Thursday, March 24th
Friday, March 25th
Keynote
Riccardo Sibilia (Head of Computer Network Operations Team, Swiss Armed Forces)
The challenge of integrating a complex and fast-developing field of activity such as Cyber Defence into an army of conscripts requires following new paths in several areas. This starts with the selection of personnel, based on their potential to rapidly acquire and integrate knowledge and to collaborate with skilled colleagues on a team or task force. This talk presents both the current status and the ongoing and future developments towards an increasingly capable and reactive Cyber Force within the Swiss Army.
Adventurous tales of Online Voting in Switzerland
Christian Folini
The Swiss tale of online voting serves as a typical example of the iterative development of highly critical IT systems and the eventual involvement of scientists as a necessary step for a government that is willing to learn from past mistakes.
Switzerland has been experimenting with online voting for over 15 years. Several generations of electronic voting systems have been implemented and almost all of them died along the way because of their profound security problems or when the money ran out.
In 2019, Swiss Post published the source code of its online voting system, the last system that was still in the race.
Several highly critical findings were discovered in a matter of weeks and the system was stopped right before the national elections.
In 2020, the government rebooted the process by inviting two dozen international researchers into an intense dialogue that lasted several months. The resulting report is the basis for the new regulation that was put out for public consultation in spring 2021.
After extensive feedback amounting to some 700 pages, the new regulation is expected in 2022. It is meant to allow Swiss Post to get back into the online voting business with their new and overhauled system, which is now open source to a wide extent.
A Common Bypass Pattern to Exploit Modern Web Apps
Simon Scannell
During our vulnerability research, we broke the defenses of some of the most popular open-source web applications. We realized that many code vulnerabilities we discovered share a common theme. In this presentation, we want to express this common denominator as a simple, abstract methodology that seems to have gone unnoticed in the industry. Developers and security researchers can apply this pattern to find and prevent similar vulnerabilities in any project of any size, language, or environment. To turn our theoretical pattern into an entertaining presentation, we explain and demo related vulnerabilities that we discovered in applications such as Magento2, WordPress, and Zimbra.
Two bugs to rule them all: taking over the PHP supply chain
Thomas Chauchefoin
Package managers are essential components of the modern developer toolkit. They give the ability to deploy and update dependencies from a central repository in a click, significantly reducing operation costs. The majority of these tools are open-source, and the backend infrastructure that powers entire language ecosystems is run by volunteers. These services are provided on a best-effort basis and offer no guarantees, both in terms of availability and security.
Yet, virtually all software companies need these package managers to operate: compromising this segment of their supply chain is a very effective and subtle attack vector. A recent report by the European Union Agency for Cybersecurity (ENISA) studied 24 attacks reported between January 2021 and early July 2021, highlighted that 50% of these attacks came from known threat actors, and predicted a fourfold increase in 2021 as ransomware groups join the trend.
In this talk, we present the technical details of the vulnerabilities that allowed us to compromise the infrastructure behind the two PHP package managers, Composer and PEAR. Together, they serve more than a billion monthly package downloads, and the exploitation of these bugs by malicious actors could have led to a massive disruption of all companies using PHP. We will also discuss the way that we could reduce the risks of such an attack happening again and the actions that package managers could take to protect themselves.
Hunting for Bugs in "Ethereum 2.0"
Denis Kolegov & Jean-Philippe Aumasson
SPEAKER BIO
JP is co-founder and CSO of [Taurus](https://taurushq.com), and holds a PhD in cryptography from EPFL. He has been doing cryptography for 15 years, and notably designed the ubiquitous algorithms BLAKE2 and SipHash. He wrote the reference books Serious Cryptography and Crypto Dictionary. His previous research works can be found on [https://aumasson.jp](https://aumasson.jp). He is [@veorq](https://twitter.com/veorq) on Twitter.
Over the last 6 months, we looked for bugs in protocols and software of Ethereum's beacon chain (previously called "Ethereum 2.0"), including the recent Altair fork. In this talk, we will describe some of the most interesting security issues we have found. We will describe security shortcomings in the libp2p and discv5 handshake protocols, BLS signatures, and API implementations. Then we will discuss supply chain and fingerprinting risk analysis results. Finally, we will draw some lessons from our experience.
Hook, Line and Sinker - Pillaging API Webhooks
Abhay Bhargav
SPEAKER BIO
Abhay started his career as a breaker of apps, in pentesting and red-teaming, but today is more involved in scaling AppSec with Cloud-Native Security and DevSecOps.
