most common. Using AI tools, this study implements a complete attack chain: (i) initial collection of victims' data through OSINT, (ii) generation of phishing email body using a GPT-2 and (iii) creation of the graphic mimicking the real organisation brand identity (i.e., logo and stylistic features) through other models. The paper presents the steps needed to prepare an effective phishing strategy and discusses whether and how AI can automate it. This study helps penetration testers and red teams build targeted phishing simulations more rapidly. The result is discussed in terms of the simulated attack's efficiency.

The aim is to provide red and purple teams with a methodological approach to social engineering attacks by continuing the work started by one of the authors in a previous study. The study objective is to explore the AI's potentialities in a full OpSec attack stack: wearing the attackers' hat and performing a full attack. A semi-automatic attack vector created the phishing email.



Mass production of quantum computers is expected in the near future. Quantum computers can easily break cryptographic schemes that are used in practice. Thus, classical encryption systems became vulnerable to attacks using quantum computers. This includes research efforts to find encryption schemes that are resistant to attacks using quantum computers. digital signatures are an important technology in securing the Internet and other IT infrastructures. A digital signature provides the authenticity, integrity, and identification of data. Digital signatures are used in identification and authentication protocols. So, ტhis secure digital signature algorithm is crucial in terms of IT security.
Today, in practice, digital signature algorithms such as RSA, DSA, ECDSA are used. However, they are not quantum stable as their safety relies on large composite integers, complex factorization and the computation of discrete logarithms.

Open source intelligence is one of the important aspects during cyber security activities. As it relies on the publicly available sources, such as social networks, websites, blogs etc. This includes data mining and gathering techniques, as well as data extraction and data analysis activities. Open source intelligence is widely used in different directions today. Mainly this process runs manually and is fully managed by human. Moving from a manual to automated processes in OSINT is vital especially that we work with real-world operations. Different components must be used to build relevant system to provide automated open source based activities together with training simulations for the ML.
The structure of the ML approach is the following:
Requirements: Information used from previous user experience;
Collection: Web crawlers or / and scrapers;
Processing exploration: Pattern recognition, Detection of the events, Vision of the automated system;
Analysis: Matching the pattern, Visualization process, Data analysis;
Dissemination: Automated responses, Automated Error messages;

The processes will be performed by the machine using automated processes mechanisms.

There is a widespread belief that services that are only bound to localhost are not accessible from the outside world. Developers for convenience sake will run services they are developing configured in a less secure way compared to how they would ( hopefully! ) do in higher environments.
By compromising websites developers use, just injecting JS into adverts served on those sites or just a phishing attack that gets the developer to open a web browser on a compromised page. It is possible to reach out via non pre-flighted http requests to those services bound to localhost, by exploiting common misconfigurations in Spring. Or known vulnerabilities found by myself and others. I'll demonstrate during the talk, it is possible to generate a RCE on the developer's machine. Or other services on their private network.
As developers have write access to codebases, AWS keys, server creds etc. Access to the developer's machine gives an attacker a great deal of scope to pivot to other resources on the network. Modify or just steal the codebase.

Sending malicious emails to employees in order to gauge a perceived security awareness is becoming ever more popular with companies large and small taking part in such Phishing assessment.

Despite their popularity, there is a ton of issues with how we do these things. At best, these issues cause them to be actively useless exercises, at worst, they can end up decreasing your security or even have a significant negative impact on your internal culture and erode trust.

This talk looks at how we mostly do these assessments, the various ways that are wrong about it and even tries to provide a few suggestions on how we, as security professionals, can do well.

Abstract: Exfiltration and command and control are essential parts of the adversary's kill chain. One of the primary goals of a malicious adversary is to exfiltrate data from an environment undetected and uninterrupted.

As a result, several attackers have opted for third-party services typically sanctioned for use in most enterprises. The accepted status of such applications coupled with an established developer ecosystem makes services such as Slack and Telegram suitable for their exfiltration and command and control tool of choice.

We have observed the usage of telegram in different types of malicious activities including but not limited to ransomware, phishing, remote access trojans and stealers. We will discuss active samples found in the wild with a particular emphasis on stealers. Stealers are a class of malware that are primarily interested in gathering information on a host. Recent examples of Telegram in Stealers include Lapsus$ compromise of major enterprises such as Microsoft, Okta, and Nvidia. They are particularly interested in credentials and information related to financial assets(fiat and crypto): E.g
Saved passwords
Cryptocurrency wallets
Credit cards
Files from personal directories
Direct messaging applications sessions (Telegram, WhatsApp, etc.)
OS information
Machine credentials
Geolocation
Screenshots(in some cases live webcam view)

Our discussion will cover the exfiltration and detection evasion techniques on different platforms, including but not limited to Windows, macOS, and Android. In furtherance of the point, we introduce how malware-as-a-service provides easily accessible kits to entry-level and sophisticated malicious actors, thus reducing entry barriers, particularly in the stealer and ransomware community.

