“Hack the planet!” was the battle cry. Now, years later we are grasping to get the message across that we are not the enemy. Security has been laboring in the shadows for the last couple of decades trying to gain the visibility and respect that it has craved and deserved. Like that wretched-looking dog who would chase the car down the laneway every morning, we continually try to get that prize. Now, security has become that dog with one small difference. We have managed to catch the car bumper at last and much like the confused look on that dog we’re struggling with what to do next. Conversely, businesses and governments are trying to understand that value proposition that hackers bring to the table. For years they have worried about the sharks in the water all the while missing the threat posed by the ocean.

One of the lesser known but critical attack surfaces in modern x86 based computing systems are the highly privileged proprietary out of band management controllers such as Intel’s Management engine and AMD’s Platform “Security” Processor. Public research into the depths of these systems is scarce because of the nature of them being highly complex hardware based devices. Fortunately, thanks to the countless hours of effort that researchers put into it, a method was discovered to disable Intel’s ME via an intentional but undocumented kill switch called the HAP bit. This kill switch worked decently for a lot of devices, however the latest motherboards based on the Cannonlake H chipsets were different. In this talk, I will guide you through my reverse engineering efforts that allowed me to find the new position of the kill switch in the ROM and therefore add support for these new systems into the me_cleaner project.

Modern vehicles are equipped with Tire Pressure Monitoring System (TPMS) – a system that alerts the driver when the tire pressure is inappropriate. TPMS broadcasts an unencrypted data stream at known frequencies and has already attracted the attention of security researchers, who demonstrated the ability to spoof the transmission and cause an alert.

However, while previous research concluded that the worst case scenario would be forcing the driver to pull over for inspecting the vehicle – and by that facilitating some other illicit activities such as robbing or kidnapping – we will demonstrate a specific scenario which, using already-published research, could cause driver distraction, theoretically resulting in an unsafe driving scenario.

In this talk we will quickly go over the TPMS, show how to research it using Software Defined Radio and reach spoofing capabilities, and end by showing a proof of concept for our attack scenario.

*** Clarification: This is research in progress. ***

The combat to discern what if news are real or not has already begun. Generating fake content has never been so easy.
Artificial Intelligence has become a useful resource to apply techniques for an easy generation of non-legitimate content.
These new tools have become a threat for Fake News, phishing campaigns and cunning fraud strategies generation.

In this talk, the most extended techniques for the generation of deceitful content are explained from both technical and practical approaches.
The capabilities of the state-of-the-art generative models (i.e., Variational Autoencoders and Generative Adversarial Networks) will be exemplified by means of a Chief Executive Officer fraud sample generation, including fake images generation and custom voice production.
Additionally, considering the big amount of fake content society is currently exposed, different Machine Learning techniques to reveal spurious contents will be also presented.

Most health and fitness apps like many other apps, in general, collect a variety of personal data, sometimes non-fitness apps tend to have access to iOS/Android built-in health app. These apps are supposed to be designed to minimize their potential for harm due to if they fail to do this even. There is no specific security legislation that shields consumer information from attack by third parties. Thus, apps usually have inadequate security arrangements, and app’s agreements often contain wrong descriptions.
More issues come from cloudy data, while companion devices’ apps gather information from multiple sources itself, the other health and fitness applications increase the quantity places where data stores including app-to-app data transfer and cloud export (iCloud, google drive, Dropbox, OneDrive, etc.) The far from the companion app, the more insecurity we have in fitness apps that do simple things while having powerful ‘read’ access to built-in health app and an ability to copy these data or directly access the wearable stuff.
The top sport, workout, fitness apps with built-in health apps were analyzed to see what problems they have to understand the overall health and fitness app security status better. It is essential to know how developers secure health information and how much of that data is available to third parties. Third party tools based on forensic techniques or forensics tools itself might have access to data bypassing the device and credentials. As such tools have comprehensive experience put into a tool code, you clearly understand what risks you have, what and how much data may leak and how better to build your security use cases to reduce discovered risks. Eventually, the results can be used as a comprehensive guide to assist app developers in producing legally compliant apps and in keeping with high professional standards of user protection.

Malicious actors on the Internet are progressively using cryptocurrencies and digital forms of money to facilitate cyber crime.
This presentation will walk you through an example case and show how to do forensic analysis of various transactions, identifying links and similarities, profiling and tracking crime using cryptocurrency, unmasking and identifying wallet provider, find IP addresses, explore Dark-net and Illegal marketplaces, search suspicious operations and follow the transaction and money trails. We will also look at how we can find traces in decentralised crypto currency exchanges (DEX) and link it to the actual cyber crime.

