Hacktivity - The IT Security Festival in Central & Eastern Europe
Streamed Worldwide // 8-10 October 2020
2020-10-08 08:00:00
Buy ticket
  • Home
  • News
  • Conference
    • What is Hacktivity?
    • Presentations
    • Workshop Sessions
    • Speakers
    • Hackademy Programme
    • Hacktivity Badge
      • Badge HOWTO
      • Badge wifi setup
    • Newsletter
    • Visit Budapest
    • HackCenter
    • Call For Papers
    • Call For Ideas
  • Sponsors
    • Become a Sponsor!
    • Sponsors & Partners in 2020
    • Qualys – GOLD Sponsor
  • About
    • About Us
    • Contact Us
    • Our Team
    • Program Committee
    • Privacy Policy
    • Terms & Conditions
    • House Rules
  • Home
  • News
  • Conference
    • What is Hacktivity?
    • Presentations
    • Workshop Sessions
    • Speakers
    • Hackademy Programme
    • Hacktivity Badge
      • Badge HOWTO
      • Badge wifi setup
    • Newsletter
    • Visit Budapest
    • HackCenter
    • Call For Papers
    • Call For Ideas
  • Sponsors
    • Become a Sponsor!
    • Sponsors & Partners in 2020
    • Qualys – GOLD Sponsor
  • About
    • About Us
    • Contact Us
    • Our Team
    • Program Committee
    • Privacy Policy
    • Terms & Conditions
    • House Rules
  • EDUCATION,
    INSPIRATION,
    NETWORKING
    & FUN

  • UP TO DATE
    PRESENTATIONS
    ABOUT
    CYBERSECURITY

  • COMPREHENSIVE
    WORKSHOP
    SESSIONS

  • HACKCENTER:
    THE PLACE
    TO EXPERIENCE

  • PROFESSIONAL
    TRAINING
    SESSIONS

HACKTIVITY2020 ONLINE

Due to the global situation caused by COVID-19 #Hacktivity2020 is going to be organized as a 3 days long ONLINE event with lots of exciting presentations and brand new content! Get your ticket and enjoy the conference from home!

Read more

COMMUNITY SPACE

We have created a community space for the #Hacktivity2019 electronic badge owners at Reddit. Feel free to post your experiences about the conference, questions about the badge, or everything related to hacking!

Read more

CALL FOR IDEAS

If you have a specific knowledge, technique or tool that is exciting and you are  willing to share it with the IT security community, CALL FOR IDEAS is for you! Become one of our instructors and enjoy #Hacktivity2020 for free!

Read more
1000+ VISITORSREPRESENT THEMSELVES FROM THE FIELD OF IT SECURITY
44 SPEAKERSPRESENTING FROM ALL AROUND THE WORLD
17 YEARSHISTORY AS THE BIGGEST EVENT OF ITS KIND IN THE REGION
3 DAYSHIGH QUALITY PRESENTATIONS AND WORKSHOP SESSIONS

#HACKTIVITY is the biggest event of its kind in Central & Eastern Europe. About 1000 visitors are coming from all around the globe every year to learn more about the latest trends of cybersecurity, get inspired by people with similar interest and develop themselves via comprehensive workshops and training sessions.

More info about Hacktivity

The Most Anticipated
IT Security Event
in the region

Hacktivity is a very special opportunity to get to know people in the cybersecurity community of Hungary.

Mike Ossmann / Great Scott Gadgets
mike_ossmann

I think the range of speakers is very impressive, with a very good mix of local and foreign cybersecurity professionals.

Inbar Raz / Argus Cyber Security
Inbar Raz

I really like the atmosphere of Hacktivity, and it’s great that the organizers are supporting students as well.

Leigh-Anne Galloway / Positive Technologies
leigh-anne

Hacktivity provides great opportunity for social interaction with people who have similar interest in IT security.

Gábor Szappanos / SOPHOS
szapy

Hacktivity has a great tradition and I’ve met a lot of brilliant people around here. I’m super happy with this event.

Rodrigo Branco / Intel Corporation
rodrigo_branco

Hacktivity is a very impressive conference and it’s definitely one of my favourite events in the world.

