Thursday 21st March
Friday 22nd March
Keynote: Federal Intelligence Service: How We Help To Protect Switzerland Against Serious Cyber Threats
By Mauro Vignati, Federal Intelligence Service (Switzerland)
The Swiss Federal Intelligence Service is mainly focusing on APTs. This presentation is a “behind the scenes” of the activities to protect Switzerland against the most sophisticated state-sponsored cyber-attacks.
Keynote: Medieval Castles and Modern Servers
By Christian Folini
Christian Folini is the author of the second edition of the ModSecurity Handbook and the best known teacher on the subject. He co-leads the OWASP ModSecurity Core Rule Set project and serves as the program chair of the "Swiss Cyber Storm" conference, the prime security conference in Switzerland. Christian is the vice president of the Swiss federal public-private-partnership "Swiss Cyber Experts" and he helps to edit the Center for Internet Security "Apache Benchmark". He is a frequent speaker at conferences, where he tries to use his background in the humanities to explain hardcore technical topics to audiences of different backgrounds.
We have been building castles and fortifications for thousands of years. Many of them were never breached. IT security, on the other hand, is a very young discipline where defense mechanisms have not really stood the test of time and breaches are happening every day.
Looking at historical defense techniques and fortress architectures can therefore serve as an inspiration for strong IT security architectures. This presentation looks at agile and flexible defenses, layered security and whitelisting. None of these concepts are entirely new to the IT security industry. But implementations usually stop with the buzzword or at the network level. This talk brings evidence for the effectiveness of the concepts across the centuries and hopes to help them achieve a breakthrough on all levels.
Furthermore, the talk educates the audience about medieval castles and how the metaphor can be put to use when explaining complicated IT security concepts to non-technical audiences. Again, the metaphor is not new, but people are usually only scratching the surface when they talk of medieval castles and modern servers.
Spyware, Ransomware and Worms. How to prevent the next SAP tragedy
By Jordan Santarcieri, Vicxer
He is engaged in a daily effort to identify, analyze, exploit and mitigate vulnerabilities affecting ERP systems and business-critical applications, helping Vicxer's customers (Global Fortune-500 companies and defense contractors) to stay one step ahead of cyber-threats.
Jordan has also discovered critical vulnerabilities in Oracle and SAP software, and is a frequent speaker at international security conferences such as Black-Hat, Insomnihack, YSTS, Auscert, Sec-T, HITB, Rootcon, NanoSec Hacker Halted, OWASP US, 8dot8 and Ekoparty.
It is not a secret that SAP is a market leader and one of the principal software providers of core business applications around the world; nearly 95% of the Fortune-500 companies heavily rely on SAP to perform their most critical daily operations, such as processing payroll and benefits, storing sensitive customer information, handling credit cards, logistics and many more.
Due to the “ERP complexity of the simple things”, in combination with several proprietary protocols, entry points and default misconfigurations, ERPs are particularly vulnerable to spyware, ransomware and worms, making them ideal targets for these types of attacks because of the economic significance these systems hold. Join me on this completely new and highly technical talk, in which I’m going to explain through several live demos how the different types of malware could impact SAP and what actions you could take to prevent the next SAP tragedy.
As an added value, we will reveal for the first time our very own project “ARSAP”, a semi-automatic mechanism that detects and registers all the SAP systems that are exposed to the Internet, extracting the systems’ metadata and cataloging the assets based on their geo-location, system type, version, installed components, etc.
These are the Droids you are looking for - practical security research on Android
By Elena Kovakina, Google
Elena holds a Master’s degree in Computer Science from the University of Liverpool, as well as a degree in psychology.
In case you haven’t noticed, Android is the world’s most used OS these days. With the diversity of uses and devices, comes the need to be able to better understand these black (white, purple, orange) boxes full of secrets, that over 2 billion people carry in their pockets.
During my talk I will go through some crucial aspects of Android’s security model, focusing on how applications fit into it, and what tools and solutions are in place to ensure apps are not running wild.
I will share some practical tips on how to diagnose problems with a “pre-owned” device, how to pin down malicious activity on device using live monitoring and bugreports, and on how to not get lost in Android logs.
