This talk will describe many issues that a red teamer may face during a Red Team exercise. Being stealthy is one of them; avoiding detection of your lateral movements, phishing campaign and post-exploitation is crucial to succeed. Over the years I've developed tools and different approaches that can be used during standard engagements and Red Team exercises to remain stealthy and move more efficiently through your victim's network.
During the presentation several techniques will be described and analyzed to understand the idea behind them.
Charles Hamilton
Stupid Purple Teamer Tricks
Stupid tricks for everyone! This talk will present very simple, low tech attacks to better achieve your goals, both attack and defense. From a defense standpoint, this talk will present simple tricks to identify Responder on your network, pinpoint BurpSuite activities, block some active crimeware and other simple tricks. Offensive tricks include a very simple NAC bypass, even more physical pentesting tricks and some very simple changes to social engineering that can help a lot.
Laurent Desaulniers
Quick Retooling with .NET Payloads
PowerShell gave us a super-highway of convenient building blocks for offensive toolkits and operational automation. In the post-offensive-PowerShell world, a move in the direction of .NET implants may be a desirable option in some cases.
However, Red Teams are faced with challenges when moving automation down into managed code. Can .NET based toolkits maintain flexibility, quick in-field retooling and operational security in the face of current detection mechanisms?
We think the answer is yes.
In this talk, we will focus on the quick in-field retooling and dynamic execution aspects of .NET implants as the crucial trait for overcoming static defensive mechanisms.
We will dive deeper into OpSec lessons learned from dynamic code compilation. We will attempt to move beyond the static nature of .NET assemblies into the reflective .NET DLR.
We will showcase on-the-fly access to native Windows API and discuss methods of hiding sensitive aspects of execution in the managed code memory.
All that, with the help of the DLRium Managed Execution toolkit we have in development.
Dimitry Snezhkov IBM
Ichthyology: Phishing as a Science
Many companies consider phishing inevitable: the best we can do is run training for our employees, and cross our fingers. But does phishing training actually work?
In this talk we'll cover the psychology of phishing, then walk through a series of real-world attacks conducted against a Bay Area tech company - including conversion rates for each attack, and ways in which existing protections were bypassed. We'll cover recent technological advancements in this area, then combine these with our case studies to provide evidence-based techniques on how to prevent, not just mitigate, credential phishing.
Karla Burnett Stripe
Logic against sneaky obfuscated malware
Malware is sneaky. Malicious code is written to stay hidden during infection and operation, preventing its removal and the analysis of the code. Most samples employ some sort of packing or obfuscation technique in order to thwart analysis. Similar techniques are also used to protect digital assets from intellectual property theft.
Analysis tools help gain new insights that can be used to secure software and hardware by identifying vulnerabilities and issues before they cause harm downstream. Tools and techniques beyond standard debuggers can enhance analysts' capabilities with better adaptability and automation.
This talk will give you a small taste of some practical applications of SMT solvers in IT security, investigating the theoretical limitations and practical solutions, focusing on their use as a tool for binary static analysis and code deobfuscation.
Thaís aka barbie Moreira Hamasaki
Binary analysis, meet the blockchain
Ethereum is a novel, decentralized computation platform that has quickly risen in popularity since it was introduced in 2014, and currently controls the equivalent of one hundred ten billion dollars. At its foundation is a virtual machine which executes “smart contracts”: programs that ultimately control the majority of the value transfer within the network. As with most other types of programs, correctness is very important for smart contracts. However, somewhat uniquely to Ethereum, incorrectness can have a direct financial cost, as evidenced by a variety of high-profile attacks involving the loss of hundreds of millions of dollars. The error-prone nature of developing smart contracts and the increasing amounts of capital processed by them motivate the development of analysis tools to assist in automated error and vulnerability discovery.
In this talk, we describe our work towards smart contract analysis tooling for Ethereum, which focuses on a modern technique called symbolic execution. We provide context around both Ethereum and symbolic execution, and then discuss the unique technical challenges involved with combining the two, touching on topics including blockchains, constraint solvers, and virtual machine internals. Lastly, we present Manticore: an open source symbolic execution tool which we have used to enhance smart contract security audits.
Mark Mossberg Trail of Bits
Invoke-DOSfuscation: Techniques FOR %F IN (-style) DO (S-level CMD Obfuscation)
Skilled attackers continually seek out new attack vectors and effective ways of obfuscating old techniques to evade detection. Active defenders can attest to attackers’ prolific obfuscation of JavaScript, VBScript and PowerShell payloads given the ample availability of obfuscation frameworks and their effectiveness at evading many of today’s defenses.
However, advanced defenders are increasingly detecting this obfuscation with help from the data science community. This approach paired with deeper visibility into memory-resident payloads via interfaces like Microsoft’s Antimalware Scan Interface (AMSI) is causing some Red Teamers to shift tradecraft to languages that offer defenders less visibility. But what are attackers using in the wild?
In the past year numerous APT and FIN (Financial) threat actors have increasingly introduced obfuscation techniques into their usage of native Windows binaries like wscript.exe, regsvr32.exe and cmd.exe. Some simple approaches entail randomly adding cmd.exe’s caret (^) escape character to command arguments. More interesting techniques like those employed by APT32, FIN7 and FIN8 involve quotes, parentheses and standard input.
The most interesting obfuscation technique observed in the wild was FIN7’s use of cmd.exe’s string replacement functionality identified in June 2017. This discovery single-handedly initiated my research into cmd.exe’s surprisingly effective but vastly unexplored obfuscation capabilities.
In this presentation I will dive deep into cmd.exe’s multi-faceted obfuscation opportunities, beginning with carets, quotes and stdin argument hiding. Next I will extrapolate more complex techniques including FIN7’s string removal/replacement concept and two never-before-seen obfuscation and full encoding techniques – all performed entirely in memory by cmd.exe. Finally, I will outline three approaches for obfuscating binary names from static and dynamic analysis while highlighting lesser-known cmd.exe replacement binaries.
I will conclude this talk by performing a live demo of my new cmd.exe obfuscation framework called Invoke-DOSfuscation that obfuscates payloads using these multi-layered techniques. I will also share detection implications and approaches for this genre of obfuscation.
Daniel (DBO) Bohannon FireEye
Non-Crypto Constant-Time Coding
Cache attacks are a class of side-channel attacks that have been used since 2005 to break implementations of cryptographic algorithms. However, they do not impact only cryptography; if a given context makes cache attacks applicable, then everything that handles confidential data is potentially vulnerable. The SGX technology offers such a context where all the code in an enclave, not only its encryption code, shall be made robust to such attacks. In this talk, we present a summary of cache attacks, SGX, and a toolkit of C functions designed to help with writing generic, non-crypto, constant-time code.
Thomas Pornin NCC Group
Smart contract vulnerabilities: The most interesting transactions on the Ethereum blockchain
Smart contract security is a brave, new, and sometimes terrible field. This presentation will take you through some of the most famous vulnerabilities of these first few years (from the DAO hack, to the Parity wallet vulnerabilities ... and including less-well-known but very interesting events like the DDoS attacks from late 2016). We'll explain the details of how these attacks work(ed), some of the idiosyncrasies of Ethereum, and through these examples some general principles of smart contract security.
Sarah Friend
Jon Maurelian ConsenSys Diligence
Not the Droid You're Looking For: Evading Vulnerability Exploitation Through Secure Android Development
The first commercially-available Android device was released in 2008. Despite its nearly 10-year public lifespan, the OS still poses numerous security challenges. Now, as mobile becomes an increasingly popular platform for consumers, we're faced with the challenge of protecting these consumers from new, quickly evolving threats. We’ll discuss why Android security is so much more challenging for software developers compared to iOS and the web, look at the most common attack vectors for the operating system, and walk through best practices for guarding against them.
Kristina Balaam Shopify
Cell Site Simulators From the Ground Up
IMSI-catchers, also known as cell-site simulators, are devices that let their operators track cell users, interfere with their calls/texts, and mount other privacy-invasive attacks. While research around IMSI-catchers has been gaining traction over the years, there hasn’t been much effort into making the more technical results accessible outside of academia and niche hardware hacking circles. The goal of this talk is to remedy that.
This talk will be a deep technical dive into how cell networks interact with user equipment, the details of how IMSI-catchers exploit their design flaws, what goes into building an IMSI-catcher (hypothetically, of course!), the relationship Canadian & American law enforcement have with these devices, and steps one can take to protect themselves.
Yomna Nasser
Exploits in Wetware
Robert discusses his third-place finish at the DEF CON 2017 SE CTF and how his efforts clearly show how easy it is to get sensitive information from any organization. The 2017 Verizon report clearly shows the dramatic growth rate of social engineering attacks, and Robert demonstrates how he collected hundreds of data points from the target organization using OSINT techniques. He then goes into the vishing strategy he implemented to maximize the points he collected in the 20-minute live contest. Without much effort Robert was able to learn their VPN, OS, patch level, executives' personal cell phone numbers and places of residence.
Robert lifts the curtain of the social engineering world by showing tricks of the trade such as the “incorrect confirmation”, which is one of many methods to loosen the tongues of his marks. Robert then shows the pretexts he designed to attack companies and the emotional response each pretext is designed to trigger. By knowing these patterns we can better educate our staff.
With that much information at his fingertips, how long would it take him to convince your executive to make a bank transfer? If your organization lost a few million dollars due to social engineering, who would be to blame? Are you insured for that? Who is getting fired?
Robert wraps up his talk with a series of strategies companies can take to reduce exposure and risk. He goes over current exposure, building defenses, getting on the offense and finally… a culture shift.
Robert Sell (Creep)
Data Breaches: Barbarians in the Throne Room
Defenders often worry about intangible security problems. Instead, defenders need to concentrate their efforts on the fundamentals. Too often, issues such as missing patches or system configuration failures lead to system compromise. These, along with issues such as SQL injection, are preventable problems. Defenders can best protect their digital assets by first understanding the sheer impact a data breach can have on an enterprise.
In this talk I review my findings after analyzing hundreds of data breach disclosures as it pertains to what went wrong.
Dave "gattaca" Lewis Akamai Technologies
Surprise Supplies!
Supply chain attacks have long been discussed, yet they are often overlooked when a business assesses how well it is prepared for an associated compromise or breach.
2017 truly marked itself as 'The Year of the Supply Chain Attack' and a turning point for such attacks.
Talos was involved in two major campaigns: the MeDoc compromise that paralyzed Ukraine and the CCleaner compromise that impacted a reported 2.27M consumers.
In this presentation we will first present these two cases. For both, we will show how the attackers modified a legitimate application and what the result of the modification was. We will explain the attackers' goals and the malware used against the victims.
For the MeDoc compromise, we were directly involved in the incident response, and we will provide a timeline of the events to give an idea of the before, during and after picture associated with Nyetya and MeDoc.
