Jean-Philippe (JP) Aumasson is Principal Research Engineer at Kudelski Security. He designed the popular cryptographic functions BLAKE2 and SipHash, initiated the Crypto Coding Standard and the Password Hashing Competition. He presented at conferences such as Black Hat, DEFCON, or Troopers about applied cryptography, quantum computing, and platform security. In 2017 he published the book "Serious Cryptography" with No Starch Press. JP tweets as @veorq.
Javvad Malik is a security advocate at AlienVault, a blogger and a co-founder of Security B-Sides London. Prior to joining AlienVault, Javvad was a senior analyst with 451 Research providing technology vendors, investors and end users with strategic advisory services, including competitive research and go-to-market positioning. Prior to that he was an independent security consultant, with a career spanning 12+ years working for some of the largest companies across the financial and energy sectors. An active blogger, event speaker and industry commentator, Javvad is probably better known as one of the industry's most prolific video bloggers, with a signature fresh and light-hearted perspective on security. You can follow Javvad on Twitter as @J4vv4D.
Thanks to the ShadowBrokers we can finally take a peek at some of NSA's tools and exploits.
What do you do with an archive full of NSA binaries? You start reverse engineering them!
This time we are diving into the internals of a cross platform NSA port-knocking RAT.
After finishing reversing its port-knocking protocol I asked my good friends at BinaryEdge.io if they could scan the whole Internet for live instances of this particular RAT.
Surprise surprise, they found live NSA hacked hosts all over the world.
No videos or slides to be published so be there or miss all the fun.
(We can no longer see those hosts using this RAT but I don't want to get into trouble :P)
Poupas always complains my presentations are too low level and this is no exception!
Sorry, web hacking is for wussies :P (Hi JustPassingBy!)
Once a world famous speaker, fG! is currently retired from the hard life of con-touring the world for free and instead established speaker residency at BSides Lisbon four years ago, way before Madonna and all the other hipsters.
In his spare time fG! likes to troll around the Internet (this bio was written on company time!).
fG! is known for presenting too many slides and not respecting his time slot. Too many interesting things to talk about!
For a few years he held Syscan's WhiskeyCon world record due to these bad habits.
Come see how Intel AMT can be used to completely own a modern machine permanently and without detection.
In the first half of the talk, we’ll see how an attacker can abuse the legitimate functionalities of Intel AMT to gain long term persistent access with little to no chance of detection. The demoed attack can be executed to take ownership of AMT in less than 60 seconds - either through supply chain or temporary physical access. We will then show how AMT can be used for persistent access to the machine via readily available and easy-to-use C&C tools. Finally, we will cover possible mitigations and preventions against such attacks.
In the second half of the talk, we will walk through the process of doing non-destructive forensics on an Intel AMT to which we don’t know the admin password (i.e. potentially attacker controlled!). We will also describe how to reclaim ownership of the AMT once forensics is complete. Finally, we will be releasing the Linux tooling we developed in order to facilitate AMT forensics.
What is Intel AMT?
Intel AMT is an out-of-band, always-on management technology, embedded into Intel chipsets supporting vPro technology, intended to allow remote management of equipment without the need for a functioning OS. Intel AMT is commonly available on all Intel-based business laptops & desktops as well as many high end consumer laptops & desktops.
Parth Shukla is a Security Engineer at Google in Switzerland. He works on efforts related to firmware/hardware security as part of the Enterprise Infrastructure Protection team. He worked for Google in Sydney, Australia for 3 years before moving to Zurich, Switzerland.
Prior to Google, Parth was an Information Security Analyst at the Australian Computer Emergency Response Team (AusCERT). While at AusCERT, Parth analysed the non-public data of the Carna Botnet that he obtained exclusively from the anonymous researcher of Internet Census 2012. Parth released a white paper on this analysis (bit.ly/carna-paper) and presented on it at various conferences, including: DeepSec 2013 in Vienna, Austria; Blackhat Sao Paulo 2013 in Sao Paulo, Brazil; APNIC 36 in Xi’an, China and AusCERT 2013 in Gold Coast, Australia.
In this talk, the author will present real case scenarios (aka hacking to PoC) showing the danger of large organizations ignoring high and critical security issues, with repercussions that would affect millions should the security threats fall into the wrong hands. Additionally, this talk will share tips on how to properly disclose bugs to companies without being a real Trump.