The story of hacking a pacemaker.
Two IT security specialists analyzed pacemakers and found some vulnerabilities.
Tobias has received first hand information on this attack and is going to share them with us in his presentation.
No matter, if you have a pacemaker or not .. your pulse will rise when you see, what’s possible.

History repeats itself. All the time. If we learn the lessons from the past and be mindful of what has already happened within the science of hacking, we can move forward, spending time and energy on creating new technology and techniques, and advancing the field. But we must never forget the instructive lessons of the past.

Our hacking journey will start with blue and red boxes and bypassing the “one phone call” restriction. More than 50 years later you can hack smart vending machines with similar techniques. Technology may have evolved, but hacking concepts remain the same. Bulletin Board Systems were the first places to share information about hacking. But they weren’t merely the place to share information – they were themselves the target of hacking. A ZIP vulnerability was widely exploited to hack BBSs. In 2018 the same hack was reinvented and overhyped.

The concepts of the ancient +++ath0 modem hack will be covered.
The Morris worm from 1988 was as sophisticated as worms like NotPetya from 2017.
Besides old school hacking, I will cover topics like Gopher, Usenet, IRC, Fluxay and ezines.
You can learn how to pwn a misconfigured Windows 95 and achieve interactive remote code execution on it.
A Metasploit module will be released so that you can pwn Win95 during your red teaming exercises.

The talk will revolve around us red-teamers testing and penetrating into Banking, Mobile wallets, and Non-Banking Financial applications. We will cover bugs not only in payment gateways and frameworks but also in applications that fail to implement them properly. This will include bypassing AES encrypted requests, logical bugs in numerous banking applications we tested. We will talk about techniques using which we were able to make recurring deposits in our account which get debited from victim’s accounts, view statements of arbitrary accounts, buy products for free, pay loan installments for free, pay credit card bills for free, make online recharges from victim accounts, regenerate ATM pins of bank accounts at mass among numerous other exploits along with real-life case studies, patches, and recommendations .

“Last year was / This year is the toughest year in cybersecurity. We are dealing with threats never seen before.” – said every year. But is it true? Does the attackers put the bar higher every year? Does “the worst cyberattack in history with unmeasurable casualties” and the discovery of “the most widespread vulnerability ever” really occur annually?

In this talk, we are doing a retrospective at several years of information security – review some of the biggest threats, hypes and fails. For newbies, this talk will deliver a of the best/worst moments in infosec history, which could make you laugh, facepalm, or both. For those who are veterans in the field, these stories might bring some sweet tears of nostalgia and joy or unearth bittersweet memories of events that turned some of their hair gray.

Activists, journalists and human rights defenders are in hostile environments and in constant danger as they deal with sensitive information. They are often exposed to targeted and sophisticated attacks.

We designed the Emergency VPN which allows us to help people in danger by analyzing their mobile traffic. This way we can identify if a device is infected or find its vulnerabilities that may put the user at risk. However, the biggest challenge for the network analyst is to quickly and accurately detect malicious encrypted traffic. The speed of the analysis is a critical factor in this work.

To improve the speed of the analysis of HTTPS traffic, we combine specific features extracted from HTTPS traffic with state of the art machine learning methods. In this talk we will show how this combination allowed us to increase the efficiency and accuracy of Encrypted traffic analysis of people at risk. In a live demo, we will demonstrate a detection of malicious traffic in a mobile device.

“Hack the planet!” was the battle cry. Now, years later we are grasping to get the message across that we are not the enemy. Security has been laboring in the shadows for the last couple of decades trying to gain the visibility and respect that it has craved and deserved. Like that wretched-looking dog who would chase the car down the laneway every morning we continually try to get that prize. Now, security has become that dog with one small difference. We have managed to catch the car bumper at last and much like the confused look on that dog we’re struggling with what to do next. Conversely, businesses and governments are trying to understand that value proposition that hackers bring to the table. For years they have worried about the sharks in the water all the while missing the threat posed by the ocean.

In this talk we will review several ways that avoids a Gatekeeper check. According to Apple these are by design, and not bypasses, still plenty of way to execute code on a macOS system. We will also see how the new macOS Catalina changes these.

