Nicolas Gregoire Web Hacker, Bug Hunter, Trainer, Agarri
Nicolas Grégoire has nearly 20 years of experience in penetration testing and auditing of networks and (mostly Web) applications. He has been an official Burp Suite Pro trainer since 2015, and has trained hundreds of people since then, either privately or during infosec events. Outside of that, he runs Agarri, a one-guy company where he finds security bugs for customers and for fun. His public security research (which mostly deals with XML, XSLT and SSRF) has been presented at numerous conferences around the world (HackInTheBox, ZeroNights, HackInParis, Nullcon, etc.). He has also been thanked by numerous vendors for responsibly disclosing vulnerabilities in their products and services, directly or through bug bounty programs.
Dhruv Shah Senior Security Consultant and Trainer, NotSoSecure
Dhruv has been with NotSoSecure since 2017 and has worked on security issues with a broad range of clients, including major banking, finance and media companies. This work involves web and application penetration testing and network assessments. He is also involved in Red Team assessments appraising system and network vulnerabilities with little or no prior knowledge of them. His trainer work has involved running courses at BlackHat Chicago and researching and updating the NotSoSecure Advanced Web Hacking training course.
Dhruv holds a Masters degree in IT and has seven years’ specialist experience in Information Security. He started off as a trainer sensitising staff in private sector organisations about security issues and what hackers look for when they launch attacks on networks. He then moved employers, carrying out penetration testing work for Indian government agencies and then for banking clients in the Middle East. He now has extensive penetration testing experience for Fortune 500 companies involving web and mobile applications, networks, infrastructure and Red Team work. In his spare time, he co-authored the book “Kali Linux Intrusion and Exploitation” and is an active member and moderator of one of the Null chapters in India.
JP Aumasson Cryptographer, Teserakt
Jean-Philippe (JP) Aumasson is the founder and managing director of Teserakt, a Swiss-based company specialised in IoT security and offering an end-to-end encryption solution. He is an expert in cryptography and the author of the reference book Serious Cryptography (No Starch Press, 2017). He designed the widely used cryptographic algorithms BLAKE2 and SipHash, which he developed after a PhD from EPFL (Switzerland, 2009). He regularly speaks at leading security conferences about topics such as applied cryptography, quantum computing, or blockchain security. JP also holds advisory roles in Kudelski Security and Taurus Group.
Philipp Jovanovic Post-Doctoral Researcher, EPFL DEDIS Lab
Philipp Jovanovic is a post-doctoral researcher at EPFL’s Decentralized and Distributed Systems (DEDIS) Lab, Switzerland. In 2015, he obtained his PhD in cryptography from the University of Passau, Germany, and in 2020 he will join the Information Security Research Group (ISRG) at University College London (UCL) as an Associate Professor. Philipp has worked on a broad set of topics in cryptography, security, privacy, and systems design, including encryption algorithms like NORX and OPP/MRO, and distributed security protocols like ByzCoin, RandHound, OmniLedger and drand. Philipp's research is regularly published at top-tier academic crypto/security venues and you can find him frequently speaking at conferences around the globe.
The information security industry needed to be modernized to keep up with the evolution of sophisticated threats; so in 2011, Silent Break Security was formed. Our team started their careers with the National Security Agency (NSA) and the United States Air Force Network Warfare Squadron. These Department of Defense (DoD) agencies require the highest level of information security, and there is no reason your organization shouldn’t have the same. We have first-hand experience in offensive and defensive security to best assist our clients with actual organizational threats.
Rory McCune Principal Security Consultant, NCC Group
Rory has worked in the Information and IT Security arena for the last 19 years in a variety of roles. These days he spends most of his work time on container, cloud and application security. He's an active member of the UK information security community having delivered presentations at a variety of IT and Information security conferences. He has also presented at major containerization conferences and is an author of the CIS Benchmarks for Docker and Kubernetes and main author of NCC's Mastering Container Security training.
Kubernetes' broad adoption has triggered a growth of frameworks, tools and technologies supporting it. It also means a growth in the attack surface. Instead of taking Kubernetes clusters head on, learn how to do reconnaissance on a real-world k8s cluster and the common sets of sidecar containers that it relies on. Then see what it takes to pwn the ingress point, service mesh, network infrastructure, package manager and performance monitoring tools. From there, get persistence in Docker registries and images.