David Sopas is an AppSec research team leader at Checkmarx and is the co-founder of Char49. Google, Yahoo!, eBay, Microsoft, and many other companies have acknowledged his work. David is also a proven bug bounty hunter, currently ranking number 1 on Cobalt and the best Portuguese hunter on HackerOne.
ZigBee is a wireless protocol with an extremely low energy consumption rate and has been widely adopted in Internet of Things technologies. Security has been a predominant concern since its first standard and has remained so in all subsequent versions.
The main goal of this talk is to analyse ZigBee security. It includes a vulnerability survey and a list of all the available tools that help detect those vulnerabilities.
As a case study, we use a commercial system whose purpose is to obtain detailed electrical consumption information and to control, locally or remotely, smart plugs in clients' homes. Through this product it is possible to switch equipment on or off, receive alerts for any anomalies, and monitor consumption in real time or over a period of time, among many other functionalities.
The study of the platform also included the web portal and its connection to the ZigBee network made through the IP network.
Worked as System and Network Administrator for 15 years but always having a sharp eye on security. During the last couple of years embraced security as a profession and became security analyst at Centro Nacional de Cibersegurança.
This talk is about a real war story. The intention of the talk is to show beginners in the penetration testing field, as well as experienced testers, the importance of all security findings, even those that we commonly care less about or dismiss due to their lower risk nature.
Sometimes low risk findings in a web application can help lead to other vulnerabilities, which in turn might be even more severe and could lead an attacker to compromise an entire application or in some cases an entire enterprise network.
The talk will walk through and explain a chain of hacks used on a real-world penetration testing engagement which resulted in the compromise of an entire corporate network through a simple web application. Along the way we will explain each misconfiguration or mistake made by the target and will show the audience why penetration testing is so valuable to an organization beyond just point-and-click automated vulnerability scanning.
Pedro Fortuna and Paulo Silva
Current Man-in-the-Browser (MITB) trojans like Trickbot or Dridex are pretty much similar to first generation bots like Zeus or Zbot. They all include a list of targets and corresponding webinjects and still offer essentially the same features such as keylogging, form-data harvesting and remote control (RAT) capabilities.
Today, we are seeing a number of client-side defense proposals being rushed through the standardization process, such as CSP, Subresource Integrity and HPKP. In part, these standards are a response to the permissiveness of the browser against injection attacks.
We argue that it is important to understand how effective these standards can be against MITB attacks specifically and anticipate how attackers will evolve the MITB trojans in an attempt to defeat those defenses.
Pedro Fortuna is CTO and Co-Founder of Jscrambler, where he leads the technical vision for the product suite and contributes his cybersecurity knowledge to R&D. Pedro holds a degree in Computing Engineering and an MSc in Computer Networks and Services, and has more than a decade of experience researching and working in the application security area. He is a regular speaker at OWASP AppSec events and other cybersecurity conferences but also contributes to web development events. His research interests lie in the fields of Application Security, Reverse Engineering and Malware, and Software Engineering. Author of several patents in application security.
Paulo Silva is an IT security practitioner with 15+ years of experience as a Web Developer and a freedom enthusiast: Free Open Source Software (FOSS), World Wide Web (WWW) and Cross Country (XC). With a bachelor's degree in Computer Sciences and a Master's course in Innovation and Technological Entrepreneurship, over the last three years he has focused on researching DOM-based attacks such as Man-in-the-Browser (MitB) and how to bring Runtime Application Self-Protection (RASP) to the client side. When not researching or breaking stuff, you'll probably find him riding his Mountain Bike all over the world.
Android provides an In-app Billing API so that developers can sell extra features directly in their applications. In-app purchases are often used in games to buy credits that unlock extra content, lives, etc.
But the integration of the payment feature is most of the time misunderstood: code running on the smartphone cannot be trusted.
Hence all the payment checks and attribution of content should be done on the server side. As it is not crystal clear in the documentation provided by Google, lots of games still do the processing client side.
We will exploit a real-world Android game to get free credits, and see how easy it is to reverse engineer it and discover that the checks are done client side.
Then, thanks to the Xposed framework, we will write a one-line hook bypassing the payment.
After that, we will show how to patch the bytecode of this application, injecting the content of the hook, to be able to redistribute it.
Finally, we will provide actionable recommendations on how to avoid that by having a quick look at what is done in AngryBirds.
Jérémy Matos has been working in building secure software for more than 10 years.
With an initial academic background as a developer, he designed and helped implement a breakthrough mobile two-factor authentication solution.
