TBD

Mobile devices are part of every enterprise threat model – they are desirable targets, unmanaged and tough to protect. We use them for MFA and to access company resources, on top of personal use. But one compromised device is enough for the attackers. In this talk, while guiding you through the mobile kill chain, I will demo the potential impacts of a vulnerable device – exploitation, financial fraud, stealing credentials protected by MFA, lateral movement, you name it. More importantly, I will show how we can detect adversary tactics in time using centralized threat protection.

Golang is Google’s open source programming language which in the recent years gained popularity among developers. As usually, it is not only used for good purposes, but it attracted the attention of malware developers as well. The fact that Go supports cross compiling to run binaries on various operating systems makes it a tempting choice for IoT malware attacks.
In this talk, we will introduce IoT malware families written in Go. Through some examples we will discuss the unique features of Go binaries and give tips on how to reverse engineer them using Ghidra. We will share our Ghidra scripts that we use during reverse engineering Go binaries.

Fuzzing over the ages has improved in tooling, logic, and process, but is still a number-crunching problem! You are improving your odds by throwing more CPU power at it.

How do we make it happen without hacking through custom solutions that cannot be reused? Enter FuzzCube – Batteries Included! (supports scaling AFL and libFuzzer ) It leverages Kubernetes for its infrastructure orchestration capabilities. Using Kubernetes, we abstract the complexity of deploying a fuzzing infrastructure with distributed high throughput workloads, fault tolerance, storage orchestration, and high scalability. We will practise distributed fuzzing in the era of Cloud Native Computing and use our new skills to find some 0days 😉

During this lecture Eddy Willems will take you inside the dark world of some specific spyware: stalkerware. Why is stalkerware so special or isn’t it? Is this a new phenomenon? Eddy will guide you through the most common features of stalkerware. Is it easy to install? What are the differences between spyware and this kind of malware. How do the companies who create this software advertise themselves? Is it really legal? Eddy will show you a couple of examples. What are the technical challenges for the security industry? What can you do about it? What if your husband, wife, boyfriend, ex-lover or even father is using it against you? If you care about your privacy this lecture is a must. If you want to know more about spyware this lecture can open your eyes even more.

With the explosion of IoT, there goes hand in hand also an explosion of threats that traditional methods of protection are not able to detect. Security reduces to matter of trust. What do we know about how the device has been manufactured, which components are involved, where did the cloud solution came from. On the epic fail of GPS trackers security and a few others, I’ll demonstrate how big the problem is. How white labelling mainly of Chinese products makes supply chains opaque and messy. And if you think that can happen only in China I’ll prove you wrong.

Research attacking ML-based image classifiers is common, but it is less frequent to see a study on how someone can bypass ML-based malware detection.
In 2019, we organized a contest where participants had to modify Windows malware in a way where the provided three ML engines do not detect it. However, the modified sample is still functionally equivalent to the original binary. As it turned out, it is not that hard to come up with a generic solution which can bypass all three engine. In this presentation, we will discuss the details of the contests from 2020 and 2019, some of the techniques used by the participants (packing, overlays, adding sections), and information on the defensive tracks.

Google has changed Android runtime drastically each time a new version of Android is released to optimize the performance, storage usage, and system updates of apps. Since the latest version of Android 10, profiling data is generated based on the user’s behavior in ART (Android Runtime). The byte code is optimized (Profile-Guided optimization, Cloud Profile optimization) by the compiler (AOT/JIT). ART also interprets and executes different types of code (byte code, oat code and jit code) generated by the compiler. Such complexity in the structure and operation method makes ART difficult to understand correctly. However, since all the code of the app is interpreted and executed through ART, if the attacker understands how ART works, it is possible to steal all the information necessary to analyze the app. Therefore, in this paper, we analyze the flow and structure of how app codes are interpreted and executed by objects existing inside Android 10 ART. Then, after modifying the ART based on the analysis results, we develop a framework that can steal information in real time, such as code, interface, parameters, return value, fields and stack trace of a method that is executed dynamically. In addition, we present an easy technique to effectively analyze the app without accessing the execution code by using tools such as decompiler or disassembler.