Concerning the CCleaner compromise, we will provide some data and statistics from the attacker's database and the profiles of the targeted organizations. In a second part, we will speak more globally about supply chain attacks. We will recall that this is not the first time in history that this kind of attack has occurred, and we will finally open the discussion on the future of these attacks.
Paul Rascagnères Talos
Warren Mercer Talos
Prototype pollution attacks in NodeJS applications
Prototype pollution is a term that was coined many years ago in the JavaScript community to designate libraries that added extension methods to the prototype of base objects like "Object", "String" or "Function". This was very rapidly considered a bad practice as it introduced unexpected behavior in applications. In this presentation, we will analyze the problem of prototype pollution from a different angle. What if an attacker could pollute the prototype of the base object with his own value? What APIs allow such pollution? What can be done with it?
Olivier Arteau
What are containers exactly and can they be trusted?
Everyone's talking about containers these days.
But how many actually know what they are?
Do you know there are two big families of containers and that even within those, there are countless different runtimes to set them up and manage them?
Is a VM safer than a container? What about those containers that are using VM technology for containers?
Those are all questions anyone who's dealing with containers in production should know answers to. You should be able to decide whether to use containers at all and if so, what kind of container is the best fit for your particular task.
During this presentation, we'll be going over 15 years of container technologies on Linux (10 years in mainline Linux), how the security features they're built on top of have evolved and what the current state of things is. We'll be comparing application containers to system containers, actual containers to lightweight virtualization, and briefly cover some of the higher-level management tools that come with them and what to keep in mind when trying to keep all of that safe.
Stéphane Graber Canonical
Only an Electron away from code execution
Over the decades, various security techniques to mitigate desktop-specific vulnerabilities have been developed, which makes it difficult to successfully exploit traditional desktop applications. With the rise of the Electron framework, it became possible to develop multi-platform desktop applications using commonly known web technologies. Developed by the GitHub team, Electron has already become amazingly popular (used by Skype, Slack, Wire, WordPress and so many other big names), bringing adventurous web app developers to explore the desktop environment. These same developers who make XSS the most common web vulnerability are now bringing the same mistakes to a whole new environment.
While XSS in web applications is bounded by the browser, the same does not apply to Electron applications. Making the same kind of mistakes in an Electron application widens the attack surface of desktop applications, where XSS can end up being so much more dangerous.
So in this talk, I will discuss the Electron framework and its related security issues, its wonderful “features” that got me a bunch of CVEs, possible attack vectors, and the developers who are in the dark about these issues.
AND as Electron apps do not like to play in the sandbox, this talk will DEMO Electron applications found to be vulnerable, gaining code execution from XSS.
Silvia Väli Clarified Security OÜ
The Blackbear project
In typical enterprise networks today, ingress filtering is taken care of by firewalls or similar devices. Unfortunately, the ability of devices and applications to reach the outside world is often overlooked or intentionally left open, as web services might need to be reachable.
We will present a fork of an OpenSSH daemon, that is able to exploit the often loose egress filtering and maneuver around network restrictions.
Designed for more comfortable post-exploitation, it also extends regular forwarding and tunneling abilities in order to circumvent network rules that may otherwise hinder lateral movement.
In addition, it can also act as a regular SSH server listening for an incoming connection, and provides reliable interactive shell access (able to run top, sudo, screen, vi, etc.) as opposed to crafted reverse shells or even Meterpreter, which allow basic commands but fail at interactive ones.
Marc-André Labonté
From Hacking Team to Hacked Team to…?
Hacking Team came into the spotlight of the security industry following its damaging data breach in July 2015. The leaked data revealed several 0-day exploits being used and sold to governments, and confirmed Hacking Team’s suspected business with oppressive regimes. But what happened to Hacking Team after one of the most famous hacks of recent years?
Hacking Team’s flagship product, the Remote Control System (RCS), was detected in the wild in the beginning of 2018 in fourteen countries, including those contributing to previous criticism of the company’s practices. We will present the evidence that convinced us that the new post-hack Hacking Team samples can be traced back to a single group – not just any group – but Hacking Team’s developers themselves.
Furthermore, we intend to share previously undisclosed insights into Hacking Team’s post-leak operations, including the targeting of diplomats in Africa, uncover digital certificates used to sign the malware, and share details of the distribution vectors used to target the victims. We will compare the functionality of the post-leak samples to that in the leaked source code. To help other security researchers we’ll provide tips on how to efficiently extract details from these newer VMProtect-packed RCS samples. Finally, we will show how Hacking Team sets up companies and purchases certificates for them.
Filip Kafka ESET
Video game hacks, cheats, and glitches
Ron built his security career in a unique way: writing cheats for video games. In high school, while others were having fun, he was trying to find new and creative ways to confuse StarCraft.
In this presentation, he will look at some of the major hacks, cheats, and glitches in video games, from famous ones (like arbitrary code execution in Super Mario World) to obscure ones (like stacking buildings in StarCraft).
But more importantly, he will tie these into modern vulnerabilities: the Legend of Zelda "bottle glitch" is a type-confusion vulnerability, for example: similar vulnerabilities in normal software could lead to remote code execution.
This talk will bridge video game cheating with real-world security vulnerabilities, and explore the history of both!
Ron Bowes
Tightening the Net in Iran
How do Iranians experience the Internet? Various hurdles and risks exist for Iranians, as well as for outside actors like American technology companies. This talk will assess the state of the Internet in Iran, discuss things like the threats of hacking from the Iranian cyber army; how the government is arresting Iranians for their online activities; the most recent policies and laws for censorship, surveillance and encryption; and the policies and relationships of foreign technology companies like Apple, Twitter and Telegram with Iran, and the ways they are affecting the everyday lives of Iranians. This talk will effectively map out how the Internet continues to be a tight and controlled space in Iran, and what efforts are being done and can be done to make the Iranian Internet a more accessible and secure space.
Mahsa Alimardani Article 19
Brain Implants & Mind Reading
At a certain level of technological sophistication you gain the ability to grant others read, write, and execute permissions to your brain. That ability creates a unique set of security concerns. In this talk we will discuss the current state of both brain scanning and brain stimulation technology, the practical implications of merging brains with artificial intelligence, and the role infosec can play in shaping the dystopic cyberpunk future that we’re currently careening towards.
Melanie Segado
One Step Before Game Hackers -- Instrumenting Android Emulators
Commercial Android emulators such as NOX, BlueStacks and Leidian are very popular at the moment, and most games run on these emulators quickly and reliably. The bad news for game vendors is that these emulators usually ship with root permission in the first place. On the other hand, cheating tool developers are happy because they can easily distribute their tools to abusers without requiring the abusers to have a physical rooted device, nor do they need to perform minor tuning for different Android OS / firmware versions. However, luckily for game vendors, commercial Android emulators usually use x86/ARM mixed-mode emulation for speed. As a result, a standard native hooking/DBI framework won't work on this kind of platform. This drawback could discourage cheat developers.
In this talk, I will introduce a native hooking framework for this kind of mixed-mode emulator. The talk will cover the process start routine of both command-line applications and Android JNI applications, as well as how these routines differ on an emulator. The different emulation strategies adopted by different emulators and runtime environments (Dalvik/ART) will also be discussed. Based on this knowledge, I will explain why the existing hooking/DBI frameworks do not work on these emulators and how to make one that works.
Lastly, I will present a demo of using this hooking framework to cheat a game on an emulator. With this demo, I will discuss how the dark market of mobile game cheating may develop in the foreseeable future.
Wan Mengyuan (Nevermoe) DeNA Co., Ltd.
Homeward Bound: Scanning Private IP Space with DNS Rebinding
DNS Rebinding attacks have re-entered the spotlight, largely owing to recent high-profile disclosures by Tavis Ormandy including RCE in the Blizzard Update Agent triggered from the browser. However, given the vast amount of consumer software in circulation today and the apparent frequency with which the design (anti)pattern of treating localhost as secure occurs, it is likely that many vulnerable services still exist. In this talk, we will present a set of tools we created to make performing DNS Rebinding attacks fast and easy at scale, discuss how these tools can be used to perform network reconnaissance from inside a browser, and present an opt-in “localhost census” page that uses DNS rebinding to enumerate localhost services listening for HTTP on the visitor’s computer, and adds the results to a database.
Danny Cooper Akamai
Allan Wirth Akamai
Getting ahead of the elliptic curve
Elliptic curves are relatively obscure mathematical objects: you can get a PhD in maths without ever having come across them. Yet these objects play an important role in modern cryptography and as such are found in most HTTPS connections, in Bitcoin, and in a large number of other places.
To really understand elliptic curve cryptography (ECC) to the point that you can implement algorithms, you'd have to study the maths behind it. This talk assumes that you haven't studied the maths, but just want to understand what ECC is about, how it works and how it is implemented.
It will discuss how 'point addition' works and how the Elliptic Curve Diffie-Hellman algorithm is used, for example in HTTPS - and how you can find it using Wireshark. It will explain how to use elliptic curves for digital signatures and why you don't want to be like Sony when it comes to implementing them. It will discuss how ECC was used in an infamous random number generator and, finally, will take a brief look at the use of elliptic curves in post-quantum algorithms.
The goal of this talk is to keep things simple and understandable and no knowledge of maths is assumed. The talk won't make you an expert on ECC -- that would take years of studying. But it might help you understand the context a bit better when you come across them in your research. And hopefully it will also be a little bit fun.
Martijn Grooten
Source code vulnerability research and browser exploitation
Every day, most people who use a computer will either run applications on untrusted networks (like public wifi) or run applications that execute untrusted scripts on their machine. Whether it is a browser running JavaScript, a cryptocurrency’s smart contracts or even a script from a map or game mod, scripting engines like these tend to have a large attack surface for vulnerabilities, and they are usually quite exploitable, especially when the bugs are use-after-free bugs. However, finding these bugs in large open source projects can be a bit intimidating.
In this talk I will present various tools that I used for finding vulnerabilities in open source software. I will try to demonstrate the various bug patterns and how I look for them using examples in everyday software. I will explain how to go from a bug to a vulnerable bug.
Finally, I will explain what a use-after-free (UAF) is and the bug patterns to look for. UAF bugs can be quite tricky to find and quite complicated to exploit, but they can be quite dangerous if an attacker understands them well. To demonstrate how powerful a UAF in a scripting engine can be, I will walk the audience through a UAF bug in a modern browser and some of the techniques used to exploit it.
Jean-Marc Leblanc EWA-Canada
Python and Machine Learning: How to use algorithms to create YARA rules with a malware zoo for hunting
Machine learning can be useful for helping analysts and reverse engineers. This presentation will explain how to transform data in order to use machine-learning algorithms to categorize a malware zoo. To cluster a set of (numerical) objects is to group them into meaningful categories. We want objects in the same group to be closer (or more similar) to each other than to those in other groups. Such groups of similar objects are called clusters. When data is labeled, this problem is called supervised clustering. It is a difficult problem, but easier than the unsupervised clustering problem we have when data is not labeled. All our experiments have been done with code written in Python, and we have mainly used scikit-learn. With the Zoo dataset, we present how to use unsupervised algorithms on labeled datasets to validate the model. When the model is finalized, the resulting clusters can be used to automatically generate YARA rules in order to hunt down the malware.