He led code reviews and security validation activities for companies exposed to reputation damage or where the insider is the enemy.
He now provides software security services at his own company.
Last year he presented a new attack vector on encrypted messaging apps called Man In The Contacts at the DEF CON Crypto Village.
He also teaches application security and blockchain technologies in Swiss and French universities.
Hardware is everywhere and 'hardware hacking' has grown massively in popularity over the last few years.
Despite this, it is still considered to be somewhat of a black art; useful materials can be relatively hard to come by, especially for those without an electrical engineering background.
In addition to this, there are a huge number of facets to 'hardware hacking' and an array of 'end goals', which muddies the water even more.
This talk aims to cover a number of basic attack techniques, from gaining a simple root shell via UART or JTAG, to more complex attacks such as side channel analysis and fault attacks via power glitching.
Graduate of Abertay currently working as a Senior Consultant at NCC Group living in Munich, Germany. Interested in 'hardware hacking' as a hobby/side project.
Trafficking of counterfeit pharmaceuticals is a massive industry, and it has been known for its persistent use of different blackhat techniques in order to maintain its operation. A large part of those attempts are web application attacks, which are used to operate a huge network that generates substantial income for its operators.
In this session we're going to introduce some of the main Methods of Operation for these groups, estimate the size of this operation, and why it matters.
We will walk through real attack data, to see some of the latest attacks generated by these organizations, and discuss how organizations can be better protected against those attacks.
Ben has years of experience in hacking stuff, writing code, and in his past was a red team leader, and technical leader as a CTO and research manager.
Ben is the group manager of Imperva's research group, consisting of elite security researchers and developers, researching Application Security, Network Security, Data Analytics & Machine Learning.
Monitoring botnet activity to produce threat intelligence often requires the development of specialized tools that speak the malware protocol, join the botnet and extract relevant information or exploit some of its weaknesses. The development of these tools (often called trackers, crawlers or milkers) can be hard and time consuming, as it involves long reverse engineering hours, re-implementing network protocols from scratch, and operating them without being detected by the botnet operators. This presentation will share a few fun moments developing and deploying these tools and show how to make the process (slightly...) less painful, by using memory injection and binary instrumentation to re-purpose real malware as a botnet monitoring tool, while disabling its malicious capabilities.
Tiago Pereira is an information security professional with over 10 years of experience, during which, he has had the opportunity to work with multiple organisations ranging across several industries (e.g. Telecommunications, Finance, Energy, Government), and to perform hundreds of different projects in diverse areas of security such as consulting, penetration testing, security auditing, forensics, incident response and threat intelligence.
Passionate about forensics and reverse engineering, he is currently a threat researcher at Bitsight Technologies (Anubis Labs Team) where he focuses on malware and threat research.
Vincent Ruijter and Bernardo Maia Rodrigues
Personal computer systems are now considerably more secure than embedded devices. Trusted Platform Module (TPM) and secure boot are readily available and even default in a lot of new desktop computers and laptops. Numerous small office and consumer devices, including routers and smart televisions, however, are lacking even the most basic security features.
In this talk we will demonstrate and describe the inner-workings of a custom developed (Fully Weaponised IoT Cyber™) bootkit, which gains persistence on U-Boot based embedded devices, at a lower level than even the firmware. Firmware updates and factory resets usually do not interfere with the bootloader, as a small problem could render the device unusable for an end-user: the bootkit will therefore remain present. By including a properly functioning killswitch and a multi-boot like technique, it is possible to switch between a regular and a backdoored image to thwart detection.
Enterprises and ISPs must take this additional attack surface into account, and put effort into detecting and responding to this threat. Well-known security researchers have long advocated for easier ways to verify and demonstrate the integrity of hardware, but this comes at a price that vendors are not willing to pay for security. Recently, however, regulatory bodies have started to require vendors to lock down their wireless devices, in order to prevent them from operating outside of their certified frequencies. But these 'vendor lock-downs' are not sufficient to increase device security; as we will demonstrate, they are just a minor inconvenience.
Bernardo: Bernardo works as an Ethical Hacker for KPN's (Royal Dutch Telecom) REDteam. He enjoys hacking (and bricking) embedded devices including routers, modems and TVs. He presented on security topics at the NullByte Conference, the null Amsterdam chapter and local venues. He frequently participates in CTFs with TheGoonies and is famous for not using buzzwords like IoT, APT and Cyber in his bio.