Alex Ivkin is a director of solutions at Eclypsium, a US security company. His focus is on secure deployments of (in)secure software, including container orchestration, application security, and firmware security. Alex has two decades of security integration experience, has presented at numerous security conferences and delivered trainings, holds an MS in CSci, co-authored the ISACA CSXP certification and climbs mountains in his spare time.
Workshops are first-come, first-served and have a participant limit.
What do Desjardins, Apple, Yahoo!, and the NSA have in common? They’ve all been in the public eye for incidents spawned by insiders. Insiders' everyday activity requires legitimate use of their knowledge of, and access to, their employer's systems and data. So how can we distinguish between legitimate use of an employer's resources, and use that poses a threat to the organization or those it serves? This workshop introduces attendees to the methodology behind effective digital forensics investigations. Attendees will learn how to apply the best forensics tool (spoiler: it's your brain!) to solve a mock insider threat investigation. The workshop will introduce investigative methodology, core forensics topics, and key free and open source tools to leverage in their investigation.
Attendees will be provided with the evidence for the investigation and links to a variety of free and open source tools, ahead of time. A Windows machine or virtual machine is required for many of the tools. Please come prepared with the evidence downloaded and tools installed. Please feel free to reach out ahead of time with any questions and we'll do our best to assist.
Beginner-Intermediate. Attendees should have a fairly solid understanding of security and computers. Experience in digital forensics is not required, but welcome.
Emily is a digital forensics investigator on the Insider Threat Investigations team at Morgan Stanley. In her role, Emily helps protect the Firm against insider threats by conducting investigations and working to improve forensic tooling and techniques. In her spare time, Emily's passion for forensics persists as a hobby, but she also enjoys crime shows, ballet, and pursuing her not-so-secret mission of finding the best ice cream in the world.
The Adversarial Misinformation Influence Tactics and Techniques (AMITT) framework is a common language for describing organized communication attacks.
Misinformation, and more nefariously disinformation, has become a hot-button issue as the public and private sectors struggle to contain influence operations which threaten to degrade political and social fabrics.
Using well-established information-sharing standards and tooling appropriated from the InfoSec community, we explore the use of AMITT for the detection and disruption of influence operations. Where the response to disinformation has been largely reactive, we discuss left-of-boom operational playbooks and strategies for working with disinformation at scale.
Octavia Hexe is a security analyst at Ubisoft Montreal where she specializes in adversary emulation and threat intelligence.
In 2019 she worked closely with the Credibility Coalition misinfosec working group to develop counters for disinformation, and to provide tooling to the AMITT community.
Octavia volunteered with the Cognitive Security Collaborative where she builds capabilities to bootstrap elf communities, provides trainings, and evangelizes the need for greater awareness of disinformation. Her recent work at Cognitive Security Collaborative includes the launch of a MISP sharing community for influence operations.
Through Cognitive Security Collaborative, Octavia recently joined the CTI League to counter COVID-19 disinformation.
Sara-Jayne “SJ” Terp is a data nerd with a long history of working on the hardest data problems she can find. Her background includes designing unmanned vehicle systems, transport, intelligence and disaster data systems with an emphasis on how humans and autonomous systems work together; developing crowdsourced advocacy tools, managing innovations, teaching data science to Columbia’s international development students, designing probabilistic network algorithms, working as a pyrotechnician, and CTO of the UN’s big data team. Her current interests are focused on misinformation mechanisms and counters; she founded Bodacea Light Industries to focus on this, worked with the Global Disinformation Index to create an independent disinformation rating system, and runs a Credibility Coalition working group on the application of information security principles to misinformation. SJ holds degrees in artificial intelligence and pattern analysis and neural networks.
The number of Unicode code points has never stopped growing, and neither has its integration in modern technologies. Web applications you have developed or used are likely to support input and output in the UTF-8 character encoding.
In this talk, you will learn about the security implications of encoding conversion. Normalizing a UTF-8 string to ASCII-only characters has numerous potential side effects. The latest research affecting Unicode will be summarized, including the HostSplit and HostBond attacks. The HostSplit attack abuses minor character conversions to trigger an open redirect or Server-Side Request Forgery (SSRF). HostBond is a risk affecting service providers that give subdomains to user-created accounts. Aside from normalization, uppercase and lowercase transformations can introduce vulnerabilities. Encoding can be used to circumvent security controls such as Web Application Firewalls. Punycode is the representation used to support domain names with special characters outside of ASCII. This representation can be used to create visual confusion for end users.