Sebastien Larinier
Keynote: How to Think (About Complex Adversarial Systems)
It's possible to approach security as a series of one-off technical problems to solve in series (from either the attacker or defender perspective). While this can often help you find and fix specific bugs, it's not particularly useful for either securing or attacking an organization at scale, and tends to fail badly when you attempt to interact with humans. Everyone who works in security finds patterns in their work, and scaling up and orchestrating interactions with those patterns is a large part of how we make progress.
We rarely talk about the larger structures of these patterns, though, and, being of a practical bent, often try to turn back to practice too quickly -- hence much of e.g. the lackluster discourse around threat modeling. In this talk, I'll look into some of the things I've noticed about how to think that may be useful for security practitioners of all stripes.
Eleanor Saitta, Independent Security Architecture and Strategy Consultant
Eleanor Saitta is an independent security architecture and strategy consultant with media, finance, healthcare, infrastructure, and software clients across the US and Europe. She was previously the security architect for Etsy.com, and has worked for a number of commercial consultancies (Bishop Fox, IOActive, and others) over the past fifteen years. Her work has encompassed everything from core security engineering and architecture work for Fortune 50 software firms to cross-domain security for news organizations and NGOs targeted by nation states. Her focus is on the ways task and experience design, system architecture, development process change, and operational changes can shift the balance of power between adversaries to bring better outcomes to users.
Saitta is a co-founder and developer for Trike, an open source threat modeling methodology and tool which partially automates the art of security analysis, and has contributed to the Briar and Mailpile secure messaging projects. She's on the advisory boards of the Freedom of the Press Foundation, the International Modern Media Institute, and the Calyx Institute, all organizations that look at freedom in the media and security online. Saitta is a regular speaker at industry conferences; past venues include O'Reilly Velocity, KiwiCon, ToorCon, CCC, Hack in The Box, and HOPE, among others. You can find her on Twitter as @dymaxion, and at https://dymaxion.org
Talk: Tightening the Net in Iran
Mahsa Alimardani, Article 19
Mahsa Alimardani has been doing research and work on the politics of Iran’s Internet for the past six years. She leads some of Article 19's Iran digital rights projects while doing her DPhil at the Oxford Internet Institute at the University of Oxford, researching communications technologies and how they affect political participation in Iran's information control space. She has also been Iran editor for the citizen media platform Global Voices for the past five years.
Talk: Prototype pollution attacks in NodeJS applications
Prototype pollution is a term that was coined many years ago in the JavaScript community to designate libraries that added extension methods to the prototype of base objects like "Object", "String" or "Function". This was very rapidly considered a bad practice as it introduced unexpected behavior in applications. In this presentation, we will analyze the problem of prototype pollution from a different angle. What if an attacker could pollute the prototype of the base object with his own value? What APIs allow such pollution? What can be done with it?
Olivier Arteau Security Researcher
Olivier Arteau is a security researcher who works for a large financial institution. In his early days, he was a web developer and transitioned into the security field during his university studies. Over the last few years he has given a good number of workshops for the user group MontréHack and is also part of the organization of a few CTFs (Mini-CTF OWASP and NorthSec).
Talk: Not the Droid You're Looking For: Evading Vulnerability Exploitation Through Secure Android Development
The first commercially-available Android device was released in 2008. Despite its nearly 10-year public lifespan, the OS still poses numerous security challenges. Now, as mobile becomes an increasingly popular platform for consumers, we're faced with the challenge of protecting these consumers from new, quickly evolving threats. We’ll discuss why Android security is so much more challenging for software developers compared to iOS and the web, look at the most common attack vectors for the operating system, and walk through best practices for guarding against them.
Kristina is an Application Security Engineer with Shopify. She builds web and mobile security tools and helps discover vulnerabilities in the existing platform. Prior to Shopify, Kristina led a team of developers, building web and mobile applications for enterprise and start-up clients. Kristina graduated with a Bachelor of Computer Science from McGill University in 2012. She volunteers with DEFCON Toronto, founded the Women in Tech Toronto book club, and is a novice boxer, book hoarder, and purveyor of fine cat gifs.
Workshop: Hacking APIs and the MEAN Stack with OWASP DevSlop
Modern applications often use APIs and other microservices to deliver faster and better products and services. However, there are currently few training grounds for security testing in such areas. In comes DevSlop, OWASP's newest project, a collection of DevOps security disasters made as a vulnerable testing and proving ground for developers and security testers alike. DevSlop's Pixi, the first of many entries to come for this OWASP project, will be demonstrated and presented for participants' hacking and learning pleasure. Pixi consists of vulnerable web services, and participants will be walked through how to exploit several of its vulnerabilities so they can learn how to do better when they create their own web services and other types of APIs from now on.
What will be discussed?
MEAN Stack, API and Web Service Hacking & OWASP Project DevSlop
What will attendees learn from attending this session?
How to hack APIs and web services manually
Items attendees are required to bring with them
A laptop with a web proxy and modern web browser (Chrome or Firefox are great). Admin privileges on your machine, and the ability to install software. If possible, install VirtualBox or VMWare, Docker, GitHub and Postman on your machine in advance. If you don’t have them, we will get them for you, don’t worry. Windows and Mac OS are supported for this workshop; if you have Linux you’ll probably be fine, but we make no guarantees.
Nicole Becher specializes in application security, red teaming, penetration testing, malware analysis and computer forensics. OWASP Brooklyn Chapter Leader, OWASP DevSlop Project Leader, Adjunct Instructor at NYU, political junkie, marathoner, martial artist and animal lover. OWASP WASPY 2017 winner!
Workshop: Botnet Tracking and Data Analysis Using Open-Source Tools
Fully understanding a botnet often requires a researcher to go beyond standard reverse-engineering practices and explore the malware’s network traffic. The latter can provide meaningful information on the evolution of a malware’s activity. However, it is often disregarded in malware research due to time constraints and publication pressures.
The workshop is about overcoming such constraints by providing a powerful workflow to conduct quick analysis of malicious traffic. The data science approach presented capitalizes on open-source tools (Wireshark/Tshark, Bash with GNU parallel) and valuable Python libraries (IPython, mitmproxy, pandas, matplotlib). During the workshop, participants will do practical technical labs with datasets from our recent botnet investigation. They will learn how to quickly find patterns, plot graphs and interpret data in a meaningful way. Although the exercises will focus on botnet data, the tools and skills learned will be useful in all sorts of contexts. Moreover, to ensure that participants get the most out of the workshop, it will be built in a way that allows them to easily replicate the data-analysis environment at home and reproduce similar analysis with their own traffic data.
Workshop Outline
The workshop will be divided into three sections. The first section will present the contextual information needed for participants to start the practical technical labs afterwards. The second section will focus on analyzing the botnet’s C&C traffic in Pcaps. The third section will emphasize graphs and the use of the mitmproxy library to analyze decrypted traffic.
Introduction
Lab 1 – Extract SOCKS Traffic with Wireshark
Lab 2 – Extract SOCKS Traffic with Tshark
Introduction to Jupyter Notebook and its shell integration (xargs, parallel)
Lab 3 – Search in mitmproxy logs
Lab 4 – Manipulate Dataframes with Pandas
Lab 5 – Graph the Data using Plotly
Tools
Due to the short time allotted, we ask participants to download and install Wireshark locally on their computer (https://www.wireshark.org/download.html) during the introduction. For the other tools (tshark, bash, GNU parallel, the anaconda package, mitmproxy, pandas, numpy, plotly), we will provide a hosted environment in which the tools will be installed and the scripts, the data and the exercises will be available.
Workshop: Capture-The-Flag 101
The objective of this workshop is to dive into Capture-The-Flag (CTF) competitions. First, by introducing them. Then by helping both individuals and teams prepare but also evolve in their practice of applied cybersecurity.
We will have various levels (easy, medium, hard) of CTF challenges in several categories (binaries, exploitation, Web, forensics) and we will give hints and solutions during the workshop.
This is meant to be for CTF first timers. Seasoned players should play NorthSec’s official CTF instead.
Requirements
a laptop
a programming language of choice (it's usually Python)
wireshark
a web assessment security tool (Burp, ZAP, Watobo, mitmproxy)
Olivier Bilodeau Lead of Cybersecurity Research Team, GoSecure
Olivier Bilodeau is leading the Cybersecurity Research team at GoSecure. With more than 10 years of infosec experience, Olivier managed large networks and server farms, wrote open source network access control software and recently worked as a Malware Researcher. A passionate communicator, Olivier has spoken at several conferences like Defcon, Botconf, SecTor, Derbycon and many more. Invested in his community, he co-organizes MontréHack, a monthly workshop focused on applied information security through capture-the-flag challenges, is in charge of NorthSec’s training sessions and hosts NorthSec’s Hacker Jeopardy. His primary research interests include reverse-engineering tools, Linux and/or embedded malware and honeypots. To relax, he likes to participate in information security capture-the-flag competitions, work on various open-source projects and brew his own beer.
Talk: Invoke-DOSfuscation: Techniques FOR %F IN (-style) DO (S-level CMD Obfuscation)
Skilled attackers continually seek out new attack vectors and effective ways of obfuscating old techniques to evade detection. Active defenders can attest to attackers’ prolific obfuscation of JavaScript, VBScript and PowerShell payloads given the ample availability of obfuscation frameworks and their effectiveness at evading many of today’s defenses.
However, advanced defenders are increasingly detecting this obfuscation with help from the data science community. This approach paired with deeper visibility into memory-resident payloads via interfaces like Microsoft’s Antimalware Scan Interface (AMSI) is causing some Red Teamers to shift tradecraft to languages that offer defenders less visibility. But what are attackers using in the wild?
In the past year numerous APT and FIN (Financial) threat actors have increasingly introduced obfuscation techniques into their usage of native Windows binaries like wscript.exe, regsvr32.exe and cmd.exe. Some simple approaches entail randomly adding cmd.exe’s caret (^) escape character to command arguments. More interesting techniques like those employed by APT32, FIN7 and FIN8 involve quotes, parentheses and standard input.
The most interesting obfuscation technique observed in the wild was FIN7’s use of cmd.exe’s string replacement functionality identified in June 2017. This discovery single-handedly initiated my research into cmd.exe’s surprisingly effective but vastly unexplored obfuscation capabilities.