Costin Raiu / Kaspersky Lab
costin

Hacktivity has a really good cost/benefit ratio, the quality of the talks is really good in international comparison.

Bálint Varga-Perke (Buherátor) / Silent Signal
buherator
PROGRAM

OFFICIAL PROGRAM

DAY 1 // ONLINE STREAM
8 OCTOBER 2020
08:30 — 08:35
Opening Ceremony / Attila Marosi-Bauer
08:35 — 09:15
History of Computer Viruses

TBD

Tobias SchrödelKICK OFF GK/VSE Mobile 2010 in Berlin  am 23.02.2010 - Nur zum redaktionellen Gebrauch - Nur f¸r interne und externe Pressearbeit, nicht f¸r Werbung - Model-Releasevertraege der abgebildeten Personen liegen nicht vor, die Personen haben sich lediglich muendlich mit der internen Verwendung der Fotos einverstanden erklaert.
09:30 — 09:50
Bring Your Own Demise - The Corporate Threat of Mobile Endpoints

Mobile devices are part of every enterprise threat model – they are desirable targets, unmanaged and tough to protect. We use them for MFA and to access company resources, on top of personal use. But one compromised device is enough for the attackers. In this talk, while guiding you through the mobile kill chain, I will demo the potential impacts of a vulnerable device – exploitation, financial fraud, stealing credentials protected by MFA, lateral movement, you name it. More importantly, I will show how we can detect adversary tactics in time using centralized threat protection.

János Pallagijanos pallagi1 BP
10:05 — 10:45
Perception vs Reality: Cyber War - Are We Losing to Cyber-Criminals or Are We Giving Up Space at Our Own Request?

I want to play a game… What is a number of assets in your organization? How many of them you have recognized and how many of them are under VM Process? What is your main focus for remediation (patching) and what is out of the radar? Do you know your overall threat landscape? Do you want to know the real one? 🙂 Finally, how to convince C-Level Executives to follow your recommendations and to allocate a serious budget for this area?
Let’s crack it together!

Piotr PobereznyPiotr Poberezny - Profile Photo
11:00 — 11:20
Distributed Fuzzing with k8s

Fuzzing over the ages has improved in tooling, logic, and process, but is still a number-crunching problem! You are improving your odds by throwing more CPU power at it.

How do we make it happen without hacking through custom solutions that cannot be reused? Enter FuzzCube – Batteries Included! (supports scaling AFL and libFuzzer ) It leverages Kubernetes for its infrastructure orchestration capabilities. Using Kubernetes, we abstract the complexity of deploying a fuzzing infrastructure with distributed high throughput workloads, fault tolerance, storage orchestration, and high scalability. We will practise distributed fuzzing in the era of Cloud Native Computing and use our new skills to find some 0days 😉

Anto Josephanto_joseph
11:35 — 12:15
My Wife is Watching Me: The Spy Inside All of Us.

During this lecture Eddy Willems will take you inside the dark world of some specific spyware: stalkerware. Why is stalkerware so special or isn’t it? Is this a new phenomenon? Eddy will guide you through the most common features of stalkerware. Is it easy to install? What are the differences between spyware and this kind of malware. How do the companies who create this software advertise themselves? Is it really legal? Eddy will show you a couple of examples. What are the technical challenges for the security industry? What can you do about it? What if your husband, wife, boyfriend, ex-lover or even father is using it against you? If you care about your privacy this lecture is a must. If you want to know more about spyware this lecture can open your eyes even more.

Eddy Willemsportretten van het personeel van G Data Software Benelux  te 1731 Zellik..danielle.van.leeuwen@gdata.nl .Tel. +31 (0)20 808 0835.Mob. +31 (0)6 54 660 215
12:30 — 13:00
Lunch Break
13:00 — 13:40
Reversing Golang Binaries with Ghidra

Golang is Google’s open source programming language which in the recent years gained popularity among developers. As usually, it is not only used for good purposes, but it attracted the attention of malware developers as well. The fact that Go supports cross compiling to run binaries on various operating systems makes it a tempting choice for IoT malware attacks.
In this talk, we will introduce IoT malware families written in Go. Through some examples we will discuss the unique features of Go binaries and give tips on how to reverse engineer them using Ghidra. We will share our Ghidra scripts that we use during reverse engineering Go binaries.