While doing security research on macOS PrivilegedHelper tools I found that most of them are vulnerable to privilege escalation, or allows unauthorised clients to perform the privileged action even without interacting with the original client application. This poses a general risk to macOS users. In my talk I will explore all the little pieces, that if missed will lead to vulnerable applications. Examples / demos will be shown for all of them.

Agile enterprises are constantly facing new challenges when it comes to embedding security in the CI/CD DevOps processes. One of the main pros of adopting DevOps is gaining speed but that does not always match with having thorough security checks, especially when those checks are performed manually for each release/build.

How does the new deploy affect the exposure of the environment where the application running?

– New binaries
– New logging mechanisms
– New log files
– New monitoring
– New permissions
– New configurations
– New secrets

How do we make sure that the environment is safe and does not introduce new privilege escalation vulnerabilities for example?

Answering these questions for each machine in a landscape of thousands of VMs, images and IP addresses is not an easy manual task.

In this talk we want to share how we solved the issue in a large agile organization like ING, and present our framework and tools to automate infrastructure testing in a CI/CD environment built on top of Ansible and STRIDE.

Key Highlights

-Why soft skills are essential for business
-The connection between leadership + emotional intelligence (EQ)
-3 soft skills techniques that improve communication immediately

Description

Based on his 2020 TEDx Talk in Laie, Oahu, “Saving Soft Skills From Extinction,” Scott teaches audiences how to model soft skills to the next generation producing better communication and performance in the workplace.

Today’s communication is no longer limited to simple IP telephony using deskphones on an office desk.
Rather, one encounters again and again buzz words unified communication, SIP trunking, online conferencing, anywhere workplace, E2EE etc.
In my presentation on penetration testing of communication systems I will show you how these increasingly complex scenarios are tested for weaknesses and security issues.
We will decrypt encrypted conversations, redirect media streams and attack communication systems from the public Internet.
In addition to attack techniques and methods, you will also get to know suitable recommendations for the protection of communication systems.

I’ve done more than 50 security awareness workshops for software developers, for several different organizations, from a bank to software as a service companies. During this time I’ve heard plenty of stories about the current application security problems they face and their attitude to cope with those problems. I chose the most popular ones and would like to share the developer’s experiences in a nutshell, answering the following questions:

What are common problems, misconceptions and how to approach them?
How to talk to developers about application security?
How to find common ground for software developers and security department?
How to start adding security to software development lifecycle or improve what you have now?

Based on real cases from various companies, the audience will learn how to improve application security in their companies.
Better learn from someone else’s mistakes, without making them yourself.

Paratroopers, tanks and planes included!

ATTPwn is a computer security tool designed to emulate adversaries. The tool is focused to bring emulation of a real threat into closer contact with implementations based on the techniques and tactics from the MITRE ATT&CK framework. The goal is to simulate how a threat works in an intrusion scenario, where the threat has been successfully deployed. It is focused on Microsoft Windows systems through the use of the Powershell command line. This enables the different techniques based on MITRE ATT&CK to be applied. ATTPwn is designed to allow the emulation of adversaries as for a Red Team exercise and to verify the effectiveness and efficiency of the organization’s controls in the face of a real threat.

Stuxnet is a computer worm, which emerged during the summer of 2010 to infiltrate numerous computer systems. The worm is a military-class cyberweapon that was used to launch a destructive attack against Iran nuclear centrifuges. Stuxnet operates in three main steps by analyzing the targeted networks and computer systems to gain access to the automated program logic controllers. Having infiltrated these machines, Stuxnet began to replicate itself continually.
Although there have been a large number of public articles and talks regarding Stuxnet, during our analysis we have noticed some critical details about the virus’s code and its functionalities that have not been exposed before. In this talk, we share the result of our in-depth malware analysis by achieving the original source code of Stuxnet. Our analysis sheds light on some untold aspects of the worm that can provide new insights for security communities on a specific class of military super viruses.