In this presentation I will dive deep into cmd.exe’s multi-faceted obfuscation opportunities beginning with carets, quotes and stdin argument hiding. Next I will extrapolate more complex techniques including FIN7’s string removal/replacement concept and two never-before-seen obfuscation and full encoding techniques – all performed entirely in memory by cmd.exe. Finally, I will outline three approaches for obfuscating binary names from static and dynamic analysis while highlighting lesser-known cmd.exe replacement binaries.
I will conclude this talk by performing a live demo of my new cmd.exe obfuscation framework called Invoke-DOSfuscation that obfuscates payloads using these multi-layered techniques. I will also share detection implications and approaches for this genre of obfuscation.
Daniel (DBO) Bohannon Senior Applied Security Researcher, FireEye
Daniel Bohannon is a Senior Applied Security Researcher with FireEye’s Advanced Practices Team with over seven years of operations, security and Incident Response experience.
He is the author of Invoke-Obfuscation, Invoke-CradleCrafter, Invoke-DOSfuscation and co-author of the Revoke-Obfuscation detection framework. He has presented at numerous conferences including Black Hat USA, DEF CON, DerbyCon and BlueHat.
Mr. Bohannon received a Master of Science in Information Security from the Georgia Institute of Technology and a Bachelor of Science in Computer Science from The University of Georgia.
Talk: Video game hacks, cheats, and glitches
Ron built his security career in a unique way: writing cheats for video games. In high school, while others were having fun, he was trying to find new and creative ways to confuse Starcraft.
In this presentation, he will look at some of the major hacks, cheats, and glitches in video games, from famous ones (like arbitrary code execution in Super Mario World) to obscure ones (like stacking buildings in Starcraft).
But more importantly, he will tie these into modern vulnerabilities: the Legend of Zelda "bottle glitch", for example, is a type-confusion vulnerability, and similar vulnerabilities in normal software could lead to remote code execution.
This talk will bridge video game cheating with real-world security vulnerabilities, and explore the history of both!
Ron Bowes Senior Applied Security Researcher
Ron has worked in information security for more years than he can count, and has performed roles across the board. He currently works at Counter Hack, where he develops SANS Netwars, Holiday Hack Challenge, and other security games.
Talk: Ichthyology: Phishing as a Science
Many companies consider phishing inevitable: the best we can do is run training for our employees, and cross our fingers. But does phishing training actually work?
In this talk we'll cover the psychology of phishing, then walk through a series of real-world attacks conducted against a Bay Area tech company - including conversion rates for each attack, and ways in which existing protections were bypassed. We'll cover recent technological advancements in this area, then combine these with our case studies to provide evidence-based techniques on how to prevent, not just mitigate, credential phishing.
Karla Burnett Application Security Specialist, Stripe
Karla has a varied offensive security background: she's reverse engineered train ticketing systems, written articles on TLS and SSH, and competed in the Defcon CTF finals for the last several years running. She officially works on authentication and application security at Stripe, but builds internal phishing campaigns when she has business hours to spare. She's cumulatively phished nearly half the company, has triggered many bouts of internal paranoia, and has built a reputation as being entirely untrustworthy when it comes to email.
Talk: Homeward Bound: Scanning Private IP Space with DNS Rebinding
DNS Rebinding attacks have re-entered the spotlight, largely owing to recent high-profile disclosures by Tavis Ormandy including RCE in the Blizzard Update Agent triggered from the browser. However, given the vast amount of consumer software in circulation today and the apparent frequency with which the design (anti)pattern of treating localhost as secure occurs, it is likely that many vulnerable services still exist. In this talk, we will present a set of tools we created to make performing DNS Rebinding attacks fast and easy at scale, discuss how these tools can be used to perform network reconnaissance from inside a browser, and present an opt-in “localhost census” page that uses DNS rebinding to enumerate localhost services listening for HTTP on the visitor’s computer, and adds the results to a database.
Danny Cooper Security researcher, Akamai
Allan Wirth and Danny Cooper are security researchers in the Adversarial Resilience group at Akamai, as well as administrators of BKPCTF.
Talk: Stupid Purple Teamer Tricks
Workshop: Capture-The-Flag 101
Laurent Desaulniers Team Lead for Pentesting Team
Laurent is a team lead for a large security consulting firm, based in Montreal. He has conducted over 200 pentesting and red team engagements over the span of 10 years and is still enthusiastic about it. Laurent is also a challenge designer for NorthSec and has given talks to CQSI, NCFTA, HackFest, RSI, MontréHack, OWASP Montreal and NorthSec. Besides security, Laurent is interested in lockpicking, magic and pickpocketing.
Workshop: Wi-Fi Security
This workshop will briefly go over the Wi-Fi basics and known security issues, covering WPA2-Personal, WPA2-Enterprise, WPS, and then focusing on the most recent developments in Wi-Fi such as KRACK, and will include hands-on labs. The workshop will also cover direct attacks against wireless clients and access points, such as router vulnerabilities, rogue access points and denial-of-service attacks.
To get the most out of this workshop, attendees are encouraged to:
Have a machine with Kali Linux installed (either as a virtual machine or directly).
Bring a packet-injection capable wireless card, such as the Alfa AWUS036h.
Ideally, be familiar with setting up their wireless card in monitor mode to minimize setup time during the workshop.
Attendees are also encouraged to bring any Wi-Fi-related equipment that they would like to show off!
Workshop Outline
Introduction & Quick Overview of 802.11 basics
What is Wi-Fi and how does it work?
What are control frames, management frames, etc.?
What is the difference between a/b/g/n?
What hardware do I need to start hacking?
Attacks on WPA-Personal
Attacks on WPS
Attacks on WPA-Enterprise
Other attacks on Wi-Fi
Attacks on access points
Attacks on clients
DoS attacks
Attacking the Wi-Fi firmware (Broadcom vulnerabilities)
Other recent developments (KRACK)
Notes on WPA3
Mark El-Khoury Security Consultant, NCC Group
Mark El-Khoury is a Security Consultant with NCC Group, where he has been for over two years. Mark has been involved in a wide variety of security assessments, ranging from large web applications in various environments and frameworks, to native desktop applications and IoT devices. Mark also specializes in internal and external network infrastructure penetration testing, including IEEE 802.11 wireless assessments. Mark graduated from Syracuse University with a Master's degree in Computer Science, and has participated in many programming contests, including ACM ICPC, IEEE Xtreme, and Topcoder matches.
Talk: Smart contract vulnerabilities: The most interesting transactions on the Ethereum blockchain
Smart contract security is a brave, new, and sometimes terrible field. This presentation will take you through some of the most famous vulnerabilities of these first few years (from the DAO hack, to the Parity wallet vulnerabilities ... and including less-well-known but very interesting events like the DDoS attacks from late 2016). We'll explain the details of how these attacks work(ed), some of the idiosyncrasies of Ethereum, and through these examples some general principles of smart contract security.
Sarah Friend Software Engineer
Sarah Friend is a software engineer working at a large blockchain development studio on tools for financial transparency/accounting. When not doing that, she creates games and other interactive experiences. She has recently exhibited with Furtherfield at the Neon Festival in Dundee, Scotland, and presented at the Montreal International Games Showcase. In 2018, she will be part of the MoneyLab program by the Institute for Networked Culture in London, UK and at Transmediale in Berlin.
Talk: What are containers exactly and can they be trusted?
Everyone's talking about containers these days.
But how many actually know what they are?
Do you know there are two big families of containers and that even within those, there are countless different runtimes to set them up and manage them?
Is a VM safer than a container? What about those containers that are using VM technology for containers?
Those are all questions anyone who's dealing with containers in production should know answers to. You should be able to decide whether to use containers at all and if so, what kind of container is the best fit for your particular task.
During this presentation, we'll be going over 15 years of container technologies on Linux (10 years in mainline Linux), how the security features they're built on top of have evolved and what the current state of things is. We'll be comparing application containers to system containers, actual containers to lightweight virtualization and briefly cover some of the higher level management tools that come with them and what to keep in mind when trying to keep all of that safe.
Stéphane Graber Developer, Canonical
Stéphane Graber works as the technical lead for LXD at Canonical Ltd. He is the upstream project leader for LXC and LXD and a frequent speaker and track leader at various container and other Linux-related events.
Stéphane is also a long time contributor to the Ubuntu Linux distribution as an Ubuntu Core Developer and he currently sits on the Ubuntu Technical Board.
In his spare time, Stéphane helps organize a yearly security conference and contest in Montréal, NorthSec, where his knowledge of Linux and network infrastructure is used to simulate the most complex of environments for the contestants.
Talk: Getting ahead of the elliptic curve
Elliptic curves are relatively obscure mathematical objects: you can get a PhD in maths without ever having come across them. Yet these objects play an important role in modern cryptography and as such are found in most HTTPS connections, in Bitcoin, and in a large number of other places.
To really understand elliptic curve cryptography (ECC) to the point that you can implement algorithms, you'd have to study the maths behind it. This talk assumes that you haven't studied the maths, but just want to understand what ECC is about, how it works and how it is implemented.
It will discuss how 'point addition' works and how the Elliptic Curve Diffie-Hellman algorithm is used, for example in HTTPS - and how you can find it using Wireshark. It will explain how to use elliptic curves for digital signatures and why you don't want to be like Sony when it comes to implementing them. It will discuss how ECC was used in an infamous random number generator and, finally, will take a brief look at the use of elliptic curves in post-quantum algorithms.
The goal of this talk is to keep things simple and understandable and no knowledge of maths is assumed. The talk won't make you an expert on ECC -- that would take years of studying. But it might help you understand the context a bit better when you come across them in your research. And hopefully it will also be a little bit fun.
Martijn Grooten
Martijn Grooten is a lapsed mathematician who by chance ended up working in security - and loved it. He's spent more than a decade testing security software but his interest in security is broad and he has a weak spot for cryptography. He is currently Editor of Virus Bulletin.
Workshop: IoT Firmware Exploitation
The IoT Firmware Exploitation and Attack Countermeasures workshop is designed to provide techniques for testing of embedded IoT systems, employing proactive controls, embedded application security best practices, and address the challenges of building security into embedded devices. This course is suited for embedded systems engineers, software developers, and security professionals of all backgrounds. Hands-on demonstrations and labs will be given throughout the course. Upon completion of the course, trainees will learn the following:
How to identify vulnerabilities in embedded firmware
Understand the embedded security testing methodology, techniques, and tools
Firmware reverse engineering, emulation, and binary exploitation
How to backdoor firmware for MIPS and ARM architectures
Understand embedded system design constraints that pose security risks
Understand IoT botnet exploitation techniques that impact critical infrastructures and how to apply appropriate mitigating controls for product security teams
Course Prerequisites
Familiarity with a Linux operating system
Admin Rights to Computer. If you do not have install rights, no problem, as we will work in pairs for the labs.
Hardware
At least 25 GB of free space
Laptop with a minimum of 4 GB RAM
USB access allowed
Software
Participants should have virtualization software installed (VMWare and/or VirtualBox)
At the start of the class, we will share a virtual machine which will have all the tools and labs preconfigured for the training.