Dorka Palotaydorka, Albert Zsigovitsalbert
13:55 — 14:35
Machine Learning Evasion Competition

Research attacking ML-based image classifiers is common, but it is less frequent to see a study on how someone can bypass ML-based malware detection.
In 2019, we organized a contest where participants had to modify Windows malware in a way where the provided three ML engines do not detect it. However, the modified sample is still functionally equivalent to the original binary. As it turned out, it is not that hard to come up with a generic solution which can bypass all three engine. In this presentation, we will discuss the details of the contests from 2020 and 2019, some of the techniques used by the participants (packing, overlays, adding sections), and information on the defensive tracks.

Zoltán Balázsbzoli
14:50 — 15:10
Blue Team over the Air : What's Going on in the Air?

I call wireless networking technologies invisible threats. They can be carried out easily and their effects can be very high.There are attacks that can directly affect users, institutions and sometimes devices.

In this talk, I will explain how we can fight against invisible threats and we will answer a question: What’s going on in the air?

Besim Altinokbesim altinok
15:25 — 16:05
XPC Exploitation on macOS

While doing security research on macOS PrivilegedHelper tools I found that most of them are vulnerable to privilege escalation, or allows unauthorised clients to perform the privileged action even without interacting with the original client application. This poses a general risk to macOS users. In my talk I will explore all the little pieces, that if missed will lead to vulnerable applications. Examples / demos will be shown for all of them.

Csaba Fitzlfitzl
16:20 — 17:00
Infra Security Automation in CI/CD: Impossible is Nothing

Agile enterprises are constantly facing new challenges when it comes to embedding security in the CI/CD DevOps processes. One of the main pros of adopting DevOps is gaining speed but that does not always match with having thorough security checks, especially when those checks are performed manually for each release/build.

How does the new deploy affect the exposure of the environment where the application running?

– New binaries
– New logging mechanisms
– New log files
– New monitoring
– New permissions
– New configurations
– New secrets

How do we make sure that the environment is safe and does not introduce new privilege escalation vulnerabilities for example?

Answering these questions for each machine in a landscape of thousands of VMs, images and IP addresses is not an easy manual task.

In this talk we want to share how we solved the issue in a large agile organization like ING, and present our framework and tools to automate infrastructure testing in a CI/CD environment built on top of Ansible and STRIDE.

Spyros ManglisSpyros Manglis, Davide CiocciaCiocca Davide
17:15 — 17:55
How Soft Skills Get Hard Results

Key Highlights

-Why soft skills are essential for business
-The connection between leadership + emotional intelligence (EQ)
-3 soft skills techniques that improve communication immediately

Description

Based on his 2020 TEDx Talk in Laie, Oahu, “Saving Soft Skills From Extinction,” Scott teaches audiences how to model soft skills to the next generation producing better communication and performance in the workplace.

Scott Asaiscott-revolution-17
DAY 2 // ONLINE STREAM
9 OCTOBER 2020
08:35 — 09:15
Penetration Testing Communication Systems Nowadays

Today’s communication is no longer limited to simple IP telephony using deskphones on an office desk.
Rather, one encounters again and again buzz words unified communication, SIP trunking, online conferencing, anywhere workplace, E2EE etc.
In my presentation on penetration testing of communication systems I will show you how these increasingly complex scenarios are tested for weaknesses and security issues.
We will decrypt encrypted conversations, redirect media streams and attack communication systems from the public Internet.
In addition to attack techniques and methods, you will also get to know suitable recommendations for the protection of communication systems.

Moritz AbrellAbrell Moritz 8596
09:30 — 09:50
Making Developers Security Aware. Lessons Learnt.

I’ve done more than 50 security awareness workshops for software developers, for several different organizations, from a bank to software as a service companies. During this time I’ve heard plenty of stories about the current application security problems they face and their attitude to cope with those problems. I chose the most popular ones and would like to share the developer’s experiences in a nutshell, answering the following questions:

What are common problems, misconceptions and how to approach them?
How to talk to developers about application security?
How to find common ground for software developers and security department?
How to start adding security to software development lifecycle or improve what you have now?

