Talks

Thursday, March 24th

| Time | TRACK 1 (ROOM A) | TRACK 2 (ROOM C) | TRACK 3 (ROOM K) | CONTESTS (ROOM B) |
|---|---|---|---|---|
| 09:00 | Keynote, by Riccardo Sibilia (Head of Computer Network Operations Team, Swiss Armed Forces) | | | |
| 10:00 | COFFEE | | | |
| 10:30 | It’s Raining Shells - How to Find New Attack Primitives in Azure, by Andy Robbins | How we've built one of the most secure media companies in the world, by Andreas Schneider | Cyberterrorism and the Energy Sector: A Framework to Improve Collaboration Between Lawmakers and Cybersecurity Experts, by Chris Esquire | |
| 11:30 | Delegating Kerberos to bypass Kerberos delegation limitation, by Charlie Bromberg | Introduction to Open Source Investigations, by Aiganysh Aidarbekova | Securing Critical Infrastructures with Fortinet, by Dino-Boris Dougoud (Fortinet) | |
| 12:30 | LUNCH | | | |
| 13:30 | Breaking SecureBoot with SMM, by Itai Liba & Assaf Carlsbad | An Insider Threat: What is Social Engineering?, by Crux Conception | CLOSED | 14:00 - 18:00: Splunk Boss Of The SOC |
| 14:30 | Exploiting WebKit to break Authentication and Authorization, by Sachin Thakuri & Prakash Sharma | Raising employee awareness: which training strategy to go for?, by Eric Bärenzung | CLOSED | |
| 15:30 | COFFEE | | | |
| 16:00 | Automatically extracting static anti-virus signatures, by Vladimir Meier | Practical exploitation of zigbee-class networks with USB-based RF transceivers & open source software, by Nitin Lakshmanan & Sunil Kumar | CLOSED | |
| 17:00 | REW-sploit: dissect payloads with ease, by Cesare Pizzi | Forging golden hammer against Android app protections, by Georges-Bastien Michel | CLOSED | |

Friday, March 25th

| Time | TRACK 1 (ROOM A) | TRACK 2 (ROOM C) | TRACK 3 (ROOM K) |
|---|---|---|---|
| 9:00 | Keynote: Adventurous tales of Online Voting in Switzerland, by Dr. Christian Folini | | |
| 10:00 | COFFEE | | |
| 10:30 | Two bugs to rule them all: taking over the PHP supply chain, by Thomas Chauchefoin | Managing large-scale response, by Mathias Fuchs | Ransomware Encryption Internals: A Behavioral Characterization, by Antonio Cocomazzi (SentinelOne) |
| 11:30 | A Common Bypass Pattern to Exploit Modern Web Apps, by Simon Scannell | The Rat-Race Detection Game, by Myriam Leggieri | Noise and Signals – Digging through threat- and APT-stories, by Marco Preuss (Kaspersky) |
| 12:30 | LUNCH | | |
| 13:30 | Hook, Line and Sinker - Pillaging API Webhooks, by Abhay Bhargav | Stop this car \|\| GTFO, by Karim Sudki | Elevate your security in the cloud with Telsys and AWS, by Colin Szajkowski, Geoffray Schmitt |
| 14:30 | Symbolic Execution Demystified, by Jannis Kirschner | Future Proofing your Security Operations Center, by Amitabh Singh (Palo Alto Networks) | Void Balaur: a cyber mercenary from the underground, by Feike Hacquebord (TrendMicro) |
| 15:30 | COFFEE | | |
| 16:00 | Attacking Bluetooth LE design and implementation in mobile + wearables ecosystems, by Rahul Umapathi & Nitin Lakshmanan | Hunting for Bugs in "Ethereum 2.0", by Denis Kolegov & JP Aumasson | Loose lips might sink Clouds, by Jason Hill & Dvir Sason (Varonis) |
| 17:00 | Blacksmith: A Blackbox Fuzzer for Bypassing Rowhammer Mitigations on DDR4 DRAM Devices, by Patrick Jattke & Stijn Gunter | Practical bruteforce of military grade AES-1024, by Sylvain Pelissier & Boi Sletterink | The Nym network deep-dive, by Simon Wicky (Nymtech) |
| 18:15 | ROOM B, 18:15 - 04:00: Capture The Flag (doors open at 17:15) | | |

Keynote

Riccardo Sibilia (Head of Computer Network Operations Team, Swiss Armed Forces)
SPEAKER BIO

Riccardo heads the Computer Network Operations team of the Swiss Armed Forces. In the last couple of years he and his team were charged (among other things) with the development of the technical training program and the necessary training infrastructure for the Cyber training within the military basic training. Riccardo is a physicist by training, has substantial experience in the SIGINT field and started his career in the field of Information Warfare / Information Operations. He is an active reservist in the Swiss Armed Forces and carries the rank of Lieutenant Colonel.
ABSTRACT
The challenge of integrating a complex and fast-developing field of activity such as Cyber Defence in the context of an army of conscripts requires following new paths in different areas. This starts with the selection of the personnel, based on the potential to rapidly acquire and integrate knowledge and to collaborate with skilled colleagues on a team or task force. In this talk both the current status and the ongoing and future developments towards an increasingly capable and reactive Cyber Force within the Swiss Army are presented.

Adventurous tales of Online Voting in Switzerland

Christian Folini
SPEAKER BIO

Dr. Christian Folini is a Swiss security engineer and open source enthusiast. He brings 15 years of experience with ModSecurity configuration in high security environments, DDoS defense and threat modeling. Christian Folini is the author of the 2nd edition of the ModSecurity Handbook and the best known teacher on the subject. He co-leads the OWASP ModSecurity Core Rule Set project and serves as the program chair of the “Swiss Cyber Storm” conference.
ABSTRACT
The Swiss tale of online voting serves as a typical example of the iterative development of highly critical IT systems and the eventual involvement of scientists as a necessary step for a government that is willing to learn from past mistakes.

Switzerland has been experimenting with online voting for over 15 years. Several generations of electronic voting systems have been implemented and almost all of them died along the way because of their profound security problems or when the money ran out.

In 2019, Swiss Post published the source code of its online voting system, the last system that was still in the race. Several highly critical findings were discovered in a matter of weeks and the system was stopped right before the national elections.

In 2020, the government rebooted the process by inviting two dozen international researchers into an intense dialogue that lasted several months. The resulting report is the base for the new regulation that was put on a public consultation in Spring 2021.

After an extensive feedback summing up some 700 pages, the new regulation is expected for 2022. It is meant to allow Swiss Post to get back into the online voting business with their new and overhauled system that is now open source to a wide extent.

A Common Bypass Pattern to Exploit Modern Web Apps

Simon Scannell
SPEAKER BIO

Simon is a self-taught Vulnerability Researcher at SonarSource who is passionate about playing CTF, traveling, and sports. He has come up with ways to find 0days in some of the most popular web applications such as WordPress, MyBB, and Magento2. He has also developed exploits for the Linux Kernel and Counter-Strike: Global Offensive.
ABSTRACT
During our vulnerability research, we broke the defenses of some of the most popular open-source web applications. We realized that many code vulnerabilities we discovered share a common theme. In this presentation, we want to express this common denominator as a simple, abstract methodology that seems to have gone unnoticed in the industry. Developers and security researchers can apply this pattern to find and prevent similar vulnerabilities in any project of any size, language, or environment. To turn our theoretical pattern into an entertaining presentation, we explain and demo related vulnerabilities that we discovered in applications such as Magento2, WordPress, and Zimbra.

Two bugs to rule them all: taking over the PHP supply chain

Thomas Chauchefoin
SPEAKER BIO

Thomas Chauchefoin (@swapgs) is a Security Researcher in SonarSource's R&D team. With a strong background in offensive security, he helps to uncover and to responsibly disclose 0-days in major open-source software. He also participated in various competitions like Pwn2Own or Hack-a-Sat and was nominated at the Pwnies Award for his research on the PHP supply chain security.
ABSTRACT
Package managers are essential components of the modern developer toolkit. They give the ability to deploy and update dependencies from a central repository in a click, significantly reducing operation costs. The majority of these tools are open-source, and the backend infrastructure that powers entire language ecosystems is run by volunteers. These services are provided on a best-effort basis and offer no guarantees, both in terms of availability and security.

Yet, virtually all software companies need these package managers to operate: compromising this segment of their supply chain is a very effective and subtle attack vector. A recent report of the European Union Agency For CyberSecurity (ENISA) studied 24 attacks reported between January 2021 and early July 2021 and highlighted that 50% of these attacks came from known threat actors and predicted a fourfold increase in 2021 as ransomware groups are joining the trend.

In this talk, we present the technical details of the vulnerabilities that allowed us to compromise the infrastructure behind the two PHP package managers, Composer and PEAR. Together, they serve more than a billion monthly package downloads, and the exploitation of these bugs by malicious actors could have led to a massive disruption of all companies using PHP. We will also discuss the way that we could reduce the risks of such an attack happening again and the actions that package managers could take to protect themselves.

Hunting for Bugs in "Ethereum 2.0"

Denis Kolegov & Jean-Philippe Aumasson
SPEAKER BIO

Denis Kolegov is a research engineer at Wallarm and an associate professor at Tomsk State University. His research focuses on applied cryptography, network security, and web application security. He holds a PhD and an associate professor degree in computer security. Denis has spoken at conferences such as Black Hat Asia, Power of Community, Area41, Zero Nights, Positive Hack Days, DeepSec, and SibeCrypt.
JP is co-founder and CSO of [Taurus](https://taurushq.com), and holds a PhD in cryptography from EPFL. He has been doing cryptography for 15 years, and notably designed the ubiquitous algorithms BLAKE2 and SipHash. He wrote the reference books Serious Cryptography and Crypto Dictionary. His previous research works can be found on [https://aumasson.jp](https://aumasson.jp). He is [@veorq](https://twitter.com/veorq) on Twitter.
ABSTRACT
Over the last 6 months, we looked for bugs in protocols and software of Ethereum's beacon chain (previously called "Ethereum 2.0"), including the recent Altair fork. In this talk, we will describe some of the most interesting security issues we have found. We will describe security shortcomings in the libp2p and discv5 handshake protocols, BLS signatures, and API implementations. Then we will discuss supply chain and fingerprinting risk analysis results. Finally, we will draw some lessons from our experience.

Hook, Line and Sinker - Pillaging API Webhooks

Abhay Bhargav
SPEAKER BIO

Abhay Bhargav is the Founder of we45, a focused Application Security Company and the Chief Research Officer of AppSecEngineer, an elite, hands-on online training platform for AppSec, Cloud-Native Security, Kubernetes Security and DevSecOps.

Abhay started his career as a breaker of apps, in pentesting and red-teaming, but today is more involved in scaling AppSec with Cloud-Native Security and DevSecOps.

He has created some pioneering works in the area of DevSecOps and AppSec Automation, including the world’s first hands-on training program on DevSecOps, focused on Application Security Automation. In addition to this, Abhay is active in his research of new technologies and their impact on Application Security, specifically Cloud-Native Security. In addition, Abhay has contributed to pioneering work in the Vulnerability Management space, being the architect of a leading Vulnerability Management and Correlation Product, Orchestron, from we45. Abhay is also committed to Open-Source and has developed the first-ever Threat Modeling solution at the crossroads of Agile and DevSecOps, called ThreatPlaybook.

Abhay is a speaker and trainer at major industry events including DEF CON, BlackHat, OWASP AppSecUSA, EU and AppSecCali. His trainings have been sold-out events at conferences like AppSecUSA, EU, AppSecDay Melbourne, CodeBlue (Japan), BlackHat USA, SHACK and so on. He’s authored two international publications on Java Security and PCI Compliance as well.

ABSTRACT
Webhooks are an important part of modern web services and event-driven applications. They are defined as “user-defined HTTP callbacks”, and are triggered by some events, such as pushing code to a repo or adding a new customer entry in a CRM tool. Webhooks are ubiquitous and gaining in popularity owing to their asynchronous nature and the integration possibilities that they engender.

Webhooks are seen as “harmless”, owing to their “one-way” orientation. They are perceived as such, because they typically post some event information to a URL and they are done once they receive an HTTP response.

In this talk, I will demonstrate a series of attacks that we dub “Webhook Boomerang flaws”. These flaws allow attackers to leverage webhooks to create a boomerang effect that ends up attacking the originating web service itself. The techniques showcased in this talk will highlight a unique set of attack vectors that piggyback on nothing more than the standard HTTP and DNS protocols, which allow us to perform Server-side Request Forgery style attacks that can lead to cloud-metadata compromise even with security protections like Metadata Headers. In our research, we’ve discovered this across multiple cloud providers and found that these attacks can be used in more conventional SSRF compromises of internal web-services.

The talk starts with a detailing of webhooks and the typical webhook functionality that is provided by popular CI, CRM, Project Management, Payment Gateway and other applications. Subsequently, I'll be showcasing demos of multiple techniques that can be used in this attack approach, with special emphasis on evasive payloads as well.

Next, I will showcase the success of this attack against several popular bug-bounty targets to highlight the impact of these attacks at scale.

Finally, I will present multiple approaches to defending against these vulnerabilities and developer best practices that should be applied when defining webhook functionality.

Symbolic Execution Demystified

Jannis Kirschner
SPEAKER BIO

Jannis (@xorkiwi) is a Swiss Security Researcher and CTF player. With a passion for reverse engineering and exploit development, he loves to analyze cutting edge technology, finding flaws in highly secured systems and complex applications. Jannis regularly participates in national and international cybersecurity competitions and speaks at various conferences and events.
ABSTRACT
Symbolic Execution is awesome!
From modern fuzzing tools, through automated exploit generation, to solving complex reverse engineering challenges: frameworks like "angr" are getting increasingly popular.

There are a lot of crackme-style CTF challenges where the intended solution is to find a specific path through a binary while your input has to match various conditions.
Before symbolic execution techniques became popular you had to manually analyze these binaries, extract all the constraints by hand and use tools like the z3 theorem prover to solve the task. Depending on the binary size this would turn out to be a very tedious and time-consuming process.

What if there was a more effective way to tackle such a problem and supercharge your reverse engineering skills?

This introduction to symbolic execution is for everybody that might've already heard of the "angr" framework but never got to learn it. New CTF players will get a headstart into crackme solving, seasoned reverse engineers will discover a powerful technique for their toolbox.

You will learn where you can apply symbolic execution frameworks, how they work under the hood and how to integrate them into your reverse engineering workflow. Naturally the practical part won't fall short, so we'll apply the newly learned techniques on several demos.

Exploiting WebKit to break Authentication and Authorization

Sachin Thakuri & Prakash Sharma
SPEAKER BIO

Sachin Thakuri is an experienced security professional focusing on application and mobile security who has been in this field for 6+ years.
ABSTRACT
When it comes to modern web applications, browsers are the first line of defense. While built-in security features that come compiled with browsers are responsible for preventing a wide array of attacks, any seemingly trivial mistake in browsers' implementation of such security features can have devastating effects. In this session, we talk about a vulnerability in Safari and a security feature in browsers which, when abused, allowed us to leak certain cross-site information which alone made almost every application vulnerable, even giving us instant access to visitors' accounts.

We will explain how we were able to exploit hundreds of companies with billions of users and were able to harvest over $100k in bounties. Even corporations like Google, Facebook, Gitlab, Coinbase and others who are very cautious with security measures were all vulnerable. The exploit, on one hand, demonstrates how sometimes not adhering to a simple-looking specification can turn into a disaster and, on the other hand, how simply following the specification might not be enough.

We'll also talk about programs' responses to our reports and a general understanding of such vulnerabilities, fixes and bypasses we came up with. Finally, we'll conclude with how to address such vulnerabilities using yet another browser feature.

Cyberterrorism and the Energy Sector: A Framework to Improve Collaboration Between Lawmakers and Cybersecurity Experts

Chris Esquire
SPEAKER BIO

Chris Esquire is a lawyer in private practice, professor at 5 major universities, cyber security curriculum developer, and instructor for several private institutions' certification programs. Previously he served as a Sr. Security Analyst for the 2nd largest energy company in the United States, ensuring federal and state regulatory cyber compliance. He serves the American Bar Association as the Vice-Chair of the Privacy and Computer Crime committee, on his second term. He has previously served as Academic Relations/Research Committee Director for ISACA and vice chair for the American Bar Association’s young lawyers law practice division.
Chris has over 22 years of IT, communications and Cyber Security experience. He has several industry-recognized certifications, including the CISSP, CEH and CCSK. He holds several degrees, including a BSIS focused on IT and Accounting forensics, an MSISM focused on Project Management, and a Juris Doctor. He is finishing a dual PhD in Management Information Systems and Business Administration focused on Information Security, with his dissertations focused on the legal implications of security breaches on organizations and legal and ethical issues in security management.

He has presented as a speaker, and his award-winning research has been used as material for several conferences by the American Bar Association and universities. He is a chapter lead and section author for the International Guide to Cyber Security 2nd edition, to be published by the American Bar Association, for the topics of Enterprise Systems and Technology Issues, A/V & Malware Detection, IDS/IPS & Firewalls, Whitelisting, NERC, & OWASP.

ABSTRACT
Terrorism has begun to shift the battlefield from the traditional landscape of physical land to a boundaryless cyber environment. The legal community is not addressing the actions of terrorists that are targeting the energy critical infrastructure sector effectively. Because of the number of individuals that a single cyberattack can impact, there has been discussion that the international legal world should create international laws to address the problem. War crimes are already considered international crimes. There currently is a movement to have cyberterrorism classified under the scope of a war crime, or to broaden the definition of terroristic crime to include cyberterrorism. If there is not a sweeping movement across the world in regard to cyberterrorism, there is a considerable risk to both lives and the economy as a whole. The challenge presented would be furthering the scope to include the elements of cyberterrorism under an existing international crime. This discussion presents the research conducted and provides a proposal that countries can use to better combat cyberterrorism.

Attacking Bluetooth LE design and implementation in mobile + wearables ecosystems

Nitin Lakshmanan & Sunil Kumar
SPEAKER BIO

Nitin Lakshmanan is a Principal Security Analyst at Deep Armor. He is skilled in SDLC methodologies and security assessment of IoT platforms, web applications, mobile solutions and thick client applications. He has developed advanced tools for infrastructure security assessment of modern cloud platforms, with special focus on AWS. Prior to his job at Deep Armor, Nitin worked for Aricent Technologies and Aujas Networks. Nitin regularly speaks at security conferences and conducts trainings/workshops on IoT and Cloud topics, including at Black Hat USA, OWASP conferences, FIRST TC, etc.
Sunil is an industry expert in security research, product security assessment and risk management. He has worked extensively on threat modeling and penetration testing of Web applications, IoT products, Cloud infrastructure and mobile solutions. Sunil is skilled in JavaScript and Python scripting, and has developed numerous security tools and applications. He regularly speaks at local and international security conferences, including at FIRST Annual Conference, FIRST TC, ISC2 events, and so on. He currently works as a Principal Security Analyst at Deep Armor. Prior to that, Sunil worked as a security engineer for Ola Cabs and Aricent Technologies.
ABSTRACT
Consumer IoT devices manifest in a variety of forms today, including fitness trackers, rings, smart-watches, pacemakers, and so on. The wearable IoT market is dominated by small and medium-sized businesses, who are often in a rush to hit the shelves before their competitors, and trivialize the need for security in the bargain, citing no “return on investment”. **In our presentation, we deep-dive into the wireless protocol of choice for wearables — Bluetooth Low Energy (BLE), and its impact from a security perspective. We use a USB-based Bluetooth hacking hardware board called Ubertooth-One to analyze popular market products, and also perform a live demo on stealing information from a fitness tracker using standard Android app development practices. We wrap up with a discussion on simple cryptographic approaches and BLE-hardening mechanisms to prevent such attacks on wearable and IoT platforms.**

Forging golden hammer against Android app protections

Georges-Bastien Michel
SPEAKER BIO

Georges-B Michel is the founder of, and a security researcher at, Reversense. He has worked on many security topics including TEE/TA reversing, web application security, and secure coding. Since 2018, he has been developing Dexcalibur (CE & Pro), a mobile reverse engineering automation software.
ABSTRACT
Today most serious mobile applications rely on industrial-grade software protection tools to detect and slow down reverse engineering. This forces attackers to waste precious time bypassing obfuscation and RASP before deep-diving into app-specific logic. So, if each tool tries to detect non-app-specific threats such as hooking, rooted devices, emulators, debuggers, rogue certificates, and so on, we postulate that we can design a universal tool to bypass all of them. In our talk, we start by reversing protections from the most popular and certified Android app protection tools, and we follow by designing instrumentation to defeat all of them.

After this talk, the public repository will be populated with Ghidra and Frida scripts.

Practical exploitation of zigbee-class networks with USB-based RF transceivers & open source software

Nitin Lakshmanan & Sunil Kumar
SPEAKER BIO

Nitin Lakshmanan is a Principal Security Analyst at Deep Armor. He is skilled in SDLC methodologies and security assessment of IoT platforms, web applications, mobile solutions and thick client applications. He has developed advanced tools for infrastructure security assessment of modern cloud platforms, with special focus on AWS. Prior to his job at Deep Armor, Nitin worked for Aricent Technologies and Aujas Networks. Nitin regularly speaks at security conferences and conducts trainings/workshops on IoT and Cloud topics, including at Black Hat USA, OWASP conferences, FIRST TC, etc.
Sunil is an industry expert in security research, product security assessment and risk management. He has worked extensively on threat modeling and penetration testing of Web applications, IoT products, Cloud infrastructure and mobile solutions. Sunil is skilled in JavaScript and Python scripting, and has developed numerous security tools and applications. He regularly speaks at local and international security conferences, including at FIRST Annual Conference, FIRST TC, ISC2 events, and so on. He currently works as a Principal Security Analyst at Deep Armor. Prior to that, Sunil worked as a security engineer for Ola Cabs and Aricent Technologies.
ABSTRACT
Internet of Things (IoT) products proliferate in the market today. They manifest in different forms – right from a pacemaker inside a human body, to an oil and gas rig monitoring device in the remotest locations on the planet. The hardware form factors in many such IoT solutions use tiny micro-controllers with strict low power consumption requirements. Securing these platforms often poses several security challenges.

IEEE 802.15.4 is a standard developed for low-rate wireless personal area networks (LR-WPANs). The base specification of the standard does not specify how to secure the traffic between the IoT devices and the backend infrastructure, so there are often vulnerabilities in the design and implementation.

Penetration testing of zigbee-class wireless sensor networks needs specialized hardware and software stacks for packet sniffing and injection. **In this presentation, we will talk about various market-available solutions that pentesters can use for debugging and attacking such networks using USB-based dongles. We will demonstrate two custom hardware boards equipped with programmable micro-controllers that work with open source software solutions for performing attacks on an IEEE 802.15.4 based wireless sensor network. After our demos, we will discuss various hardening methodologies to protect IoT systems against such attacks.**

An Insider Threat: What is Social Engineering?

Crux Conception
SPEAKER BIO

Crux resides in Fort Wayne, Indiana, and has over 20 years of Law Enforcement (now retired), Criminal Profiling, and teaching experience (Adjunct Professor). Now an international speaker, speaking in over 34 countries, Crux has taken his years of experience, education, research, and training to incorporate novel methods of teaching/learning. Crux has utilized his psychology, Team Building, and Behavioral Profiling to implement said methods, to take out the law-enforcement aspect and make these skills practical for people/civilians.

Law Enforcement experience:

• Homicide Detective
• Criminal Profiler
• Gang Unit Specialist Detective
• Hostage Negotiator
• Crisis Intervention Team (CIT) Officer
• School Resources Officer (SRO)
• Five years as a Special Agent with the DEPARTMENT OF HOMELAND SECURITY (DHS)

Crux, now retired, worked as a Homicide Detective, Criminal Profiler, and Hostage Negotiator with the Fort Wayne (Indiana) Police Dept.

Teaching experience:
Currently, Crux is an Adjunct Professor:

• Psychology
• Business Psychology
• Social Media Psychology
• Criminal Profiling
• Criminal Behavior
• Computer Psychology
• Sociology (Group Dynamics)

Education:

• Bachelor of Science degree; Criminology (Ball State University, 1994).

• Master’s degree; Forensic Psychology (Walden University, 2012).

• Currently, a Ph.D. Candidate (Forensic Psychology), at Walden University.

ABSTRACT
This lecture will display individual methods to infiltrate social media accounts using fake accounts and collect data from unknowing account holders (using altered photos, which will appear original and pass a "Google photo search", disseminating false or misleading information, and more).

The presentation will engage the audience: We will focus on their psychological motivations to identify the emotional precursors. We will combine open discussions, media, and PowerPoints, to illustrate cultural adaptation, borderline personality disorder, psychological autopsy, precursors to Espionage, Spying, and Theft of Data.

The presentation will give participants innovative insights to conduct psychological field profiles/assessments and verify potential risk factors. This presentation will outline the mental aspects of Data Breaching and possible prevention of Data Loss.

In today's cyber-risk and cyber-security world, we sometimes forget about the individuals or suspects behind the breach, attack, or theft. We neglect these individuals until it is too late and the damage has been done.

Breaking SecureBoot with SMM

Itai Liba & Assaf Carlsbad
SPEAKER BIO

Itai Liba is a Sr. Security Researcher and a member of the Innovation team @SentinelOne. Itai has over 20 years of software experience, most of them in roles related to security, reverse engineering and vulnerability research. His interests include Computers, Electronics, Mechanics and much more.
ABSTRACT
Ever since its introduction, SMM was considered by many to be one of the most powerful execution modes of Intel CPUs. Unfortunately, practice has shown that more often than not, SMM code provided by most OEMs is poorly written and suffers from a myriad of security issues that can be exploited by attackers to elevate their privileges. In this talk we will dive into a vulnerability we’ve found in the Intel BIOS reference code and how we exploited it to gain SMM read, write and execute primitives. We will show how we combined these primitives to get a full dump of SMRAM and break UEFI’s SecureBoot mechanism, which allows us to load an unsigned bootloader. We will finish by discussing possible mitigation strategies.

The Rat-Race Detection Game

Myriam Leggieri
SPEAKER BIO

Myriam is a security engineer in the Detection & Response team in Google. She comes up with ways to alert on security threats as fast and as accurately as possible. When these alerts trigger, she digs into security investigations. Her passion is malware analysis and the impact of security on society. Her background includes software development, a PhD on sensor data mining and leading several awarded initiatives for encouraging women in tech.
ABSTRACT
In a medium-sized company, security threats are identified at a rate of at least 10 per month, while building methods to detect each can take a month or longer for a single engineer - an unsustainable ratio of threats-to-effort. Building detections can also require thousands of lines of code to be written, causing complexity and maintainability challenges. In this talk, we will demonstrate an ideal detection pipeline driven by templates and configuration-based rules which automatically creates threat detectors actionable by Security Operations. This approach drastically cuts down on complexity and maintainability as well as on detection building time. With early testing showing a significant increase in detection coverage, this pipeline could become an important improvement in industry state of the art.

Delegating Kerberos to bypass Kerberos delegation limitation

Shutdown (Charlie BROMBERG)
SPEAKER BIO

Shutdown (Charlie BROMBERG, [@_nwodtuhs](https://twitter.com/_nwodtuhs)) is a penetration testing team leader in the South of France at Capgemini Sogeti, and CTF team leader of the semi-professional team "Sogeti Aces of Spades". He specializes in Active Directory and red-teaming. Creator of [The Hacker Recipes](https://www.thehacker.recipes/), [Exegol](https://github.com/ShutdownRepo/Exegol), and many other open-source projects and tools ([pyWhisker](https://github.com/ShutdownRepo/pywhisker), [targetedKerberoast](https://github.com/ShutdownRepo/targetedKerberoast), [etc.](https://github.com/ShutdownRepo)).
ABSTRACT
Within Active Directory Domain Services, Kerberos delegation allows a service to access other services on behalf of other principals (e.g. domain users). Three main types of delegation exist: Unconstrained, Constrained and Resource-Based Constrained.

Kerberos Constrained Delegation (KCD) comes in two flavors: with, and without, protocol transition. KCD without protocol transition limits an attacker's lateral movement capabilities. Or does it?
Let's see how the limitation induced by "Kerberos Constrained Delegation without protocol transition" is actually bypassable with... **Kerberos delegation!**
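To make the three delegation types (and the two KCD flavors) concrete, here is an added enumeration helper that classifies accounts from the attributes the directory actually stores; it is example code, not code from the talk or from The Hacker Recipes. The attribute names and userAccountControl bits are the real AD ones; the account entries are constructed, and msDS-AllowedToActOnBehalfOfOtherIdentity, which in the directory is a security descriptor, is assumed to have been resolved to account names already.

```python
"""Classify Kerberos delegation settings from Active Directory attributes.

Added example illustrating the delegation types named above; not code from
the talk. Entries are constructed to look like LDAP search results.
"""

# userAccountControl flag bits (MS-ADTS).
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # KCD with protocol transition (S4U2Self usable)


def classify_delegation(entry: dict) -> list:
    """Return the delegation kinds configured on one account.

    msDS-AllowedToDelegateTo lists the SPNs this account may delegate TO
    (outgoing KCD). msDS-AllowedToActOnBehalfOfOtherIdentity names who may
    delegate to THIS account (RBCD); assumed pre-resolved to account names.
    """
    uac = entry.get("userAccountControl", 0)
    kinds = []
    if uac & TRUSTED_FOR_DELEGATION:
        kinds.append("unconstrained")
    if entry.get("msDS-AllowedToDelegateTo"):
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            kinds.append("constrained-with-protocol-transition")
        else:
            kinds.append("constrained-without-protocol-transition")
    if entry.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        kinds.append("rbcd-target")
    return kinds


def inventory(entries: list) -> dict:
    """sAMAccountName -> delegation kinds, for every entry."""
    return {e["sAMAccountName"]: classify_delegation(e) for e in entries}


def delegation_edges(entries: list) -> list:
    """(source account, target, kind) for every configured delegation path."""
    edges = []
    for e in entries:
        name = e["sAMAccountName"]
        kinds = classify_delegation(e)
        kcd_kind = "kcd+pt" if "constrained-with-protocol-transition" in kinds else "kcd"
        for spn in e.get("msDS-AllowedToDelegateTo", []):
            edges.append((name, spn, kcd_kind))
        for src in e.get("msDS-AllowedToActOnBehalfOfOtherIdentity", []):
            edges.append((src, name, "rbcd"))
    return edges


# Constructed entries: a DC (unconstrained), a service with and one without
# protocol transition, an RBCD target, and a plain user.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x2000 | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "svc_web", "userAccountControl": 0x10200 | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/fileserver.corp.local"]},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,
     "msDS-AllowedToDelegateTo": ["cifs/fileserver.corp.local"]},
    {"sAMAccountName": "FILESERVER$", "userAccountControl": 0x1000,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": ["svc_web"]},
    {"sAMAccountName": "alice", "userAccountControl": 0x10200},
]

if __name__ == "__main__":
    for name, kinds in inventory(SAMPLE_ENTRIES).items():
        print(f"{name:12s} {kinds}")
    for edge in delegation_edges(SAMPLE_ENTRIES):
        print(" -> ".join(edge[:2]), f"[{edge[2]}]")
```

svc_sql is the case the talk is about: with no TRUSTED_TO_AUTH_FOR_DELEGATION bit it cannot obtain forwardable tickets for arbitrary users on its own via S4U2Self, which is the limitation the abstract says can still be worked around.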

REW-sploit: dissect payloads with ease

Cesare Pizzi
SPEAKER BIO

Cesare Pizzi is a Security Researcher, Analyst, and Technology Enthusiast at Sorint.lab.
He develops software and hardware and tries to share it with the community. Mainly focused on low-level programming, he has developed a lot of open-source software, sometimes hardware-related (to interface with real-world devices), sometimes not.
He also does a lot of reverse engineering, so he feels confident in both "breaking" and "building" (maybe more on breaking?). He has presented at several conferences:
- DEFCON 25 HHV: Ardusploit: PoC of Arduino code injection
- BSides 2018 Milano: Ardusploit evolution
- Italian Hacker Camp 2018: 0-ITM portable malware analysis lab
- DEFCON 27 PHV: Sandbox creative usage
- BHUSA 2020 Arsenal - SYNwall: A Zero-Configuration (IoT) Firewall

Contributor to several open-source security projects (Volatility, OpenCanary, CETUS, etc.) and CTF player.

ABSTRACT
Need help analyzing Windows shellcode or an attack coming from the **Metasploit Framework** or **Cobalt Strike** (or maybe other malicious or obfuscated code)? Do you need to automate tasks with simple scripting? Do you want help decrypting **MSF**-generated traffic by extracting the keys from the payloads?

REW-sploit does some of the heavy lifting and provides you with an interface to analyze Windows-based code (EXE, DLL or shellcode), giving you some useful insights!

Practical bruteforce of military grade AES-1024

Sylvain Pelissier & Boi Sletterink
SPEAKER BIO

Cryptography expert in the research team at Kudelski Security. His favorite topics are cryptography, hardware attacks and vulnerability research in general. He has worked on the security of cryptographic algorithm implementations on different platforms as well as on critical code security audits. He likes playing and organizing CTFs.
IT Security, crypto and salsa nerd.
ABSTRACT
Sony, SanDisk, and Lexar provide encryption software for their USB keys, hard drives, and other storage products. The software ships preinstalled on new products and is used to keep data on the storage safe. This solution is developed by a third party called ENCSecurity. The security claims of this solution were very strong, *i.e.* "Ultimate encryption using 1024 bit AES keys Military grade". Our analysis of the DataVault software revealed three serious flaws impacting the security of the DataVault solution. This presentation is a look at the flaws we identified, along with our process for discovery and how the vulnerabilities were addressed.

Introduction to Open Source Investigations

Aiganysh Aidarbekova
SPEAKER BIO

Aiganysh Aidarbekova is a Bellingcat investigative researcher and trainer from Kyrgyzstan. She has investigated corrupt officials, built databases of citizens, monitored war crimes - all using open source materials from Instagram to Google maps to governmental websites. Aiganysh frequently conducts Russian and English language workshops into OSINT and verification throughout Central Asia, Caucasus, and Europe.
ABSTRACT
Every day an enormous amount of content is uploaded to the internet. Some of it, like Google Maps satellite imagery, an Instagram post, or a random website, can be the key to journalistic investigations, from identifying neo-Nazi criminals to tracking the use of chemical weapons to environmental research. In this session you will learn the basics of open source investigations, practical tools, methods and case studies from Bellingcat's experience.

Automatically extracting static anti-virus signatures

Vladimir Meier
SPEAKER BIO

Vladimir Meier is a security researcher working for SCRT since 2018. His interests include program analysis for (de)obfuscation, automated reverse-engineering and security software.

Since 2015, his main focus has been to leverage old and new techniques to get around antivirus, EDR and whatever they may be called in the coming years 😉 While graduating from the School of Engineering and Architecture of Fribourg in Switzerland, he authored three theses for SCRT on this subject, which culminated in the open-source tool https://github.com/scrt/avcleaner, a C/C++ source-code obfuscator for antivirus evasion.

ABSTRACT
Antivirus products are black boxes that run on a multitude of devices around the world. From mobile devices to enterprise servers, they are given the critical role of monitoring files and network traffic to detect and block malicious code. Our information systems offer an immense variety of ways for malware to spread and compromise machines. Furthermore, thousands of new malware samples appear each day. Faced with such a hostile environment, how do security software companies address this problem and detect threats in Office documents, executable files, scripts, e-mails, ...?

Well, we don't really know, because it is not documented. Though it is known that they are imperfect and by design vulnerable to the problem of false positives, they have done sufficiently well that people may blindly rely on their protection and be surprised when real-world malware slips through the net.

Beyond the false sense of security they might provide, they might also hide severe security issues from pentesters and security researchers during engagements by detecting their audit tools. It is widely accepted that security should be implemented as intertwined layers of protections and controls, and that there is no silver bullet.

In view of that, we open-source a tool that has been used for 4 years at SCRT in order to automatically extract signatures from static antivirus engines, with the following goals in mind:

  • to show customers what they can realistically expect from their security software by evidencing how they actually work.
  • to offer pentesters a way to conduct security assessments that are as exhaustive as possible when such software is in the way.

How we've built one of the most secure media companies in the world

Andreas Schneider
SPEAKER BIO

Andreas Schneider, born and raised in Munich, Germany, entered the field of IT Security at an early stage in 2000. Trained as a Mainframe System Programmer, he took responsibility for a regional bank institute’s entire mainframe landscape security. He then grew his specialization in the field of IT Security and IT Risk Management throughout various related roles like Consultant, Specialist and CISO, while transforming IT Security across different businesses and company sizes, including startup, regional and multinational within banking, IT and media. With more than 20 years of international specialist experience, he currently acts as the Group CISO at TX Group (formerly known as Tamedia AG), Switzerland’s largest private media company, progressing Cyber Security to become more agile, more user focused and embed security by design into digital products. He further holds several well-respected professional certifications, such as the C-CISO, CISM, CISSP, CRISC, and is also certified in ISO 27001 and ITIL V3. He lives with his wife and two sons in Zurich, Switzerland.
ABSTRACT
TX Group (with the media brands Tamedia and 20min) runs various modern security technologies: a Zero Trust architecture, passwordless authentication, a cloud-only environment with cloud-native security elements, scaling infrastructures, proven DDoS protection and public bug bounty programs. All driven by a lean/agile security team with lots of love for Boba Fett and tree planting.

Managing large-scale response

Mathias Fuchs
SPEAKER BIO

Mathias began his career teaching Linux administration and general IT security and quickly moved into penetration testing and red teaming. As his skills improved (and as breaking into customer systems got more repetitive and less demanding), Mathias sought new challenges that would expand his IT security acumen. So, he moved over to digital forensics and incident response, a field where the attacker unintentionally sets the pace and partly controls what an investigator needs to do, rather than that being dictated by the customer or the investigator. While in his day job he runs an incident response and intelligence practice, he also teaches and authors high-level incident response classes for SANS. Out of pure need, he authored the first version of the Aurora Incident Response tool, which has since found its way into many IR teams around the globe.
ABSTRACT
Large-scale incident response is not about scaling classical forensic approaches; it is an entirely different field. In his talk, Mathias will focus on the various pitfalls when handling major breaches in organizations with well above 100,000 endpoints. While there are many points to cover, the main focus of the talk will be on documentation and how it ties into managing resources, the victim and other stakeholders.

Good Incident Response Leads need to be able to brief a non-technical client as well as a new team member on the case at any given time, not just in pre-scheduled status calls. This requires a stable set of information at the IR Lead's fingertips. To consolidate all the information in one place, Mathias created and maintains the Aurora Incident Response tool, which strives to bring Incident Response documentation to the next level. Many years ago Mandiant coined the term SOD (Spreadsheet of Doom) for the general source of truth that stores all the key findings in an investigation. While the original SOD was an Excel template, Aurora is an SOD on steroids. It enables responders to work as a team and offers instant visualizations of lateral movement and a graphical timeline. It ties into MISP and VirusTotal for a streamlined intelligence workflow. That way responders never lose the overview or get lost in details, as they can always step back to get the helicopter view of the case.

Resource management is a key topic in large-scale incident response. If responders use a linear scaling approach they will fail. Good IR teams can usually handle large-scale response for over 100,000 hosts with only 3-4 FTEs. Mathias will introduce strategies for optimizing resource allocation and allowing personnel swaps easily. All of these strategies rely on a number of factors like technical team skills, tools and the IR lead's soft skills. Resource management is also strongly supported by Aurora-based documentation.

The target audience for the talk are security specialists who want to understand how to improve their IR readiness as well as everyone else who wants to hear some cyber war stories.

Stop this car || GTFO

Karim Sudki
SPEAKER BIO

Karim is a Security Expert at Kudelski IoT Labs performing security evaluation on embedded devices and related protocols. He is also interested in research topics around hardware attacks, such as fault injection and side channels. Among his past experience he has also performed numerous penetration tests and red/blue team operations.
ABSTRACT
Car trackers have been around for more than a decade to tackle the surge in vehicle thefts, especially in the USA. Their features have evolved from simple vehicle positioning to full access to the car internals: current speed, the ability to remotely query information and even to disable the engine ignition.
This talk aims to shed some light on the security level of one specific tracker, starting from the hardware aspects, through firmware reverse engineering, up to the analysis of the remote communication protocol. Needless to say, mistakes were made by the manufacturer along the way, with potentially harmful consequences.

Raising employee awareness : which training strategy to go for?

Eric Bärenzung
SPEAKER BIO

TBC
ABSTRACT
From data leaks following human error to ransomware activation, the human looks like the weakest link in the security landscape, but mostly because humans are the most targeted.
You need to build a proper security culture to make a powerful ally out of your employees in your fight against cyberattacks.
In this talk, we will address:
  • Why raising security awareness is key
  • How to ensure a successful training
  • What you should train your audience on (at least some suggestions)

Blacksmith: A Blackbox Fuzzer for Bypassing Rowhammer Mitigations on DDR4 DRAM Devices

Patrick Jattke & Stijn Gunter
SPEAKER BIO

Patrick Jattke has been a Ph.D. student in the Department of Information Technology and Electrical Engineering at ETH Zurich since 2020. He has broad interests in many different facets of hardware security, especially on DRAM security such as Rowhammer. Previously, he worked on advanced optimization strategies for making Fully Homomorphic Encryption accessible to non-experts.

Stijn Gunter is a final-semester Master's student in Computer Science at ETH Zürich. He is currently working on a thesis in hardware security and worked on Blacksmith as part of a semester project. Prior to his studies at ETH Zürich, he obtained Bachelor's degrees in Applied Mathematics and Computer Science and Engineering from the Eindhoven University of Technology.

ABSTRACT
The Rowhammer vulnerability was first discovered in 2014 and allows inducing bit flips in DRAM memory by quickly repeating memory accesses. There has been a plethora of work showing that Rowhammer attacks are practical, for example, in browsers using JavaScript, over the network, and across co-located VMs. This talk presents Blacksmith, our latest work on Rowhammer. Our discoveries led to a new class of Rowhammer access patterns that can bypass the undocumented, proprietary in-DRAM Target Row Refresh (TRR) mechanism that aims to protect current DDR4 devices against Rowhammer. Blacksmith, a scalable Rowhammer fuzzer that generates these new access patterns, can find bit flips on all of our 40 recently purchased DDR4 DIMMs. To show the exploitation power of these bit flips, we use them to revive the Flip Feng Shui attack. Flip Feng Shui leverages these new bit flips and memory deduplication, an OS feature used to reduce the memory footprint, to compromise co-hosted victim virtual machines in the cloud by corrupting the victim’s SSH public key with Rowhammer.
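The last sentence is the whole point of Flip Feng Shui, so here is an added miniature of it (example code, not part of Blacksmith or the original page): once a single bit of the victim's RSA modulus n has been flipped in the copy that authorized_keys now holds, the corrupted n' is generally no longer the product of two large primes, so the attacker can factor it, derive a matching private exponent, and sign as the victim under n'. Toy 16-bit primes keep the factoring step instant; the key constants, message and helper names are constructed for the example.

```python
"""Why one flipped bit in an RSA public key is enough: Flip Feng Shui in miniature.

Added illustration of the attack idea in the abstract, not code from
Blacksmith. Toy 16-bit primes keep trial-division factoring instant; with a
real key the mechanism is the same and only the factoring effort differs.
"""
from math import gcd


def factor(n: int) -> list:
    """Prime factors with multiplicity by trial division (toy sizes only)."""
    factors, d = [], 2
    while d * d <= n:
        while n % d == 0:
            factors.append(d)
            n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def private_exponent_for(n: int, e: int):
    """d with e*d == 1 (mod phi(n)) if n is squarefree and gcd(e, phi) == 1, else None.

    Squarefree n makes m**(e*d) == m (mod n) hold for every m, not only for
    m coprime to n, so the forged signature verifies for any message."""
    fs = factor(n)
    if len(set(fs)) != len(fs):
        return None
    phi = 1
    for p in fs:
        phi *= p - 1
    if gcd(e, phi) != 1:
        return None
    return pow(e, -1, phi)


def find_exploitable_flip(n: int, e: int):
    """Lowest bit whose flip turns n into a modulus the attacker can sign under.

    Returns (bit_index, corrupted_n, attacker_d) or None."""
    for i in range(n.bit_length()):
        n2 = n ^ (1 << i)
        if n2 < 3:
            continue
        d2 = private_exponent_for(n2, e)
        if d2 is not None:
            return i, n2, d2
    return None


def sign(m: int, d: int, n: int) -> int:
    return pow(m, d, n)


def verify(m: int, sig: int, e: int, n: int) -> bool:
    return pow(sig, e, n) == m


# Constructed victim key: two 16-bit primes and the usual public exponent.
P, Q, E = 65521, 65519, 65537
N = P * Q


def demo(message: int = 123456789) -> bool:
    """Corrupt one bit of N as Rowhammer would, then sign as the victim under N'."""
    bit, n2, d2 = find_exploitable_flip(N, E)
    forged = sign(message, d2, n2)
    # The victim's sshd now holds N', so this verifies; the genuine N rejects it.
    return verify(message, forged, E, n2) and not verify(message, forged, E, N)


if __name__ == "__main__":
    bit, n2, d2 = find_exploitable_flip(N, E)
    print(f"flip bit {bit}: N' = {n2} = {' * '.join(map(str, factor(n2)))}")
    print("forged signature accepted under N':", demo())
```

With a real 2048-bit key the attacker cannot try trial division; the search instead looks for a flip whose n' has only factors small enough for a real factoring effort, which is why the original Flip Feng Shui work needed a deterministic way to place the victim page, here supplied by memory deduplication.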

It’s Raining Shells - How to Find New Attack Primitives in Azure?

Andy Robbins
SPEAKER BIO

Andy's background is in red teaming, where he performed numerous red team operations and penetration tests against banks, credit unions, health-care providers, defense companies, and other Fortune 500 companies across the world. He has presented at BlackHat USA, DEF CON, BSides Las Vegas, DerbyCon and ekoparty, and actively researches Active Directory and Azure security. He is a co-creator of BloodHound and the Product Architect of BloodHound Enterprise.
ABSTRACT
What if you could go back in time, to the time before Kerberoast, Responder, or Mimikatz? What if you could protect or attack Active Directory in 2012 with the knowledge we now have in 2022? That time is now in the world of Microsoft Azure.

In this talk, I will explain the opportunity that exists for security researchers targeting Azure services. I will also explain, using my recent research into MS Graph, my own abuse research methodology - a methodology that anyone can use to find new abuse primitives in Azure.

Ransomware Encryption Internals: A Behavioral Characterization

Antonio Cocomazzi (SentinelOne)
SPEAKER BIO

Antonio Cocomazzi is a Threat Intelligence Researcher at SentinelOne with a particular interest in malware analysis and Windows internals. He also conducts independent research with a focus on discovering new vulnerabilities and, more generally, on digging into Windows operating systems. He enjoys reversing any kind of binary, from packed malware to Windows internal components. He likes playing online CTFs and writing/publishing offensive tools and security research on his GitHub channel, mostly based on Windows. He has previously presented at international conferences such as Black Hat, Hack In The Box and RomHack.
ABSTRACT
Ransomware is a particular class of malware which performs a series of operations on the target to inhibit and disrupt the normal functioning of the systems.
Ransomware is usually developed by financially motivated threat actors whose main goal is to earn money. This kind of malware is the means that allows them to convince victims into paying a ransom, offering to restore the functioning of their systems in exchange. These attackers have been very successful in their intent to extort money from their victims because the ploy to inhibit and then restore the functioning of the systems is well structured and effective.
In modern ransomware the main strategy for applying a reversible restriction to the target systems is data encryption. This involves a series of crypto algorithms that, combined together, realize a hybrid encryption scheme strong enough to ensure that only the ransomware developers can decrypt.
This research focuses on the main task that enables ransomware to carry out its malicious operations: the data encryption.
The scope of this research is not strictly the cryptographic implementation; it includes a technical deep dive on all the operations the ransomware needs in order to perform the data encryption: file enumeration, crypto schemes, parallelization and optimizations.
This talk will uncover the evolution of the data encryption features observed in these threats, provide a behavioral characterization, and present a series of behavioral detections based on overlapping implementations that can be adopted as effective countermeasures.
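As an added example of the kind of behavioral detection the abstract refers to (example code, not SentinelOne's detections), the block below looks at the one behavior every file-encrypting family shares regardless of its crypto scheme: a single process rewrites many files with high-entropy content and renames them to a new extension in a short window. The file-event format, the PIDs and paths, and the toy keystream cipher used only to produce realistic ciphertext for the sample events are all constructed.

```python
"""Behavioral detection of bulk file encryption from file-operation telemetry.

Added example of the kind of behavioral detection the abstract refers to; it
is not SentinelOne's code. The event format, the toy cipher that produces the
"encrypted" sample files and all PIDs/paths are constructed.
"""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text is roughly 4-5, encrypted or compressed data nears 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Constructed stand-in for the per-file symmetric step: SHA-256 in counter
    mode as keystream, XORed over the plaintext. Only here to produce ciphertext
    with realistic entropy; not a real ransomware scheme."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def _ext(path: str) -> str:
    return path.rsplit(".", 1)[-1] if "." in path else ""


def detect_mass_encryption(events, min_files=3, entropy_threshold=7.0, window=30.0):
    """Flag a process that writes high-entropy data to at least `min_files`
    files and renames each to a new extension within `window` seconds."""
    last_entropy = defaultdict(dict)  # pid -> path -> entropy of the last write
    suspicious = defaultdict(list)    # pid -> [(ts, path)] of qualifying renames
    alerted, alerts = set(), []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        pid = e["pid"]
        if e["op"] == "write":
            last_entropy[pid][e["path"]] = shannon_entropy(e["data"])
        elif e["op"] == "rename":
            old, new = e["path"], e["new_path"]
            if last_entropy[pid].get(old, 0.0) >= entropy_threshold and _ext(new) != _ext(old):
                suspicious[pid] = [(t, p) for t, p in suspicious[pid]
                                   if e["ts"] - t <= window] + [(e["ts"], old)]
        hits = suspicious[pid]
        if len(hits) >= min_files and pid not in alerted:
            alerted.add(pid)
            alerts.append({"pid": pid, "files": [p for _, p in hits]})
    return alerts


# Constructed sample telemetry.
_KEY = b"constructed-per-victim-key"
_DOC = b"Quarterly report: revenue up 4%, costs flat. " * 20  # low-entropy plaintext
SAMPLE_EVENTS = []
# pid 4242 overwrites three documents with ciphertext, then renames them .locked
for i, name in enumerate(("budget.xlsx", "notes.docx", "plan.pptx")):
    path = f"C:/Users/alice/{name}"
    SAMPLE_EVENTS += [
        {"ts": 1.0 + i, "pid": 4242, "op": "write", "path": path, "data": toy_encrypt(_KEY, _DOC)},
        {"ts": 1.5 + i, "pid": 4242, "op": "rename", "path": path, "new_path": path + ".locked"},
    ]
# pid 7 is a benign editor saving plaintext through a temp file
SAMPLE_EVENTS += [
    {"ts": 2.0, "pid": 7, "op": "write", "path": "C:/Users/alice/memo.tmp", "data": _DOC},
    {"ts": 2.1, "pid": 7, "op": "rename", "path": "C:/Users/alice/memo.tmp",
     "new_path": "C:/Users/alice/memo.docx"},
]

if __name__ == "__main__":
    print("plaintext entropy  ", round(shannon_entropy(_DOC), 2))
    print("ciphertext entropy ", round(shannon_entropy(toy_encrypt(_KEY, _DOC)), 2))
    for alert in detect_mass_encryption(SAMPLE_EVENTS):
        print("ALERT pid", alert["pid"], "encrypted", alert["files"])
```

The entropy check alone would also fire on a process writing archives or images; requiring the rename-to-new-extension pattern across several files in a short window is what makes this a behavioral signature of encryption rather than of high-entropy data.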

Noise and Signals – Digging through threat- and APT-stories

Marco Preuss (Kaspersky)
SPEAKER BIO

Marco Preuss has been working in the area of networking and IT security since the early 2000s. Having a long time experience in his role, he is responsible for monitoring the threat landscape in Europe while specializing in threat intelligence, darknet research, password security, IoT security and privacy. In addition to research-related projects, Preuss is a regular speaker at both closed and public events, and maintains close contact with security partners.
ABSTRACT
Join me in digging through different aspects of advanced and sophisticated threats and why it’s not simply “yet another APT”. Along this journey modern ThreatIntel will be addressed as well.

Securing Critical Infrastructures with Fortinet

Dino-Boris Dougoud
SPEAKER BIO

Boris has been working in the IT industry for the last 25 years. His early interest in computers, and of course video games, led him to work for DEC Digital, Compaq, HP and HPE. Today, Boris is a Consulting Systems Engineer who has been working for Fortinet since 2016. He currently focuses on securing Operational Technology and Critical Infrastructures. He is passionate about computer and network security in general. Aside from computers and silicon, Boris is sometimes chasing swells and riding waves around the world's oceans. If the latter isn't possible, he's always happy to jump on a snowboard.
ABSTRACT
Critical infrastructure protection (CIP) is the process of securing the infrastructure of organizations in critical industries. It ensures that the critical infrastructures of organizations in industries like agriculture, energy, food, and transportation are protected against cyber threats, natural disasters, and terrorist threats.

CIP typically involves securing supervisory control and data acquisition (SCADA) systems and networks, as well as industrial control systems (ICS) and operational technology (OT). Fortinet's CIP solutions cover both SCADA and OT environments.

The Nym network deep-dive

Simon Wicky
SPEAKER BIO

Simon is a research engineer at Nym. He holds a Master's degree in Computer Science from the Swiss Federal Institute of Technology Lausanne.
ABSTRACT
When talking about computer security, the privacy aspect is often overlooked. As the internet has become an inevitable part of our daily lives, privacy is harder to maintain. Daily, we hear stories about breaches of privacy rights, mass surveillance or illicit harvesting of personal data. In response, Nym Technologies, with the help of Exoscale, is developing a decentralized mixnet that provides enhanced privacy to online users. But how does it perform against well-known traffic analysis attacks, for example website fingerprinting? This talk provides a deep dive into the Nym mixnet and its privacy properties. We also present the first empirical analysis of the impact of website fingerprinting attacks on our mixnet.

Loose lips might sink Clouds

Jason Hill & Dvir Sason
SPEAKER BIO

Jason is a Security Researcher within the Varonis Research Team and has a penchant for all things threat intelligence. Equally happy analyzing nefarious files or investigating badness, Jason is driven by the desire to make the cyberworld a safer place.
Dvir manages the Varonis Research Team. He has ~10 years of Offensive & Defensive security experience, focusing on red teaming, IR, SecOps, governance, security research, threat intel, and cloud security. Certified CISSP and OSCP, Dvir loves to solve problems, coding automations (PowerShell ❤, Python), and breaking stuff.
ABSTRACT
The increasingly widespread adoption of cloud-services coupled with the need to rapidly share knowledge, be that with remote employees or customers, continues to provide opportunities for information to end up in the wrong hands.
Misconfigurations, countless instances of over-sharing and, in some cases inviting everyone and their dog to content, provide threat actors with a wealth of useful intelligence that can be later leveraged in targeted attacks against organizations.
In this session, Varonis Threat Labs discuss some of the common issues along with real-world examples to help defenders educate their organizations, and provide some open-source intelligence (OSINT) techniques for red teamers and bug bounty hunters to use in their future engagements.

Void Balaur: a cyber mercenary from the underground

Feike Hacquebord
SPEAKER BIO

Feike Hacquebord has more than 16 years experience in doing threat research as a Senior Threat Researcher. Since 2005, he has been a regular advisor of international law enforcement agencies and has assisted in several high-profile investigations. Hacquebord is the author of dozens of blog postings and papers on advanced cyberattacks. Prior to joining Trend Micro, he earned a Ph.D. in theoretical physics from the University of Amsterdam. Previously Hacquebord presented at international conferences like RSA, Blackhat EU and Virus Bulletin.
ABSTRACT
In this session we put a cyber mercenary into the spotlight. This cyber mercenary does not have a shiny office nor does it have a glossy brochure, but it advertises services in underground forums like Probiv. We will explain in detail how we attributed campaigns to this actor we track as "Void Balaur".

Void Balaur came to our attention in Spring 2020. We were contacted by a frequent target of Pawn Storm (APT28). His spouse received a dozen phishing emails and he wanted to know who the sender was. We soon related these phishing emails to Void Balaur, but we needed 6 more months of research to reach high confidence attribution. Using billions of passive DNS records and Trend Micro’s telemetry we found more targets, and related campaigns between 2016 and 2021. Some of these campaigns against Uzbek targets were reported on earlier by Amnesty International (2020) and eQualit.ie (2019), but without attribution. We found that similar campaigns with the exact same targets were still ongoing in 2020 and 2021.

We discuss the service offerings of Void Balaur. These include hacking into many kinds of e-mail accounts, including attacks that do not need any user interaction. Void Balaur also offers personal information like cell tower phone records, airline passenger data, passport details, interception of SMS and the blocking of phone numbers in CIS countries for sale. We will explain how having this information can facilitate serious crime.

In fall 2020 we found out that somebody was hiding behind the eleos.tk VPN network and using a customer system to access control panels of Void Balaur. These control panels appeared not to be protected by any authentication. From that moment on we could follow campaigns in real time and attribute old and new campaigns of Void Balaur with high confidence.

We uncovered about 3000 targets. These included oligarchs, CEOs, politicians, journalists, medical doctors, senior network engineers of ISPs and telco companies and human rights activists, some of whom had to flee their home country. We found a small but clear overlap with the targeting of Pawn Storm (APT28). This shows that attackers motivated by politics and corporate espionage have found their way to this cyber mercenary.

International regulations are not there to protect the targets of cyber mercenaries. Therefore, we will share ways in which journalists, human rights activists and other targets can better protect themselves against APT attackers and cyber mercenaries.

Elevate your security in the cloud with Telsys and AWS

Colin Szajkowski, Geoffray Schmitt
SPEAKER BIO

Colin Szajkowski, Head of Cloud Infrastructure at Telsys
Geoffray Schmitt, Manager Solutions Architecture at AWS

ABSTRACT
Come find out how AWS and Telsys are teaming up to guide and assist you on your digital transformation, safely and securely.
Telsys is leveraging decades of datacenter integration and management knowledge to provide you with best-of-breed business continuity solutions and migration services, built on the most secure public cloud services from AWS, which will soon be opening its region in Zurich, Switzerland.

Future Proofing your Security Operations Center

Amitabh Singh
SPEAKER BIO

Amitabh is Field CTO EMEA for Palo Alto Networks. He was CISO and CDO for Swisscard (the Credit Suisse and American Express JV) and has worked with companies like IBM, HSBC and GE. He has been managing and consulting on security and data privacy for Fortune 100 companies in Europe at C level. He is a guest lecturer at the University of St. Gallen and Hochschule Luzern. He is also the regional Ambassador for Switzerland of the Global Business Blockchain Council (a WEF and Richard Branson promoted think tank).
He is a speaker of repute and has been a keynote speaker at various conferences. He is a trusted advisor to boards and companies. He has a keen interest in security using blockchain and believes that blockchain is one of the most exciting technologies to support security, fraud prevention and managing real information across IT as well as OT.
He helped set up Girlscancode.ch- an organization to promote programming and STEM for Girls in Switzerland.
Amitabh is an Engineer from Indian Institute of Technology and an MBA from Faculty of Management Studies, New Delhi.

ABSTRACT
Reactive security is failing the traditional SOC. This talk covers:
  • The anatomy of an attack
  • The requirements for a next-generation SOC
  • Key best practices for creating an autonomous SOC
  • Key insights from a real-life case study and the SLAs to be measured