Growing Hypervisor 0day with Hyperseed
By Shawn Denbow, Microsoft
Virtualization technology is progressively becoming the authority on which platform security is built and clouds are secured. Hyper-V, Microsoft's virtualization stack, is the backbone to Azure and held to a high security standard. Microsoft offers a bug bounty program with rewards up to $250,000 USD for vulnerabilities in Hyper-V. The hypervisor provides a calling mechanism for guests referred to as hypercalls. Not only could hypercalls offer an avenue for VM escapes, but with the introduction of virtualization-based security (VBS) hypercalls may be abused to bypass Virtual Secure Mode (VSM). In this presentation, we'll discuss our research into developing Hyperseed, our format-aware hypercall fuzzer. We'll dive into the hypercall interface detailing the classes of hypercalls Hyper-V supports, the design of hyperseed, and culminate with details on vulnerabilities we found in hypercall handlers.
Turning your BMC into a revolving door: the HPE iLO case
Currently an information security researcher at the Airbus Evaluation Team after having previously worked as a senior security researcher at Quarkslab. He specializes in reverse engineering, low-level and embedded systems security. He has spoken at security conferences worldwide, e.g., REcon (Canada, Brussels), ZeroNights, Hack In The Box (Malaysia, Netherlands), SSTIC (France), etc. He is also a co-author of the reverse engineering textbook Practical Reverse Engineering: x86, x64, Windows kernel, and obfuscation, published by John Wiley & Sons.
Fabien Perigaud (@0xf4b), Synacktiv
He is an information security researcher working at Synacktiv after having previously worked as a reverse engineer at Airbus Defence and Space Cybersecurity. He is mainly focused on reverse engineering and vulnerability research, with a specific enthusiasm for embedded devices. He has spoken at various security conferences, such as REcon (Belgium), ZeroNights (Russia), SSTIC (France), etc.
Joffrey Czarny (@_Sn0rkY), Medallia
He is a Red Team leader at Medallia, security researcher and VoIP hacker at night, Ambassador of Happiness and Healthy Living. Since 2001 he has been a pentester who has released advisories and tools on Cisco VoIP products, Active Directory and SAP; he has spoken at various security-focused conferences: Hack.lu, Troopers, ITunderground, Hacktivity, HITB, SSTIC, REcon and Black Hat Arsenal...
Unmonitored and unpatched BMCs (the remote administration hardware feature of servers) are an almost certain source of chaos. They have the potential to completely undermine the security of complex network infrastructures and data centers.
Our ongoing effort to analyze HPE iLO systems (4 and 5) resulted in the discovery of many vulnerabilities, the last one having the capacity to fully compromise the iLO chip from the host system itself.
This talk will show how a combination of these vulnerabilities can turn an iLO BMC into a revolving door between an administration network and the production network.
Security Analysis on the Attack Surface of Blockchain Client
By Chen Nan & Kame Wang, Tencent
Kame Wang is an information security researcher from Zhanlu Lab, Tencent Inc. I hold a PhD from the University of Chinese Academy of Sciences. I have been doing research on information security for about 6 years. My research interests are blockchain security, mobile vulnerability mining and browser vulnerability mining. During my Ph.D. study, I gave a talk about my vulnerability mining results targeting the Android system at one of the flagship academic conferences in information security, the ACM Conference on Computer and Communications Security 2016. You can find my paper on the following webpage.
Since 2017, Tencent Zhanlu Lab has been researching blockchain client security, and we have found 10+ vulnerabilities.
Blockchain is a new industry. There are many kinds of clients. Every day there are a lot of upgrades, which involve protocols, complex logic, and a wide range of attack surfaces. Inexperienced developers or unreasonable algorithm design lead to security flaws.
We will introduce the potential attack surfaces of blockchain clients, which include RPC interfaces, the P2P discovery protocol, the P2P SYN protocol, the P2P consensus protocol, smart contract interpretation and smart contract syscall interfaces.
In addition, real cases (some disclosed for the first time) are used to explain the vulnerabilities on these attack surfaces, such as an RPC attack on Ethereum clients, an integer overflow vulnerability in smart contract interpretation in EOS, and a logical flaw in the BTH consensus protocol.