Aaron Guzman Security Consultant
Aaron Guzman is a Security Consultant from the Los Angeles area with expertise in web app security, mobile app security, and embedded security. Mr. Guzman has spoken at several worldwide conferences which include: DEF CON, AppSec EU, AppSec USA, HackFest, Security Fest, HackMiami, 44Con, AusCERT as well as several regional BSides events. Furthermore, Aaron is a Chapter leader for the Open Web Application Security Project (OWASP) Los Angeles, Cloud Security Alliance SoCal (CSA SoCal), a Technical Editor, and author of "IoT Penetration Testing Cookbook" with Packt Publishing. He has contributed to many IoT security guidance publications from CSA, OWASP, Prpl, and several others. Aaron leads the OWASP Embedded Application Security project, providing practical guidance to address the most common firmware security bugs to the embedded and IoT community. Follow Aaron’s latest research on Twitter at @scriptingxss
Workshop: A Gentle Introduction to Fuzzing
Fuzzing could be summed up as a testing method feeding random inputs to a program. Where a more traditional approach to testing relies on manual design of tests based on known assumptions, fuzzing brings an automated means of creating test cases. Although a single test generated by a fuzzer is unlikely to find any defects, millions of them in quick iterations make it very likely to trigger unexpected behaviours and crashes. With the rise of smarter fuzzers, fuzzing has become an efficient and reliable way to test most edge cases of a program and makes it possible to cover very large programs that would otherwise require a large amount of effort from manual reviewing and testing. The low amount of manual intervention required to set up a modern smart fuzzer dismisses any pretext a developer or security researcher might have to not fuzz their project. If you aren't fuzzing, the bad guys will (and find all the bugs that come with it).
This workshop aims to introduce the basic concepts of fuzzing to the participants and to enable them to make fuzzing a critical step of their testing process. The class is going to start with a quick introduction about the concepts of fuzzing, why they should do it and some benefits other organisations have gained from it. The workshop will then move on to a hands-on approach on how to set up AFL and run it against a program and how to interpret the outputs. Most of the exercise will revolve around a sample program with intentional bugs and gotchas, and once the participants have an understanding of the basics, they will be walked through real world scenarios. Finally, time will be allocated at the end for the participants to fuzz a project of their choice with the assistance of the presenters.
Requirements
For a better experience participants must:
Bring their own laptops with a working Docker installation. Docker will be used to give a proper AFL working environment to all participants. No support will be provided for participants running AFL outside of the provided Docker image.
For a better experience we encourage participants to:
Have a basic knowledge of C and common C vulnerabilities (Buffer Overflow, Format String, etc). The workshop won’t cover the exploitation of found crashes, but it might be more helpful to understand why those crashes happen and what can be done from them.
Command-line knowledge, particularly how to build a program with gcc from the command-line interface.
Israël Hallé Developer and Reverse Engineer
Israël Hallé has a B.Eng. from the École de Technologie Supérieure (E.T.S.). He worked as a developer on the Merchant Protection and Checkout teams at Shopify. He also did malware analysis and reverse engineering contracting work for Google on their Safe Browsing team. He is now working full-time developing the technology that powers Flare Systems. Israël has organized exploitation workshops at E.T.S. and at the NorthSec conference in addition to participating in multiple security CTFs, mostly working on binary reverse engineering and exploitation challenges.
Talk: A Journey into Red Team
Workshop: Capture-The-Flag 101
Charles Hamilton Penetration Tester
Charles has more than 8 years of experience delivering Information Technology and Information Security services to various government and commercial clients such as banks, the nuclear industry and law firms. Having the opportunity to perform Red Team engagements against complex and secured environments allowed him to develop a certain expertise that can be used to navigate through the target network without being detected. Since 2014 I'm also the proud owner of the RingZer0 Team website, which has more than 28 000 members worldwide. The RingZer0 Team website is a hacking learning platform.
Mario Heiderich Security Researcher, Cure53
Dr.-Ing. Mario Heiderich, handsome heartbreaker, Bon-Vivant and (as he loves to call himself) "security researcher" is from Berlin, likes everything between lesser- and greater-than and leads a small yet exquisite pen-test company. He commonly pesters peaceful attendees on various capitalist conferences with powerpoint slides and profanities.
Workshop: Hacking APIs and the MEAN Stack with OWASP DevSlop
Tanya Janca Security Evangelist,
Tanya Janca is a senior cloud advocate for Microsoft, specializing in application security; evangelizing software security and advocating for developers through public speaking, her open source project OWASP DevSlop, and various forms of teaching via workshops, blogs and community events. As an ethical hacker, OWASP Project and Chapter Leader, software developer, effective altruist and professional computer geek of 20+ years, she is a person who is truly fascinated by the ‘science’ of computer science.
Babak Javadi Security Researcher, Red Team Alliance / The CORE Group
Babak Javadi is a hardware hacker with a wayward spirit. His first foray into the world of physical security was in the third grade, where he received detention for describing to another student in words alone how to disassemble the doorknob on the classroom door. After years of immersion in electronics and hardware hacking, he found his passion in the puzzling and mysterious world of high security locks, safes, and alarm systems. After serving as a driving force within the locksport community for almost a decade and co-founding the US division of The Open Organisation of Lockpickers, he has recently re-embraced the beauty of the baud and resumed hardware hacking with a vengeance. He currently serves as the President of the US group of The Open Organisation of Lockpickers (TOOOL) and is the founder of The CORE Group, a security research and consulting firm. When not hunched over a lab workbench or crouched beside an auxiliary entrance to a target building, Babak travels around the world to speak at varied conferences, agencies, and companies, including DEF CON, HOPE, BlackHat, Confidence, HITB, DeepSec, eko, and the USNA. He enjoys spicy food and lead-free small arms ammunition.
Talk: The Blackbear project
In typical enterprise networks today, ingress filtering is taken care of by firewalls or similar devices. Unfortunately, the ability of devices and applications to reach the outside world is often overlooked or intentionally left open, as web services might need to be reachable.
We will present a fork of an OpenSSH daemon, that is able to exploit the often loose egress filtering and maneuver around network restrictions.
Designed for more comfortable post-exploitation, it also extends regular forwarding and tunneling abilities in order to circumvent network rules that may otherwise hinder lateral movement.
In addition, it can also act as a regular SSH server listening for an incoming connection, and provides reliable interactive shell access (must be able to run top, sudo, screen, vi, etc) as opposed to crafted reverse shells or even meterpreter which allow basic commands but fail at interactive ones.
Marc-André Labonté Pentester
System administrator for more than 10 years, now doing penetration testing since 2016. I do have a strong interest in privacy and computer security. While not in front of a computer, I am either rock climbing or walking highlines.
Talk: Python and Machine Learning: How to use algorithms to create yara rules with a malware zoo for hunting
Machine learning can be useful for helping analysts and reverse engineers. This presentation will explain how to transform data to use machine-learning algorithms to categorize a malware zoo. To cluster a set of (numerical) objects is to group them into meaningful categories. We want objects in the same group to be closer (or more similar) to each other than to those in other groups. Such groups of similar objects are called clusters. When data is labeled, this problem is called supervised clustering. It is a difficult problem but easier than the unsupervised clustering problem we have when data is not labeled. All our experiments have been done with code written in Python and we have mainly used scikit-learn. With the Zoo dataset, we present how to use unsupervised algorithms on labeled datasets to validate the model. When the model is finalized, the resulting clusters can be used to automatically generate yara rules in order to hunt down the malware.
Sebastien Larinier Senior Researcher
Sébastien Larinier is a freelance Senior Researcher and Incident Handler who created the CERT Sekoia located in Paris. Member of the honeyproject chapter France and co-organizer of botconf. Sébastien focuses his work on botnet hunting, malware analysis, network forensics, early compromise detection, forensic and incident response. As a Python addict, he supports different opensource projects like FastIR, veri-sig, Oletools, pymisp, and malcom…
Workshop: A Gentle Introduction to Fuzzing
Fuzzing could be summed up as a testing method that feeds random inputs to a program. Where a more traditional approach to testing relies on manual design of tests based on known assumptions, fuzzing brings an automated means of creating test cases. Although a single test generated by a fuzzer is unlikely to find any defects, millions of them in quick iterations make it very likely to trigger unexpected behaviours and crashes. With the rise of smarter fuzzers, fuzzing has become an efficient and reliable way to test most edge cases of a program and makes it possible to cover very large programs that would otherwise require a large amount of effort in manual review and testing. The low amount of manual intervention required to set up a modern smart fuzzer dismisses any pretext a developer or security researcher might have for not fuzzing their project. If you aren't fuzzing, the bad guys will (and find all the bugs that come with it).
This workshop aims to introduce the basic concepts of fuzzing to the participants and to enable them to make fuzzing a critical step of their testing process. The class is going to start with a quick introduction to the concepts of fuzzing, why they should do it and some benefits other organisations have gained from it. The workshop will then move on to a hands-on approach on how to set up AFL, run it against a program and interpret the outputs. Most of the exercises will revolve around a sample program with intentional bugs and gotchas, and once the participants have an understanding of the basics, they will be walked through real world scenarios. Finally, time will be allocated at the end for the participants to fuzz a project of their choice with the assistance of the presenters.
Requirements
For a better experience participants must:
Bring their own laptops with a working Docker installation. Docker will be used to give a proper AFL working environment to all participants. No support will be provided for participants running AFL outside of the provided Docker image.
For a better experience we encourage participants to:
Have a basic knowledge of C and common C vulnerabilities (Buffer Overflow, Format String, etc). The workshop won’t cover the exploitation of found crashes, but it might be more helpful to understand why those crashes happen and what can be done from them.
Command-line knowledge, particularly how to build a program with gcc from the command-line interface.
Talk: Source code vulnerability research and browser exploitation
Every day, most people who use a computer will either run applications on untrusted networks (like public wifi) or run applications that run untrusted scripts on their machine. Whether it is a browser running JavaScript, a cryptocurrency’s smart contracts or even a script from a map or game mod, scripting engines like these tend to have a large attack surface for vulnerabilities and they are usually quite exploitable, especially when the bugs are use-after-free bugs. However, finding these bugs in large open source projects can be a bit intimidating.
In this talk I will present various tools that I used for finding vulnerabilities in open source software. I will try to demonstrate the various bug patterns and how I look for them using examples in everyday software. I will explain how to go from a bug to a vulnerable bug.
Finally, I will explain what a use-after-free (UAF) is and the bug patterns to look for. UAF bugs can be quite tricky to find and quite complicated to exploit, but they can be quite dangerous if an attacker understands them well. To demonstrate how powerful a UAF in a scripting engine can be, I will walk the audience through a UAF bug in a modern browser and some of the techniques used to exploit it.
