Dan Guido - Keynote - The Smart Fuzzer Revolution
Dinis Cruz - Keynote - Hacking Portugal and making it a global player in Software development
Pedro Vilaça - Memory Corruption is for Wussies!
Diogo Monica - MTLS in a Microservices World
David Sopas - The way of the bounty
Oliver Kunz - Semi-Offline Attack on the Android Full-Disk Encryption
David Sancho - From your PC to your nearest ATM: a history of the sneakiest financial malware
Tiago Balgan Henriques, Florentino Bexiga, Filipa Rodrigues, Ana Barbosa - I for one welcome our new Cyber Overlords! An introduction to the use of machine learning in cybersecurity
Jonathan Claudius - Lessons Learned from a Bug Bounty Operator
Jérémy Matos - Introducing Man In The Contacts attack to trick encrypted messaging apps
Bárbara Vieira - Challenges of secure coding
Francisco Ribeiro - Hacking Python
Filipe Bernardo - Attackers Gh0st st0ries
Dima Bekerman - Brace YoSelf: DDoS is Coming
Dan Guido
Keynote - The Smart Fuzzer Revolution
The last 2 years has seen greater advances in automated security testing than the 10 before it. AFL incorporated known best practices into an easy-to-use tool, the DARPA Cyber Grand Challenge provided a reliable competitive benchmark and funding for new research, and Project Springfield (aka SAGE) is now available to the public. These new technologies have the potential for massive impact on our industry.How do these tools work and what sets them apart from past approaches? Where do they excel and where are their limitations? Is it possible to use them today? How will these technologies advance and what further developed is needed? How much longer do humans have as part of the secure development lifecycle? I will discuss answers to these questions and more in the "The Smart Fuzzer Revolution."
About the Speaker:
Dan Guido leads the strategic vision for Trail of Bits’s products and services, and manages its day-to-day operations. Dan prioritizes work on automated, scalable tools that make a measurable impact for elite organizations ranging from Facebook to DARPA.
Since founding Trail of Bits in 2012, Dan has built the company with people that span the gap between academic research and real-world problems. He pushes his team to study complex computer science topics, and modern attackers’ tactics, techniques and procedures.
It’s through this approach that Trail of Bits addresses the root causes of its clients’ challenges, and develops tools that make a lasting impact. When possible, Dan prefers to share the knowledge those tools embody, and to open-source them to the infosec community for use, maintenance and improvement.
In addition to his professional work, Dan helps moderate Reddit Netsec, organizes Empire Hacking, and supports ambitious startups through hack/secure’s advisory board.
Dinis Cruz
Keynote - Hacking Portugal and making it a global player in Software development
As technology and software becomes more and more important to Portuguese society it is time to take it seriously and really become a player in that world. Application Security can act as an enabler, due to its focus on how code/apps actually work, and its enormous drive on secure-coding, testing, dev-ops and quality. The same way that Portuguese navigators once looked at the unknown sea and conquered it, our new digital navigators must do the same with code. This presentation will provide a number of paths for making Portugal a place where programming, TDD, Open Source, learning how to code, hacking (aka bug bounty style) and DevOps are first class citizens.About the Speaker:
Dinis Cruz is a Developer and Application Security Engineer focused on how to develop secure applications. A key drive is on ‘Automating Application Security Knowledge and Workflows’ which is the main concept behind the OWASP O2 Platform. After many years (and multiple roles) Dinis is still very active at OWASP, currently leading the O2 Platform project and helping out other projects and initiatives. After failing to scale his own security knowledge, learned Git, created security vulnerabilities in code published to production servers, delivered training to developers, and building multiple CI (Continuous Integration) environments; Dinis had the epiphany that the key to application security is “Secure Continuous Delivery: Developer’s Immediate Connection to What They’re Creating”. This ‘Immediate Connection/Feedback’ concept is deep rooted in the development of the O2 Platform, and is something that will keep Dinis busy for many years.
Pedro Vilaça
Memory Corruption is for Wussies!
This is a technical presentation about a very interesting non-memory corruption bug that (still) exists in every OS X version except El Capitan 10.11.4 or higher. The bug allows arbitrary code execution of any binary, which can be abused for privilege escalation, bypassing System Integrity Protection (SIP) and also kernel code execution - essentially bypassing all OS X protection mechanisms with a single vulnerability.The goal of this presentation is to take the attendees on a ride into OS X kernel internals and a bit about SIP implementation, and of course dive into the details of this bug and how to exploit it. It is a really cool vulnerability that deserves a glorious death.
