Thursday, March 19th
Friday, March 20th
Riccardo Sibilia (Head of Computer Network Operations Team, Swiss Armed Forces)
The challenge of integrating a complex and fast developing field of activity as Cyber Defence in the context of an army of conscripts requires to follow new paths in different areas. This starts with the selection of the personnel, based on the potential to rapidly acquire and integrate knowledge and to collaborate with skilled colleagues on a team or task force. In this talk both the current status and the ongoing and future developments towards an increasingly capable and reactive Cyber Force within the Swiss Army are presented.
Hacking the DevOps Butler: the road from nothing to admin
Nimrod holds an LLB in Law and BA in economics.
Jenkins, also referred to as the DevOps Butler, is an open source automation server used to accelerate the software delivery process. It is now widely considered the de-facto standard in open source continuous integration tools. For many organizations, Jenkins effectively acts as the DevOps engine, addressing everything from source code management to delivering code to production.
Jenkins is an indispensable part of technology stacks around the world. Facebook, Netflix, Lyft, ebay and LinkedIn are examples of very large organizations that utilize Jenkins in their software DevOps stacks.
During our research of the Jenkins software we discovered several interesting vulnerabilities, 6 of them got CVEs. In this talk we mainly speak of two of them. The two combine together to create a security hole, allowing anonymous (completely unauthenticated) attackers to take over, and gain full privileges on Jenkins to become admins by sending specially crafted HTTP packets to the Jenkins master. This attack allows anyone to login to Jenkins as admins and gain complete control of the entire Jenkins infrastructure, and although these issues were fixed, thousands of Jenkins servers are still vulnerable.
In this talk we will describe in detail the code reverse-engineering process that led us to discover these vulnerabilities and how we managed to exploit them to trip the Jenkins security switch OFF and gain control over the entire Jenkins infrastructure.
Practical security in the brave new Kubernetes world
Dive into a typical Kubernetes cluster by messing with the default security controls, popular sidecar containers and supporting infrastructure.
Kubernetes' broad adoption has triggered a growth of frameworks, tools and technologies supporting it. It also means a growth in the attack surface. Instead of taking Kubernetes clusters head on, learn how to do a recon on a real-world k8s cluster and the common sets of sidecar containers that it relies on. Then see what it takes to pwn ingress point, service mesh, network infrastructure, package manager and performance monitoring tools. From there, get persistence in Docker registries and images.
Fun with Windows processes: code injection techniques and where to find them
Christophe Tafani-Dereeper & Nicolas Reich
Nicolas Reich (@hatted_loutre) - Security engineer at Hacknowledge, graduated from EPFL, incidentally grew up 5 minutes from the conference's location
More and more corporate environments are adopting commercial antivirus and EDR solutions, forcing attackers to step up their game. In this context, malware and offensive actors increasingly use code injection techniques, allowing them to hijack legitimate processes and have them run malicious code in a stealthy manner. In our talk, we start by laying out some foundations on the internals of Windows processes. Building upon this, we present techniques to masquerade malicious processes, bypass EDRs, and inject code into legitimate processes. We include reusable proofs-of-concept and detection methods using forensics or live system monitoring tools.
[In]secure deserialization, and how [not] to do it
Serialized data is neither new nor exciting. Serialization and deserialization have been in use by countless applications, services and frameworks for a long time. Many programming languages support serialization natively, and most people seem to understand it well. However, many of us don’t fully understand security implications of data deserialization, and in the last couple of years this topic got an increasing focus in the security community, up to the point that insecure deserialization made it to the list of OWASP Top 10 most critical web application security risks! Needless to say high-severity vulnerabilities in some well-known applications as well as popular frameworks such as Apache Struts and Apache Commons Collections raised awareness of this risk.
In this session, we’ll discuss how serialized data are used in software, talk about different serialization formats and the dangers of deserializing untrusted input. We will review some real life vulnerabilities and related exploits. The presentation will contain several code examples with live demos of bypassing security controls by exploiting deserialization vulnerabilities. We’ll forge a session cookie, elevate privileges, cause a denial of service, and even perform a remote code execution - all via insecure deserialization! The demos will use native Java, Python and .NET serialization, as well as JSON and XML formats. Of course, we’ll also talk about how to deserialize in secure way!