Jean-Marc Leblanc Reverse Engineer, EWA-Canada
Currently working as a reverse engineer at EWA-Canada, Jean-Marc has worked for multiple respected security enterprises for the past 5 years, including national security agencies and contract work at Google. On top of his professional security research, he has done a lot of personal vulnerability research on large popular applications. He has successfully claimed bug bounties from Google Chrome and Shopify. He has presented multiple talks at various conferences, including last year's "Script Engine Hacking for Fun and Profit" at NorthSec and “Why U A.F.ter calc?” at Ihack Ottawa.
Talk: Data Breaches: Barbarians in the Throne Room
Often defenders worry about the intangible security problems. Defenders need to concentrate their efforts on defending the enterprise by focusing on the fundamentals. Too often issues such as patching or system configuration failures lead to system compromise. These, along with issues such as SQL injection, are preventable problems. Defenders can best protect their digital assets by first understanding the sheer magnitude of the impact a data breach can have on an enterprise.
In this talk I review my findings after analyzing hundreds of data breach disclosures as it pertains to what went wrong.
Dave "gattaca" Lewis Security Advocate, Akamai Technologies
Dave has over two decades of industry experience. He has extensive experience in IT security operations and management. Currently, Dave is a Global Security Advocate for Akamai Technologies. He is the founder of the security site Liquidmatrix Security Digest and co-host of the Liquidmatrix podcast. Dave writes a column for Forbes and Huffington Post.
Talk: One Step Before Game Hackers -- Instrumenting Android Emulators
Commercial Android emulators such as NOX, BlueStacks and Leidian are very popular at the moment and most games can run on these emulators fast and soundly. The bad news for game vendors is that these emulators are usually shipped with root permission in the first place. On the other hand, cheating tools developers are happy because they can easily distribute their tools to abusers without requiring the abusers to have a physical rooted device, nor do they need to perform trivial tuning for different Android OS / firmware version. However, luckily for game vendors, commercial Android emulators usually use an x86/ARM mixed-mode emulation for speed-up. As a result, a standard native hooking/DBI framework won't work on this kind of platform. This drawback could discourage the cheating developers.
In this talk, I will introduce a native hooking framework for this kind of mixed-mode emulator. The talk will include the process start routine of both command-line applications and Android JNI applications, as well as how these routines differ on an emulator. The different emulation strategies adopted by different emulators and runtime environments (Dalvik/ART) will also be discussed. Based on this knowledge, I will explain why the existing hooking/DBI frameworks do not work on these emulators and how to make one that works.
Lastly, I will present a demo of using this hooking framework to cheat a game on emulator. With this demo, I will discuss how the dark market of mobile game cheating may develop in the foreseeable future.
Wan Mengyuan (Nevermoe) Security Engineer, DeNA Co., Ltd.
Wan is a security engineer at DeNA Co., Ltd. He provides pen testing and security consulting for in-house developers. His main focus is on pen testing, game security and reverse engineering. He loves writing tools for game hacking / analysis and publishing them on GitHub.
Talk: Smart contract vulnerabilities: The most interesting transactions on the Ethereum blockchain
Smart contract security is a brave, new, and sometimes terrible field. This presentation will take you through some of the most famous vulnerabilities of these first few years (from the DAO hack, to the Parity wallet vulnerabilities ... and including less-well-known but very interesting events like the DDoS attacks from late 2016). We'll explain the details of how these attacks work(ed), some of the idiosyncrasies of Ethereum, and through these examples some general principles of smart contract security.
Jon Maurelian Security Engineer, ConsenSys Diligence
Jon Maurelian is a security engineer at ConsenSys Diligence, where he works to ensure that Ethereum smart contracts are transparent, trustworthy, and reliable. He helped build a decentralized name registrar for the Ethereum Name Service; authoring the spec, and auditing the final implementation. He is a regular writer and speaker on smart contract security. Prior to joining ConsenSys, Maurelian worked at Coinbase.
Derek McCarthy is a Technical Director for Incident Response & Forensics at Cylance. In addition to leading the development of both Compromise Assessment & Incident Response methodologies, Derek is often found on the frontlines leading teams of incident responders in some of the largest breaches of the last decade. Prior to working at Cylance, Derek worked on the information security team at Draper Laboratories in Cambridge, MA.
Talk: Binary analysis, meet the blockchain
Ethereum is a novel, decentralized computation platform that has quickly risen in popularity since it was introduced in 2014, and currently controls the equivalent of one hundred ten billion dollars. At its foundation is a virtual machine which executes “smart contracts”: programs that ultimately control the majority of the value transfer within the network. As with most other types of programs, correctness is very important for smart contracts. However, somewhat uniquely to Ethereum, incorrectness can have a direct financial cost, as evidenced by a variety of high profile attacks involving the loss of hundreds of millions of dollars. The error-prone nature of developing smart contracts and the increasing amounts of capital processed by them motivates the development of analysis tools to assist in automated error and vulnerability discovery.
In this talk, we describe our work towards smart contract analysis tooling for Ethereum, which focuses on a modern technique called symbolic execution. We provide context around both Ethereum and symbolic execution, and then discuss the unique technical challenges involved with combining the two, touching on topics including blockchains, constraint solvers, and virtual machine internals. Lastly, we present Manticore: an open source symbolic execution tool which we have used to enhance smart contract security audits.
Mark Mossberg Engineer, Trail of Bits
Mark Mossberg is an engineer at Trail of Bits, and the lead developer for the Manticore project.
Talk: Cell Site Simulators From the Ground Up
IMSI-catchers, also known as cell-site simulators, are devices that let their operators track cell users, interfere with their calls/texts, and mount other privacy-invasive attacks. While research around IMSI-catchers has been gaining traction over the years, there hasn’t been much effort into making the more technical results accessible outside of academia and niche hardware hacking circles. The goal of this talk is to remedy that.
This talk will be a deep technical dive into how cell networks interact with user equipment, the details of how IMSI-catchers exploit their design flaws, what goes into building an IMSI-catcher (hypothetically, of course!), the relationship Canadian & American law enforcement have with these devices, and steps one can take to protect themselves.
Yomna Nasser
Yomna likes mathematical cryptography, geometry, and succinct explanations. She used to work at the EFF as a Certbot developer (the popular ACME/Let’s Encrypt client), where she also took part in various cell phone security working groups. She currently spends her time thinking about the intersection of distributed systems and mathematical optimization at Stripe.
Thomas Pace Principal Consultant, Cylance
Thomas Pace began his career in security when he joined the Marine Corps as an infantryman and intelligence specialist. During this time, he deployed to both Iraq and Afghanistan. He then moved on to work for PNC Bank, where he was an incident response investigator and assisted in mitigating the ongoing DDoS attacks that were occurring in 2012 and 2013. He then worked for the Department of Energy as a contractor, where he led the incident response and intrusion detection teams and conducted forensic investigations. In addition, he is an Adjunct Professor at Tulane University, where he teaches an undergraduate Cyber Security course. Currently, Thomas is a Principal Consultant with Cylance within the Incident Response and Forensics services organization. At Cylance, he assists organizations in remediating incidents and developing incident response policies and procedures. Thomas graduated from the University of Pittsburgh with a Master's Degree in Information Security. He also holds the CISSP, SFCP, GCFA, GCIH, GCWN and GCIA certifications.
Workshop: Botnet Tracking and Data Analysis Using Open-Source Tools
Fully understanding a botnet often requires a researcher to go beyond standard reverse-engineering practices and explore the malware’s network traffic. The latter can provide meaningful information on the evolution of a malware’s activity. However, it is often disregarded in malware research due to time constraints and publication pressures.
The workshop is about overcoming such constraints by providing a powerful workflow to conduct quick analysis of malicious traffic. The data science approach presented capitalizes on open-source tools (Wireshark/Tshark, Bash with GNU parallel) and valuable Python libraries (ipython, mitmproxy, pandas, matplotlib). During the workshop, participants will do practical technical labs with datasets from our recent botnet investigation. They will learn how to quickly find patterns, plot graphs and interpret data in a meaningful way. Although the exercises will focus on a botnet’s data, the tools and skills learned will be useful in all sorts of contexts. Moreover, to ensure that participants get the most out of the workshop, it will be built in a way that allows them to easily replicate the data-analysis environment at home and reproduce similar analysis with their own traffic data.
Workshop Outline
The workshop will be divided into three sections. The first section will present the contextual information needed for participants to start the practical technical labs afterwards. The second section will focus on analyzing the botnet’s C&C traffic in pcaps. The third section will emphasize graphs and the use of the mitmproxy library to analyze decrypted traffic.
Introduction
Lab 1 – Extract SOCKS Traffic with Wireshark
Lab 2 – Extract SOCKS Traffic with Tshark
Introduction to Jupyter Notebook and its shell integration (xargs, parallel)
Lab 3 – Search in mitmproxy logs
Lab 4 – Manipulate Dataframes with Pandas
Lab 5 – Graph the Data using Plotly
Tools
Due to the short time allotted, we ask participants to download and install Wireshark locally on their computer (https://www.wireshark.org/download.html) during the introduction. For the other tools (tshark, bash, GNU parallel, the anaconda package, mitmproxy, pandas, numpy, plotly), we will provide a hosted environment in which the tools will be installed and the scripts, the data and the exercises will be available.
Masarah is a security researcher at GoSecure and one of Canada’s decorated 150 scientific innovators. With her background in economics and criminology, she specializes in the study of market dynamics behind illicit online activities. Her primary goal is to conduct scientific research on online crime without falling into the alarmist side. She has published in several peer-reviewed journals, such as Global Crime, Social Networks and the International Journal for the Study of Drug Policy, and presented at various international conferences including Black Hat Europe, Botconf and the American Society of Criminology.
Talk: Non-Crypto Constant-Time Coding
Cache attacks are a class of side-channel attacks that have been used since 2005 to break implementations of cryptographic algorithms. However, they do not impact only cryptography; if a given context makes cache attacks applicable, then everything that handles confidential data is potentially vulnerable. The SGX technology offers such a context where all the code in an enclave, not only its encryption code, shall be made robust to such attacks. In this talk, we present a summary of cache attacks, SGX, and a toolkit of C functions designed to help with writing generic, non-crypto, constant-time code.
Thomas Pornin Cryptographer and Researcher, NCC Group
Thomas Pornin is a cryptographer and researcher, doing cryptography consulting at NCC Group. He is the author of BearSSL, a secure and compact SSL/TLS library.
Drew Porter, Red Team Alliance / Red Mesa
Coming soon
Talk: Surprise Supplies!
Supply chain attacks have long been thought about, yet they are often overlooked in terms of how well a business prepares itself for any associated compromise or breach.
2017 has truly marked itself as 'The Year Of The Supply Chain Attack' and marked a turning point concerning supply chain attacks.
Talos was involved in two major campaigns: the MeDoc compromise that paralyzed Ukraine and the CCleaner compromise that impacted a reported 2.27M consumers.