He has created some pioneering works in the area of DevSecOps and AppSec Automation, including the world’s first hands-on training program on DevSecOps, focused on Application Security Automation. In addition to this, Abhay is active in his research of new technologies and their impact on Application Security, specifically Cloud-Native Security. In addition, Abhay has contributed to pioneering work in the Vulnerability Management space, being the architect of a leading Vulnerability Management and Correlation Product, Orchestron, from we45. Abhay is also committed to Open-Source and has developed the first-ever Threat Modeling solution at the crossroads of Agile and DevSecOps, called ThreatPlaybook.
Abhay is a speaker and trainer at major industry events including DEF CON, BlackHat, OWASP AppSecUSA, EU and AppSecCali. His trainings have been sold-out events at conferences like AppSecUSA, EU, AppSecDay Melbourne, CodeBlue (Japan), BlackHat USA, SHACK and so on. He’s authored two international publications on Java Security and PCI Compliance as well.
Webhooks are an important part of modern web services and event-driven applications. They are defined as “user-defined HTTP callbacks”, and are triggered by some events, such as pushing code to a repo or adding a new customer entry in a CRM tool. Webhooks are ubiquitous and gaining in popularity owing to their asynchronous nature and the integration possibilities that they engender.
Webhooks are seen as “harmless”, owing to their “one-way” orientation. They are perceived as such, because they typically post some event information to a URL and they are done once they receive an HTTP response.
In this talk, I will demonstrate a series of attacks that we dub “Webhook Boomerang flaws”. These flaws allow attackers to leverage webhooks to create a boomerang effect that ends up attacking the originating web service itself. The techniques showcased in this talk will highlight a unique set of attack vectors that piggyback on nothing more than the standard HTTP and DNS protocols, which allow us to perform Server-side Request Forgery style attacks that can lead to cloud-metadata compromise even with security protections like Metadata Headers. In our research, we’ve discovered this across multiple cloud providers and found that these attacks can be used in more conventional SSRF compromises of internal web services.
The talk starts with a detailing of webhooks and the typical webhook functionality that is provided by popular CI, CRM, Project Management, Payment Gateway and other applications. Subsequently, I'll be showcasing demos of multiple techniques that can be used in this attack approach, with special emphasis on evasive payloads as well.
Next, I will showcase the success of this attack against several popular bug-bounty targets to highlight the impact of these attacks at scale.
Finally, I will present multiple approaches to defending against these vulnerabilities and developer best practices that should be applied when defining webhook functionality.
Symbolic Execution Demystified
Jannis Kirschner
Symbolic Execution is awesome!
From modern fuzzing tools, through automated exploit generation, to solving complex reverse engineering challenges, frameworks like "angr" are getting increasingly popular.
There are a lot of crackme-style CTF challenges where the intended solution is to find a specific path through a binary while your input has to match various conditions.
Before symbolic execution techniques became popular you had to manually analyze these binaries, extract all the constraints by hand and use tools like the z3 theorem prover to solve the task. Depending on the binary size this would turn out to be a very tedious and time-consuming process.
What if there was a more effective way to tackle such a problem and supercharge your reverse engineering skills?
This introduction to symbolic execution is for everybody who may have already heard of the "angr" framework but never got to learn it. New CTF players will get a head start into crackme solving; seasoned reverse engineers will discover a powerful technique for their toolbox.
You will learn where you can apply symbolic execution frameworks, how they work under the hood and how to integrate them into your reverse engineering workflow. Naturally the practical part won't fall short, so we'll apply the newly learned techniques on several demos.
Exploiting WebKit to break Authentication and Authorization
Sachin Thakuri & Prakash Sharma
When it comes to modern web applications, browsers are the first line of defense. While built-in security features that come compiled with browsers are responsible for preventing a wide array of attacks, any seemingly trivial mistake in browsers' implementation of such security features can have devastating effects. In this session, we talk about a vulnerability in Safari and a security feature in browsers which, when abused, allowed us to leak certain cross-site information, which alone made almost every application vulnerable, even giving us instant access to visitors' accounts.
We will explain how we were able to exploit hundreds of companies with billions of users and were able to harvest over $100k in bounties. Even corporations like Google, Facebook, GitLab, Coinbase and others who are very cautious with security measures were all vulnerable. The exploit, on one hand, demonstrates how sometimes not adhering to a simple-looking specification can turn into a disaster and, on the other hand, how simply following the specification might not be enough.