At the same time, we will also introduce the process of bug hunting: how to quickly audit a large amount of code, how to quickly locate the attack surface code, and so on.
Finally, we will introduce how to exploit these, including RPC, P2P, and smart contracts.
The following are some of the CVE numbers we obtained: CVE-2018-16733 CVE-2018-18206 CVE-2018-18078 CVE-2018-18079 CVE-2018-18080 CVE-2018-18081
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
By Martijn Bogaard, Riscure
Secure Boot is widely deployed in modern embedded systems and is an essential part of their security model. Even when no (easy to exploit) logical vulnerabilities remain, attackers are surprisingly often still able to compromise it using fault injection, a so-called glitch attack. Many of these vulnerabilities are difficult to spot in the source code and can only be found by manually inspecting the disassembled binary code instruction by instruction.
While the idea of using simulation to identify these vulnerabilities is not new, this talk presents a fault simulator created from existing open-source components and without requiring a detailed model of the underlying hardware. The challenges of simulating real-world targets will be discussed, as well as how to overcome most of them.
An attacker in possession of the binary of his target can use such a simulator to find the ideal glitch location, while developers of these systems can use such a tool to verify the effectiveness of their countermeasures against specific types of fault attacks.
We used our simulator to identify locations in the binaries of several real-world targets where a successful glitch could compromise security. For example, a successful glitch would result in bypassing the authentication of the next boot stage or in arbitrary code execution in the context of the boot process. This would then reveal the cryptographic keys used to protect the system or give access to additional information required to develop a more scalable attack not requiring fault injection.
Sneaking Past Device Guard
By Philip Tsukerman, Cybereason
Device Guard (or WDAC) is an application whitelisting feature on Windows 10 systems that allows only approved executables, libraries, and scripts to run, even under administrator users. Seemingly, the only way to run unsigned code without specific RCE vulnerabilities would require an administrator to turn the feature off and restart the machine.
This talk will exhibit rarely discussed and novel techniques to bypass Device Guard, some requiring admin access, some requiring Microsoft Office (but no user interaction), and one available under low privileges and using nothing but native OS executables (which Microsoft acknowledged as a vulnerability, and will be fixed this November). All techniques presented will eventually allow an attacker to run arbitrary code without disabling Device Guard. As of now, Microsoft decided not to service most of these techniques with an update.
During the talk, we'll dive into the various ways the feature is implemented under different contexts, and explore the internals of Windows scripting engines and their host processes to understand how some popular techniques (and some of the ones shown in the talk) are able to bypass Device Guard.
Dear Blue Team: Forensics Advice to Supercharge your DFIR capabilities
By Joe Gray
In an age where data breaches and malware infections are quickly becoming the norm, we must prepare for Digital Forensics and Incident Response (DFIR). Most DFIR talks and advice discuss what to do once an incident has occurred. Instead, this talk provides Security Architects, System Administrators, SOC teams, and management new techniques and advice to supercharge their IR capabilities by preemptively collecting forensic evidence as a baseline.
The content provided in this presentation goes beyond the age-old advice of verbose logging and asset inventories. It will promote a cooperative relationship between DFIR and the rest of the “Blue Team.” We will kick this presentation off with a discussion about Threat Hunting versus Forensics. During this presentation, blue teamers and management will be armed with actionable advice as to how to pre-emptively capture artifacts as baselines BEFORE anything ever happens and the actions to take WHEN something happens.
Exploits in Wetware
By Robert Sell
Robert will discuss his third place finishes and experiences at the Defcon 2017 and 2018 Social Engineering CTF and how his efforts clearly show how easy it is to get sensitive information from any organization. The 2017 Verizon report clearly shows the dramatic growth rate of social engineering attacks and Robert demonstrates how he collected hundreds of data points from the target organization using OSINT techniques. He then goes into the vishing strategy he implemented to maximize the points he collected in the 20 minute live contest. Without much effort Robert was able to know their VPN, OS, patch level, executive personal cell phone numbers and place of residence.