Based on real cases from various companies, the audience will learn how to improve application security in their companies.
Better learn from someone else’s mistakes, without making them yourself.

Paratroopers, tanks and planes included!

Mateusz OlejarkaDSC_7675_fot_klaudyna_schubert
10:05 — 10:45
ATTPwn: Adversary Emulation. ATT&CK Automation Tool & Collaborative Project

ATTPwn is a computer security tool designed to emulate adversaries. The tool is focused to bring emulation of a real threat into closer contact with implementations based on the techniques and tactics from the MITRE ATT&CK framework. The goal is to simulate how a threat works in an intrusion scenario, where the threat has been successfully deployed. It is focused on Microsoft Windows systems through the use of the Powershell command line. This enables the different techniques based on MITRE ATT&CK to be applied. ATTPwn is designed to allow the emulation of adversaries as for a Red Team exercise and to verify the effectiveness and efficiency of the organization’s controls in the face of a real threat.

Francisco RamirezFranRamirez, Pablo GonzalezPabloGonzalez
11:00 — 11:20
Unveiling Some Untold Facts Regarding Stuxnet a Decade After the Attack

Stuxnet is a computer worm, which emerged during the summer of 2010 to infiltrate numerous computer systems. The worm is a military-class cyberweapon that was used to launch a destructive attack against Iran nuclear centrifuges. Stuxnet operates in three main steps by analyzing the targeted networks and computer systems to gain access to the automated program logic controllers. Having infiltrated these machines, Stuxnet began to replicate itself continually.
Although there have been a large number of public articles and talks regarding Stuxnet, during our analysis we have noticed some critical details about the virus’s code and its functionalities that have not been exposed before. In this talk, we share the result of our in-depth malware analysis by achieving the original source code of Stuxnet. Our analysis sheds light on some untold aspects of the worm that can provide new insights for security communities on a specific class of military super viruses.

Dr. Mohammadreza AshouriMohammadreza_Ashouri
11:35 — 12:15
Hacking the Hacktivity 2019 Badge: How to Brick the Device and Resurrect it with Another Soul

The talk describes an adventure in hacking the Hacktivity 2019 badge, trying to replace the embedded micro-Python with a standard Arduino development environment. The steps followed in this adventure are:

– how to brick the device using the Arduino development environment loading a not functioning sketch and destroying the existing firmware

– reverse-engineering the device schematic using:

– visual inspection of the two-layer PCB

– using a multi-meter

– searching information on the Internet

– using GIMP to follow PCB traces on the two PCB layer images

– using the Arduino development environment to load sketches on the ESP32

– loading a bootloader to the ATSAMD21G16B to bring back the USB interface, using a J-Link mini EDU interface and the JLink.exe software

– failing to load an Arduino sketch to the ATSAMD21G16B arm MCU

– using the unpleasant (and Windows only) Atmel Studio to write and load a firmware to bring back the USB/serial interface, read the touch buttons, drive the LEDs and talk to the ESP32

– finally enabling the Arduino development environment with the Hacktivity 2019 badge

Valerio Di Giampietrovaleriodigiampietro
12:30 — 13:00
Lunch Break
13:00 — 13:40
Anatomy of Automated Account Takeovers

This white paper outlines the plenary mechanism of automated account takeovers (ATOs), while treating cybercrime as a fully functioning, profit driven business industry. Based on an extensive literature review, the paper analyses the constituent players and components of automated ATO attacks, their implications on the businesses, tech companies and victims, as well as the financial ramifications of the attacks. Taking a multifaceted approach to the issue, the paper initially examines the current environment cultivating automated ATO attacks and the prevalence of credential stuffing attacks, establishing cybercrime as a business operating with the principles of maximizing ROI. Then from a technical standpoint, the bad bot element is further scrutinized along with the technological evolution of the attacks and the evasion methods of cybercriminals. Lastly but not least, from a rather financial angle, the paper delves into the means of capitalization of the ATO attacks benefitting not only the criminals but also the diverse players of the cybercrime industry, while analyzing the facilitating services for the criminals. Finally, the conclusion remarks and recommendations are presented for tech leaders and cybersecurity industry as precautionary and ameliorating measures that can be taken to combat automated ATOs.