The talk describes an adventure in hacking the Hacktivity 2019 badge, trying to replace the embedded micro-Python with a standard Arduino development environment. The steps followed in this adventure are:

– how to brick the device using the Arduino development environment loading a not functioning sketch and destroying the existing firmware

– reverse-engineering the device schematic using:

– visual inspection of the two-layer PCB

– using a multi-meter

– searching information on the Internet

– using GIMP to follow PCB traces on the two PCB layer images

– using the Arduino development environment to load sketches on the ESP32

– loading a bootloader to the ATSAMD21G16B to bring back the USB interface, using a J-Link mini EDU interface and the JLink.exe software

– failing to load an Arduino sketch to the ATSAMD21G16B arm MCU

– using the unpleasant (and Windows only) Atmel Studio to write and load a firmware to bring back the USB/serial interface, read the touch buttons, drive the LEDs and talk to the ESP32

– finally enabling the Arduino development environment with the Hacktivity 2019 badge

Smart contracts have extensive applications in various emerging domains such as IoT, 5G networks, and finance. In this regard, the Ethereum platform has provided the capability of running smart contracts on its distributed infrastructure. Ethereum smart contracts are small programs that describe a set of rules for the supervising of associated funds, often written in a Turing-complete programming language called Solidity. Ethereum is also one of the most extensive cryptocurrency currently next to Bitcoin. This provides an extraordinary opportunity for cybercriminals to exploit potential zero-day vulnerabilities in the Ethereum ecosystem that are tightly twisted with financial gain.
In this talk, I will introduce a practical approach for fuzzing Ethereum smart contracts. My method works based on the combination of dynamic taint analysis and concolic testing on the bytecode. I implemented this technique in the Rust programming language with the help of an instrumented Ethereum virtual machine, which is called Parity.
To demonstrate the usefulness of our approach, I analyzed the tool on 1,000,000 real-world smart contracts available online on the Ethereum blockchain. As a result, my tool could successfully generate 170,849 out of 207,412 critical execution paths in a real-world benchmark suite.

I call wireless networking technologies invisible threats. They can be carried out easily and their effects can be very high.There are attacks that can directly affect users, institutions and sometimes devices.

In this talk, I will explain how we can fight against invisible threats and we will answer a question: What’s going on in the air?

Ever wondered your presence exposed to an unknown entity even when you are promised for full security and discretion in a hotel? Well, it would be scary to know that the hospitality industry is a prime board nowadays for cyber threats as hotels offer many opportunities for hackers and other cybercriminals to target them and therefore resulting in data breaches. Not just important credit card details are a prime reason, but also an overload of guest data, including emails, passport details, home addresses and more. Marriot International where 500 million guests’ private information was compromised sets for one of the best examples. Besides data compromise, surgical strikes have been conducted by threat actors against targeted guests at luxury hotels in Asia and the United States. The advanced persistent threat campaign called Darkhotel infected wifi-networks at luxury hotels, prompted the victim to download the malware and thus, succeeded in specifically targeting traveling business executives in a variety of industries and all its prevalence seems to have no end yet.

For a broader look, this time a popular internet gateway device for visitor based networks commonly installed in hotels, malls and other places that provides guests temporary access to Wi-Fi was examined. To see, how the guests and the hotels both have a serious stake in this, we will discourse about the working of guest Wi-Fi systems, different use cases and their attack surfaces: device exploitation, network traffic hi-jacking, accessing guest’s details and more. Common attacks and their corresponding defenses will be discussed. This talk will contain demos of attacks to reveal how the remote exploitation of such a device puts millions of guests at risk.