Vincent: Pacifistic Internetveapon @ KPN's (Royal Dutch Telco) REDteam, who thinks he knows Linux. Moderator @ null Amsterdam chapter, with an endless curiosity for all things binary. Knows how to quit Vi ^[ESC!wqwq:wq!
Luís Grangeia and José Moreira
This talk will be an introduction to software defined radio (SDR) for security professionals with little to no experience in this topic. We are security professionals who started to explore the RF spectrum to look for vulnerabilities and will share our experience and lessons learned.
We will look in some detail at our explorations in the Portuguese RF spectrum, such as: sniffing and manipulating Bluetooth Low Energy traffic, tuning into SIRESP (TETRA-based emergency services network), looking at the signal for Via Verde (Portuguese e-toll system), rolling your own GSM network and more.
We will cover the basics of what you need to get started in this area and try to make a point that the RF space needs a closer look by information security professionals.
José Moreira is a Mobile Hacker, Reverser, Linuxer. Author of the best camera mod "Xperia Camera Unlocked". Loves to watch the world burn. Started with a basic RTL-SDR dongle, and last Christmas Santa gave him a HackRF to hack around with.
Luis Grangeia has been an infosec professional for about 17 years, mostly doing security audits and pen-tests. He recently bought a BladeRF software defined radio that he intends to use to hack all the things.
Threat Hunting refers to proactively and iteratively searching through networks or datasets to detect and respond to advanced threats that evade traditional rule- or signature-based security solutions. But what does that really mean? And what real impact does it have on the security team?
Threat hunting looks at a mountain of security data already being produced daily by traditional monitoring solutions, such as netflow data, firewall events and logs. Now include endpoint data and the events to review explode exponentially. The claim, from various vendors, is that the additional data provides greater visibility, but for whom? Traditional incident detection doesn't necessarily take endpoint events into consideration. Building a threat hunting activity scoped to start with endpoint data can significantly change the game.
This talk is a journey into threat hunting. It will cover the principles of threat hunting as a foundation while examining the challenges of working with the large datasets that endpoint data can generate, and analyse some of the tools claiming to ease this burden, including machine learning.
As Global Security Advocate at Digital Guardian, Thomas plays a lead role in advising customers on their data protection activities against malicious parties. Thomas' 25+ years of background in IT include varying roles, from incident responder to security architect, at Fortune 500 companies, vendors and consulting organizations. Thomas is also an active participant in the InfoSec community, not only as a member but also as a director of Security BSides London and an ISSA UK chapter board member.
There is a cliche that refuses to die that every malicious actor is some guy in his mom's basement downing Cheetos and Red Bull while furiously slamming away on the keyboard. But that is not the case, especially with most large campaigns. This presentation will discuss the business side of ransomware. Understanding how ransomware actors make money, how they are organized and how to hurt them provides practical and strategic information that both defenders and managers can use to better protect their organizations.
Allan Liska is a solutions architect at Recorded Future. Allan has more than 15 years' experience in the world of information security and has worked as both a security practitioner and an ethical hacker. He is the author of The Practice of Network Security, Building an Intelligence-Led Security Program, and Securing NTP: A Quickstart Guide and the co-author of DNS Security: Defending the Domain Name System and Ransomware: Defending Against Digital Extortion.
João Pena Gil (Jack64) and Luis Gomes (JustPassingBy)
Out-of-band exfiltration using 802.11 has been around for a while, but the code that is publicly available has limited functionality and is not well suited for use in a real-world scenario.
In this talk, we will demonstrate a red-team vs. blue-team scenario live on stage, where an attacker will attempt to perform data exfiltration using the known techniques, and show how it is possible for the defense team to detect and even block or interfere with the exfiltration attempts. We will then escalate the red-team side by showing off a new method of data exfiltration that makes it a lot harder for the blue team to interfere, track or detect that it is in process, raising the bar for wireless IDS.
Luis has been in this area for 8+ years, spending most of it as a Security Engineer and Penetration Tester. He has worked for various clients in private banking and the public sector, on gambling and compliance projects, and also for some tech giants. Loves coding his own tools and breaking into security, giving clients the best possible service.
João has worked in information security for 3+ years, making contributions for big open source projects like Metasploit, co-developed airpwn-ng, a tool for 802.11 packet injection and was a workshop instructor at DEFCON 25. He currently works as an Application Security Analyst at Checkmarx by day and as a Core Researcher at Cobalt IO, by night.