We'll also talk about programs' responses to our reports and a general understanding of such vulnerabilities, fixes and bypasses we came up with. Finally, we'll conclude with how to address such vulnerabilities using yet another browser feature.
Cyberterrorism and the Energy Sector: A Framework to Improve Collaboration Between Lawmakers and Cybersecurity Experts
Chris Esquire
SPEAKER BIO
Chris has over 22 years of IT, communications and Cyber Security experience. He has several industry-recognized certifications, including the CISSP, CEH and CCSK. He holds several degrees, including a BSIS focused on IT and Accounting forensics, an MSISM focused on Project Management, and a Juris Doctor. He is finishing a dual PhD in Management Information Systems and Business Administration focused on Information Security, with his dissertations focused on the legal implications of security breaches on organizations and legal and ethical issues in security management.
He has presented as a speaker, and his award-winning research has been used as material for several conferences by the American Bar Association and universities. He is a chapter lead and section author for the International Guide to Cyber Security 2nd edition, to be published by the American Bar Association, for the topics of Enterprise Systems and Technology Issues, A/V & Malware Detection, IDS/IPS & Firewalls, Whitelisting, NERC, & OWASP.
Terrorism has begun to shift the battlefield from the traditional landscape of physical land to a boundaryless cyber environment. The legal community is not addressing effectively the actions of terrorists that are targeting the energy critical infrastructure sector. Because of the number of individuals that a single cyberattack can impact, there has been discussion that the international legal world should create international laws to address the problem. War crimes are already considered international crimes. There currently is a movement to have cyberterrorism classified under the scope of a war crime, or to broaden the definition of terroristic crime to include cyberterrorism. If there is not a sweeping movement across the world in regard to cyberterrorism, there is a considerable risk to both lives and the economy as a whole. The challenge presented would be furthering the scope to include the elements of cyberterrorism under an existing international crime. This discussion presents the research conducted and provides a proposal that countries can use to better combat cyberterrorism.
Attacking Bluetooth LE design and implementation in mobile + wearables ecosystems
Nitin Lakshmanan & Sunil Kumar
SPEAKER BIO
Sunil is an industry expert in security research, product security assessment and risk management. He has worked extensively on threat modeling and penetration testing of Web applications, IoT products, Cloud infrastructure and mobile solutions. Sunil is skilled in JavaScript and Python scripting, and has developed numerous security tools and applications. He regularly speaks at local and international security conferences, including at FIRST Annual Conference, FIRST TC, ISC2 events, and so on. He currently works as a Principal Security Analyst at Deep Armor. Prior to that, Sunil worked as a security engineer for Ola Cabs and Aricent Technologies.
Consumer IoT devices manifest in a variety of forms today, including fitness trackers, rings, smart watches, pacemakers, and so on. The wearable IoT market is dominated by small and medium-sized businesses, who are often in a rush to hit the shelves before their competitors, and trivialize the need for security in the bargain, citing no “return on investment”. **In our presentation, we deep-dive into the wireless protocol of choice for wearables — Bluetooth Low Energy (BLE) — and its impact from a security perspective. We use a USB-based Bluetooth hacking hardware board called Ubertooth One to analyze popular market products, and also perform a live demo on stealing information from a fitness tracker using standard Android app development practices. We wrap up with a discussion on simple cryptographic approaches and BLE-hardening mechanisms to prevent such attacks on wearable and IoT platforms.**
Forging golden hammer against Android app protections
Georges-Bastien Michel
Today most serious mobile applications rely on industrial-grade software protection tools to detect and slow down reverse engineering. This forces attackers to waste precious time bypassing obfuscation and RASP before deep-diving into app-specific logic. So, if each tool tries to detect non-app-specific threats such as hooking, rooted devices, emulators, debuggers, rogue certificates, and so on, we postulate that we can design a universal tool to bypass all of them. In our talk, we start by reversing the protections of the most popular and certified Android app protection tools, and we follow by designing instrumentation to defeat all of them.
After this talk, the public repository will be populated with Ghidra and Frida scripts.
