Thursday, March 23rd
Friday, March 24th
(KEYNOTE) Crazy incentives and how they drive security into no man's land
Dr. Christian Folini
SPEAKER BIO
But life goes on and castles tend to be very cold, especially in winter.
So he turned to defending web servers, which he finds equally challenging. He brings 15 years of experience with ModSecurity configuration in high security environments, DDoS defense and threat modeling.
Christian Folini is the author of the second edition of the ModSecurity Handbook and the best known teacher on the subject. He co-leads the OWASP ModSecurity Core Rule Set project and serves as the program chair of the “Swiss Cyber Storm” conference. Over the years, he made a name for himself as somebody who managed to piss off the No-E-Voting as well as the Pro-E-Voting crowd, which he takes as proof of a well-balanced and typically Swiss position.
In 2023 he attempts his third InsomniHack keynote in a row with a presentation that is set to vex his supporters and put future sponsoring of his own open source project as well as the conference at risk.
ABSTRACT
Everybody, Blueteam and Redteam players alike, is driven by incentives. Good incentives persuade us to do the right thing and patch our servers. Bad incentives make us eat unhealthy food and follow stupid security practices.
There is a huge resource problem in the IT industry and especially in the security industry. So you would expect people to pay attention to the existing incentives and the incentives they create with their documentation, their awareness trainings, their security reports, etc.
But reality paints a different picture: Bad incentives all around! We see insane security practices eating valuable time and online trainings annoying users, slowly teaching them to become brainless zombies whenever they hear the keyword "security".
But it's even worse. I've come across incentives that lure companies into creating bad products and I've seen companies create products that incentivize their customers to waste their time and money.
Sometimes the mechanisms are too strong to fight. But sometimes it takes people like you and me to say NO and stand up for real security!
Follow me on a journey and security will never look the same to you again!
(KEYNOTE) The Converging Threat Landscape
Patrice Perche (Chief Revenue Officer and EVP Support at Fortinet)
ABSTRACT
Just as network and security solutions, and IT and OT networks, are converging in the cybersecurity industry, a similar phenomenon is occurring in the threat landscape. Fortinet has observed a shift in attack tactics as cybercrime becomes highly targeted and even destructive in nature. Cybercriminals are expanding from IT targets to OT, with new destructive tools – specifically system wipers – at hand. Risk continues to rise, and the crime-as-a-service portfolio is expanding. This talk will highlight some data points observed by Fortinet over 2022, as well as public-private sector industry efforts that are underway to disrupt this threat.
Modern Adventures with Legacy Protocols
Yannay Livneh
SPEAKER BIO
Yannay is a regular contributor to PoC||GTFO magazine and also an active CTF player and a member of the 5BC team.
During 2015-2018 I found myself in a few scenarios that required IP spoofing capabilities to triumph. 30 years ago that wasn't a problem, but nowadays the moderators of the Internet (ISPs, governments, etc.) don't put up with that (except for themselves). Unfortunately, I'm neither a government nor an ISP, so I had to come up with some feasible solution for the average hacker. If you are like me, tragically devoid of nation-state capabilities, join me in this talk where I explain how you can find IP-Spoofing-As-A-Service on the internet today for free using legacy VPN protocols.
But, there is more. This talk is not your average "How I found and exploited CVE-*". No. This is not about the CVEs, not about the 0days, not about the exploits and not about the tools. Even though this talk includes all of the above, the focus of this talk is not the outcome, but the quest we call "research". I will discuss the things you won't find in a paper - the failures, the struggles, the details to make things actually work and the accidental packet of death I unleashed in the wild (I'm sorry). I will also share the horrible experience of reporting a multi-vendor vulnerability and why I will never do this again.
This presentation concludes 3 years of moonlight research. Parts of it were published before and granted me a Pwnie Award for the Most Under-hyped Research of 2022 and a couple of CVEs. But some parts were left in the shadows. Join me as I conclude the odyssey and share the full juicy details, so you too can spoof the internet at will.
