Speakers (preliminary) - DeepSec IDSC 2024 Europe
AI SecureOps: Attacking & Defending GenAI Applications and Services
Acquire hands-on experience in GenAI and LLM security through CTF-styled training, tailored to real-world attacks and defense scenarios. Dive into protecting both public and private GenAI & LLM solutions, crafting specialized models for distinct security challenges. Excel in red and blue team strategies, create robust LLM defenses, and enforce ethical AI standards across enterprise services. This training covers both "Securing GenAI" as well as "Using GenAI for security" for a well rounded understanding of the complexities involved in AI-driven security landscapes.
Detailed Abstract:
By 2026, Gartner, Inc. predicts that over 80% of enterprises will engage with GenAI models, up from less than 5% in 2023. This rapid adoption presents a new challenge for security professionals. To bring you up to speed, this training provides essential GenAI and LLM security skills through an immersive CTF-styled framework. Delve into sophisticated techniques for mitigating LLM threats, engineering robust defense mechanisms, and operationalizing LLM agents, preparing them to address the complex security challenges posed by the rapid expansion of GenAI technologies. You will be provided with access to a live playground with custom built AI applications replicating real-world attack scenarios.
The course focuses on safeguarding both public GenAI services and proprietary enterprise LLM solutions. You will dive deep into creating specialized models to tackle unique security issues and also to deploy defense strategies across GenAI supply chain, utilizing both open-source and custom tools. This dual approach ensures comprehensive coverage of "securing GenAI technologies" alongside "leveraging GenAI for enhancing security". Mastering these two dimensions is crucial for developing sophisticated defense infrastructures in enterprise environments.
This training will also cover the completely new segment of ethics and trustworthiness in GenAI services. Unlike traditional cybersecurity verticals, these unique challenges such as bias detection, managing risky behaviors, and implementing mechanisms for tracking information are going to be the key challenges for enterprise security teams. The sections will explore complex scenarios related to access rights and data privacy protection, ensuring secure usage of sensitive data in LLM application development(practical labs).
By the end of this training, you will be able to:
- Red-teaming a GenAI application using adversary simulation, LLM top 10 and MITRE Atlas frameworks, and applying AI security and ethical principles in real-world scenarios.
- Execute and defend against adversarial attacks, including prompt injection, data poisoning, model inversion and more.
- Perform advanced AI red-teaming through multi-agent based auto-prompting attacks.
- Build LLM security scanners to protect injections, manipulations & risky behaviors in LLMs.
- Develop and deploy enterprise-grade LLM defenses, including custom guardrails for input/output protection, benchmarking models for security and pen-testing of LLM Agents.
- Implement Retrieval Augmented Generation(RAG) to train custom LLM agents and solve specific security challenges, such as building security operations co-pilot, cloud policy generator, compliance automation and much more.
- Use open-source tooling, HuggingFace, Langchain, OpenAI, NeMo, Ollama, Streamlit and much more to craft your own tools and get up to speed with GenAI development.
- Utilize cloud based GenAI services like AWS Bedrock and Azure OpenAI as the playgrounds for learning and development.
- Utilize base models like LLaMA, GPT4, Claude. Deploy them locally or in the cloud to build Retrieval augmented Training for faster retrieval of information from custom datasets.
- Establish a comprehensive LLM SecOps process(assisted through GenAI), to secure the supply chain against adversarial attacks and perform a comprehensive threat model of enterprise applications.
Why should people attend?
This course is focused on solving enterprise use-cases around securing GenAI applications and services. The content has been developed by speaking with the security leaders of 8 different large-scale enterprises that are actively using GenAI.
The idea is keep the training focused on solving the common use-cases that the security teams will encounter as the businesses start adopting this technology.
Because things are changing rapidly in this space, I am focusing on continued learning and support through the live CTF playground and Slack community to ensure that there is a long term support, learning and collaboration.
At a high level:
- Focused on solving enterprise security challenges by providing the skills to build and deploy comprehensive LLM defenses, including custom guardrails and security scanners, ensuring robust protection for both public and private AI services.
- Covers both the security of GenAI as well as using GenAI for security.
Completely hands-on with lots of labs and post-training support for continued learning.
Top 3 takeaways students will learn
- Participants will gain expertise in identifying and countering advanced adversarial attacks and implementing their countermeasures.
- Skills to build and deploy comprehensive LLM defenses, including custom guardrails and security scanners, ensuring robust protection for both public and private AI services.
- Knowledge in utilizing and deploying cutting-edge AI tools and models for security purposes, including RAG for custom LLM agent training and securing the AI supply chain.
Who Should Take This Course:
- Security professionals seeking to update their skills for the AI era.
- Red & Blue team members.
- AI Developers & Engineers interested in the security aspects of AI and LLM models.
- Product Managers & Founders looking to strenthen their PoVs and models with security best practices.
Student Requirements:
- Security professionals seeking to update their skills for the AI era.
- Familiarity with AI and machine learning concepts is beneficial but not required.
- Ability to run python codes and notebooks.
- Familiarity with common GenAI applications like OpenAI.
What will students be provided with
- One year access to a live interactive playground with various exercises to practice different attack and defense scenarios for GenAI and LLM applications.
- "AI Guardian" Metal coin for CTF players.
- Complete course guide containing 200+ pages in PDF format. It will contain step-by-step guidelines for all the exercises, labs, and a detailed explanation of concepts discussed during the training.
- PDF versions of slides that will be used during the training.
- Access to Slack channel for continued engagement, support and development.
- Access to Github account for accessing custom-built source codes and tools.
- Access to HuggingFace models, datasets and transformers.
Abhinav Singh is an esteemed cybersecurity leader & researcher with over a decade of experience across technology leaders, financial institutions, and as an independent trainer and consultant. Author of "Metasploit Penetration Testing Cookbook" and "Instant Wireshark Starter," his contributions span patents, open-source tools, and numerous publications. Recognized on security portals and digital platforms, Abhinav is a sought-after speaker & trainer at international conferences like Black Hat, RSA, DEFCON, BruCon and many more, where he shares his deep industry insights and innovative approaches in cybersecurity. He also leads multiple AI security groups at CSA, responsible for coming up with cutting-edge whitepapers and industry reports around safety and security of GenAI.
Attacking and Defending Private 5G Cores (closed)
5G core networks, with their promise of tailored connectivity and enhanced capabilities, have
become increasingly popular across industries from diverse sectors ranging from manufacturing, healthcare and smart cities to defense networks. With the integration of mission-critical systems and sensitive data transmission, organizations face an urgent need to fortify their 5G core networks against evolving cyber threats.
One of the critical challenges here lies in the shortage of expertise and the requisite skillset to
effectively secure 5G networks. This gap manifests in various stages, from the initial deployment phase to ongoing testing and adaptation. The need for specialized knowledge in mobile network attacks, secure deployment practices, and testing methodologies becomes apparent and our training is your key to mastering the art of safeguarding 5G networks.
This training program is not just about theory; it's a journey through practical application and real- world scenarios. Get ready to immerse yourself in hands-on exercises, simulations, and practical demonstrations that mirror the challenges faced by 5G security professionals. The training will cover a wide range of topics, including 5G network architecture, threat modeling, risk assessment, defense-in-depth strategies and 5G security features and their role in protecting the modern day virtualized core networks against potential attacks.
Through practical exercises and case studies, hackathon experiences, participants will learn about new ways to attack core networks by exploiting device and network authentication issues, vulnerabilities in network slicing, by deploying rogue network functions, container breakouts, and invesitgate the potential for data interception and manipulation. This hands-on experience is achieved entirely in an ethically controlled test environment with security testing tools and techniques, including reconnaissance, penetration testing and vulnerability scanning. The training will also cover advanced topics such as fuzzing the service based and Telecom APIs.
By the end of this training, participants will be equipped with the technical expertise to design, implement, and maintain secure 5G core networks. They will have the confidence to tackle the security challenges posed by 5G technology and ensure the availability, integrity and confidentiality of their networks.
2. Course overview
Detailed plan
Module 1: Understanding 5G Architecture and Security Foundations
Overview of 5G architecture and Network IDs
Security requirements for UE, AMF, SEAF, UDM by 3GPP
Exploring SUCI, 5G-AKA, EAP-AKA, NAS, and AS crypto
Understanding 3GPP 33.501 standards and NIST guidelines
Securing backhaul, interconnect SEPP, private 5G, and MEC
Authentication, Authorization, and Cryptography for Network Functions
Module 2: Comprehensive Threat Modeling and Risk Assessment
Identifying security challenges and risks in the 5G core
Using MITRE FiGHT framework for attack tactics and techniques
Analyzing new attack patterns for 5G sliced networks (MEC, NFV)
Strategies for 5G core and RAN assessments with 5G EU toolbox
Ensuring security compliance and assurance with 3GPP SCAS/SECAM
Conducting audits using Network Equipment Security Assurance (NESAS)
Module 3: In-Depth 5G System Vulnerability Analysis
Evaluating 5G System and network attacks
Understanding stages of core exploitation and entry points
Examining attacks on User-to-network and network-to-network interfaces
Assessing reconnaissance, exploitation, and persistence strategies
Identifying rogue network functions, APIs, and spoofed slices
Uncovering threats like protocol tunneling and MEC exploitation
Exploring supply chain security for network function containers
Module 4: 5G Security Pentesting Techniques
Overview of tools and techniques for pentesting 5G interfaces and endpoints
Probing network functions over HTTP/2
Fuzzing 3GPP core interfaces NGAP (N1/N2) and core service-based APIs
Conducting core network intrusion (via N1/N2, SEPP) and container breakouts
Securing IoT service platform application security (Northbound APIs)
Module 5: Hands-On Exercises: Simulations and Assessments
Simulating an end-to-end 5G multi-slice network
Network reconnaissance and intrusion into an on-site 5G core network testbed
Vulnerability scanning for 5G core
Executing inter-slice compromise attacks via NRF/AMF/SEAF/UDM
Insider data theft on UPF/UDR
Auditing 5G AMF using SECAM 33.512
Investigating PFCP exposure, DoS, and hijacking
Module 6: Defense-in-Depth Strategies
Establishing network function (container) access and monitoring rules
Implementing network border firewall rules for MNO interconnect
Utilizing 5G network analytics and log monitoring (NWAF)
Ensuring secure communication proxy for 5G core
Enhancing NEF/SCEF security via Telecom API Top 10
Incorporating supply chain security testing and monitoring
Module 7: Case Studies
Security assessment of 5G core network protocols
Intrusion scenarios to 5G core via commercial exposure function (NEF/SCEF)
Examining 5G private core configurations and security settings
Overall, this advanced 5G practical security training will provide attendees with a comprehensive understanding of the security risks and vulnerabilities associated with 5G networks, as well as the knowledge and tools to implement effective security measures to protect their networks and data.
3. Takeaways
Technical expertise in 5G core security and protocols: Gain an in-depth understanding of 5G
core network security and protocols, which will enable them to perform effective penetration testing on 5G networks. They will be able to identify and exploit vulnerabilities in 5G core networks, and devise strategies to secure these networks against potential attacks.
Practical skills in using 5G pentesting tools and techniques: Learn how to use the latest 5G
pentesting tools and techniques to perform vulnerability assessments, penetration testing, and exploit development on 5G networks. They will also learn how to evaluate and select the most appropriate tools and techniques for specific testing scenarios.
Awareness of 5G security challenges and best practices: Exposure to the latest 5G security
challenges and best practices, including network slicing security, network function virtualization security, and secure communication between 5G core network entities. They will gain an understanding of how these challenges can be mitigated using best practices, and be able to apply these practices in their own organizations to ensure the security of their 5G networks.
4. Students are provided with
- Pentesting tools custom-made for recon, core intrusion, & PFCP testing
- Access to 5G virtual lab that models a multitude of threats inside a sliced core network
- 5G Network traffic monitoring and analysis tools for core and devices
- Case studies and real-world example like exploits for IoT service platforms, API traffic
- Virtual machine files packaged with all test, and evaluation tools
5. Who should attend:
This course is ideal for wireless and mobile network security architects, telecom engineers,
security researchers/practitioners, and students (advanced graduate students), or anyone interested in understanding: 5G security aspects, and new security improvements, and how they contribute to build secure next-generation networks.
6. Pre-requisite knowledge for students
A basic understanding of at least either wireless communications or security is
recommended for participation in this course. Furthermore, knowledge of basic concepts of telecom technologies like 2/3/4/5G systems, clouds, micro services, and APIs is desirable. Good knowledge and usage of Wireshark and one or more programming/scripting languages is also highly recommended.
7. Hardware / software requirements for students
A laptop with linux OS (preferably latest Ubuntu), USB3 support and support for running
Virtual machines and dockers.
8. Format:
In-person / Virtual
9. Duration
2-day training
Note: This training program ensures a legal and compliant environment by explicitly excluding the use of cellular RF equipment and refraining from transmitting in licensed frequencies. Participants engage in a secure and simulated learning experience that adheres to regulatory guidelines and ethical standards.
Dr. Altaf Shaik is a senior researcher at the Technische Universität Berlin in Germany, and conducts advanced research in telecommunications esp. in 6G security architecture, openRAN, and 5G radio access and core network security. He holds more than 11 years of experience in Telecom security and combines a professional background in embedded programming, wireless communications, and offensive network security. Dr. Shaik spent his career as a security engineer and expert at various leading telecommunication companies including Gemalto (currently Thales), Deutsche Telekom (Germany), and Huawei Technologies (Sweden). His PhD research assisted in improving the 3GPP 4G security standards and also exposed several vulnerabilities in commercial mobile networks affecting millions of base stations, networks, and handsets worldwide. His post-doctoral research exposed vulnerable API designs in latest 5G networks and slicing vulnerabilities in the 5G security specifications leading to serious attacks. Dr. Shaik is a frequent speaker at various prestigious international security conferences such as Blackhat USA & Europe, T2, SECT, Nullcon, Hardware.io and HITB, and many others. His accomplishments landed him in the hall of fame of organizations like Google, Qualcomm, Huawei, and GSMA. He is also the founder of Kaitiaki labs and FastIoT that trains internationally various companies and governmental organizations in exploit development and also building secure mobile and IoT networks including their testing and security assessment.
Black Belt Pentesting / Bug Hunting Millionaire (100% Hands-On, Live Online Training, 2-3 Dec.)