Practical exploitation of zigbee-class networks with USB-based RF transceivers & open source software
Nitin Lakshmanan & Sunil Kumar
SPEAKER BIO
Sunil is an industry expert in security research, product security assessment and risk management. He has worked extensively on threat modeling and penetration testing of Web applications, IoT products, Cloud infrastructure and mobile solutions. Sunil is skilled in JavaScript and Python scripting, and has developed numerous security tools and applications. He regularly speaks at local and international security conferences, including at FIRST Annual Conference, FIRST TC, ISC2 events, and so on. He currently works as a Principal Security Analyst at Deep Armor. Prior to that, Sunil worked as a security engineer for Ola Cabs and Aricent Technologies.
Internet of Things (IoT) products proliferate in the market today. They manifest in different forms, right from a pacemaker inside a human body to an oil and gas rig monitoring device in the remotest locations on the planet. The hardware form factors in many such IoT solutions use tiny microcontrollers with strict low-power-consumption requirements. Securing these platforms often poses several security challenges.
IEEE 802.15.4 is a standard developed for low-rate wireless personal area networks (LR-WPANs). The base specification of the standard does not specify how to secure the traffic between the IoT devices and the backend infrastructure, so there are often vulnerabilities in the design and implementation.
Penetration testing of zigbee-class wireless sensor networks needs specialized hardware and software stacks for packet sniffing and injection. **In this presentation, we will talk about various market-available solutions that pentesters can use for debugging and attacking such networks using USB-based dongles. We will demonstrate two custom hardware boards equipped with programmable microcontrollers that work with open source software solutions for performing attacks on an IEEE 802.15.4 based wireless sensor network. After our demos, we will discuss various hardening methodologies to protect IoT systems against such attacks.**
An Insider Threat: What is Social Engineering?
Crux Conception
SPEAKER BIO
Law Enforcement experience:
• Homicide Detective
• Criminal Profiler
• Gang Unit Specialist Detective
• Hostage Negotiator
• Crisis Intervention Team (CIT) Officer
• School Resources Officer (SRO)
• Five years as a Special Agent with the Department of Homeland Security (DHS)
Crux, now retired, worked as a Homicide Detective, Criminal Profiler, and Hostage Negotiator with the Fort Wayne (Indiana) Police Dept.
Teaching experience:
Currently, Crux is an Adjunct Professor of:
• Psychology
• Business Psychology
• Social Media Psychology
• Criminal Profiling
• Criminal Behavior
• Computer Psychology
• Sociology (Group Dynamics)
Education:
• Bachelor of Science degree, Criminology (Ball State University, 1994).
• Master’s degree, Forensic Psychology (Walden University, 2012).
• Currently a Ph.D. Candidate (Forensic Psychology) at Walden University.
This lecture will display individual methods used to infiltrate social media accounts using fake accounts and collect data from unknowing account holders (using altered photos, which will appear original and pass a "Google photo search", disseminating false or misleading information, and more).
The presentation will engage the audience: We will focus on their psychological motivations to identify the emotional precursors. We will combine open discussions, media, and PowerPoints, to illustrate cultural adaptation, borderline personality disorder, psychological autopsy, precursors to Espionage, Spying, and Theft of Data.
The presentation will give participants innovative insights to conduct psychological field profiles/assessments and verify potential risk factors. This presentation will outline the mental aspects of Data Breaching and possible prevention of Data Loss.
In today's cyber-risk and cyber-security world, we sometimes forget about the individuals or suspects behind the breach, attack, or theft. We neglect these individuals until it is too late and the damage has been done.
Breaking SecureBoot with SMM
Itai Liba & Assaf Carlsbad
Ever since its introduction, SMM has been considered by many to be one of the most powerful execution modes of Intel CPUs. Unfortunately, practice has shown that more often than not, SMM code provided by most OEMs is poorly written and suffers from a myriad of security issues that can be exploited by attackers to elevate their privileges. In this talk we will dive into a vulnerability we’ve found in the Intel BIOS reference code and how we exploited it to gain SMM read, write and execute primitives. We will show how we combined these primitives to get a full dump of SMRAM and break UEFI’s SecureBoot mechanism, which allows us to load an unsigned bootloader. We will finish by discussing possible mitigation strategies.
The Rat-Race Detection Game
Myriam Leggieri
In a medium-sized company, security threats are identified at a rate of at least 10 per month, while building methods to detect each can take a month or longer for a single engineer - an unsustainable ratio of threats-to-effort. Building detections can also require thousands of lines of code to be written, causing complexity and maintainability challenges. In this talk, we will demonstrate an ideal detection pipeline driven by templates and configuration-based rules which automatically creates threat detectors actionable by Security Operations. This approach drastically cuts down on complexity and maintainability as well as on detection building time. With early testing showing a significant increase in detection coverage, this pipeline could become an important improvement in industry state of the art.