In our analysis, we observed a varied level of attacker operational competency. Attackers falter in several stages of the attack process, and we discuss some of their shortcomings and the best practices when it comes to using Telegram.
The techniques we discuss include:
Correlating attacker identity to the real world
- Image Correlation
- Username correlation
Message Interception via
- Updates
- WebHooks

Throughout the talk, we provide several samples that use telegram as an exfiltration vector and had one or no detections in VirusTotal. The absence of detections underscore the essence of building an enterprise that is aware of the shortcomings of vendor security products as well as open source intelligence sources. We also provide detections and common patterns we see associated with samples in the space.

Mobile networks are globally interconnected via private/public networks. Mobile signalization, being the core of the telecoms, is widely used, hence mobile networks are always at risk of exposure to data leaks. Signaling firewalls is the first line of defense, which could prevent known attacks, but are typically inadequate to identify zero-day exploits or sophisticated bypass techniques.

Besides, the threat actors are no longer stagnant and bound to a geographical area. Rather, they are moving around the world leveraging cloud-based deployments using various interconnect points geographically dispersed, making it more arduous to detect new patterns.
Massive exploitation of victim networks by sophisticated bypass techniques has been seen where operators are incapable of correlating the entire frame of the security chain because of limited view. Not knowing if the damage has been done and under the hypothesis that they are protected comes in as a surprise when a high-profile individual becomes the victim of this series of a coordinated unnoticed chain of events.


In this engagement, the research outputs TTP used by an APT performing zero-day exploit via Interconnect signaling that left a significant impact on the operators globally. The critical vulnerability was silently exploited across different high-risk markets with coverage seen in almost every continent. The vulnerability aims to bypass signalling firewalls and security controls to get hold of initial data access like real IMSI for the subscriber, Serving Node address for the network where the subscriber is attached and can potentially perform subsequent attacks like, Call Interception, billing fraud, tracking, surveillance, 2FA bypass.

A responsible vulnerability disclosure for this zero-day exploit was submitted to the GSMA CVD program who assigned a CVD number CVD-2021-0052 and after impact assessment, nature and severity placed the discovery under the “hall of fame” accessible at acknowledgment page.

https://www.gsma.com/security/gsma-mobile-security-research-acknowledgements/

Malware often has behaviors that can be used to identify other variants of the same malware families, typically seen in the code structure, IP addresses and domains contacted, or in certain text strings and variable names within the malware. However, it may be possible to identify malware, or anomalous behavior by analyzing the timing in between network transactions. My presentation will explore this idea using network captures of malicious activity amongst potentially normal network traffic, analyzed quickly with Python. We'll explore this on network data with full visibility into the transactions as well as noisier encrypted traffic, where we'll attempt to identify unusual activity based only on bandwidth.

Encrypting sensitive data at rest has always been a good idea, especially when storing it on small, portable devices like external hard drives or USB flash drives. Because in case of loss or theft of such a storage device, you want to be quite sure that unauthorized access to your confidential data is not possible. Unfortunately, even in 2022, "secure" portable storage devices with 256-bit AES hardware encryption and sometimes also biometric technology are sold that are actually not secure when taking a closer look.

In this presentation, I will talk about how a customer request led to further research resulting in several cryptographically broken "secure" portable storage devices. This research continues the long story of insecure portable storage devices with hardware AES encryption that goes back many years. With this presentation, I want to raise the awareness of security issues and practical attacks against vulnerable "secure" portable USB storage devices, and tell an interesting story.

I couldn’t sleep well until I developed the “Vanquish.” I couldn’t fully enjoy Disneyland until I developed the “Vanquish.” I was always thinking about 2nd and subsequent payloads of malware of my interest. I was always hoping that C2 servers are available until I reached my malware analysis desktop. But the Vanquish changed my life. He tries to collect all the samples that appear in twitter accounts of your interests. He analyzes those samples and tries to get the next stages samples when I am in bed. And I can ask him to analyze malware from your iPhone even while I’m in Disneyland.
The core of the Vanquish is the system which crawls specified twitter accounts every specified minute, parses hashes from the tweet bodies or web sites tweeted, downloads the sample from malware sharing sites, and puts it in a sandbox. The results are posted to the Slack workspace. Also, I can order ad hoc analysis to the Vanquish by specifying hashes.
The Vanquish uses Slack for its I/O interface. Not only does he output results to the Slack workspace, but he also accepts commands from Slack to adjust crawl parameters, start ad hoc query, etc. With this, I don’t need to be in front of my desktop but only need an iPhone to communicate with Vanquish.
The presentation at DeepSec 2022 will introduce the concept of the Vanquish as well as additional features like malware parsing which can be implemented into your in-house research infrastructure.