If time permits I should also try to present another non memory corruption vulnerability in Little Snitch firewall, to illustrate how powerful logical vulnerabilities can be.
About the Speaker:
A leading expert in the field of not being an expert, plays with computers for more than 30 years, holds a degree in Economics and a MBA, writes a somewhat famous OS X related blog, breaks DRM protections for fun and profit, annoys HackingTeam, trolls Apple’s product security team, loves to solve weird problems, and tries to spread some knowledge. Lately very interested in improving OS X security and malware research. Wrote a long OS X rootkits article for Phrack last year.
Currently working at SentinelOne, a next-generation AV company, where I co-authored its Mac produc. These days I break random stuff and create proof of concept security technology.
Diogo Monica
MTLS in a Microservices World
One obvious side effect of migrating to a microservices architecture is the need for infrastructure automation. Unfortunately, most automation systems do not take security into consideration, making production deployments orders of magnitude more complex than the initial testbed deployment.The perfect example of this steep increase in deployment difficulty is the creation and management of Public-Key-Infrastructures (PKI). Even though the use of TLS Certificates for service to service communication is known as a best-practice, very few companies actually deploy their systems using mutually-authenticated TLS connections.
In this talk I will go over why TLS is the right solution for service to service communication, describe ways to automate the creation and management of your PKI, and present in detail how Docker's swarm orchestration system bootstraps and manages individual node certificates.
About the Speaker:
Diogo Mónica is the security lead at Docker, an open platform for building, shipping and running distributed applications. He was an early employee at Square where he led the platform security team, has a BSc, MSc and PhD degrees in Computer Science, serves on the board of advisors of several security startups, and is a long-time IEEE Volunteer.
David Sopas
The way of the bounty
"The way of the bounty" tells the experience that I had in the last year regarding bug bounty programs. I'll give a brief introduction to what bug bounties is but my main focus will be to deliver the best and most of the common vulnerabilities I found on bug bounty programs. Where to search? Can I still find issues on public programs? Does bug bounty affects the security industry in some way?About the Speaker:
I’m security consultant for Checkmarx and security team leader for Char49. I love to hack web applications and I’ve been acknowledged by discovering security issues in Google, Yahoo!, eBay, Microsoft and many others companies.
Regarding bug bounties I’m ranked top30 at HackerOne and number 1 at Cobalt.
Oliver Kunz
Semi-Offline Attack on the Android Full-Disk Encryption
With Android 5.0, Google announced to enable full-disk encryption with every device out-of-the-box. Along with other smartphone manufacturers announcing similar efforts, this lead to criticism by law enforcement officials. Interested in how "dark" we are actually going, we have analysed the security of Andoird's full-disk encryption. The assessment revealed that the previously known Offline Attack indeed was resolved by Google. However, by changing a small aspect in the attack prerequisites, we have discovered that a similar attack is still possible. We named this attack the Semi-Offline Attack, pinpointing that the device is required during the attack. Though, the computationally intensive calculations of key derivation functions is still leveraged to a different and more powerful host. While increasing the attack time and complexity, the difference between the Offline and Semi-Offline Attack are not huge.About the Speaker:
Oliver Kunz is an information security consultant. Working in the field of information security for several years. He has assisted his clients to resolve incidents, perform risk assessments, and analyse the security of applications. His current main field of research is mobile related security, in particular of Android systems and applications.
David Sancho
From your PC to your nearest ATM: a history of the sneakiest financial malware
The traditional way of milking dry a bank's automated teller machine (ATM) was to blow it up. Literally, steel and everything... but there's a new kid on the block. Modern criminal gangs around the world have now figured out that deploying ATM malware is an easy shortcut to jackpot up to the latest banknote inside. In this talk, we describe all the reasons that have led the criminals to develop their new golden goose, the strategies they use and each of the main malware families in this new battlefield as well as the criminal organizations responsible for this new threat. The challenge these malware writers face is accessing the special hardware of these machines: pinpad, card reader and the cash cassettes. Different malware families solve this their own particular way. The paper describes each family in detail as well as the geographical area it comes from. An overview of the criminal organizations behind these threats is presented. We will conclude with some lessons learned and recommendations on how to protect these very special machines.About the Speaker:
David Sancho joined Trend Micro in 2002, having fulfilled a variety of technical security-related roles. Currently, his title is Senior Anti-Malware Researcher, and he specializes in web threats and other emerging technologies. In his more than 17 years of experience in the security field, David has written and published a number of research papers on malware tendencies, has been featured in the media, and has participated in customer events where he has presented on business issues and malware-related topics. His interests include web infection methods, vulnerability exploitation, and white-hat hacking in general.
