Talks Schedule 2020

Thursday, March 19th

Time           TRACK 1 / TRACK 2
09:00          Track 1: TBA
               Track 2: TBA
10:00          COFFEE
10:30          Track 1: Hacking the DevOps Butler: the road from nothing to admin, by Nimrod Stoler
               Track 2: Fun with Windows processes: code injection techniques and where to find them, by Christophe Tafani-Dereeper & Nicolas Reich
11:30          Track 1: Practical security in the brave new Kubernetes world, by Alex Ivkin
               Track 2: TBA
12:30          LUNCH
13:30          Track 1: [In]secure deserialization, and how [not] to do it, by Alexei Kojenov
               Track 2: Hypervisor-level malware monitoring and extraction system - current state and further challenges, by Michał Leszczyński & Krzysztof Stopczański
14:00 - 18:00  Splunk Boss Of The SOC
14:30          Track 1: Practical OWASP CRS in High Security Settings, by Christian Folini
               Track 2: SMoTherSpectre: Exploiting speculative execution through port contention, by Atri Bhattacharyya & Mathias Payer
15:30          COFFEE
16:00          Track 1: 30 CVEs in 30 Days, by Eran Shimony
               Track 2: Scaling Malware analysis & Threat Intelligence pipeline towards infinity & beyond!!, by Abhinav Singh
17:00          Track 1: Attacking Bluetooth LE design and implementation in mobile + wearables ecosystems, by Sanjay V
               Track 2: CiscoASA: The Wall is on Fire, by md4

Friday, March 20th

Time           TRACK 1 / TRACK 2 / TRACK 3
09:00          Track 1: Hacking your Smart Coffee Machine, by Axelle Apvrille
               Track 2: To Logical, Through Physical, Via Social: Accessing internal networks through physical access using social engineering techniques, by Tinker Secor
               Track 3: TBA
10:00          COFFEE
10:30          Track 1: Practical exploitation of zigbee-class networks with USB-based RF transceivers & open source software, by Sunil Kumar Sakoti
               Track 2: Travel for Hackers, by Kirils Solovjovs
               Track 3: TBA
11:30          Track 1: Car Hacking On Simulation, by Rohan Aggarwal
               Track 2: Back to the future: Computer science and systems biology, by Noa Novogroder & Dr. Lorenz Adlung
               Track 3: TBA
12:30          LUNCH
13:30          Track 1: TBA
               Track 2: Social Engineering through Social Media: Profiling, Scanning for Vulnerabilities and Victimizing, by Christina Lekati
               Track 3: TBA
14:30          Track 1: A Journey into Malware HTTP Communication Channels Spectacles, by Mohamad Mokbel
               Track 2: TBA
               Track 3: TBA
15:30          COFFEE
16:00          Track 1: Symbolic Execution Demystified, by Jannis Kirschner
               Track 2: TBA
               Track 3: TBA
17:00          Closing Keynote: The price of cybercrime, by Rob May
18:15 - 04:00  Capture The Flag

Hacking the DevOps Butler: the road from nothing to admin

Nimrod Stoler
SPEAKER BIO

Nimrod is a cyber security researcher at CyberArk Labs where he focuses on researching the latest attack techniques, and applying lessons learned to improve cyber defenses. Nimrod's primary research areas are network defense, DevOps analysis and security and Linux containers. Prior to CyberArk, Nimrod served in several high-technology roles doing research and development of software and hardware.

Nimrod holds an LLB in Law and BA in economics.

ABSTRACT
Jenkins, also referred to as the DevOps Butler, is an open source automation server used to accelerate the software delivery process. It is now widely considered the de facto standard among open source continuous integration tools. For many organizations, Jenkins effectively acts as the DevOps engine, addressing everything from source code management to delivering code to production.

Jenkins is an indispensable part of technology stacks around the world. Facebook, Netflix, Lyft, eBay and LinkedIn are examples of very large organizations that use Jenkins in their DevOps stacks.

During our research of the Jenkins software we discovered several interesting vulnerabilities, six of which received CVEs. In this talk we mainly speak about two of them. Combined, the two create a security hole that allows anonymous (completely unauthenticated) attackers to take over Jenkins and gain full privileges, becoming admins by sending specially crafted HTTP requests to the Jenkins master. This attack allows anyone to log in to Jenkins as an admin and gain complete control of the entire Jenkins infrastructure, and although these issues have been fixed, thousands of Jenkins servers are still vulnerable.

In this talk we will describe in detail the code reverse-engineering process that led us to discover these vulnerabilities and how we managed to exploit them to flip the Jenkins security switch OFF and gain control over the entire Jenkins infrastructure.

Practical security in the brave new Kubernetes world

Alex Ivkin
SPEAKER BIO

Alex Ivkin is a director of solutions at Eclypsium, a US security company. His focus is on secure deployments of (in)secure software, including container orchestration, application security, and firmware security. Alex has two decades of security integration experience, has presented at numerous security conferences, delivered trainings, holds a Master's in Computer Science, co-authored the ISACA CSXP certification and climbs mountains in his spare time.

ABSTRACT
Dive into a typical Kubernetes cluster by messing with the default security controls, popular sidecar containers and supporting infrastructure.

Kubernetes' broad adoption has triggered a growth of frameworks, tools and technologies supporting it. It also means a growth in the attack surface. Instead of taking Kubernetes clusters head on, learn how to do recon on a real-world k8s cluster and the common set of sidecar containers it relies on. Then see what it takes to pwn the ingress point, service mesh, network infrastructure, package manager and performance monitoring tools. From there, get persistence in Docker registries and images.

Fun with Windows processes: code injection techniques and where to find them

Christophe Tafani-Dereeper & Nicolas Reich
SPEAKER BIO

Christophe (@christophetd) holds a Computer Science Master's degree from EPFL and works in the security team of Nexthink. He keeps a blog where he writes about infosec.

Nicolas Reich (@hatted_loutre) is a security engineer at Hacknowledge and an EPFL graduate who, incidentally, grew up 5 minutes from the conference's location.

ABSTRACT
More and more corporate environments are adopting commercial antivirus and EDR solutions, forcing attackers to step up their game. In this context, malware and offensive actors increasingly use code injection techniques, allowing them to hijack legitimate processes and have them run malicious code in a stealthy manner. In our talk, we start by laying out some foundations on the internals of Windows processes. Building upon this, we present techniques to masquerade malicious processes, bypass EDRs, and inject code into legitimate processes. We include reusable proofs-of-concept and detection methods using forensics or live system monitoring tools.

[In]secure deserialization, and how [not] to do it

Alexei Kojenov
SPEAKER BIO

Alexei began his career as a software developer. A decade later, he realized that breaking code was way more fun than writing code, and decided to switch direction. He is now a full-time application security professional, with several years of assisting various development teams in delivering secure code, as well as security consulting. He holds OSCP and CISSP, and currently works as a senior product security engineer for Salesforce.

ABSTRACT
Serialized data is neither new nor exciting. Serialization and deserialization have been used by countless applications, services and frameworks for a long time. Many programming languages support serialization natively, and most people seem to understand it well. However, many of us don't fully understand the security implications of data deserialization, and in the last couple of years this topic has received increasing attention in the security community, to the point that insecure deserialization made it onto the OWASP Top 10 list of most critical web application security risks! Needless to say, high-severity vulnerabilities in some well-known applications as well as popular frameworks such as Apache Struts and Apache Commons Collections raised awareness of this risk.

In this session, we'll discuss how serialized data is used in software, talk about different serialization formats and the dangers of deserializing untrusted input. We will review some real-life vulnerabilities and related exploits. The presentation will contain several code examples with live demos of bypassing security controls by exploiting deserialization vulnerabilities. We'll forge a session cookie, elevate privileges, cause a denial of service, and even perform remote code execution - all via insecure deserialization! The demos will use native Java, Python and .NET serialization, as well as JSON and XML formats. Of course, we'll also talk about how to deserialize in a secure way!

Next time you develop your awesome web or mobile app or a microservice, keep in mind how a clever attacker could create and supply malicious data to your application; thinking like a hacker, you could write more secure code!
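The forged session cookie and the arbitrary-callable gadget the abstract promises, as an added Python example that is not the speaker's demo code. It assumes a hypothetical web app that keeps its session in a base64-encoded pickle cookie; the gadget uses builtins.eval as a harmless stand-in for os.system so the block runs without side effects. The hardened variant verifies an HMAC over the bytes before touching pickle at all, and then loads them with an Unpickler that refuses to resolve any global.

```python
import base64
import hashlib
import hmac
import io
import pickle

# --- Vulnerable pattern (constructed for this example): the session cookie is a
# base64-encoded pickle and the server trusts whatever the client sends back.

def make_cookie_insecure(session: dict) -> str:
    return base64.b64encode(pickle.dumps(session)).decode()

def load_cookie_insecure(cookie: str):
    return pickle.loads(base64.b64decode(cookie))   # untrusted bytes straight into pickle

def forge_admin(cookie: str) -> str:
    """Privilege escalation: decode a real cookie, flip is_admin, re-encode it."""
    session = load_cookie_insecure(cookie)
    session["is_admin"] = True
    return make_cookie_insecure(session)

# The attacker does not even need to know the session layout. Any object whose
# __reduce__ returns (callable, args) makes pickle.loads call that callable while
# it is rebuilding the object. eval stands in here for os.system / subprocess.
class Gadget:
    def __reduce__(self):
        return (eval, ("6 * 7",))

def gadget_bytes() -> bytes:
    return pickle.dumps(Gadget())

def attacker_cookie() -> str:
    return base64.b64encode(gadget_bytes()).decode()

# --- Hardened pattern, two independent layers:
#  1. an HMAC over the serialized bytes, verified BEFORE any deserialization, so
#     only the server can mint or modify a cookie;
#  2. an Unpickler whose find_class refuses every global, so even bytes signed
#     with a leaked key can only rebuild builtin containers and scalars.

SECRET_KEY = b"load-this-from-server-config"   # assumption: illustrative key only
MAC_LEN = hashlib.sha256().digest_size

class NoGlobalsUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to resolve global {module}.{name}")

def restricted_loads(data: bytes):
    return NoGlobalsUnpickler(io.BytesIO(data)).load()

def _mac(data: bytes) -> bytes:
    return hmac.new(SECRET_KEY, data, hashlib.sha256).digest()

def make_cookie(session: dict) -> str:
    data = pickle.dumps(session)
    return base64.b64encode(_mac(data) + data).decode()

def load_cookie(cookie: str) -> dict:
    raw = base64.b64decode(cookie)
    mac, data = raw[:MAC_LEN], raw[MAC_LEN:]
    if not hmac.compare_digest(mac, _mac(data)):
        raise ValueError("cookie signature mismatch")   # rejected before pickle sees it
    return restricted_loads(data)

def signature_rejects(cookie: str) -> bool:
    try:
        load_cookie(cookie)
    except ValueError:
        return True
    return False

def unpickler_rejects(data: bytes) -> bool:
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False

if __name__ == "__main__":
    legit = make_cookie_insecure({"user": "alice", "is_admin": False})
    print(load_cookie_insecure(forge_admin(legit)))   # is_admin flipped to True
    print(load_cookie_insecure(attacker_cookie()))    # 42: eval ran inside pickle.loads
    print(signature_rejects(attacker_cookie()))       # True: never reaches pickle
    print(unpickler_rejects(gadget_bytes()))          # True: builtins.eval refused
    print(load_cookie(make_cookie({"user": "alice", "is_admin": False})))
```

The two defenses are independent: the HMAC stops anyone without the server key from minting or modifying a cookie, and the restricted unpickler limits what a stolen key could do to rebuilding plain dicts, lists and scalars. Where the data model allows it, switching the cookie format to JSON with the same HMAC removes the pickle attack surface entirely.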

Hypervisor-level malware monitoring and extraction system - current state and further challenges

Michał Leszczyński & Krzysztof Stopczański
SPEAKER BIO

Michał Leszczyński (@icedevml) works at CERT Polska, where his main duties are related to the development of a custom infrastructure for malware analysis. Contributor to the DRAKVUF project. He's also doing some DevOps or x86 reverse engineering from time to time. Previously specialized in web security & development. Still fascinated by the number of ways the Internet can be broken.

Krzysztof Stopczański has been fascinated by computer security and low-level stuff since his childhood. Currently working as an IT Security Specialist at CERT Polska, taking care of protecting Polish people from criminals. From time to time playing CTFs, previously with CodiSec, currently with the p4 team.

ABSTRACT
During the talk, we will present DRAKVUF, an open-source blackbox binary analysis system. This project leverages Virtual Machine Introspection and Xen’s altp2m in order to serve its purpose in a very stealthy manner. We will describe our recent contributions to the project, including Windows API tracing and heuristic malware unpacking. Moreover, we will present how this approach can be used to extract configuration out of malware samples. In addition, we would like to present some unique challenges that can be encountered when developing hypervisor-level monitors.

Practical OWASP CRS in High Security Settings

Christian Folini
SPEAKER BIO

Christian Folini (@ChrFolini) is a security engineer and open source enthusiast. He holds a PhD in medieval history and enjoys defending castles across Europe. Unfortunately, defending medieval castles is not a big business anymore and so he turned to defending web servers, which he finds equally challenging. He brings more than ten years of experience with ModSecurity configuration in high security environments, DDoS defense and threat modeling.

Christian Folini is the author of the second edition of the ModSecurity Handbook and the best known teacher on the subject. He co-leads the OWASP ModSecurity Core Rule Set project and serves as the program chair of the "Swiss Cyber Storm" conference, the prime security conference in Switzerland. He helps to edit the Center for Internet Security "Apache Benchmark". He is a frequent speaker at conferences, where he tries to use his background in the humanities to explain hardcore technical topics to audiences of different backgrounds.

ABSTRACT
Traditionally, the OWASP ModSecurity Core Rule Set, an OWASP flagship project, has been hard to use. However, the release of CRS 3.0 in 2017 and the advancements made with CRS 3.1 and 3.2 successfully removed most of the false positives in the default installation. This improved the user experience of running the only general-purpose open source web application firewall. The presentation explains how to operate CRS successfully in high security settings. This includes practical advice on tuning, working with the anomaly thresholds, the paranoia levels and complementary whitelisting rule sets. This talk is based on many years of experience gained by using CRS in various high security settings, including the one run by Swiss Post for its national online voting service.

SMoTherSpectre: Exploiting speculative execution through port contention

Atri Bhattacharyya & Mathias Payer
SPEAKER BIO

Atri Bhattacharyya is a doctoral student at the Ecole Polytechnique Federale de Lausanne. With a background in computer architecture, Atri is researching attacks and defenses in the space of microarchitecture. He has already published the first paper using transient side-effects of speculative execution to leak data. His future work aims to protect upcoming server architectures from practical microarchitectural attacks.

Mathias Payer (@gannimo) is a security researcher and an assistant professor at the EPFL school of computer and communication sciences (IC), leading the HexHive group. His research focuses on protecting applications in the presence of vulnerabilities, with a focus on memory corruption and type violations. He is interested in software security, system security, binary exploitation, effective mitigations, fault isolation/privilege separation, strong sanitization, and software testing (fuzzing) using a combination of binary analysis and compiler-based techniques.

ABSTRACT
Spectre, Meltdown, and related attacks have demonstrated that kernels, hypervisors, trusted execution environments, and browsers are prone to information disclosure through micro-architectural weaknesses. However, it remains unclear as to what extent other applications, in particular those that do not load attacker-provided code, may be impacted. It also remains unclear as to what extent these attacks are reliant on cache-based side channels.

We introduce SMoTherSpectre, a speculative code-reuse attack that leverages port-contention in simultaneously multi-threaded processors (SMoTher) as a side channel to leak information from a victim process. SMoTher is a fine-grained side channel that detects contention based on a single victim instruction. To discover real-world gadgets, we describe a methodology and build a tool that locates SMoTher-gadgets in popular libraries. In an evaluation on glibc, we found hundreds of gadgets that can be used to leak information. Finally, we demonstrate proof-of-concept attacks against the OpenSSH server, creating oracles for determining four host key bits, and against an application performing encryption using the OpenSSL library, creating an oracle which can differentiate a bit of the plaintext through gadgets in libcrypto and glibc.

30 CVEs in 30 Days

Eran Shimony
SPEAKER BIO

Eran Shimony is a security researcher at CyberArk.
Eran has an extensive background in security research that includes years of experience in malware analysis and vulnerability research on multiple platforms. With a growing interest in logical vulnerabilities, he has several dozen acknowledged vulnerabilities across major vendors, like Microsoft, Intel, Samsung, and many others. Besides finding security bugs, he enjoys making cocktails and listening to heavy metal and classical music.

ABSTRACT
In recent years, fuzzing has come to be considered the most effective way to discover new vulnerabilities. We will present a complementary approach to fuzzing. Using this method, which is quite easy, we managed to get over 30 CVEs across multiple major vendors in only one month.

Some things never die. In this session, we'll show that a huge amount of software is still vulnerable to DLL hijacking and symlink abuse, which may allow attackers to escalate their privileges or DoS a machine. We will show how we generalized these two techniques within an automated testing system called Ichanea, with the aim of finding new vulnerabilities.

Our mindset was: choose software that is prone to be vulnerable, such as installers, update programs, and services. These types of software are often privileged; therefore, they are good candidates for exploitation using symlink or DLL hijacking attacks. We're only scratching the surface; we are positive that there are additional attack vectors that could be widely implemented to achieve similar results.

Attacking Bluetooth LE design and implementation in mobile + wearables ecosystems

Sanjay V
SPEAKER BIO

Sanjay (@sanjayvt) is a Security Analyst at Deep Armor. He is skilled in vulnerability assessment and penetration testing of IoT systems and web applications. He has advanced knowledge of AWS, and has developed numerous software stacks and tools for cloud-hosted web applications. In his previous role as a Business Technology Analyst at Deloitte India, he led project management and operations, focusing on stakeholder management, communication and program delivery.

ABSTRACT
Consumer IoT devices manifest in a variety of forms today, including fitness trackers, rings, smart watches, pacemakers, and so on. The wearable IoT market is dominated by small and medium-sized businesses, who are often in a rush to hit the shelves before their competitors and trivialize the need for security in the bargain, citing no "return on investment". In our presentation, we deep-dive into the wireless protocol of choice for wearables, Bluetooth Low Energy (BLE), and its impact from a security perspective. We use a USB-based Bluetooth hacking hardware board called Ubertooth One to analyze popular market products, and also perform a live demo on stealing information from a fitness tracker using standard Android app development practices. We wrap up with a discussion of simple cryptographic approaches and BLE-hardening mechanisms to prevent such attacks on wearable and IoT platforms.

CiscoASA: The Wall is on Fire

md4
SPEAKER BIO

CTF player in 0ops.
Security researcher at Dbappsecurity for network devices including Cisco, Juniper, Checkpoint.
Speaker at HITB, Zeronight.
Bug hunter in web && pwn (CVE-2018-11481, CVE-2018-11482, CVE-2016-7781, CVE-2016-7782, CVE-2016-7783, CVE-2016-7788, etc.)

ABSTRACT
This presentation will disclose a 0-day vulnerability affecting most major versions of the Cisco ASA devices, and discuss a new kind of exploit technique that achieves remote code execution on the Cisco ASA as an authenticated user.

Hacking your Smart Coffee Machine

Axelle Apvrille
SPEAKER BIO

Axelle Apvrille (@cryptax) is principal security researcher at Fortinet. She specifically looks into mobile malware and smart devices (not always that smart...).
She is the lead organizer of Ph0wn CTF, a Capture The Flag dedicated to smart devices. Finally, she enjoys drawing comics and 3D printing.

ABSTRACT
When you organize a CTF dedicated to smart devices, you've obviously got to prepare challenges that involve smart devices, and all the better if those are known, off-the-shelf devices. Additionally, we were looking for a visual challenge, where everybody can notice when a team flags. After some time, we found the right object: an affordable smart coffee machine. Just the perfect IoT for geeks, and a CTF 😉 However, the challenge for me as an organizer was to manage to create a challenge out of that, starting from scratch on this topic (I don't even drink coffee). I was lucky in that case and found a nice feature, present on the device but not available through the mobile app.

In this talk, I will explain:
- How this smart coffee machine works
- How I managed to hack the volume of coffee cups
- How I made the machine available on Wi-Fi, although it natively supports only Bluetooth Low Energy.

To Logical, Through Physical, Via Social: Accessing internal networks through physical access using social engineering techniques

Tinker Secor
SPEAKER BIO

Tinker Secor (@TinkerSec) is a full scope penetration tester with experience in testing and bypassing the security of logical, physical, and social environments. He has conducted red team engagements in the United States, Canada, and Europe. These have included network and systems hacking, social engineering in person and over voice and text, and physical entry and security bypass. Tinker has built up, managed, and trained red team and penetration testing teams. Prior to this, Tinker served in the SOC trenches as an Intrusion Detection Analyst. Prior to that, he served in the United States Marine Corps. He is currently Red Team Principal Consultant at company.

ABSTRACT
Logical, physical, and social environments are all connected. One can gain access to an internal network by breaking into a physical location and plugging into an Ethernet jack, or one could gain access to a physical location by hacking into a computer network, accessing the badge access system, and picking up an access badge at a front desk. All the while, users and people interact in physical and logical spaces, hardening the systems and creating vulnerabilities at Layer 8.

In this presentation, we'll discuss pragmatic applications of social engineering and give specific techniques to gain illicit entry into physical spaces for the purposes of accessing internal networks and gaining physical access to computing devices. We'll cover initial breach, lateral movement, privilege escalation, and actions on target. In the end, your mark will watch and encourage you to plug into their network and hack their devices.

Practical exploitation of zigbee-class networks with USB-based RF transceivers & open source software

Sunil Kumar Sakoti
SPEAKER BIO

Sunil (@sunils2991) is an industry expert in security research, product security assessment and risk management. He has worked extensively on threat modeling and penetration testing of Web applications, IoT products, Cloud infrastructure and mobile solutions. Sunil is skilled in JavaScript and Python scripting, and has developed numerous security tools and applications. He regularly speaks at local and international security conferences. He currently works as a Senior Security Analyst at Deep Armor. Prior to that, Sunil worked as a security engineer for Ola Cabs and Aricent Technologies.

ABSTRACT
Internet of Things (IoT) products proliferate in the market today. They manifest in different forms, from a pacemaker inside a human body to an oil and gas rig monitoring device in the remotest locations on the planet. The hardware form factors in many such IoT solutions use tiny microcontrollers with strict low-power-consumption requirements. Securing these platforms often poses several security challenges.

IEEE 802.15.4 is a standard developed for low-rate wireless personal area networks (LR-WPANs). The base specification of the standard does not specify how to secure the traffic between the IoT devices and the backend infrastructure, so there are often vulnerabilities in the design and implementation.

Penetration testing of zigbee-class wireless sensor networks needs specialized hardware and software stacks for packet sniffing and injection. In this presentation, we will talk about various market-available solutions that pentesters can use for debugging and attacking such networks using USB-based dongles. We will demonstrate two custom hardware boards equipped with programmable microcontrollers that work with open source software solutions for performing attacks on an IEEE 802.15.4 based wireless sensor network. After our demos, we will discuss various hardening methodologies to protect IoT systems against such attacks.

Travel for Hackers

Kirils Solovjovs
SPEAKER BIO

Kirils Solovjovs (@KirilsSolovjovs) is Lead Researcher at Possible Security, bug bounty hunter, IT policy activist, and the most visible white-hat hacker in Latvia having discovered and responsibly disclosed or reported multiple security vulnerabilities in information systems of both national and international significance. Kirils has developed the jailbreak tool for Mikrotik RouterOS. He has extensive experience in social engineering, penetration testing, network flow analysis, reverse engineering, and the legal dimension.

He has spoken at many amazing conferences including Hack In The Box, Hack in Paris, Hackfest, Nullcon, SHA2017, 35C3, CONFidence, BalCCon, and TyphoonCon.

ABSTRACT
Travelling to India? Europe? USA? Belarus? Peru? Japan? Latvia?
The seasoned traveller will know that there are limits on tobacco, alcohol and currency. That's basically universal. However, that's not what interests most hackers.

Did you know some of these countries only allow you to bring in just one puny laptop, a single portable calculator? No more than 20 CDs or 4 USB drives... No "politically sensitive literature", erotica... No lock picks or handcuff keys, no radio transmitters except when those are part of laptops or mobile phones...

Many of these restrictions are completely unexpected to your average hacker. But we do want to abide by the law when at all possible. 😉

I'm here to help you.

Car Hacking On Simulation

Rohan Aggarwal
SPEAKER BIO

Rohan (@nahoragg) is an Offensive Cyber Security Analyst at TCS, where he does IoT, hardware, web & Android application hacking.
He is also a part-time bug bounty hunter on HackerOne and Synack. He has found security vulnerabilities in big companies like Yahoo, Twitter, Goldman Sachs, Matomo, BrickFTP, Pixiv, etc.
He has presented a talk at the SecTor International Security Conference & Microsoft Azure Bootcamp, delivering training on IoT, web application and cloud hacking.

ABSTRACT
Cars are no longer only mechanical vehicles. They may be getting more advanced, but that doesn't mean they are immune to hacks. One particularly sensitive entry point for hacking a car is the legally required OBD-II port, which is basically "the Ethernet jack for your car". This port works on a signaling protocol called CAN, which is the de facto standard for the in-vehicle network. However, the lack of security features in the CAN protocol makes vehicles vulnerable to attacks.

This session introduces the basic theory of the CAN bus and how vulnerable it is. We will also provide an Instrument Cluster Simulator to get hands-on experience of hacking a real car by creating a functioning CAN simulator with a dashboard just like the one in your car and performing attacks on it.

The benefit of this session is that attendees can reproduce the attacks on their own systems, both during the session and at home, without the need for any hardware, as everything is done on a real-world simulation of a car instrument cluster.
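A minimal version of the simulator/attack loop the abstract describes, as an added Python example that is not the ICSim code the speaker uses. It packs frames in the Linux SocketCAN can_frame layout, which is what a vcan interface carries; the arbitration ID 0x244 and the speed encoding (km/h times 100, big-endian in data bytes 3 and 4) are assumptions for the hypothetical cluster, not ICSim's real layout. Because CAN frames carry no sender identity or authentication, the cluster accepts the injected frames exactly like the ECU's, and the block also shows the kind of timing check a bus IDS uses to notice the attack.

```python
import struct
from typing import Dict, List, Tuple

# struct can_frame as used by Linux SocketCAN (what vcan0 / ICSim exchange):
# u32 arbitration id, u8 payload length, 3 padding bytes, 8 data bytes.
CAN_FRAME = struct.Struct("=IB3x8s")

SPEED_ID = 0x244          # assumption: arbitration ID the hypothetical cluster reads speed from

def pack_frame(can_id: int, data: bytes) -> bytes:
    if len(data) > 8:
        raise ValueError("classic CAN payload is at most 8 bytes")
    return CAN_FRAME.pack(can_id, len(data), data.ljust(8, b"\x00"))

def unpack_frame(raw: bytes) -> Tuple[int, bytes]:
    can_id, length, data = CAN_FRAME.unpack(raw)
    return can_id, data[:length]

def speed_frame(kmh: float) -> bytes:
    # assumption: speed stored as km/h * 100, big-endian, in data bytes 3..4
    value = int(round(kmh * 100)).to_bytes(2, "big")
    return pack_frame(SPEED_ID, b"\x00\x00\x00" + value + b"\x00\x00\x00")

def decode_speed(data: bytes) -> float:
    return int.from_bytes(data[3:5], "big") / 100

class Cluster:
    """Stand-in for the instrument cluster: it trusts any frame carrying SPEED_ID."""
    def __init__(self) -> None:
        self.speed_kmh = 0.0

    def on_frame(self, raw: bytes) -> None:
        can_id, data = unpack_frame(raw)
        if can_id == SPEED_ID:          # no sender check is possible: CAN has no source address
            self.speed_kmh = decode_speed(data)

class RateMonitor:
    """Simple bus IDS: learns each ID's normal period, flags frames that arrive far too early."""
    def __init__(self, tolerance: float = 0.6) -> None:
        self.tolerance = tolerance
        self.period: Dict[int, float] = {}
        self.last_seen: Dict[int, float] = {}

    def learn(self, traffic: List[Tuple[float, bytes]]) -> None:
        last: Dict[int, float] = {}
        gaps: Dict[int, List[float]] = {}
        for ts, raw in traffic:
            can_id, _ = unpack_frame(raw)
            if can_id in last:
                gaps.setdefault(can_id, []).append(ts - last[can_id])
            last[can_id] = ts
        for can_id, g in gaps.items():
            self.period[can_id] = sum(g) / len(g)

    def check(self, ts: float, raw: bytes) -> bool:
        """True if the frame is suspicious: it arrived earlier than tolerance * learned period."""
        can_id, _ = unpack_frame(raw)
        suspicious = False
        if can_id in self.period and can_id in self.last_seen:
            suspicious = (ts - self.last_seen[can_id]) < self.tolerance * self.period[can_id]
        self.last_seen[can_id] = ts
        return suspicious

def legit_traffic(seconds: float, kmh: float = 50.0, period: float = 0.1) -> List[Tuple[float, bytes]]:
    # constructed: the real ECU reports 50 km/h every 100 ms
    return [(i * period, speed_frame(kmh)) for i in range(int(seconds / period))]

def injected_traffic(start: float, seconds: float, kmh: float = 200.0, period: float = 0.1) -> List[Tuple[float, bytes]]:
    # constructed: the attacker replays the same ID in between the ECU's frames
    return [(start + i * period, speed_frame(kmh)) for i in range(int(seconds / period))]

def run_attack() -> Tuple[float, int, int]:
    """Returns (dashboard speed after the attack, frames flagged, frames in the attack window)."""
    cluster = Cluster()
    monitor = RateMonitor()
    monitor.learn(legit_traffic(2.0))                      # baseline: 100 ms period for 0x244
    window = sorted(legit_traffic(1.0) + injected_traffic(0.05, 1.0), key=lambda t: t[0])
    flagged = 0
    for ts, raw in window:
        cluster.on_frame(raw)
        if monitor.check(ts, raw):
            flagged += 1
    return cluster.speed_kmh, flagged, len(window)

if __name__ == "__main__":
    print(run_attack())   # dashboard ends at 200 km/h; 19 of 20 frames in the window are flagged
```

To run it against a real vcan0, the frames from pack_frame can be written to a raw socket opened with socket.socket(socket.AF_CAN, socket.SOCK_RAW, socket.CAN_RAW) and bound to the interface. The RateMonitor flags the ID, not the attacker's frames specifically, since on the bus both sources are indistinguishable; that is the whole point the abstract makes about the protocol.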

Back to the future: Computer science and systems biology

Noa Novogroder & Dr. Lorenz Adlung
SPEAKER BIO

Noa Novogroder (@noanovo) graduated from the first round of the Israeli cyber security academy and is currently a master's student at the Weizmann Institute of Science in Israel. Before turning to biology, she worked for several years at Checkpoint, an Israeli high-tech company in the field of cyber security. In her free time, she likes to swim and to offer cures to obese mice.

Dr. Lorenz Adlung (@lorenzadlung) obtained his PhD from Heidelberg University in Germany. Since 2017 he's been a visiting scientist at the Weizmann Institute of Science in Israel working in the field of computational biology, with strong emphasis on both the computation and the biology. Besides his profession, his main passion is science communication, preferably through poetry and performance.

ABSTRACT
Which creature implemented code injection 1.5 billion years before any computer malware did? What is the decoding algorithm being used in each of our cells to run the program written in our genes?
As computer scientists, we are pushing the edge to develop disruptive technologies for the future. In fact, we can learn from an industry that has been evolving since long before humankind existed: The evolution of biological systems.
With our proposal we hope to show the incredible parallels between bacteria and computer malware, the complex algorithms implemented in each of our cells, and how each plays a pivotal role in furthering the research of the other.
This lecture will take the audience on an educational journey through both disciplines. This will foster interdisciplinary collaboration and inspire innovative solutions to future challenges for instance in the context of synthetic biology (i.e. creating artificial life), or personalized medicine (i.e. machine learning to treat patients).

Scaling Malware analysis & Threat Intelligence pipeline towards infinity & beyond!!

Abhinav Singh
SPEAKER BIO

Abhinav Singh is an information security researcher for Netskope, Inc. He is the author of Metasploit Penetration Testing Cookbook (first, second & third editions) and Instant Wireshark Starter, by Packt. He is an active contributor to the security community in the form of paper publications, articles, and blogs. His work has been quoted in several security and privacy magazines, and digital portals. He is a frequent speaker at eminent international conferences like Black Hat, RSA & Defcon. His areas of expertise include malware research, reverse engineering, enterprise security, forensics, and cloud security.

ABSTRACT
Malware and threat analysis plays a key role in security operations, research and forensic investigations. For businesses and applications moving to the cloud, this talk will present a "Security as Infrastructure" approach to creating a scalable and robust threat detection pipeline in the cloud. It will demonstrate a novel approach to building a threat detection pipeline by utilizing public cloud infrastructure and services like serverless functions, containers and AMIs. The solution adopts a "DevSecOps" approach to infrastructure security which is highly scalable and can scan over a million files every day.

Social Engineering through Social Media: Profiling, Scanning for Vulnerabilities and Victimizing

Christina Lekati
SPEAKER BIO

Christina Lekati (@ChristinaLekati) is a psychologist and a social engineer. With her background and degree in psychology, she learned the mechanisms of behavior, motivation, decision making, as well as manipulation and deceit. She became particularly interested in human dynamics and passionate about social engineering.

Contrary to typical career paths, her history and involvement in the cyber-security field started quite early in her life. Being raised by a cyber security expert, she found herself magnetized by the security field at a very young age. Growing up, she was able to get involved in different projects that were often beyond her age, that gave her an edge in her own knowledge and experience.

Christina has participated among other things in penetration tests, in training to companies and organizations, and in needs and vulnerability assessments.

She is working with Cyber Risk GmbH as a social engineering expert and trainer. Christina is the main developer of the social engineering training programs provided by Cyber Risk GmbH. Those programs are intertwining the lessons learned from real life cases and previous experiences with the fields of cybersecurity, psychology and counterintelligence. They often cover unique aspects while their main goal is to inspire delegates with a sense of responsibility and a better relationship with security.

ABSTRACT
While to the rest of the world social media are friendly platforms for communication and sharing, for OSINT analysts, hackers, social engineers and attackers they are targeting and information-harvesting platforms. Undoubtedly, online presence is important to all of us. But despite the benefits social networking can create, a strong online presence can also create vulnerabilities.

This talk will demonstrate how one's online presence on social media can attract social engineers to target them and victimize them to “open doors” through the organizational security. It will also discuss how social engineers and penetration testers can utilize social media for their engagements in creative ways and to identify their pretexts.

The talk covers the topic of information gathering through social media (a discipline called Social Media Intelligence, or SOCMINT, a sub-division of OSINT) and explains how even seemingly innocent information can be used to manipulate and victimize targets. Case studies will be provided. A two-part demonstration is included on how a hacker's mind works when harvesting information on social media. The first part includes real examples of posts that expose vulnerabilities, attract attackers and ultimately lead to security breaches. The second part includes a demonstration of how personal information provided online is gathered, categorized, analyzed and then used to craft an attack, as well as how one ends up revealing more online than one intends to.

A Journey into Malware HTTP Communication Channels Spectacles

Mohamad Mokbel
SPEAKER BIO

Mohamad Mokbel (@MFMokbel) is a senior security researcher at Trend Micro and a member of the Digital Vaccine Lab. He is responsible for reverse engineering vulnerabilities and malware C&C communication protocols, among other things, for the purpose of writing custom filters for TippingPoint NGIPS. Prior to joining Trend Micro, Mohamad worked for CIBC, one of the top five banks in Canada, in its security operations center as a senior information security consultant/investigator (L3), where he realized that experience in the operations field is extremely important for understanding the real sides of offense and defense. Prior to CIBC, Mohamad worked for Telus Security Lab as a reverse engineer/malware researcher for about 5 years. He has been doing reverse code engineering for the last 14 years. His research interests lie in the areas of reverse code engineering, malware research, intrusion detection/prevention systems, C++, compiler and software performance analysis, and exotic communication protocols. Mohamad holds an MSc in Computer Science from the University of Windsor and a BSc in Computer Engineering from the Lebanese International University.
ABSTRACT
Over the years, malware has used different communication protocols that sit at various layers of the OSI model to establish an exchange link with its C&C server(s). In particular, as malware C&C communications shifted their focus to HTTP, certain peculiarities, intentional or unintentional blunders, and obvious errors in the usage of the protocol were spotted. For example: using specific headers in a GET request that only make sense in a POST request, using a Content-Length value that doesn't match the actual payload size, and using a unique non-standard header in a non-standards-compliant way, among others.

This talk will go through various use cases of different malware families that have committed several interesting mistakes, deliberate or non-deliberate, in their HTTP C&C communication protocols. The ultimate goal is to identify those mistakes, understand the reason(s) behind them (e.g., bypassing security solutions, tricking automated systems…), and provide detection guidance. More importantly, it covers how to look for such anomalies and others, synthetically, on the network, be it for threat hunting or data mining of traffic captures. To our knowledge, this is the first paper that attempts to survey, document and perform root-cause analysis on such cases.
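As an added illustration of the two anomalies the abstract names (body headers on a GET, and a Content-Length that does not match the payload), here is a small checker a hunter could run over extracted requests. It is example code written for this page, not the speaker's tooling; the request samples are constructed and the host is a placeholder.

```python
"""Flag two of the HTTP C&C anomalies described in the abstract.

Added example, not the speaker's code. The request samples below are
constructed and use a placeholder host, not real indicators.
"""
from typing import Dict, List, Tuple

# Headers that describe a request body; they carry no meaning on a bodiless GET/HEAD.
BODY_HEADERS = {"content-length", "content-type", "content-encoding"}


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x request into (method, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers, body


def find_anomalies(raw: bytes) -> List[str]:
    """Return anomaly tags for one request; an empty list means it looks normal."""
    method, headers, body = parse_request(raw)
    findings: List[str] = []
    if method in ("GET", "HEAD"):
        # Body-describing headers on a method that normally carries no body.
        for name in sorted(BODY_HEADERS.intersection(headers)):
            findings.append(f"body-header-on-{method.lower()}:{name}")
    declared = headers.get("content-length")
    if declared is not None:
        if not declared.isdigit():
            findings.append("content-length-not-numeric")
        elif int(declared) != len(body):
            findings.append(f"content-length-mismatch:declared={declared},actual={len(body)}")
    return findings


# Constructed samples (placeholder host), not real captures.
NORMAL_POST = (b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n"
               b"Content-Type: application/octet-stream\r\nContent-Length: 5\r\n\r\nhello")
GET_WITH_BODY_HEADERS = (b"GET /check HTTP/1.1\r\nHost: example.invalid\r\n"
                         b"Content-Type: application/x-www-form-urlencoded\r\n\r\n")
BAD_LENGTH_POST = (b"POST /report HTTP/1.1\r\nHost: example.invalid\r\n"
                   b"Content-Length: 64\r\n\r\nid=1")

if __name__ == "__main__":
    for sample in (NORMAL_POST, GET_WITH_BODY_HEADERS, BAD_LENGTH_POST):
        print(sample.split(b"\r\n", 1)[0].decode(), "->", find_anomalies(sample))
```

Real captures also need to account for chunked transfer encoding and for proxies that rewrite headers before the check is meaningful.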

Symbolic Execution Demystified

Jannis Kirschner
SPEAKER BIO

Jannis (@xorkiwi) is a Swiss security researcher and CTF player. With a passion for reverse engineering and exploit development, he loves to analyze cutting-edge technology and find flaws in highly secured systems and complex applications. Jannis regularly participates in national and international cybersecurity competitions and speaks at various conferences and events.
ABSTRACT
Symbolic Execution is awesome!
From modern fuzzing tools, through automated exploit generation, to solving complex reverse engineering challenges, frameworks like "angr" are getting increasingly popular.

There are a lot of crackme-style CTF challenges where the intended solution is to find a specific path through a binary while your input has to satisfy various conditions.
Before symbolic execution techniques became popular, you had to manually analyze these binaries, extract all the constraints by hand and use tools like the Z3 theorem prover to solve the task. Depending on the binary size, this could turn out to be a very tedious and time-consuming process.

What if there was a more effective way to tackle such a problem and supercharge your reverse engineering skills?

This introduction to symbolic execution is for everybody who might have already heard of the "angr" framework but never got to learn it. New CTF players will get a head start into crackme solving; seasoned reverse engineers will discover a powerful technique for their toolbox.

You will learn where you can apply symbolic execution frameworks, how they work under the hood and how to integrate them into your reverse engineering workflow. Naturally, the practical part won't fall short, so we'll apply the newly learned techniques in several demos.

Closing Keynote - The price of cybercrime

Rob May
SPEAKER BIO

Rob (@robmay70) is an award-winning speaker and a Professional Member of the PSA (Professional Speaking Association).

He delivers keynotes internationally and runs CEO and Director workshops for both Vistage and the Institute of Directors. He speaks as a current and very relevant expert, being founder and Managing Director of ramsac, which delivers IT and cybersecurity services and support; he has a team of 70 consultants working with him (and an alliance partnership with PwC).

Rob is the UK Ambassador for CyberSecurity for the Institute of Directors and is currently ranked No. 5 in the global rankings for CyberSecurity Thought Leaders/Influencers.
His CyberSecurity TED Talk has had approximately 400,000 views (on both the TEDx YouTube channel and TED.COM). He is a published author, selling his CyberSecurity books on Amazon in 8 countries.

And he makes a complex yet vital subject fun, entertaining, actionable and very relevant.