While some issues were patched in major software, many risks remain or are likely to resurface. Get ready for a complete summary of everything security professionals should know about Unicode!
Philippe is a security researcher working for GoSecure. His research is focused on Web application security. His past work experience includes pentesting, secure code review and software development. He is the author of the widely used Java static analysis tool OWASP Find Security Bugs (FSB). He is also a contributor to the static analysis tool for .NET called Security Code Scan. He built many plugins for Burp and ZAP proxy tools: Retire.js, Reissue Request Scripter, CSP Auditor and many others. Philippe has presented at several conferences including Black Hat Arsenal, SecTor, AppSec USA, ATLSecCon, NorthSec, and 44CON.
Workshops are first-come, first-served and have a participant limit.
The objective of this workshop is to dive into Capture-The-Flag (CTF) competitions: first, by introducing participants to the basic concepts; then, by helping them prepare for the upcoming NorthSec CTF; and, finally, by helping them evolve in their practice of applied cybersecurity.
We will have easy and medium CTF challenges in several categories (binaries, Web, exploitation, forensics) and we will give hints and solutions during the workshop.
This is meant to be for CTF first timers. Seasoned players should play NorthSec's official CTF.
Olivier Bilodeau Cybersecurity Research Lead, GoSecure
Olivier Bilodeau leads the Cybersecurity Research team at GoSecure. With more than 10 years of infosec experience, he enjoys attracting embedded Linux malware, writing tools for malware research, reverse-engineering all-the-things and vulnerability research. A passionate communicator, Olivier has spoken at several conferences like BlackHat USA/Europe, Defcon, Botconf, SecTor, Derbycon, HackFest and many more. Invested in his community, he co-organizes MontréHack, a monthly workshop focused on applied information security, and NorthSec, Montreal's community conference and Capture-The-Flag.
This talk presents the current knowledge on Direct Memory Access (DMA) attacks aiming to unlock a user logon session. It first addresses how the Input/Output Memory Management Unit (IOMMU)[1] works and how it is integrated into the main operating systems (Windows, macOS and Linux). Then, the existing DMA attacks using an external peripheral on a powered-on computer are explained, with a particular focus on IOMMU bypasses on macOS up to version 10.12.4. These attacks give access to a valid logon session even if the computer is locked. This research was performed in order to prepare the upcoming French RAPID[2] project by Synacktiv: DMArvest.
[1] Only Intel VT-d technology will be discussed in this document
[2] https://www.defense.gouv.fr/aid/deposer-vos-projets/subventions/rapid
A former pentester, I used to play a lot with Microsoft Active Directory infrastructures, on both the defensive and offensive aspects, at Synacktiv, a French offensive security company. I am now in the Reverse Engineering team within my company, focusing on Windows and hardware topics.
Workshops are first-come, first-served and have a participant limit.
This workshop introduces advanced binary analysis concepts that are often required when reverse engineering executables protected by digital rights management (DRM) solutions or malicious software that attempts to hide behavior through code obfuscation and various indirections.
Participants will work on a tailor-made binary that simulates a packed and obfuscated malware dropper and apply the techniques presented to defeat its obfuscation and unpack each stage in order to recover and analyze the final payload. The solution to each stage will be shown and explained in detail. At the end of the workshop, attendees will be able to write emulation scripts using Python and Unicorn engine, use dynamic instrumentation to automate unpacking and perform selective symbolic execution and constraint solving to analyze program behavior.
The workshop will cover the following topics:
A laptop running Linux and the following software is recommended for participants who wish to attempt the workshop exercises:
A Virtualbox image containing all the required tools will be provided at the start of the workshop. If planning to use the VM, it is recommended to arrive early to allow time for copying the files and setting up the computer.
Participants should have a basic knowledge of x86-64 assembly and be comfortable reading C code. Experience in reverse engineering is recommended but not necessary and no prior experience with the presented techniques is required.
Alexandre is a security researcher working for GoSecure. His area of expertise is reverse engineering, binary exploitation and tool development. His previous experience as a software developer covers a broad spectrum of topics ranging from low-level systems and binary protocols to web applications. Prior to joining the research team, Alexandre spent time as an Ethical Hacker honing his offensive security skills. His areas of interest include binary analysis, compiler theory and systems programming. Alexandre gives back to the Montréal infosec community by volunteering his time, contributing workshops and designing application security challenges for events like MontréHack and REcon.