Phishing techniques from the latest ones to the oldest tricks in the book that still work. Even if you have spent a lot of resources on software and hardware based protection, you are still not addressing the human factor. In this technical talk we will look into how hackers can be effective in phishing attacks and see if some very old techniuqes can still be used in modern systems. Topics include spear phishing, making users run executables (well, that souldn’t work in 2020, right?), a look into macro based attacks (most AVs find them, or not?) and the more rarely discussed vishing/smishing (techniques, SIM cards, fake/cloned numbers).

Phishing techniques from the latest ones to the oldest tricks in the book that still work. Even if you have spent a lot of resources on software and hardware based protection, you are still not addressing the human factor. In this technical talk we will look into how hackers can be effective in phishing attacks and see if some very old techniuqes can still be used in modern systems. Topics include spear phishing, making users run executables (well, that souldn’t work in 2020, right?), a look into macro based attacks (most AVs find them, or not?) and the more rarely discussed vishing/smishing (techniques, SIM cards, fake/cloned numbers).

This white paper outlines the plenary mechanism of automated account takeovers (ATOs), while treating cybercrime as a fully functioning, profit driven business industry. Based on an extensive literature review, the paper analyses the constituent players and components of automated ATO attacks, their implications on the businesses, tech companies and victims, as well as the financial ramifications of the attacks. Taking a multifaceted approach to the issue, the paper initially examines the current environment cultivating automated ATO attacks and the prevalence of credential stuffing attacks, establishing cybercrime as a business operating with the principles of maximizing ROI. Then from a technical standpoint, the bad bot element is further scrutinized along with the technological evolution of the attacks and the evasion methods of cybercriminals. Lastly but not least, from a rather financial angle, the paper delves into the means of capitalization of the ATO attacks benefitting not only the criminals but also the diverse players of the cybercrime industry, while analyzing the facilitating services for the criminals. Finally, the conclusion remarks and recommendations are presented for tech leaders and cybersecurity industry as precautionary and ameliorating measures that can be taken to combat automated ATOs.

The initial section aims to identify the reasons behind the ubiquity of the automated ATO attacks in the digital status quo by analysing the relevant literature and statistics on users’ digital behavior patterns, password hygiene awareness and management/storage methods as well as the technology providers’ contribution in making automated attacks lucrative for cybercriminals. It is discussed that, user tendency of reusing or minimally altering the same password in different digital platforms as well as the predictability of different demographics’/age groups’ digital behavior patterns instigate mass scale automated credential stuffing attacks and increase the turnout of the automated attacks via acute client pool segmentation, respectively. Moreover, the technology firms’ hesitance to mandate 2FA for their account logins due to the dilemma of finding the optimal equilibrium between UX and security inadvertently assists the automated ATO attacks, enlarging the attack surface of vulnerable accounts.

Secondarily, the paper addresses the bot facet of the ATO attacks from a rather technical standpoint. The innovation in technology is rapidly adopted by the cybercriminals to add further layers of sophistication beyond automation level 2 and eliminate the burdensome human tasks of traditional manual attacks. The paper examines the utilization of artificial intelligence for deception and detection evasion; accurate simulation of victims location via rotating VPN, secure VPS, RDP servers or secure proxies, as well as how doppelgängers are employed to mimic the victim’s digital behavior patterns and device fingerprint. Furthermore, It is inspected that, through deception created by storytelling, criminals can leverage the alert fatigue by having the bad bots’ activity perceived as ‘white noise’ or false positive by SecOp analysts who may overlook the critical issues. Lastly but not least is the supplementary capabilities of the bad bots, which require relatively complex complex automation techniques, discussed in the paper such as creating synthetic identities for new pseudo legitimate account creation and aging those accounts by making false transactions and even opening virtual credit cards to do so.