In this presentation we will first present these two cases. In both cases, we will present how the attackers modified a legitimate application and what the result of the modification was. We will explain the purpose of the attackers and the malware used against the victims.
For the MeDoc compromise, we were directly involved in the incident response and we will provide a timeline of the events to give an idea of the before, during and after picture associated with Nyetya and MeDoc.
Concerning the CCleaner compromise, we will provide some data and statistics from the attacker's database and the profiles of the targeted organizations. In a second part, we will speak globally about supply chain attacks. We will recall that it's not the first time in history that this kind of attack has occurred, and we will finally open the discussion on the future of these attacks.
Paul Rascagnères Security Researcher, Talos
Paul is a security researcher within Talos, Cisco’s threat intelligence and research organization. As a researcher, he performs investigations to identify new threats and presents his findings as publications and at international security conferences throughout the world. He has been involved in security research for 7 years, mainly focusing on malware analysis, malware hunting and more specifically on Advanced Persistent Threat campaigns and rootkit capabilities. He previously worked for several incident response teams within the private and public sectors.
Workshop: Incident Response in the Age of Threat Intelligence with MISP, TheHive & Cortex
The goal of the tutorial is to familiarize participants with Incident Response and Cyber Threat Intelligence using TheHive — a Security Incident Response Platform, Cortex — a powerful observable analysis engine, and MISP — the de facto standard platform for threat sharing.
All software is free and open source.
Workshop Outline
What is Incident Response and Cyber Threat Intelligence in 2018
Overview of the software stack
Simple case study
Dealing with notifications
How CTI feeds IR
How IR feeds CTI
Advanced case study
Attendees need to have a laptop and the ability to run the virtual machines (VirtualBox or VMware) provided by the trainers.
Saâd Kadhi, CERT Banque de France
Saâd Kadhi, head of CERT Banque de France and TheHive Project leader, has over 18 years of experience in cybersecurity. He discovered incident response and digital forensics in early 2008 and has been working exclusively in this fascinating field since then. He built a CSIRT at a French multinational food-products corporation and worked as an analyst at CERT Société Générale before joining the French national central bank where he leads a team of 20 analysts. He frequently writes information security articles in a leading French magazine. He also co-organizes the Botconf security conference.
Workshop: Hands-on Modern Access Control Bypassing
This workshop will teach you how to attack applications secured by Firewalls, IDS/IPS, Antivirus and WAF. The presenter will describe the newest bypassing techniques and provide a systematic and practical approach on how to bypass modern access control mechanisms. This workshop contains a lot of demos.
Everyone is now using Firewalls, IDS/IPS, Load Balancers with multiple features such as algorithms, signatures etc.
Since the beginning, filter obfuscation and evasion techniques have been there. These mechanisms provide multiple layers of defense, so bypassing them is an important aspect of pentesting. This workshop describes different techniques to bypass these mechanisms. We will see them in action with multiple demos. Just bring your laptop to learn these attacks practically.
This workshop will cover -
Detecting Honeypots
Bypassing DMZ
Bypass different types of Network Access Control (NAC) implementations
Firewalls -
Mapping beyond firewalls
Firewall identification
Evading firewalls
Intrusion Detection System / Intrusion Prevention System (IDS/IPS)
IDS/IPS identification
Evading IDS/IPS
Antivirus
Bypassing Antivirus using different frameworks
Evading detection and blocks from the different endpoint protection mechanisms that you may encounter during your testing
Generating compiled python executables from the raw shellcode from the Veil framework
Detection of Web Application Firewalls and Load Balancers
Bypassing Web Application Firewalls (WAF) - Tricks to Penetrate Firewalls
Vikram Salunke Pentester, Vmaskers
Vikram is the founder of Vmaskers, and a professional pentester. He has led 100+ pentests over the past years, compromising highly sensitive and secured enterprise networks. His primary responsibilities in his recent job roles were to look after enterprise network security, manage security automation and build internal tools to fight security attacks.
He has also discovered serious security flaws in many unique product giants all over the world. He has worked in various domains including Pentesting, Reverse Engineering, Fuzzing, Exploitation, Source Code Auditing and Mobile application security research. He helps the community by uploading regular InfoSec videos on YouTube (https://www.youtube.com/VikramSalunke). He has also previously spoken and trained at numerous security conferences all around the world including CHCon, OWASP AppSec Africa, CrikeyCon, CanSecWest, OWASP New Zealand Day, NolaCon, LayerOne, ShakaCon, OWASP AppSec California and will be training at Hack in The Box (HITB), InfoSec in the City, BlackHat USA 2018 etc.
Talk: Brain Implants & Mind Reading
At a certain level of technological sophistication you gain the ability to grant others read, write, and execute permissions to your brain. That ability creates a unique set of security concerns. In this talk we will discuss the current state of both brain scanning and brain stimulation technology, the practical implications of merging brains with artificial intelligence, and the role infosec can play in shaping the dystopic cyberpunk future that we’re currently careening towards.
Melanie Segado
Melanie really likes brains and computers. This is why she co-founded NeuroTechX, a non-profit whose mission is to grow the global neurotechnology community. She is currently pursuing a PhD in cognitive neuroscience. Melanie spends her free time hacking on brain technology and thinking about its societal implications.
Talk: Exploits in Wetware
Robert discusses his third place experience at the Defcon 2017 SE CTF and how his efforts clearly show how easy it is to get sensitive information from any organization. The 2017 Verizon report clearly shows the dramatic growth rate of social engineering attacks and Robert demonstrates how he collected hundreds of data points from the target organization using OSINT techniques. He then goes into the vishing strategy he implemented to maximize the points he collected in the 20 minute live contest. Without much effort Robert was able to know their VPN, OS, patch level, executive personal cell phone numbers and place of residence.
Robert lifts the curtain of the social engineering world by showing tricks of the trade such as the “incorrect confirmation”, which is one of many methods to loosen the tongues of his marks. Robert then shows the pretexts he designed to attack companies and the emotional response each pretext is designed to trigger. By knowing these patterns we can better educate our staff.
With that much information at his fingertips, how long would it take him to convince your executive to make a bank transfer? If your organization lost a few million dollars due to social engineering, who would be to blame? Are you insured for that? Who is getting fired?
Robert wraps up his talk with a series of strategies companies can take to reduce exposure and risk. He goes over current exposure, building defenses, getting on the offense and finally… a culture shift.
Robert Sell (Creep) Senior IT Manager
Robert is a Senior IT Manager in the aerospace industry where he spends most of his time managing InfoSec teams. While his teams focus on the traditional blue/red team exercises, lately he has spent an increasing amount of time building defenses against social engineering. Robert has spoken about the rising SE risk at numerous events and on different security podcasts.
In 2017 he competed at the Social Engineering Village Capture the Flag contest at Defcon 25. He placed third in this contest and since then has been teaching organizations how to defend against SE attacks and reduce the OSINT footprint.
Robert is also a nine year veteran with Search & Rescue in British Columbia, Canada. In his SAR capacity, Robert is a Team Leader, Trainer, Marine Rescue Technician, Swift Water Technician and Tracker. While one may think that SAR has little to do with InfoSec, tracking lost subjects in the back country has many of the same qualities as tracking individuals or organizations online with OSINT.
Talk: Quick Retooling with .NET Payloads
PowerShell gave us a super-highway of convenient building blocks for offensive toolkits and operational automation. In the post offensive PowerShell world, a move in the direction of .NET implants may be a desirable option in some cases.
However, Red Teams are faced with challenges when moving automation down into managed code. Can .NET based toolkits maintain flexibility, quick in-field retooling and operational security in the face of current detection mechanisms?
We think the answer is yes.
In this talk, we will focus on quick in-field retooling and dynamic execution aspect of .NET implants as the crucial trait to overcome static defensive mechanisms.
We will dive deeper into OpSec lessons learned from dynamic code compilation. We will attempt to move beyond static nature of .NET assemblies, into reflective .NET DLR.
We will showcase on-the-fly access to native Windows API and discuss methods of hiding sensitive aspects of execution in the managed code memory.
All that, with the help of the DLRium Managed Execution toolkit we have in development.
Dimitry Snezhkov Security Consultant, IBM
Dimitry Snezhkov does not like to refer to himself in the third person :) but when he does he is a Sr. Security Consultant for X-Force Red at IBM, performing penetration testing, occasional Red Teaming and application security assessments.
Talk: Logic against sneak obfuscated malware
Malware is sneaky. Malicious code is written to stay hidden during infection and operation, preventing its removal and the analysis of the code. Most samples employ some sort of packing or obfuscation technique in order to thwart analysis. Similar techniques are also used to protect digital assets from intellectual property theft.
Analysis tools help gain new insights that can be used to secure software and hardware by identifying vulnerabilities and issues before they cause harm downstream. Tools and techniques beyond standard debuggers can enhance analysts' capabilities with better adaptability and automation.
This talk will give you a small taste of some practical applications of SMT solvers in IT security, investigating the theoretical limitations and practical solutions, focusing on their use as a tool for binary static analysis and code deobfuscation.
Thaís Moreira Hamasaki is a malware researcher who focuses on static analysis, reverse engineering and logic programming. Thaís started her career within the anti-virus industry working on data and malware analysis, where she developed her knowledge of threat protection systems. She won the “best rookie speaker” award from BSides London for her first talk about “Using SMT solvers to deobfuscate malware binaries”. Recent research topics include malware binary code deobfuscation, generic unpacking and malware analysis automation. She is an active member of the Düsseldorf Hackerspace, where she also leads the groups for Reverse Engineering and x86 Assembly. In her free time, you can find Thaís building tools, cooking or climbing somewhere offline.
Talk: Only an Electron away from code execution
Over the decades, various security techniques to mitigate desktop-specific vulnerabilities have been developed, which makes it difficult to successfully exploit traditional desktop applications. With the rise of the Electron framework, it became possible to develop multi-platform desktop applications using commonly known web technologies. Developed by the Github team, Electron has already become amazingly popular (used by Skype, Slack, Wire, Wordpress and so many other big names), bringing adventurous web app developers to explore the desktop environment. The same developers who made XSS the most common web vulnerability are now bringing the same mistakes to a whole new environment.
While XSS in web applications is bounded by the browser, the same does not apply to Electron applications. Making the same kind of mistakes in an Electron application widens the attack surface of desktop applications, where XSS can end up being so much more dangerous.
So in this talk, I will discuss the Electron framework and the related security issues, its wonderful “features” that got me a bunch of CVEs, possible attack vectors, and the developers who are in the dark about these issues.
AND as Electron apps do not like to play in the sandbox, this talk will DEMO Electron applications found to be vulnerable, gaining code execution from XSS.
Silvia Väli Security Researcher, Clarified Security OÜ
Security researcher from Estonia, working as a web-application pentester in Clarified Security.