Hacking Harms! Measuring the impact and harm from cyberattacks
Emma Raffray
She has spent over 10 years working as an intelligence analyst across multiple sectors, including national and international law enforcement (Metropolitan Police Service, London, UK and INTERPOL), the financial sector, defense and the humanitarian sector. She is a recognized expert, providing operational and strategic analysis for intelligence units, investigations and projects.
Emma holds a BSc in Criminology and Social Policy, Loughborough University.
Over the years, efforts to measure the impact of cyberattacks have focused on the direct impact to targeted systems or organizations: the time to restore them, financial costs and, to some extent, the number of breached records. This narrow assessment of the impact of cyberattacks misses a fundamental element: the harm the attack caused to people. The CyberPeace Institute is developing a methodology to do just this and needs your support!
Data Science and Machine Learning in Cybersecurity: Hype or Reality?
Angelo Schranko de Oliveira
Defensive mechanisms such as firewalls, proxies, web application firewalls, intrusion detection systems, intrusion prevention systems and so on continuously generate a huge amount of information. How can we leverage that information for threat detection and improvement of SOC operations? In this talk I'll present three real-world scenarios where I've successfully applied Data Science, Supervised and Unsupervised Machine Learning, and Probabilistic Graphical Models for triaging SOC alerts, detecting API abuse, and detecting data exfiltration. By the end of this talk, the audience will be able to decide if Data Science and Machine Learning in Cybersecurity is reality, hype, both, or neither!
RCEing Your Way Into the Blockchain: Uncovering a critical vulnerability and taking over Decentralized Identity (DID) networks
Shaked Reiner
The promise of Decentralized Identity (or DID) is to set us free from corporations owning our digital identity (be it Google, Apple, etc.) by distributing it to a blockchain. In this talk, we'll learn the fascinating technology behind DID and see how we were able to completely own one of the most popular DID networks currently active by uncovering a critical CVSS 10 vulnerability in it.
Inglourious Drivers - The Revenge of the Peripheral Devices
Omer Tsarfati
Do you like gaming and gambling?? Why not do both with your computer’s security?!
Just install a driver from your favorite peripheral vendor, and find out if it allows attackers to completely own your machine (chances are it will!).
We'll deep-dive into the 0days we discovered, exploit them, go over mitigations, and explore a very concerning and common driver behavior that you can easily avoid.
Breaking and fixing Azure AD device identity security
Dirk-jan Mollema
In zero trust deployments, the user's endpoint is an important component. Long-term credentials are stored on the endpoint that comply with strict security policies, such as Multi Factor Authentication and device compliance.
To secure these credentials, hardware protection with a Trusted Platform Module is used where possible. But how effective are these security controls? I have been researching Azure AD device security for the past two years and have broken quite a few of the security controls I encountered.
When a device is joined to Azure AD, several cryptographic secrets are stored in a secure part of the device’s hardware (Trusted Platform Module). These cryptographic secrets are used to prove authentication is happening from that device and the credentials were not simply extracted to elsewhere. When I first started looking at this implementation, there were several issues with it. The secrets to device authentication, although protected by a TPM, could be extracted using mimikatz by dumping the lsass process. During the following months, I researched other attack avenues that could accomplish the same without needing to dump the lsass process. In fact, I discovered it was possible to bypass the protection by the TPM in its entirety and obtain long-lived trusted access tokens without even needing Administrator privileges on the device. Meanwhile, Microsoft improved the authentication flow and changed how the TPM is used during authentication.
In this talk I walk you through all the details of the discovery of these vulnerabilities, and how they were eventually patched by Microsoft throughout 2021 and 2022.
Targeted Social Engineering Attacks: Weaponizing Psychology
Christina Lekati
With her background and degree in psychology, she learned the mechanisms of behavior, motivation, and decision-making, as well as manipulation and deceit. She became particularly interested in human dynamics and passionate about social engineering.
She works with Cyber Risk GmbH as a social engineering trainer and consultant.
Christina is the leading developer of the social engineering training programs provided by Cyber Risk GmbH. She has participated in penetration tests and is running tailored training programs within companies and organizations.