Have you ever thought of hacking web applications for fun and profit? How about playing with authentic, award-winning security bugs identified in some of the greatest companies? If that sounds interesting, join this unique 100% hands-on training!
I will discuss security bugs found in a number of bug bounty programs (including Google, Yahoo, Mozilla, Twitter and others). You will learn how bug hunters think and how to hunt for security bugs effectively.
To be successful in bug hunting, you need to go beyond automated scanners. If you are not afraid of going into detail and diving into full-stack exploitation, then this 100% hands-on training is for you. There is a lab exercise for each attack presented in this training + students can take the complete lab environment home after the training session.
Watch 3 exclusive videos (~1 hour) to feel the taste of this training:
- Exploiting Race Conditions: https://www.youtube.com/watch?v=lLd9Y1r2dhM
- Token Hijacking via PDF File: https://www.youtube.com/watch?v=AWplef1CyQs
- Bypassing Content Security Policy: https://www.youtube.com/watch?v=tTK4SZXB734
Key Learning Objectives
After completing this training, you will have learned about:
- REST API hacking
- AngularJS-based application hacking
- DOM-based exploitation
- bypassing Content Security Policy
- server-side request forgery
- browser-dependent exploitation
- DB truncation attack
- NoSQL injection
- type confusion vulnerability
- exploiting race conditions
- path-relative stylesheet import vulnerability
- reflected file download vulnerability
- hacking with wrappers
- subdomain takeover
- remote cookie tampering
- non-standard XSS attacks
- hijacking tokens via PDF
- XML attacks
- deserialization attacks
- HTTP parameter pollution
- bypassing XSS protection
- hacking with polyglot
- clickjacking attack
- window.opener tabnabbing attack
- RCE attacks
- and more…
What Students Will Receive
Students will be handed in a VMware image with a specially prepared testing environment to play with all bugs presented in this training (*). When the training is over, students can take the complete lab environment home to hack again at their own pace.
(*) The download link will be sent after signing a non-disclosure agreement and subscribing to Dawid Czagan's newsletter.
Special Bonus
The ticket price includes FREE access to Dawid Czagan's 6 online courses:
- Start Hacking and Making Money Today at HackerOne
- Keep Hacking and Making Money at HackerOne
- Case Studies of Award-Winning XSS Attacks: Part 1
- Case Studies of Award-Winning XSS Attacks: Part 2
- DOUBLE Your Web Hacking Rewards with Fuzzing
- How Web Hackers Make BIG MONEY: Remote Code Execution
What Students Say About This Training
This training has been very well-received by students around the world. References are attached to Dawid Czagan's LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/). They can also be found here: https://silesiasecuritylab.com/services/training/#opinions - training participants from companies such as Oracle, Adobe, ESET, ING, …
What Students Should Know
To get the most of this training intermediate knowledge of web application security is needed. Students should be familiar with common web application vulnerabilities and have experience in using a proxy, such as Burp Suite Proxy, or similar, to analyze or modify the traffic.
What Students Should Bring
Students will need a laptop with 64-bit operating system, at least 8 GB RAM, 35 GB free hard drive space, administrative access, ability to turn off AV/firewall and VMware Player/Fusion installed (64-bit version). Prior to the training, make sure there are no problems with running x86_64 VMs. Please also make sure that you have Internet Explorer 11 installed on your machine or bring an up-and-running VM with Internet Explorer 11.
Dawid Czagan is an internationally recognized security researcher and trainer. He is listed among top hackers at HackerOne. Dawid Czagan has found security bugs in Apple, Google, Mozilla, Microsoft and many others. Due to the severity of many bugs, he received numerous awards for his findings.
Dawid Czagan shares his offensive security experience in his hands-on trainings. He delivered trainings at key industry conferences such as Hack In The Box (Amsterdam), CanSecWest (Vancouver), 44CON (London), Hack In Paris (Paris), NorthSec (Montreal), HITB GSEC (Singapore), BruCON (Ghent) and for many corporate clients. His students include security specialists from Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips and government sector (references are attached to Dawid Czagan's LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/). They can also be found here: https://silesiasecuritylab.com/services/training/#opinions.
Dawid Czagan is the founder and CEO at Silesia Security Lab. To find out about the latest in his work, you are invited to subscribe to his newsletter (https://silesiasecuritylab.com/newsletter) and follow him on Twitter (@dawidczagan) and LinkedIn (https://www.linkedin.com/in/dawid-czagan-85ba3666/).
Full-Stack Pentesting Laboratory: 100% Hands-On + Lifetime LAB Access
Modern IT systems are complex and it’s all about full-stack nowadays. To become a pentesting expert, you need to dive into full-stack exploitation and gain a lot of practical skills. That’s why I created the Full-Stack Pentesting Laboratory.
For each attack, vulnerability and technique presented in this training there is a lab exercise to help you master full-stack pentesting step by step. What’s more, when the training is over, you can take the complete lab environment home to hack again at your own pace.
I found security bugs in many companies including Google, Yahoo, Mozilla, Twitter and in this training I’ll share my experience with you. The content of this training has been carefully selected to cover the topics most frequently requested by professional penetration testers.
Key Learning Objectives
After completing this training, you will have learned about:
- Hacking cloud applications
- API hacking tips & tricks
- Data exfiltration techniques
- OSINT asset discovery tools
- Tricky user impersonation
- Bypassing protection mechanisms
- CLI hacking scripts
- Interesting XSS attacks
- Server-side template injection
- Hacking with Google & GitHub search engines
- Automated SQL injection detection and exploitation
- File read & file upload attacks
- Password cracking in a smart way
- Hacking Git repos
- XML attacks
- NoSQL injection
- HTTP parameter pollution
- Web cache deception attack
- Hacking with wrappers
- Finding metadata with sensitive information
- Hijacking NTLM hashes
- Automated detection of JavaScript libraries with known vulnerabilities
- Extracting passwords
- Hacking Electron applications
- Establishing reverse shell connections
- RCE attacks
- XSS polyglot
- and more …
What Students Will Receive
Students will be handed a VMware image with a specially prepared lab environment to play with all attacks, vulnerabilities and techniques presented in this training (*). When the training is over, students can take the complete lab environment home to hack again at their own pace.
(*) The download link will be sent after signing a non-disclosure agreement and subscribing to my newsletter.
Special Bonus
The ticket price includes FREE access to my 6 online courses:
- Fuzzing with Burp Suite Intruder
- Exploiting Race Conditions with OWASP ZAP
- Case Studies of Award-Winning XSS Attacks: Part 1
- Case Studies of Award-Winning XSS Attacks: Part 2
- How Hackers Find SQL Injections in Minutes with Sqlmap
- Web Application Security Testing with Google Hacking
What Students Say About My Trainings
References are attached to my LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/). They can also be found here: https://silesiasecuritylab.com/services/training/#opinions – training participants from companies such as Oracle, Adobe, ESET, ING, …
What Students Should Know
To get the most of this training intermediate knowledge of pentesting and web application security is needed. Students should have experience in using a proxy, such as Burp Suite Proxy, or similar, to analyze or modify the traffic.
What Students Should Bring
Students will need a laptop with 64-bit operating system, at least 8 GB RAM, 35 GB free hard drive space, administrative access, ability to turn off AV/firewall and VMware Player/Fusion installed (64-bit version). Prior to the training, make sure there are no problems with running x86_64 VMs.
Dawid Czagan is an internationally recognized security researcher and trainer. He is listed among top hackers at HackerOne. Dawid Czagan has found security bugs in Apple, Google, Mozilla, Microsoft and many others. Due to the severity of many bugs, he received numerous awards for his findings.
Dawid Czagan shares his offensive security experience in his hands-on trainings. He delivered trainings at key industry conferences such as Hack In The Box (Amsterdam), CanSecWest (Vancouver), 44CON (London), Hack In Paris (Paris), NorthSec (Montreal), HITB GSEC (Singapore), BruCON (Ghent) and for many corporate clients. His students include security specialists from Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips and government sector (references are attached to Dawid Czagan's LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/). They can also be found here: https://silesiasecuritylab.com/services/training/#opinions.
Dawid Czagan is the founder and CEO at Silesia Security Lab. To find out about the latest in his work, you are invited to subscribe to his newsletter (https://silesiasecuritylab.com/newsletter) and follow him on Twitter (@dawidczagan) and LinkedIn (https://www.linkedin.com/in/dawid-czagan-85ba3666/).
Hacking Modern Web & Desktop Apps: Master the Future of Attack Vectors (closed)
This course is the culmination of years of experience gained via practical penetration testing of Modern Web and Desktop applications as well as countless hours spent doing research. We have structured this course around the OWASP Security Testing Guide. It covers the OWASP Top Ten and specific attack vectors against Modern Web and Desktop apps. This course provides participants with actionable skills that can be applied immediately from day 1.
Please note our courses are 100% hands-on. We do not lecture students with boring bullet points and theories, instead we give you practical challenges and help you solve them, teaching you how to troubleshoot common issues and get the most out of this training. The training then continues after the course through our frequently updated training portal, for which you keep lifetime access, as well as unlimited email support.
Each day starts with a brief introduction to the Modern platform (i.e. Node.js, Electron) for that day and then continues with a look at static analysis, moves on to dynamic checks, finishing off with a nice CTF session to test the skills gained.
Day 1: Focused specifically on Hacking Modern Web Apps: We start with understanding Modern Web Apps and then deep dive into static and dynamic analysis of the applications at hand. This day is packed with hands-on exercises and CTF-style challenges.
Day 2: Focused on Hacking JavaScript Desktop Apps: We start with understanding JavaScript Desktop apps and various security considerations. We then focus on static and dynamic analysis of the applications at hand. The day is filled with hands-on exercises ending with a CTF for more practical fun.
# Training Outline #
## Course Objectives ##
This course will take any student and make sure that:
- The general level of proficiency is much higher than when they came
- The skills acquired can be immediately applied to modern Web and Desktop app security assessments
- Skills can be sharpened via continued education in our training portal for free
- The student is equipped to defeat common Web and Desktop app assessment challenges
- Everybody will learn a lot in this training.
- Advanced students will come out with enhanced skills and more efficient workflows
- The skills gained are highly practical and applicable to real-world assessments
## Attendees will be provided with ##
- Lifetime access to training portal, with all course materials
- Unlimited access to future updates and step-by-step video recordings
- Unlimited email support, if you need help while you practice at home later
- Interesting vulnerable apps to practice
- Digital copies of all training material
- Custom Build Lab VMs
- Purpose Build Vulnerable Test apps
- Source code for test apps
- A USB pendrive with materials
## Topics Included ##
1. Review of Common Flaws in Source Code and at Runtime
2. Desktop App Modification of Behavior Through Code/Configuration Changes
3. Web & Desktop - Interception of Network Communication and MitM-proxy techniques to find security flaws in these platforms
4. Platform-specific attack vectors against Modern Web apps & mitigation
5. Platform-specific attack vectors against JavaScript Desktop apps & mitigation
6. CTF Challenges for attendants to test their skills
## Why should you take this course? ##
This is more than a physical attendance course: You get the physical course but also lifetime access to a training portal with step-by-step video recordings, slides and lab exercises, including all future updates for free.
Students can take the course at their own pace and the training portal access ensures topics can be reviewed on an ad-hoc basis as required by the student online after the course.
This training has been built from real issues seen in real applications, not fabricated vulnerabilities that you will never see in practice.
The goal is to start from the basics and ensure that each student comes out of the training with a significantly higher level of proficiency in the artistry of pentesting.
Students will be taught ways to identify the attack surface of Modern Web and Desktop apps, exploit interesting vulnerabilities and means to fix them. The course walks students through the process of performing security audits of Modern apps. The training also covers effective identification, exploitation and mitigation of common vulnerability patterns against these platforms.
As the course has been written and carefully created by professional penetration testers, after many years of experience, many practical tips will be shared to leverage automation and make penetration testing more efficient as soon as the student goes back to their workplace.
## Top three takeaways ##
- Learn how to find Modern Web and Desktop App vulnerabilities due to common misconfigurations and typical mistakes in framework setups
- Identify and exploit Modern Web and Desktop App security vulnerabilities as efficiently as possible
- Improve your Modern Application Security Testing process leveraging a number of open source tools, as well as lots of tips and tricks shared by the instructors after years of Modern Web and Desktop App penetration testing.
## Upon Completion of this training, attendees will know ##
Completing this training ensures attendees will be competent and able to:
- Review and tamper network communications to exploit security vulnerabilities
- Bypass certificate and public key pinning protections on Desktop apps
- Bypass inadequate Modern Web and Desktop App defences
- Analyze Modern Web and Desktop Apps from a blackbox perspective
- Review Modern Web and Desktop App source code to identify security flaws
- Perform Modern Web and Desktop App security reviews
## Course Content (ToC) ##
### Day 1: Hacking Modern Web apps by Example ###
Part 0 - Modern Web App Security Crash Course
- The state of Modern Web App Security
- Modern Web App architecture
- Introduction to Modern Web App apps
- Modern Web App apps the filesystem
- JavaScript prototypes
- Recommended lab setup tips
Part 1 – Static Analysis, Modern Web App frameworks and Tools
- Modern Web App frameworks and their components
- Finding vulnerabilities in Modern Web App dependencies
- Common misconfigurations / flaws in Modern Web App applications and frameworks
- Tools and techniques to find security flaws in Modern Web App apps
Part 2 - Finding and fixing Modern Web App vulnerabilities
- Identification of the attack surface of Modern Web App apps and general information
gathering
- Identification of common vulnerability patterns in Modern Web App apps:
+ CSRF
+ XSS
+ Access control flaws
+ NOSQL Injection, MongoDB attacks
+ SQL Injection
+ RCE
+ Crypto
- Monitoring data: Logs, Insecure file storage, etc.
Part 3 - Test Your Skills
- CTF time
### Day 2: Hacking JavaScript Desktop apps by Example ###
Part 0 - JavaScript Desktop App Security Crash Course
- The state of JavaScript Desktop App Security
- JavaScript app security architecture and its components
- JavaScript Desktop apps and the filesystem
- Recommended lab setup tips
Part 1 - Static Analysis and Tools
- Tools and techniques to reverse and review JavaScript apps
- Finding vulnerabilities in JavaScript app dependencies
- Identification of the attack surface of JavaScript apps & information gathering
- Static modification of JavaScript apps for analysis and debugging
- Identification of common vulnerability patterns in JavaScript apps:
+ Common misconfigurations
+ Hardcoded secrets
+ Logic bugs
+ Access control flaws
+ URL handlers
+ XSS, Injection attacks and more
- Modifying Modern apps to alter behavior and debug issues
Part 2 - Dynamic Analysis
- Monitoring data: caching, logs, app files, insecure file storage, unsafe storage of app secrets, etc.