There are many components and systems that may be targeted in a space system by adversaries including ground station systems and satellites. In this presentation we will discuss ideas for providing cyber resiliency in zero-gravity. Both theoretical and real-world examples of cybersecurity issues concerning satellite systems will be covered. This presentation will step through attack trees for targeting satellite systems. Recommendations best practices for securing satellite systems will be discussed. In addition, new ideas industry is currently developing for improving the cyber resiliency of space systems will be presented

If you are the kind of person who enjoys workshops with practical information that you can immediately apply when you go back to work, this talk is for you, all action, no fluff :)

Attendants will be provided with training portal access to practice some attack vectors, including multiple mobile app attack surface attacks, deeplinks and mobile app data exfiltration with XSS. This includes: Lifetime access to vulnerable apps to practice, guided exercise PDFs and video recording explaining how to solve the exercises.

Get FREE access to the slides, recording and vulnerable apps to practice with:
https://7asecurity.com/free-workshop-mobile-practical

This talk is a comprehensive review of interesting security flaws that we have discovered over the years in many Android and iOS mobile apps: An entirely practical walkthrough that covers anonymized juicy findings from reports that we could not make public, interesting vulnerabilities in open source apps with strong security requirements such as password vaults and privacy browsers, security issues in government-mandated apps with considerable media coverage such as Smart Sheriff, apps that report human right abuse where a security flaw could get somebody killed in the real world, and more.

The talk offers a thorough review of interesting security anti-patterns and how they could be abused, this is very valuable information for those intending to defend or find vulnerabilities in mobile apps.

This talk is for those who are intending to broaden their knowledge of mobile security with actionable information derived from real-world penetration testing of mobile apps.

Please come caffeinated, the audience will be challenged to spot vulnerabilities at any moment :)

Although cybersecurity aims at protecting individuals and organizations from the threats emerging from the massive use of and dependency upon digitalized spaces, the efforts of cybersecurity experts unfortunately not always succeed in doing so. Therefore, integrated cybersecurity strategies of large organizations should minimally include a plan for damage control. Damage control strategies are typically handled by public relations experts and tend to follow classical narrative, combining a mix of both apologizing and reassuring discourses. However, in an age of communication technologies, efficient narrative strategies have to be multi-layered. Indeed, while damage control is typically conceptualized as taking place after the occurrence of a damage causing event, it should also include an anticipatory component, both dealing with communication planning and pre-event communication. Furthermore damage control narrative can not exclusively focus on general public relations discourse, but should also include reflexive components, i.e. narrative elements targeted at organization members themselves in the one hand, and addressing the cybersecurity strategy itself in the other hand. This presentation will explore this specific aspect of damage control specifically addressing communication related to cybersecurity measures and strategies. We will first identify which components of the cybersecurity policy, measures, and training of the organization workforce can be the target of communication. We will then explore how communicating about these aspects can be done within the organization. We will finally discuss how communicating about these elements can be done outside of the organization specific context and network, before and after the occurrence of damaging events, and how such communication may not only contribute to the degree of security of the assets of the organization, but also to its overall reputation and branding.

Every year, numerous big and small incidents in industrial environments, like power plants, factories, or food supply find their way into newspapers. All those affected industries are backed by highly branched and historically grown Operational Technology (OT) networks.
A big portion of such incidents would have been avoidable, if network segmentation was done correctly and patches for user devices (not always possible in OT) were installed.Despite such known problems, that also lead to compromisation of traditional IT networks, a bunch of unknown vulnerabilities are unfortunately also present in OT infrastructure.

OT in modern factories contains of networked (and smart) devices, especially on level 1, also called the control level, of the Purdue model. Devices, like PLCs, industrial router/switches, data diodes, and more cannot be easily tested if they are in use by the factory. Therefore, solutions for classification and monitoring from different vendors are in use to not put the running infrastructure at risk. These non-intrusive ways for getting a picture about the running infrastructure only give a partial overview of the vulnerability landscape of the OT network but cannot detect unknown vulnerabilities. The testing of such expensive devices instead of using them is often not desired due to the price, and spare items must be available, which is the reason why those devices can't be touched too.

For this reason, digital twins - in terms of virtualization - from the devices in the factory should be created for pentesting purposes. These twins can be build with different tools (open source/ closed source) and have been used for identifying 0-days during an ongoing research project. After the creation, the virtual appliances were connected to form a full fletched OT network, to imitate a real industrial environment. Testing these virtual appliances does not harm the real infrastructure, but provides a lot of valuable information about the systems in scope.

This was tested in practice during engagements and has been recreated and edited for a talk which also includes vulnerabilities that were discovered during such a test setup.

How do young professionals stand out in the cybersecurity sector nowadays? This is the question tackled by two cybersecurity consultants from Canada in this presentation.

From the perspective of a more recent addition to the cybersecurity industry, Julian Botham describes how his interest in cybersecurity paved the way for a cybersecurity career and the role that research, analysis, and constant growth contributed to that

With a cybersecurity career spanning over three decades, Darren Jones provides insight in the best ways for young professionals to leave their mark on the work they do. Through his experience, he details the importance of developing team building skills and establishing a niche in a team based on interests and talents.