Tiago Balgan Henriques, Florentino Bexiga, Filipa Rodrigues, Ana Barbosa
I for one welcome our new Cyber Overlords! An introduction to the use of machine learning in cybersecurity
In this talk we will present some techniques that we use on a day to day basis in our research, where we combine our internet-wide data scanning and acquisition platform with ML/Data science techniques which allows us to find things faster or extract results in a more automated way. We will focus on practical cases and examples that even our audience at home will be able to use if they want. A couple of examples we will look at is how to classify images such as VNC screenshots, we will look at network scans and using machine learning to classify them and also the use of natural language processing to analyze CVEs. We will also talk a bit about a data analysis and classification pipeline architecture, we will look at the different technologies and what they do and how they can be used.We will start by giving a very brief entry to the data science world and talk about:
- Technologies
- Techniques
- How these relate to infosec
- Algorithms and how they can be used
- How people can come into the world of data and machine learning
- Data visualization techniques and what are the best choices for different types of data
We will also talk a bit about a data analysis and classification pipeline architecture, we will look at the different technologies and what they do and how they can be used. Some specific examples of our research that should give you an idea of some things we will talk about can be seen here:
About the Speaker:
Tiago, Filipa, Ana and Florentino swim in data every single day. From looking at what people are downloading to how they are exposing themselves, we LOVE DATA!
Tiago (@Balgan) is the CEO and Data necromancer at BinaryEdge however he gets to meddle in the intersection of data science and cybersecurity by providing his team with lovely problems that they solve on a daily basis.
Filipa (@filipacsr) is the Data Diva at BinaryEdge, she dances the macarena with numbers to get them to tell her all their dirty secret.
Florentino (@fbexiga) is the Data MacGyver at BinaryEdge, on a daily basis he needs to deploy infrastructure used to analyse big and realtime data.When not doing that he can be found creating models to analyse data,give me an orange, i’ll give you a skynet. Why an orange you ask? I’m hungry and like oranges, there!
Ana (@ana_barbosa90) is the Data Ferret at BinaryEdge. She is small and hides between the 110th and 111th characters of the ascii code to see and show data in that unique perspective of someone who can’t reach the box of cookies stored on top of the capitol ‘I’
Jonathan Claudius
Lessons Learned from a Bug Bounty Operator
Mozilla operates (one of) the oldest bug bounty programs in existence. In this presentation, I will share some of my experiences helping operate the web bug bounty program at Mozilla and some of the lessons I've learned along the way; the good, the bad, and the ugly.The goal of this presentation is two fold:
- Help other organizations understand the benefits/struggles of running their own bounty program
- And provide tips to bounty hunters to maximize bounties
About the Speaker:
Jonathan Claudius is a Pentester at Mozilla. He is a member of Mozilla’s Enterprise Information Security team; where he’s focused on security assessments, the Mozilla Web Bug Bounty program, and security engineering efforts.
He has over 15 years of experience in IT with the last 13 years specializing in offensive and defensive security roles. Before coming to Mozilla, Jonathan was a Senior Lead Security Researcher at Trustwave SpiderLabs. Jonathan has also presented at DEFCON, BlackHat, BSides Chicago, SOURCE Boston, THOTCON, and other leading security conferences.
Jérémy Matos
Introducing Man In The Contacts attack to trick encrypted messaging apps
Mobile messaging applications have recently switched to end-to-end encryption. With debates at the government level to ask for backdoors, those tools are perceived as unbreakable. Yet, most of the implementations trust the contact information stored in the smartphone. Given that end-users hardly know a few phone numbers and that modifying contacts is easy, we will introduce a new type of attack: Man In The Contacts (MITC).Without studying any cryptography, we will examine how WhatsApp, Telegram and Signal behave when an Android application is tampering with the contacts in background. For some scenarios, the end-user can be fooled in talking to the wrong person and a MITM proxy can be implemented.
Finally, we will discuss about countermeasures both at the technical and usability levels.