Christina is also conducting vulnerability assessments on corporations and high-value targets. Those reports are based on Open Source Intelligence (OSINT). Their goal is to help organizations identify and manage risks related to human or physical vulnerabilities. These risks are the result of intelligence that is produced through publicly available resources and that threat actors regularly utilize in their attacks.
Within this realm, she is also an active executive Board Member at the OSINT Curious project, contributing to the international scene of Open Source Intelligence (OSINT) with the latest news, updates, and techniques on collection and analysis.
Cybersecurity today is not only a technical challenge.
It is also a behavioral challenge.
For years we have been reading reports warning us that people are the primary attack vector. Social engineering attacks remain at the top of the threat landscape and data breach reports. But although we tend to simplify many breaches as the result of a successful phishing attack, the reality we get from current threat research is more complex. Social engineering attacks have been evolving. Today, the pathway that leads to that successful phishing email is often the result of a larger, well-researched attack kill chain. But it doesn't stop there.
Targeted social engineering attacks that weaponize psychology have started becoming a tool employed by cybercriminals to infiltrate organizations in the public and private sectors, steal sensitive information, recruit insiders, and help threat actors breach an organization's security.
This talk provides insights into the mechanisms and the methodology of today's targeted social engineering attacks and how they weaponize psychology. It discusses how attackers tailor their approach in order to compromise specific people in key positions, and the tricks they use to build trust and elicit information that assists them in strategizing, initiating, or delivering an attack.
This presentation will include recent, real-life case studies from current threat intelligence; it will discuss the lessons learned and the defense mechanisms we can employ to detect and deter targeted social engineering attacks.
Adversary Tracking And All The Lies We Tell Ourselves
Joe Slowik
Adversary tracking and identification - if not outright attribution - is a complex and challenging task, but one that retains a fundamental flaw in its focus and execution. When tracking entities, from red teams to advanced persistent threats, defenders are almost always operating from the perspective of incident-related technical observations. While this can outline how an incident took place and through what tools, such information does not provide much (if any) insight as to who is involved and what their motivations may be. In this presentation, we will examine the identification issue, distinguishing between developers, infrastructure operators, and actual intrusion entities while highlighting the implications of these divisions for defenders as well as those involved in the new discipline of adversary emulation. Through this discussion and examination of case studies, attendees will learn the pitfalls of identification based on technical artifacts in an increasingly commodity ecosystem, and how to combat the impacts of such a trend in their own operations.
How to have visibility and security OF CICD ecosystem
Pramod Rana
- Omniscient - LetsMapYourNetwork: a graph-based asset management framework
- vPrioritizer - Art of Risk Prioritization: a risk prioritization framework
- sec-depend-aider - Dependabot pull request monitoring automation platform
He has presented at BlackHat, Defcon, nullcon and GrayHat before.
He is leading the application security team in Netskope with primary focus on integrating security controls in the development process and providing security-testing-as-a-service to other teams. He loves to understand new security practices and how to practically implement them.
A security professional by job, a coder by hobby, a runner by passion.
Today CICD platforms are an integral and critical part of the overall software supply chain. To support the business requirements, they process a lot of sensitive data, the compromise of which can affect the entire organization. Security IN CICD is a well discussed topic; now security OF CICD deserves the same attention.
One of the challenges with security OF CICD, like most areas of security, is the lack of visibility into what actually makes up a CICD ecosystem. Security starts with being aware of what needs to be secured.
In this talk I will be presenting how an organization can approach the visibility and thus the security OF the CICD ecosystem, along with some common attack areas like access controls, credential hygiene, misconfiguration etc. and their possible solutions.
I will introduce two new open source projects:
First, **CICDGuard** - a graph-based CICD ecosystem visualizer and security analyzer, which
- Represents the entire CICD ecosystem in graph form, providing intuitive visibility and solving the awareness problem
- Identifies common security flaws across supported technologies and provides industry best practices and guidelines for identified flaws
- Technologies supported as of now:
  - GitHub
  - GitHub Action
  - Jenkins
  - Spinnaker
Second, **ActionGOAT** - a deliberately damn-vulnerable GitHub Action for learning purposes
Cloud, IoT, machine learning: which models for secure ICS network architectures to adapt to new usages?