Robert lifts the curtain of the social engineering world by showing tricks of the trade such as the “incorrect confirmation”, which is one of many methods to loosen the tongues of his marks. Robert then shows the pretexts he designed to attack companies and the emotional response each pretext is designed to trigger. By knowing these patterns we can better educate our staff. With that much information at his fingertips, how long would it take him to convince your executive to make a bank transfer? If your organization lost a few million dollars due to social engineering, who would be to blame? Are you insured for that? Who is getting fired? Robert wraps up his talk with a series of strategies companies can take to reduce exposure and risk. He goes over current exposure, building defenses, getting on the offense and finally… a culture shift.
Building a flexible hypervisor-level debugger
By Mathieu Tarral
In this context, he is the maintainer of Nitro, a syscall interception framework based on KVM.
This has led him to create the KVM-VMI organization on Github, to help the common effort of bringing an official VMI API on KVM.
Virtual Machine Introspection is a technique which leverages the hypervisor to allow the virtual machine hardware state (VCPU registers, virtual/physical memory) to be inspected in real time. This technology has interested security researchers for a long time, as the first scientific paper on the topic dates back to 2003. However, the complexity of hypervisors has prevented the existing attempts from gaining a wider audience. Furthermore, the semantic gap to be solved while interpreting the context of the virtual machine and the performance overhead induced by the introspection have prevented it from breaking out of the research sphere, despite its purported benefits. This situation persisted for many years until a set of memory introspection patches were submitted and later merged in Xen in 2009.
As of today, Xen is offering the most complete VMI API available, and successful projects such as a stealth malware analysis sandbox (Drakvuf) or an agentless cloud monitoring solution (BitDefender HVI) have been built on top of it. This is shifting our view of virtual machines, from opaque containers to transparent and monitorable systems.
Applying the same principle to our debuggers gives us huge benefits, among them being the stealth and robustness required to analyze unknown samples. In 2017, FireEye released rVMI, a rekall based full system analysis debugger, leveraging VMI on top of KVM and demonstrating the effectiveness of such tools.
In this talk, I would like to present pyvmidbg, a VMI debugger built on LibVMI. Pursuing the research on the topic, it introduces two critical changes: first, it has been built with LibVMI and is therefore agnostic of the underlying hypervisor (Xen or KVM); second, it relies on the GDB protocol to keep compatibility with our existing reverse-engineering frameworks.
How to investigate iOS devices
By Paul Rascagneres, Talos
In the last few months, Cisco Talos has had to investigate iOS malware. It is not a popular platform for malware analysts; however, we identified campaigns targeting iPhone devices. In this presentation, we will present how to handle this kind of investigation. First we will describe the iOS architecture, then the useful tools such as IDA Pro and Frida, and how to debug iOS apps. We will also present how to deploy apps and the classical tricks used by malware developers on this platform. We will provide several demos of the presented tools.
Let's hack the IoT Hub with Pwnhub dudes: IoT Hub Exploitation and countermeasure
By Jisub Kim, Kanghyun Choi
Jisub works at the Republic of Korea Air Force CERT and does vulnerability analysis.
Jisub likes IoT, web hacking and embedded hacking, and is a CTF player with $wag.
Kanghyun Choi is a security researcher who graduated from the KITRI BoB vulnerability analysis track.
Kanghyun likes IoT, system hacking (pwnable) and embedded hacking. Kanghyun plays CTF with team $aw
With the advent of the Internet of Things, our daily life is becoming more convenient. The IoT market continues to grow. To manage various IoT devices at once, the way devices are managed is changing: all IoT devices are managed easily and conveniently through an IoT hub, rather than operating IoT devices independently. Since the IoT hub can control the connected IoT devices, it is at high risk of serious damage such as malicious control by an attacker, privacy invasion, and leakage of personal information in case of a security breach.
We will show the overall IoT hub exploit process, from acquiring root shells and firmware of multiple IoT hubs to analyzing them and deriving vulnerabilities. We made a data flow diagram (DFD) through network packet and firmware analysis, from which we collected attack vectors on attack surfaces and analyzed security threats and vulnerabilities of IoT hubs. The talk also discusses the vulnerabilities found in recently commercialized IoT hubs, and introduces the threats that could be derived from the vulnerabilities.
Finally we will show a live demonstration of full-chain exploitation scenarios in a smart home, such as “opening the door lock and sniffing the password”. By doing so, we will contribute to improving the security of IoT networks and smart homes through awareness of the threats posed by IoT hubs.