Next time you develop your awesome web or mobile app or a microservice, keep in mind how a clever attacker could create and supply malicious data to your application, and thinking like a hacker you could write more secure code!
Hypervisor-level malware monitoring and extraction system - current state and further challenges
Michał Leszczyński & Krzysztof Stopczański
Krzysztof Stopczański - Fascinated in computer security and low-level stuff since his childhood. Currently working as an IT Security Specialist in CERT Poland, taking care of securing Polish people from cryminals. From time to time playing CTFs, previously with CodiSec, currently with p4 team.
During the talk, we will present DRAKVUF, an open-source blackbox binary analysis system. This project leverages Virtual Machine Introspection and Xen’s altp2m in order to serve its purpose in a very stealthy manner. We will describe our recent contributions to the project, including Windows API tracing and heuristic malware unpacking. Moreover, we will present how this approach can be used to extract configuration out of malware samples. In addition, we would like to present some unique challenges that can be encountered when developing hypervisor-level monitors.
Practical OWASP CRS in High Security Settings
Christian Folini is the author of the second edition of the ModSecurity Handbook and the best known teacher on the subject. He co-leads the OWASP ModSecurity Core Rule Set project and serves as the program chair of the "Swiss Cyber Storm" conference, the prime security conference in Switzerland. He helps to edit the Center for Internet Security "Apache Benchmark". He is a frequent speaker at conferences, where he tries to use his background in the humanities to explain hardcore technical topics to audiences of different backgrounds.
Traditionally, the OWASP ModSecurity Core Rule Set, an OWASP flagship project, has been hard to use. However, the release of CRS 3.0 in 2017 and the advancements made with CRS 3.1 and 3.2 successfully removed most of the false positives in the default installation. This improved the user experience when running the only general purpose open source web application firewall. The presentation explains how to operate CRS successfully in high security settings. This includes practical advice to tuning, working with the anomaly thresholds, the paranoia levels and complementary whitelisting rule sets. This talk is based on many years of experience gained by using CRS in various high security settings, including the one by Swiss Post for it's national online voting service.
SMoTherSpectre: Exploiting speculative execution through port contention
Atri Bhattacharyya & Mathias Payer
Mathias Payer (@gannimo) is a security researcher and an assistant professor at the EPFL school of computer and communication sciences (IC), leading the HexHive group. His research focuses on protecting applications in the presence of vulnerabilities, with a focus on memory corruption and type violations. He is interested in software security, system security, binary exploitation, effective mitigations, fault isolation/privilege separation, strong sanitization, and software testing (fuzzing) using a combination of binary analysis and compiler-based techniques.
Spectre, Meltdown, and related attacks have demonstrated that kernels, hypervisors, trusted execution environments, and browsers are prone to information disclosure through micro-architectural weaknesses. However, it remains unclear as to what extent other applications, in particular those that do not load attacker-provided code, may be impacted. It also remains unclear as to what extent these attacks are reliant on cache-based side channels.
We introduce SMoTherSpectre, a speculative code-reuse attack that leverages port-contention in simultaneously multi-threaded processors (SMoTher) as a side channel to leak information from a victim process. SMoTher is a fine-grained side channel that detects contention based on a single victim instruction. To discover real-world gadgets, we describe a methodology and build a tool that locates SMoTher-gadgets in popular libraries. In an evaluation on glibc, we found hundreds of gadgets that can be used to leak information. Finally, we demonstrate proof-of-concept attacks against the OpenSSH server, creating oracles for determining four host key bits, and against an application performing encryption using the OpenSSL library, creating an oracle which can differentiate a bit of the plaintext through gadgets in libcrypto and glibc.
30 CVEs in 30 Day
Eran has an extensive background in security research that includes years of experience in malware analysis and vulnerability research on multiple platforms. With a growing interest in logical vulnerabilities, he has several dozens of acknowledged vulnerabilities across major vendors, like Microsoft, Intel, Samsung, and many others. Besides finding security bugs, he enjoys making cocktails and listening to heavy metal and classical music.
In recent years, the most effective way to discover new vulnerabilities is considered to be fuzzing. We will present a complementary approach to fuzzing. By using the method, which is quite easy, we managed to get over 30 CVEs across multiple major vendors in only one month.