BlackEnergy/Sandworm is a well-known group operating at least since 2010 and famous, among other things, for its attacks on industrial control systems. It received much media attention in 2015, after an attack on a Ukrainian power grid company, which resulted in power blackouts in several regions. Although the group remained under the radar for a while, it caught researchers’ attention again last year. Even though their toolset had completely changed over time, certain techniques remained the same, specifically the use of exploits for various software vendors’ products, including SCADA systems.
One specific zero-day vulnerability in a popular SCADA system, which the group exploited for several years to attack industrial organizations, remained unknown and the Kaspersky Lab ICS CERT team investigated a possible attack scenario. We would like to tell you about the exploitation of the possible zero-day vulnerability in the vendor’s software and reconstruct the attack by showing a live demo.

On Windows systems, users can be given special privileges. Some of these, if appropriately abused can lead to elevation of privileges to become SYSTEM.

In this talk, I will explain what the privileges and tokens are, how to get them, and based on their characteristics, identify some possible paths for Privilege Escalation via “Windows Privilege abusing” & “Token manipulation” .

Particular attention will be devoted to the privileges “SeImpersonate” and “SeAssignPrimary” which, combined with the “Rotten Potato” exploit and our subsequent research, the “Juicy Potato”, have proved to be “Golden Privilege”

Nmap is a well-known software tool used widely by ethical hackers and network engineers. With its ability of active discovery, revealing hosts on the target network can be a piece of cake.
However, what are the possibilities, if our target sits on a type of network that behaves in a totally different manner from the comfortable world of Ethernet? How do we discover a network where there are no source addresses, no destination addresses and no traditional acknowledgement? This sounds strange, right? Well, what if I told you that you use this network every day.
The ever-more-complex electronic systems within cars today still mostly rely on the traditional CAN bus, which is actually such a strange network.
Our aim is to describe the possibilities to get information from the nodes of an automotive CAN network by the help of our proof of concept tool: CANmap. In our presentation, we represent a simple device that is capable of scanning the CAN-based protocols that are widely used in any everyday vehicle.

The world is continuously evolving and many things become outdated. Cryptography is no different. While strong crypto should always be used, in time this strong crypto becomes weak due to advancements in the cryptoanalysis research and simply constant improvements of the cost and availability of compute resources.

When strong crypto becomes weak, all related software needs to be updated. But this can be a challenge, as more often than not, there are cases where a particular piece of software is either unmaintained or proprietary, and the software vendor is not cooperative enough to make this change. And what’s more, this piece of software cannot be easily replaced, for a number of reasons.

While there is no perfect go-to solution for every unique case, there may be a way for old/proprietary/unmaintained software based on OpenSSL to be fixed. OpenSSL has a pluggable extensible architecture called “engines”, which allows for the addition or replacement of cryptographic algorithm implementations without having to completely recompile the whole thing. However, the ability to use this functionality requires support from the linked application—the application itself needs additional code to hotswap OpenSSL engines—which most applications lack.

Luckily, to fix such applications, dynamic linker code preloading can be used—a feature supported by most modern operating systems. This talk walks through a hypothetical scenario in which a proprietary tool based on OpenSSL using weak cryptography needs to be fixed.

Whether we like it or not, smart things rule our lives. Even if you choose not to use IoT devices and services in your private life, the production of products that you consume and the utilities that you rely upon would not be available to you without industrial IoT (IIoT) and operational technology (OT). Almost daily in our news feeds we see a steady stream of security fails in these areas. As security professionals, we must resist the urge to just facepalm and carry on. The I’s O’s and T’s have become too ubiquitous, and the trend is moving towards more rather than less. This presentation examines the technical and market factors that prevent us from securing all the things. Further, it analyzes where and how good security principles are emerging in practice, the common factors driving and inhibiting success and what we as security professional can do to make it better.

WebSocket protocol is many times more efficient than HTTP. In recent years we can observe developers tend to implement functionality in the form of WebSocket API instead of traditional REST APIs, that use HTTP. Modern technologies and frameworks simplifies building of the efficient WebSocket API. We can name GraphQL subscriptions or Websocket API support in Amazon API Gateway.

WebSockets APIs have different security model compared to REST APIs, resulting in unique attack vectors. Nevertheless, developers rarely take them into account.

WebSockets in browsers do not use same-origin policy (SOP) concept, their security model is based on origin check. Out-of-the-box WebSockets provide no authentication and authorization mechanisms. WebSocket protocol is stateful and has two main phases: handshake and data transfer phases. Most of the time authentication and authorization logic is implemented on handshake phase, while subsequent data transfer doesn’t have such mechanisms. Usually, this leads to severe security issues.