The initial section aims to identify the reasons behind the ubiquity of the automated ATO attacks in the digital status quo by analysing the relevant literature and statistics on users’ digital behavior patterns, password hygiene awareness and management/storage methods as well as the technology providers’ contribution in making automated attacks lucrative for cybercriminals. It is discussed that, user tendency of reusing or minimally altering the same password in different digital platforms as well as the predictability of different demographics’/age groups’ digital behavior patterns instigate mass scale automated credential stuffing attacks and increase the turnout of the automated attacks via acute client pool segmentation, respectively. Moreover, the technology firms’ hesitance to mandate 2FA for their account logins due to the dilemma of finding the optimal equilibrium between UX and security inadvertently assists the automated ATO attacks, enlarging the attack surface of vulnerable accounts.

Secondarily, the paper addresses the bot facet of the ATO attacks from a rather technical standpoint. The innovation in technology is rapidly adopted by the cybercriminals to add further layers of sophistication beyond automation level 2 and eliminate the burdensome human tasks of traditional manual attacks. The paper examines the utilization of artificial intelligence for deception and detection evasion; accurate simulation of victims location via rotating VPN, secure VPS, RDP servers or secure proxies, as well as how doppelgängers are employed to mimic the victim’s digital behavior patterns and device fingerprint. Furthermore, It is inspected that, through deception created by storytelling, criminals can leverage the alert fatigue by having the bad bots’ activity perceived as ‘white noise’ or false positive by SecOp analysts who may overlook the critical issues. Lastly but not least is the supplementary capabilities of the bad bots, which require relatively complex complex automation techniques, discussed in the paper such as creating synthetic identities for new pseudo legitimate account creation and aging those accounts by making false transactions and even opening virtual credit cards to do so.

The tertiary focus of the paper is on the financial compensation of the criminals once an ATO is attained, examining the components of the end-to-end money trail from cashing-in to cashing out. The most straightforward way to capitalize on an account is changing the credentials of the account immediately after the ATO to impede a potential ATO from rival criminals and selling the account with pertaining victim information or holding the victim to ransom. A riskier option with higher ROI on the risk for criminals is accustoming themselves with the victim throughout nesting period, until the account is ‘mature’ enough for a strike such as taking unsecured loans and making wire transfers and ACH payments. On the other hand, the criminal may opt to keep the account as ‘money mule’ to conduct illicit money trafficking/laundering by offering compensation to the account owner. The paper further delves into the facilitating parties of these undertakings; such as criminal brokers providing credentials for a periodic fee and commissioned escrow services providing credential quality assurance while serving as a financial guarantor for the transactions. It is noteworthy to mention the challenges against cashing out the criminal earnings, hence the criminals have to not only follow the static restrictions but also be equipped with acute regional and international money laundering regulations to minimize their chances of being issued a suspicious activity report.

The conclusion remarks of the paper serves as recommendations for tech industry to reduce their user accounts’ vulnerability to automated ATO attacks. The initial point mentioned is to tailor the user authentication experience to be an adaptive, continuous process by effectively combining 3 types of MFA with respect to the relevant business processes and requirements, while prioritizing the UX along with minimizing the security risks. Secondarily, the paper recommends to avoid the ‘assume breach mentality’ and to grasp the potential gaps and threats as well as the risk posture of the organizations by data driven analysis, hence identify what is crucial to protect. Final recommendation of the paper is on raising user cybersecurity awareness to secure their accounts with sufficiently complex and unique passwords.

Tal Eliyahutal_eliyahu, Begum CalgunerBegum_calguner
13:55 — 14:35
Broken IoT Supply Chain

With the explosion of IoT, there goes hand in hand also an explosion of threats that traditional methods of protection are not able to detect. Security reduces to matter of trust. What do we know about how the device has been manufactured, which components are involved, where did the cloud solution came from. On the epic fail of GPS trackers security and a few others, I’ll demonstrate how big the problem is. How white labelling mainly of Chinese products makes supply chains opaque and messy. And if you think that can happen only in China I’ll prove you wrong.