- Crypto flaws
- The art of MitM: Intercepting Network Communications
- Defeating certificate pinning at runtime
- The art of Instrumentation: Introduction to Frida
- App behavior monitoring at runtime
- Modifying app behavior at runtime
Part 3 - Test your Skills
- CTF time
# Prerequisite of Training Class #
## Hardware & Software: Attendees should bring ##
A laptop with the following specifications:
- Ability to connect to wireless and wired networks.
- Ability to read PDF files
- Administrative rights: USB allowed, the ability to deactivate AV, firewall, install tools, etc.
- Knowledge of the BIOS password, in case VT is disabled.
- Minimum 8GB of RAM (recommended: 16GB+)
- 60GB+ of free disk space (to copy a lab VM and other goodies)
- VirtualBox 6.0 or greater, including the “VirtualBox Extension Pack”
## Student / Prerequisites for attendees ##
This course has no prerequisites as it is designed to accommodate students with different skills:
- Advanced students will enjoy comprehensive labs, extra miles and CTF challenges
- Less experienced students complete what they can during the class, and can continue at their own pace from home using the training portal.
This said, the more you learn about the following ahead of the course, the more you will get out of the course:
- Linux command line basics
- Basic knowledge of Node.js, Electron or JavaScript is not required, but would help.
# Who should attend #
Any Web or Desktop App developer, penetration tester or person interested in Modern Web and Desktop apps, Node.js, Electron o rJavaScript security will benefit from attending this training regardless of the initial skill level:
This course is for beginners, intermediate and advanced level students. While beginners are introduced to the nuances of Modern Web and Desktop App security from scratch, intermediate and advanced level learners get to perfect both their knowledge and skills on the subject. Extra mile challenges are available in every module to help more advanced students polish their skills.
The course is crafted in a way that regardless of your skill level you will significantly improve your Modern App security auditing skills:
If you are new and cannot complete the labs during the class, that is OK, as you keep training portal access, you will learn a lot in the class but can continue from home with the training portal.
If you are more advanced you can try to complete the labs in full and then take the CTF challenges we have for each day, you will likely also attempt to complete some exercises from home later :)
# What to expect #
Lifetime access to training portal (including all future updates), unlimited email support, access to private groups to communicate with other students, access to interesting apps from various countries.
A fully practical class that will seriously improve your Modern Web and Desktop App security knowledge and skills, regardless of the skill level you come in with.
Battle-tested tips and tricks that take your abilities to the next level and that you can apply as soon as you go back to your workplace, making security testing of Modern Web and Desktop apps as efficient as possible.
Intensive hands-on exercises that challenge you to deep dive into the world of Modern App security.
# What not to expect #
This is more than a physical attendance course: You get the physical course but also lifetime access to a training portal with step-by-step video recordings, slides and lab exercises, including all future updates for free.
The course does not cover: 0-days, Windows/Linux/Mac OS exploits, x86 exploit writing, writing buffer or heap overflows.
Do not expect the teachers to be talking through slides most of the time: This class is practical not theoretical, the teachers don’t bore you with slides all the time, instead you do exercises and the teachers help you solve the challenges you face as you complete them.
After 15 years in ITsec and 22 in IT Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Security Trainer at Blackhat USA, HITB, OWASP Global AppSec and many other events. OWASP OWTF project leader, an OWASP flagship project (owtf.org), Major degree and Diploma in Computer Science, some certs: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+. As a shell scripting fan trained by unix dinosaurs, Abraham wears a proud manly beard. He writes on Twitter as @7asecurity @7a_ @owtfp or https://7asecurity.com/blog. Multiple presentations, pentest reports and recordings can be found at https://7asecurity.com/publications
“Look What You Made Me Do”: The Psychology behind Social Engineering & Human Intelligence Operations
Social Engineering and Human Intelligence (HUMINT) operations both rely heavily on effectively navigating a person’s mind in order to steer their behavior. As simple as this sounds, “quick and dirty” influence tactics will not take an operator very far. Behavior engineering is a complex, multilayered process that requires a good understanding of human psychology and self-awareness.
In this intensive masterclass, participants will get access to the underlying psychology responsible for the way people think, decide, and act. They will also learn to influence and reshape all three of these layers. What are people’s automatic triggers? How can you engineer predictable action-reaction responses that produce an desirable outcome? How do you cultivate a target into taking specific actions or divulging information? But also, what are the ethical boundaries and moral implications of this process?
The class will revolve around two main pillars:
Understanding humans.
Some of the areas we will cover include:
- Human needs (universal, individual)
- Decision making
- Perception engineering and re-framing
- The person and the situation
- Profiling (online & in-person)
Engaging effectively with human targets:
- Developing the right mindset
- Reading body language
- Using body language to connect, establish trust or communicate authority
- Planning the approach
- Building rapport & engineering trust
- Enhanced influence tactics
- Elicitation
- …and more!
This class is a rare opportunity to gather insights that are almost never been taught in open classes. We will work these concepts around the scenarios of social engineering, covert HUMINT and virtual HUMINT.
Christina Lekati is a psychologist and a social engineer. With her background and degree in psychology, she learned the mechanisms of behavior, motivation, and decision-making, as well as manipulation and deceit. She became particularly interested in human dynamics, passionate about social engineering and in extent, open-source intelligence. She is currently working with Cyber Risk GmbH as a senior social engineering trainer and consultant. She is also conducting targeted Open Source Intelligence (OSINT) vulnerability assessments to help organizations or high-value individuals identify and manage risks related to human or physical vulnerabilities. Christina is the main developer of the social engineering programs provided by Cyber Risk GmbH. These programs are intertwining the lessons learned from real-life cases and previous experiences in the fields of cybersecurity, open-source intelligence, psychology, and counterintelligence. She was an active Executive Board Member at the OSINT Curious project, contributing to the international scene of Open-Source Intelligence (OSINT) with the latest news, updates, and techniques for collection and analysis.
Software Reverse Engineering Training Course for Beginners (closed)
The training course is designed for attendees with little to no knowledge of reverse engineering, but who are capable of writing simple programs in a programming language of their choice and also wish to learn reverse engineering of compiled applications.
The course spans a total of 2 days, during which low-level computing and the basics of architectures are explained. The primary target architectures of this course are Intel x86 and AMD x64, where we cover the fundamentals of computing and assembly language. Throughout the course, we will explore how to create basic programs in both C and assembly, and then explore the process of reverse engineering using disassembler, decompiler and debugger on Windows.
Each day of the course emphasises hands-on labs, allowing participants to apply their newly acquired knowledge in practical exercises. Theory alone quickly fades, so our main objective is to help you acquire useful, long-term knowledge by putting it into practice.
Every challenge builds upon the previous one to ensure continuous learning and the overcoming of new obstacles. This approach allows knowledge to be built up reliably and quickly, without wasting time, which is one of the main objectives of this training. The labs are fun and entertaining, providing a great reward for those who can solve them.
The training employs state-of-the-art tools and techniques that mirror those utilised in real-world situations. Any knowledge acquired during the training can be readily applied to real-life objectives following the course.
Balazs Bucsay is the founder & CEO of Mantra Information Security that offers a variety of consultancy services in the field of IT Security. With decades of offensive security experience he is focusing his time mainly on research in various fields including Red Teaming, Reverse Engineering, embedded devices, firmware emulation, CI/CD and cloud. He gave multiple talks around the globe (Singapore, London, Melbourne, Honolulu) on different advanced topics and released several tools and papers about the latest techniques. He has multiple certifications (OSCE, OSCP, OSWP) related to penetration testing, exploit writing and other low-level topics and degrees in Mathematics and Computer Science. Balazs thinks that sharing knowledge is one of the most important things, so he always shares it with his peers. Because of his passion for technology he starts the second shift right after work to do some research to find new vulnerabilities.
The Mobile Playbook: Dissecting iOS and Android Apps (Available as hybrid - in Person or online)
This two-day hands-on course teaches penetration testers and developers how to analyse Android and iOS applications for security vulnerabilities by going through the different phases of testing, including dynamic testing, static analysis and reverse engineering, using the OWASP Mobile Application Security Testing Guide (MASTG). The OWASP MASTG is a comprehensive and open source guide to mobile security testing for both iOS and Android, providing a methodology and very detailed technical test cases to ensure completeness and using the latest attack techniques against mobile applications. This course will give you hands-on experience with open source tools and advanced methodologies by guiding you through real-world scenarios. This course is delivered by one of the main authors of the MASTG.
## Description
We'll start the first day with an introduction into the OWASP MASTG and Mobile AppSec Verification Standard (MASVS) and dive afterwards into the Android platform and its security architecture.
> It is no longer mandatory for students to bring their own Android or iOS device, instead cloud-based virtualised devices will be provided to each student using Corellium.
Topics include:
- Reverse engineering a Kotlin app and identifying and exploiting a real-world deep link vulnerability through manual source code review.
- Frida crash course to get started with dynamic instrumentation on Android apps
- Intercepting network traffic from applications written in mobile application frameworks such as Google's Flutter
- Bypass different implementations of SSL pinning using Frida
- Explore the differences and effectiveness of reverse engineering Android apps using Smali patching and Dynamic Instrumentation with Frida
- Analyse the local storage of an Android application
- Use dynamic instrumentation with Frida to
- Bypass multiple root detection mechanisms
- Bypass Frida detection mechanisms
Day 2 focuses on iOS, starting with an overview of the iOS platform and security architecture and we will begin to create an iOS test environment using Corellium and dive into several topics, including:
- Statically scanning Swift source code, identifying vulnerabilities and eliminating false positives.
- Intercepting network traffic and examining stateless authentication (JWT) in a mobile application
- A Frida crash course to get started with dynamic instrumentation for iOS applications
- Analysing data stored in the iOS application sandbox
- Demonstration on how to test watchOS apps and it's limitations
- Testing methodology with a non-jailbroken device by repackaging an IPA with the Frida gadget
- Using Frida to bypass runtime instrumentation of iOS applications
- Anti-Jailbreaking Mechanisms
- Frida's detection mechanism
At the end of each day there will be a Capture-the-Flag (CTF) to test two apps using the newly learned skills and you can win a prize!
Whether you are a beginner who wants to learn mobile app testing from the ground up, or an experienced professional who wants to improve your existing skills to perform more advanced attack techniques, or just for fun, this training will help you achieve your goals.
The course consists of many different labs developed by the instructor and is approximately 65% hands-on and 35% lecture.
Upon successful completion of this course, students will have a better understanding of how to test for vulnerabilities in mobile applications, how to suggest the right mitigation techniques to developers, and how to perform tests consistently.
### What students will receive
- Slide decks for the iOS and Android training and all videos for all demonstrations shared in class.
- All vulnerable apps used during the training, either as APK or IPA.
- Detailed write-ups for all labs so you can do them at your own pace after the course.
- Dedicated Slack channel used to help students prepare before the course, communicate during the course and stay in touch after the course for any questions.
- Certificate of completion.
### Prerequisites
The following prerequisites need to be fulfilled by the student in order to be able to follow all exercises and fully participate:
- Laptop (Windows/Linux/macOS) with at least 16 GB Ram and 50GB of free disk space
- Full administrative access, in case of any issues with the laptop environment (e.g. being able to deactivate VPN)
- Virtualization software (e.g. VMware, VirtualBox, UTM); a Virtual Machine will be provided (either X86 or ARM for M1/M2/M3 macBooks) with all tools needed for the training.
An iOS and Android device is NOT needed, as an emulated instance will be provided for each student that is hosted in Corellium. This is a cloud-based environment that allows each student access to a jailbroken iOS device and rooted Android device during the training.
Sven, an application and cloud security expert living in Austria, is the co-founder of Bai7 Consulting together with his wife Bettina. With extensive experience in the delivery of numerous offensive security engagements, he also provides support and guidance on software development projects for mobile and web applications throughout the SDLC.
Since 2016, Sven has been a project leader and co-author of the OWASP Mobile AppSec Testing Guide (MASTG) and OWASP Mobile AppSec Verification Standard (MASVS).He has conducted talks and workshops globally since 2017, engaging with diverse audiences, including developers, penetration testers, and students.
Web Hacking Expert: Full-Stack Exploitation Mastery [Video Training, Lifetime Access]
Trailer: https://drive.google.com/file/d/1K7nLy6a9n9DP_-Fj6iSdpP5Yib7C8-nV/view
Modern web applications are complex and it’s all about full-stack nowadays. That’s why you need to dive into full-stack exploitation if you want to master web attacks. Say ‘No’ to classical web application hacking, join this unique video training, and take your professional pentesting career to the next level.
Dawid Czagan has found security bugs in many companies including Google, Yahoo, Mozilla, Twitter and in this video training he will share his experience with you. You will dive deep into full-stack exploitation of modern web applications and you will learn how to hunt for security bugs effectively.
Almost 5 hours of high-quality video courses with lots of recorded demos
You will get lifetime access to these 5 video courses:
1. Bypassing Content Security Policy in Modern Web Applications
- Introduction
- Bypassing CSP via ajax.googleapis.com (FREE VIDEO)
- Bypassing CSP via Flash File
- Bypassing CSP via Polyglot File
- Bypassing CSP via AngularJS
2. Hacking Web Applications via PDFs, Images, and Links
- Introduction
- Token Hijacking via PDF (FREE VIDEO)
- XSS via Image
- User Redirection via window.opener Tabnabbing
3. Hacking AngularJS Applications
- Introduction
- AngularJS: Template Injection and $scope Hacking (FREE VIDEO)
- AngularJS: Going Beyond the $scope
- AngularJS: Hacking a Static Template
- Summary
4. Exploiting Race Conditions in Web Applications
- Introduction
- Exploiting Race Conditions – Case 1 (FREE VIDEO)
- Exploiting Race Conditions – Case 2
- Case Studies of Award-Winning Race Condition Attacks
5. Full-Stack Attacks on Modern Web Applications
- Introduction
- HTTP Parameter Pollution (FREE VIDEO)
- Subdomain Takeover
- Account Takeover via Clickjacking
What students should know
- Common web application vulnerabilities
What students will learn
- Become a web hacking expert
- Dive into full-stack exploitation of modern web applications
- Learn how hackers can bypass Content Security Policy (CSP)
- Discover how web applications can be hacked via PDFs, images, and links
- Explore how hackers can steal secrets from AngularJS applications
- Check if your web applications are vulnerable to race condition attacks
- Learn about HTTP parameter pollution, subdomain takeover, and clickjacking
- Discover step by step how all these attacks work in practice (DEMOS)
- Take your professional pentesting career to the next level
- Learn from one of the top hackers at HackerOne
What students will receive
Students will receive lifetime access to almost 5 hours of high-quality video courses with lots of recorded demos (hosted on the 3rd party platform Grinfer; subject to terms of use and privacy policy). The access link will be sent after subscribing to Dawid's newsletter.