Delegating Kerberos to bypass Kerberos delegation limitation
Shutdown (Charlie BROMBERG)
Within Active Directory Domain Services, Kerberos delegations allow services to access other services on behalf of other principals (i.e. domain users). Three main types of delegations exist: Unconstrained, Constrained and Resource-Based Constrained.
Kerberos Constrained Delegations (KCD) come in two flavors: with, and without, protocol transition. KCD without protocol transition limits attackers' lateral movement capabilities. Or does it?
Let's see how the limitation induced by "Kerberos Constrained Delegation without protocol transition" is actually bypassable with... **Kerberos delegation!**
REW-sploit: dissect payloads with ease
Cesare Pizzi
SPEAKER BIO
He develops software and hardware, and tries to share this with the community. Mainly focused on low level programming, he developed a lot of OpenSource software, sometimes hardware related (to interface some real world devices) sometimes not.
He also does a lot of reverse engineering, so he feels confident in both "breaking" and "building" (maybe more in breaking?). He has given presentations at different conferences:
- DEFCON 25 HHV: Ardusploit: PoC of Arduino code injection
- BSides 2018 Milano: Ardusploit evolution
- Italian Hacker Camp 2018: 0-ITM portable malware analysis lab
- DEFCON 27 PHV: Sandbox creative usage
- BHUSA 2020 Arsenal - SYNwall: A Zero-Configuration (IoT) Firewall
Contributor to several OS security projects (Volatility, OpenCanary, CETUS, etc.) and CTF player.
Need help analyzing Windows shellcode or attacks coming from **Metasploit Framework** or **Cobalt Strike** (or maybe also other malicious or obfuscated code)? Do you need to automate tasks with simple scripting? Do you need help decrypting **MSF**-generated traffic by extracting keys from payloads?
REW-sploit does some heavy lifting, provides you with an interface to analyze Windows-based code (EXE, DLL or shellcode) and gives you some useful insight!
Practical bruteforce of military grade AES-1024
Sylvain Pelissier & Boi Sletterink
SPEAKER BIO
IT Security, crypto and salsa nerd.
Sony, SanDisk, and Lexar provide encryption software for their USB keys, hard drives, and other storage products. The software is already present when buying a new product and is used to keep data on the storage safe. This solution is developed by a third party called ENCSecurity. The security claims of this solution were very strong, *i.e.* "Ultimate encryption using 1024 bit AES keys Military grade". Our analysis of the DataVault software revealed three serious flaws impacting the security of the DataVault solution. This presentation is a look at the flaws we identified, along with our process for discovery and how the vulnerabilities were addressed.
Introduction to Open Source Investigations
Aiganysh Aidarbekova
Every day an enormous amount of content is uploaded to the internet. Some of it, like Google Maps satellite imagery, an Instagram post, or a random website, can be the key to journalistic investigations, from identifying neo-Nazi criminals to tracking the use of chemical weapons to environmental research. In this session you will learn the basics of open source investigations, practical tools, methods and case studies from Bellingcat's experience.
Automatically extracting static anti-virus signatures
Vladimir Meier
SPEAKER BIO
Since 2015, his main focus has been to leverage old and new techniques to get around antivirus, EDR and whatever they may be called in the coming years 😉 While graduating from the School of Engineering and Architecture of Fribourg in Switzerland, he authored three theses for SCRT on this subject, which culminated in the realization of the open-source tool https://github.com/scrt/avcleaner, a C/C++ source-code obfuscator for antivirus evasion.
Antivirus software is black-box software that runs on a multitude of devices around the world. From mobile devices to enterprise servers, it is given the critical role of monitoring files and network traffic to detect and block malicious code. Our information systems include an immense variety of ways malware can spread and compromise machines. Furthermore, thousands of new malware samples are born each day. Faced with such a hostile environment, how do security software companies address this problem and detect threats in Office documents, executable files, scripts, e-mails, ...?
Well, we don't really know, because it's not documented. Though it is known that they are imperfect and vulnerable by design to the problem of false positives, they have done sufficiently well that people might blindly rely on their protection, and be surprised when a real-world malware slips through the net.
Beyond the false sense of security they might provide, they might also hide severe security issues from pentesters and security researchers during engagements by detecting their audit tools. It is widely accepted that security should be implemented as intertwined layers of protections and controls, and that there is no silver bullet.