Martin Hronmartin hron
14:50 — 15:10
The Great Hotel Hack: Adventures in Attacking Hospitality Industry

Ever wondered your presence exposed to an unknown entity even when you are promised for full security and discretion in a hotel? Well, it would be scary to know that the hospitality industry is a prime board nowadays for cyber threats as hotels offer many opportunities for hackers and other cybercriminals to target them and therefore resulting in data breaches. Not just important credit card details are a prime reason, but also an overload of guest data, including emails, passport details, home addresses and more. Marriot International where 500 million guests’ private information was compromised sets for one of the best examples. Besides data compromise, surgical strikes have been conducted by threat actors against targeted guests at luxury hotels in Asia and the United States. The advanced persistent threat campaign called Darkhotel infected wifi-networks at luxury hotels, prompted the victim to download the malware and thus, succeeded in specifically targeting traveling business executives in a variety of industries and all its prevalence seems to have no end yet.

For a broader look, this time a popular internet gateway device for visitor based networks commonly installed in hotels, malls and other places that provides guests temporary access to Wi-Fi was examined. To see, how the guests and the hotels both have a serious stake in this, we will discourse about the working of guest Wi-Fi systems, different use cases and their attack surfaces: device exploitation, network traffic hi-jacking, accessing guest’s details and more. Common attacks and their corresponding defenses will be discussed. This talk will contain demos of attacks to reveal how the remote exploitation of such a device puts millions of guests at risk.

Etizaz Mohsinaitezaz
15:25 — 16:05
Service Mess to Service Mesh

In our quest to secure all the things, do we jump in too quickly? We’ll use Istio and Linkerd as example service mesGhes, and look at the features we would expect from a service mesh. We’ll dive into the day-1 experience with both Istio and Linkerd, and some advanced scenarios of using the service mesh. We’ll compare this to border security with an app gateway, and compare and contrast the security features, complexities, and implementation costs. You’ll leave with a concrete understanding of the benefits and tradeoffs you get when you pull in a service mesh, and be ready to justify the investment.

Rob RichardsonRob Richardson
16:20 — 17:00
State of the Art Phishing

Phishing techniques from the latest ones to the oldest tricks in the book that still work. Even if you have spent a lot of resources on software and hardware based protection, you are still not addressing the human factor. In this technical talk we will look into how hackers can be effective in phishing attacks and see if some very old techniuqes can still be used in modern systems. Topics include spear phishing, making users run executables (well, that souldn’t work in 2020, right?), a look into macro based attacks (most AVs find them, or not?) and the more rarely discussed vishing/smishing (techniques, SIM cards, fake/cloned numbers).

Sixsix_prof_clean
DAY 3 // ONLINE STREAM
10 OCTOBER 2020
08:35 — 09:15
Hacking Facial Recognition Systems

Do you know that it is possible to create glasses to bypass facial recognition system? The use of facial recognition technology is on the rise, and you can find it in different areas of human activity including social media, smart homes, ATMs, and stores. Recently, researchers have discovered that deep learning algorithms are vulnerable to various attacks called adversarial examples. Our client, a smart home solution provider, asked us to test software and hardware to reveal a real threat or academic research and select the most secure solution available on the market.
Here is the way we conducted the security assessment. Facial recognition systems have their specific deep learning models. The systems usually work in the physical environment, and their attack surface differs from the digital one presented in research papers. Furthermore, all examples of attacks and defensive measures were given for various models, datasets, and conditions. It does not help to understand the real situation even if you examine approximately 100 research papers on this subject.

To test properly, we’ve composed our own attack taxonomy to check the effectiveness of the recent approaches to attacking facial recognition systems. I will present our research conducted in the real environment with various cameras and algorithms and show how to protect production systems from this kind of attacks.

Alex Polyakovalexander_polyakov
09:30 — 09:50
DevSecOps in the Financial Services Industry: a Technological Approach

As cyber threats become more intense and taken seriously, companies in the financial services industry face constant pressure to make their activities more agile and digital, and to guarantee an ever-higher level of security and compliance.
The ambition behind DevSecOps standard practices is to integrate security into DevOps so that businesses can accelerate the speed and frequency of software releases without compromising controls or increasing risks.

