
Keynote Speakers

Stefan Friedli

Keynote: The Infosec Survival Field Guide

Information Security, what an exciting field to be working in. You get to be a part of a global community that secures technology and ensures a safe, digital environment for everyone.
Or at least, you get to try. While at the same time juggling half a dozen different, conflicting demands from stakeholders, trying not to get into a Twitter shitstorm just yet, somehow trying to figure out if shelling out some bucks for another industry certification might land you a better job.
This talk will take a look at the security industry and community and ask: Is that really what we signed up for? How can we cope with the growing pains of becoming a 124 billion dollar industry - and why?

About the Speaker:

Stefan Friedli has been working in infosec since 2003 after wasting his teenage years on assembler and shareware nag screens. He is a well-known face in the European infosec community. As a speaker at various conferences, co-founder of the Penetration Testing Execution Standard as well as a board member of the Swiss DEFCON groups chapter, he still strives to push the community and the industry forward.

Mario Heiderich

Keynote: How to build your own Infosec Company - An Ode to the Boutique, not the Behemoth

Hate your job, hate your boss, hate your coworkers even more, cannot stand getting up every morning at seven, just to commute right into an office full of nightmares? Worry no more, rescue is near.
This keynote will give you an overview of how best to get started with first building and then running your own security company, without going insane or even bankrupt in the process.
The speaker, whose handsomeness is obviously growing proportionally with his age, will share his own experiences in this realm, tell you about the pitfalls and death traps that accompany this process, and get you ready for the magic moment - you looking at your own small security company.
This talk will be quite honest, so don't expect the usual start-up convention garbage presentation for "serial entrepreneurs" and similar folks.

About the Speaker:

Dr.-Ing. Mario Heiderich, handsome heart-breaker, bon-vivant and (as he loves to call himself) "security researcher" is from Berlin, likes everything between lesser- and greater-than, leads the small yet exquisite pen-test company called Cure53 and pesters peaceful attendees on various 5th tier conferences with his hastily assembled powerpoint-slides.


Steve Lord

Reverse Engineering Microcontroller Firmware

Sometimes you find a microcontroller, and you just need to know what it does. In this talk, I will show you my approach to finding out.

Microcontrollers are typically used in everything from musical gift cards to space station cooling systems. Microcontrollers are seen as magical black boxes, when in reality they're usually designed to run software that does one or two things.

In this talk I'll show you how to go from knowing nothing about a microcontroller, to dumping the firmware and reversing the contents. Then I'll talk a little bit about approaches to exploring the attack surface and some things I've learned along the way.

This talk is about my workflow and approach to reversing microcontroller firmware. I'll put the demo firmware I reverse up online so you can play along. To play this game, you'll need:

* radare (http://radare.org/r/)
* avr-binutils (esp avr-objdump)
* a text editor

This talk will only be given at BSides Lisbon and will not be recorded. If you want to see it, you have to come here :)

About the Speaker:

Steve is the co-organizer of 44CON, the UK's best security conference. When not doing 44CON things, Steve likes to break things, reverse engineer hardware and do the odd bit of pentesting and forensics.

Rose Regina Lawrence

Social Engineering, Applied Educational Theory, and the Gap Between Them

In this space, we glorify and revel in impressive and amusing social engineering hijinks. This is all fun and good, until the point where we need to get our colleagues to be better about security and the only "soft skills" that we have learned about related to security are based on deception and manipulation.
While the framing of this talk is for changing security behaviours, the ideas are fairly broadly applicable for any situation where you are trying to support people making better, more informed choices.

While social engineering can be powerful for getting people to do things for you, the effect is short-acting and requires your constant intervention. Changing individual and organisational security practices requires a different approach to be effective, especially in the medium and long term. Effectively building awareness and competency in security behaviours is much more like other kinds of teaching and other kinds of behaviour change interventions, like public health. This talk will explore four basic ideas from these fields and how they can be applied. I will also cover the problems with using social engineering on your coworkers to effect security behaviours, and how and why it is counter-productive.

About the Speaker:

Rose Regina Lawrence is the digital security coordinator at Tactical Tech in Berlin. She has supported activists, human rights defenders, and journalists in heightened risk settings both in the US and internationally for over a decade. In 2012, she organised a workshop for OWS activists, clips of which later appeared in Laura Poitras’ Citizen Four documentary. Her graduate level training in Public Health/ Community Health Education with a focus on communicating for behaviour change on individual and collective risk has deeply shaped her approach to digital security education. In addition to digital security workshops and interventions for activists and their attorneys, she has developed materials and presented on digital security and sexuality, including the specific needs of sex workers, people who have experienced domestic and intimate partner violence, and the queer community.

Daniele Timo Secondi

OAuth 2: Beyond the Specs

What if you roll out OAuth, and realize there are a bunch of small things you didn’t consider? It’s what happened to us at Pipedrive, and although it’s likely not over just yet, we’re running smoothly. It’s a good time to share what we’ve learned and save others some time.

While building Pipedrive’s marketplace for third-party apps, we transitioned from API token authentication to OAuth, and it’s been an interesting learning experience.
In this talk, I will explain how the protocol works, discuss differences in how OAuth is implemented on different platforms, and explain how we managed the transition from API token to OAuth.
I will explain how CSRF attacks work in OAuth, how the state parameter can prevent them, how to manage synchronization between server and clients, and what you can run into when you roll out OAuth for dozens of apps.

About the Speaker:

I graduated in Computer Science in 2007 in Italy. I started developing Flash games when they were still a thing. Since then, I've worked on web projects for important brands in tech and digital publishing, moving from front-end to back-end. I now work in Developer Relations at Pipedrive, helping developers build integrations and sharing useful content.

Pedro Fortuna

Protecting Crypto Exchanges from a new wave of Man-in-the-Browser attacks

In the last year or so, we have seen a massive increase in the value of cryptocurrencies and the emergence of hundreds of new coins and ICOs, getting millions of people into an investment frenzy. A lot of them being non-technical regular consumers that rushed to create new accounts in the most popular crypto exchanges like Coinbase or Bitstamp.

Crypto exchanges are naturally appealing to attackers and have been targeted for as long as we can remember. However, since last year they are also being targeted by Man-in-the-Browser (MITB) attacks. Malware families such as Zeus Panda, Ramnit and Trickbot are already aiming at websites such as Coinbase.com or Blockchain.info.

In this talk, we will detail how these attacks work, from account takeover to moving the coins out to attacker-controlled wallets. We'll discuss current defenses, e.g. multi-factor authentication or strong SSL encryption, and why they are failing to mitigate this type of attack.

The fact is that unless we can ensure that users are not infected with trojans, which right now seems an impossible task, we'd better assume a few of them will end up having sessions with web injects.
We'll demo a new set of techniques that, instead of trying to prevent web injections, aim to detect and react to them.
These techniques, based on our work, rely on a combination of recent browser features (such as Mutation Observers) and the implementation of tamper-resistant integrity checks using a JavaScript agent running in an exchange webpage.
We’ll demo how the integrity of the exchange webpage can be protected even in the presence of a trojan installed on the client device.
We conclude with an evaluation of the effectiveness of this approach and discuss the value that it adds to existing solutions in the mitigation of MITB attacks.
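The detection side described above, as an added example that is not Jscrambler's agent or code from the talk: a small page-side JavaScript agent that watches an exchange's login form through a MutationObserver and flags the changes a web inject typically makes (an extra input field, an injected script, a changed form action), plus a periodic field-set audit that does not depend on the observer. The classification is a pure function over plain node descriptions so it can be exercised without a browser; `installAgent` wires it to the real DOM when one exists. The selectors, origins and report endpoint are assumptions.

```javascript
// Added example (not the talk's or Jscrambler's code): a page-side agent
// that detects web-inject style tampering of an exchange's login form.
// POLICY describes the legitimate page; the selectors and URLs are assumed.
const POLICY = {
  formSelector: '#login-form',
  allowedFields: ['username', 'password', 'otp'],
  allowedAction: 'https://exchange.example/session',
  allowedScriptOrigins: ['https://exchange.example'],
  reportUrl: 'https://exchange.example/integrity-report',
};

// Pure classification over a plain description of one mutation, so it can be
// tested without a DOM:
//   { type: 'childList', added: [{ tag, name, src, inline, inForm }] }
//   { type: 'attributes', target: { tag }, attr, value }
function classify(rec, policy = POLICY) {
  const findings = [];
  if (rec.type === 'childList') {
    for (const n of rec.added) {
      if (n.tag === 'INPUT' && n.inForm && !policy.allowedFields.includes(n.name)) {
        findings.push({ kind: 'unexpected-field', detail: n.name }); // e.g. an injected "PIN" box
      } else if (n.tag === 'SCRIPT') {
        const origin = n.src ? new URL(n.src, policy.allowedAction).origin : null;
        if (n.inline || !policy.allowedScriptOrigins.includes(origin)) {
          findings.push({ kind: 'injected-script', detail: n.src || 'inline' });
        }
      } else if (n.tag === 'IFRAME') {
        findings.push({ kind: 'injected-frame', detail: n.src || '' });
      }
    }
  } else if (rec.type === 'attributes' && rec.target.tag === 'FORM' && rec.attr === 'action') {
    if (rec.value !== policy.allowedAction) {
      findings.push({ kind: 'form-action-changed', detail: rec.value }); // credentials rerouted
    }
  }
  return findings;
}

// Periodic audit independent of the observer: catches fields injected before
// the agent started, or an observer that the trojan managed to disconnect.
function auditFields(currentNames, policy = POLICY) {
  const extra = currentNames.filter((n) => !policy.allowedFields.includes(n));
  const missing = policy.allowedFields.filter((n) => !currentNames.includes(n));
  return { ok: extra.length === 0 && missing.length === 0, extra, missing };
}

// Browser glue: flatten a real MutationRecord into the plain shape above.
function describeRecord(record, form) {
  if (record.type === 'childList') {
    const added = [];
    for (const node of record.addedNodes) {
      if (node.nodeType !== 1) continue; // elements only
      added.push({
        tag: node.tagName,
        name: node.getAttribute('name'),
        src: node.getAttribute('src'),
        inline: node.tagName === 'SCRIPT' && !node.getAttribute('src'),
        inForm: form.contains(node),
      });
    }
    return { type: 'childList', added };
  }
  return {
    type: 'attributes',
    target: { tag: record.target.tagName },
    attr: record.attributeName,
    value: record.target.getAttribute(record.attributeName),
  };
}

function installAgent(policy = POLICY, report = (f) => navigator.sendBeacon(policy.reportUrl, JSON.stringify(f))) {
  const form = document.querySelector(policy.formSelector);
  if (!form) throw new Error('watched form not found');
  const observer = new MutationObserver((records) => {
    for (const rec of records) {
      const findings = classify(describeRecord(rec, form), policy);
      if (findings.length) report(findings); // react: alert the backend, block submit, ...
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true, attributes: true, attributeFilter: ['action'] });
  setInterval(() => {
    const names = Array.from(form.querySelectorAll('input[name]'), (i) => i.name);
    const audit = auditFields(names, policy);
    if (!audit.ok) report([{ kind: 'field-set-drift', detail: audit }]);
  }, 2000);
  return observer;
}

// Only start in a browser; in Node the pure functions above are still usable.
if (typeof document !== 'undefined' && typeof MutationObserver !== 'undefined') installAgent();
```

The observer fires for nodes the inject adds anywhere in the document, not only inside the form, because injects frequently add their own script or iframe elsewhere and only then touch the form. The agent is itself a target: a trojan that can rewrite the page can also remove this script, which is why the "tamper-resistant" part the talk covers matters, and why the reports should be evaluated server-side rather than trusted on the client.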

About the Speaker:

Pedro Fortuna is CTO and Co-Founder of Jscrambler, where he leads the technical vision for the product suite and contributes his cybersecurity knowledge to R&D. Pedro holds a degree in Computing Engineering and an MSc in Computer Networks and Services, and has more than a decade of experience researching and working in application security. He is a regular speaker at OWASP AppSec events and other cybersecurity conferences, and also contributes to web development events. His research interests lie in the fields of application security, reverse engineering, malware and software engineering. He is the author of several patents in application security.
Presented at OWASP AppSec USA, OWASP AppSec EU, OWASP AppSecCali, BSides San Francisco, BSides Austin, BSides Lisbon, PHV@DEFCON26.

Martin vK

CookieMonstruo: Apple Flavour

A look at web cookie security on macOS, and at the idea that anti-malware solutions are not needed in the Apple world.

This talk will build on the "CookieMonstruo: Hijacking the Social Login" talks given in 2016 at different security conferences. In that talk I presented a post-exploitation PowerShell module that targeted Windows machines in order to gain access to the web cookies' local storage, and discussed the implications of an attacker gaining access to that information.

In this talk we would like to expand the attack to the Apple operating system, discuss the challenges and additional security features that need to be bypassed and evaluate how effective anti-malware solutions are at stopping these exploits.

About the Speaker:

Martin von Knobloch has been doing IT security stuff for the last 5 years. Apart from his role as a pentester and security advisor, he enjoys evangelizing regular citizens about what a dangerous place the Internet can be, while advising them on how to engage in safe IT security practices. Tired of getting the usual question that immediately follows after introducing himself as a white-hat hacker, "Oh, does that mean that you can hack my [insert social media site/e-mail provider/etc.]?", he decided to embark on a journey of discovering a "real" hacker's approach to achieving this goal.

Yevgen Goncharuk

Living with Kodi and a hole in your network

This presentation will show how big a risk abandoned Kodi extensions and plugins can be, by exploiting one and showing the potential damage that could come from an attack, using sinkhole data. (No innocent Kodis were harmed in the process.)

Kodi is one of the most used media players, and in large part this is due to its extensibility, the ability to install plugins and the wide range of devices it supports. However, Kodi plugins are a bigger source of trouble than it appears.

In this talk I will show how Kodi extensions are commonly abandoned and how someone could easily exploit this to gain access to a large number of networks or to build a massive botnet.

To do this, I'll briefly explain what Kodi is and how it works, show how to write an exploit to execute code on any Kodi installation, and show the results of sinkholing a large number of Kodi extension-based domains.

I'll also share a few ideas on why having your Kodi behind Tor/your $1 VPN provider is not that much fun.

About the Speaker:

Security researcher at BitSight Technologies. I love hacking and doing cyber stuff while drinking vodka and creating cool ICO ideas in my mind.

Pedro Chaves and Jan Pospisil

Data Analytics-Based Detection at Scale

In this talk we plan to present a data analytics platform built in-house, including some key components that enable us to efficiently correlate events and detect more sophisticated attacks.

In 2017, an average of 200,000 new malware samples were captured each day, an increase of 328% over the previous year. Cybercriminals have stepped up their game, and they already use advanced techniques to penetrate organizations' defenses.

In order to tackle the tremendous increase in attacks, we built a next-generation data analytics platform to extend and enhance the current systems in place.

In this talk, we will explore some of the challenges of building a data analytics platform in-house. Its components include a fully featured correlation engine that is highly scalable while maintaining low latencies, and the use of machine learning algorithms to detect more sophisticated attacks. We plan to provide an overview of this detection platform and discuss some components in detail, leveraging big data technologies like Apache Flink and Spark for complex correlation processes and data transformations on live streams of events. Moreover, we will discuss how we used a deep learning approach to identify malicious domains in command and control server traffic.

About the Speaker:

Pedro Chaves: I work at Siemens mainly as a developer for a next generation detection platform, which aims to improve the current Siemens detection capabilities. Prior to that, I received my Masters degree in information security at Universidade de Lisboa, Faculdade de Ciências. My professional interests mainly include distributed systems and stream/batch processing frameworks.
I love programming, playing video games and, on occasion, playing football with a group of friends.

Jan is Chief Data Scientist at SIEMENS Cyber Defense Center. He has a background in Artificial Intelligence and Machine Learning. Currently his focus is on building a SIEMENS-wide cyber defense platform based on AI. Before joining Cyber Defense Center Jan was Head of Data Science at SIEMENS MindSphere IoT platform. There his focus was on manufacturing optimization, predictive maintenance and digital twin.

Chris Le Roy

Hunting Android Malware: A novel runtime technique for identifying malicious applications

In this research, we propose a novel technique to identify malicious Android applications through the use of analyzing the heap of Android applications at runtime.

Android malware is a continuing problem in the Android ecosystem, even after 8 major Android releases. Android currently relies on implicit and explicit user participation to identify malicious applications, both on the Play Store and on devices. Currently multiple techniques exist to identify malware, such as code signatures, hashes, permission analysis and manual static analysis. These techniques rely on the premise that whoever or whatever is performing the analysis has access to the Android application (APK). However, performing these analysis techniques on devices is resource intensive, time consuming and also dependent on access to the APK.

What if no access to the APK is required to identify if an application is malicious? Currently no capability exists to scan for malicious applications at runtime on Android devices, at best there is static analysis on the application and its permissions. Additionally there is the Android Attestation framework, which attempts to provide information on the state of the device but does not provide information on the state of running applications.

In this research, we propose a novel technique to identify malicious Android applications by analyzing the heap of Android applications at runtime. The technique proposed does not require access to the contents of the APK, nor does it require write access to the application sandbox or memory, only read access to the process heap. The analysis of the heap allows the proposed technique to identify the instantiated objects for a particular application. The identification and analysis of instantiated objects for Android applications can be used to effectively identify applications that are making use of, and implementing, dangerous functionality such as DexClassLoader and other well-known objects that exhibit malicious behaviour.

The results of this research are showcased as a PoC, which shows how the technique can be bundled into the Android ecosystem as part of the Android Attestation Framework. The inclusion of this research as a system service via the Attestation Framework can enable the Android operating system or user to identify malicious applications at runtime via any Android application.

About the Speaker:

Chris is a security researcher based in London. He has not had an unusual entrance to infosec, coming from a Computer Science background which led him to dabble in software development for some time. This resulted in Chris realising he is a terrible dev and prefers breaking things, which led him to breaking things full-time. The breaking of things full-time has allowed Chris to share his ramblings at multiple conferences in the USA and Europe, where he enjoys sampling local beers. In his spare time, Chris attempts to make sauerkraut and make sense of Dalvik opcodes.

David Sopas and Pedro Umbelino

Exfiltrate all the things!

This talk is based on our research on air-gapped systems and covert channel exfiltration methods. Nation states spying on users seems pretty common these days, and we will show the audience how to implement these covert channels using NFC and visible light.

The presentation will be divided into two parts. Starting with a brief explanation on airgaps and data exfiltration, moving on to some of the existing techniques and finishing it with some of our own unpublished research, live demos included.

The speakers will show how it is possible to exfiltrate information using two different methods. First by abusing an IoT Bluetooth Low Energy light bulb and retrieving the information reflected off a wall or any other surface with an off-the-shelf smartphone. Then a different approach using NFC will be shown. What if you could use the NFC chip of a device at a longer range, and transmit information even from behind walls?

By the way, the speakers are not responsible for feds getting ideas on this talk. This is kind of a disclaimer.

About the Speaker:

David Sopas leads a team of security researchers at Checkmarx and is the co-founder of Char49. With more than 15 years of experience in pentesting and vulnerability research, he has been acknowledged by companies like Google, Yahoo!, eBay and Microsoft. Retired from his bug bounty hunting "career", David now focuses more on IoT security and tries to learn new things every day.

Pedro is a security researcher and consultant by day and Hackaday contributor by night. He started messing around with computers on a Spectrum, watched the bulletin board systems being dropped for the Internet, but still roams around in IRC. Known by the handle [kripthor], he likes all kind of hacks, hardware and software. If it’s security related even better.

Vitor Ventura

(in)Secure Messaging Apps - A lateral movement into your privacy

In an always-connected world, privacy is becoming more and more important. Privacy is important for all kinds of people, no matter what business or social status they are in. One of the cornerstones of privacy these days is secure messaging applications like Signal, WhatsApp or Telegram, which deploy end-to-end encryption to protect communications. However, having such a heterogeneous user base means that not everyone will be technologically educated enough to understand all the features and defaults of such applications. A deeper look into these applications showed that their lack of transparency and bad defaults are the perfect combination to break great crypto, leading to session hijacking at different levels and resulting in different user experiences and privacy exposures.

With the intent of showing that these applications are not transparent in the way they advertise their features, I will start by doing a quick round-up of the messaging applications, talking about their defaults, features and claims. This will set the stage for the whole presentation.
After that I will explain how the sessions can be hijacked and the limitations that come with it. The process itself is the first hole in some of the applications' claims. A demonstration of how each application deals with hijacked sessions is the second hole, and the third hole is how users are asked to deal with it, while also showing the implications of each case for the users' privacy. To show that this is not only theoretical, I will finally show malware found in the wild that exploits this method to allow its operators to hijack sessions. The presentation will end with a review of the initial claims of each application and how they can be refuted due to bad defaults and lack of transparency.

About the Speaker:

Vitor Ventura has worked in IT security for over 17 years, including secure architecture design, firewall management, identity and access management solution design and implementation, IDPS management, computer forensics, incident management and product evaluation. He thus has a very broad knowledge of computer operating systems and hardware. At IBM X-Force Red, Vitor led flagship projects like connected car assessments and oil and gas ICS security assessments, along with other IoT security projects, which led to a presentation at Recon.cx Europe in 2017. As IBM X-Force IRIS European Manager, Vitor worked on many cases involving compromised systems and malware, investigating malware infections in detail and performing reverse engineering of malware samples, leading to some worldwide alerts. Vitor has also supported several customers on DDoS ransom incidents, determining where the weaknesses are and how to remove or mitigate them, and contributing to SecurityIntelligence.com articles. Vitor was the lead responder at several high-profile organizations affected by the WannaCry and Nyetya infections, helping to determine the extent of the damage and to define the recovery path. Vitor is currently a security researcher and member of the Cisco Talos group in Europe, where he has published several analyses at talosintel.com. Vitor holds multiple security-related certifications like GREM (GIAC Reverse Engineering Malware), CISM (Certified Information Security Manager) and MITS (Master IT Specialist – Security).

Ricardo Gonçalves

Rogue One: A WiFi story

An always on, all times and everywhere connected life is today's mantra. This in turn adds the need for an increasing number of available Wi-Fi Access Points (APs). These can be located almost everywhere: schools, coffee shops, shopping malls, airports, trains, buses, hotels... This proliferation raises the following questions:

- Among all these APs how can a user be sure that (s)he is connecting to a trusted source?
- In a small-medium sized company how do they guarantee their wireless security in a cost-effective way?

In order to address these questions there is the need to effectively detect Rogue Access Points (RAPs). There are open source solutions described in the literature and others developed within enterprises for commercial purposes. Relative to the latter, it has become obvious that they are not accessible to everyone due to their high costs, and the former do not address all the types of RAPs.

In this work, we research solutions to detect RAPs and do a thorough survey of the most commonly used and recent Wi-Fi attack types. Based on this knowledge we developed a solution to detect RAPs, Rogue AP Detector, which covers the most commonly known attacks. This proposed solution is a modular framework composed of Scanners, Detectors and Actuators, which are responsible for scanning for available APs, applying a set of heuristics to detect RAPs, and applying a countermeasure mechanism.

About the Speaker:

Working as a security tester at a stock exchange by day, and as a security researcher by night, Ricardo likes to find creative ways to find and exploit vulnerabilities. He's driven by the thrill of learning new subjects and acquiring new knowledge. Breaking security for better security.

Vincent Ruijter

Securing Attacking Kubernetes

A purple team talk targeting Kubernetes deployments. Demonstrating several attack vectors and the corresponding mitigations.

This talk's focus lies on a popular containerization tool called Kubernetes.
Common implementations of Kubernetes are not secure by default and a lot of information about hardening is not known to the public. Since version 1.7 the security level has increased and common security misconfigurations have been mitigated. During this talk it will be demonstrated what happens if these mitigations are not applied and how to abuse them. The talk will be about both securing and attacking the platform and could be considered a ‘purple team’ talk. Multiple live demos are planned, most of them ending in a guest-to-host escape and a root shell.

Technical details
This talk will demonstrate some techniques for attacking containers (pods) and performing privilege escalation attacks on Kubernetes instances. Kubernetes containers are usually configured to run as root and allow the so-called 'privileged mode'. This feature can facilitate a guest-to-host escape, as privileged mode enables full access to the node's block devices (/dev/sda1, volume groups etc.).
Running the container as root and mounting the file system results in full host compromise.
It is however possible to protect against these attacks by creating a network policy, pod security contexts, and by including other additional security measures, which will be introduced and demonstrated during the talk.
Several demos are planned: the first demo will demonstrate an attack through the Kubelet API (the core API), which spawns a privileged container with a mount of the host's root file system. The second demo will demonstrate the attack through an insecure Kubernetes Dashboard deployment. Other examples and recent attack examples will be provided and explained, including the SSRF vulnerability found in Shopify which led to root access on any container in the instance.
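The escape described above, as an added example that is not part of the talk or its demo code: the pod spec an attacker with API access submits (privileged, hostPID, a hostPath mount of the node's root filesystem, running as root), a hardened spec with a restrictive security context, and a check in the style of an admission controller that rejects the first and admits the second. The manifests are written as JavaScript objects mirroring the v1 Pod schema rather than YAML so the check can be run; image names and user IDs are made up.

```javascript
// Added example (not the talk's code): the pod spec an attacker with API
// access submits to escape to the node, the hardened spec, and a check in
// the spirit of a PodSecurityPolicy / admission webhook that rejects the
// former. Objects mirror the Kubernetes v1 Pod schema; names are made up.

const escapePod = {
  apiVersion: 'v1', kind: 'Pod',
  metadata: { name: 'escape' },
  spec: {
    hostPID: true,                                       // see every process on the node
    containers: [{
      name: 'shell', image: 'alpine',
      command: ['sh', '-c', 'chroot /host /bin/sh'],     // root shell on the node
      securityContext: { privileged: true },              // all capabilities, all of /dev
      volumeMounts: [{ name: 'root', mountPath: '/host' }],
    }],
    volumes: [{ name: 'root', hostPath: { path: '/' } }], // the node's root filesystem
  },
};

const hardenedPod = {
  apiVersion: 'v1', kind: 'Pod',
  metadata: { name: 'app' },
  spec: {
    containers: [{
      name: 'app', image: 'registry.example/app:1.0',
      securityContext: {
        privileged: false,
        allowPrivilegeEscalation: false,  // no setuid binaries gaining more than the process has
        runAsNonRoot: true,
        runAsUser: 10001,
        readOnlyRootFilesystem: true,
        capabilities: { drop: ['ALL'] },
      },
      volumeMounts: [{ name: 'tmp', mountPath: '/tmp' }],
    }],
    volumes: [{ name: 'tmp', emptyDir: {} }],            // never hostPath
  },
};

// Admission-style check: returns the list of violations (empty means admit).
function auditPod(pod) {
  const violations = [];
  const spec = pod.spec || {};
  for (const key of ['hostPID', 'hostNetwork', 'hostIPC']) {
    if (spec[key]) violations.push(`${key} is enabled`);
  }
  for (const vol of spec.volumes || []) {
    if (vol.hostPath) violations.push(`volume ${vol.name} mounts host path ${vol.hostPath.path}`);
  }
  const podSC = spec.securityContext || {};
  for (const c of spec.containers || []) {
    const sc = c.securityContext || {};
    if (sc.privileged) violations.push(`container ${c.name} is privileged`);
    if (sc.allowPrivilegeEscalation !== false) violations.push(`container ${c.name} allows privilege escalation`);
    // Container-level settings override pod-level ones; absence means root.
    const runAsNonRoot = sc.runAsNonRoot ?? podSC.runAsNonRoot;
    const runAsUser = sc.runAsUser ?? podSC.runAsUser;
    if (!runAsNonRoot && (runAsUser === undefined || runAsUser === 0)) {
      violations.push(`container ${c.name} may run as root`);
    }
    const drops = (sc.capabilities && sc.capabilities.drop) || [];
    if (!drops.includes('ALL')) violations.push(`container ${c.name} does not drop all capabilities`);
    const adds = (sc.capabilities && sc.capabilities.add) || [];
    if (adds.includes('SYS_ADMIN')) violations.push(`container ${c.name} adds CAP_SYS_ADMIN`);
  }
  return violations;
}

console.log('escape pod:', auditPod(escapePod));
console.log('hardened pod:', auditPod(hardenedPod));
```

In a PodSecurityPolicy (the mechanism available at the time of the talk; the `restricted` profile of Pod Security Admission in current Kubernetes) the same controls are `privileged: false`, `allowPrivilegeEscalation: false`, `runAsUser: MustRunAsNonRoot`, `requiredDropCapabilities: [ALL]` and a `volumes` list that omits `hostPath`. A NetworkPolicy that denies pod egress to the kubelet's API port (10250) and to the dashboard service closes the two paths the demos above use to get such a pod scheduled in the first place.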

About the Speaker:

Pacifistic Internetveapon @ KPNs (Royal Dutch Telco) CERT, who thinks he knows Linux. Moderator @ null Amsterdam chapter, with an endless curiosity for all things binary. Knows how to quit Vi ^[ESC!wqwq:wq!

Ivo Ricardo Guerreiro Vacas

Open Source Intelligence based Intrusion Detection System

The presentation shows the implementation of an Intrusion Detection System based on Open Source Intelligence and how it behaves.

Cybercrime has steadily increased over the last years, and is nowadays the greatest security concern of most enterprises. Institutions often protect themselves from attacks by employing intrusion detection systems (IDS) that analyze the payload of packets to find matches with rules representing threats. However, the accuracy of these systems is only as good as the knowledge they have about the threats. Nowadays, with the continuous flow of novel forms of sophisticated attacks and their variants, it is a challenge to keep an IDS updated. Open Source Intelligence (OSINT) could be exploited to effectively obtain this knowledge, by retrieving information from diverse sources.
This presentation proposes a fully automated approach to updating the IDS knowledge, covering the full cycle from OSINT data feed collection to the installation of new rules and blacklists. The approach was implemented and assessed with 49 OSINT feeds and production traffic. It was able to identify in real time various forms of malicious activity, including botnet C&C server communications, remote access applications, brute-force attacks, and phishing events.
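The last stage of the cycle described above, as an added example that is not the speaker's implementation: two constructed OSINT feed snippets (a C&C IP list and a phishing/C2 domain CSV) are parsed, validated, deduplicated and turned into Suricata rules and an IP blacklist. The validation is the security-relevant part: a feed is untrusted input, and a hostile line must not be able to inject rule syntax into the sensor's configuration. Feed formats, the SID range and the rule wording are assumptions.

```javascript
// Added example (not the speaker's code): OSINT feed -> IDS rules.
// The two feeds below are constructed for the example, in two common shapes:
// one IP per line with '#' comments, and a CSV of domain,category.
const IP_FEED = `# constructed C&C IP feed (not real data)
198.51.100.23
203.0.113.77
198.51.100.23
999.1.1.1
`;

const DOMAIN_FEED = `domain,category
login-verify.example,phishing
cdn.malicious.example,c2
"bad;alert(";inject,phishing
`;

const SID_BASE = 9000000; // local-rule SID range, assumed free on the sensor
const IPV4 = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;
const HOSTNAME = /^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$/i;
const CATEGORY = /^[a-z0-9_-]{1,32}$/i;

// One IP per line; duplicates collapse, anything that is not an IPv4 address
// is reported rather than silently passed through.
function parseIpFeed(text) {
  const seen = new Set();
  const rejected = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    if (IPV4.test(line)) seen.add(line);
    else rejected.push(line);
  }
  return { indicators: [...seen], rejected };
}

// CSV with a header. Both columns are whitelisted, so a hostile feed line
// cannot smuggle ';' or '"' into the generated rule text.
function parseDomainFeed(text) {
  const seen = new Map();
  const rejected = [];
  const lines = text.split('\n').map((l) => l.trim()).filter(Boolean);
  for (const line of lines.slice(1)) {
    const [domain = '', category = ''] = line.split(',').map((s) => s.trim());
    if (HOSTNAME.test(domain) && CATEGORY.test(category)) seen.set(domain.toLowerCase(), category.toLowerCase());
    else rejected.push(line);
  }
  return { indicators: [...seen], rejected };
}

// Suricata 5+ rule syntax (assumption: that is what the sensor consumes).
function buildRules(ips, domains, sidBase = SID_BASE) {
  const rules = [];
  let sid = sidBase;
  for (const ip of ips) {
    rules.push(`alert ip $HOME_NET any -> ${ip} any (msg:"OSINT C2 IP ${ip}"; classtype:trojan-activity; sid:${sid++}; rev:1;)`);
  }
  for (const [domain, category] of domains) {
    rules.push(`alert dns $HOME_NET any -> any any (msg:"OSINT ${category} domain ${domain}"; dns.query; content:"${domain}"; nocase; endswith; classtype:trojan-activity; sid:${sid++}; rev:1;)`);
  }
  return rules;
}

function run() {
  const ips = parseIpFeed(IP_FEED);
  const domains = parseDomainFeed(DOMAIN_FEED);
  return {
    rules: buildRules(ips.indicators, domains.indicators),
    blacklist: ips.indicators, // e.g. loaded into an ipset or firewall blocklist
    rejected: [...ips.rejected, ...domains.rejected],
  };
}

console.log(run().rules.join('\n'));
```

Two things a production version has to add: SIDs must be stable across runs (keep a persistent indicator-to-SID map, bump `rev` when a rule changes) so that alert history and suppressions stay meaningful, and indicators should expire, since a feed entry that is months old mostly produces false positives once the infrastructure has been reassigned.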

About the Speaker:

Over the past few years I've been an IT support, network and telecommunications administrator, and right now I'm an IT security analyst at Centro Nacional de Cibersegurança. I recently finished my Master's in Information Security, so my present academic vein made me write a couple of papers focusing on cybersecurity and networks. More (or less) info @ https://www.linkedin.com/in/ivo-vacas-84960a102

Saâd Kadhi

Cruising Ocean Threat with TheHive, Cortex & MISP without Sinking

TheHive, Cortex and MISP form a highly integrated, free, open source stack used by many teams to perform CTI and DFIR related activities. In this talk we'll showcase the main features of this powerful trio and cover some automation, collaboration and response use cases.

TheHive, a Security Incident Response Platform, and its sidekick Cortex, a powerful observable analysis and response engine, are feature-packed, free, open source software used by many teams of all sizes around the world to manage alerts and notifications from various sources (emails, SIEM, IDS/IPS, intelligence providers...), manage security incidents, collaborate through a field-proven workflow to handle investigations swiftly, analyze observables at scale using more than 80 different analyzers, and perform active response.

TheHive and Cortex are more efficient when used alongside MISP, the de facto standard for threat sharing, with which they are highly integrated. Thanks to MISP, TheHive and Cortex can pull events from multiple instances, search for key indicators of compromise in those instances and others, and share investigation results selectively with different communities.

In this talk we will introduce TheHive, Cortex and MISP to the audience, cover their main features to help automate and mature CTI and DFIR activities and provide a few use cases to demonstrate their power.

About the Speaker:

Saâd Kadhi, head of CERT Banque de France and TheHive Project leader, has 20 years of experience in cybersecurity. He discovered incident response and digital forensics in early 2008 and has been working exclusively in this fascinating field since then. He built a CSIRT at a French multinational food-products corporation and worked as an analyst at CERT Société Générale before joining the French national central bank where he leads a team of 22 analysts. He frequently writes information security articles in a leading French magazine. He also co-organizes the Botconf security conference.

Nicolas Mattiocco

SecOps Automation and Orchestration

How SecOps Automation and Orchestration tackle today's cybersecurity challenges.

A company, regardless of its size and market power, may go out of business or lose a lot of value because of a security incident on its information system.

The number of vulnerabilities and the interest of cyber-attackers are only increasing. With the advent of the monetization of botnet cyber attacks or the installation of crypto-miners, for example, threats are becoming more varied and intense, but less targeted. The vast majority of companies are digital and increasingly exposed on the Internet. The level of cyber exposure is also higher. "Cyber" risk has become vital.
Today, everything has changed and tomorrow everything will change even faster. Where manual analysis was sufficient, paradigms of risk assessment are moving towards more automation. But we need intelligent automation.

This automation strategy also tends to address the drastic lack of competent cyber security resources and retention of talents. The automation of recurrent, time-consuming and low-value-added tasks will allow teams to focus on more complex and therefore more motivating topics.

The use of open-source products will be highlighted and lessons learned will be shared:
- SAST and DAST automation (processes and tools) in a CI/CD pipeline
- Quick introduction to PatrOwl, a free, open-source and scalable Security Operations Orchestration platform

About the Speaker:

An expert with 10 years of experience in information security, I have performed various security consulting engagements, from penetration tests to global risk assessments and implementation of security solutions.
I have been a freelancer for 3 years and am currently onboarded in the Red Team of a CERT in a large financial institution.
I am also the founder of PatrOwl, a scalable, free and open-source solution for orchestrating Security Operations.

Vitor Ventura and Warren Mercer

VPNFilter - YetAnotherBotNet or maybe not....

VPNFilter - YetAnotherBotNet or is it more than that?! A different view into VPNFilter from the technical analysis of its modules to the possible motivations behind some design decisions.

The massification of the Internet through IoT, Wi-Fi routers and media centers has changed the threat landscape. Since the Mirai botnet, launched in August 2016, we have been seeing attackers exploit home equipment for illicit activities. On the other hand, the existence of state-sponsored groups is not new, and both private and public organizations have linked many such groups to countries like Russia or North Korea. But until now, a botnet with the characteristics of a state-sponsored group had never been seen. In fact, no official organization had ever attributed a large botnet to a state-sponsored group. VPNFilter represents the first botnet based on home devices that has been attributed to a state-sponsored group and that really has the characteristics of one. It has infected over 500,000 routers in more than 50 countries; it is highly adaptive and modular, all the necessary features of a perfect attack platform. In this talk I will do a technical walkthrough of the modules and explain the possible motivation behind some of the design decisions. VPNFilter represents a change in the way we look at the security of organizations: while some modules try to attack organizations directly, others are used for lateral attacks. It is not just a network worm; it was developed with the intention of using the end user as an attack platform, which makes attribution extremely hard. Also, as its targets are home routers, it has total access to the Internet traffic passing through them. This allows lateral movement to computers on the internal network with reduced effort. Throughout the presentation I will talk about the geopolitical context and how it has influenced the decisions of its creators. VPNFilter has to be framed within the current cybersecurity landscape.

About the Speaker:

Vitor Ventura has worked in IT Security for over 17 years, including secure architecture design, firewall management, identity and access management solution design and implementation, IDPS management, computer forensics, incident management and product evaluation. He thus has a very broad knowledge of computer operating systems and hardware. At IBM X-Force RED, Vitor led flagship projects like Connected Car assessments and Oil and Gas ICS security assessments, along with other IoT security projects, which led to a presentation at Recon.cx Europe in 2017. As IBM X-Force IRIS European Manager, Vitor worked on many cases involving compromised systems and malware, investigating malware infections in detail and performing reverse engineering of malware samples, leading to some worldwide alerts. Vitor has also supported several customers on DDoS ransom incidents, determining where the weaknesses are and how to remove or mitigate them, and contributing to SecurityIntelligence.com articles. Vitor was the lead responder for several high-profile organizations affected by the WannaCry and Nyetya infections, helping to determine the extent of the damage and to define the recovery path. Vitor is currently a security researcher in the Cisco Talos Group in Europe, where he has published several analyses at talosintel.com. Vitor holds multiple security-related certifications such as GREM (GIAC Reverse Engineer Malware), CISM (Certified Information Security Manager) and MITS (Master IT Specialist – Security).

Warren Mercer joined Talos coming from a network security background, having previously worked for other vendors and the financial sector. Focusing on security research and threat intelligence, Warren finds himself in the deep, dark and dirty areas of the Internet and enjoys the thrill of the chase when it comes to tracking down new malware and the bad guys! Warren has spent time in various roles throughout his career, ranging from NOC engineer to leading teams of other passionate security engineers. Warren enjoys keeping up to speed with all the latest security trends, gadgets and gizmos; anything that makes his life easier in work helps!

Ana Respício, Fernando Alves, Alysson Bessani and Pedro Ferreira

Project DiSIEM: Diversity Enhancements for Security Information and Event Management

This talk presents the DiSIEM EU H2020 Project (http://disiem-project.eu/) with a special focus on its impact in terms of innovation and the current results of the project development.

The DiSIEM project aims to address the limitations of SIEMs already deployed in production. Instead of proposing novel architectures for future SIEMs or modifications to existing ones, the project addresses these limitations by extending current systems, leveraging their built-in capacity for extension and customisation. The core idea of the project is to enhance existing SIEM systems with several diversity mechanisms, representing five main advances in the state of the art:

1. Integrate diverse OSINT (Open Source Intelligence) data sources available on the web. This data needs to be fetched, analysed, normalised and fused to identify relationships, trends and anomalies, and hence help react to new vulnerabilities in the infrastructure or even predict possible emerging threats against the infrastructure monitored by the SIEM.
2. Develop novel probabilistic security models and risk-based metrics to help security analysts decide which infrastructure configurations offer better security guarantees, and to increase the capacity of SOCs to communicate the status of the organisation to C-level managers.
3. Design and deploy novel visualisation methods to present the diverse live and archival data sets, to better support the decision-making process by enabling the extraction of high-level security insight from the data, which will be used by the security analysts working in the SOCs that operate the SIEM.
4. Integrate diverse, redundant and enhanced monitoring capabilities into the SIEM ecosystem, to increase the value of the events fed to the system. Likewise, we propose to deploy and integrate novel behavioural anomaly detectors for business-critical applications and thus improve the SIEM's visibility into the functional security status of these monitored applications.
5. Add support for long-term archival of events in public cloud storage services. In order to satisfy the security requirements of such data (which contains a lot of sensitive information), we will store these events across diverse cloud providers (e.g., Amazon, Windows Azure, Google), employing techniques such as secret sharing and information dispersal.

These contributions are materialised through a set of tools and components, in the form of plugins, that can be integrated into existing SIEM systems. For example, redundant diverse analysis and trends obtained through OSINT sources can be fed to the SIEM, while new visualisation and analysis tools can be integrated by fetching data from the SIEM event database.

The talk will provide an overview of the components that have been implemented in DiSIEM.

About the Speaker:

Ana Respício is Assistant Professor at Departamento de Informática da Faculdade de Ciências da Universidade de Lisboa, where she teaches Information Security Risk Analysis and Management in the Information Security Master Program. She is a senior researcher at CMAF-CIO and her research interests include cybersecurity risk management, decision support, and optimization. She serves as vice-chair of the IFIP Working Group 8.3 on Decision Support. Currently she is task leader in the EU Horizon2020 DiSIEM project (cybersecurity) and in the National FCT DOIT project (IoT), and is a member of the COST Action High-Performance Modelling and Simulation for Big Data Applications. Website: respicio.at.di.fc.ul.pt
André Baptista and Federico Bento

Modern Binary Exploitation Techniques for Linux

We are not in the 90's anymore. Many memory corruption mitigations have been introduced over the years. Are you curious about memory corruption vulnerabilities, or do you want to learn how to develop exploits that work today? We prepared this workshop for you!

In this workshop we will cover modern exploitation techniques, including: ROP chains, read/write-what-where primitives, return to libc, heap exploitation, use-after-free and kernel exploitation techniques. We will focus on Linux, using simple examples, but these techniques can also be used on other operating systems.
* Basic knowledge about binary exploitation mitigations (ASLR, NX, Stack Canaries)
* Reverse engineering techniques (static and dynamic analysis)
* Debugging on Linux with GDB (GEF - GDB Enhanced Features recommended)
* Pwntools installed on a Linux distribution (Ubuntu 16.04 recommended)

About the Speaker:

André is a security researcher and bug bounty hunter. Currently, he is an invited professor at the University of Porto (MSc in Information Security) and the captain of the xSTF CTF team. He is a researcher at INESC TEC and he also contributes to C3P (Center of Competence in Cyber Security and Privacy). He's known for finding a critical SSRF in the Shopify cloud infrastructure and for being named MVH at H1-202, a live-hacking event organized by HackerOne this year.

Federico is just your average dude who enjoys computer security related topics. He's currently taking his Master's in Information Security at the University of Porto, so if you think he's cool enough, offer him a job that pays him loads of money. He's very much interested in memory-corruption-type bugs, exploitation techniques against real-world systems/defenses, reverse engineering and all those nice things. He's known (to his mommy) for having written a couple of exploits against real targets, winning a Pwnie and being nominated for another Pwnie.

Rémi Escourrou and Nicolas Daubresse

Active Directory security: 8 (very) low hanging fruits and how to smash those attack paths

Pentesters and attackers often exploit the same obvious vulnerabilities in Active Directory. Come learn how to exploit and mitigate them.

Welcome to Noob Firm, the most insecure network ever: we have a very large Active Directory environment and we do no security at all. So far, no one has ever hacked our corporate network (at least we hope), but our new CISO requires us to perform a security assessment.
Your mission, should you choose to accept it, is to evaluate our security level and fix the issues.

Detailed content

In this fully hands-on workshop, we'll guide you through 8 of the lowest-hanging-fruit weaknesses that we have witnessed during numerous penetration tests. You'll learn how to:
* Spot passwords inside user descriptions
* Find passwords on shared folders
* Spray passwords over accounts
* Quickly detect obsolete workstations and servers
* Get free password hashes by kerberoasting
* Pivot from machine to machine by reusing local credentials
* Spot machines where Domain Admins are connected
* Retrieve Domain Admins credentials in memory

CrackMapExec, PowerView, SharpRoast and Mimikatz will be your best friends during this workshop.
Hands-on exercises will be performed in our lab environment of more than twenty virtual machines. For each attack, we will also discuss mitigation techniques.


This training is aimed at people who want to get started with Active Directory security through hands-on sessions. There is no specific requirement for attendees beyond a basic IS and infosec culture.
All attendees will need to bring a laptop capable of running virtual machines (4GB of RAM is a minimum). Each attendee will be given a USB key with a Windows virtual machine with the necessary pentesting tools to perform the lab sessions.

About the Speaker:

Rémi Escourrou (@remiescourrou) is a security consultant at Wavestone. For 3 years, he has been developing his skills as a pentester of IT infrastructure, and more specifically of Active Directory environments. He is also involved in the CERT-W as a First Responder.

Nicolas Daubresse (@nicolas_dbresse) is a security consultant at Wavestone. For 3 years, he has mainly performed penetration tests on global IT infrastructure and Active Directory environments. Involved in the CERT-W, he has also had the occasion to see the other side of the attack.

Hans-Martin Münch and Timo Müller

Binary protocol analysis with CANAPE

CANAPE is a Windows toolkit for analyzing binary protocols in a graphical environment, written by James Forshaw. This workshop provides a practical overview by analyzing an example protocol.

CANAPE is a capture and manipulation tool for arbitrary network protocols. It was developed by James Forshaw during his time at Context IS. Simplified, CANAPE can be described as "Burp for binary protocols".
Sadly, the tool is not well documented, which often causes trouble for users who have never worked with CANAPE before. This workshop tries to fix that by providing a practical overview of CANAPE. It is based on an original workshop that James Forshaw hosted in 2014 at 44CON.


Participants must have a Windows system (at least Windows 7); virtual machines are fine.

About the Speaker:

Hans-Martin Münch: CEO of MOGWAI LABS GmbH, a small security consulting company from southern Germany.

Timo Müller: a Computer Science student in Ulm working at MOGWAI LABS GmbH. He is passionate about everything regarding IT security and CTFs.