Alexandrine Torrents
There are more and more business needs requiring interconnections with the ICS that seem legitimate. Yet, how do we allow these interconnections in a secure way? And can we say yes to everything?
ICS cybersecurity requirements have always been the same. And in terms of network architecture, we always come to the Purdue Model, as well as the zones and conduits methodology. Traditionally there has been a rigidity to what a “secure” ICS architecture is. The Internet tends to be seen as the devil when we talk about ICS.
Well, “No Limits!” made me want to dream a little bit. What if I could start from scratch and build my dream architecture for ICS without any limit?
In this presentation, we compare and contrast the requirements and corresponding secure ICS network architecture of two very different businesses within the same company: power plants and solar/wind farms.
Attacking and Defending GraphQL: The Ultimate Guide
Leo Juszkiewicz
Currently works as an **AppSec Architect at Dario (NASDAQ:DRIO)**, designing, building and implementing finest in-class security solutions, as well as maintaining security tools and systems, sticking to best SSDLC practices in the HealthTech industry.
Attacking and Defending GraphQL, the ultimate GraphQL guide. Leo will elaborate on the basics, history, how it works, its advantages, and why it became one of the most popular technologies for APIs in modern web applications. Subsequently, Leo will elaborate on common attack scenarios. He will dive deeper into the technicalities and share details about several common exploitation techniques and tactics, as well as showcasing real-life use cases that were exploited in the wild, bypassing security entirely and achieving full account takeover. Additionally, Leo will provide statistics and best practices for developers to create a working plan for testing, remediating and validating the security of GraphQL endpoints.
Go security pitfalls: 2 lessons from the battlefield at Grafana Labs
Jeremy Matos
Twitter: @SecuringApps
The Go language has proven to be very secure, yet it is not bulletproof. We will analyse in detail 2 significant vulnerabilities in Grafana that were ultimately caused by confusion around Go usage, and discuss how we gained confidence that the fixes were not missing anything.
Hacking your Jump Rope or your Coffee Machine
Axelle Apvrille
In a prior life, Axelle used to implement cryptographic algorithms and security protocols.
As some may know, I love to hack IoT. Some connected objects are useful, some are close to useless but whatever category they fall in, they are always very interesting and funny to hack! In this talk, you'll learn how to hack a connected jump rope and a connected coffee machine. Actually, maybe it's better to hack coffee first and get more energy to jump ;P
The talk is very much about Bluetooth Low Energy, Android applications and how to reverse engineer them.
Turn and Face the Strange: Ch-Ch-Changes in Ransomware Techniques
Lindsay Kaye
Everyone makes mistakes - including threat actors who deploy ransomware. Sometimes, “technical innovation” on the locker goes sideways and makes it easier to track or reverse engineer, or a false flag operation doesn’t quite pin enough blame on the intended party. We will highlight some interesting examples of ransomware techniques, such as PLAY’s usage of ROP, LockBit’s acquisition of BlackMatter code, ALPHV’s Morph obfuscation tool, and the myriad of threat actors who use custom-designed crypto or hard-coded, cryptographically insecure keys, and the opportunities they presented for us as defenders to signature and detect their malicious behavior. We will present technical deep dives on these techniques and talk about evolutions in the lockers, where relevant. On a similar note, we as defenders can often focus on the novel, innovative tools and often the art of the possible while tried and true techniques remain extremely successful for threat actors. As a result, while detections centered on these novel behaviors are effective for threat hunting or tracking specific groups, defending against them is most effectively accomplished by focusing on commodity tools and TTPs used across groups. Finally, we will discuss how to stay ahead of the ever changing threat landscape, and how we anticipate threat actors will evolve, including where we expect to see them innovate next.
Open Sésame! Example of Modern Electronic Lockpicking
Thomas BYGODT
He does not want to remain passive in front of the technologies that interact with the real world. Testing and understanding them allows us to better understand their limits, both for people's privacy and for their security. He has been specializing in connected devices for 2 years now.
