If you ask a group of people at a security conference, “tell me about your background”, chances are the answers you get won’t be conventional. We are lucky to have an eclectic community, each person with their own unique education, experience and interests. Yet much of how things are done isn’t defined by these qualities.
If you’ve attended a conference in the last ten years, you’ll have encountered a pattern. Once the fun part (the research) is done, findings are relegated to presentations. As an attendee you struggle to experience the genius of the work, with the research confined to a slow-motion 2D experience. But what if we could experience presentations under different circumstances, outside of rigid structures? Join me on a journey through curiosity, resourcefulness and imagination. This is a story about redefining the way in which we share information, about using our hidden talents to guide the work that we do and imparting a little magic into the everyday.
Leigh-Anne Galloway is a Security Researcher who specializes in application and payment security. Leigh-Anne started her career in incident response, leading investigations into payment card data breaches, which is where she discovered her passion for payment technologies. She has presented and authored research on ATM security, application security and payment technology vulnerabilities, and has previously spoken at DevSecCon, BSides, Hacktivity, 8dot8, OWASP, Troopers and Black Hat USA. She loves her cat, 8-bit music and Frida Kahlo. She believes we can all bring a little bit of magic to the world.
After two decades, the security industry is now an adult. This talk looks back at our irresponsible teenage years and at why, now that we have grown up, we need to embrace a model of responsible research and disclosure.
Daniel Cuthbert is the Global Head of Security Research for Banco Santander. With a career spanning over 20 years on both the offensive and defensive side, he has seen the evolution of hacking from small groups of curious minds to the organized criminal networks and nation states we see today. He is the original co-author of the OWASP Testing Guide, released in 2003, and now co-author of the OWASP Application Security Verification Standard (ASVS).
Not another hardware hacking talk. This talk is about hacking *with* hardware. Creative hackers have built their own hardware throughout our (short) history, and today it is easier than ever to build your own purpose-built hacking gadgets. We will talk about what has been built and how you can make your own, by analysing a custom piece of hacking hardware that will be released during the talk.
A fully fledged hacker loves to build stuff. Who doesn't dream of having their own 'Hollywood'-style hacking gizmo, designed and built by themselves?
In this talk, I will take a walk down memory lane and talk about the very first pieces of hardware that were built out of a need to hack into something: Alan Turing's 'Bombe', blue boxes, the Rubber Ducky and the Proxmark are some examples. Then I will show how hackers with little electronics background can start their own projects, which resources they can use and some tips & tricks, culminating in an analysis of the build process, from simple schematics to a fully working prototype, of my own *unreleased* piece of hardware: XXXXXX.
We live in exciting times, with hardware cheaper than ever, extensive part documentation and an online community for almost every part. It's the perfect time to start building our own hacking hardware.
Pedro is a security researcher by day and Hackaday contributor by night. He started messing around with computers on a Spectrum, watched bulletin board systems being dropped for the Internet, but still roams around on IRC. Known by the handle [kripthor], he likes all kinds of hacks, hardware and software. If it's security related, even better.
Sergio Serrano and Marcelo Almeida
With or without zero-trust network architectures, VPNs are always an interesting piece of infrastructure. As always, the mythical balance between usability and security needs to be struck, but we intend to handle that with a scalable solution, meaning that dealing with one or one thousand users imposes a constant operational cost while not eroding the security properties we defined.
In this talk, we're going to show how we got past some of the hurdles that an enterprise VPN imposes, using cutting-edge technologies like [WireGuard](https://www.wireguard.com/) and [HashiCorp Vault](https://www.vaultproject.io/).
After years of dealing with VPN solutions that always seemed to lack something that a truly secure solution should offer, we finally heard of WireGuard. Its design principles seemed to be the answer to all our prayers. That meant one thing and one thing only... "too good to be true". Well, challenge accepted!
Choosing WireGuard posed several challenges, mainly due to the lack of tooling around such an important piece of infrastructure. Nevertheless, it was still an extremely interesting option, and in this talk we present some solutions for the challenges we found.
The problems we were trying to solve
- Auditing capabilities
- Session management
- Simple client setup
- Connection stability
- Low complexity of server setup
- Per client ACLs
- Low key sprawl
How do we solve them?
Our proposed solution is based on WireGuard for the VPN service and HashiCorp Vault for secret management and dynamic VPN service management. We manage peers in Vault via their public keys and update the WireGuard server configuration dynamically. To achieve this we've developed a Vault plugin that dynamically hands out peer IPs while keeping some control over them (like a simple DHCP server), acts as a configuration generator and distribution facilitator for end-users and peers, and populates the WireGuard configuration so that users can establish connections to the VPN server.
All the above reasons are very true; however, we also really wanted to try a solution that enabled the deployment of a VPN with minimal configuration (in other words, IPsec was not an option), took advantage of modern cryptographic choices like ChaCha20, and provided users with a simple, secure and stable VPN. Also, as fans of the Unix "do one thing well" philosophy, WireGuard was an awesome candidate. All this was glued together with Vault for most of the tooling and plumbing, and since we already knew the capabilities of Vault, that gave us good reason to try out this solution. Finally, as fans of the open-source philosophy, we wanted to present this work to others so that it could be criticised and improved.
Sérgio Serrano is a security engineer with over 15 years of experience, from software development to network engineering, crossing through minefields of security endeavours and jumping over platforms of cartoons. He currently works as Security Technology Advisor at Talkdesk.
Marcelo is highly passionate about automation, monitoring and reliability, always looking forward to building ultra-scalable, highly reliable and resilient systems. He also loves to ride bikes.
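To make the peer-management model above concrete, here is an added Python example (not the speakers' Vault plugin, whose code is not on this page). It plays the plugin's roles in memory: it hands out one tunnel address per public key, renders the server's [Peer] blocks, and renders a client config. The keys, endpoint and tunnel subnet are constructed placeholders.

```python
import ipaddress

# Constructed placeholders: real WireGuard keys are base64 Curve25519 keys and the
# endpoint is whatever the server advertises; none of these values are from the talk.
SERVER_PUBLIC_KEY = "SERVER_PUBLIC_KEY_BASE64_PLACEHOLDER="
SERVER_ENDPOINT = "vpn.example.com:51820"


class PeerRegistry:
    """Stand-in for the Vault-backed peer store: one tunnel address per public key."""

    def __init__(self, subnet):
        hosts = list(ipaddress.ip_network(subnet).hosts())
        self.server_ip = hosts[0]          # first usable address belongs to the server
        self._pool = hosts[1:]             # remaining addresses are handed out to peers
        self.peers = {}                    # pubkey -> tunnel IP
        self.acls = {}                     # pubkey -> CIDRs this peer is meant to reach

    def register(self, pubkey, allowed=None):
        """Allocate (or return the existing) tunnel IP for a public key and record its ACL."""
        if pubkey in self.peers:
            return str(self.peers[pubkey])
        if not self._pool:
            raise RuntimeError("tunnel subnet exhausted")
        ip = self._pool.pop(0)
        self.peers[pubkey] = ip
        self.acls[pubkey] = list(allowed or [])
        return str(ip)

    def revoke(self, pubkey):
        """Drop the peer; its address returns to the pool. Removing the [Peer] block
        from the server config is what actually terminates the session."""
        self._pool.append(self.peers.pop(pubkey))
        self.acls.pop(pubkey, None)

    def server_peer_sections(self):
        """[Peer] blocks for the server's wg0.conf. AllowedIPs here is exactly the peer's /32:
        WireGuard's cryptokey routing uses it as a source filter, so a peer cannot claim
        another peer's tunnel address. Per-client ACLs beyond that (what the peer may reach)
        must be enforced by the server's firewall, never by anything the client configures."""
        blocks = []
        for pubkey, ip in sorted(self.peers.items(), key=lambda kv: kv[1]):
            blocks.append(f"[Peer]\nPublicKey = {pubkey}\nAllowedIPs = {ip}/32\n")
        return "\n".join(blocks)

    def client_config(self, pubkey, private_key):
        """Full client config. The private key is generated on the client and is never
        stored in the registry; only the public key is."""
        ip = self.peers[pubkey]
        allowed = ", ".join(self.acls[pubkey]) or f"{self.server_ip}/32"
        return (
            "[Interface]\n"
            f"PrivateKey = {private_key}\n"
            f"Address = {ip}/32\n"
            "\n"
            "[Peer]\n"
            f"PublicKey = {SERVER_PUBLIC_KEY}\n"
            f"Endpoint = {SERVER_ENDPOINT}\n"
            f"AllowedIPs = {allowed}\n"
            "PersistentKeepalive = 25\n"
        )


if __name__ == "__main__":
    reg = PeerRegistry("10.8.0.0/24")
    reg.register("ALICE_PUBKEY_PLACEHOLDER=", ["10.0.0.0/8"])
    print(reg.server_peer_sections())
    print(reg.client_config("ALICE_PUBKEY_PLACEHOLDER=", "ALICE_PRIVKEY_PLACEHOLDER="))
```

The point to keep in mind when copying this pattern: the client's AllowedIPs only decides what the client routes into the tunnel, so the "per client ACL" from the problem list has to be enforced on the server side as well.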
Although block ciphers are nowadays the most widely used, stream ciphers have not disappeared. They are still widely used in telecommunication systems (ISO/IEC 18033-4, the 3GPP algorithms UEA2 and UIA2, TETRA's TEA2...). Stream ciphers are still often chosen for their speed and simplicity of implementation in hardware, and the rise of IoT is likely to widen their use further. In addition, they are still widely used in military cryptology because they offer better guarantees for secure implementation and for the operational management of encryption. The main problem is that these systems are often proprietary, so the algorithm is secret and hidden in the depths of the silicon; it is worth noting that their hardwired implementation is easier and cheaper than that of block ciphers. The main question is whether it is possible to introduce mathematical backdoors (at the level of the algorithm itself) without degrading the cryptographic quality of the keystream that is combined with the plaintext. This line of work was initiated with the BSEA-1 algorithm presented at Ruscrypto 2019 (published at https://arxiv.org/abs/1903.11063). The present talk continues that research with a class of backdoors of greater complexity.
The objective of this talk is to present a particular class of backdoors for stream ciphers that not only preserves the cryptographic quality of the pseudo-random sequence (which is XORed bit-wise with the plaintext) but also defeats all known classical attacks. To exploit this class of weakness it is necessary to change the way we think about cryptanalysis techniques. A 128-bit key algorithm has been designed with such a backdoor and will be presented during the talk. It is inspired by real cases in the field of military cryptography from the 1990s, which we will also present and explain. The algorithm uses cryptographic primitives that are optimal according to current security criteria.
1.- The state-of-the-art with respect to encryption backdoors
History of the XX/XXIth centuries
2.- Technical principles
What are stream ciphers?
Where to put backdoors
3.- Presentation of the backdoored stream cipher
Security rationale (wrt to the known existing cryptanalysis techniques)
4.- Exploiting the backdoor
Why classical cryptanalysis are bound to fail
New cryptanalysis approach
The future of backdoors
Eric Filiol is professor at ENSIBS and IRISA, France, and senior consultant in offensive cybersecurity and intelligence. He was head of cybersecurity research at ESIEA, France, for 12 years. He spent 22 years in the French Army (Infantry/Marine Corps). He holds an engineering diploma in cryptology, a PhD in applied mathematics and computer science and a Habilitation in computer science, and is a graduate of NATO courses in InfoOps and intelligence systems. He is Editor-in-Chief of Springer's Journal of Computer Virology and Hacking Techniques and has spoken at international security events including Black Hat, CCC, CanSecWest, PacSec, Hack.lu, BruCON and H2HC…
Traditional network scanning is still very popular when we need to evaluate firewall rules, find trivial vulnerabilities and make an inventory of our network perimeter. Nmap is undoubtedly the most recognized tool for this purpose, but it is not very efficient at scale. What can we do in 2019 to improve scanning performance and get as much value as possible at the lowest cost? The Opera Security Team uses multiple cloud environments, a simple queue management protocol, fast and efficient pre-scanning and a task/plugin-based approach to perform efficient network assessments. This talk is primarily targeted at DevSecOps and all those who appreciate simple solutions in complex environments.
Keywords: nmap, masscan, gcp, beanstalkd, ruby, openstack, network scanning
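The pre-scan-then-enqueue pipeline described in the abstract, as an added Python example (not Opera's tooling, which is not on this page): shard a target range for parallel masscan runs, parse masscan's list output, and turn each host's open ports into a self-contained nmap task string that could be pushed onto a queue such as beanstalkd. The masscan sample is constructed in the "-oL" list format (state, protocol, port, address, timestamp) and uses documentation addresses; the commands are built, not executed.

```python
import ipaddress
import shlex
from collections import defaultdict

# Constructed sample in masscan's "-oL" list format (state proto port ip timestamp);
# the addresses are documentation ranges, not real scan results.
MASSCAN_LIST = """\
#masscan
open tcp 22 198.51.100.10 1571154900
open tcp 443 198.51.100.10 1571154901
open tcp 8080 198.51.100.12 1571154902
open tcp 22 198.51.100.12 1571154902
open tcp 22 198.51.100.12 1571154903
# end
"""


def shard_targets(cidr, n_shards):
    """Split a target range into equal sub-networks so pre-scans can run in parallel
    (one shard per worker or cloud). n_shards is rounded up to a power of two."""
    net = ipaddress.ip_network(cidr)
    if n_shards <= 1:
        return [str(net)]
    extra_bits = (n_shards - 1).bit_length()
    return [str(s) for s in net.subnets(prefixlen_diff=extra_bits)]


def parse_masscan_list(text):
    """Collect open ports per host from masscan list output; repeated hits are deduplicated."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "open":
            continue                        # comments, blank lines, non-open states
        _state, _proto, port, ip = parts[:4]
        hosts[ip].add(int(port))
    return {ip: sorted(ports) for ip, ports in hosts.items()}


def nmap_tasks(hosts, max_ports_per_task=100):
    """One nmap invocation per host (chunked when a host has many ports), restricted
    to the ports masscan already found open. Each task is a plain string so it can
    be pushed to a job queue and consumed by any worker anywhere."""
    tasks = []
    for ip, ports in sorted(hosts.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        for i in range(0, len(ports), max_ports_per_task):
            chunk = ",".join(str(p) for p in ports[i:i + max_ports_per_task])
            target = shlex.quote(ip)
            tasks.append(f"nmap -sV -Pn -n -p {chunk} -oX {target}.xml {target}")
    return tasks


if __name__ == "__main__":
    for shard in shard_targets("198.51.100.0/24", 4):
        print("pre-scan shard:", shard)
    for task in nmap_tasks(parse_masscan_list(MASSCAN_LIST)):
        print(task)
```

The expensive, slow part (service detection) thus only runs against ports that the cheap pre-scan already confirmed open, which is where most of the speed-up at scale comes from.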
An engineer who eventually became a manager but still loves to do some hands-on work. I started as a security administrator at my university, then worked as a penetration tester, security auditor and team lead. Now I'm building security at Opera Software, the browser vendor and internet technology company with 350 million users worldwide.
Tiago Balgan Henriques and Florentino Bexiga
When connecting something to the internet you are automatically exposing your devices to all sorts of traffic: internet scanners, malicious and benign actors, random startups, etc. In this talk I want to talk about all the telemetry that can be obtained from a network of honeypots, how it is useful for your organisation and what sort of observations you can make over a prolonged period of time.
Honeypots have existed for a long time, and these days a lot of interesting telemetry can be extracted from them that is useful to organisations at multiple levels. I will talk about the different types of events seen over a period of time, why it's important to generate different types of signatures, what sort of patterns can be found and why they are important.
In this talk I also intend to provide data-centric answers to the following questions:
Is it still worth having one or more honeypots these days?
What are the different actors that talk to my edge doing?
Who are they? Are there any patterns in the different things they are looking for?
Is an attack specific to me, or is it happening all over the internet?
Is the new vulnerability that was just announced already being exploited?
Why was it scanned for before the announcement?
Are there differences between different cloud providers? And residential?
I scan the internets, I listen to the internets, I love data from the Internets.
Philip Gardner and Alek
Commercial SIEMs are expensive, inflexible and risk vendor lock-in. At Cloudflare, we built a SIEM on a serverless architecture that provides the scalability and flexibility to perform various detection and response functions. We will discuss this architecture and how it can be built upon to solve many security problems, in a true pay-as-you-use model.
A SIEM is pivotal to a threat detection and incident response function. But commercial SIEMs are expensive, both in terms of usage and maintenance cost, and risk vendor lock-in. At Cloudflare, we built a SIEM to manage logs from 175+ data centers, thousands of endpoints and our corporate networks. The SIEM is built on a serverless architecture in GCP that scales up and down based on usage, for a true pay-as-you-go model. It provides multiple data processing and analysis paradigms that enable various detection and response (D&R) workflows. In this talk, we will discuss the motivation, the constraints and the SIEM architecture. We'll also dive into our detection, threat hunting and IR workflows using this SIEM.
Philip Gardner is a Security Engineer for Cloudflare. Sometimes he scuba dives.
Alek is a security engineering manager at Cloudflare, based in Lisbon. He's been known to geek out about travel hacking.
Authentication and authorization are core security concepts that underpin any modern tech stack. Applying them is not always straightforward or trivial: modern design patterns such as microservices or SOA make old methodologies obsolete and difficult to adapt. OpenID Connect and OAuth are living standards that fulfil most of the common use cases out there, but as complexity grows, new attack surfaces and risks emerge. In this talk, we will explore common flaws and pitfalls, mitigations, and how to take advantage of these protocols in different scenarios.
In this talk, we will learn more about authentication and authorization and how different they are.
We will explore two protocols commonly used in new architectures, OAuth 2.0 and OpenID Connect.
First we will see OAuth's terminology and its grant flows.
Then we will see what role OpenID Connect plays in modern implementations and what it adds to OAuth.
Afterwards, which mistakes are commonly made, such as open redirects, token leakage and CSRF, and how they can be mitigated.
Finally, we will travel across some scenarios and see how these protocols can play a role in helping to secure your system.
Security enthusiast from the north of Portugal. Currently working at Farfetch as a security engineer, dedicating most of his time to application security. Free time is split between exploring new technologies and learning new attack methodologies.
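Two of the mistakes listed above (redirect-based token leakage and CSRF on the callback), as an added Python example that is not from the talk: a prefix-matching redirect_uri check next to the exact-match version an authorization server should use, and a client that binds an unguessable state to the session and refuses callbacks that do not carry it back. The client id, redirect URI and authorization endpoint are placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed client registration; the client id, redirect URI and authorization
# server hostname are placeholders, not values from the talk.
AUTHORIZATION_ENDPOINT = "https://as.example.com/authorize"
REGISTERED_CLIENTS = {
    "client-123": {"redirect_uris": ["https://app.example.com/cb"]},
}


def redirect_uri_ok_vulnerable(client_id, redirect_uri):
    """Authorization-server side, the classic mistake: prefix matching.
    Anything under the registered path passes, including a traversal into an
    open redirector on the same host, which then forwards the code or token."""
    return any(redirect_uri.startswith(r)
               for r in REGISTERED_CLIENTS[client_id]["redirect_uris"])


def redirect_uri_ok(client_id, redirect_uri):
    """Exact string comparison against the registered value, as the OAuth 2.0
    Security Best Current Practice recommends."""
    return redirect_uri in REGISTERED_CLIENTS[client_id]["redirect_uris"]


def build_authorization_url(session, client_id, redirect_uri):
    """Client side: mint an unguessable state, bind it to the user's session and
    use the authorization code flow (response_type=code) rather than the implicit
    flow, so no token ever travels in a URL fragment where it can leak via
    Referer headers, browser history or injected scripts."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "state": session["oauth_state"],
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def handle_callback(session, callback_url):
    """Client side: accept the authorization code only if `state` matches the value
    bound to this session. Skipping this lets an attacker complete the flow in the
    victim's browser with an attacker-chosen code (login CSRF / account linking)."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)      # single use
    received = query.get("state", [None])[0]
    if not expected or received is None or not hmac.compare_digest(expected, received):
        raise PermissionError("OAuth state mismatch")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    return query["code"][0]
```

For public clients (mobile apps, SPAs) the same client would additionally send a PKCE code_challenge and later the code_verifier; that is left out here to keep the two checks in focus.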
The audience is shown the history of a potential 0-day exploit for a cloud backup product, from the start of an internal network pentest to the end.
The talk is a walkthrough of the discovery and development of an exploit for cloud backup software, starting with the phases of a real internal network pentest (reconnaissance and exploitation) and ending with remediation. The internal network is deployed in AWS, which guarantees another layer of fun.
The exploit will be released during the talk.
Robert Kugler is an information security researcher and pentester who has made his passion for breaking things his job. His background stems from over 9 years of data protection, security management and consulting as well as penetration testing. Robert has helped strengthen the security of companies such as Mozilla, Axel Springer, PayPal, Spotify, Sophos, Sony, Fitbit, and Deutsche Telekom. In the past, he has given several presentations on IoT security, digital self-defense, and the security risks of anti-virus software.
Luis Catarino and Pedro Sousa Rodrigues
Physical access controls are just computers that handle sensitive information, granting physical access or managing attendance (assiduity) in an enterprise. Our research focuses on the security of these devices and on how poorly managed they are.
During our investigation we discovered several vulnerable devices and, by reverse engineering (and RTFM'ing) them, it was possible to exploit some of them "Hollywood style". This research focused on the fragility of the ecosystems and their devices.
This will be a presentation not only of those vulnerabilities, but of how the research was done and how people can replicate it on their own devices to discover new vulnerabilities.
We will start by presenting the context of our research, how these devices came to our attention and what indicators led us to question their security. We will then present the protocol and how we reverse engineered it. In doing so we hope to share some concepts of network protocol analysis with the audience, such as type conversion and correlating C/C++ structs with the packet itself. We will also show how our analysis matches the implemented protocol and how close we were to reality. To test the protocol we will show some basic Python Scapy usage, building our own implementation of the protocol and using it to demonstrate some already known network attacks (e.g. a replay attack). With the protocol implemented we will also show a small example of how to emulate a device in order to fuzz the protocol and discover exploitable bugs in the management application of these devices (e.g. a buffer overflow). Having understood the foundations of the device and its communications, we delve into the risk assessment for enterprises: how the solution is built and for what purposes (access control, attendance, etc.). In this section we will review some implementation architectures that the vendor recommends and show how they can be exploited in multiple scenarios.
1. Embedded devices have a huge role in many organisations, and a great number of them don't get the same security scrutiny as other kinds of devices, such as servers;
2. How these devices can be exploited to gather sensitive and private information and how they can be a "way in" to the organisation, either physically or by remote access, with some proofs of concept; also learning some basic protocol reverse engineering;
3. How to analyse unknown network protocols using tools such as Wireshark, Scapy and some common sense;
4. How to implement the protocol and fuzz it to discover new vulnerabilities;
5. How the architecture of these solutions is often flawed and what mitigations can be put in place to reduce the risk of such devices.
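The struct-to-packet mapping, replay and fuzzing steps from the outline above, as an added Python example that is not from the speakers' research. It uses the standard `struct` module rather than Scapy so it runs without extra packages; the header layout, magic value and command id are a hypothetical protocol invented for the illustration, not the vendor's real format.

```python
import random
import struct

# Hypothetical wire format reconstructed from captures, written as the C struct one
# would derive during analysis (little-endian, no padding):
#   struct hdr { uint16_t magic; uint8_t cmd; uint8_t flags; uint32_t seq; uint16_t len; };
# The magic and command values are placeholders, not the vendor's real protocol.
HDR_FMT = "<HBBIH"
HDR_LEN = struct.calcsize(HDR_FMT)      # 10 bytes
MAGIC = 0x5A5A
CMD_GET_USERS = 0x10


def parse_packet(raw):
    """Map bytes onto the struct and cross-check the length field against the
    payload actually present; a parser that trusts `len` blindly is where
    overflow bugs live."""
    if len(raw) < HDR_LEN:
        raise ValueError("short packet")
    magic, cmd, flags, seq, length = struct.unpack(HDR_FMT, raw[:HDR_LEN])
    if magic != MAGIC:
        raise ValueError("bad magic")
    payload = raw[HDR_LEN:]
    if length != len(payload):
        raise ValueError(f"length field {length} != payload length {len(payload)}")
    return {"cmd": cmd, "flags": flags, "seq": seq, "payload": payload}


def build_packet(cmd, seq, payload, flags=0, length=None):
    """Inverse of parse_packet; `length` may be overridden to craft inconsistent packets."""
    if length is None:
        length = len(payload)
    return struct.pack(HDR_FMT, MAGIC, cmd, flags, seq, length) + payload


def replay(captured, new_seq):
    """Replay test: resend a captured request with only the sequence number bumped.
    A device that answers it has no per-message authentication or freshness."""
    p = parse_packet(captured)
    return build_packet(p["cmd"], new_seq, p["payload"], p["flags"])


def fuzz_cases(cmd, seq, random_cases=3, seed=1):
    """Length/payload mismatches and oversized bodies aimed at hand-written parsers
    on the device or in its management application."""
    rng = random.Random(seed)             # seeded so a crash can be reproduced
    small = b"A" * 8
    yield build_packet(cmd, seq, small, length=0xFFFF)    # claims 64 KiB, sends 8 bytes
    yield build_packet(cmd, seq, small, length=0)         # claims nothing, sends 8 bytes
    yield build_packet(cmd, seq, b"A" * 0xFFFF)           # genuinely maximal payload
    for _ in range(random_cases):
        body = bytes(rng.getrandbits(8) for _ in range(rng.randint(1, 512)))
        yield build_packet(cmd, seq, body, length=rng.randint(0, 0xFFFF))


if __name__ == "__main__":
    captured = build_packet(CMD_GET_USERS, 41, b"\x01\x00")   # constructed "capture"
    print(parse_packet(captured))
    print(replay(captured, 42).hex())
    for case in fuzz_cases(CMD_GET_USERS, 43):
        print(len(case), "bytes")
```

Feeding `fuzz_cases` to an emulated device or to the management software while watching for crashes is the cheap first pass; the interesting findings usually come from the cases where the claimed length and the real length disagree.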
Luis is a cyber security enthusiast, currently working as CEO and Penetration Tester at Adamant Sec and teaching Systems Administration and Computer Systems at Instituto Superior de Engenharia do Porto. With several years of experience in the cyber security field, Luis also holds the OSCP (Offensive Security Certified Professional) certification.
Pedro is a computer security enthusiast currently working at Farfetch as a security engineer. He has 6 years of experience and some research spanning COTS products, network protocols and bug bounties, which has resulted in several CVEs.
A look at OSINT collection using the Sender Policy Framework and how it can be useful for attack and defense purposes.
Sender Policy Framework (SPF) is a commonly used email-authentication technique that protects email services; however, it can also be used to gain insight into the cloud services used by organizations and into their networks.
In this talk, we will walk through SPF to understand it clearly, collect records and recursively unroll them, resulting in a full list of hosts allowed to send email using a specific organization's domain, even those included and "hidden" in other records. We will analyze the data collected and see how we can take advantage of it for attack purposes or to better protect an organization.
Tomás Lima began his IT security career in 2012, working on multiple projects and doing incident handling. Tomás is one of the authors of IntelMQ, an open source tool. Nowadays, he leads a security team at Claranet Portugal.
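The recursive unrolling described above, as an added Python example (not the speaker's tooling): it follows include: and redirect= into other domains, resolves a and mx mechanisms, cuts include loops, and counts the DNS-querying terms so a policy that exceeds RFC 7208's limit of 10 lookups (which receivers evaluate as a permanent error) is flagged. The DNS answers are a constructed in-memory table standing in for live TXT/MX/A queries; the domains and addresses are documentation values.

```python
import ipaddress

SPF_LOOKUP_LIMIT = 10   # RFC 7208 section 4.6.4: include, a, mx, ptr, exists, redirect

# Constructed DNS answers standing in for live lookups; real code would query TXT/MX/A.
DNS = {
    "example.com": {
        "TXT": ["v=spf1 ip4:198.51.100.0/24 mx a:gw.example.com include:_spf.mailer.example -all"],
        "MX": ["mx1.example.com"],
    },
    "mx1.example.com": {"A": ["198.51.100.25"]},
    "gw.example.com": {"A": ["203.0.113.10"]},
    "_spf.mailer.example": {
        "TXT": ["v=spf1 ip6:2001:db8:100::/48 include:_spf.cloud.example redirect=_spf-legacy.mailer.example"]},
    "_spf.cloud.example": {"TXT": ["v=spf1 ip4:192.0.2.0/25 include:_spf.mailer.example ~all"]},  # loops back
    "_spf-legacy.mailer.example": {"TXT": ["v=spf1 ip4:192.0.2.200 -all"]},
}


def _txt_spf(domain):
    """The one TXT record starting with v=spf1, or None if the domain publishes none."""
    for rec in DNS.get(domain, {}).get("TXT", []):
        if rec.lower().startswith("v=spf1"):
            return rec
    return None


def _hosts_as_networks(host, cidr):
    return [ipaddress.ip_network(f"{a}/{cidr or 32}", strict=False)
            for a in DNS.get(host, {}).get("A", [])]


def _collect(domain, seen, counter, nets):
    if domain in seen:                      # include/redirect loop: stop here
        return
    seen.add(domain)
    record = _txt_spf(domain)
    if record is None:
        return
    redirect, has_all = None, False
    for term in record.split()[1:]:
        low = term.lower()
        if low.startswith("redirect="):
            redirect = term[len("redirect="):]
            continue
        if "=" in low:                      # other modifiers (exp=...) carry no hosts
            continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            has_all = True
            continue
        if name in ("include", "a", "mx", "ptr", "exists"):
            counter[0] += 1                 # every one of these costs a DNS lookup
        if qualifier != "+":                # only PASS mechanisms authorise a sender
            continue
        if name in ("ip4", "ip6"):
            nets.add(ipaddress.ip_network(arg, strict=False))
        elif name == "include":
            _collect(arg, seen, counter, nets)
        elif name == "a":
            host, _, cidr = (arg or domain).partition("/")
            nets.update(_hosts_as_networks(host, cidr))
        elif name == "mx":
            host, _, cidr = (arg or domain).partition("/")
            for mx in DNS.get(host, {}).get("MX", []):
                nets.update(_hosts_as_networks(mx, cidr))
        # ptr/exists yield no static networks; "a/24" without a host is not handled
    if redirect and not has_all:            # redirect= is ignored when "all" is present
        counter[0] += 1
        _collect(redirect, seen, counter, nets)


def expand_spf(domain):
    """Return (networks allowed to send as `domain`, lookups used, over-limit flag)."""
    nets, seen, counter = set(), set(), [0]
    _collect(domain, seen, counter, nets)
    ordered = sorted(nets, key=lambda n: (n.version, n))
    return [str(n) for n in ordered], counter[0], counter[0] > SPF_LOOKUP_LIMIT


if __name__ == "__main__":
    networks, lookups, over = expand_spf("example.com")
    print(lookups, "lookups", "(over limit)" if over else "")
    for n in networks:
        print(n)
```

Each included domain name is itself OSINT: the names of the third-party senders reveal which marketing, ticketing or cloud providers an organisation uses, and a record that is over the lookup limit tells a defender that part of their own mail is silently failing SPF.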
Privacy is important for all kinds of people, no matter their business or social status. One of the cornerstones of privacy today is secure messaging applications like Telegram, which deploy end-to-end encryption to protect communications. At the same time these applications have become so important that bug-buying companies are now paying up to $500,000 for exploits on these platforms, or $15,000 just for information disclosure exploits. It is no news that Telegram has been targeted by several intelligence agencies to allow the interception of messages, and several clone applications have been created and distributed with the intent of spying on their users.

I will demonstrate how the Telegram registration process can be abused to allow message interception on a non-rooted Android device, without replacing the official application. Unlike the Signal Protocol, on which Signal Messenger and WhatsApp are based, Telegram's MTProto protocol allows more than one registration to be made on the same device using the same phone number. This generates two valid sessions, which both receive all communications involving that phone number. To avoid malicious session creation, Telegram sends the PIN in a push message to the first installation, preventing PIN interception. However, if the timeout is reached and the second application hasn't confirmed the registration request using the PIN, Telegram resends the PIN via SMS to the phone number. This backup mechanism can be abused to create a secondary session and snoop on all the messages. There is two-factor authentication with a password, but it is only used when the account is being activated on a different device. A malicious application, once installed on the victim's Android device, could create a session and prevent the user from seeing or receiving the push message while listening for the SMS.

Once the SMS arrives it can complete the registration cycle and wait for the messages to flow. Besides the permission to read SMS, other permissions may be required to prevent the user from reading the push message, or the attacker can simply do it while the user is away from the phone. The only user interaction needed is the installation of the rogue application; there is no need for the device to be rooted or for a rogue Telegram client to be installed. The malicious code can be embedded in any other application.
This is another example of how encryption is not a panacea and of how side-channel attacks like this are a real problem for otherwise secure applications.
Vitor Ventura is a Cisco Talos security researcher. As a researcher, he has investigated and published various articles on emerging threats. Most days Vitor is hunting for threats, investigating them and reversing code, but also looking for the geopolitical and/or economic context that best fits them. Vitor has spoken at conferences such as Recon, the Crypto and Privacy Village and BSides Lisbon, among others. Prior to that he was IBM X-Force IRIS European manager, where he was lead responder at several high-profile organizations affected by the WannaCry and NotPetya infections, helping to determine the extent of the damage and define the recovery path. Before that he did penetration testing at IBM X-Force Red, where Vitor led flagship projects such as connected car assessments, oil and gas ICS security assessments and custom mobile devices, among other IoT security projects. Vitor holds multiple security-related certifications such as GREM (GIAC Reverse Engineering Malware) and CISM (Certified Information Security Manager).
Get hands-on experience with extracting and auditing passwords from Active Directory (AD) databases and with offline modification of security information in AD.
Limiting access to domain controller hard drives has always been an important aspect of keeping Active Directory secure. However, this task has become more complex in today's era of virtualization and cloud computing.
Come and discover the endless possibilities that open up to malicious attackers and insiders who gain read/write access to a physical or virtual hard drive of a DC containing its ntds.dit database file. We will perform Active Directory password auditing against HaveIBeenPwned, offline password resets, group membership changes and SID history injection, and extract DPAPI backup keys, roamed private keys and KDS root keys.
Attendees need to bring their own notebooks with Windows 7 or newer operating system installed either on the physical computer itself or in a virtual machine. Detailed software requirements and lab materials are available at https://1drv.ms/u/s!Ah1NVj_AudV4ifp0zX9ThHj5i5inBg?e=gEFEgZ
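The password-auditing step from the workshop description, as an added Python example (not the workshop's DSInternals material). It takes NT hashes as they sit in ntds.dit (MD4 over the UTF-16LE password, no salt) and binary-searches them in a Have I Been Pwned NTLM list in the "ordered by hash" HASH:COUNT format, and also reports accounts that share a hash, which means a shared password. MD4 is implemented inline because hashlib frequently lacks it on OpenSSL 3 builds; the account set and the breach counts are constructed.

```python
import struct
from bisect import bisect_left


def md4(data):
    """Pure-Python MD4 (RFC 1320), needed because hashlib's md4 is often disabled."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, range(16), (3, 7, 11, 19), 0),
        (G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        s = list(state)
        for fn, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                p = (-i) % 4                          # register updated: a, d, c, b, ...
                s[p] = rotl((s[p] + fn(s[(p + 1) % 4], s[(p + 2) % 4], s[(p + 3) % 4])
                             + X[idx] + k) & mask, shifts[i % 4])
        state = [(a + b) & mask for a, b in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password):
    """NT hash as stored in ntds.dit: MD4 over the UTF-16LE password, unsalted, so
    equal passwords give equal hashes across accounts and across domains."""
    return md4(password.encode("utf-16-le")).hex().upper()


# Constructed stand-in for the HIBP NTLM "ordered by hash" download: one HASH:COUNT
# line per breached password, sorted by hash so it can be binary-searched. The counts
# are invented for the illustration.
HIBP_SAMPLE = sorted([
    nt_hash("password") + ":3861493",
    nt_hash("123456") + ":37359195",
    nt_hash("Summer2019!") + ":12",
])


def load_hibp(lines):
    """Split the list into a sorted hash column and a parallel count column."""
    hashes, counts = [], []
    for line in lines:
        h, _, c = line.strip().partition(":")
        hashes.append(h.upper())
        counts.append(int(c))
    return hashes, counts


def audit(accounts, hibp):
    """accounts: {sAMAccountName: NT hash hex}. Returns the accounts whose hash appears
    in the breach list, with the breach count, via binary search on the sorted column."""
    hashes, counts = hibp
    hits = {}
    for name, h in accounts.items():
        i = bisect_left(hashes, h.upper())
        if i < len(hashes) and hashes[i] == h.upper():
            hits[name] = counts[i]
    return hits


def shared_hashes(accounts):
    """Accounts grouped by identical NT hash: the same password in use more than once."""
    by_hash = {}
    for name, h in accounts.items():
        by_hash.setdefault(h.upper(), []).append(name)
    return {h: names for h, names in by_hash.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed account set; the hashes would come from the extracted ntds.dit.
    accounts = {"alice": nt_hash("password"), "bob": nt_hash("Summer2019!"),
                "carol": nt_hash("correct horse battery staple"), "dave": nt_hash("Summer2019!")}
    print(audit(accounts, load_hibp(HIBP_SAMPLE)))
    print(shared_hashes(accounts))
```

Against the real list (hundreds of millions of lines) you would keep the hash column in memory as fixed-width bytes or `mmap` the file and binary-search it in place; the lookup logic stays the same.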
Michael (CQURE, GOPAS) is an expert on Active Directory security who works as a cybersecurity consultant, trainer, and researcher. He is best known as the author of the open-source Directory Services Internals (DSInternals) PowerShell module and Thycotic Weak Password Finder, tools used by security auditors and penetration testers worldwide. He holds a master’s degree in Software Engineering and is a former Microsoft MVP.
The earlier in the lifecycle you pay attention to security, the better the outcomes. Threat modelling is one of the best techniques for improving the security of your software: a structured method for identifying weaknesses at the design level.
However, people who want to introduce it into their work on an existing codebase often face time pressure, and very rarely can a company afford a "security push" where all new development stops for a while in order to focus on security. **Incremental threat modelling that concentrates on current additions and modifications can be time-boxed to fit the tightest of agile life-cycles and still deliver security benefits.** Full disclosure is necessary at this point: threat modelling is not the same as adding tests to a ball-of-mud codebase and eventually getting decent test coverage. You will not be able to get away with doing just incremental modelling without tackling the whole picture at some point. But the good news is that you will approach this point with more mature skills from getting the practice, and you will get a better overall model with less time spent than if you had tried to build it upfront.
We will cover the technique of incremental threat modelling, and then the workshop will split into several teams, each one modelling an addition of a new feature to a realistic architecture.
The participants will learn how to find the threats relevant to the feature while keeping the activity focused (i.e. not trying to boil the ocean). This session mainly targets blue teamers, as well as software developers, QA engineers and architects, but will also be beneficial for scrum masters and product owners.
Irene Michlin is a security consultant at IBM. Before going into application security consultancy, Irene worked as software engineer, architect, and technical lead at companies ranging from startups to corporate giants. Her professional interests include securing development life-cycles and architectures.