The tertiary focus of the paper is on the financial compensation of the criminals once an ATO is attained, examining the components of the end-to-end money trail from cashing-in to cashing out. The most straightforward way to capitalize on an account is changing the credentials of the account immediately after the ATO to impede a potential ATO from rival criminals and selling the account with pertaining victim information or holding the victim to ransom. A riskier option with higher ROI on the risk for criminals is accustoming themselves with the victim throughout nesting period, until the account is ‘mature’ enough for a strike such as taking unsecured loans and making wire transfers and ACH payments. On the other hand, the criminal may opt to keep the account as ‘money mule’ to conduct illicit money trafficking/laundering by offering compensation to the account owner. The paper further delves into the facilitating parties of these undertakings; such as criminal brokers providing credentials for a periodic fee and commissioned escrow services providing credential quality assurance while serving as a financial guarantor for the transactions. It is noteworthy to mention the challenges against cashing out the criminal earnings, hence the criminals have to not only follow the static restrictions but also be equipped with acute regional and international money laundering regulations to minimize their chances of being issued a suspicious activity report.

The conclusion remarks of the paper serves as recommendations for tech industry to reduce their user accounts’ vulnerability to automated ATO attacks. The initial point mentioned is to tailor the user authentication experience to be an adaptive, continuous process by effectively combining 3 types of MFA with respect to the relevant business processes and requirements, while prioritizing the UX along with minimizing the security risks. Secondarily, the paper recommends to avoid the ‘assume breach mentality’ and to grasp the potential gaps and threats as well as the risk posture of the organizations by data driven analysis, hence identify what is crucial to protect. Final recommendation of the paper is on raising user cybersecurity awareness to secure their accounts with sufficiently complex and unique passwords.

Do you know that it is possible to create glasses to bypass facial recognition system? The use of facial recognition technology is on the rise, and you can find it in different areas of human activity including social media, smart homes, ATMs, and stores. Recently, researchers have discovered that deep learning algorithms are vulnerable to various attacks called adversarial examples. Our client, a smart home solution provider, asked us to test software and hardware to reveal a real threat or academic research and select the most secure solution available on the market.
Here is the way we conducted the security assessment. Facial recognition systems have their specific deep learning models. The systems usually work in the physical environment, and their attack surface differs from the digital one presented in research papers. Furthermore, all examples of attacks and defensive measures were given for various models, datasets, and conditions. It does not help to understand the real situation even if you examine approximately 100 research papers on this subject.

To test properly, we’ve composed our own attack taxonomy to check the effectiveness of the recent approaches to attacking facial recognition systems. I will present our research conducted in the real environment with various cameras and algorithms and show how to protect production systems from this kind of attacks.

As cyber threats become more intense and taken seriously, companies in the financial services industry face constant pressure to make their activities more agile and digital, and to guarantee an ever-higher level of security and compliance.
The ambition behind DevSecOps standard practices is to integrate security into DevOps so that businesses can accelerate the speed and frequency of software releases without compromising controls or increasing risks.

This presentation will focus on the technological aspect of a good DevSecOps integration with an example of a stack implemented in the financial services sector in Luxembourg including secrets management segregation, automated code analysis, vulnerability assessments, automated CI/CD pipelines with built-in security controls, automated penetration testing.

The presentation is an analysis of the threat landscape posed by the emergence of 5G technology. With the omnipresence of mobile technology and the need for telecommunication providers to roll out highly volatile technology or fall behind possibly forever, the speakers will discuss the benefits of leveraging an “attacker-perspective” when conducting a threat landscape assessment for the roll out of 5G technology. Utilizing their combined experience in cybersecurity working within telecommunication organizations, they have applied a combination of open and closed source research to create a picture of the likely relevant threats, actors and their TTPs, who would target an organization deploying 5G. They have then mapped each actor separately in the MITRE ATT&CK framework, combined them with an exposure/likelihood weighing, and mapped them back to the organization’s cyber defences, to create a “Master Matrix”.
This matrix is designed to help technology leadership gain ‘big picture’ visibility on the threats facing their remit, make focused, tactical decisions on new investments, and better align red and blue team resources to cover the most critical areas of the digital landscape.

No one knows where it came from, but it is spreading like a disease: blocking paste functionality on online password forms. There is no explanation, no research, just a typical “this is for your security…”. And yet, all this is in the age of almost defeating the threat of weak and reused passwords by adopting password managers.