Some things never die, in this session, we'll show that a huge amount of software is still vulnerable to DLL Hijacking and Symlinks abuse and may allow attackers to escalate their privileges or DoS a machine. We will show how we generalized these two techniques within an automated testing system called Ichanea, with the aim - finding new vulnerabilities.
Our mindset was - choose software that is prone to be vulnerable: installers, update programs, and services. These types of software are often privileged. Therefore, they are good candidates for exploitation using symlink or DLL Hijacking attacks. We're only scratching the surface; we are positive that there are additional attack vectors that could be widely implemented to achieve similar results.
Attacking Bluetooth LE design and implementation in mobile + wearables ecosystems
Consumer IoT devices manifest in a variety of forms today, including fitness trackers, rings, smart-watches, pacemakers, and so on. The wearable IoT market is dominated by small and medium-sized business, who are often in a rush to hit the shelves before their competitors, and trivialize the need for security in the bargain, citing no “return on investment”. In our presentation, we deep-dive into the wireless protocol of choice for wearables — Bluetooth Low Energy (BLE), and its impact from a security perspective. We use a USB-based bluetooth hacking hardware board called Ubertooth-One to analyze popular market products, and also perform a live demo on stealing information from a fitness tracker using standard Android app development practices. We wrap up with a discussion on simple cryptographic approaches and BLE-hardening mechanisms to prevent such attacks on wearable and IoT platforms.
Cyberburnouts: Detection, Prevention and Remediation in a complex world
In the IT industry, and even more proeminently in the Cybersecurity ecosystem, more and more professionals suffer psychic
issues such as depression, burnouts and even suicide. As threats and risks expand continuoulsy and become difficult to cope with, numerous well-known infosec specialists, experts and CISOs have already suffered this condition, and media regularly relay this.
As a former CISO having experienced burnout, I have acquired expertise on psychiatry diagnosis and neuroscience, Post Traumatic Stress
Disorder, learned how to survive and rebuild myself, and am currently a happy IT entrepreneur.
This talk will give you practical bullet points on :
- Detection : what are the triggers, and signals. Be Your Own IDS.
- Prevention : what are the actions to avoid burnouts as an Infosec or CISO professional. Be Your Own Firewall.
- Remediation : In case you unfortunately fell into depression, is there a recipe to regain confidence and start over happily. Be Your Own Self-Healing IaaS Platform.
I hope this talk will help those of you who have experienced or seen their collegues affected. Simple recipes to detect, prevent, heal and
Hacking your Smart Coffee Machine
She is the lead organizer of Ph0wn CTF, a Capture The Flag dedicated to smart devices. Finally, she enjoys drawing comics and 3D printing.
When you organize a CTF dedicated to smart devices, you've obviously got to prepare challenges that involve smart devices, and all the better if those are known, off-the-shelf, devices. Additionally, we were looking for a visual challenge, where everybody can notice when a team flags. After some time, we found the right object: an affordable smart coffee machine. Just the perfect IoT for geeks, and a CTF 😉 However, the challenge for me as an organizer was to manage to create a challenge out of that, starting from scratch on this topic (I don't even drink coffee). I was lucky in that case and found a nice feature, present on the device, but not available through the mobile app.
In this talk, I will explain:
- How this smart coffee machine works
- How I managed to hack the volume of coffee cups
- How I made the machine available on wifi, although it only nativelys supports Bluetooth Low Energy.
To Logical, Through Physical, Via Social: Accessing internal networks through physical access using social engineering techniques
Logical, physical, and social environments are all connected. One can gain access to an internal network by breaking into a physical location and plugging into an ethernet jack or one could gain access to a physical location by hacking into a computer network, accessing the badge access system, and picking up an access badge at a front desk. All the while, users and people interact in physical and logical spaces, hardening the systems and creating vulnerabilities at Layer 8.
In this presentation, we'll discuss pragmatic applications of social engineering and give specific techniques to gain illicit entry into physical spaces for the purposes of accessing internal networks and gaining physical access to computing devices. We'll cover initial breach, lateral movement, privilege escalation, and actions on target. In the end, your mark will watch and encourage you to plug into their network and hack their devices.
Practical exploitation of zigbee-class networks with USB-based RF transceivers & open source software
Sunil Kumar Sakoti
Internet of Things (IoT) products proliferate the market today. They manifest in different forms – right from a pacemaker inside a human body, to an oil and gas rig monitoring device in the remotest locations on the planet. The hardware form factors in many such IoT solutions use tiny micro-controllers with strict low power consumption requirements. Securing these platforms often pose several security challenges.