You've built login for your application—and even added 2FA—but what happens when a customer upgrades their phone, loses their device, or otherwise gets locked out of their account? This session will show how to accommodate account recovery when the user has 2FA enabled while minimizing account takeover and support overhead.
At Twilio, we provide a free consumer 2FA service via the Authy App. We've spent over seven years thinking about account recovery, refining the process, and designing our system to balance the support burden with necessary friction. During that time I've tracked dozens of other account recovery procedures to learn how everyone from utility companies to crypto startups attempt to re-verify identity when life happens. This talk will look at that research and outline best practices you can use depending on your industry and customer risk profile.
Security keys and app based authentication are great until the user loses the device but SMS 2FA is too insecure to use as the only account recovery mechanism. Since phone support is commonly used for account recovery, we'll highlight how to build guardrails for your call center agents to minimize costs and delight customers. You'll leave understanding the trade-offs of mechanisms for 2FA recovery (like government ID verification, forced waiting periods, security questions) and debating the value of recovery tokens.
Kelley works on the Account Security team at Twilio. Previously she worked in a variety of API platform and data engineering roles at startups. Her research focuses on authentication user experience and design trade-offs for different risk profiles and 2FA channels. Kelley lives in Brooklyn, is an avid home cook, and spends too much time on Twitter (@kelleyrobinson).
Since 2010 and the Aurora attacks, the infosec community has largely improved the skills, methods and tools available to protect large organizations against targeted attacks by well-resourced adversaries. The same tools and methods are not available to Human Rights Defenders (HRDs) yet we have ample evidence that they face the exact same attacks from the same groups.
Human Rights Defenders very often have a hard threat model: few resources, limited technical skills and a high risk of being targeted by different forms of surveillance. The latest expensive security middle-box won’t help here, and they may be infected by malware listed in your favorite threat feed without knowing it.
Within Amnesty International we have been doing technical investigations of these attacks and tracking several attack groups targeting HRDs for a few years. We are seeing some trends in these attacks, for instance more and more of them targeting smartphones, but also a wider gap between technical levels. We have developed new tools to help identify phishing emails (such as PhishDetect) or to ease forensic investigations during research missions (focusing more on live forensics than cold forensics).
In this talk, we will share technical details of malware and phishing attacks against HRDs, from low/medium levels of sophistication in Pakistan to highly technical attacks in Morocco, and we will see how these attacks are evolving today. We will talk about the challenges of investigating such attacks and the solutions we are developing within Amnesty International to identify and block them. Finally, we’ll see how people in the infosec community can help support HRDs.
Fingerprint scanners have become a default feature on most mobile devices. They give users a sense of security and are usually a convenient way to unlock a mobile device.
But all of this biometric data can be a security risk. Suprema Corp. was in the news earlier this year when it was discovered the company exposed more than 1 million users’ biometric information, including fingerprints and facial recognition data. It is unclear if the data allowed attackers to reconstruct users’ fingerprints, or if any of the data was exfiltrated. Still, this information was sure to be attractive to threat groups.
In July, news broke that China was installing malware on tourists’ phones. So we started to wonder how hard it would be to silently install malware on users’ devices.
We wanted to find out how much time is needed to go from fingerprint scanning to malware deployment on mobile devices. Could it be fast enough to be the equivalent of someone being stopped at the border and having their fingerprints scanned during an interview while their devices are in the “x-ray machine”? Or would it take a couple of hours? In this real-world scenario, time is only important for foreign opportunistic targets. Most countries’ citizens will already have their fingerprints on file, meaning that everything can be prepared in advance. Fingerprint authentication — like other biometric authentication mechanisms — has been broken before. Now that it’s grown in popularity, it’s time to test how to bypass the authentication, and more importantly, test a real-world attack scenario and the level of sophistication needed to execute it. Finally, our research showed that the technology has not advanced enough to be considered generally safe. These practical attacks don’t require state-level resources to be executed; they can be performed by motivated attackers with a budget under $2,000.