Workshop: Incident Response in the Age of Threat Intelligence with MISP, TheHive & Cortex
The goal of the tutorial is to familiarize participants with Incident Response and Cyber Threat Intelligence using TheHive — a Security Incident Response Platform, Cortex — a powerful observable analysis engine, and MISP — the de facto standard platform for threat sharing.
All software is free and open source.
Workshop Outline
What is Incident Response and Cyber Threat Intelligence in 2018
Overview of the software stack
Simple case study
Dealing with notifications
How CTI feeds IR
How IR feeds CTI
Advanced case study
Attendees need to have a laptop and the ability to run the virtual machines (VirtualBox or VMware) provided by the trainers.
Raphaël Vinot CIRCL Operator, Computer Incident Response Center Luxembourg
Raphaël Vinot is a longstanding member of Computer Incident Response Center Luxembourg (CIRCL) and of Malware Information Sharing Platform (MISP).
Talk: Homeward Bound: Scanning Private IP Space with DNS Rebinding
DNS Rebinding attacks have re-entered the spotlight, largely owing to recent high-profile disclosures by Tavis Ormandy including RCE in the Blizzard Update Agent triggered from the browser. However, given the vast amount of consumer software in circulation today and the apparent frequency with which the design (anti)pattern of treating localhost as secure occurs, it is likely that many vulnerable services still exist. In this talk, we will present a set of tools we created to make performing DNS Rebinding attacks fast and easy at scale, discuss how these tools can be used to perform network reconnaissance from inside a browser, and present an opt-in “localhost census” page that uses DNS rebinding to enumerate localhost services listening for HTTP on the visitor’s computer, and adds the results to a database.
Allan Wirth Security researcher, Akamai
Allan Wirth and Danny Cooper are security researchers in the Adversarial Resilience group at Akamai, as well as administrators of BKPCTF.
Talk: Surprise Supplies!
Supply chain attacks have long been thought about, yet are often overlooked in terms of how well a business prepares itself for any associated compromise or breach.
2017 has truly marked itself as 'The Year Of The Supply Chain Attack' and marked a turning point concerning supply chain attacks.
Talos was involved in two major campaigns: the MeDoc compromise that paralyzed Ukraine and the CCleaner compromise that impacted a reported 2.27M consumers.
In this presentation we will first present these two cases. In both cases, we will present how the attackers modified a legitimate application and what was the result of the modification. We will explain the purpose of the attackers and the malware used against the victims.
For the MeDoc compromise, we were directly involved in the incident response and we will provide a timeline of the events to give an idea of the before, during and after picture associated with Nyetya and MeDoc.
Concerning the CCleaner compromise, we will provide some data and statistics from the attacker's database and the profiles of the targeted organizations. In a second part, we will speak globally about supply chain attacks. We will recall that it is not the first time in history that this kind of attack has occurred, and we will finally open the discussion on the future of these attacks.
Warren Mercer Security researcher, Talos
Warren Mercer joined Talos coming from a network security background, having previously worked for other vendors and the financial sector. Focusing on security research and threat intelligence, Warren finds himself in the deep, dark and dirty areas of the Internet and enjoys the thrill of the chase when it comes to tracking down new malware and the bad guys! Warren has spent time in various roles throughout his career, ranging from NOC engineer to leading teams of other passionate security engineers. Warren enjoys keeping up to speed with all the latest security trends, gadgets and gizmos; anything that makes his life easier in work helps!
Workshop: Orange is the new Hack - Introduction to Machine Learning with Orange
Analyzing a large number of security alerts can be repetitive and tedious. To help cope with the growing complexity of systems, analysts can use machine learning algorithms and other data analysis concepts. By making predictions, machine learning algorithms can help prioritize and even reduce the amount of manual work needed. Data analysis can also help gain a better understanding of our data.
The workshop will introduce participants to the world of machine learning using the software Orange. A security-related scenario will be used for the hands-on exercises. For this scenario, a large dataset of vulnerabilities in web applications reported by a static analysis tool will be used. The dataset of vulnerabilities was enriched with key metadata that will help the algorithms. Some metadata will need transformation. Based on issues that were already classified, it will be possible to predict which unclassified issues are likely to be actual vulnerabilities.
The participants will be able to apply the same principles to the dataset in other contexts such as malware classification, system alert classification, vulnerability management, etc.
Agenda
This workshop will cover the following topics:
Data visualization
Classification
Making predictions
Comparing features and models
Prerequisites
Bring your own laptop
Operating system compatible with Orange (Windows/Mac/Linux)
Philippe Arteau Security researcher, GoSecure
Philippe is a security researcher working for GoSecure. His research is focused on Web application security. His past work experience includes pentesting, secure code review and software development. He is the author of the widely-used Java static analysis tool Find Security Bugs. He created a static analysis tool for .NET called Roslyn Security Guard. He built many plugins for Burp and ZAP proxy tools: Retire.js, Reissue Request Scripter, CSP Auditor and a few others. He presented at several conferences including Black Hat Arsenal, ATLSecCon, NorthSec, Hackfest (QC) and JavaOne.
Training: Mastering Burp Suite Pro 100% Hands-On
Nicolas Gregoire Web Hacker, Bug Hunter, Trainer, Agarri
Nicolas Gregoire has more than 15 years of experience in penetration testing and auditing of networks and (mostly Web) applications. He has been an official Burp Suite Pro trainer since 2015 and has trained hundreds of people since then. Outside of that, he founded Agarri, a small company where he finds security bugs for customers and for fun. His research has been presented at numerous conferences around the world (Netherlands, Germany, Switzerland, France, Russia, Canada, India, ...) and he has been publicly thanked by numerous vendors for responsibly disclosing vulnerabilities in their products and services, directly or through bug bounty programs.
Training: Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation
Dawid Czagan (@dawidczagan) is an internationally recognized security researcher, trainer, and author of online security courses. He is listed among Top 10 Hackers (HackerOne). Dawid Czagan has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter and other companies. Due to the severity of many bugs, he received numerous awards for his findings.
Dawid Czagan shares his security bug hunting experience in his hands-on trainings “Hacking Web Applications – Case Studies of Award-Winning Bugs in Google, Yahoo, Mozilla and More” and “Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation”. He delivered security training courses at key industry conferences such as Hack In The Box (Amsterdam), CanSecWest (Vancouver), 44CON (London), Hack In Paris (Paris), DeepSec (Vienna), HITB GSEC (Singapore), BruCON (Ghent) and for many corporate clients. His students include security specialists from Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips and government sector (recommendations: https://silesiasecuritylab.com/services/training/#opinions).
Dawid Czagan is a founder and CEO at Silesia Security Lab – a company which delivers specialized security testing and training services. He is also an author of online security courses. To find out about the latest in Dawid Czagan’s work, you are invited to subscribe to his newsletter and follow him on Twitter (@dawidczagan).
Ashfaq Ansari a.k.a "HackSysTeam", is a vulnerability researcher and specializes in software exploitation. He has authored "HackSys Extreme Vulnerable Driver (HEVD)" which has helped many folks to get started with Windows kernel exploitation. He holds numerous CVEs under his belt and is the instructor of "Windows Kernel Exploitation" course. His core interest lies in Low Level Software Exploitation both in User and Kernel Mode, Vulnerability Research, Reverse Engineering, Hybrid Fuzzing and Program Analysis.
Talk: From Hacking Team to Hacked Team to…?
Hacking Team came into the spotlight of the security industry following its damaging data breach in July 2015. The leaked data revealed several 0-day exploits being used and sold to governments, and confirmed Hacking Team’s suspected business with oppressive regimes. But what happened to Hacking Team after one of the most famous hacks of recent years?
Hacking Team’s flagship product, the Remote Control System (RCS), was detected in the wild in the beginning of 2018 in fourteen countries, including those contributing to previous criticism of the company’s practices. We will present the evidence that convinced us that the new post-hack Hacking Team samples can be traced back to a single group – not just any group – but Hacking Team’s developers themselves.
Furthermore, we intend to share previously undisclosed insights into Hacking Team’s post-leak operations, including the targeting of diplomats in Africa, uncover digital certificates used to sign the malware, and share details of the distribution vectors used to target the victims. We will compare the functionality of the post-leak samples to that in the leaked source code. To help other security researchers we’ll provide tips on how to efficiently extract details from these newer VMProtect-packed RCS samples. Finally, we will show how Hacking Team sets up companies and purchases certificates for them.
Training: Reverse Engineering Crash Course
Filip Kafka Malware Researcher, ESET
Filip Kafka is a malware researcher at ESET's Malware Analysis Laboratory. His main responsibilities include detailed malware analyses and training new reverse engineers in the ESET Virus Lab, but his professional interests, as well as his latest research, focus on APTs. He is a regular speaker at security conferences including the Virus Bulletin conference, the AVAR conference, Caro Workshop and NorthSec conference. He has also been speaking at various events aimed at raising awareness about malware and computer security, presented for local universities. His teaching experience includes running reverse engineering and malware research workshops in London, Brno or Bratislava, and regularly lecturing a reverse engineering course at the Slovak University of Technology and the Comenius University.
Training: Windows Enterprise Incident Response
Trainers to be determined, FireEye / Mandiant
Specific instructor will be determined soon. All of our instructors are security professionals with years of security experience. FireEye instructors have extensive experience working with FireEye solutions; and Mandiant instructors have applied their skills on the frontlines of major cyber incidents around the world.
Training: Adversary Tactics: Red Team Ops
Trainers to be determined, SpecterOps
Specific instructors will be determined soon. The SpecterOps team consists of sought-after experts, who bring years of breach assessment (hunt) and red team experience from both commercial and government sectors.
Training: Evil Mainframe Hacking
Philip Young
Philip Young, aka Soldier of FORTRAN, is a leading expert in all things mainframe hacking. Having spoken and taught at conferences around the world, including DEFCON, RSA, BlackHat and keynoting at both SHARE and GSE Europe, he has established himself as the thought leader in mainframe penetration testing. Since 2013 Philip has released tools to aid in the testing of mainframe security and contributed to multiple open-source projects including Nmap, giving those with little mainframe capability the chance to test their mainframes. In addition to speaking, he has built mainframe security programs for multiple Fortune 100 organizations, starting from the ground up to creating a repeatable testing program using both vendor and public toolsets. His hope is that through raising awareness about mainframe security more organizations will take their risk profile seriously.
Training: Evil Mainframe Hacking
Chad Rikansrud Director of North American Operations, RSM Partners
Chad Rikansrud, aka Big Endian Smalls, is the Director of North American Operations for RSM Partners - a world leader in IBM mainframe security consulting services. Chad is a nationally recognized security industry speaker, with appearances at: DEF CON, RSA2017, SHARE, and other regional conferences. Most of Chad's 20-year career has been in technology leadership for the financial services industry where he has held various senior leadership positions, including worldwide datacenter operations, infrastructure and recovery responsibility, as well as enterprise-wide system z storage