What students say about Dawid's trainings
References are attached to Dawid's LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/). They can also be found here: https://silesiasecuritylab.com/services/training/#opinions - training participants from companies such as Oracle, Adobe, ESET, ING, …
Dawid Czagan is an internationally recognized security researcher and trainer. He is listed among top hackers at HackerOne. Dawid Czagan has found security bugs in Apple, Google, Mozilla, Microsoft and many others. Due to the severity of many bugs, he received numerous awards for his findings.
Dawid Czagan shares his offensive security experience in his hands-on trainings. He delivered trainings at key industry conferences such as Hack In The Box (Amsterdam), CanSecWest (Vancouver), 44CON (London), Hack In Paris (Paris), NorthSec (Montreal), HITB GSEC (Singapore), BruCON (Ghent) and for many corporate clients. His students include security specialists from Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips and government sector (references are attached to Dawid Czagan's LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/). They can also be found here: https://silesiasecuritylab.com/services/training/#opinions.
Dawid Czagan is the founder and CEO at Silesia Security Lab. To find out about the latest in his work, you are invited to subscribe to his newsletter (https://silesiasecuritylab.com/newsletter) and follow him on Twitter (@dawidczagan) and LinkedIn (https://www.linkedin.com/in/dawid-czagan-85ba3666/).
The Mind Bomb
International Political Commentator Randahl Fink presents the latest frontier of the modern security war: attacking the minds of millions. For 8 decades, the atomic bomb has been the ultimate weapon. In 1945, the US showed its horrific power by killing 200,000 Japanese citizens, thereby forcing the Empire of Japan to surrender and ending World War II. Historically, no other weapon has had more influence on the balance of power — but this is about to change. For there is a new weapon which allows malicious actors to destabilise entire countries without killing a single human being. And when the new digital bomb drops, empires will fall.
In this presentation, Randahl Fink will discuss the security risks of the increased decoupling of human interaction from the physical world, and explore how direct and indirect abuse of social media and their content curation algorithms can affect the minds of millions and potentially be leveraged for hacking democracy itself.
Using examples of X, Threads and Mastodon, Randahl Fink will illustrate the dangers of viewing the world through an algorithmic lens, and discuss potential adversaries, their motives, and potential attack vectors, including disinformation, moderation exploitation, dislike attacks and more. Finally, the presentation takes a critical look at our political reality — are our politicians prepared for this new weapon? And what can we as individuals do to become more resilient and to counter the mind bomb?
Randahl Fink is an international political commentator. He has written more than a hundred pieces for Ekstra Bladet and appeared on many radio shows before launching this YouTube channel in 2023.
Hacking with Physics v2.0
The industry is going crazy with electronics and some major technological standards. Especially some things like IoT, ICS, SCADA, IoTMT and automotive. Being a 500Bn$ industry there could be some major issues when we try to understand the criticality behind the devices.
But, we tend to ignore the key components like Sensors, actuators, ADCs and Band pass filters. Since, they are being ignored and only things like serial debuggers, firmware, mcus and eprom chips ignore the idea that even the slightest of the ignorance in them can lead to havoc.
For example: OT and SCADA systems have a major impact on the industry, where the criticality and impact is very high.
In this paper, we are going to discuss some critical attacks which can be done on an IoT system with targeting sensor based systems and analog devices.
Hrishikesh Somchatwar
Meet an esteemed cybersecurity expert and distinguished speaker who has graced prestigious stages such as c0c0n, Bsides Delhi 2019, Bsides Ahmedabad 2021, and HackFest Canada 2021, DefCamp Romania 2019 & 2023 and SCSA Georgia 2024, SecurityFest Sweden 2024. Their insights have found a profound resonance with diverse audiences, cementing their status as a revered authority in the cybersecurity realm. Beyond this, the luminary author penned the acclaimed “Hacking the Physical World,” capturing readers’ attention on Amazon’s bestseller lists. Venturing further into the intricate tapestry of technology and human narratives, they host the “StorytellingHacker” podcast. Here, they unravel the captivating intersection of storytelling and electronics hacking, sharing compelling tales and insights that bridge the gap between technology and human experiences.
GenAI and Cybercrime: Separating Fact from Fiction
Are we standing at the brink of an AI Armageddon? With the rise of Generative AI (GenAI), cybercriminals allegedly now use unprecedented AI tools, flooding the digital world with sophisticated, unblockable threats. This talk aims to dissect the hype and uncover the reality behind the use of GenAI in cybercrime.
We will explore the growing use of deepfakes in scams, exemplified by a million dollar fake BEC video conference call. From son-in-trouble scams to KYC bypass schemes, deepfakes are becoming versatile tools for cybercriminals and a nightmare for defenders. Turning to phishing attacks, we’ll discuss how GenAI personalizes and automates social engineering, significantly increasing the volume of attacks. However, they still require an account to send from and some payload. Having the ultimate phishing text does not mean you are not blocked. We'll also showcase how GenAI can generate basic malware, similar to malware toolkits, and explore advanced threats like polymorphic/metamorphic malware that dynamically adapts in real time. By clarifying the differences between AI-generated, AI-aided, and AI-powered threats, we reveal that while GenAI facilitates threat distribution, true AI-powered malware is still rare. While GenAI scales and speeds up attacks, it does not fundamentally create completely new threat patterns, allowing behavior based and anomaly detections to remain effective against them. We will discuss additional threat concepts such as the self-replicating indirect prompt injection worm Morris II, which exploits filtering weaknesses in Retrieval Augmented Generation (RAG) systems and AI apps. In conclusion, we will draw the balance between current AI-powered threats and the defender, and highlight future research areas, such as finding and exploiting zero-day vulnerabilities and supply chain attacks against GenAI by targeting Pickles and Python.
Join us to learn the difference between the hype and the real impact of AI in cybercrime, and understand what this means for the future of cybersecurity.
Candid Wuest is an experienced cybersecurity expert with a strong blend of technical skills and over 25 years of passion in the field of security. He currently works as an independent security advisor for various companies and the Swiss government. Previously, he was the VP of Cyber Protection Research at Acronis, where he led the creation of the security department and the development of their EDR product. Before that, he spent more than sixteen years building Symantec's global security response team as the tech lead, analyzing malware and threats – from NetSky to Stuxnet. Wuest has published a book and various whitepapers and has been featured as a security expert in top-tier media outlets. He is a frequent speaker at security-related conferences, including RSAC and BlackHat, and organizer of AREA41 and BSidesZurich. He learned coding and the English language on a Commodore 64. He holds a Master of Computer Science from ETH Zurich and has various patents and useless certifications.
AI Code Security: A Challenge to be Solved by... AI
Short Abstract:
AI-powered code generators are an innovative and sophisticated technology that boosts productivity and efficiency. However, it is not new that these sophisticated tools are still evolving and often fail to adhere to security best practices, leading to vulnerabilities, inadequate error handling, and insufficient testing in the generated code. As developers increasingly adopt AI technologies to streamline their workflows, the risk of blindly trusting these tools and inadvertently incorporating security flaws escalates.
In this talk, we will explore the security implications of using AI-powered code generators, highlighting real-world examples where these tools have compromised application security. We'll examine the persistent challenges vendors face in addressing these vulnerabilities and where they stand today. Finally, I will present an easy-to-implement solution we researched and found to solve this issue, that comprehensively identifies and decreases the amount of security issues and potential vulnerabilities in code provided by AI-powered code generators.
We’ll give you a small hint: it’s AI.
Long Abstract:
As Artificial Intelligence and Machine Learning continue to evolve at a breakneck pace, security issues are quick to join the party. In this era filled with daily emerging and sophisticated threats, it is crucial for security professionals to stay ahead of these developments to safeguard systems effectively.
This presentation will explore the broad implications of AI on cybersecurity, detailing various novel threats and vulnerabilities that have surfaced. I will particularly focus on application security within the shift-left approach in the development lifecycle when integrating with AI-powered code-generation tools.
We'll explore specific security concerns arising from AI-powered code generators increasingly used by developers and highlight the impact of blindly trusting them and integrating them into code, by presenting cases where they introduce vulnerabilities to code we developed.
We’ll speak about the challenges that code generator vendors are facing with solving this issue that reflect where they stand today.
At the end I will unveil an interesting approach to solve this complex challenge comprehensively.
Talk Structure and Highlights
Introduction to AI and Security (7 minutes)
Overview of AI and ML advancements
Emergence of security challenges
Impact of AI on Cybersecurity
Exploration of security issues and vulnerabilities introduced by AI (15 minutes)
Case studies of AI-powered code generators introducing security issues
Challenges for Code Generator Vendors
The current state of vendor solutions (3 minutes)
Challenges vendors face in addressing security concerns
Our Solution (10 minutes)
Unveiling our approach to solving these challenges
Detailed walkthrough of research phases
Actionable insights for implementation
Questions (5 minutes)
Background Information
Developers are increasingly using AI-powered code generators to speed up their workflow. However, these tools often introduce vulnerabilities, posing significant risks. Our research focused on finding a solution that is both developer-friendly and comprehensive in addressing all security issues.
Main Takeaways
For Developers: Understanding the impact of writing insecure code and how AI tools can introduce vulnerabilities.
For Security Practitioners: Gaining insights into the security implications of integrating AI-powered code generators and learning how to mitigate these risks effectively.
Audience
This talk is designed for both developers and security practitioners at a beginners level. Developers are often frustrated with the added burden of security, as they aim to develop code quickly and efficiently. Code generator AI tools solve this problem but also can introduce vulnerabilities into the code. Providing a comprehensive security solution for this problem is still a challenge. Our approach balances developer convenience with thorough security coverage.
Developers will see the impact of writing insecure code and security practitioners will learn about the implications of integrating AI-powered code generator tools and how to address these challenges quickly and effectively.
Join us as we provide a deep dive into these critical issues, equipping you with the knowledge to improve your security posture in the fast-evolving landscape of AI and ML.
Ofri Ouzan is a security researcher and speaker in the cybersecurity field, currently working in the JFrog security research team. She specializes in conducting security research with a focus on vulnerabilities and exploitation. She excels in developing solutions for security issues and creating open-source and automation tools to address them.
Among her notable achievements, Ofri presented a Python open-source tool she developed at two different Black Hat events. Additionally, she delivered talks at OWASP Washington D.C. and DeepSec Vienna.
Ofri is passionate about exploring new technologies and is dedicated to finding innovative solutions to security challenges within them.
Why NIS2 Implementation often Fails in Industrial Areas
Why do most projects preparing for NIS2 fail in practice? Many affected companies complain about the requirements of EU Directive 2022/2555, which are too unspecific and technically difficult to implement. Excessive demands are spreading. Companies affected are uncertain because of the evaluation of the actual implementation, unlike ISO security certification (e.g. ISO27001/ISO62443). The results are often unsatisfactory despite the sometimes-massive investment in costs and personnel resources. An Excel spreadsheet or a Visio drawing itself does nothing to change the resilience of KRITIS or industrial facilities against cyber-attacks in practice. We focus on industrial customers and their OT infrastructure, using anonymized, real-world examples to show the challenges in practice and offer examples of solutions to prevent repeating past mistakes. The first steps do not have to cost a lot of money or tie up a huge amount of human resources. A little creativity and knowledge of your own processes are often enough to overcome the biggest hurdles and increase the level of protection enormously.
Michael Walser is a member of the Management Board and the CTO of the Munich-based industrial security company sematicon AG. In this role, he handles the company's technical strategy and advises customers on the secure implementation of digital transformation in the industrial sector. He is a recognized expert for OT cyber security in industry and KRITIS environments. After graduating in electrical engineering, he worked for many years as a consultant and advisor on successful IT security projects with a focus on cryptography worldwide and handled their implementation.
sematicon AG is a Munich-based company that specializes in industrial security and embedded cryptography. We support you in successfully and securely mastering digital transformation. With a focus on industry and electrical engineering, we offer specialized security solutions that we have developed based on industry requirements. For example, industry experts consider our "Zero Trust" solution for secure and isolated remote access to industrial plants and systems an innovation. We also support and advise you in the planning and implementation of your OT security concepts. We thus offer comprehensive security services for the industrial and electronics sectors from a single source.
Beyond Flesh, Beyond Code: LLM based attack lifecycle with self-guided agent
Large Language Models (LLMs) are rapidly evolving, and their capabilities are attracting the attention of threat actors. This presentation explores how malicious actors are utilizing LLMs to enhance their cyber operations, and showcasing available tools based on LLM, as well as an advanced stealer managed by AI.
Cyber Security is a very dynamic field, but there are still a few basic things that haven’t changed for a while, one of them is the attack lifecycle. A full attack lifecycle can be enchased using LLM – and threat actors already use it. There are risks and potential usage in the future. LLM-based tools can play a significant role in various stages of the cyber attack lifecycle.
In this talk I will show how threat actors weaponizing LLM based chats, as well as LLM based chats that were built specifically for threat actors and hackers and how these operate, including smart LLM obfuscation of malware to avoid AV detection. Finally, I will present an undetected - fully LLM operated C2 and Stealer POC.
Mark Vaitzman is a Security and Threat Research Team Leader at Deep Instinct, a leader in deep learning cybersecurity company. He is a passionate cybersecurity expert with extensive experience in leading security research teams, analyzing emerging threats, incident response and developing innovative solutions. Mark is also a lecturer of Cyber Security courses, sharing his knowledge and shaping the next generation of cybersecurity professionals. In his free time he likes sailing in the sea and riding a motorcycle.