The IEEE 802.15.4 is a standard developed for low-rate wireless personal area networks (LR-WPANs). The base specification of the standard does not specify how to secure the traffic between the IoT devices and the backend infrastructure, so there are often vulnerabilities in the design and implementation.
Penetration testing of zigbee-class wireless sensor networks need specialized hardware and software stacks for packet sniffing and injection. In this presentation, we will talk about various market-available solutions that pentesters can use for debugging and attacking such networks using USB-based dongles. We will demonstrate two custom hardware boards equipped with programmable micro-controllers that work with open source software solutions for performing attacks on an IEEE 802.15.4 based wireless sensor network. After our demos, we will discuss various hardening methodologies to protect IoT systems against such attacks.
Travel for Hackers
He has spoken at many amazing conferences including Hack In The Box, Hack in Paris, Hackfest, Nullcon, SHA2017, 35C3, CONFidence, BalCCon, and TyphoonCon.
Travelling to India? Europe? USA? Belarus? Peru? Japan? Latvia?
The seasoned traveller will know that there are limits on tobacco, alcohol and currency. That's basically universal. However, that's not what interests most hackers.
Did you know some of these countries only allow to bring in just one puny laptop, a single portable calculator? No more than 20 CDs or 4 USB drives... No "politically sensitive literature", erotica... No lock picks or handcuff keys, no radio transmitters except when those are part of laptops or mobile phones...
Many of these restrictions are completely unexpected to your average hacker. But we do want to abide the law when at all possible. 😉
I'm here to help you.
Car Hacking On Simulation
He is also a part-time bug bounty hunter on Hackerone and Synack. He has found security vulnerabilities in big companies like Yahoo, Twitter, Goldman Sachs, Matomo, BrickFTP, Pixiv, etc.
He has presented a talk at SecTor International Security Conference & Microsoft Azure Bootcamp, delivering training on IOT, Web Application and Cloud Hacking.
Cars are no longer only mechanical vehicle. They may be getting more advanced, but that doesn’t mean they are immune to hacks. One particularly sensitive entry point for hacking car is the legally required OBD II port, which is basically “the Ethernet jack for your car”. This port works on a signaling protocol called CAN which is a de facto standard for the in-vehicle network. However, lack in security features of CAN protocol makes vehicles vulnerable to attacks..
This session introduces the basic theory about the CAN bus and how vulnerable it is. We will also provide an Instrument Cluster Simulator to get hands-on experience of hacking a real car by creating a functioning CAN simulator with a dashboard just like the one in your car and performing attacks on it.
The benefit of this session is that attendees can reproduce attacks on their system right there as well as at their home without the need of any hardware as everything will be done on a real-world simulation of Car Instrument Cluster.
Back to the future: Computer science and systems biology
Noa Novogroder & Dr. Lorenz Adlung
Dr. Lorenz Adlung (@lorenzadlung) obtained his PhD from Heidelberg University in Germany. Since 2017 he's a visiting scientist at the Weizmann Institute of Science in Israel working in the field of computational biology, with strong emphasis on both, the computation and the biology. Besides his profession, his main passion is science communication, preferably through poetry and performance.
Which creature implemented code injection 1.5 billion years before any computer malware did? What is the decoding algorithm being used in each of our cells to run the program written in our genes?
As computer scientists, we are pushing the edge to develop disruptive technologies for the future. In fact, we can learn from an industry that has been evolving since long before humankind existed: The evolution of biological systems.
With our proposal we hope to show the incredible parallels between bacteria and computer malware, the complex algorithms implemented in each of our cells, and how each plays a pivotal role in furthering the research of the other.
This lecture will take the audience on an educational journey through both disciplines. This will foster interdisciplinary collaboration and inspire innovative solutions to future challenges for instance in the context of synthetic biology (i.e. creating artificial life), or personalized medicine (i.e. machine learning to treat patients).
Scaling Malware analysis & Threat Intelligence pipeline towards infinity & beyond!!