We will talk about CSRF issue, authorization bypass and IDOR issues, found in real web applications and disclosed through Bug Bounty programs.

This talk will cover attacks on popular GSM-devices: GSM-alarms, GSM-controllers for smart homes, industrial GSM-controllers, access control systems, GSM-locks, some communication systems and smartwatches for kids. They are very easy to use. Usually, the user can insert a SIM-card in a controller, then the GSM-device is ready to use. Howewer, the security of these devices is questionable.

This talk will cover attacks on GSM controllers present in the aforementioned devices, as those seem ripe with insecurities.
This talk will also cover different problems that were found during research, as well as critical flaws.

Remediation is a crucial step when recovering from an incident. Proactively implementing security controls and hardening an environment doesn’t need to wait until AFTER an incident has occurred. The presenter will detail common remediation strategies that are used when responding to breaches, in addition to risk-reduction methods that align to proactively applying a remediation strategy.

This session will detail common remediation strategies that are used when responding to breaches – in addition to risk-reduction methods that align to proactively applying a remediation strategy.

If you want to gain control over IoT devices first you have to discover them and locate them. Then, you can be able to decide you need them or you should block them. IoT devices not necessary have IP or MAC address so the well-known scanners are unable to discover them. We have to check the ISM bands and the licensable bands, including the GSM and LTE band. When you find the signal source in the air you can be able to locate, inspect and control it.

Humans make mistakes. Information security’s mistake is operating as if humans can be forced to never err. The illusion of “human error” being a satisfactory explanation for security failures holds us back, constricting our feedback loops and creating blind spots. We will never achieve our goal of securing complex systems if we do not analyze problems through a systemic lens rather than childishly pointing fingers.

In this talk, we will explore what we mean by “error” as well as the hindsight and outcome biases that constrain our perspective. Then, we will discuss how infosec tends to cope with failure, from blaming humans to implementing rigid procedures. Finally, we will conclude by delving into solutions infosec can implement to help our organizations better cope with failure, including the adoption of a systems perspective, chaos security engineering, and blameless culture.

If the names Turla, Sofacy, and APT29 strike fear into your heart, you are not alone. These are known to be some of the most advanced, sophisticated and notorious APT groups out there. These Russian-attributed actors are part of a bigger picture in which Russia is one of the strongest powers in the cyberwarfare today.

The fog behind these complicated operations made us realize that while we know a lot about single actors, we are short of seeing the bigger picture. We decided to look at things from a broader perspective. This led us to gather, classify and analyze thousands of Russian APT malware samples in order to find connections – not only between samples, but also between different families and actors.

In this talk, we will describe the process of our research. Namely, we will show how the technologies at our disposal allowed us to take a deep dive into these malware’s binary DNA in order to spot the mutual Genes that are shared between Russia’s APT families and actors.

While to the rest of the world social media are friendly platforms of communication and sharing, for the fellow OSINT analysts, hackers, social engineers and attackers, they are targeting and information harvesting platforms. Undoubtedly, online presence is important to all of us. But despite the benefits social networking can create, a strong online presence can also create vulnerabilities.

This talk will demonstrate how one’s online presence on social media can attract social engineers to target them and victimize them to “open doors” through the organizational security. It will also discuss how social engineers and penetration testers can utilize social media for their engagements in creative ways and to identify their pretexts.

The talk covers the topic of information gathering through social media (a discipline called Social Media Intelligence, or SOCMINT, being a sub-division of OSINT) and explains how even seemingly innocent information can be used to manipulate and victimize targets. Case studies will be provided. A two-part demonstration is included on how a hacker’s mind works when harvesting information on social media; The first part includes real examples of posts that expose vulnerabilities, attract attackers and ultimately lead to security breaches. The second part includes a demonstration on how personal information provided online are gathered, categorized, analyzed and then used to craft an attack, as well as how one ends up revealing online more than he intends to.

As the title suggests this is a journey into reverse engineering ATM malware, building skimmers, black boxes and other equipment, all in the name of education, and as a result, on a budget. Started about three years ago the goal of the project was to build a demonstration environment for all major attack vectors against ATMs, while using only publicly available resources. Hacking ATMs is an all in one challenge for hackers since it combines hardware security, electronics, networks and software security in a single package. It is also an area of IT security which is surrounded by a more than usual amount of secrecy, simply getting access to some hardware to legitimately hack is in itself a challenge, and the hacking starts after that.