In view of that, we open-source a tool that has been used for 4 years at SCRT in order to automatically extract signatures from static antivirus engines, with the following goals in mind:
- to show customers what they can realistically expect from their security software by evidencing how they actually work.
- to offer pentesters a way to conduct security assessments that can be as exhaustive as possible when such software is in the way.
How we've built one of the most secure media companies in the world
Andreas Schneider
TX Group (with the media brands Tamedia and 20min) runs various modern security technologies like a Zero Trust Architecture, passwordless authentication, a cloud-only environment with Cloud Native Security elements, scaling infrastructures, proven DDoS protection and public Bug Bounty Programs. All driven by a lean/agile security team with lots of love for Boba Fett and tree planting.
Managing large-scale response
Mathias Fuchs
Large-scale incident response is not about scaling classical forensic approaches, it's an entirely different field. In his talk, Mathias will focus on the various pitfalls when handling major breaches in organizations with well above 100.000 endpoints. While there are many points to cover, the main focus of the talk will be on documentation and how it ties into managing resources, the victim and other stakeholders.
Good Incident Response Leads need to be able to brief a non-technical client as well as a new team member on the case at any given time, not just in pre-scheduled status calls. This requires a stable set of information at the IR Lead's fingertips. To consolidate all the information in one place, Mathias created and maintains the Aurora Incident Response tool, which strives to bring Incident Response documentation to the next level. Many years ago Mandiant coined the term SOD (Spreadsheet of Doom), which is the general source of truth and stores all the key findings in an investigation. While the original SOD was an Excel template, Aurora is an SOD on steroids. It enables responders to work as a team, offers instant visualizations of lateral movement and a graphical timeline. It ties into MISP and VirusTotal for a streamlined intelligence workflow. That way responders never lose the overview or get lost in details, as they can always step back to get the helicopter view on the case.
Resource management is a key topic in large-scale incident response. If responders use a linear scaling approach they will fail. Good IR teams can usually handle large-scale response for over 100.000 hosts with only 3-4 FTEs. Mathias will introduce strategies on how to optimize resource allocation and allow for personnel swaps easily. All of these strategies rely on a number of factors like technical team skills, tools and the IR lead's soft skills. Resource management is also strongly supported by Aurora-based documentation.
The target audience for the talk is security specialists who want to understand how to improve their IR readiness, as well as everyone else who wants to hear some cyber war stories.
Stop this car || GTFO
Karim Sudki
Car trackers have been around for more than a decade to tackle the surge in vehicle thefts especially in the USA. Their features have evolved from simple vehicle positioning to full access to the car internals like current speed, possibility to remotely query information and even disable the engine ignition.
This talk aims at shedding some light on the security level of one specific tracker, starting from the hardware aspects, moving through firmware reverse engineering, and ending with the remote communication protocol analysis. Needless to say, mistakes were made by the manufacturer along the way, with potentially harmful consequences.
Raising employee awareness: which training strategy to go for?
Eric Bärenzung
From data leaks following human errors to ransomware activation, humans look like the weakest link in the security landscape, but mostly because humans are the most targeted.
You need to build a proper security culture to make a powerful ally out of your employees in your fight against cyberattacks.
In this talk, we will address:
- Why raising security awareness is key
- How to ensure successful training
- What you should train your audience on (at least some suggestions)
Blacksmith: A Blackbox Fuzzer for Bypassing Rowhammer Mitigations on DDR4 DRAM Devices
Patrick Jattke & Stijn Gunter
SPEAKER BIO
Stijn Gunter is a final-semester Master's student in Computer Science at ETH Zürich. He is currently working on a thesis in hardware security and worked on Blacksmith as part of a semester project. Prior to his studies at ETH Zürich, he obtained Bachelor's degrees in Applied Mathematics and Computer Science and Engineering from the Eindhoven University of Technology.