Malware and threat analysis plays a key role in security operations, research and forensic investigations. For businesses and applications moving to the cloud, this talk will provide “Security as Infrastructure” approach towards creating a scalable and robust threat detection pipeline in the cloud. This talk will demonstrate a novel approach towards building a threat detection pipeline by utilizing the public cloud infrastructure and services like serverless functions, containers and AMIs. This solution adapts a “DevSecOps” approach towards infrastructure security which is highly scalable and can scan over a million files every day.
Social Engineering through Social Media: Profiling, Scanning for Vulnerabilities and Victimizing
Contrary to typical career paths, her history and involvement in the cyber-security field started quite early in her life. Being raised by a cyber security expert, she found herself magnetized by the security field at a very young age. Growing up, she was able to get involved in different projects that were often beyond her age, that gave her an edge in her own knowledge and experience.
Christina has participated among other things in penetration tests, in training to companies and organizations, and in needs and vulnerability assessments.
She is working with Cyber Risk GmbH as a social engineering expert and trainer. Christina is the main developer of the social engineering training programs provided by Cyber Risk GmbH. Those programs are intertwining the lessons learned from real life cases and previous experiences with the fields of cybersecurity, psychology and counterintelligence. They often cover unique aspects while their main goal is to inspire delegates with a sense of responsibility and a better relationship with security.
While to the rest of the world social media are friendly platforms of communication and sharing, for the fellow OSINT analysts, hackers, social engineers and attackers, they are targeting and information harvesting platforms. Undoubtedly, online presence is important to all of us. But despite the benefits social networking can create, a strong online presence can also create vulnerabilities.
This talk will demonstrate how one's online presence on social media can attract social engineers to target them and victimize them to “open doors” through the organizational security. It will also discuss how social engineers and penetration testers can utilize social media for their engagements in creative ways and to identify their pretexts.
The talk covers the topic of information gathering through social media (a discipline called Social Media Intelligence, or SOCMINT, being a sub-division of OSINT) and explains how even seemingly innocent information can be used to manipulate and victimize targets. Case studies will be provided. A two-part demonstration is included on how a hacker's mind works when harvesting information on social media; The first part includes real examples of posts that expose vulnerabilities, attract attackers and ultimately lead to security breaches. The second part includes a demonstration on how personal information provided online are gathered, categorized, analyzed and then used to craft an attack, as well as how one ends up revealing online more than he intends to.
A Journey into Malware HTTP Communication Channels Spectacles
Over the years, malware have used different communication protocols that sit at various layers in the OSI model to establish an exchange link with its C&C server(s). In particular, as malware C&C communications shifted its focus to HTTP, certain peculiarities, intentional or unintentional, blunders, and obvious errors in the usage of the protocol were spotted. For example, using specific headers in a GET request that only make sense in a POST request, or using wrong Content-Length value that doesn’t match the actual payload size, and the use of a unique non-standard header in a non-standard compliant way among others.
This talk will go through various use-cases of different malware families that have committed several interesting mistakes, deliberate or non-deliberate in their HTTP C&C communication protocols. The ultimate goal is to figure out those mistakes, understand the reason(s) behind them (e.g., bypass security solutions, trick automated systems…), and provide detection guidance. More importantly, how to look for such anomalies and others, synthetically, on the network, be it for threat hunting or data mining of traffic captures. To our knowledge, this is the first paper that attempts to survey, document and perform root-cause analysis on such cases.
Symbolic Execution Demystified
Symbolic Execution is awesome!
From modern fuzzing tools, over automated exploit generation to solving complex reverse engineering challenges - frameworks like "angr" are getting increasingly popular.
There are a lot of crackme-style ctf challenges where the intended solution is to find a specific path through a binary while your input has to match various conditions.
Before symbolic execution techniques became popular you had to manually analyze these binaries, extract all the constraints by hand and use tools like the z3 theorem prover to solve the task. Depending on the binary size this would turn out to be a very tedious and time-consuming process.
What if there was a more effective way to tackle such a problem and supercharge your reverse engineering skills?
This introduction to symbolic execution is for everybody that might've already heard of the "angr" framework but never got to learn it. New CTF players will get a headstart into crackme solving, seasoned reverse engineers will discover a powerful technique for their toolbox.
You will learn where you can apply symbolic execution frameworks, how they work under the hood and how to integrate them into your reverse engineering workflow. Naturally the practical part won't fall short, so we'll apply the newly learned techniques on several demos.