RAT Builders - How to Catch Them All
Cybercriminals now have unprecedented ease in creating their own remote access trojans (RATs), thanks to a plethora of open-source or leaked builders. One can generate a new binary with just a click of a button. We meticulously examine different builders, such as AgentTesla, DCRat, Nanocore, and others, to extract Indicators of Compromise. These indicators serve as valuable instruments for targeted hunting to detect infections within our networks. Building up on my research from last year, “N-IOC’s to rule them all”, we will analyze the binaries the same way, but this time with a focus on open-source builders for RATs.
Initially, we scrutinize the distribution channels of different Trojans, pinpointing where individual builders are accessible for download. These sources range from GitHub, hosted as open-source projects, to other online platforms (such as VX-Underground). Subsequently, we delve into a detailed examination of each Trojan, investigating the diverse infection sources, the locations of persistences, the methods employed for establishing connections with the C2 server, and the array of functionalities embedded within the RATs (with the help of the open-sourced or leaked builder).
This focused analysis of individual Trojans equips us with the capability to identify precise Indicators of Compromise (IOCs) essential for monitoring or conducting targeted hunting within our networks, learning more about the various RATs, and how to fight against them.
Stephan Berger has been involved in IT security for more than a decade, currently working for over three years at the Swiss security firm InfoGuard, where he oversees the Incident Response Team. He is an active presence on Twitter with the handle @malmoeb, holds a Bachelor's degree in Computer Science and a Master's degree in Engineering, and possesses multiple SANS certifications along with the OSCP credential.
Memory Safety in Programming Languages
Memory safety is a key property of all code (applications and infrastructure). Recently, the NSA has expressed some concerns regarding this issue. The presentation will give you some insights into the memory safety features of C++ and how they relate to other programming languages. The C++ standardisation committee is working on memory safety and other security features for a long time. Modern C++ differs greatly from any C++ techniques used before 2015. The presentation will put a few loose ends into perspective, will show how code can be improved by adopting the secure coding mindset, and what developers need to know about security features of programming languages.
René Pfeiffer was born in the year of Atari's founding and the release of the game Pong. Since his early youth he started taking things apart to see how they work. He couldn't even pass construction sites without looking for electrical wires that might seem interesting. The interest in computing began when his grandfather bought him a 4-bit microcontroller with 256 byte RAM and a 4096 byte operating system, forcing him to learn Texas Instruments TMS 1600 assembler before any other programming language.
René is a senior systems administrator, a lecturer at the University of Applied Sciences Technikum Wien , and a senior security consultant.
AI’s New Era: Impacts on Health Data Security and Beyond
It has become easier to create AI systems due to the availability of numerous options and datasets. These AIs can quickly gain expert knowledge in different domains, enabling attackers to exploit scientific knowledge and target system and data security, which was not feasible before. Although recent studies have highlighted these impacts, a tangible example has been missing. For instance, attackers can use AI's expert knowledge in the healthcare sector to perform complex attacks without needing domain expertise.
Earlier this year, Google launched Health Connect [1], an Android app designed to seamlessly share data between medical and fitness apps, set to replace Google Fit. While Health Connect is robust against conventional cyberattacks, it is susceptible to these emerging threats.
In this talk, we’ll demonstrate an example of these threats by explaining a malicious app we developed. The app gathers data from Health Connect and sends it to a medical AI, which then crafts fake data tailored to the victims' medical conditions. This allows us to steer other apps' output into suggesting incorrect treatments and recommendations without the user noticing. We’ll show how such manipulation could alter diet control, family planning, and diabetes management apps, leading to serious medical issues for the victims.
We’ll conclude with mitigation strategies for developers and technology companies on building AI-resistant technologies and apps.
[1] https://health.google/health-connect-android/
Sina Yazdanmehr is a senior information security consultant and researcher. Since 2009, he has worked for different security firms and CERT, developing a strong expertise in cloud, application, and telecom security. He has presented his research at conferences like Black Hat. Recently, his expertise extended to healthcare cybersecurity, discovering structural issues that will be presented at this conference.
Lucian Ciobotaru is a cybersecurity expert with a background in healthcare. After transitioning from medical school to cybersecurity, he developed deep expertise in identifying and addressing security issues in the healthcare sector. Lucian's recent work focuses on leveraging his medical knowledge to enhance the security of healthcare and digital health systems.
Reversing Windows RPC in Enterprise Software for Fun and CVEs
This talk will walk the audience through the dissection of Windows RPC usage in the enterprise software ManageEngine ADAudit Plus, which will unravel two CVEs and crack a CTF-like encryption/decryption process.
Hacker, pentester, IT security consultant and co-founder of Shelltrail.
20 years in the IT industry and 6 years with 100% security focus.
Loves PDF-generators and Rubics cubes. Hates gRPC and obfuscated JavaScript.
SAP Cyber Security 101 (Part 1)
In many companies, we find that CISOs and security officers do not have any (in-depth) knowledge of SAP. This is why the topic of SAP security often gets underestimated. Anyone interested in gaining insight into the important basics of SAP technologies can benefit from this highly compact crash course on SAP security. The session will give you an overview about security threats and ways to counter them. It is a sneak preview for a complete SAP security training.
Andreas is an experienced SAP security researcher. He discovered a substantial number of zero-days in SAP software and supported development of a market leading ABAP SCA tool. He has spoken at multiple security conferences such as Black Hat, DeepSec, HITB, IT Defense, RSA and Troopers. He currently focuses his research on SAP malware.
Executive Breach Simulation Toolkits
As cyberattacks multiply and become more sophisticated, executive breach simulation toolkits have become essential. Enabling organizations to simulate, predict, and assess the impact of potential security breaches from an executive perspective is necessary to know how to keep organizations safe.
Unfortunately, simulations are broken. Simply put, they don't properly prepare leaders and security practitioners for security breaches. This talk will look at the evolving landscape of breach simulation toolkits designed for security practitioners, focusing on their role in enhancing cybersecurity strategies, incident preparedness, and organizational resilience. We will see how simulations can be engaging, while remaining instructive and preparing people for actual cyber events.
We'll discuss how these toolkits work, why they’re essential for making smarter business decisions around cybersecurity, and how they help align leadership with technical teams. Real-world examples will show how using these tools can strengthen response strategies and enhance communication across the organization.
Attendees will walk away with practical tips on choosing and using the right toolkit for their organization, integrating it into risk management plans, and using it to stay ahead of potential cyber threats. The goal is to give executives a clearer picture of their cybersecurity landscape and how to respond effectively to potential breaches.
A social scientist by trade, Pavle Bozalo is a risk analyst specializing in risk assessment, audit, and privacy. Outside of his consulting career, Pavle is a researcher, his areas of interest sitting at the intersection of surveillance technologies, civil rights, and global affairs.
Aron Feuer is the Chief Executive Optimist at Valencia. Aron manages cybersecurity projects and builds cybersecurity programs for the federal government, banks, and Canadian business. He has led hundreds of penetration tests and threat risk assessments, simulations, and incident response projects, including helping the City of Ottawa recover from a hack by
Anonymous. A national expert on cybersecurity, he co-authored Canadian Privacy—Data Protection Law and Privacy. Aron is a former stockbroker and technology architect. In 1998, he started Cygnos IT Security, which grew to be a regional player and was sold to a global accounting firm. In 2015, Aron launched Valencia with Michael Power and Sameer Malik.
Matias is a seasoned cybersecurity analyst currently working at Valencia, where he leverages hands-on expertise to secure infrastructure and deliver client-focused solutions. Known for aligning strategies with organizational goals, he is dedicated to advancing practical security innovations.
Blackbox Android Malware Detection Using Machine Learning and Evasion Attacks Techniques
Over the past ten years, researchers have extensively explored the vulnerability of Android malware detectors to adversarial examples through the development of evasion attacks. Nevertheless, the feasability of these attacks in real-world use case scenarios is debatable. Most of the existing published papers are based on the assumptions that the attackers know the details of the target classifiers used for malware detection.Nevertheless, in reality, malicious actors have limited access to the target classifiers.
This talk presents a problem-space adversarial attack designed to effectively evade blackbox Android malware detectors in real-world use case scenarios. The proposed approach constructs a collection of problem-space transformations derived from benign donors that share opcode-level similarity with malware applications through the consideration of an n-gram-based approach. These transformations are then used to present malware instances as legitimate entities through an iterative and incremental manipulation strategy.
The presentation will describe a manipulation model that is based on a query-efficient optimization algorithm, which can identify and implement the required sequences of transformations into the malware applications. The model has already been evaluated relative to more than 1,000 malware applications. This demonstrates the effectiveness of the reported approach relative to the generation of real-world adversarial examples in both software and hardware-related scenarios. The experiments that we conducted demonstrate that the proposed model may effectively trick various malware detectors into believing that malware entities are legitimate. More precisely, the proposed model generates evasion rates of 90%–95% relative to data sets like DREBIN, Sec-SVM, ADE-MA, MaMaDroid, and Opcode-SVM. The average number of required computational operations belongs to the range [1..7].
Additionally, it is relevant to note that the proposed adversarial attack preserves its stealthiness against the virus detection core of three popular commercial antivirus softwares. The obtained evasion rate is 87%, which further proves the proposed model’s relevance for real-world use case scenarios.
Professor Dr. Razvan Bocu received a B.S. degree in computer science, a B.S. degree in sociology, and an M.S. degree in computer science from Transilvania University of Brasov, Romania, in 2005, 2007, and 2006, respectively. He also received a Ph.D. degree from the National University of Ireland, Cork, in 2010. He is a Research and Teaching Staff Member in the Department of Mathematics and Computer Science at the Transilvania University of Brasov. He is author or coauthor of more than 60 technical papers, together with six books and book chapters. Dr. Bocu is an editorial reviewing board member of 28 technical journals in the field of information technology and biotechnology, which includes prestigious journals like Journal of Network and Computer Applications, IEEE Transactions on Dependable and Secure Computing, International Journal of Computers Communications & Control. He is also a Research Scientist with Siemens Industry Software, Brasov, Romania. In this capacity, he supervises research projects with strategic business value.
SAP Cyber Security 101 (Part 2)
In many companies, we find that CISOs and security officers do not have any (in-depth) knowledge of SAP. This is why the topic of SAP security often gets underestimated. Anyone interested in gaining insight into the important basics of SAP technologies can benefit from this highly compact crash course on SAP security. The session will give you an overview about security threats and ways to counter them. It is a sneak preview for a complete SAP security training.
Andreas is an experienced SAP security researcher. He discovered a substantial number of zero-days in SAP software and supported development of a market leading ABAP SCA tool. He has spoken at multiple security conferences such as Black Hat, DeepSec, HITB, IT Defense, RSA and Troopers. He currently focuses his research on SAP malware.
Space Cyber Immunity
This presentation will discuss real-world satellite attacks then continue into an architecture for a cyber resilient software-defined satellite architecture that provides an autonomous cybersecurity self-healing and immunity capability. The discussion will include the concept of a software-defined satellite architecture capable of detecting the undetectable advanced persistent threat then automatically and dynamically morph the configuration to continue uninterrupted mission operations. In addition, the presentation will discuss software-defined satellite cybersecurity deception.
Paul is a Cyber SME at nou Systems, Inc. His expertise includes space systems, service provider, and ICS/SCADA network infrastructure attacks and defenses, as well as large complex network design and implementation. Paul is experienced in leading network architecture reviews, vulnerability analysis, and penetration testing engagements for service provider, enterprise, space systems and tactical networks. Paul is a regular instructor at international conferences teaching networking, hacking and forensics courses. He has a BS in Math\Computer Science, a MS in Systems Management, a MS in Information Assurance and Security and a MS in Computer Information Systems. Paul is currently pursuing a MS in Space Systems. In addition, he holds numerous industry network and security certifications.
Navigating the Storm: Emerging Threats in AWS Cloud Security
As cloud adoption accelerates, so too does the sophistication of attacks targeting cloud infrastructure. Our talk delves into the evolving landscape of AWS security, focusing on the burgeoning threat of cryptomining. We've witnessed a significant shift in the tactics, techniques, and procedures (TTPs) used by attackers. This session will uncover the latest trends in cloud security, spotlighting new threat groups and their innovative methods for abusing AWS services.
Attendees will learn about real-world threats involving AWS resources. We will explore the intricate ways these attackers infiltrate and collaborate with other groups in a large black market for credentials. Our discussion will also cover proactive strategies for detection and mitigation, empowering security professionals to safeguard their cloud infrastructure against these evolving threats.
Miguel Hernández is a student for life with a passion for innovation. He spent the last nine years working in security research at big tech companies. Currently, he’s a Sr. Threat Research Engineer at Sysdig, in addition to contributing with his own open source projects such as Grafscan or Spyscrap.
Alessandro is a Sr. Threat Research Engineer at Sysdig with a background in penetration testing of web and mobile applications. His research includes cloud and container security, with a specific focus on supply chain attacks and cloud platform exploitation. While studying computer science and engineering at Politecnico di Milano, he participated in various bug bounty programs where he received rewards from several large companies. Alessandro is also a contributor to Falco, an incubation-level CNCF project.
The State of Security in Germany's Municipal Administration
I want to give an overview on Germany's digital administrative architecture, the role of municipal administration and security expertise, the software ecosystem for public administration, relevant threats to municipal administrations, and how security experts could help.
I studied Computer Science at the Leibniz University of Hannover and then joined Matthew Smith's research group on usable security and privacy where I graduated with a PhD in 2021. The research focus of my thesis was on the perception of security in selected contexts. Since 2020, I work at the Niedersächsisches Studieninstitut für kommunale Verwaltung e.V. and Kommunale Hochschule für Verwaltung Niedersachsen (HSVN), an education provider for municipal administraion staff in the state of Lower Saxony, Germany. Here, I teach about security, data protection, and digital transformation in public administration. My current research interests are organizational security and business continiuty management from a human-first perspective.
AI Based Attack on Post Quantum Standard “CRYSTALS Kyber”
In recent years, the field of quantum computing has seen remarkable advancements, prompting concerns about the security of current public key cryptosystems in the development's event of sufficiently powerful quantum computers. Kyber, a post-quantum encryption technique relying on lattice problem hardness, has recently been standardized. However, despite rigorous testing by the National Institute of Standards and Technology (NIST), recent investigations have revealed the efficacy of Crystals-Kyber attacks and their potential impact in real-world scenarios.