About the Speaker:
Jérémy Matos has been working in building secure software over the last 10 years. With an initial academic background as a developer, he was involved in designing and implementing a two-factor authentication product with challenging threat models, particularly when delivering a public mobile application. As a consultant he helped in the security requirements definition and implementation, including cryptographic protocols, for applications where the insider is the enemy. He also led code reviews and security validation activities for companies exposed to reputation damage. In addition, he participated in research projects to mitigate Man-In-The-Browser and Man-In-The-Mobile attacks.
Bárbara Vieira
Challenges of secure coding
At SIG we have an extensive experience in performing secure code reviews and guiding software developers on how to implement security best practices. Secure coding is an extremely challenging task and even trained developers struggle with defining, implementing and adopting secure coding guidelines. Over the last years we have found some gaps in the recommendations for secure coding guidelines that lead to enormous and recurrent difficulties in the development of secure applications. In this talk we will address this topic by presenting the challenges of secure coding, focusing in particular web applications security. We will also report on our findings regarding the ongoing security code review research performed in cooperation with the Radboud University Nijmegen in the Netherlands.About the Speaker:
Bárbara Vieira is a researcher from SIG based in Amsterdam, the Netherlands. Before she was a post-doc in the Digital Security group and PILab, at Radboud University Nijmegen, the Netherlands. She finished her PhD in 2012 at University of Minho, Portugal and has been actively contributing to the areas of information security, cryptography and privacy over the last years.
Francisco Ribeiro
Hacking Python
Python certainly is a great programming language to help you getting things done. It provides such a high level abstraction that makes humans so comfortable and confident about their code.In this talk, I will explore some of the most common bugs and misconceptions that can often be found in Python programs as well as some curiosities that you may find entertaining. I got a little inspiration from "WAT" a lightning talk by Gary Bernhardt.
This is an opportunity to learn more about how this language is designed, about the way its interpreter is implemented and to watch a hands on demo with code working in ways you may find surprising (even if the demo gods are with me and everything goes well!).
About the Speaker:
Francisco Ribeiro is a computer security engineer with over 10 years of work experience in both offensive and defensive sides. Francisco likes science and technology interested in computers since early age. Currently working for Mimecast as a Security analyst, most of his experience has been in penetration testing and source code analysis but also worked in forensic investigations and different aspects of monitoring.
Studied Computer Engineering in Faculty of Sciences on University of Lisbon where also became MSc on System Architecture and Computer Networks, enjoys learning programming languages specially when they come with a different way of thinking towards problems. UNIX, web, memory analysis are some of his areas of interest and lately has been interested in graph databases and machine learning.
Filipe Bernardo
Attackers Gh0st st0ries
This presentation will be about previous pentests i've done i'll show some examples and sometimes scary stuff that one can find in some organizations. The presentation would begin showing some stuff that is possible to do while testing WiFi networks, external networks, and webapps.It will show some default errors and some bad habits that people have, like for example, having default creds on some important services, and a lot of other mistakes or misconfigurations that sometimes could take down an organization.
The theme "Attackers gh0st st0ries" is kindly stolen from @Mubix, and will show also some stuff that sysadmins should protect.
About the Speaker:
Since young age i was very curious about computers, however was never a fan of consoles, but of ZXspectrum yes! (and later of course the PC)
I’ve worked as a Sysadmin for 12 years, mostly on a Public institution and on a Bank institution.
I work as a Pentester since 2011 and this is realy what i like to do!
I like to share experiences from all the work i’ve done as a sysadmin and pentesting.
Dima Bekerman
Brace YoSelf: DDoS is Coming
The interactive workshop starts with a DDoS attack being done against an organization, demonstrating the vague nature of such attacks. From there we continue to:- Learning about DDoS attack techniques - network & application, with different grades of sophistication. This includes live demos.
- Mapping assets, and addressing common organizational assets
- Going through the DDoS defense blocks, both in the organizational/procedural level and the layers of protection which can be used for such attacks
- Getting ready to Dday - Common pitfalls & training
- Network changes & configurations when under attack
- Communicating the attack
About the Speaker:
Dima Bekerman is a security researcher and data scientist at Imperva Incapsula’s security research labs, specializing in Human/Bots classification.
Dima holds a MSC in Cyber Security from Ben-Gurion University in Israel, in which he specialized in machine learning and data mining. Prior to being a security researcher in Imperva Incapsula, Dima was a researcher at Deutsche Telekom innovation laboratories and a developer at Applied Materials.