Wake up Neo: detecting virtualization through speculative execution
By Innokentii Sennovskii
There have been several speculative execution vulnerabilities that allow reading privileged data from kernel mode, other processes and even hypervisors. However, there are several more ways in which speculative execution can be leveraged by adversaries. I have discovered one such technique, which allows an attacker on the system to obtain information allowing them to evade detection by modern sandboxes and AV software. This technique led to the discovery of the Spectre Variant 3a virtualization detection vulnerability in Intel CPUs. This virtualization detection technique stands apart from other techniques, since it can't be evaded by fixing rdtsc timing on VM exits and it doesn't require CPL=0. It can also thwart a reverse engineer analyzing it in a VM, since instead of binary checks for virtualization and specific sandboxes, the computation of initial data (such as keys for unpacking) can be turned off opaquely by virtualization.
Analyzing a Portable Wireless Storage Device From Zero to Remote Code Execution
By Qinghao Tang & Shuo Yuan, Qihoo 360
Shuo Yuan is a security researcher, 360 Marvel Team, Qihoo 360, Beijing, China.
Shuo Yuan is a member of the 360 Marvel Team from Qihoo 360 Technology Co. Ltd., who previously conducted security research on Linux system vulnerabilities and now focuses on security research in the IoT direction.
My Passport Wireless Pro is a portable wireless Wi-Fi storage device designed by the famous company Western Digital for outdoor photographers and Internet of Things enthusiasts. It can be used as a Wi-Fi server or Wi-Fi client to establish a connection with the user's mobile device. Users can access the data in the storage device through the local area network. This type of IoT product has rarely been discussed at security conferences, and no clear project has been identified. This presentation will showcase our findings on the My Passport Wireless Pro device, on which a remote code execution 0day vulnerability was discovered. By using this vulnerability, hackers can get a remote root shell on the device operating system without any credentials, and can read and write any data on the hard disk. This vulnerability not only causes the loss of private data, but can also be used as a springboard for a larger attack, that is, spreading Trojans on the LAN by infecting certain files located on the storage device. The content of this presentation will cover the entire process of analyzing hardware, analyzing firmware, fuzzing, and exploiting vulnerabilities, as well as our new perspective on IoT device security. Finally, a complete demonstration of remotely acquiring control of the device and obtaining important files from it will be given.
The way from App to Brain: attack surfaces of smart medical infrastructure
By Denis Makrushin
The concept of “SCADA for humans” is central to modern medicine. The realization of systems that collect and process information about human body parameters builds on current infrastructure and technology implementations. In the case of some treatment procedures, data transferred via vulnerable medical networks and management software could be compromised, which could lead to an attacker being able to tamper with massive groups of patients at the same time. The goal of this talk is to present the results of offensive research on networks and online management software used in daily medical practice. We show not only typical entry points in medical infrastructure, but also highlight the vulnerabilities in software popular with surgical teams, which also permit attackers to access sensitive data and even affect treatment procedures.
Vulnerabilities of mobile OAuth 2.0
By Nikita Stupin, Mail.ru
He's also a Bug Bounty Hunter: Airbnb, Semrush, Yandex and others. He's the Dean of the faculty of Information Security, GeekBrains
Nikita has a Degree from Bauman Moscow State University, Information Security
Mobile applications are increasingly implementing the OAuth 2.0 protocol. Despite this, vulnerabilities in mobile OAuth 2.0 implementations are still found even in the products of large companies.
In this report we will look at following vulnerabilities of mobile OAuth 2.0:
1. Authorization Code Interception Attack
2. OAuth 2.0 CSRF
3. Vulnerabilities caused by WebView usage
4. Vulnerabilities that increase the probability of phishing
Also we will cover the most widespread and critical vulnerabilities of regular OAuth 2.0:
1. Vulnerabilities in redirect_uri checks
2. MitM of authorization_code/access_token
3. Poor OAuth 2.0 protocol implementation
4. ... and some others 🙂
Vulnerabilities will be accompanied by real-world examples from my bug hunting experience.
