Thursday 21st March

9h Keynote
by Mauro Vignati, Federal Intelligence Service (Switzerland)
10h30 Growing Hypervisor 0day with Hyperseed
by Shawn Denbow, Microsoft
The way from App to Brain: attack surfaces of smart medical infrastructure
by Denis Makrushin
11h30 The Evolution of Cloud Threats
by Paolo Passeri (@paulsparrows), Netskope
Spyware, Ransomware and Worms. How to prevent the next SAP tragedy
by Jordan Santarcieri, Vicxer
12h30 LUNCH
13h30 Building a flexible hypervisor-level debugger
by Mathieu Tarral
SD-WAN - Yet Another Way to Unsafe Internet
by Denis Kolegov, Bizone
14h30 Security Analysis on the Attack Surface of Blockchain Client
by Chen Nan & Kame Wang, Tencent
Redesigning Open Source Ransomware
by Raul Alvarez, Fortinet
15h30 COFFEE
16h Analyzing a Portable Wireless Storage Device From Zero to Remote Code Execution
by Qinghao Tang & Shuo Yuan, Qihoo 360
Boss Of The SOC
in Room B
17h Let's hack the IoT Hub with Pwnhub dudes: IoT Hub Exploitation and countermeasure
by Jisub Kim, Kanghyun Choi

Friday 22nd March

9h Keynote : Medieval Castles and Modern Servers
by Christian Folini
10h20 These are the Droids you are looking for - practical security research on Android
by Elena Kovakina, Google
Sneaking Past Device Guard
by Philip Tsukerman, Cybereason
Intelligence-driven Red Teaming
by Peter Hladký, Credit Suisse
11h20 Vulnerabilities of mobile OAuth 2.0
by Nikita Stupin
Turning your BMC into a revolving door: the HPE iLO case
by Alexandre Gazet, Fabien Perigaud (@0xf4b), Joffrey Czarny (@_Sn0rkY)
NSX-T Architecture & Benefits
by Erik Bussink, VMware
12h20 LUNCH
13h20 Betrayed by the Android User Interface: Why a Trusted UI Matters
by Yanick Fratentonio, Eurecom
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
by Martijn Bogaard, Riscure
Digitalisation demands defensive action
by Daniel Caduff, FONES
14h20 Cryptocurrency mobile malware
by Axelle Apvrille, Fortinet
Threat Hunting Research Methodology: A Data Driven Approach
by Roberto Rodriguez, SpecterOps & Jose Luis Rodriguez
Addressing privacy: GDPR, Cloud, and You
by Chris Esquire
15h20 COFFEE
15h40 How to investigate iOS devices
by Paul Rascagneres, Talos
Dear Blue Team: Forensics Advice to Supercharge your DFIR capabilities
by Joe Gray
From the cloud to the internal network – Offense vs Defense
by Snir Ben-Shimol, Varonis
16h40 Wake up Neo: detecting virtualization through speculative execution
by Innokentii Sennovskii
Exploits in Wetware
by Robert Sell
18h00 Capture The Flag
in Room B

Keynote

By Mauro Vignati, Federal Intelligence Service (Switzerland)

Mauro has worked for the last 15 years in the field of fighting cyber threats. Today he is head of cyber within the Swiss Federal Intelligence Service.

Keynote: Medieval Castles and Modern Servers

By Christian Folini

Christian Folini is a security engineer and open source enthusiast. He holds a PhD in medieval history and enjoys defending castles across Europe. Unfortunately, defending medieval castles is not a big business anymore and so, he turned to defending web servers, which he finds equally challenging. He brings more than ten years of experience with ModSecurity configuration in high security environments, DDoS defense and threat modeling.

Christian Folini is the author of the second edition of the ModSecurity Handbook and the best known teacher on the subject. He co-leads the OWASP ModSecurity Core Rule Set project and serves as the program chair of the "Swiss Cyber Storm" conference, the prime security conference in Switzerland. Christian is the vice president of the Swiss federal public-private-partnership "Swiss Cyber Experts" and he helps to edit the Center for Internet Security "Apache Benchmark". He is a frequent speaker at conferences, where he tries to use his background in the humanities to explain hardcore technical topics to audiences of different backgrounds.

We have been building castles and fortifications for thousands of years. Many of them were never breached. IT security, on the other hand, is a very young discipline where defense mechanisms have not really stood the test of time and breaches are happening every day.

Looking at historical defense techniques and fortress architectures can therefore serve as an inspiration for strong IT security architectures. This presentation looks at agile and flexible defenses, layered security and whitelisting. None of these concepts are entirely new to the IT security industry. But implementations usually stop with the buzzword or at the network level. This talk brings evidence for the effectiveness of the concepts across the centuries and hopes to help them achieve a breakthrough on all levels.

Furthermore, the talk educates the audience about medieval castles and how the metaphor can be put to use when explaining complicated IT security concepts to non-technical audiences. Again, the metaphor is not new, but people are usually only scratching the surface when they talk of medieval castles and modern servers.

Spyware, Ransomware and Worms. How to prevent the next SAP tragedy

By Jordan Santarcieri, Vicxer

Mr Santarsieri is a founding partner at Vicxer, where he uses his 12+ years of experience in the security industry to bring top-notch research into the ERP (SAP / Oracle) world.
He is engaged in a daily effort to identify, analyze, exploit and mitigate vulnerabilities affecting ERP systems and business-critical applications, helping Vicxer's customers (Global Fortune 500 companies and defense contractors) to stay one step ahead of cyber threats.
Jordan has also discovered critical vulnerabilities in Oracle and SAP software, and is a frequent speaker at international security conferences such as Black Hat, Insomnihack, YSTS, AusCERT, Sec-T, HITB, Rootcon, NanoSec, Hacker Halted, OWASP US, 8dot8 and Ekoparty.

It is no secret that SAP is a market leader and one of the principal providers of core business applications around the world; nearly 95% of the Fortune 500 companies rely heavily on SAP to perform their most critical daily operations, such as processing payroll and benefits, storing sensitive customer information, handling credit cards, logistics and many more.
Due to the "ERP complexity of the simple things", in combination with several proprietary protocols, entry points and default misconfigurations, ERPs are particularly vulnerable to spyware, ransomware and worms, making them ideal targets for these types of attacks given the economic significance these systems hold. Join me in this completely new and highly technical talk, in which I am going to explain, through several live demos, how the different types of malware could impact SAP and what actions you can take to prevent the next SAP tragedy.
As an added value, we will reveal for the first time our very own project "ARSAP", a semi-automatic mechanism that detects and registers all the SAP systems exposed to the Internet, extracting each system's metadata and cataloguing the assets by geolocation, system type, version, installed components, etc.

These are the Droids you are looking for - practical security research on Android

By Elena Kovakina, Google

Elena Kovakina has been a security analyst and researcher at Google for over 10 years. Over the years she has been involved in numerous product areas, such as Android malware analysis, scaling up user protection against malware throughout the Android ecosystem, and hardening the OS against abuse. Her current areas of interest include large-scale threat detection and incident response, cross-platform user protection, digital forensics and data mining.

Elena holds a Master’s degree in Computer Science from the University of Liverpool, as well as a degree in psychology.

In case you haven’t noticed, Android is the world’s most used OS these days. With the diversity of uses and devices, comes the need to be able to better understand these black (white, purple, orange) boxes full of secrets, that over 2 billion people carry in their pockets.

During my talk I will go through some crucial aspects of Android’s security model, focusing on how applications fit into it, and what tools and solutions are in place to ensure apps are not running wild.

I will share some practical tips on how to diagnose problems with a "pre-owned" device, how to pin down malicious activity on a device using live monitoring and bugreports, and how not to get lost in Android logs.

Growing Hypervisor 0day with Hyperseed

By Shawn Denbow, Microsoft

Shawn Denbow is a security engineer in Microsoft's Virtualization Security Team. His main interests are application security, reverse engineering and virtualization security. Before joining Microsoft, Shawn spent 4 years in the U.S. Air Force conducting cyber operations.

Virtualization technology is progressively becoming the foundation on which platform security is built and clouds are secured. Hyper-V, Microsoft's virtualization stack, is the backbone of Azure and is held to a high security standard. Microsoft offers a bug bounty program with rewards of up to $250,000 USD for vulnerabilities in Hyper-V. The hypervisor provides a calling mechanism for guests referred to as hypercalls. Not only could hypercalls offer an avenue for VM escapes, but with the introduction of virtualization-based security (VBS), hypercalls may be abused to bypass Virtual Secure Mode (VSM). In this presentation, we'll discuss our research into developing Hyperseed, our format-aware hypercall fuzzer. We'll dive into the hypercall interface, detailing the classes of hypercalls Hyper-V supports and the design of Hyperseed, and culminate with details on vulnerabilities we found in hypercall handlers.

Turning your BMC into a revolving door: the HPE iLO case

By Alexandre Gazet, Fabien Perigaud (@0xf4b), Joffrey Czarny (@_Sn0rkY)

Alexandre Gazet, Airbus
He is currently an information security researcher in the Airbus Evaluation Team, after having previously worked as a senior security researcher at Quarkslab. He specializes in reverse engineering, low-level and embedded systems security. He has spoken at security conferences worldwide, e.g., REcon (Canada, Brussels), ZeroNights, Hack In The Box (Malaysia, Netherlands), SSTIC (France), etc. He is also a co-author of the reverse engineering textbook Practical Reverse Engineering: x86, x64, Windows kernel, and obfuscation, published by John Wiley & Sons.

Fabien Perigaud (@0xf4b), Synacktiv
He is an information security researcher working at Synacktiv, after having previously worked as a reverse engineer at Airbus Defence and Space Cybersecurity. He is mainly focused on reverse engineering and vulnerability research, with a specific enthusiasm for embedded devices. He has spoken at various security conferences, such as REcon (Belgium), ZeroNights (Russia), SSTIC (France), etc.

Joffrey Czarny (@_Sn0rkY), Medallia
He is a red team leader at Medallia, a security researcher and VoIP hacker at night, and an Ambassador of Happiness and Healthy Living. A pentester since 2001, he has released advisories and tools on Cisco VoIP products, Active Directory and SAP, and has spoken at various security-focused conferences, including Troopers, ITunderground, Hacktivity, HITB, SSTIC, REcon and Black Hat Arsenal.

Unmonitored and unpatched BMCs (the remote administration hardware feature of servers) are an almost certain source of chaos. They have the potential to completely undermine the security of complex network infrastructures and data centers.

Our ongoing effort to analyze HPE iLO systems (4 and 5) has resulted in the discovery of many vulnerabilities, the latest of which has the capacity to fully compromise the iLO chip from the host system itself.

This talk will show how a combination of these vulnerabilities can turn an iLO BMC into a revolving door between an administration network and the production network.

Security Analysis on the Attack Surface of Blockchain Client

By Chen Nan & Kame Wang, Tencent

Chen Nan is a Security Researcher at ZhanLu Lab, Tencent. He has spoken at the 44CON (London) and CSS (Beijing) international conferences. His research covers blockchain, the Windows kernel and virtualization. Currently he is focusing on security research on the underlying blockchain client. He has previously discovered 10+ vulnerabilities in a short period of time.

Kame Wang is an information security researcher from Zhanlu Lab, Tencent Inc. I am a PhD graduate of the University of Chinese Academy of Sciences and have been researching information security for about 6 years. My research interests are blockchain security, mobile vulnerability mining and browser vulnerability mining. During my Ph.D. study, I presented my vulnerability mining results targeting the Android system at one of the flagship academic conferences in information security, the ACM Conference on Computer and Communications Security 2016. You can find my paper on the following webpage.

Since 2017, Tencent Zhanlu Lab has been researching blockchain client security, and we have found 10+ vulnerabilities.

Blockchain is a new industry. There are many kinds of clients, and every day there are many upgrades, involving protocols, complex logic and wide ranges of attack surfaces. Inexperienced developers or unreasonable algorithm design will lead to security flaws.

We will introduce the potential attack surfaces of blockchain clients, which include RPC interfaces, the P2P discovery protocol, the P2P SYN protocol, the P2P consensus protocol, smart contract interpretation and smart contract syscall interfaces.

In addition, real cases (some disclosed for the first time) are used to explain the vulnerabilities on these attack surfaces, such as an RPC attack on Ethereum clients, an integer overflow vulnerability in smart contract interpretation in EOS, and a logical flaw in the BTH consensus protocol.

At the same time, we will also introduce the process of bug hunting, how to quickly audit in a large amount of code, how to quickly locate the attack surface code and so on.

Finally, we will introduce how to exploit, including RPC, P2P, and Smart Contract.

The following are some of the CVE numbers we obtained: CVE-2018-16733, CVE-2018-18206, CVE-2018-18078, CVE-2018-18079, CVE-2018-18080 and CVE-2018-18081.

Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses

By Martijn Bogaard, Riscure

Martijn Bogaard is a Senior Security Analyst at Riscure, where he focuses most of his time on analyzing the security of low-level embedded software (bootloaders, operating systems) and is slowly expanding into embedded hardware security. Recent research interests include the effects of fault injection on software, TEE (in)security and leveraging the hardware to attack software.

Secure Boot is widely deployed in modern embedded systems and is an essential part of the security model. Even when no (easy to exploit) logical vulnerabilities remain, attackers are surprisingly often still able to compromise it using fault injection, a so-called glitch attack. Many of these vulnerabilities are difficult to spot in the source code and can only be found by manually inspecting the disassembled binary code instruction by instruction.

While the idea to use simulation to identify these vulnerabilities is not new, this talk presents a fault simulator created using existing open-source components and without requiring a detailed model of the underlying hardware. The challenges to simulate real-world targets will be discussed as well as how to overcome most of them.

An attacker in possession of the binary of his target can use such a simulator to find the ideal glitch location, while developers of these systems can use such a tool to verify the effectiveness of their countermeasures against specific types of fault attacks.

We used our simulator to identify locations in the binaries of several real-world targets where, due to a successful glitch, the security could be compromised. For example, a successful glitch would result in bypassing the authentication of the next boot stage or arbitrary code execution in the context of the boot process. This would then reveal the cryptographic keys used to protect the system or give access to additional information required to develop a more scalable attack not requiring fault injection.

Sneaking Past Device Guard

By Philip Tsukerman, Cybereason

Philip is a security researcher for Cybereason, and not at all a sentient colony of bees masquerading as a human being.

Device Guard (or WDAC) is an application whitelisting feature on Windows 10 systems that allows only approved executables, libraries and scripts to run, even under administrator users. Seemingly, the only way to run unsigned code without specific RCE vulnerabilities would require an administrator to turn the feature off and restart the machine.

This talk will exhibit rarely discussed and novel techniques to bypass Device Guard, some requiring admin access, some requiring Microsoft Office (but no user interaction), and one available under low privileges and using nothing but native OS executables (which Microsoft acknowledged as a vulnerability, and will be fixed this November). All techniques presented will eventually allow an attacker to run arbitrary code without disabling Device Guard. As of now, Microsoft decided not to service most of these techniques with an update.

During the talk, we'll dive into the various ways the feature is implemented in different contexts, and explore the internals of Windows scripting engines and their host processes to understand how some popular techniques (and some of the ones shown in the talk) are able to bypass Device Guard.

Dear Blue Team: Forensics Advice to Supercharge your DFIR capabilities

By Joe Gray

Joe Gray joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Joe is currently a Senior Security Architect and maintains his own blog and podcast called Advanced Persistent Security. In his spare time, Joe enjoys attending information security conferences, contributing blogs to various outlets, training in Brazilian Jiu Jitsu (spoken taps out A LOT!), and flying his drone. Joe is the inaugural winner of the DerbyCon Social Engineering Capture the Flag (SECTF) and was awarded a DerbyCon Black Badge. Joe has contributed material for the likes of AlienVault, ITSP Magazine, CSO Online, and Dark Reading.

In an age where data breaches and malware infections are quickly becoming the norm, we must prepare for Digital Forensics and Incident Response (DFIR). Most DFIR talks and advice discuss what to do once an incident has occurred. Instead, this talk provides Security Architects, System Administrators, SOC teams, and management with new techniques and advice to supercharge their IR capabilities by preemptively collecting forensic evidence as a baseline.

The content provided in this presentation goes beyond the age-old advice of verbose logging and asset inventories. It will promote a cooperative relationship between DFIR and the rest of the “Blue Team.” We will kick this presentation off with a discussion about Threat Hunting versus Forensics. During this presentation, blue teamers and management will be armed with actionable advice as to how to pre-emptively capture artifacts as baselines BEFORE anything ever happens and the actions to take WHEN something happens.

Exploits in Wetware

By Robert Sell

Robert is a Senior IT Manager in the aerospace industry. He works at an international level and spends most of his time managing information security teams. While these teams focus on the traditional risk mitigation, most of Robert’s focus is on finding better ways of securing the business. Robert has spent an increasing amount of time building defenses against social engineering. He has spoken about the rising social risk at numerous events and on different security podcasts. In 2017 and 2018 he competed at the Social Engineering Village Capture the Flag contest. He placed third in this contest (both years) and since then has been teaching organizations how to defend against social attacks and how to reduce their OSINT footprint. In 2018 he actually managed a CTF while participating in a CTF at Defcon Vegas. Robert is the creator of the Trace Labs Organization which is a crowd sourced OSINT platform for locating missing persons. The organization is also creating an OSINT curriculum for first responders. Robert is also a ten year volunteer with Search & Rescue in British Columbia, Canada. In his SAR capacity, Robert is a Team Leader, Trainer, Marine Rescue Technician, Swift Water Technician and Tracker.

Robert will discuss his third-place finishes and experiences at the Defcon 2017 and 2018 Social Engineering CTF, and how his efforts clearly show how easy it is to get sensitive information from any organization. The 2017 Verizon report clearly shows the dramatic growth rate of social engineering attacks, and Robert demonstrates how he collected hundreds of data points from the target organization using OSINT techniques. He then goes into the vishing strategy he implemented to maximize the points he collected in the 20-minute live contest. Without much effort, Robert was able to learn their VPN, OS, patch level, executives' personal cell phone numbers and places of residence.
Robert lifts the curtain on the social engineering world by showing tricks of the trade such as the "incorrect confirmation", which is one of many methods to loosen the tongues of his marks. Robert then shows the pretexts he designed to attack companies and the emotional response each pretext is designed to trigger. By knowing these patterns we can better educate our staff. With that much information at his fingertips, how long would it take him to convince your executive to make a bank transfer? If your organization lost a few million dollars due to social engineering, who would be to blame? Are you insured for that? Who is getting fired? Robert wraps up his talk with a series of strategies companies can take to reduce exposure and risk. He goes over current exposure, building defenses, getting on the offense and finally... a culture shift.

Building a flexible hypervisor-level debugger

By Mathieu Tarral

Mathieu Tarral is a security researcher and explores Virtual Machine Introspection’s possibilities for malware behavioral analysis.

In this context, he is the maintainer of Nitro, a syscall interception framework based on KVM.

This has led him to create the KVM-VMI organization on Github, to help the common effort of bringing an official VMI API on KVM.

Virtual Machine Introspection is a technique which leverages the hypervisor to allow the virtual machine's hardware state (VCPU registers, virtual/physical memory) to be inspected in real time. This technology has interested security researchers for a long time, as the first scientific paper on the topic dates back to 2003. However, the complexity of hypervisors has restrained existing attempts from gaining a wider audience. Furthermore, the semantic gap to be bridged while interpreting the context of the virtual machine, and the performance overhead induced by the introspection, have prevented it from breaking out of the research sphere, despite its alleged benefits. This situation persisted for many years, until a set of memory introspection patches were submitted and later merged in Xen in 2009.

As of today, Xen is offering the most complete VMI API available, and successful projects such as a stealth malware analysis sandbox (Drakvuf) or an agentless cloud monitoring solution (BitDefender HVI) have been built on top of it. This is shifting our view of virtual machines, from opaque containers to transparent and monitorable systems.

Applying the same principle to our debuggers gives us huge benefits, among them the stealth and robustness required to analyze unknown samples. In 2017, FireEye released rVMI, a Rekall-based full system analysis debugger leveraging VMI on top of KVM, demonstrating the effectiveness of such tools.

In this talk, I would like to present pyvmidbg, a VMI debugger based on LibVMI. Pursuing the research on the topic, it introduces 2 critical changes: first, it has been built with libvmi and is therefore agnostic of the underlying hypervisor (Xen or KVM). Second, it relies on the GDB protocol to keep compatibility with our existing reverse-engineering frameworks.

How to investigate iOS devices

By Paul Rascagneres, Talos

Paul is a security researcher within Talos, Cisco's threat intelligence and research organization. As a researcher, he performs investigations to identify new threats and presents his findings in publications and at international security conferences throughout the world. He has been involved in security research for 8 years, mainly focusing on malware analysis, malware hunting and more specifically on Advanced Persistent Threat campaigns and rootkit capabilities. He previously worked for several incident response teams in the private and public sectors.

In the last few months, Cisco Talos had to investigate iOS malware. It is not a popular platform for malware analysts; however, we identified campaigns targeting iPhone devices. In this presentation, we will present how to handle this kind of investigation. First we will describe the iOS architecture, then the useful tools such as IDA Pro and Frida, and how to debug iOS apps. We will also present how to deploy apps and the classic tricks used by malware developers on this platform. We will provide several demos of the presented tools.

Let's hack the IoT Hub with Pwnhub dudes: IoT Hub Exploitation and countermeasure

By Jisub Kim, Kanghyun Choi

Jisub Kim graduated from the KITRI BoB vulnerability analysis track as a security researcher.
Jisub works at the Republic of Korea Air Force CERT and does vulnerability analysis.
Jisub likes IoT, web hacking and embedded hacking, and is a CTF player with $wag.

Kanghyun Choi graduated from the KITRI BoB vulnerability analysis track as a security researcher.
Kanghyun likes IoT, system hacking (pwnable) and embedded hacking. Kanghyun plays CTF with team $aw.

With the advent of the Internet of Things, our daily life is becoming more convenient and the IoT market continues to grow. To manage various IoT devices at once, the trend is to manage all IoT devices easily and conveniently through an IoT hub, rather than operating each IoT device independently. Since the IoT hub can control the connected IoT devices, it is at high risk of serious damage, such as malicious control by an attacker, privacy invasion and leakage of personal information, in case of a security breach.

We will show the overall IoT hub exploitation process, from acquiring root shells and firmware of multiple IoT hubs to analyzing them and deriving vulnerabilities. We built data flow diagrams (DFDs) through network packet and firmware analysis, from which we collected attack vectors on the attack surfaces and analyzed the security threats and vulnerabilities of the IoT hub. The talk also discusses the vulnerabilities found in recently commercialized IoT hubs, and introduces the threats that could be derived from those vulnerabilities.

Finally, we will show a live demonstration of full-chain exploitation scenarios in a smart home, such as "opening the door lock and sniffing the password". By doing so, we hope to contribute to improving the security of IoT networks and smart homes by raising awareness of the threats posed by IoT hubs.

Wake up Neo: detecting virtualization through speculative execution

By Innokentii Sennovskii

I graduated from NRNU MEPhI with a degree in Information Security and currently work at BiZone LLC as a reverse engineering specialist. I am a member of the LC\BC CTF team. My primary interests lie in the fields of applied cryptography, reverse engineering and side channel attacks. I discovered Spectre Variant 3a in Intel CPUs.

There have been several speculative execution vulnerabilities allowing privileged data to be read from kernel mode, other processes and even hypervisors. However, there are several more ways in which speculative execution can be leveraged by adversaries. I have discovered one such technique, which allows an attacker on the system to obtain information that lets them evade detection by modern sandboxes and AV software. This technique led to the discovery of the Spectre Variant 3a virtualization detection vulnerability in Intel CPUs. This virtualization detection technique stands apart from other techniques, since it can't be evaded by fixing rdtsc timing on VM exits and it doesn't require CPL=0. It can also thwart a reverse engineer analyzing it in a VM, since instead of binary checks for virtualization and specific sandboxes, the computation of initial data (such as keys for unpacking) can be opaquely disabled by virtualization.

Analyzing a Portable Wireless Storage Device From Zero to Remote Code Execution

By Qinghao Tang & Shuo Yuan, Qihoo 360

Qinghao Tang is a security researcher at 360 MarvelTeam, Qihoo 360, Beijing, China. Qinghao Tang is the team leader of 360 Marvel Team at Qihoo 360 Technology Co. Ltd. He has rich experience in cloud computing security and Linux kernel security. He has spoken at PacSec 2015, SyScan 2016, HITB 2016, CanSecWest 2017, POC 2017 and Black Hat EU 2018.

Shuo Yuan is a security researcher at 360 MarvelTeam, Qihoo 360, Beijing, China.
Shuo Yuan is a member of 360 Marvel Team at Qihoo 360 Technology Co. Ltd., who previously conducted security research on Linux system vulnerabilities and now focuses on security research in the IoT area.

My Passport Wireless Pro is a portable wireless Wi-Fi storage device designed by the well-known company Western Digital for outdoor photographers and Internet of Things enthusiasts. It can be used as a Wi-Fi server or Wi-Fi client to establish a connection with the user's mobile device. Users can access the data in the storage device through the local area network. This type of IoT product has rarely been discussed at security conferences, and no clear project has been identified. This presentation will showcase our findings on the My Passport Wireless Pro device, on which a remote code execution 0day vulnerability was discovered. By using this vulnerability, hackers can get a remote root shell on the device operating system without any credentials, and can read and write any data on the hard disk. This vulnerability not only causes the loss of private data, but can also be used as a springboard for a larger attack, i.e., spreading Trojans on the LAN by infecting certain files located on the storage device. The content of this presentation will cover the entire process of analyzing the hardware, analyzing the firmware, fuzzing and exploiting vulnerabilities, as well as our new perspective on IoT device security. Finally, a complete demonstration of remotely acquiring control of the device and obtaining important files from the device will be given.

The way from App to Brain: attack surfaces of smart medical infrastructure

By Denis Makrushin

Denis has gained diverse experience while working in the information security area. On the defensive side, as a Security Architect, he is responsible for building a security architecture of distributed IT infrastructure across various international business units for a global Fortune 500 company. As a security researcher with the Global Research and Analysis Team at Kaspersky Lab, he was focused on vulnerability research and security assessment of emerging technologies. Based on his offensive expertise, he's been a founder and leading expert in the development of a threat intelligence product. Having graduated from the Information Security Faculty of the National Research Nuclear University MEPhI (Moscow Engineering Physics Institute), he is continuing his research project related to methods of targeted attack detection as a Ph.D. candidate. Denis has presented at many public international security conferences, including Defcon, RSA Conference, CARO, BSides, Infosecurity, as well as multiple closed-door invite-only security industry events.
The concept of "SCADA for humans" is central to modern medicine: systems that collect and process information about human body parameters are built on existing infrastructure and technology. For some treatment procedures, data transferred via vulnerable medical networks and management software can be compromised, which could let an attacker tamper with large groups of patients at the same time. The goal of this talk is to present the results of offensive research on networks and online management software used in daily medical practice. We show not only the typical entry points into medical infrastructure, but also vulnerabilities in software popular with surgical teams that allowed attackers to access sensitive data and even affect treatment procedures.

Vulnerabilities of mobile OAuth 2.0

By Nikita Stupin

Nikita is an Information security analyst at Mail.Ru Group.
He's also a bug bounty hunter (Airbnb, Semrush, Yandex and others) and the Dean of the faculty of Information Security at GeekBrains.
Nikita holds a degree in Information Security from Bauman Moscow State University.
Mobile applications are increasingly implementing the OAuth 2.0 protocol. Despite this, vulnerabilities in mobile OAuth 2.0 implementations are still found even in the products of large companies.

In this report we will look at following vulnerabilities of mobile OAuth 2.0:
1. Authorization Code Interception Attack
2. OAuth 2.0 CSRF
3. Vulnerabilities caused by WebView usage
4. Vulnerabilities that increase the probability of phishing

We will also cover the most widespread and critical vulnerabilities of regular (non-mobile) OAuth 2.0:
1. Vulnerabilities in redirect_uri checks
2. MitM of authorization_code/access_token
3. Poor OAuth 2.0 protocol implementation
4. ... and some others 🙂

Vulnerabilities will be accompanied with real-world examples from my bug hunting experience.

Protection techniques will be presented from pentester's point of view. We will discuss defensive mechanisms such as:
1. Proof Key for Code Exchange
2. Crypto properties of OAuth 2.0 tokens (access_token, authorization_code, code_verifier and others) and how they are managed
3. IPC as more simple (compared to HTTP) and secure transport
4. When do client_id and client_secret do more harm than good?

We will cover three flows of OAuth 2.0 protocol:
1. Authorization Code Grant
2. Implicit Grant
3. Implicit Grant with IPC transport
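The three defences named above (PKCE, a per-request state value against OAuth CSRF, and an exact redirect_uri check) fit together as follows. This is an added example written for this page, not code from the talk: the client_id "mobile-app", the custom-scheme redirect URI, the in-memory code store and the "guessed-verifier" string are all constructed for illustration. Both endpoints live in one process so the exchange can be run offline.

```python
# Added example (not the talk's code): PKCE (RFC 7636), the state parameter
# and exact redirect_uri matching for a public mobile OAuth 2.0 client.
# Client IDs, URIs and the in-memory stores are constructed for illustration.
import base64
import hashlib
import hmac
import secrets

CALLBACK = "com.example.app://oauth/callback"          # constructed redirect_uri
REGISTERED_CLIENTS = {"mobile-app": {CALLBACK}}        # client_id -> allowed URIs

def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for code_challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_pkce_pair() -> tuple[str, str]:
    """(code_verifier, code_challenge) for the S256 method."""
    verifier = b64url(secrets.token_bytes(32))   # 43 chars, within RFC 7636 4.1
    return verifier, b64url(hashlib.sha256(verifier.encode()).digest())

def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Exact match only: no prefix, wildcard or substring comparison."""
    return redirect_uri in REGISTERED_CLIENTS.get(client_id, set())

class AuthorizationServer:
    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str, str]] = {}  # code -> binding

    def authorize(self, client_id: str, redirect_uri: str, code_challenge: str,
                  method: str = "S256") -> str:
        if not redirect_uri_allowed(client_id, redirect_uri):
            raise ValueError("redirect_uri is not registered for this client")
        if method != "S256":
            raise ValueError("only S256 is accepted; the plain method is refused")
        code = b64url(secrets.token_bytes(32))
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, client_id: str, redirect_uri: str, code: str, verifier: str) -> str:
        entry = self._codes.pop(code, None)      # single use: a replayed code fails
        if entry is None:
            raise ValueError("unknown or already used authorization code")
        bound_client, bound_uri, challenge = entry
        if bound_client != client_id or bound_uri != redirect_uri:
            raise ValueError("code was issued to another client or redirect_uri")
        expected = b64url(hashlib.sha256(verifier.encode()).digest())
        if not hmac.compare_digest(expected, challenge):
            raise ValueError("PKCE verification failed")
        return b64url(secrets.token_bytes(32))   # opaque access_token

class MobileClient:
    """Public client: remembers state -> code_verifier per pending request."""

    def __init__(self, client_id: str = "mobile-app", redirect_uri: str = CALLBACK) -> None:
        self.client_id, self.redirect_uri = client_id, redirect_uri
        self._pending: dict[str, str] = {}

    def begin(self) -> tuple[str, str]:
        state = b64url(secrets.token_bytes(16))
        verifier, challenge = make_pkce_pair()
        self._pending[state] = verifier
        return state, challenge                  # both go in the authorization request

    def complete(self, server: AuthorizationServer, state: str, code: str) -> str:
        verifier = self._pending.pop(state, None)
        if verifier is None:                     # not a request we started: CSRF
            raise ValueError("unknown state: injected authorization code rejected")
        return server.token(self.client_id, self.redirect_uri, code, verifier)

def honest_flow() -> str:
    """Legitimate client completes the flow and receives an access_token."""
    server, client = AuthorizationServer(), MobileClient()
    state, challenge = client.begin()
    code = server.authorize(client.client_id, client.redirect_uri, challenge)
    return client.complete(server, state, code)

def intercepted_code_is_useless() -> bool:
    """A malicious app captures the callback code but has no code_verifier."""
    server, victim = AuthorizationServer(), MobileClient()
    _state, challenge = victim.begin()
    code = server.authorize(victim.client_id, victim.redirect_uri, challenge)
    try:
        server.token(victim.client_id, victim.redirect_uri, code, "guessed-verifier")
    except ValueError:
        return True
    return False

def csrf_code_is_rejected() -> bool:
    """Attacker's own code is pushed to the victim's callback with the wrong state."""
    server, victim, attacker = AuthorizationServer(), MobileClient(), MobileClient()
    victim.begin()
    a_state, a_challenge = attacker.begin()
    a_code = server.authorize(attacker.client_id, attacker.redirect_uri, a_challenge)
    try:
        victim.complete(server, a_state, a_code)
    except ValueError:
        return True
    return False
```

The two attack functions mirror items 1 and 2 of the mobile list: a second app registered for the same custom scheme can receive the redirect and read the code, but without the code_verifier the token endpoint refuses it; and a code the attacker obtained for their own session is refused by the victim client because the state value was never issued by it. Note that on a real platform the redirect itself still needs a channel that other apps cannot claim (App Links / Universal Links or IPC rather than a custom URL scheme), which is the point of item 3 in the protection list.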

Redesigning Open Source Ransomware

By Raul Alvarez, Fortinet

Raul is a Senior Security Researcher/Team Lead at Fortinet and a Lead Trainer responsible for training junior AV/IPS analysts in malware analysis and reverse engineering.

He has presented in different conferences like BSidesVancouver, BSidesCapeBreton, OAS-First, BSidesOttawa, SecTor, DefCamp, BCAware, AtlSecCon, BSidesCalgary, TakeDownCon, MISABC, InsomniHack, ShowMeCon, CircleCityCon, HackInParis, Kwantlen, HackFest, Sec-T, and DeepSec.

He is a regular contributor to the Fortinet blog and to Virus Bulletin, where he has published 22 articles.

He is currently a member of the DefCamp Conference Advisory Committee.

One of the reasons ransomware was so rampant in the last couple of years is the availability of open source ransomware code. Not only can you study it and learn what works, you can also modify it for your own use. Grab the open source code, add a few features and voila: new ransomware.

On the other hand, the most infamous ransomware in the wild does not give away its source code; we can only learn how it ticks by reversing its binary. If you want to redesign your ransomware, grab the open source code and add the tricks and features you have learned from existing families.
In this presentation, we will look into the possibility of redesigning open source ransomware by adding features taken from reverse-engineered versions of other ransomware.
We will also look into general ransomware design, based on both open source and reverse-engineered ransomware. I will show how easy it is to modify open source ransomware: add your crypto wallet address, change the ransom note, and other things you can alter. Then we will see where the extra features learned from in-the-wild ransomware can be inserted. We will also see whether it is feasible to redesign other in-the-wild ransomware by reversing and modifying its binaries.

Since we are actually on the blue side of the fence, we will look into the weaknesses inherent in open source ransomware, and how they can be mitigated.

Finally, we will see how ransomware in general is starting to lose its grip on the malware ecosystem.

SD-WAN - Yet Another Way to Unsafe Internet

By Denis Kolegov, Bizone & Oleg Broslavsky

Denis Kolegov is a security researcher and an associate professor in computer security at Tomsk State University. His research focuses on network security, web application security, access control, and covert communications. Prior to this, Denis was the Application Firewall team lead at Positive Technologies. He holds a PhD and the academic title of associate professor in computer security. Denis has presented at international security conferences including Power of Community, Area41, ZeroNights, Positive Hack Days, and SibeCrypt.

Oleg Broslavsky is a security enthusiast, PhD student at Tomsk State University, and member of the SiBears CTF team. He has given talks on aspects of web security and post-exploitation techniques at practical security conferences (Positive Hack Days, ZeroNights, POC), developer conferences (HighLoad++) and even academic ones (SibeCrypt).

Today, "SD-WAN" is a very hot and attractive topic. Software-defined WAN (SD-WAN) applies the software-defined networking (SDN) approach to wide area networks (WAN). According to Gartner's predictions, more than 50% of routers will be replaced with SD-WAN solutions by 2020. At the same time, from a security point of view, SD-WAN is a dangerous mix of web technologies, custom cryptography, virtualization, immature features and complicated logic.

In this talk, we describe the most common classes of design flaws and vulnerabilities in SD-WAN and disclose a set of reported and already patched vulnerabilities in popular SD-WAN products. We present new results of our research and consider the technical details of the insecure designs and the vulnerabilities found. We also explore in depth a design flaw in a well-known SD-WAN product that could allow an attacker to compromise every SD-WAN network in the world built on it.

Cryptocurrency mobile malware

By Axelle Apvrille, Fortinet

Axelle is one of the lead security researchers at Fortinet. She specifically looks into mobile malware for Fortinet's anti-virus engine, but also investigates threats on uncommon IoT platforms (smart toothbrush, smart glasses, smart watch, etc.).
On Windows, cryptojacking has become a big issue. It generates significant revenue for its authors: even small botnets earn as much as 500 US dollars per day!

"Why not port it to smartphones?" cybercriminals obviously thought. Indeed, there has been cryptocurrency malware on Android smartphones since 2014. We discuss some of the recent families (AdbMiner, HiddenMiner, Clipper...) and reverse engineer the most interesting ones live.

Despite their increasing power, mining on smartphones has its limits: mining Bitcoin on a smartphone, for example, does not make sense. We look at which cryptocurrencies are mined on smartphones and discuss how profitable this is for cybercriminals. We follow the earnings of the authors of HiddenMiner, based on live captures we were able to obtain.

Threat Hunting Research Methodology: A Data Driven Approach

By Roberto Rodriguez, SpecterOps & Jose Luis Rodriguez

Threat hunting as a process is still being defined in many organizations across various industries, which makes justifying its budget even harder. Some security teams have no formalized team in place and see threat hunting as an informal, ad-hoc procedure in which finding malicious activity is the responsibility of every security employee. Others see it as a formalized process requiring a full-time team focused on creating detection strategies for adversaries even when they are not yet in the production environment. However it is defined, there is still uncertainty about the impact threat hunting has on an organization's security posture. In addition, organizations tend to believe that buying more tools and hiring more people will solve the problem, while disregarding the fact that they might not even have the right data to start with. In this presentation, we share a threat hunting research methodology that focuses on assessing what an organization has, and needs, from a data perspective in order to validate the detection of an adversary. The talk shows organizations how to assess the collection and quality of their data and build data analytics that set their teams up for more effective engagements in production networks.

Betrayed by the Android User Interface: Why a Trusted UI Matters

By Yanick Fratantonio, Eurecom

Yanick (@reyammer) Fratantonio is an Assistant Professor at EURECOM, a grad school on the sunny French Riviera. He obtained a PhD in Computer Science from the University of California, Santa Barbara (2017). His research interests span many areas of systems and software security; he currently focuses mostly on mobile/Android security, program analysis, malware detection, and vulnerability analysis. Yanick's work has appeared in numerous prestigious academic and industry conferences. Despite his advanced age, Yanick refuses to grow up and is still significantly involved in the CTF community: he is a Shellphish hacker, EURECOM's NOPS hackademic advisor, and he had the great idea of joining the "Order of the Overflow" team, the current DEF CON CTF organizers. [Narrator: it was not a great idea.]
In the last few years, the Android platform has gone through a lot of changes and security enhancements. Most of these improvements relate to low-level mechanisms and current devices are significantly more difficult to compromise than ever before. However, without a "trusted UI", many of these mechanisms can be bypassed. This talk will provide an overview of two of the biggest UI-related open problems in Android security: clickjacking and phishing. In particular, it will feature UI clickjacking attacks against a wide range of sensitive apps, and how modern features of Android, such as mobile password managers and Instant Apps, can be used to mount the stealthiest phishing attacks known to date. This talk will also discuss why it is so difficult to eradicate these problems and what we can do to defend ourselves.

Digitalisation demands defensive action

By Daniel Caduff, Federal Office for National Economic Supply FONES

Daniel Caduff is the deputy head of the ICT Division at Switzerland's Federal Office for National Economic Supply (FONES). FONES' duty is to secure infrastructure that is vital to the Swiss economy in general, while Daniel and his team focus on ICT risks in particular. As a federated country, Switzerland pursues a cooperative approach between the various government agencies and the private sector, and provides assistance to the private sector. Awareness, training, open-source tools and transparent information form the basis for this and establish trust between the State and the private sector. In August 2018 FONES released its "Minimum standard for improving ICT resilience" to the public. This standard is based on the NIST Framework Core and has been added to NIST's "International Resources". Daniel holds a master's degree in political science and international law and is a DIY digital native. He joined FONES as project leader for Switzerland's national strategy against cyber risks and became Deputy Head of the ICT Division in 2016. Before joining FONES, Daniel worked for a major Swiss ISP and for a consulting company in IT risk management consulting. Nevertheless, there are a few offline activities he likes as well: mountain biking, snowboarding and heavy metal music, to name a few.
Increasing levels of IT penetration and networking in almost all areas of life opens up both economic and social potential that a highly developed and industrialised nation like Switzerland cannot fail to act upon. At the same time, however, increasing digitalisation also gives rise to new threats to which we must respond quickly and decisively. The particular danger of targeted cyber-attacks on IT infrastructures affects public-sector bodies, operators of critical infrastructures, and other businesses or organisations to the same degree.

These individual businesses and organisations have a fundamental responsibility to protect themselves. However, wherever the functioning of critical infrastructures is affected, the state also has a responsibility, based on its remit as laid down in the Federal Constitution and in the National Economic Supply Act. To address this responsibility, FONES released Switzerland's ICT Minimum Standard in 2018. The ICT Minimum Standard is an expression of the state's responsibility to protect its citizens, its economy, and its institutions and public administrations. It comes into play in those areas in which a modern society can least afford outages: the ICT systems that are important to the functioning of critical infrastructures. Daniel will outline FONES' intention and strategy for strengthening the resilience of this critical infrastructure against cyber risks.

Intelligence-driven Red Teaming

By Peter Hladký, Credit Suisse

Peter Hladký is a member of the Threat Defense Analysis team of Credit Suisse serving as an internal SME on Red Teaming specializing in intelligence-driven red team testing. Peter held different positions in the field of cyber security in the past. As a Senior Consultant, he worked on number of large-scale cyber security and client data confidentiality engagements in the financial sector. And later, as a Senior Cyber Security Specialist, he worked on building cyber security services, preparing and conducting cyber security training exercises in the defense sector. Peter holds a Master’s degree in Computer Science with specialization in Information Security from the Swiss Federal Institute of Technology (ETH Zurich), as well as OSCP and OSCE certifications from Offensive Security.
Cyber security breaches are repeatedly placed among the top risks by governments and by organizations in the private sector. States are revising and improving their national strategies to improve the resilience of their critical infrastructure sectors, among them the financial sector. Financial institutions have several motivations to invest in and build their own cyber security capabilities: their services are increasingly digitized, cyber security is within the focus of financial regulators, and financial institutions are constantly targeted by hacktivists, cyber crime groups, nation-states and nation-state proxies. For these reasons, and because of the resources available to them, financial institutions are at the forefront of developing or adopting novel defensive cyber security capabilities to protect their assets. Two capabilities stand out: Cyber Threat Intelligence and Red Teaming. The former has the longer history, while the latter has received more attention from regulators in different regions in recent years, and a number of frameworks for conducting intelligence-driven red teaming exercises have recently been developed within the sector.

In this talk, I will focus on two capabilities: Cyber Threat Intelligence and Red Teaming. I will begin by exploring frameworks for the purposes of intelligence analysis. Next, I will focus on the role of red teaming, and I will argue why traditional methods of security assessment and testing are no longer sufficient to assure resilience against sophisticated cyber attacks. Then, I will discuss the interplay of the two capabilities as captured by the different frameworks for conducting intelligence-driven red teaming exercises. And finally, I will compare exercises in the financial sector with cyber defense exercises such as Locked Shields and Crossed Swords.

Addressing privacy: GDPR, Cloud, and You

By Chris Esquire

Chris Esquire is a lawyer in private practice, professor at two major universities, cyber security curriculum developer and instructor for a private institution, and works as a Sr. IT Security Analyst resolving complex technical and legal issues. He serves the American Bar Association as Vice-Chair of the Privacy and Computer Crime committee, now in his second term. He has previously served as Academic Relations/Research Committee Director for ISACA and as vice chair of the American Bar Association's Young Lawyers law practice division.

Chris has over 22 years of IT, communications and cyber security experience. He holds several industry-recognized certifications, including the CISSP, CEH and CCSK, and several degrees: a BSIS focused on IT and accounting forensics, an MSISM focused on project management, and a Juris Doctor. He is finishing dual PhDs in Management Information Systems and Business Administration focused on information security, with dissertations on the legal implications of security breaches for organizations and on legal and ethical issues in security management.

He has presented as a speaker and his award-winning research used as materials for several conferences by the American Bar Association and universities. He is a chapter lead and section author for the International Guide to Cyber Security 2nd edition to be published by the American Bar Association for the topics of Enterprise Systems and Technology Issues, A/V & Malware Detection, IDS/IPS & Firewalls, Whitelisting, NERC, & OWASP.

This talk addresses how GDPR affects businesses that operate globally and utilize cloud technology from a privacy and liability perspective. Legal concerns, best practices, and forward areas of research will be presented.

NSX-T Architecture & Benefits

By Erik Bussink, VMware

Erik is a Solution Architect at VMware, helping customers and partners design and architect solutions on virtualized infrastructures and hybrid cloud.
VMware NSX-T is the network virtualization platform for the software-defined data center (SDDC). This session will detail the overlay model used in NSX-T Data Center and highlight the benefits of decoupling networking from the physical infrastructure. NSX-T delivers its networking features across a heterogeneous range of products and environments (VMs, containers, bare-metal servers), whether they are deployed on-premises or in the cloud. The presentation will also introduce the different components involved in NSX (management plane, control plane, data plane) and summarize its services, including routing and switching.

From the cloud to the internal network – Offense vs Defense

By Snir Ben-Shimol, Varonis

Snir is the Head of Cyber Security at Varonis, leading the security research, forensics and incident response teams. Snir began his career in the IDF Technology and Intelligence unit and continued as a Security Researcher in the Israeli Prime Minister’s Office.

Since then, he has worked in the Advanced Security Center of EY as the Cyber Security Advisory leader, managing red-team operations and risk assessments. He has advised major international corporates and high-profile individuals to build their security resilience and protect their organization. Prior to his current role, he led Radware’s Cyber Security Research division, responsible for innovation and security solution capabilities.

More companies are moving their most critical assets to the cloud, adopting new technologies, frameworks and cloud-based applications. Misconfigurations, lack of experience and the growing number of external access points have become fertile ground for threat actors. Spear-phishing attacks have become more powerful, and in hybrid environments simple credential theft and successful brute-force attacks have escalating impact and severity.
In this talk, I'll share real-life attack use cases showing how external attackers get into the network and gain full control over the internal domain. These use cases were identified by our research and forensics teams and later became the baseline for several dynamic threat detection algorithms.
Finally, you'll see how an organization can use this data to develop a powerful vaccine against unknown attacks and targeted campaigns by leveraging advanced analytics capabilities.

The Evolution of Cloud Threats

By Paolo Passeri (@paulsparrows), Netskope

Paolo Passeri, Solutions Architect at Netskope, is also a blogger and a passionate security enthusiast and evangelist with over 20 years' experience in information security. Currently focusing on cloud security, advanced malware detection and risk mitigation, Paolo supports Netskope's customers in protecting their journey to the cloud. In his spare time he updates his blog, which details timelines and statistics of all the main cyber-attacks that have occurred since 2011 and is a primary source of threat landscape data and trends for the infosec community.
Organizations are increasingly moving to the cloud to reduce costs and enable collaboration between partners, customers, and suppliers. Cybercriminals, on the other hand, are constantly looking for new and cleverer ways to carry out their malicious campaigns, deploying attack vectors that take advantage of this migration. This session will discuss how threat actors are leveraging cloud resources for their malicious purposes and how this trend is influencing the threat landscape.