This presentation will focus on the technological aspect of a good DevSecOps integration with an example of a stack implemented in the financial services sector in Luxembourg including secrets management segregation, automated code analysis, vulnerability assessments, automated CI/CD pipelines with built-in security controls, automated penetration testing.

Stéphane ChmielewskiStéphane Chmielewski
10:05 — 10:45
The 5G Battle

The presentation is an analysis of the threat landscape posed by the emergence of 5G technology. With the omnipresence of mobile technology and the need for telecommunication providers to roll out highly volatile technology or fall behind possibly forever, the speakers will discuss the benefits of leveraging an “attacker-perspective” when conducting a threat landscape assessment for the roll out of 5G technology. Utilizing their combined experience in cybersecurity working within telecommunication organizations, they have applied a combination of open and closed source research to create a picture of the likely relevant threats, actors and their TTPs, who would target an organization deploying 5G. They have then mapped each actor separately in the MITRE ATT&CK framework, combined them with an exposure/likelihood weighing, and mapped them back to the organization’s cyber defences, to create a “Master Matrix”.
This matrix is designed to help technology leadership gain ‘big picture’ visibility on the threats facing their remit, make focused, tactical decisions on new investments, and better align red and blue team resources to cover the most critical areas of the digital landscape.

Robert MoodyRobert Moody, Bence HorvathBence Denes Horvath
11:00 — 11:20
Paste Wars: Fighting for Copypaste Freedom

No one knows where it came from, but it is spreading like a disease: blocking paste functionality on online password forms. There is no explanation, no research, just a typical “this is for your security…”. And yet, all this is in the age of almost defeating the threat of weak and reused passwords by adopting password managers.

Some try to fight back: Firefox, for example, allows users to disable the block by completely turning off paste notifications. However, this is like cracking a nut with a sledgehammer, as there may be many other legitimate use-cases for sites to handle paste events.

There are also some browser plugins: they go as far as scanning the whole DOM and removing the blocker code or injecting passwords directly into the page. But these come not without risks: unveiling passwords and full browsing history to third-party applications (which, by the way, have full network access). Also, users are limited in the choice of their browser, as these plugins are often not portable.

It feels a bit wrong when a website (or anyone else) decides what users can or cannot do on their computers. However, there is hope: instead of fighting paste blockers, why not just provide the password in the “natural” way they expect—by typing it in. But the typing will be done by the user’s operating system, rather than the user: the OS can automatically type a very complex password from any password manager for the user. And paste blockers can never block it—because this is the only way they should allow the password to get in, by design. These ‘Paste Wars’ are over: introducing a simple tool, which can type in complex passwords and restore users’ rights to paste!

Ignat Korchaginignat_profile
11:35 — 12:15
China's Cheap Xiaomis are Low on Privacy

Chinese phones are cheap only if your privacy is worthless. With the advent of low cost techonology, phone manufacturers started getting their profit margins from other sources. One such manufacturer is Xiaomi, which sells incredible phones at eye watering prices. Don’t be deceived though, because purchasing such devices also giving up your rights to digital privacy. I’ve dwelved into the rabbit hole in order to expose a company that not only wants your money, but also the entire history of you.

Gabriel CirligGabriel_Cirli
12:30 — 13:00
Lunch Break
13:00 — 13:40
Working with Proof Key for Code Exchange To Communicate With The Cloud

We all know how important web security is because it protects our personal information across the internet. Typically when a request is sent to a server to get access to private information, there is some kind of access token included in the headers. That authorization request is usually someone trying to sign in to one of their accounts.

Usually we create an access token to send back when their credentials are confirmed in the form of a JWT or some other encrypted key. This is the normal authorization workflow and for the most part it works well. The problem is that there are a few cracks starting to show in this flow. That’s what PKCE is here to fix.

Milecia McGregormilecia_mcgregor
13:55 — 14:35
There is Always One More Bug - or More: Revisiting a Wireless Alarm System

Developers of IT systems have known for a long time that there is still one more bug to be found – or at least this is often humorously attributed to various IT products, no matter whether they are soft-, firm-, or hardware.