In an ever increasingly connected society, we are often introduced to “new and improved” devices that offer smart capabilities, and door locks are no exception. Increased security and ease of use are some of the key selling points for these locks. However, are these modern, connected locks more secure than those from the 90s when a thief could break into your house with a little practice?
This presentation goes back to some of the origins of hacking, when hardware was as important as software is today. We will show the consequences of lax security design by hacking a connected door lock. The goal being, of course, that a homeowner would not be aware of our intrusion, all without needing any expensive equipment. From the raw electrical signal to an external proprietary BLE SDK, we will cover all aspects of the lock and confirm some vulnerabilities on another lock.
In fact, sometimes attacking your target is as simple as copying it, giving the firmware some minor tweaks, replacing some parts and voila, Open Sesame!
Cloud Disaster... As a Service (CANCELLED)
Chris Hernandez
The mix of hybrid on-prem and in-cloud environments is prevalent today. Given the added operational cost of being fully migrated to the cloud, some enterprises have adopted an approach of utilizing cloud service providers for disaster recovery. Physical and virtual machines are synchronized to the cloud as a disaster recovery solution. But what if this disaster recovery solution is a disaster in its own right? Enter Microsoft Azure Site Recovery, a cloud disaster-recovery-as-a-service platform (DRaaS), or as I like to call it, just plain "Disaster-as-a-Service".
Hacked on national television
Linus Kvarnhammar
In 2021, Swedish national television (SVT) aired a six-part TV series called "Hacked" where 4 professional hackers set out to hack into the private assets of normal people, celebrities, and companies. The “victims” had all agreed to participate in a cyber security experiment but were unaware of what exactly was going to happen. Linus was one of the 4 hackers in the TV series and in this talk, he is going to talk about some of the most interesting hacks that were seen on-screen.
Whatever Pown2own
Benoit Forgette & Damien Cauquil
In this work, the part that seems to me the most interesting is the automation/instrumentation/hijacking part. It is fascinating to see how much it is possible to hijack a piece of equipment from its original purpose. This is even more impressive when we talk about physical equipment which has an impact on its environment.
Pown2own is a bug bounty competition: many participants are present and only the first participant gets a reward.
It is important to be efficient in your research: time spent on a search that does not lead to exploitation is simply wasted.
In this competition it is not necessary to be exhaustive but efficient: a vulnerability that cannot lead to code execution should not be considered.
To avoid falling into these traps, we decided to target vulnerabilities with a high chance of leading to code execution, and we wanted to industrialize this research by automating it so that the same search can be reproduced on any firmware.
Permissionless Android Universal Overlays
Dimitrios Valsamaras
Both Android and iOS operating systems interact with users through a constrained graphical interface, typically occupied for the most part by one application at a time while many others can run in the background. As a result, a user must rely on the GUI provided by the application itself to verify its legitimacy. This type of behavior has raised concerns within the security research community that have proved to be well founded, judging from the fact that multiple malware campaigns use GUI confusion as their main attack vector.
In this paper we present a novel GUI attack that leverages the fact that an Android activity maintains its graphical state and can receive touches while it is at the top of the back stack of the device home screen. Whilst most of the techniques that have been introduced so far require the SYSTEM_ALERT_WINDOW permission, the one we present is permissionless and makes use only of the FLAG_NOT_TOUCH_MODAL flag.
By using this technique, we were able to create overlapping views over system dialogues, luring the user to unintentionally approve dangerous permissions and access to system services. Third party applications are also at risk, as it is possible to garble their UI by projecting fraudulent views that ostensibly belong to the targeted application’s context. For the latter to be successful, the PACKAGE_USAGE_STATS permission must be obtained in order to identify the application that is currently in the foreground.
Google addressed a similar issue (CVE-2020-0416) for Android versions 8.0, 8.1, 9, 10 and 11 by enabling the filterTouchesWhenObscured attribute on all SwitchPreferences, for pages that control special application permission access. Our technique (CVE-2021-39617) was not affected by this fix, and it was proven to additionally impact system dialogues that control dangerous permissions.