Some try to fight back: Firefox, for example, allows users to disable the block by completely turning off paste notifications. However, this is like cracking a nut with a sledgehammer, as there may be many other legitimate use-cases for sites to handle paste events.

There are also some browser plugins: they go as far as scanning the whole DOM and removing the blocker code or injecting passwords directly into the page. But these come not without risks: unveiling passwords and full browsing history to third-party applications (which, by the way, have full network access). Also, users are limited in the choice of their browser, as these plugins are often not portable.

It feels a bit wrong when a website (or anyone else) decides what users can or cannot do on their computers. However, there is hope: instead of fighting paste blockers, why not just provide the password in the “natural” way they expect—by typing it in. But the typing will be done by the user’s operating system, rather than the user: the OS can automatically type a very complex password from any password manager for the user. And paste blockers can never block it—because this is the only way they should allow the password to get in, by design. These ‘Paste Wars’ are over: introducing a simple tool, which can type in complex passwords and restore users’ rights to paste!

Chinese phones are cheap only if your privacy is worthless. With the advent of low cost techonology, phone manufacturers started getting their profit margins from other sources. One such manufacturer is Xiaomi, which sells incredible phones at eye watering prices. Don’t be deceived though, because purchasing such devices also giving up your rights to digital privacy. I’ve dwelved into the rabbit hole in order to expose a company that not only wants your money, but also the entire history of you.

We all know how important web security is because it protects our personal information across the internet. Typically when a request is sent to a server to get access to private information, there is some kind of access token included in the headers. That authorization request is usually someone trying to sign in to one of their accounts.

Usually we create an access token to send back when their credentials are confirmed in the form of a JWT or some other encrypted key. This is the normal authorization workflow and for the most part it works well. The problem is that there are a few cracks starting to show in this flow. That’s what PKCE is here to fix.

Developers of IT systems have known for a long time that there is still one more bug to be found – or at least this is often humorously attributed to various IT products, no matter whether they are soft-, firm-, or hardware.

In this talk, SySS IT security expert Matthias Deeg shows that this assumption is sometimes very true, using the example of a wireless alarm system and its accessories, in which yet another security vulnerability could been found over the past few years – more than once.

Based on various concrete vulnerabilities of different types, practical experience gained in penetration tests as well as research projects at SySS regarding the security analysis of radio-based systems will be presented, and the following three descriptive attacks will be demonstrated on a revisited wireless alarm system:
1) Rolling code attack
2) Proximity key cloning attack
3) Reactive jamming attack
4) Sniffing attack
5) Spoofing attack

Demonstrate differents kind of structures in the binaries as a PE (header and your sessions) , ELF (header and your sessions), PDF(header/ body/cross-reference table/trailer), explaining how each session works within a binary, what are the techniques used such as packers, obfuscation with JavaScript (PDF) and more, explaning too about some anti-desassembly techniques, demonstrating as a is the action of these malwares and where it would be possible to “include” a malicious code.

Today all vehicles are connected through V2X technologies. All manufacturers are coming with new technologies which can be added technologies for Vehicle industries like Fleet management systems, diagnosis toolset etc. These systems are from third-party vendors which are still in a vulnerable state. So addressing their weakness requires specific skillset in cybersecurity as well as attack mitigation of vehicle industries. Mitigation part (Making ADS) requires huge and niche expertise in vehicle industries. No one show, how to mitigate these vehicle attacks through ADS systems in any conference. In this talk will show you how to make ADS (Anomaly detection system) to mitigate vehicle cybersecurity attacks against CANBUS and LIN protocol.

I want to play a game… What is a number of assets in your organization? How many of them you have recognized and how many of them are under VM Process? What is your main focus for remediation (patching) and what is out of the radar? Do you know your overall threat landscape? Do you want to know the real one? 🙂 Finally, how to convince C-Level Executives to follow your recommendations and to allocate a serious budget for this area?
Let’s crack it together!