In 2020 the government of People’s Republic of China is going to introduce a new administrative reform package, which contains the introduction of the mass surveillance system, named Social Credit System. The System is using Big Data and Artificial Intelligence to create the credit score of every citizen in China, based on their online credit history, administrative affairs and social behaviour. That enormous amount of data and skills in Big Data Analytics or AI is useful for further innovation in the IT sector and military or surveillance technology in cyberspace. It could make China the winner of the 21st century’s information revolution, but the infrastructure has a lot of challenges as well, like threats emerged from cyberspace and unauthorised or improper usage of its collected data and system. The Social Credit System is infamous for its evolving practise of control in western media, but what is real about that?

My name is Onix. I’m mostly made out of C++. My whole life is indexing for fast searching purposes. I do it so well, Adobe decided to adopt me back in 2003. I was having a great time with my new parents. I did what I’m supposed to do for one of their products, indexing for fast searching purposes in Adobe Reader. For 15 years I stayed under cover. No one knew about me, or what I do.

I was happy. I did what I had to do without raising any flags. Until one day…

A human who works at an organization known as Trend Micro’s Zero Day Initiative (ZDI) decided to take a closer look at me. He started analyzing all my indexing and fast searching functionalities and examining my innermost details. Something drew him to me…and he saw that I was not up-to-date. He kept looking, and he started pointing out my defects. He told my parents. They were not happy. They went back to my biological parents. They were not happy either. They tried to correct my defects…once… twice… but, no dice… And those mean people at the ZDI started giving me Pokémon names.

Throughout this presentation, I will talk about how I – and all my flaws – went undetected for 15 years. I will also talk about the defects that were found in my code along with the final decision taken by my adopted parents… my complete removal from Adobe Reader.

Those ZDI guys sure know to ruin a good time.

Today all vehicles are connected through V2X technologies. All manufacturers are coming with new technologies which can be added technologies for Vehicle industries like Fleet management systems, diagnosis toolset etc. These systems are from third-party vendors which are still in a vulnerable state. So addressing their weakness requires specific skillset in cybersecurity as well as attack mitigation of vehicle industries. Mitigation part (Making ADS) requires huge and niche expertise in vehicle industries. No one show, how to mitigate these vehicle attacks through ADS systems in any conference. In this talk will show you how to make ADS (Anomaly detection system) to mitigate vehicle cybersecurity attacks against CANBUS and LIN protocol.

Enabling two-factor authentication for any online account is a necessity these days. Most common phishing attacks aim to steal login credentials, which are often not enough to provide attackers full access to targeted accounts. Since most attackers are unable to get hold of external authentication devices, multi-factor authentication (MFA) is widely proclaimed to be a silver bullet against all phishing attempts. I will challenge that thought and try to prove otherwise, while demonstrating the Evilginx phishing framework.

During the talk you will see how an attacker, armed with right tools, can perform a successful phishing attack on an account with 2FA enabled. Attack will result in full account takeover, despite the additional security measures.

I will also explain how websites and end-users can protect themselves from this new strain of phishing attacks.

You have probably seen some security incidents that were not handled adequately. Are people doing a good job of preventing incidents? Some organizations do a decent job at it, others are hard at work convincing themselves and their colleagues that there are no problems, except for the existence of researchers who are looking for security issues. In this talk, I will show you some of the best organizations that I have had a chance of working for as a security researcher (/bug bounty hunter) and will show you some of the hottest zero day exploits I’ve had at my disposal. The story does not end there though, professional hypocrisy is rampant in the industry and Hungary has no shortage of incompetent companies and incidents where security researchers are being treated as criminals. Design sophisticated and sustainable systems is in the interest of the public, yet the criminalization of valuable research is not only destroying the lives of researchers, it is an active and strong inhibitor of technological progress.

Starting as a developer’s best friend, the Android Debug Bridge has turned into a security nightmare as time passed. While having an open port available for debugging over the internet sounds great, forgetting to turn off that service in production environment can spell big trouble for you or even your customers. My analysis will be of the protocol, the worms abusing it and how I discovered it all after putting my freshly built honeypot up.

The information security domain, now infamously called cybersecurity, is constantly evolving and has quite changed in the last decade in order to provide more and more sophisticated, (bug-free) and complete tools. Their number and quality has both increased but as the security people are still not (great) developers, the same mistakes still live on especially regarding the ease of installation, maintenance, and last but not least the ability to scale. The main goal of this talk is to take a step back from this last decade of awesome tool tailoring, by presenting the results of a quantitative study on 2000+ of them, as well as giving key advice to make your tool great (again).