Protection techniques will be presented from pentester's point of view. We will discuss defensive mechanisms such as:
1. Proof Key for Code Exchange
2. Crypto properties of OAuth 2.0 tokens (access_token, authorization_code, code_verifier and others) and how they are managed
3. IPC as a simpler (compared to HTTP) and more secure transport
4. When client_id and client_secret do more harm than virtue?
We will cover three flows of OAuth 2.0 protocol:
1. Authorization Code Grant
2. Implicit Grant
3. Implicit Grant with IPC transport
Redesigning Open Source Ransomware
By Raul Alvarez, Fortinet
He has presented in different conferences like BSidesVancouver, BSidesCapeBreton, OAS-First, BSidesOttawa, SecTor, DefCamp, BCAware, AtlSecCon, BSidesCalgary, TakeDownCon, MISABC, InsomniHack, ShowMeCon, CircleCityCon, HackInParis, Kwantlen, HackFest, Sec-T, and DeepSec.
He is a regular contributor to the Fortinet blog and to the Virus Bulletin publication, where he has published 22 articles.
He is currently a member of the DefCamp Conference Advisory Committee.
One of the reasons that ransomware was so rampant in the last couple of years is the existence of open source code for ransomware. Not only can you study and learn what works, but you can also modify it for personal use. Grab the open source code, add additional features and voila! New ransomware.
On the other hand, most infamous ransomware in the wild doesn’t give away its source code. We can learn how it ticks by reversing its binary. If you want to redesign your ransomware, grab the open source code and add other tricks and features you’ve learned from other existing ransomware.
In this presentation, we will look into a possibility of redesigning open source ransomware and add some features taken from the reverse-engineered version of other ransomware.
We will also look into the general ransomware design based on open source and reverse-engineered ransomware. I will show how easy it is to modify open source ransomware, add your crypto wallet address, modify the ransom note, and change other things. Then, we will see where we can insert the extra features that we’ve learned from in-the-wild ransomware. We will also see if it is feasible to redesign other in-the-wild ransomware by reversing and modifying its binaries.
Since we are actually on the blue side of the fence, we will look into the weaknesses naturally inherent from open source ransomware, and how they can be mitigated.
Finally, we will see how ransomware, in general, is starting to lose its grip on the malware ecosystem.
SD-WAN - Yet Another Way to Unsafe Internet
By Denis Kolegov, Bizone & Oleg Broslavsky
Oleg Broslavsky is a security enthusiast, PhD student at Tomsk State University, and member of the SiBears CTF team. He has given talks about aspects of web security and post-exploitation techniques at some practical security conferences (Positive Hack Days, ZeroNights, POC), developer conferences (HighLoad++) and even academical ones (SibeCrypt).
Today, "SD-WAN" is a very hot and attractive topic. Software-defined WAN (SD-WAN) is a technology based on the software-defined networking (SDN) approach applied to wide area networks (WAN). According to Gartner’s predictions study, more than 50% of routers will be replaced with SD-WAN solutions by 2020. At the same time, from a security point of view, SD-WAN is a dangerous mix of Web technologies, custom cryptography, virtualization, immature features and complicated logic.
In this talk, we describe the most common classes of design flaws and vulnerabilities in SD-WAN and disclose a set of reported and already patched vulnerabilities in popular SD-WAN products. We present the new results of our research and consider some technical details of the insecure design and the vulnerabilities found. We also deeply explore a design flaw in a well-known SD-WAN product that could allow an attacker to compromise all SD-WAN networks in the world.
Cryptocurrency mobile malware
By Axelle Apvrille, Fortinet
On Windows, cryptojacking has become a big issue. It generates significant revenue for its authors: even small botnets generate as much as 500 US dollars per day!
"Why not port it to smartphones?" cybercriminals obviously thought. Indeed, we have had cryptocurrency malware on Android smartphones since 2014. We discuss some of the recent ones (AdbMiner, HiddenMiner, Clipper...), and reverse engineer live the most interesting ones.
Despite their increasing power, mining on smartphones has its limits. For example, mining Bitcoin on a smartphone does not make sense. We see which cryptocurrencies are mined on smartphones and discuss how profitable this is for cyber-criminals. We follow the earnings of the authors of HiddenMiner, based on live captures we were able to get.