In this talk, SySS IT security expert Matthias Deeg shows that this assumption is sometimes very true, using the example of a wireless alarm system and its accessories, in which yet another security vulnerability could been found over the past few years – more than once.

Based on various concrete vulnerabilities of different types, practical experience gained in penetration tests as well as research projects at SySS regarding the security analysis of radio-based systems will be presented, and the following three descriptive attacks will be demonstrated on a revisited wireless alarm system:
1) Rolling code attack
2) Proximity key cloning attack
3) Reactive jamming attack
4) Sniffing attack
5) Spoofing attack

Matthias DeegMatthias_Deeg_grayscale
14:50 — 15:30
Dissecting and Comparing Different Binaries to Malware Analysis

Demonstrate differents kind of structures in the binaries as a PE (header and your sessions) , ELF (header and your sessions), PDF(header/ body/cross-reference table/trailer), explaining how each session works within a binary, what are the techniques used such as packers, obfuscation with JavaScript (PDF) and more, explaning too about some anti-desassembly techniques, demonstrating as a is the action of these malwares and where it would be possible to “include” a malicious code.

Filipi PiresFilipi_Pires
15:45 — 16:25
Speeding Up Linux Disk Encryption

Today all vehicles are connected through V2X technologies. All manufacturers are coming with new technologies which can be added technologies for Vehicle industries like Fleet management systems, diagnosis toolset etc. These systems are from third-party vendors which are still in a vulnerable state. So addressing their weakness requires specific skillset in cybersecurity as well as attack mitigation of vehicle industries. Mitigation part (Making ADS) requires huge and niche expertise in vehicle industries. No one show, how to mitigate these vehicle attacks through ADS systems in any conference. In this talk will show you how to make ADS (Anomaly detection system) to mitigate vehicle cybersecurity attacks against CANBUS and LIN protocol.

Ignat Korchaginignat_profile
16:40 — 16:45
Closing Notes / Attila Marosi-Bauer
TICKETS

TICKETSDON'T MISS THE BEST HACKTIVITY CONFERENCE SO FAR! GET YOURS NOW!

PASS FOR INDIVIDUALSThis ticket type is valid only for individuals. Invoices will be issued only for them, companies cannot purchase it.
30 000 HUF
PURCHASE
PASS FOR COMPANIES - Lite EditionYou will receive a VAT invoice for your ticket in your company’s name and address after we have received the payment.
60 000 HUF
PURCHASE
PASS FOR COMPANIESGet instant access to all presentations, re-watch them anytime. Get an exclusive Hacktivity branded T-shirt and a Hoodie along with some cool stickers.
90 000 HUF
PURCHASE

HACKADEMY SCHOLARSHIP PROGRAMME

We provide 50 tickets for university/high school students & teachers.

More info
SPONSORS

Our Sponsors and Partners in 2020SUPPORTING US IN MANY WAYS

Diamond sponsor

ntt

Diamond sponsor

check_point_logo

Gold sponsor

qualys_logo

Gold sponsor

ITSH_logo

Silver sponsor

nki

Silver sponsor

vulnary

Professional partners

bsides
isaca_new_logo
masterfield
mysec
witsec
mrg
hsbp
hackerspace_szeged
secureiteam
mongu

Media partners

hwsw
biztonsagportal
androgeek
makay_logo
new_technology
iseeq
hack_es_langos
ecsm
asva
kepszerk

Technical partners

ruckus
mom
brill
rentit

SUPPORTING #HACKTIVITY2020

Take part of the biggest IT security event in Central & Eastern Europe!

SPONSORSHIP PACKAGES
Hacktivity Kft.
2143 Kistarcsa, Eperjesi u. 40/2
+3670 507 5833
[email protected]
Latest news
  • Hacktivity2020 Extended Hackademy Program – Free online conference participation for public sector employees!
  • Hacktivity2020 kibővített Hackademy Program – Ingyenes konferencia részvétel a közszférában dolgozók részére! (in HUNGARIAN)
  • WORKSHOP SESSIONS announced for HACKTIVITY2020!
Looking for something?

Any content or design element on our website may only be used with the prior written approval of Hacktivity Kft.

 

© 2020, Hacktivity Kft. All rights reserved.