The Snake is in the Grass: Finding Malicious PyPI Packages in the Wild
Christophe Tafani-Dereeper & Vladimir de Turckheim
Vladimir (Vlad) is a Staff engineer at Datadog. He has been working on Application Security topics since 2016 at Sqreen then at Datadog. He also is a Node.js core collaborator and has focused on Node.js runtime instrumentation. When he is not hacking, you might find him cooking or planning an upcoming raclette party.
Over the past few years, attackers have increasingly been using malicious software packages to compromise developer machines and organizations. The Python Package Index (PyPI), in particular, is frequently used to host backdoored versions of legitimate packages and information stealers. In this talk, we describe our approach and findings to identify malicious PyPI packages and present a new open-source tool, GuardDog.
Detection Engineering in Modern Day Security Organization
@tas_kmanager & Sylvain Lu
He is a seasoned Incident Responder and Threat Hunter with a Detection Engineering mindset; he believes that after every incident there is always a new detection opportunity. He loves to be involved in the security community and has presented at numerous world-class conferences such as SANS Summits and DEF CON BTV. He is also an active contributor to The DFIR Report, where he takes part in the analysis of real attacks and provides the public with high-quality threat intelligence reports and articles. He is also a proud member of CDEF.ID, an Indonesian security community where he has presented, talked in podcasts and is volunteering as a mentor.
Outside of security, he enjoys traveling with friends and family, doing astrophotography and cooking new foods from different parts of the world.
Sylvain Lu is currently a Security Developer for an MDR company. His main responsibilities include researching threats, and developing detections for clients in various industries. He is passionate about process development, especially in the space of Detection Engineering and Threat Hunting.
Is Detection Engineering just another overly hyped term in the world of Cyber Security? Is the role just a made-up one combining different elements of Defensive Security? Should your company stay away and not implement this fancy role in your organization?
If you are having these questions, then this presentation is for you! In this talk, we will dive into Detection Engineering, discussing all the components and parts of this role. We will view the role from different points of view, starting from the organization view, the individual view (aka the Detection Engineer view) and the daily view. On top of that, this presentation will be filled with real-life detection engineering lessons, gathered from the presenters' careers and from other detection engineers in the industry.
After this presentation you or your organization will be able to decide if your organization needs a detection engineering role and, with the information provided, be able to build a successful detection engineering program and train or hire the right detection engineer.
The History of Ransomware: From Floppies to Droppers, and Beyond
Eliad Kimhy
Modern ransomware has become synonymous with some of the most devastating cyber attacks of our time. But it hasn't always been so. 30 years ago, ransomware was born as a wild scheme, devised by a man armed with 10,000 floppy disks and a virus. How has this evolved into the most impactful form of cybercrime today, and what can this surprising, untold history teach us about our present and future?
USBvalve - expose USB activity on the fly
Cesare Pizzi
He develops software and hardware, and tries to share this with the community. Mainly focused on low level programming, he developed a lot of OpenSource software, sometimes hardware related (to interface some real world devices) sometimes not.
Doing a lot of reverse engineering too. He gave some presentations in different conferences:
- DEFCON 25 HHV: Ardusploit: PoC of Arduino code injection
- DEFCON 27 PHV: Sandbox creative usage
- BHUSA 2020 Arsenal - SYNwall: A Zero-Configuration (IoT) Firewall
- Insomni'hack 2022 - REW-sploit: dissect payloads with ease
- DEFCON 30 - Old Malware, New tools: Ghidra and Commodore 64
Contributor to several open-source security projects (Volatility, OpenCanary, Speakeasy, CETUS, etc.) and CTF player.
I'm sure that, like me, you were asked to put your USB drive in an "unknown" device...and then the doubt: what happened to my poor dongle, behind the scenes? Stealing my files? Encrypting them? Or "just" installing malware? With **USBvalve** you can find out in seconds: built on super cheap off-the-shelf hardware, you can quickly test any USB file system activity and understand what is going on before it's too late!
Breaking Docker’s Named Pipes SYSTEMatically
Eviatar Gerzi
While Docker is mainly known for running containers in a Linux environment, Docker Desktop is an application, by Docker, for Windows machines to run containers in Windows.