Vitor Ventura is a Cisco Talos security researcher. As a researcher, he has investigated and published various articles on emerging threats. Most days Vitor is hunting for threats, investigating them and reversing code, but also looking for the geopolitical and/or economic context that best fits them. Vitor has been a speaker at conferences like Recon Brussels, Defcon Crypto Village and BSides Lisbon, among others. Prior to that he was IBM X-Force IRIS European manager, where he was lead responder for several high-profile organizations affected by the WannaCry and NotPetya infections, helping to determine the extent of the damage and to define the recovery path. Before that he did penetration testing at IBM X-Force Red, where Vitor led flagship projects like Connected Car assessments, Oil and Gas ICS security assessments and custom mobile devices, among other IoT security projects. Vitor holds multiple security-related certifications like GREM (GIAC Reverse Engineering Malware) and CISM (Certified Information Security Manager).
Paul is a security researcher within Talos, Cisco’s threat intelligence and research organization. As a researcher, he performs investigations to identify new threats and presents his findings in publications and at international security conferences throughout the world. He has been involved in security research for 7 years, mainly focusing on malware analysis, malware hunting and more specifically on Advanced Persistent Threat campaigns and rootkit capabilities. He previously worked for several incident response teams within the private and public sectors.
Semantically related objects often get grouped together in memory, and it is about time we take advantage of this in developing software hardening measures. Types can be naturally assigned to regions of memory in a flexible manner. Such types can form the basis of a practical and intelligible access control policy. This observation allowed me to retroactively harden an instance of the U-Boot bootloader, to model the bootloader's intentions and build an access control policy that mediated its behavior.
Typed region-based hardening measures can be applied to other kinds of software to not only protect against low-level memory vulnerabilities but also to help protect and address high-level logic-based attacks (i.e., instances of weird machines).
bx enjoys tinkering with systems in undocumented manners to find hidden sources of computation. She has previously studied the weird machines present in application linkers and loaders, publishing some nifty PoC along the way, but has since turned her focus towards the kinds of loaders that bootstrap systems. bx is currently a senior security researcher at Narf Industries.
What if I told you that you can bring threat modeling into a DevSecOps, CI/CD environment and that you can do it without buying another automated tool? When developers and security professionals alike think about threat modeling, all too often they become obsessed with frameworks like STRIDE, DREAD, PASTA, etc. Threat modeling is predominantly viewed as a heavy-weight, time-consuming exercise that is simply not compatible with high-paced development paradigms. As a result, as organizations shift into DevSecOps paradigms, they commonly scratch threat modeling off their Secure SDLC checklist as simply impossible to implement without breaking their DevSecOps model. They lose sight of the core purpose of threat modeling and as a result are unable to tailor an approach that fits their development lifecycle.
However, the importance of Threat Modeling cannot be overstated. Recent surveys show us how effective Threat Modeling is in developing the culture of shared responsibility for security that is at the very foundation of DevSecOps. In this session, we’ll turn the misconceptions about Threat Modeling upside down. We’ll go back to the core purpose of threat modeling. We’ll discuss which components of threat modeling are most crucial, what questions we should be asking and who should be answering them. Ultimately, this will all culminate in the presentation of an alternative approach to Threat Modeling. We’ll walk through the details of how to implement a backlog-based approach in any development paradigm and demonstrate how leveraging the user story can enable Threat Modeling to be done without affecting our development timelines.
Alyssa Miller (CISM) is a hacker, security advocate, author, professional, and public speaker with almost 15 years of experience in the security industry. She has always had a passion for deconstructing technology, particularly since buying her first computer at the age of 12 and teaching herself BASIC programming. In her career, Alyssa has performed all forms of security assessments, but given her developer background, she has a dedication to application security. She specializes in working with business and security leaders to design and deploy effective security programs that create a true culture of shared responsibility and developer enablement.
Alyssa is also committed to evangelizing security. Not only does she speak internationally at various industry, vendor and corporate events, Alyssa also engages in the community through her online content, media appearances, and security community activism. Her journey through security was recently featured in an article by Cybercrime Magazine. She’s also been recognized in Peerlyst’s e-Book “50 Influential Penetration Testers”. Alyssa is a board member for Women of Security (WoSEC) and co-host of The Uncommon Journey podcast, focusing on the unique stories of security professionals across the community. Finally, Alyssa is an Application Security Advocate for London-based Snyk Ltd.