Threat Hunting Research Methodology: A Data Driven Approach
By Roberto Rodriguez, SpecterOps & Jose Luis Rodriguez
Threat hunting as a process is still being defined for many organizations across various industries. Hence, the justification of its budget becomes even harder. Some security teams don’t have a formalized team in place, and they see threat hunting as an informal, ad-hoc procedure where it becomes the responsibility of all cyber employees to find malicious activity. Others see threat hunting as a formalized process that requires a full-time team focused more on creating detection strategies for adversaries even when they are not in the production environment. No matter how it is defined, there is still uncertainty pertaining to the impact that threat hunting has on the security posture of an organization. In addition, organizations believe that buying more tools and hiring more people would solve their problem. However, they disregard the fact that they might not even have the right data to start with. In this presentation, we will share a threat hunting research methodology that focuses on assessing what an organization has and needs from a data perspective to validate the detection of an adversary. This talk will show organizations how they can assess the collection and quality of their data and create data analytics to set their teams up for more effective engagements in production networks.
Betrayed by the Android User Interface: Why a Trusted UI Matters
By Yanick Fratantonio, Eurecom
In the last few years, the Android platform has gone through a lot of changes and security enhancements. Most of these improvements relate to low-level mechanisms and current devices are significantly more difficult to compromise than ever before. However, without a "trusted UI", many of these mechanisms can be bypassed. This talk will provide an overview of two of the biggest UI-related open problems in Android security: clickjacking and phishing. In particular, it will feature UI clickjacking attacks against a wide range of sensitive apps, and how modern features of Android, such as mobile password managers and Instant Apps, can be used to mount the stealthiest phishing attacks known to date. This talk will also discuss why it is so difficult to eradicate these problems and what we can do to defend ourselves.
Digitalisation demands defensive action
By Daniel Caduff, Federal Office for National Economic Supply FONES
Increasing levels of IT penetration and networking in almost all areas of life open up both economic and social potential that a highly developed and industrialised nation like Switzerland cannot fail to act upon. At the same time, however, increasing digitalisation also gives rise to new threats to which we must respond quickly and decisively. The particular danger of targeted cyber-attacks on IT infrastructures affects public-sector bodies, operators of critical infrastructures, and other businesses or organisations to the same degree.
These individual businesses and organisations have a fundamental responsibility to protect themselves. However, wherever the functioning of critical infrastructures is affected, the state also has a responsibility, based on its remit as laid down in the Federal Constitution and in the National Economic Supply Act. To address this responsibility, FONES released Switzerland’s ICT Minimum Standard in 2018. The ICT Minimum Standard is an expression of the responsibility of the state to protect its citizens, its economy, and its institutions and public administrations. The ICT Minimum Standard comes into play in those areas in which a modern society can least afford outages: in those ICT systems that are important to the functioning of critical infrastructures. Daniel will outline the intention and strategy of FONES to strengthen the resilience of this critical infrastructure against cyber risks.
Intelligence-driven Red Teaming
By Peter Hladký, Credit Suisse
Cyber security breaches are repeatedly placed among the top risks by governments and organizations in the private sector. States are revising and improving their national strategies to improve the resilience of their critical infrastructure sectors, among them the financial sector. Financial institutions have several motivations to invest in and build their own cyber security capabilities. Their services are being increasingly digitized. Cyber security is within the focus of financial regulatory authorities. Financial institutions are being constantly targeted by hacktivists, cyber crime groups, nation-states, or nation-state proxies. Because of these reasons and the resources available to them, financial institutions are at the forefront of developing or adopting novel defensive cyber security capabilities to protect their assets. Two capabilities that stand out are Cyber Threat Intelligence and Red Teaming. The former has a longer history, while the latter has received more focus from different regions and regulatory authorities in recent years. A number of frameworks within the sector were recently developed for conducting intelligence-driven red teaming exercises.
In this talk, I will focus on two capabilities – Cyber Threat Intelligence and Red Teaming. I will begin by exploring frameworks for the purposes of intelligence analysis. Next, I will focus on the role of red teaming, and I will argue why traditional methods of security assessment and testing are no longer sufficient to assure resilience against sophisticated cyber attacks. Then, I will discuss the interplay of the two capabilities captured by different frameworks for conducting intelligence-driven red teaming exercises. And finally, I will compare exercises in the financial sector with cyber defense exercises such as Locked Shields and Crossed Swords.