GSuite Digital Forensics and Incident Response
It’s the norm now to hear companies discussing “moving to the cloud”. Before long your data center servers are going to be antiquated technology. Though the transition to the cloud marks an exciting time in Information Technology, digital forensic investigators and incident responders are facing new, unknown territory. Rather than tackling such a large topic and issue in 30 minutes, this talk aims to provide a real-life case study of what it is like to respond to an incident in GSuite, Google’s cloud business suite. With a few million businesses subscribed to GSuite and that number climbing it is likely that DFIR professionals will eventually need to handle an incident for a company that is using GSuite for business operations. Speaking from experience, the presenter of this talk hopes to use a real-life example of how incident responders would handle an account compromise that occured to a business using GSuite. Furthermore, the speaker will apply the SANS Incident Response process to the situation and briefly discuss the forensics surrounding GSuite incidents. The goal is that by reviewing this case study the audience will not only learn about GSuite DFIR but also begin to think about how this extends to all cloud environments.
TX shift left (DevSecOps) Initiative
Next to Agile CISO and Zero Trust, one main pillar of the TX Group security strategy is DevSecOps. This talk will give a glimpse into the tools and methods used by TX Groups companies to achieve built-in security with new digital products.
Redback: advanced static binary injection
Nguyen Anh Quynh & Do Minh Tuan
As a passionate coder, Dr. Nguyen is the founder and maintainer of several open source reversing frameworks: Capstone (http://capstone-engine.org), Unicorn (http://unicorn-engine.org) and Keystone (http://keystone-engine.org).
Do Minh Tuan (hardtobelieve) is a security researcher of CyStack, Vietnam. Soon going to finish his university study, he already has 4 years of working experience. He has some presentations at Xcon & T2. A passionate member of BabyPhD CTF team, Tuan also enjoys exploring deeply technique of fuzzing and software exploitation.
Static binary injection is a technique to permanently insert external code to an executable file, in order to observe or modify target behavior at run-time. From an attacker's perspective, this is helpful to enable persistent infection. For the defense side, this plays a crucial step in binary instrumentation. Unfortunately, good injection tools are seriously lacking: firstly, existing tools only support some limited platforms or CPU architectures. Secondly, they all restrict the injected code to be written in low-level assembly, which significantly raises the cost of development and maintenance.
It is highly complicated to implement a good static injection tool, which in essential requires to build an advanced static linker to properly link target binary with external code, so the output executable can be legitimately executed on modern systems with many mitigation techniques enabled by default. Considering that we wish to inject code built from high-level languages such as C/C++, the task is much more challenging.
This work provides a comprehensive overview on how static code injection is done on all platforms (Windows, MacOS, Linux, BSD). We will present all the technical issues we had to overcome, including understanding different executable file formats, how to expand the original binary to accommodate new code, data and meta-data coming from external binary, and how our static linker leverage the OS dynamic linker to do heavy lifting job for us.
We implemented all the ideas in a new solution named Redback. Our tool can inject code built from high-level languages like C/C++ into target executable of all platfoms (Windows, MacOS, Linux, BSD are confirmed). Redback also works cross-architecture (with support for ARM, ARM64, Mips, PPC, X86), and can handle multiple executable formats (PE/PE+, MachO & ELF).
This presentation will be concluded with some exciting demos. Redback will be released after our talk, with full source code.
SYNwall - A new kind of IoT firewalling
Cesare Pizzi & Miso Mijatovic
He develops software and hardware, and tries to share this with the community.
* He play CTFs for fun
* He gave some presentations in different conferences:
- DEFCON 25 HHV: Ardusploit: PoC of Arduino code injection
- BSides 2018 Milano: Ardusploit evolution
- Italian Hacker Camp 2018: 0-ITM portable malware analysis lab
- DEFCON 27 PHV: Sandbox creative usage
* He developed a Volatility plugin for powershell analysis (available on Volatility Community repo)
Miso Mijatovic - DevOps passionate about programming, security and communication at Sorint.lab.
Personal project: https://underattack.today
A lots of words has been spent in the last years about IoT security: but instead of thinking to deploy a new device, let's try
to stay on what we already have: we have a TCP/IP stack. And what we don't want to have? Complicated and cumbersome security configurations.