Imagine a scenario where data is only kept on hard drives or disks you own. Welcome to 1999. Back then, cryptographic keys were secured only by hardware - that, for the most part, worked well. In 2019, hardware is still standard – even with the widespread adoption of cloud services and critical data stored on IoT devices. So why are we stuck in the past? This presentation will explore:
• Why hardware fails when faced with rapid changes, e.g. development process, regulation, and new security and privacy needs
• The future of cryptography – as software-defined
• Multi-party computation (MPC) for flexible, scalable key management
Yehuda Lindell is a professor at Bar-Ilan University in Israel and the CEO of Unbound Tech. Yehuda attained his Ph.D. at the Weizmann Institute of Science in 2002 and spent two years at the IBM T.J. Watson research lab as a Postdoctoral fellow in the cryptography research group. Yehuda has carried out extensive research in cryptography, and has published over 100 conference and journal publications, as well as one of the leading undergraduate textbooks on cryptography. Yehuda has presented at numerous international conferences, workshops and university seminars, and has served on program committees for top international conferences in cryptography. In addition to Yehuda's notable academic work, he has significant industry experience in the design and deployment of cryptography in a wide variety of scenarios.
As the world prepares for the advent of quantum computers, the security community must also prepare to defend against them: most of the cryptography in use today succumbs to quantum attacks. I'll present recent progress in the development of quantum-resistant cryptography, its (2nd round of) standardization by NIST, its implementation in our Open Quantum Safe project, and results from our recent experiments integrating and benchmarking it in TLS, SSH, and VPN. Last year’s work allows developers to start experimenting with post-quantum cryptography to protect encrypted data that could be recorded today and decrypted with a quantum computer within a decade; I'll conclude with guidance to help such efforts.
I am a crypto specialist in Microsoft Research's Security and Cryptography team. I’m currently involved in projects related to post-quantum cryptography, such as the Open Quantum Safe project. I’m also leading the development of the U-Prove technology. I’m also interested in privacy-enhancing technologies, smart cloud encryption (e.g., searchable and homomorphic encryption), and the intersection of AI and security. Prior to joining Microsoft in 2008, I was the Chief Security Engineer at Credentica, a crypto developer at Silanis Technology working on digital signature systems, and a security engineer at Zero-Knowledge Systems working on Tor-like systems.
This IDA plugin instruments the binary using the DynamoRIO framework. It can resolve most of the dynamic values for registers and memory locations which are usually missed in static analysis. It can help to find jump targets (e.g. call eax) or interesting strings (e.g. “PE”) which are decoded at runtime. You can also instrument the binary so that it dumps interesting buffers, and last but not least you have several options to patch the binary at runtime to avoid anti-analysis functions.
The talk will first describe the basics of the DynamoRIO instrumentation framework and then the capabilities, architecture and features of the plugin, followed by a live demo. The plugin can significantly reduce the time needed to analyze malware samples.
Holger works for Cisco Talos, the threat research organization of Cisco. Our goal is to find and reverse engineer new, unknown malware campaigns. My team uncovered attacks like NotPetya, WannaCry, DNSpionage, SeaTurtle and many more. I frequently present at internal and external conferences, for example: Microsoft Digital Crime Consortium (DCC), Google Annual RE Meeting, FIRST, ISC, 4th International Conference on Cybersecurity and Privacy Balkan, BSIDES Munich, SecIT Germany, CiscoLive and more.
Workshops are first-come, first-served and have a participant limit.
While security awareness and collective experience regarding the Cloud have been steadily improving, one common difficulty is applying theoretical knowledge to real-life scenarios. The workshop’s goal is to help attendees bridge this gap by understanding how conventional technologies integrate with Cloud solutions. Attendees will experience first-hand how security vectors that exist in such ecosystems present opportunities for compromise.
The workshop will include:
The scenarios are based on NCC Group's research, incident response experience and on the knowledge acquired through countless cloud assessments carried out every year.
Attendees will be provided access to instances with all the required tooling. All they need is an SSH client to access the instances.
Attendees should have some experience with a major Cloud provider (AWS, Azure, GCP), and be proficient at assessing the security of applications and infrastructures (not necessarily cloud hosted).
Xavier is a senior security consultant at NCC Group, with experience in both academia and the private sector. He has worked as a developer, security researcher and consultant. Xavier currently spends most of his time focusing on application and cloud security, as well as driving the development of Scout Suite (https://github.com/nccgroup/ScoutSuite/), an open source multi-cloud security-auditing tool.
Xavier holds the AWS Certified Security – Specialty, Offensive Security Certified Professional (OSCP), Offensive Security Certified Expert (OSCE) and Offensive Security Wireless Professional (OSWP) certifications.