The Rowhammer vulnerability was first discovered in 2014 and allows inducing bit flips in DRAM memory by quickly repeating memory accesses. There has been a plethora of work showing that Rowhammer attacks are practical, for example, in browsers using JavaScript, over the network, and across co-located VMs. This talk presents Blacksmith, our latest work on Rowhammer. Our discoveries led to a new class of Rowhammer access patterns that can bypass the undocumented, proprietary in-DRAM Target Row Refresh (TRR) mechanism that aims to protect current DDR4 devices against Rowhammer. Blacksmith, a scalable Rowhammer fuzzer that generates these new access patterns, can find bit flips on all of our 40 recently purchased DDR4 DIMMs. To show the exploitation power of these bit flips, we use them to revive the Flip Feng Shui attack. Flip Feng Shui leverages these new bit flips and memory deduplication, an OS feature used to reduce the memory footprint, to compromise co-hosted victim virtual machines in the cloud by corrupting the victim’s SSH public key with Rowhammer.
It’s Raining Shells - How to Find New Attack Primitives in Azure?
Andy Robbins
SPEAKER BIO
What if you could go back in time, to the time before Kerberoast, Responder, or Mimikatz? What if you could protect or attack Active Directory in 2012 with the knowledge we now have in 2022? That time is now in the world of Microsoft Azure.
In this talk, I will explain the opportunity that exists for security researchers targeting Azure services. I will also explain, using my recent research into MS Graph, my own abuse research methodology - a methodology that anyone can use to find new abuse primitives in Azure.
Ransomware Encryption Internals: A Behavioral Characterization
Antonio Cocomazzi (SentinelOne)
SPEAKER BIO
Ransomware is a particular class of malware which performs a series of operations on the target to inhibit and disrupt the normal functioning of the systems.
Usually ransomware is developed by financially motivated threat actors whose main goal is to earn money. This kind of malware is the means that allows them to convince victims to pay a ransom, offering to restore the functioning of their systems in exchange. These attackers have been very successful in extorting money from their victims because the ploy of inhibiting and then restoring the functioning of the systems is well structured and effective.
In modern ransomware the main strategy for applying a reversible restriction to the target systems is data encryption. This involves a series of cryptographic algorithms that, combined, realize a hybrid encryption scheme strong enough to ensure that only the ransomware developers can decrypt the data.
This research focuses on the main task that enables ransomware to carry out its malicious operations: data encryption.
The scope of this research is not strictly limited to the cryptographic implementation; it includes a technical deep dive into all the operations the ransomware needs in order to perform the data encryption: file enumeration, crypto schemes, parallelization and optimizations.
This talk uncovers the evolution of the data encryption features observed in these threats, and provides a behavioral characterization together with a series of behavioral detections, based on overlapping implementations, that can be adopted as effective countermeasures.
Noise and Signals – Digging through threat- and APT-stories
Marco Preuss (Kaspersky)
SPEAKER BIO
Join me in digging through different aspects of advanced and sophisticated threats and why it’s not simply “yet another APT”. Along this journey modern ThreatIntel will be addressed as well.
Securing Critical Infrastructures with Fortinet
Dino-Boris Dougoud
SPEAKER BIO
Critical infrastructure protection (CIP) is the process of securing the infrastructure of organizations in critical industries. It ensures that the critical infrastructures of organizations in industries like agriculture, energy, food, and transportation receive protection against cyber threats, natural disasters, and terrorist threats.
CIP typically involves securing critical infrastructures such as supervisory control and data acquisition (SCADA) systems and networks, as well as industrial control systems (ICS) and operational technology (OT). Popular CIP solutions from Fortinet include SCADA for securing critical infrastructure and OT for critical infrastructure protection.
The Nym network deep-dive
Simon Wicky
SPEAKER BIO
When talking about computer security, the privacy aspect is often overlooked. As the internet became an inevitable part of our daily lives, privacy is harder to maintain. Daily, we hear stories about the breach of privacy rights, mass surveillance or illicit harvesting of personal data. In response to that, Nym Technologies, with the help of Exoscale, is developing a decentralized mixnet that provides enhanced privacy to online users. But, how does it perform against well-known traffic analysis attacks, like for example, website fingerprinting? This talk provides a deep dive into the Nym mixnet and its privacy properties. We also present the first empirical analysis of the impact of website fingerprinting attacks on our mixnet.
Loose lips might sink Clouds
Jason Hill & Dvir Sason
SPEAKER BIO
Dvir manages the Varonis Research Team. He has ~10 years of Offensive & Defensive security experience, focusing on red teaming, IR, SecOps, governance, security research, threat intel, and cloud security. Certified CISSP and OSCP, Dvir loves to solve problems, coding automations (PowerShell ❤, Python), and breaking stuff.
The increasingly widespread adoption of cloud-services coupled with the need to rapidly share knowledge, be that with remote employees or customers, continues to provide opportunities for information to end up in the wrong hands.