Álvaro Felipe Melchor
In this talk I will present how open source frameworks can be leveraged to carry out mobile assessments successfully. Nowadays, in the consultancy world you have to be ready to evaluate mobile security at any time. Therefore, knowing different frameworks and building your own tools is mandatory.
At the beginning of the talk, different frameworks such as Frida and radare2, aimed at different kinds of analysis (static vs dynamic), will be presented, showing their strengths and how to use them to get the job done. Last but not least, a tool built from the ground up using Frida will be presented, which automates many tasks such as certificate pinning bypass, root detection bypass, etc.
Álvaro Felipe is a Security Consultant at NCC Group and part of the core dev team of the radare2 reverse engineering framework. During his career he has taken part in a large number of security projects and research efforts, focusing his skills on mobile application assessment, code review projects, fuzzing and application vulnerability research.
In the non-stop struggle between malware authors and anti-malware software, a new strategy is beginning to gain popularity among the former: infecting systems without using regular files, to hinder detection. Using non-binary code and hiding it in the registry is one of these techniques. In this presentation we are going to view real-world cases of this type of malware and other potential infection vectors.
Ramon Pinuaga: Pentester and security analyst for more than 16 years in companies like INNEVIS and S21SEC. Currently works as Cybersecurity Audit Manager in PROSEGUR. Specialized in hacking techniques and offensive security. Former speaker in NoConName, RootedCon and Sec-t conferences.
This workshop is a deep-dive into a remote access tool (RAT) distribution campaign. We will do static analysis all the way through, from the weaponised attachment, second stage downloaders, to the RAT config extraction in the end.
What you will learn:
- The workflow of static analysis
- Extract valuable information from a wide range of file formats
- Decompile .NET and Java
- Defeat encoding/encryption puzzles
- Develop python scripts for automation
- Extract the RAT configuration file
Students are expected to bring their own laptop with VMWare or Virtualbox installed. USB sticks with VM images will be provided in the class. If your host OS is Linux/Mac OS X and you have Docker installed, a Docker file is also provided, for lightning-bolt analysis.
Let's make malware great again.
I'm a cyber security analyst and a passionate malware hunter. For the last 11 years I've been doing incident response, computer forensics and malware analysis.
SWAG (Susceptible Web App Generator) is a new application designed for people learning web application testing. The application itself has a web front-end and allows the user to generate a unique vulnerable web application. There are 12 different basic types of web application that SWAG generates (e.g. an on-line store, a file sharing application, member management, etc.). Each application created is injected with random vulnerabilities (e.g. SQL injection, file upload vulnerabilities, file inclusion, etc.). The SWAG user can then perform a security test of the generated application. SWAG will also generate a report of the injected vulnerabilities for feedback purposes (i.e. the answers). The following video shows the application: https://www.youtube.com/watch?v=0MKC1qxkbNU
The workshop will cover:
- The basic use of SWAG.
- Information gathering techniques.
- Enumeration techniques.
- SQL injection.
- Local File Inclusion vulnerabilities.
- File upload vulnerabilities.
Colin McLean is a lecturer in Computing at the University of Abertay Dundee in Scotland. In 2006, Colin developed the world’s first undergraduate degree with the word “Hacking” in the title. The BSc in Ethical Hacking at Abertay University in Dundee, Scotland has since become one of the main providers of graduates to the security testing industry in the UK. In 2016, Colin was featured in the top 100 key figures driving the digital agenda in Scotland by Holyrood Magazine. Colin has been a lecturer at Abertay University for 27 years and has talked at several of the leading Ethical Hacking conferences in Europe including BSides London, DeepSec Austria, BruCon Belgium, BSides Lisbon and BSides Edinburgh.
The excess, or absence, of information available today, combined with the lack of automation, makes incident handling a huge challenge. IntelMQ was created to continuously improve feed processing so that it can support the work of incident response teams.
IntelMQ was developed by FCCN (Fundação para a Computação Científica Nacional) and was later supported by other European CSIRTs, with the aim of speeding up the handling of information and improving the tool through shared development.
Through the collection and processing of feeds it is possible to filter and shape the data for the desired purpose.
This workshop intends to provide the trainees with the following skills:
[+]Understanding the IntelMQ framework
[+]Installing and configuring IntelMQ
[+]Understanding the structure of a bot
[+]Feeding IntelMQ with the Kippo SSH Honeypot
André Garrido - Worked as System and Network Administrator for 15 years but always having a sharp eye on security. During the last couple of years embraced security as a profession and became security analyst at Centro Nacional de Cibersegurança.