In this talk, we’ll show how Windows container research took a different turn, and we found multiple insecure APIs through a named pipe that led to numerous privilege escalation vulnerabilities.
You click, you lose: a practical look at Visual Studio Code's security
Thomas Chauchefoin & Paul Gerste
Paul Gerste (@pspaul95) is a Vulnerability Researcher in the Sonar R&D team. In recent months, he has been hunting bugs in popular JavaScript and TypeScript applications, yielding critical vulnerabilities in projects such as Rocket.Chat, NodeBB, and Blitz.js. Paul has also been a CTF player and organizer for some years and loves to hack all web-related things.
Developers are becoming targets of choice for threat actors because of their access to business-critical code and services. By compromising a single developer, software backdoors and supply chain attacks can lead to the compromise of high-profile organizations. For instance, a recent campaign attributed to North Korea has set up social network profiles and websites to social engineer and infect prominent figures of the developer community with malicious Visual Studio projects and browser exploits.
At the same time, modern development tools like IDEs offer increasingly advanced features and deep integration with language ecosystems, sometimes at the cost of basic security measures. IDEs tried to counterbalance it by introducing new lines of defense (e.g., "Workspace Trust"), whose design inevitably led to a cat-and-mouse game to restrict access to sensitive attack surfaces while keeping most features available by default.
In this talk, we present the state of the art of Visual Studio Code's security. We go in-depth into its attack surface, how its extensions work and the technical details of two vulnerabilities we found in Visual Studio Code. These findings, CVE-2021-43891 and CVE-2022-30129, led to a $30.000 bounty with an unexpected twist. We also present 1-days discovered by other researchers, to develop the intuition of the audience. These concepts apply to most IDEs on the market, and everybody will now think twice before opening third-party code!
A ticket worth waiting 65 years for
Charlie Bromberg
Silver and Golden tickets are used for persistence purposes within Active Directory offensive operations. In 2022, the "diamond" and "sapphire" variations of those forged tickets emerged. Let's understand, forge and use those tickets, and get a step ahead of the blue team.
Secrets, data and cypher-injections: Neo4j attacks and cloud exploits
Nitay Bachrach & Or Emanuel (Varonis)
Neo4j is the most popular graph database. In this presentation, we will show how an attacker who encounters a Neo4j database can abuse it not only to manipulate the app and steal data from the graph, but also to retrieve further useful information from the server and move laterally to other services and cloud assets.
This talk will explore novel techniques for exploiting Neo4j, starting with different Cypher injections, how to overcome protections and how to abuse them, all the way through to practical post-exploitation techniques.
Additionally, we show how attackers that gain a foothold and connect to an instance directly can extract secrets and pivot into the cloud (AWS, GCP, and Azure).
Security researchers will learn what they can do with Neo4j and how to exploit Neo4j servers. Defenders will learn what threat actors can do, so they will have the tools to protect their environment fully.
Use Case: Red Teaming a recently breached company
Nuri & Marat (Palo Alto)
Marat is a Red Teamer at Unit42 with 6 years of experience in offensive security and 5 years in big four companies. Marat specializes in simulating real-world attacks (Red Teaming) on an organization's computer systems to identify and address vulnerabilities.
After having been breached, a financial company decided to tighten everything by getting an ISO certification and purchasing some security devices. Once done, they asked for a Red Team to prove to executives that a breach was no longer possible.
Optimising Business Value with Secure Access Service Edge
Neil Thacker (Netskope)
With the compounding pressures of high inflation, scarce and expensive talent and global supply challenges affecting many organisations today, this session will explain how organisations that have adopted Secure Access Service Edge (SASE) have seen improved gains through an overall decrease in risk posture, improved business agility and overall improved ROI/TCO.
Pentesting by the numbers - what data analysis tells about what we do
Charl van der Walt
We've done a lot of penetration testing over the years. Each test has its own scope, objectives and constraints. Each test is performed by a specific hacker, who has unique methods, strengths and weaknesses. Every test is different.
But with enough tests, performed over enough time, there is a goldmine of data on patterns and trends we can use to develop a better understanding of what we’re doing, what we’re reporting, and how our customers are responding.