Misconfigurations, countless instances of over-sharing and, in some cases, inviting everyone and their dog to content, provide threat actors with a wealth of useful intelligence that can later be leveraged in targeted attacks against organizations.
In this session, Varonis Threat Labs discusses some of the common issues along with real-world examples to help defenders educate their organizations, as well as providing some open-source intelligence (OSINT) techniques for red-teamers and bug-bounty hunters to use in their future engagements.
Void Balaur: a cyber mercenary from the underground
Feike Hacquebord
SPEAKER BIO
In this session we put a cyber mercenary into the spotlight. This cyber mercenary does not have a shiny office nor does it have a glossy brochure, but it advertises services in underground forums like Probiv. We will explain in detail how we attributed campaigns to this actor we track as "Void Balaur".
Void Balaur came to our attention in Spring 2020. We were contacted by a frequent target of Pawn Storm (APT28). His spouse received a dozen phishing emails and he wanted to know who the sender was. We soon related these phishing emails to Void Balaur, but we needed 6 more months of research to reach high confidence attribution. Using billions of passive DNS records and Trend Micro’s telemetry we found more targets, and related campaigns between 2016 and 2021. Some of these campaigns against Uzbek targets were reported on earlier by Amnesty International (2020) and eQualit.ie (2019), but without attribution. We found that similar campaigns with the exact same targets were still ongoing in 2020 and 2021.
We discuss the service offerings of Void Balaur. These include hacking into many kinds of e-mail accounts, including attacks that do not need any user interaction. Void Balaur also offers personal information like cell tower phone records, airline passenger data, passport details, interception of SMS and the blocking of phone numbers in CIS countries for sale. We will explain how having this information can facilitate serious crime.
In fall 2020 we found out that somebody was hiding behind the eleos.tk VPN network and using a customer system to access control panels of Void Balaur. These control panels appeared not to be protected by any authentication. From that moment on we could follow campaigns in real time and attribute old and new campaigns of Void Balaur with high confidence.
We uncovered about 3000 targets. These included oligarchs, CEOs, politicians, journalists, medical doctors, senior network engineers of ISPs and telco companies, and human rights activists, some of whom had to flee their home country. We found a small but clear overlap with the targeting of Pawn Storm (APT28). This shows that attackers motivated by politics and corporate espionage have found their way to this cyber mercenary.
International regulations are not there to protect the targets of cyber mercenaries. Therefore, we will share ways that journalists, human rights activists and other targets can better protect themselves against APT attackers and cyber mercenaries.
Elevate your security in the cloud with Telsys and AWS
Colin Szajkowski, Geoffray Schmitt
SPEAKER BIO
Colin Szajkowski, Head of Cloud Infrastructure at Telsys
Geoffray Schmitt, Manager Solutions Architecture at AWS
Come find out how AWS and Telsys are teaming up to guide and assist you on your digital transformation, safely and securely.
Telsys is leveraging decades of datacenter integration and management knowledge to provide you with best-of-breed business continuity solutions and migration services, built on the most secure public cloud services from AWS, which will soon be opening its region in Zurich, Switzerland.
Future Proofing your Security Operations Center
Amitabh Singh
SPEAKER BIO
Amitabh is Field CTO EMEA for Palo Alto Networks. He was CISO and CDO for Swisscard (Credit Suisse and American Express JV) and has worked with companies like IBM, HSBC and GE. He has been managing and consulting on Security and Data Privacy for fortune 100 companies in Europe at C level. He is a guest lecturer at University of St. Gallen and Hochschule Luzern. He is also the regional Ambassador of Switzerland for Global Business Blockchain Council (a WEF and Richard Branson promoted think tank).
He is a speaker of repute and has been a keynote speaker at various conferences. He is a trusted advisor to boards and companies. He has been a keen advocate of security using blockchain and believes that blockchain is one of the most exciting technologies for supporting security, fraud prevention and managing real information across IT as well as OT.
He helped set up Girlscancode.ch- an organization to promote programming and STEM for Girls in Switzerland.
Amitabh is an Engineer from Indian Institute of Technology and an MBA from Faculty of Management Studies, New Delhi.
Reactive security is failing the traditional SOCs. In this talk, we will address:
- What is the anatomy of an attack?
- What are the requirements for a next-generation SOC?
- Key best practices towards creating an autonomous SOC
- Key insights from a real-life case study and the SLAs to be measured