Addressing privacy: GDPR, Cloud, and You
By Chris Esquire
Chris has over 22 years of IT, communications and cyber security experience. He holds several industry-recognized certifications, including the CISSP, CEH and CCSK. He holds several degrees, including a BSIS focused on IT and accounting forensics, an MSISM focused on project management, and a Juris Doctor. He is finishing dual PhDs in Management Information Systems and Business Administration focused on information security, with his dissertations focused on the legal implications of security breaches on organizations and on legal and ethical issues in security management.
He has presented as a speaker, and his award-winning research has been used as material for several conferences by the American Bar Association and universities. He is a chapter lead and section author for the International Guide to Cyber Security, 2nd edition, to be published by the American Bar Association, for the topics of Enterprise Systems and Technology Issues, A/V & Malware Detection, IDS/IPS & Firewalls, Whitelisting, NERC, & OWASP.
This talk addresses how GDPR affects businesses that operate globally and utilize cloud technology from a privacy and liability perspective. Legal concerns, best practices, and forward areas of research will be presented.
NSX-T Architecture & Benefits
By Erik Bussink, VMware
VMware NSX-T is the network virtualization platform for the software-defined data center (SDDC). This session will detail the overlay model used in NSX-T Data Center and highlight the benefits resulting from decoupling networking from the physical infrastructure. NSX-T can deliver its networking features across a heterogeneous range of products and environments: VMs, containers, bare-metal servers, whether they are deployed on-prem or in the cloud. The presentation will also introduce the different components involved in NSX (management plane, control plane, data plane) as well as a summary of its services, including routing and switching.
From the cloud to the internal network – Offense vs Defense
By Snir Ben-Shimol, Varonis
Since then, he has worked in the Advanced Security Center of EY as the Cyber Security Advisory leader, managing red-team operations and risk assessments. He has advised major international corporations and high-profile individuals on building their security resilience and protecting their organization. Prior to his current role, he led Radware’s Cyber Security Research division, responsible for innovation and security solution capabilities.
More companies are moving their most critical assets to the cloud, enabling new technologies, frameworks and cloud-based applications. Misconfigurations, lack of experience and the growing number of external access points have turned into fertile ground for threat actors. Spear-phishing attacks have become more powerful. Simple credential theft and successful brute-force attacks are escalating in impact and severity within hybrid environments.
In this talk, I’ll share real-life attack use cases showing how external attackers get into the network and gain full control over the internal domain. Those use cases were identified by our researchers and forensics teams and later became a baseline for several dynamic threat detection algorithms.
Finally, you’ll see how an organization can use this data in order to develop a powerful vaccine against unknown attacks and targeted campaigns by leveraging advanced analytics capabilities.
The Evolution of Cloud Threats
By Paolo Passeri (@paulsparrows), Netskope
Organizations are increasingly moving to the cloud to reduce costs and enable collaboration between partners, customers, and suppliers. On the other hand, cybercriminals are constantly looking for newer and cleverer ways to carry out their malicious campaigns, deploying attack vectors that take advantage of this process. This session will discuss how threat actors are leveraging cloud resources for their malicious purposes and how this trend is influencing the threat landscape.
What every (IT | Security) Professional should know about the dark web
By Mischa Peters, IntSights
Turn on the nightly news or your favourite TV drama and you’re bound to hear mentions of a vast criminal underworld for drugs, sex, guns, and identity theft hidden in plain sight – all you need is a computer or mobile device to get there – this is the dark web. But what is the dark web really?
While well known, fewer than 1% of internet users have visited the dark web and even among IT security professionals, only 1 in 7 have ever ventured to a dark web forum or site. This lack of direct experience helps explain why there is so much fear and misinformation being spread. But it also suggests that many in the security industry are missing out on a crucial source of information that could help them better protect their enterprise and better get inside the mind of a hacker.
In this talk, we hope to use our knowledge to help break apart fact from fiction and provide you with the basics you, as a security professional, will need to begin safely leveraging this growing intelligence resource to better protect your organisation.