Following the publication of the paper "Breaking a Fifth-Order Masked Implementation of CRYSTALS-Kyber by Artificial Intelligence" discussions have emerged regarding the vulnerability of the post-quantum crypto system Kyber. The authors propose a side-channel attack leveraging artificial intelligence, specifically employing a neural network training method known as recursive learning to compromise the system.
Our study explores CRYSTALS-Kyber's susceptibility to side-channel attacks. We find that in the reference implementation of Kyber512, certain additional functions can be compromised through selected ciphertexts, facilitating successful attacks. Notably, real-time recovery of the entire secret key becomes feasible under various assault scenarios.
At DeepSec, I will provide an in-depth explanation of how Kyber operates and conduct a comprehensive analysis of the attack vectors targeting it. We will delve into the question whether Kyber has indeed been compromised. Additionally, during the conference, I will present a protective mechanism designed to mitigate the impact of such attacks.
Maksim Iavich is Ph.D. in mathematics and a professor of computer science. In 2018, he was acknowledged as the best young scientist of Georgia in computer science. Maksim is an affiliate professor and the Head of Cyber Security Direction at Caucasus University. He is also a Head of the Information Technologies bachelor and of the IT Management master programs. Since 2020, Maksim Iavich is an expert-evaluator at the National Center for Education Quality Development of Georgia. Furthermore Prof. Iavich is a Director of the Cyber Security Center, CST (CU), the CEO & President of the Scientific Cyber Security Association (SCSA) and a cybersecurity consultant in Georgian and international organizations. He's a speaker at international cyber security conferences and the organizer of many scientific cyber security events. He has many scientific awards in the cyber security field, mainly in cryptography and is the author of many scientific papers. The topics of the papers are cyber security, cryptography, post-quantum cryptography, quantum cryptography, mathematical models, 5G security, machine learning and simulations.
The Tyrant's Toolbox
Social media, and our communications systems, have devoured any semblance of privacy, putting the eyes and ears of authoritarian and wannabe fascist types into the pockets of each of us; radically erasing whatever distance once existed between those who exercise authority and the human objects of their control, both at home and abroad. As Professor Ronald J. Deibert, founder of Citizen Lab, eloquently highlights in his book "Reset: Reclaiming the Internet for Civil Society": "...recent years have brought about a disturbing descent into authoritarianism, fueled by and in turn driving income inequality in grotesque proportions the rise of a kind of transnational gangster economy."
As we continue our descent into a global madness, fueled by AI, spyware, algorithms, and misinformation, tyrants around the world continue to expand their toolbox. Through our talk, we examine their weapons through which they maintain their stranglehold on power, whether in an authoritarian regime or an illiberal democracy. Building upon our paper, "Eyes in The Skies: A Study of Spyware's Usage by Authoritarian and Illiberal Regimes," we expand our scope to better understand what technology is enabling these frightening trends. Our aim is to contribute to the awareness of these trends and empower those who wish to combat them.
Penetration tester by day, Julian identifies vulnerabilities to exploit for a wide range of clients. OSINT enthusiast by night, Julian follows emerging threats to the Western world.
A social scientist by trade, Pavle is a risk analyst specializing in risk assessment, audit, and privacy. Outside of his consulting career, Pavle is a researcher, his areas of interest sitting at the intersection of surveillance technologies, civil rights, and global affairs.
From Dungeon Crawling to Cyber Defense Drill: Using RPG Principles and LLM for Operational Team Dev
Continuous improvement/training is in the DNA of cybersecurity professionals, specifically for incident responders, which are always searching for new ways to learn and practice their technical and analytical crafts. This is even more the case in mature environments where Incident response teams may find themselves in a situation with few high stakes incidents, preventing them from applying their technical and thinking skills, thus lowering their readiness when a crisis occur.
LLMs based conversational agents are becoming mainstream and applications are countless.
In the meantime, Tabletop Role-Playing Games (TTRPG) are found to be a great breeding ground for creativity and fun. To achieve the benefits of this game, preparation is needed and a game master must be present to keep the players engaged.
So we leveraged the power of AI, mixed automation and past experiences/lessons learned with the fun of TTRPG to provide a new tool for incident responders to practice live sessions... In this talk, we will present our new Mattermost-enabled game that allows players to be confronted with dire situations.
Aurelien is a cybersecurity professional who has been active in the industry for over five years. He began his journey as an intern Incident Handler at CERT-W, where he gained valuable hands-on experience in incident response and digital forensics. Aurelien then went on to join CERT-XMCO as a full-time consultant. Over two and a half years, he honed his skills and used them in maintaining a cybersecurity watch for his clients, helping them managing their external attack surface and also engaging in complex security incidents. Aurelien is now working as a Cybersecurity analyst at CERT Societe Generale.
With over seven years of experience in cybersecurity, Charles is a seasoned analyst currently helping at protecting one of France's leading financial institutions within CERT Societe Generale. He brings a wealth of knowledge from his diverse background, having served as a SOC analyst at a French Managed Security Service Provider (MSSP) and a Threat Intelligence Analyst at a French Ministry.
Charles and Aurelien are active members of cybersecurity communities, such as InterCERT France or FIRST where they both held talks regarding to automation, threat intelligence and artificial intelligence. Aurelien also shared his expertise through publications in XMCO's ActuSecu, a leading French cybersecurity newspaper.
Living on the Edge: eBPF Defenses for Embedded System (in the Automotive Domain)
Linux has become a driving factor in the industrial and automotive domain. Vehicles are already a complex network of electrical components. In recent years the technology stack and connectivity of vehicles have drastically evolved. Is all this complexity still safe and secure?
How can embedded systems running different bus systems and physical interfaces be protected against modern attackers? The now mandatory updates of on-board components in these vehicles have introduced even new security challenges to this evolving landscape. Common Linux security measures, including capabilities, permissions, and mandatory access control, are already hitting their limits. The use of eBPF technologies promises a flexible way to define security at runtime without the need to change the application code. Will this be as transformative for the embedded sector as it has been for the cloud?
This talk presents hands-on the internals of embedded security and shows how eBPF can be employed for defenses on automotive and embedded systems running Linux.
Reinhard's expertise centers around security testing of IT, industrial, and cyber-physical systems. Drawing from his background in cyber defense, reverse engineering and penetration testing, he collaborates with companies to enhance their security capabilities, develop secure products, and contribute to research projects in applied security. Reinhard is also a seasoned instructor, developing customized security training programs. As a member of the MATRIS research group at SBA Research, he provides Applied Research Consulting services to both research partners and industrial companies. He co-organizes meetups in the domains of automotive security, container security and eBPF.
Modern vs. 0ld Sk00l
The development landscape includes an ever-changing set of security practices. It has finally become standard practice to perform penetration testing, run threat modeling, teach developers about security, push left, and have zero trust. This shows the industry is better off today than in previous years. Or does it? Get a taste for the real history of security and why everything old is new again. See security failures as they existed in years past and how they still exist in modern examples from the last year. Finally, explore the strategies that effectively catch these problems early in the development lifecycle without spending a fortune on security snake oil.
Seth Law is the Founder of Redpoint Security (redpointsecurity.com). Over the last 20 years, Seth has worked within multiple security disciplines, including application development, cloud architecture, and network protection, both as a manager and individual contributor. Seth has honed his security skills using offensive and defensive techniques, including tool development and security research. His understanding of the software development lifecycle and ability to equate security issues to development tasks has allowed him to speak at conferences ranging from Blackhat and DEF CON to local security meetups. In his spare time, Seth revels in deep-level analysis of programming languages and inherent flaws, develops the iOS version of HackerTracker, and co-hosts the Absolute AppSec podcast with Ken Johnson.
Industrial plants: IP Protection in an increasingly (de)globalized economic System
Customs duties and trade restrictions are increasingly presenting companies with logistical challenges. The trend is to relocate production capacities to the relevant countries to be close to the customer. But how can a company safely move an industrial plant abroad without risking the loss of its own IP (intellectual property)? By using a practical example, we demonstrate how to enable a commercially available Simatic S7 1500 PLC to keep control over the PLC program stored in the controller and its parameters. To achieve this, we implement strong cryptography within the device. The challenge here is that the device does not have the necessary functionality “out of the box”. How can we make sure that production does not take on a life of its own (secure manufacturing)? Regardless of the PLC used, industry has successfully implemented this practical example for years. Experience with programming PLC controls is not required.
Josef Rametsteiner is an expert in applied cryptography and co-founder of the Munich-based security company sematicon AG. In his role as Lead Security Consultant, he handles internal product security and leads sematicon's own "Security Response Team (SRT)". In addition, he supports customers in the development of secure embedded products, for example in the IoT or industrial sector, with a focus on secure coding and strong cryptography.
sematicon AG is a Munich-based company that specializes in industrial security and embedded cryptography. We support you in successfully and securely mastering the digital transformation. With a focus on industry and electrical engineering, we offer specialized security solutions that we have developed based on industry requirements. Our "Zero Trust" solution, providing secure and isolated remote access to industrial plants and systems, is considered an innovation. We also support and advise you in the planning and implementation of your OT security concepts. We thus offer comprehensive security services for the industrial and electronics sectors from a single source.
Insights on Client-Side Scanning and Alternatives in the Fight Against Child Sexual Abuse and Exploi
Content Warning: This talk may include mention of child sexual abuse and exploitation.
In this talk, we want to give an overview of our research into Client-Side Scanning (CSS) and follow-up work on safety in end-to-end encrypted messaging concerning sexual risks.
Client-Side Scanning (CSS) is discussed as a potential solution to contain the dissemination of child sexual abuse material (CSAM). A significant challenge associated with this debate is that stakeholders have different interpretations of the capabilities and frontiers of the concept and its varying implementations.
In current work, we explore stakeholders' understandings of the technology and the expectations and potential implications in the context of CSAM by conducting and analyzing 28 semi-structured interviews with a diverse sample of experts.
We identified mental models of CSS and the expected challenges.
Our results show that CSS is often a preferred solution in the child sexual abuse debate due to the perceived lack of an alternative.
Our findings illustrate the importance of further interdisciplinary discussions to define and comprehend the impact of CSS usage on society, particularly vulnerable groups such as children, on whom CSS would have a detrimental impact.
Why should you care? Child sexual abuse and exploitation (CSAE) is a global problem hurting every society. The introduction of Client-Side Scanning would have far reaching consequences not only for individuals but also for companies. Understanding what it is and can be is a first step at participating in the discussion. Since CSS won't solve the root problem of CSAE, it is also imminent to research alternatives that give agency to users to protect themselves from these crimes online. However, sexual abuse and exploitation are not only problems for youth; adults can also fall victim to these crimes. Thus, protective mechanisms are important for everyone.
Carolyn Guthoff is a doctoral researcher at the CISPA Helmholtz Center for Information Security in Germany. Her research primarily focuses on usable security and privacy, particularly on bridging the gap between theoretical security measures and their practical applications, where she aims to align the demands of security researchers with the realities faced by end users.
Before joining CISPA, she worked as an application owner and business analyst at Mercedes-Benz.
V2GEvil: Ghost in the Wires
This research is dedicated to enhancing the cybersecurity of electric vehicles, with a specific focus on identifying vulnerabilities in the Electric Vehicle Communication Controller (EVCC). This controller facilitates communication with the Supply Equipment Communication Controller during the charging process. Accessible through the On-Board Charging (OBC) port, which is as publicly available as the gas tank in combustion engine vehicles.
The research journey began by studying the electric vehicle charging ports, how they communicate, and the standards they follow, especially focusing on ISO 15118. Then, we closely looked at how On-Board Charging (OBC) works, especially its communication protocols during charging, with a special focus on the High-Level Communication (HLC).
Our research efforts resulted in the development of a dedicated security tool. This tool is designed to examine and assess the implementation of the EVCC (Electric Vehicle Communication Controller). It can simulate the behaviour of the SECC (Supply Equipment Communication Controller) during charging and includes extra features to simplify the process of enumeration and fuzzing the EVCC during charging operations.
In this talk, we’ll explore the world of electric vehicle cybersecurity, focusing on charging communication, vulnerabilities in EVCC implementation, and the development of a dedicated security tool. We’ll discuss charging standards, communication protocols, and real-world scenarios to understand the evolving landscape of electric mobility cybersecurity. Additionally, we’ll showcase and discuss the hardware required for connecting to the vehicle charging port.
Pavel Khunt is an Cyber Security Researcher and Penetration Tester at Auxilium Pentest Labs. With a background in engineering, Pavel graduated from FIT CTU, where his master’s thesis focused on V2G (Vehicle-to-Grid) communication during the charging of Electric Vehicles (EVs). Passionate about ensuring the safety and security of automotive technologies.
Thomas Sermpinis (a.k.a. Cr0wTom) is the Technical Director of Auxilium Cyber Security and independent security researcher with main topics of interest in the automotive, industrial control, embedded device and cryptography sectors. During his research, he published several academic papers, 0days and tools with the ultimate goal of making the world a safer place, but also helped almost 100 OEMs and Tier 1 automotive suppliers to achieve better security and develop more secure products.
Differences in Focus on Cybersecurity in Smart Home Devices between Research and Practice
This meta-study of scientific security journals and a user survey examines the most common cybersecurity threats and solutions for smart home devices. But do the researched topics correspond to the security threats encountered in practice? This talk will explore the tension between research interests and practical applications, and present opportunities for improving the cybersecurity of smart home devices.
Dr Edith Huber is a senior researcher in the field of cybercriminology and security research. She studied at the Faculty of Social Sciences at the University of Vienna and has been employed at University of Continuing Education Krems since 2006. She can draw on numerous research and teaching papers in the field of security research.
She is also a reviewer for research programmes at the European Commission and for journals in the field of IT security research.