The aim of SYNwall is to build an easy to configure, no new hardware, low footprint, lightweight and multi-platform security layer on TCP/IP: with a one
way OTP authentication, SYNwall can make every device more secure and resilient to the real world networking reconnaissance and attacks.
If we think at some of the IoT installations (may be directly internet exposed, in difficult environments, with no support infrastructure
available), the possibility to have an on-board and integrated way to control access, can make a huge difference in terms of
The device will became virtually unaccessible to anyone who don't have the proper OTP key, blocking all the communications
at the very first level of it: the SYN packet. No prior knowledge of who need to access is required at this point, making configuration and
deploy a lot easier.
Too much crypto
This talk will present controversial research about cryptographic, arguing that most cryptographic algorithms we use (such as AES, BLAKE2, ChaCha20, SHA-3) could achieve the same security by doing way fewer computations, and thus being much faster, and greener! Based on a review of 20 years of research and on a risk-based approach, this non-technical talk will review why and how cryptographic algorithms are selected, what can be improved, and suggest tweaks to make cryptography up to 2.5 times faster in your applications.
Phishing Test Recommended Practice
Adrian Koster (MELANI)
Many organizations carry out phishing tests (simulated phishing campaigns) as part of broader information and awareness campaigns on the risks and dangers of IT and Internet usage. Such campaigns can lead to reports to CERTs and several other organizations witch then investigate and may take a variety of measures.
In collaboration with the Swiss ccTLD registry and a major ISP, and after consultation of members of the security industry, the Swiss Government has issued a recommended practice for phishing tests.
The recommendation lists several technical, legal and organizational aspects to consider when performing phishing tests so they can be carried out as intended and without interruptions or collateral damage.
How much does it cost to build industrial APT?
Vladimir Dashchenko & Sergey Temnikov (Kaspersky)
BlackEnergy/Sandworm has exploited a set of bugs in 2014-2016 in Siemens, Advantech and GE SCADAs. Usually most of the APT actors who is exploiting a set of 0days need to do a lot of research for identifying these 0days. But how much does it cost? Do they spend a lot of time? We decided to take a look and measure how long you need to invest into 0day research in Siemens WinCC, Advantech WebAccess, GE Cimplicity to recreate attacker's steps. We will provide technical details on how difficult was to find those bugs with live demo.
Thinking Like a Cybercriminal
Etay Maor (Intsights)
Previously, Etay was an Executive Security Advisor at IBM where he created and led breach response training and security research. Prior to that Etay was the Head of RSA Security’s Cyber Threats Research Labs where he managed malware research and intelligence teams and was part of cutting edge security research and operations.
Etay is an adjunct professor at Boston College and holds a BA in Computer Science and a MA in Counter Terrorism and Cyber Terrorism Etay contributed to the ICT (International Institute for Counterterrorism) in cybersecurity, fraud and dark web topics and is a frequent featured speaker at major industry conferences. He is often tapped by major news outlets for his astute commentary on and insights into the cybersecurity news of the day.
We read about hacks and breaches on a daily basis, but what do we actually know about these cybercrime groups and how they conduct these attacks? In this session, we will dive into basic hacking techniques, demonstrate what types of tools hackers are using today, examine the scope of these attacks, and discuss best practices on how to protect ourselves and our businesses. Demonstrations will include Phishing, WiFi attacks, USB based attacks, social engineering, OSINT (Open Source Intelligence) and more. It is only once you understand how the attacker operates that you can defend forward against these attacks using tools like MITRE ATT&CK and operationalization of threat intelligence.
Failles de sécurité : comment éviter que la victime ne devienne coupable
À l'Université, il est Directeur de la Maîtrise universitaire en Droit, criminalité et sécurité des technologies de l'information (M DCS) et Membre de la Commission d’éthique de la recherche de l’Université de Lausanne (CER-UNIL). Il tient depuis 2010 un blog (www.smetille.ch/blog) sur les enjeux des nouvelles technologies.
Inscrit au barreau depuis 2005, il est reconnu par les principaux guides juridiques (Chambers & Partners, Legal500 and the Best Lawyers) dans les domaines de la protection des données, médias, technologies et télécommunication. Il y est décrit comme an outstanding data protection expert”, who “always thinks at least two steps ahead”, “intelligent and pragmatic”. Titulaire d'un doctorat en droit de l'Université de Neuchâtel (2010), il a été invité comme Visiting Scholar par le Berkeley Center for Law and Technology (University of California) en 2010-2011.