As reports are a boutique product, hand-written by the tester and customized to meet the customer's specific requirements, they do not lend themselves readily to quantitative analysis. For the purpose of this study, therefore, we have developed a basic Machine Learning capability that is able to 'read' these human-readable reports, quantify specific elements (like Findings and their assigned Severity) and even extract key entities, like CVE numbers, technologies involved, etc.
We collected, anonymized and enriched over 1,400 Penetration Test reports dating back to January 2018.
The 'Findings' of a Penetration Test report are obviously only a small element of the overall output, but they contain datapoints similar to the Findings of a vulnerability scan, so they can be analysed in a similar way and even compared to some extent.
In this presentation we tell the story of how we analyzed the data from thousands of penetration testing reports dating back more than four years. We describe the challenges we faced in data collection, the tools we developed to help us, the questions we asked once we had the data and the patterns that emerged once we had an analysis capability in hand.
We also share similar insights gleaned from a massive database of automated vulnerability scans and even from other perspectives, including security intelligence and incident detection and response.
None of these datasets is perfect, but they do hold valuable intelligence. Viewed together, they provide some invaluable insights. In this talk we will look at the data from penetration testing and other diverse services separately and, where sensible, together.
Join us in this session for a fascinating journey of exploration and discovery. Learn from our successes and our failures and help us think about the fresh questions and challenges that emerge when we try to extract useful intelligence from the work that we do.
Why kidz couldn’t care less about your password advice?
Mia Landsem
Mia has won several prizes for her work in helping thousands of victims of online image abuse, hacking and fraud, winning "The Girl Award" (Plan International) in 2018 and "Influencer of the year". She has also been a finalist in "Bravest woman of the year" and "Årets Trønder" / "Trønder of the year". She has also been a top 3 finalist (2021) in the international award "Cyber security woman of the year". The jury of The Girl Award said the following: "The winner of the Girl Award 2018 is an institution in itself. Mia Landsem shows the way by being energetic and extremely brave. Superman and Batman are nowhere near; this year's winner is among the roughest of its time. This is a winner we all want to be like. This is a winner we would all have run to for help," says jury leader Navjot Sandhu.
For kids and teens to use social media and play games, they often have to authenticate using a password. They face the same cyber security threats as the grownups, from a younger age. Their parents are often their first role models when it comes to knowing about these threats and protecting themselves. Parents and children report that they talk together about online safety. That is great news, but when did we ever listen to our parents? Did we use our dog's name as our password? Did we share our password and PIN code with our best friend? Did we drink that damned tequila shot when we were told we would get sick? Yes we did.
Mia Landsem will talk about the issues that these young children face: being hacked on their favorite game; their best friend who logged into their Instagram account and started to write nasty stuff to other children; the nude photos that were saved on their Snapchat and suddenly ended up in a hacker's hands, followed by a message that if they do not send more photos, the hacker will post the nude photos on their story to all their friends. Mia will talk about HOW we should educate the young ones, and how to make them care about security, passwords and password managers. Why kidz couldn't care less about your password advice? Come find out!
Stories of Money - Crypto, hacks, ransom, DeFi and attacks
Marco Preuss (Kaspersky)
Especially over the past few years, many successful attacks related to crypto and DeFi have been reported.
In this talk, several of the most notable incidents are discussed and explained.
Meet the latest innovations and startups in cybersecurity
Trust Valley Startups
ABSTRACT
PART 1: Meet the latest innovations and startups in cybersecurity (40 min)
6 startups (5 min each)
1. Custocy, Sébastien Sivignon (CEO)
2. Cognitechs, Gilles Rosset (CEO)
3. Clearsky, Stefano Zamuner (CTO)
4. Authena, Dejan Milenovic (CTO)
5. Altkimya, Philippe Huguet (CEO)
6. Anozr Way, Arnaud Gardin (CEO)
PART 2 (PANEL): How to become a cyber entrepreneur? Moving from employee to founder? (20 min)
- Saporo, Philippe Eyries
- Strong Networks, Laurent Balmelli
- Duokey, Seyfallah Tagrerout
Moderator: Lennig Pedron