Albert Treytl is senior researcher in the area of communication technologies and security. His research focused on security and communication for resource limited devices in distributed systems and IoT. He is head of the Center for Distributed Systems and Sensor Networks and deputy head of the Department for Integrated Sensor Systems at the University for Continuing Education Krems (Danube University Krems). His research is dealing with distributed data management and processing in sensor networks and the integration of sensor systems. This comprises securing sensor networks, distributed energy optimization in industrial and office buildings as well as integration of sensors in intelligent traffic systems. Recent research is on embedded intelligence, digital twins and applications of AI methods for model predictive control strategies. He is author of more than 100 peer reviewed scientific publications and leader of multiple national and international projects. Aside this, he is engaged in various technical committees (IEEE, CEN TC 247 WG4, IEEE1588 standardisation), scientific conferences, and is co-lecturer at the Vienna University of Technology.
"RAGs to Reqs" - Making ASVS More Accessible for Developers Through the Power of Graphs and Chatbots
ASVS is awesome! At the same time it contains 200+ requirements. Even after localising it for your context, it’s likely to have 100+ relevant requirements. Can we - the security team - ask the developers to go through this list for every feature?
We can, but how likely it is to happen in a modern DevSecOps environment, and what will be the quality of the engagement with ASVS?
(Also, spreadsheets are boring and everyone hates them). Can we do better? Yes!
Retrieval-Augmented Generation (RAG) is the process of optimising the output of a large language model, so it references an authoritative knowledge base outside of its training data sources before generating a response. Luckily, ASVS is a very “graphy” data that lends itself well to being stored in a graph format.
Using this graph as the authoritative knowledge base, we use semantic similarity search on the feature description to look up relevant ASVS requirements, which is already very useful on its own. But passing these requirements as context to OpenAI or another LLM gives further useful results, reducing hallucinations and giving the developers specific security requirements for their feature that are based on ASVS.
Bottom line: Don’t let ASVS become a chore, let the developers have an easy initial engagement with it. They can always go deeper if needed.
The workflow we’ve achieved in our engineering org: Let the tool run on internal portal. Developers provide a feature description (a paragraph or though), the tool gives them top-10 most relevant ASVS requirements and some further recommendations based on these requirements. Lots of ideas for refining and expanding, we’ll discuss some of these.
We released as open source the prototype tool and the underlying graph database including pre-calculated vector embeddings for semantic similarity search: https://github.com/neo4j-examples/appsec-asvs-bot
The ideas in this talk will help AppSec engineers with their scaling and culture building efforts, and will help all the developers/builders to get some security impact in their features fast.
Irene Michlin is an application security lead at Neo4j. Before going into application security, Irene worked as software engineer, architect, and technical lead at companies ranging from startups to corporate giants. Her professional interests include securing development life-cycles and architectures. After years of AppSec consultancy, she is now back to in-house role, where she can apply all that she's learned.
"EU Cyber Resilience Act" - Maintain control and not just liability for your products
The new EU Directive EU 2019/1020, also known as the "Cyber Resilience Act" or “CRA” for short, defines new rules for manufacturers of hardware and software with "digital elements". For device manufacturers in the medical, industrial and entertainment sectors, the time to act is now. Security updates, vulnerabilities and an extended duty of care for the life cycle are now enforced by law. However, hardware production, such as IoT devices, poses particularly new challenges. What many do not know: Many vulnerabilities are due to physics and are not "bugs" in the conventional sense. As part of the "DeepSec Secure Coding" series, we put the spotlight on the challenges of developing secure hardware and show the vulnerabilities using the example implementation of a bootloader for embedded systems. How to keep control over updates? What is "Secure Boot" and why does the compiler work against the developer?
Michael Walser is a member of the Management Board and the CTO of the Munich-based industrial security company sematicon AG. In this role, he handles the company's technical strategy and advises customers on the secure implementation of digital transformation in the industrial sector. He is a recognized expert for OT cyber security in industry and KRITIS environments. After graduating in electrical engineering, he worked for many years as a consultant and advisor on successful IT security projects with a focus on cryptography worldwide and handled their implementation.
sematicon AG is a Munich-based company that specializes in industrial security and embedded cryptography. We support you in successfully and securely mastering digital transformation. With a focus on industry and electrical engineering, we offer specialized security solutions that we have developed based on industry requirements. For example, industry experts consider our "Zero Trust" solution for secure and isolated remote access to industrial plants and systems an innovation. We also support and advise you in the planning and implementation of your OT security concepts. We thus offer comprehensive security services for the industrial and electronics sectors from a single source.
Cheating Detection in Chess using Neural Network
During the talk, I will address the escalating issue of cheating in online chess, underscored by recent incidents like Hans Niemann's case, highlighting the urgent need for effective solutions to maintain fair play and uphold competitive integrity.
I will present our innovative approach to detecting AI assistance in chess, utilizing advanced neural networks. Our research involves a comprehensive analysis of extensive chess game data, encompassing moves from established engines like Stockfish to cutting-edge neural networks such as Maia, Maia individual and its components.
Key aspects of our methodology include:
• Centipawn Deviations: Evaluating deviations from typical computer strategies to identify moves influenced by AI.
• Human-like Play Recognition: Utilizing Maia's and Maia Individual’s capability to discern human-specific playing styles, enhancing our ability to distinguish genuine human play from computer-assisted moves.
• Move Time Distribution: Analyzing patterns in move time distributions as potential indicators of AI involvement, adding another layer of detection.
Our approach marks a significant advancement in cybersecurity efforts aimed at combating digital deception in gaming. The success of our algorithm, achieving an impressive 98.62% accuracy rate in detecting AI aids, underscores its efficacy in safeguarding gaming integrity.
I will discuss the broader implications of our findings beyond chess, emphasizing the potential applicability of our methodology in addressing cheating across various digital environments. Ethical considerations are integral to our approach, advocating for the establishment of guidelines to ensure fairness and equity in AI utilization.
This talk aims to provide insights into our pioneering methodology, discuss the pivotal role of neural networks in cybersecurity, and explore future directions for enhancing fair play in gaming environments. During the talk I will show the practical use of the model trained by Maia and Maia Individual’s chess engines. I will show the work of our novel neural network for cheating detection in chess.
I completed the International Baccalaureate at the European School and am currently in my third year of studying computer science at Caucasus University. Over the past two years, I've been dedicated to developing an innovative project focused on detecting cheating in online chess games, culminating in the founding of our startup, ChessU.
I've had the opportunity to showcase our project at various cybersecurity and AI competitions, achieving notable recognitions. These include winning the Best Work award at a cybersecurity conference for students and young scientists (https://scsa.ge/en/cyber-security-conference-for-students-and-young-scientists/), securing third place at the BTU Hackathon - AI Hackathon (https://btu.edu.ge/en/khelovnuri-inteleqtis-hakathoni-studentebisthvis), and emerging victorious in the Python battle organized by Transilvania University of Brașov in 2023.
These experiences have not only honed my skills but also affirmed my passion for leveraging technology to tackle real-world challenges.
Attackers Aren't Breaking In, They're Logging In: Cloud Security Asymmetry
In today's digital landscape, adversaries have shifted their focus to the cloud, finding it easier to attack and compromise than traditional on-premises systems. This talk explores the asymmetry in cloud security, where attackers find the cloud environment more accessible and easier to exploit, while defenders struggle to keep up. We will delve into the reasons behind this imbalance, including the global accessibility of cloud services, the critical role of identity as the new perimeter, and the low barrier to entry for attackers needing only a single set of credentials. Additionally, we'll discuss the lack of visibility in cloud environments compared to the well-established practices in on-premises setups, and how the diverse configurations and logging systems of various cloud providers add to the complexity. Finally, we will address the unique skill set required for incident response in the cloud and the industry's current readiness. Attendees will gain a comprehensive understanding of these challenges and learn practical strategies to enhance their cloud defense capabilities.
Roei Sherman is the Field CTO at Mitiga, a leading Cloud Incident Response company, where he leverages his extensive expertise in cybersecurity to drive innovation and guide strategic initiatives. With over a decade of experience in adversarial cybersecurity roles, he utilizes an adversarial mindset and guerrilla tactics to enhance defensive strategies across various security engagements, including training, lectures, and consulting.
Roei's career began in the Field Intelligence unit of the IDF. He has held significant positions at AB InBev as Global Director of Offensive Services and as a Red Team leader for EY. His technical acumen encompasses red teaming, cloud security, social engineering, physical security, deception, and incident response.
Roei is known for his ability to think like an attacker, providing invaluable insights and strategies for robust cybersecurity defenses. His contributions to the field have made him a sought-after speaker and consultant, helping organizations strengthen their security posture against evolving threats.
Secure Coding Lounge
T.B.A.
T.B.A.
Digital Sovereignty through Self-Hosting? - A Human-Centered View on Security Challenges
Self-hosting is the epitome of privacy-friendly behavior and therefore a first-class measure for gaining sovereignty over one's own digital assets. However, taking control of a server's hardware and software is a demanding task, and security considerations in particular pose a major challenge.
In this talk, we will explore how human factors enter into the technical tasks of system administration. To this end, we will get to know the population of self-hosters on a systematic level. We will look at the motivations, operations, and security challenges faced by organizational and private self-hosts. From there, we will learn how these dimensions are connected in non-obvious ways, such as how motivational factors influence the choice of server type and how these in turn affect security outcomes. In addition, we discuss the prevalence of private self-hosting and highlight potentially risky use cases.
Lea Gröber is a doctoral researcher at the CISPA Helmholtz Center for Information Security, in Saarbrücken, Germany. Before that, she obtained her M.Sc. in computer science from Saarland University. Her research primarily focuses on privacy and security, particularly within the context of cloud computing, the Web, and user-centered security design.
Far Beyond the Perimeter - Exploring External Attack Surfaces
Looking for intel in all the right places is an art that adversaries seem to have mastered; but when it comes to their own data, many companies seem to lose interest in examining anything that's outside the "perimeter" - whatever that is suppossed to be nowadays. Credential leaks, shadow IT, unofficial websites with official info - the list of assets far outside the data centers of companies is long and those assets nevertheless pose risks. Instead of turning a blind eye, it's important (and necessary) to get an understanding of what kind of information is out there, ready to be used or abused and protect accordingly.
What risks are "out there" and what is meant by "out there"? How can those risks be addressed? What tools are easily available?
Gathering information is a valuable tool not only for adversaries, but also for anyone trying to address risks before they become problems. Most companies with more than just a handful of employees sooner or later will find out that not all of their digital assets are behind company firewalls. Any sensitive data that is not controlled by the company itself can become a problem - from leaked credentials to VPN access details being sold on the darknet and other shady places.
Knowing something has leaked won't solve the problem, but will give the opportunity to protect against potential attacks leveraging this intel, and also to examine the reasons why it's somewhere it shouldn't be.
This talk won't go into details of scanning company servers or whatever goes on in internal networks; we will focus solely on all the things adversaries can and will use to craft spear phishing emails, learn company secrets or to find a scenic back route to internal networks.
Hopefully this talk will motivate you to dig deeper into getting to understand the external attack surface of the company you're working for, or help you prepare your next red team engagement. If you're already doing this stuff on a daily basis, there won't be any surprises, but if you never thought about digging into this topic, you'll hopefully learn a ton of new things.
Not looking for risks poses a risk in itself.
After all, how can something be protected if nobody knows about it?
Stefan works for the Internet Security Team at German company DATEV eG. He started messing with computers in the 80s and turned it into a job as a programmer in the early 90s. Since 2000 he has been securing networks and computers for various enterprises in Germany and Scotland. His main focus nowadays is security research, raising security awareness, coming up with creative solutions to security problems and discussing new ideas concerning threat mitigation. When not trying to do any of the stuff mentioned above, he is either travelling, producing hacker music and other electronic beats or gardening.
Should You Let ChatGPT Control Your Browser?
This presentation will explore the practical risks associated with granting Large Language Models (LLMs) agency, enabling them to perform actions on behalf of users. We will delve into how attackers can exploit these capabilities in real-world scenarios. Specifically, the focus will be on an emerging use cases: autonomous browser and software engineering agents. The session will cover how LLM agents operate, the risks of indirect prompt injection, and strategies for mitigating these vulnerabilities.
Donatos work includes leading penetration testing for web applications and networks, and conducting adversary simulation and purple team activities. Recently, his research has focused on the security of autonomous agents created using Large Language Models (GenAI). Additionally, Donato has developed and delivered various training courses, including WithSecure's Secure Software Engineering, to enhance industry knowledge and promote continuous learning.
Automatic Recovery of Cyber Physical System Applications against Known Attacks
Recovering a software application against an arbitrary attack is an intractable problem because of inadequate information available about compromised components of the application. Therefore, to this end, we have developed a methodology and supporting tools that can automatically detect and recover the execution of a cyber-physical system application against known attacks. The methodology can detect and recover the application against cyber, physical, and cyber-physical attacks. However, based on the availability of adequate information about the compromised components, the methodology supports three different recovery strategies, e.g., “full recovery” – recovers the last secure state of the application, “partial recovery” – recovers a specific state of the application and “no recovery” – recovers application by a user-provided action. Specifically, the methodology is based on program verification that allows specifying of various attacks and their recovery strategies in an extended Java Modeling Language. The language also allows for describing the functional behavior of applications that are developed in Java. Finally, we demonstrate our methodology through its application to recover a typical e-commerce application.
I am an Associate Professor (Reader) of Computer Science at the University of Greenwich, UK. There I founded the Cyber Assurance Lab in the Centre for Sustainable Cyber Security (CS2) (previously ISEC - Internet of Things and Security Research Centre). I am also a visting scientist at MIT CSAIL, USA and DARPA, USA. Also, I am a member of (i) an interdisciplinary Law, Emerging Tech and Science (LETS) Lab, UK, (ii) Formal Methods Europe - an association for bringing world leading researchers and academics together, including the teaching of formal methods, and (iii) EASST - an European Association for the Study of Science and Technology. I have received a MSc in Advanced Distributed Systems from the University of Leicester, UK in 2008 and a PhD (Dr. techn.) in 2014 focusing on Formal Verification of Computer Algebra Software from the Research Institute for Symbolic Computation (RISC), Johannes Kepler University, Austria, both with distinction. I have also received an MSc in Computer Science from the Islamia University of Bahawalpur, Pakistan in 2001. Before joining the University of Greenwich, I was a Lecturer in Cyber Security at Surrey Center of Cyber Security, University of Surrey, UK during 2018 and 2019. Prior to that I was a Postdoc at the MIT CSAIL, USA jointly during 2014-2016 and in SERG Group at the Alpen-Adria University, Austria during 2016-2018. My research has been recognised through (i) winning awards in the most premier research venues including CICM 2012, WF-IoT 2016 and ICS-CSR 2019, to name a few and (ii) winning and being part of mega research grants by distinguished international and regional funding agencies including Horizon Europe, H2020, HFRI, FWF and NSF/DARPA, to name a few. I am a member of IEEE.