L’entreprise victime d’une cyberattaque doit souvent réagir dans l’urgence pour sécuriser et rétablir son infrastructure. Si des données personnelles sont exposées, cela peut déclencher une obligation de notification aux autorités de contrôle suisses et étrangères dont la violation peut être sévèrement sanctionnée. Mais une notification inutile peut aussi révéler des mesures de protection insuffisantes et ouvrir la voie à d’autres sanctions. Les délais sont très brefs et exigent qu’un processus clair ait été préalablement mis en place.
Detecting and Mitigating Cloud-native Threats
Paolo Passeri (Netskope)
The cloud is not only a key element of the digital transformation process, but also a powerful weapon in the hands of cybercriminals. Using cloud services to host malicious infrastructures and launch evasive attacks is now a consolidated modus operandi adopted by malicious actors. Aspects like evasion, implicit trust, and the new concept of perimeter that is user-centric, greatly increase the attack surface and expose organizations to these novel cloud-native threats. This keynote session will explore the latest trends in this domain, suggesting some mitigation scenarios to ensure a secure digital transformation journey.
NSX-T Distributed Firewall & Intrusion Detection
Erik Bussink (VMware)
Managing the firewall rules for a dynamic virtualized environment is hard. It’s an impossible task in the container era when workloads live a very short life. The same is true for IPS: you can’t protect what you don’t know – does your IPS know in realtime, what is behind a workload? This is a follow-up to last year’s workshop: https://youtu.be/08LeF8ceMzk
Protecting Operational Technology (OT) in a converging IT/OT/IoT world
Antoine d’Haussy (Fortinet)
With 20+ years’ experience in product management, sales and marketing, Antoine mostly worked for industrial clients together with General Electric, ALSTOM, and ALTRAN.
In his last product management role with General Electric Automation and Controls (GE A&C), he was leading the digital solution portfolio including the cyber security products and solutions for GE Industrial Control Systems.
A native of Paris, he lived in several countries to finally settle in Zurich area in Switzerland, where he enjoys spending quality time with his wife and two kids.
Antoine is a certified Global Industrial Cyber Professional (GIAC-GICSP) trained at SANS institute, he holds a MSc of Telecom & IT and an MBA.
Digitization and removal of the traditional air-gap between IT and OT leaves Industrial Control Systems vulnerable.
Let’s discover some advance best practices to efficiently secure converging IT/OT infrastructures with real-time integrated detection and protection
- Automate assets discovery and detect intrusions using OT Intrusion Detection System
- Secure IT/OT convergence using Micro Segmentation (Access vLANs)
- Automate OT threat response with IDS integration into Network security management
- Use Case of Fortinet’s Fabric integrated detect-protect capabilities
Hunting Ghosts – Uncovering the Latest Cyber Incidents and How to Hunt Them Down
Lior Chen (Varonis)
Lior has over 20 years of security experience, starting his career in the IDF Technology and Intelligence unit and then serving in several high-technology roles doing research and development of application security, software and hardware.
This session focuses on 3 recent major cyber-attacks discovered as part of a comprehensive study of dozens of evasive incidents managed by our security team.
We will look at major real-world exploits uncovered by Varonis, including Qbot (a large-scale APT), “Norman” (a massive crypto-mining infection), and “Save the Queen” (ransomware) as well as unique insider incidences of employees who went rogue.
You will get an in-depth explanation of the techniques used, how perimeter detection are evaded, and what you can do to detect and hunt such advanced attacks.
Closing Keynote - The price of cybercrime
He delivers keynotes internationally and runs CEO and Director workshops for both Vistage and the Institute of Directors. He speaks as a current and very relevant expert, being founder and Managing Director of ramsac who deliver IT and Cybersecurity services/support, he’s got a team of 70 consultants working with him (and an alliance partnership with PwC).
Rob is the UK Ambassador for CyberSecurity for the Institute of Directors and he is currently ranked No.5 in the Global rankings for CyberSecurity Thought Leaders/Influencers.
His CyberSecurity TED Talk has had approximately 400,000 views (on both TEDx YouTube and also TED.COM). He’s a published author selling his CyberSecurity books on Amazon in 8 countries.
And he makes a complex yet vital subject fun, entertaining, actionable and very relevant.