A Practical Approach to Generative AI Security
The rise of applications based on AI (mostly generative AI) forces us to think about the security and privacy implications of these systems. We will try to make sense about the attack surface of generative AI applications, what practitioners in the field need to consider in development and operations and how they can derive security measures for these systems.
We will first dive into the range of generative AI applications using examples of the openAI ecosystem. This will give the audience an understanding about the fundamental problem of AI from a security perspective. We then offer an insight into the attack surface that those applications have. This will help understand what needs to be secured and what can be secured. In many cases, good old security best practices will be a good start although AI security brings new challenges that we will discuss. In addition we will talk briefly about privacy issues related to AI that we need to consider in the future.
All the aspects mentioned above will be supported by examples we have prepared. The aim is for the audience to gain an understanding of the issues associated with generative AI applications, and for security practitioners to be able to derive security measures that can be applied in this area.
Florian holds a Bachelor’s degree in Medical Computer Sciences and a Master’s degree in Software Engineering. He works as a Security Analyst and team lead at ERNW.
Hannes holds a Bachelor’s and a Master’s degree in Physics. He works as a Security Analyst and Team Lead at ERNW and takes care of application and infrastructure assessments. His topics include mobile, IoT and telco security.
Firmware Forensics: Analyzing Malware Embedded in Device Firmware
Firmware, essential to hardware functionality, increasingly becomes a prime target for cyber threat actors due to its foundational control over devices. This presentation delves into a detailed analysis of malware embedded within purported firmware updates for Sabrent devices, a case study revealing widespread exploitation. By leveraging advanced static and dynamic analysis techniques, we uncover the intricate workings of this malware, strategically hidden within seemingly legitimate firmware patches. Through meticulous investigation, including static examination for file headers, hashes, and embedded resources, and dynamic analysis within controlled environments, we decipher the malware's operational stages. This includes its initial execution triggers, subsequent macro-driven deployments, and ultimate persistence mechanisms through registry modifications, all orchestrated to evade detection and ensure prolonged access to compromised systems.
Diyar Saadi Ali, is a formidable force in the realm of cybersecurity. With a laser focus on cybercrime investigations, Diyar brings a wealth of expertise to the table as a certified SOC and malware analyst. Their mission? To decode and combat digital threats with precision and dedication.
At the heart of their role is real-time security event monitoring, a task they tackle with vigilance and expertise. But Diyar doesn’t stop there—they’re also a respected MITRE ATT&CK Contributor, contributing invaluable insights and strategies to the global cybersecurity community.
Diyar proudly holds ownership of CVEs (Common Vulnerabilities and Exposures) CVE-2024-25400 and CVE-2024-25399, a testament to their commitment to identifying and addressing critical vulnerabilities in digital systems.
Detecting Phishing using Visual Similarity
Current phishing detection methods include analyzing URL reputation and patterns, hosting infrastructure, and file signatures. However, these approaches may not always detect phishing pages that mimic the look and feel of previously observed attacks.
This talk explores an approach to detecting similar phishing pages by creating a corpus of visual fingerprints from known malicious sites. By taking screenshots, calculating hash values, and storing metadata, a reference library can be used to compare against newly crawled suspicious URLs. Fuzzy searches and OCR techniques can be combined with other methods to identify similar matches.
Josh Pyorre is a Security Researcher with Cisco Talos. He's been in security since 2000 with NASA, Mandiant, and other organizations. Josh has presented at many conferences, such as DEFCON, B-Sides, Derbycon, DeepSec, Qubit, and others. His professional interests involve network, computer and data security with a goal of maintaining and improving the security of as many systems and networks as possible. He's writes dark electronic music under the name Die Vortex.
Emperor : ICMPv6 p2p Communication without Third Party
For some time now, we have been investigating how we can initiate p2p communication without the need of a Third Party system (server) that would assist in establishing that communication. As it may be already known, systems that initiate p2p communication use a separate server in order to help establish communication by sharing connection details with each other. One example is the well known technique of "NAT traversal" which requires an intermediate (third party) STUN/TURN server [1],[2],[3]. The widespread implementation of the network address translation (NAT) technique in a network based on IPv4 addresses has enforced serious limitations on peer to peer (P2P) communications. All previous attempts to establish an autonomous communication P2P, no matter how much resourceful, have also suffered from major limitations that prevented their implementation in general [4,5,6]. In 2023 we described a similar technique using IPV4 with UDP packets in order to bypass router limitations and directly establish communications between two parties [7] which we presented at DeepSec 2023 [8].
However, the advent of IPv6 based networks, has eliminated a major obstacle in autonomous P2P communication: The usage of Network Address Translation (NAT) techniques. Nowadays, given the widespread prevalence of IPv6 in the global internet, the only obstacle preventing the end user from interacting directly with the rest of the internet is usually a firewall and not a technical problem. If it wasn’t for that firewall which is usually set on the router level by the ISP, every PC or mobile phone device would be able to act as a server. Revisiting the problem, we now present a technique that uses ICMPv6 error messages to allow direct and autonomous P2P communication, bypassing the inherent limitations of router firewalls.
Nikolaos Tsapakis is a reverse engineering enthusiast and poetry lover from Greece. He has been working as a security & software engineer in companies like NCR, Persado, Fujitsu, Symantec, Citrix. He has also been writing articles or presented for LeHack, Athcon, Deepsec, Symantec, 2600, Virus Bulletin, Hakin9.
George Tselos is a computer science tutor who lives and works in Athens, Greece. He is interested in embedded systems, microcontrollers, peripheral device development.
Blowing Up Datacenters: A Deep-Dive into the Feasibility of Remotely Exploding UPS Batteries
Unlike a lot of Hollywood productions, Mr. Robot depicts the technical aspects of compromising systems reasonably realistic. One of the hacks depicted sparked a lively discussion at Certitude: If an attacker fully compromises a battery backup system firmware, does the hardware prevent an attacker from blowing up the batteries? Naturally, we needed to find out.
In this talk we dive into the hardware and firmware analysis of an uninterruptible power supply system (UPS) to figure out whether this scenario has any merit. We explore all the steps we took from having a literal black box device to trying to actually blowing up the device. We explore the challenges we faced decoding a firmware using an exotic instruction set, the way we were able to identify the charging regulation mechanisms and how we were ultimately able to modify the firmware to overcharge the battery.
We give a short overview of the theory behind blowing up UPS batteries, particularly how and under which circumstances lead acid batteries may produce explosive gas as well as how a UPS may produce a spark to ignite such gas.
Lastly, we explain our experimental setup as well as the safety precautions we took to try to blow up our UPS. We discuss the results of our experiment and the real-life risks of these kinds of attacks.
Wolfgang Ettlinger is heavily interested in the technical aspects of IT security, in particular application security. In the past decade he has gathered experience with a broad range of languages, technologies and frameworks in e.g. penetration testing, source code review and secure software development projects. He is responsible for the identification of dozens of CVEs affecting products from Citrix, Oracle, Symantec, Sophos, Trend Micro, etc.
The Malicious Bloodline Inheritance: Dissecting Deed RAT and Blood Alchemy
ShadowPad is a particularly notorious malware family used in Advanced Persistent Threat (APT) campaigns since 2017. Beginning in 2019, it has been utilized by various groups, and in June 2024, a builder of ShadowPad was disclosed. One of the reasons ShadowPad has garnered so much attention from security researchers is that it is an advanced modular type fileless RAT with a complex structure that is difficult to analyze.
In July 2023, Deed RAT was published by Positive Security as a variant of ShadowPad. Furthermore, Blood Alchemy malware was also discovered as another variant of Deed RAT in April by ICI, with evidence such as unique data structures, malware configurations, loading schemes, and code similarities.
However, important features of both Deed RAT and Blood Alchemy, such as the C2 communication scheme, loading additional modules, and details of backdoor commands, were missing from the past reports. Thus, we conducted further investigation and analysis based on the published research results and deeply disclosed the communication protocols and doubly linked list for managing additional modules, which are quite unique. Additionally, we confirmed more code similarities that were not mentioned in the publicly available information, further establishing the relationships between Deed RAT and Blood Alchemy.
Moreover, we investigated a server that hosted various tools along with Deed RAT between October 2023 and April 2024. Through this investigation, we uncovered another relationship between threat groups involving ShadowPad and Deed RAT, as well as the TTPs of the attack using Deed RAT.
In our talk, we will reveal the inherited relationships between the three malware families, from ShadowPad to Blood Alchemy, based on the code similarities and TTPs that have not been clarified so far. We will also describe further details of Deed RAT and Blood Alchemy's implementation, including our configuration parsers for them, which will be useful for assisting threat researchers and malware analysts.
With a background in security incident response support and malware analysis and countermeasure research, You Nakatsuru joined Secureworks in March 2016. Currently, as a researcher on the Counter Threat Unit team, he focuses on investigating the latest cyber attacks, particularly those targeting Japanese enterprises. He is also actively involved in incident response and malware analysis.
Kiyotaka Tamada, Secureworks: He has joined the Counter Threat Unit (CTU) of Secureworks in 2018, and is engaged in malware analysis and forensic analysis during Incident Response service, as well as collecting and analyzing cyber threat intelligence targeting Japan. He also worked at the Regional TrendLabs (RTL) of Trend Micro for 8 years. He posted some technical blogs on trendmicro.com and secureworks.jp, and he presented at JSAC 2019, 2020 and 2022.
Suguru Ishimaru, ITOCHU Cyber & Intelligence Inc.: In 2023, he entered ITOCHU Cyber & Intelligence Inc. (ICI) as a senior cybersecurity researcher to analyze malware, to research Advanced Persistent Threat (APT), to review security solutions and to handle incident response for protecting the ITOCHU group. Before moving to ICI, he worked as a senior researcher in the Global Research and Analysis Team (GReAT) at Kaspersky for around 15 years. Based on his investigations, he posted some technical blogosts on securelist.com and held talks at several security conferences such as Virus Bulletin, SAS, JSAC, Botconf, Objective by the sea, HITCON pacific, HITCON community, GReAT Ideas Green Tea Edition, AVTokyo, FIRST TC and JPAAWG.
Remotely Snooping on Traffic Patterns using Network Protocols
The presentation features novel research on using different protocols to remotely measure network load and deduce network traffic patterns of a target using ICMP and other widely adopted protocols. The attack allows to distinguish between file upload, file download, video streaming, VoIP, web browsing, etc. depending on network conditions.
This attack works even when done from a different AS.
Kirils Solovjovs is an IT policy activist, bug bounty hunter, and the most visible white-hat hacker in Latvia having discovered and responsibly disclosed or reported multiple security vulnerabilities in information systems of both national and international significance. He has extensive experience in social engineering, penetration testing, network flow analysis, reverse engineering, and the legal dimension.
He has developed the jailbreak tool for Mikrotik RouterOS, as well as created e-Saeima, helping the Latvian Parliament become the first parliament in the world that is prepared for a fully remote legislative process. Kirils currently works as a research assistant at the Institute of Electronics in Computer Science and as a member of the board at the IT security company "Possible Security".
Windows Defender Internals
Microsoft Defender Antivirus (aka Windows Defender) is an antivirus deployed worldwide and used by default on every Windows out-of-the-box. We all use it but who knows exactly how it really works? What is inside this software trusted by a lot of people and companies across the world? This talk is the first one providing such a view about Windows Defender internals, from kernel mode to user-mode, based on extensive reverse engineering research work. With the recent world-wide BSOD of CrowdStrike antivirus, it matters to understand how an antivirus works, what it really monitors, and how some designs are prone to error or security issues. During this talk, we will see that such a highly privileged software is just another Deus Ex Machina, not only for regular malware analysis but also for many security features on Windows.
This talk will start with a deep dive into the kernel mode modules of Windows Defender. The different filters initialized in kernel modes and the different technologies used to get access to real time information on the system will be presented. That will make up the basis to describe the actual architecture of Windows Defender, which is a large software composed of many modules. With this design in mind, it will be the perfect occasion to discuss different approaches when designing an antivirus, especially regarding to CrowdStrike.
Subsequently, we will detail the user-mode service MsMpEng.exe and the main modules constituting it. The goal is to have an overview of the different features proposed by the antivirus, how to interface with them (based on unpublished details), how the antivirus ensures its own security, and the internal details of the initialization of Windows Defender (database retrieval, internal configuration management, update procedure, etc.). Thus, it will be possible to explain how a file is analyzed in memory, how the configuration of Windows Defender works and how the result is considered by the system. In this way, this will be the most complete overview of Windows Defender service as never shown before.
Since Windows Defender is a massive software, we propose to illustrate the talk with an introduction to the new feature called “Smart App Control” (SAC), released within Windows 11, and based on Windows Defender. The RPC interface used by Smart App Control and related to Windows Defender will be presented. This way, anyone can see the different septs in analyzing a file in the context of this new feature, and especially the set of information disclosed to the cloud of Microsoft when a program is about to be executed.
In the end, this journey into the internals of Windows Defender will provide each participant with a clear overview of how antivirus software works, its core characteristics, and what can be observed in the quality of some. A good way to make an educated choice when choosing an antivirus, by understanding how it works, and not just relying on the marketing work of the software vendor.
Dr. Baptiste David is an IT security specialist at ERNW, specialized in Windows operating system. His research is mainly focused on malware analysis, reverse engineering, security of the Windows operating system platform, kernel development and vulnerabilities research. He has given special courses and trainings at different universities in Europe. Also, he gives regularly talks at different conferences including Black Hat USA, Defcon, Troopers, Zero Night, Cocon, EICAR, ECCWS…
Tillmann Oßwald is a security researcher and Windows System Analyst at ERNW GmbH since 2015. He holds a master’s degree in informatics with a specialization in security from the University of Applied Sciences Darmstadt. Tillmann has worked on numerous penetration testing and security assessment projects, from large Cloud Infrastructure to tiny IoT devices. Lately, his focus has shifted to reverse engineering different Windows components. He enjoys discussing Windows internals, tracing approaches and security, and sharing his knowledge. Currently, he is focusing on analyzing components of the Windows operating system.