All the presentations of #Hacktivity2019 can be found on this page. We reserve the right to change the program.
One of the lesser known but critical attack surfaces in modern x86-based computing systems is the highly privileged, proprietary out-of-band management controllers such as Intel’s Management Engine and AMD’s Platform “Security” Processor. Public research into the depths of these systems is scarce because they are by nature highly complex hardware-based devices. Fortunately, thanks to the countless hours of effort that researchers put into it, a method was discovered to disable Intel’s ME via an intentional but undocumented kill switch called the HAP bit. This kill switch worked decently for a lot of devices; however, the latest motherboards based on the Cannonlake H chipsets were different. In this talk, I will guide you through my reverse engineering efforts that allowed me to find the new position of the kill switch in the ROM and therefore add support for these new systems to the me_cleaner project.
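Added example (editor's illustration, not code from the talk or from me_cleaner): how the HAP kill switch is located in the flash descriptor on the pre-Cannon Point layout, where me_cleaner documents it as bit 16 of PCHSTRP0, reached through the PCH strap base (FPSBA) in FLMAP1. The sample 4 KiB descriptor is constructed in the code, and the Cannon Point offset found in the talk is not reproduced here.

```python
"""Locate and set the HAP bit in an Intel flash descriptor (ME 11 layout).

Added illustration, not me_cleaner's code. The offsets used are the
documented pre-Cannon Point ones; the relocated Cannon Point position
that the talk describes is deliberately not reproduced.
"""
import struct

FD_SIG = 0x0FF0A55A     # FLVALSIG, the descriptor signature, lives at 0x10
FD_SIG_OFF = 0x10
FLMAP1_OFF = 0x18       # FLMAP1 carries FPSBA in bits 16..23 (16-byte units)
HAP_BIT = 1 << 16       # bit 16 of PCHSTRP0 on ME 11.x / pre-Cannon Point PCHs


def check_signature(image: bytes) -> None:
    """Refuse to touch anything that does not start with a flash descriptor."""
    (sig,) = struct.unpack_from("<I", image, FD_SIG_OFF)
    if sig != FD_SIG:
        raise ValueError("no flash descriptor signature at offset 0x10")


def pch_strap_base(image: bytes) -> int:
    """FPSBA: offset of the PCH strap area, taken from FLMAP1."""
    check_signature(image)
    (flmap1,) = struct.unpack_from("<I", image, FLMAP1_OFF)
    return ((flmap1 >> 16) & 0xFF) << 4


def hap_bit_set(image: bytes) -> bool:
    """Report whether PCHSTRP0 already has the HAP bit set."""
    off = pch_strap_base(image)
    (pchstrp0,) = struct.unpack_from("<I", image, off)
    return bool(pchstrp0 & HAP_BIT)


def set_hap_bit(image: bytes) -> bytes:
    """Return a copy of the image with the HAP bit set; nothing else changes."""
    buf = bytearray(image)
    off = pch_strap_base(buf)
    (pchstrp0,) = struct.unpack_from("<I", buf, off)
    struct.pack_into("<I", buf, off, pchstrp0 | HAP_BIT)
    return bytes(buf)


def build_sample_descriptor(fpsba: int = 0x100) -> bytes:
    """Constructed 4 KiB descriptor for the demo (not a dump of real firmware):
    signature, FLMAP1 pointing the strap area at `fpsba`, PCHSTRP0 cleared."""
    buf = bytearray(b"\xff" * 0x1000)
    struct.pack_into("<I", buf, FD_SIG_OFF, FD_SIG)
    struct.pack_into("<I", buf, FLMAP1_OFF, (fpsba >> 4) << 16)
    struct.pack_into("<I", buf, fpsba, 0x00000000)
    return bytes(buf)


if __name__ == "__main__":
    img = build_sample_descriptor()
    print("PCH strap base: 0x%x, HAP set: %s" % (pch_strap_base(img), hap_bit_set(img)))
    print("after patch, HAP set:", hap_bit_set(set_hap_bit(img)))
```

The point of the descriptor-signature check is that a wrong FPSBA on a different chipset generation silently flips an unrelated strap; this is exactly why the Cannon Point boards needed the reverse engineering the talk describes.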
On Windows systems, users can be given special privileges. Some of these, if appropriately abused, can lead to elevation of privileges to become SYSTEM.
In this talk, I will explain what privileges and tokens are, how to get them and, based on their characteristics, identify some possible paths for privilege escalation via “Windows privilege abusing” and “token manipulation”.
Particular attention will be devoted to the privileges “SeImpersonate” and “SeAssignPrimary” which, combined with the “Rotten Potato” exploit and our subsequent research, “Juicy Potato”, have proved to be a “Golden Privilege”.
Most health and fitness apps, like many other apps in general, collect a variety of personal data, and sometimes non-fitness apps have access to the iOS/Android built-in health app. These apps are supposed to be designed to minimize their potential for harm, yet they often fail to do so. There is no specific security legislation that shields consumer information from attack by third parties. Thus, apps usually have inadequate security arrangements, and apps’ agreements often contain wrong descriptions.
More issues come from cloud data: while companion device apps gather information from multiple sources themselves, the other health and fitness applications increase the number of places where data is stored, including app-to-app data transfer and cloud export (iCloud, Google Drive, Dropbox, OneDrive, etc.). The farther from the companion app, the more insecurity we have in fitness apps that do simple things while having powerful ‘read’ access to the built-in health app and the ability to copy these data or directly access the wearable device.
The top sport, workout and fitness apps with built-in health app integration were analyzed to see what problems they have, in order to better understand the overall health and fitness app security status. It is essential to know how developers secure health information and how much of that data is available to third parties. Third-party tools based on forensic techniques, or forensic tools themselves, might have access to data, bypassing the device and credentials. As such tools have comprehensive experience put into their code, you clearly understand what risks you have, what and how much data may leak, and how better to build your security use cases to reduce the discovered risks. Eventually, the results can be used as a comprehensive guide to assist app developers in producing legally compliant apps in keeping with high professional standards of user protection.
Malicious actors on the Internet are progressively using cryptocurrencies and digital forms of money to facilitate cybercrime. This presentation will walk you through an example case and show how to do forensic analysis of various transactions: identifying links and similarities, profiling and tracking crime using cryptocurrency, unmasking and identifying wallet providers, finding IP addresses, exploring dark-net and illegal marketplaces, searching for suspicious operations and following the transaction and money trails. We will also look at how we can find traces in decentralised cryptocurrency exchanges (DEX) and link them to the actual cybercrime.
Modern vehicles are equipped with a Tire Pressure Monitoring System (TPMS), a system that alerts the driver when the tire pressure is inappropriate. TPMS broadcasts an unencrypted data stream at known frequencies and has already attracted the attention of security researchers, who demonstrated the ability to spoof the transmission and cause an alert.
However, while previous research concluded that the worst-case scenario would be forcing the driver to pull over to inspect the vehicle, thereby facilitating some other illicit activity such as robbery or kidnapping, we will demonstrate an attack scenario that could quite possibly cause physical harm and, in extreme cases, maybe even loss of life.
In this talk we will quickly go over TPMS, show how to research it using Software Defined Radio and reach spoofing capability, and end by showing a proof of concept for our attack scenario.
*** Clarification: This is research in progress. ***
History repeats itself. All the time. If we learn the lessons from the past and are mindful of what has already happened within the science of hacking, we can move forward, spending time and energy on creating new technology and techniques and advancing the field. But we must never forget the instructive lessons of the past.
The talk will revolve around us red-teamers testing and penetrating banking, mobile wallet, and non-banking financial applications. We will cover bugs not only in payment gateways and frameworks but also in applications that fail to implement them properly. This will include bypassing AES-encrypted requests and logical bugs in numerous banking applications we tested. We will talk about techniques with which we were able to make recurring deposits into our account that get debited from victims’ accounts, view statements of arbitrary accounts, buy products for free, pay loan installments for free, pay credit card bills for free, make online recharges from victim accounts and regenerate ATM PINs of bank accounts en masse, among numerous other exploits, along with real-life case studies, patches, and recommendations.
Activists, journalists and human rights defenders work in hostile environments and are in constant danger as they deal with sensitive information. They are often exposed to targeted and sophisticated attacks.
We designed the Emergency VPN, which allows us to help people in danger by analyzing their mobile traffic. This way we can identify whether a device is infected or find vulnerabilities that may put the user at risk. However, the biggest challenge for the network analyst is to quickly and accurately detect malicious encrypted traffic. The speed of the analysis is a critical factor in this work.
To improve the speed of the analysis of HTTPS traffic, we combine specific features extracted from HTTPS traffic with state-of-the-art machine learning methods. In this talk we will show how this combination allowed us to increase the efficiency and accuracy of encrypted traffic analysis for people at risk. In a live demo, we will demonstrate the detection of malicious traffic on a mobile device.
In this talk we will review several ways to avoid a Gatekeeper check. According to Apple these are by design and not bypasses, but they still leave plenty of ways to execute code on a macOS system. We will also see how the new macOS Catalina changes these.
BlackEnergy/Sandworm is a well-known group operating at least since 2010 and famous, among other things, for its attacks on industrial control systems. It received much media attention in 2015, after an attack on a Ukrainian power grid company which resulted in power blackouts in several regions. Although the group remained under the radar for a while, it caught researchers’ attention again last year. Even though their toolset had completely changed over time, certain techniques remained the same, specifically the use of exploits for various software vendors’ products, including SCADA systems.
One specific zero-day vulnerability in a popular SCADA system, which the group exploited for several years to attack industrial organizations, remained unknown, and the Kaspersky Lab ICS CERT team investigated a possible attack scenario. We would like to tell you about the exploitation of the possible zero-day vulnerability in the vendor’s software and reconstruct the attack by showing a live demo.
The battle to discern whether the news is real or not has already begun. Generating fake content has never been so easy. Artificial Intelligence has become a useful resource for applying techniques for the easy generation of non-legitimate content.
These new tools have become a threat as generators of fake news, phishing campaigns and cunning fraud strategies.
In this talk, the most widespread techniques for the generation of deceitful content are explained from both technical and practical approaches.
The capabilities of state-of-the-art generative models (i.e., Variational Autoencoders and Generative Adversarial Networks) will be exemplified by generating a CEO fraud sample, including fake image generation and custom voice production.
Additionally, considering the large amount of fake content society is currently exposed to, different Machine Learning techniques to reveal spurious content will also be presented.
Nmap is a well-known software tool used widely by ethical hackers and network engineers. With its active discovery capabilities, revealing hosts on the target network can be a piece of cake.
However, what are the possibilities if our target sits on a type of network that behaves in a totally different manner from the comfortable world of Ethernet? How do we discover a network where there are no source addresses, no destination addresses, and no traditional acknowledgment? This sounds strange, right? Well, what if I told you that you use this network every day?
The ever-more-complex electronic systems within cars today still mostly rely on the traditional CAN bus, which is exactly such a strange network.
Our aim is to describe the possibilities for getting information from the nodes of an automotive CAN network with the help of our proof-of-concept tool: CANmap. In our presentation, we present a simple device that is capable of scanning the CAN-based protocols that are widely used in everyday vehicles.
The world is continuously evolving and many things become outdated. Cryptography is no different. While strong crypto should always be used, in time this strong crypto becomes weak due to advancements in cryptanalysis research and the constant improvement in the cost and availability of compute resources.
When strong crypto becomes weak, all related software needs to be updated. But this can be a challenge, as more often than not there are cases where a particular piece of software is either unmaintained or proprietary, and the software vendor is not cooperative enough to make this change. And what’s more, this piece of software cannot be easily replaced, for a number of reasons.
While there is no perfect go-to solution for every unique case, there may be a way for old/proprietary/unmaintained software based on OpenSSL to be fixed. OpenSSL has a pluggable, extensible architecture called “engines”, which allows for the addition or replacement of cryptographic algorithm implementations without having to completely recompile the whole thing. However, the ability to use this functionality requires support from the linked application; the application itself needs additional code to hot-swap OpenSSL engines, which most applications lack.
Luckily, to fix such applications, dynamic linker code preloading can be used, a feature supported by most modern operating systems. This talk walks through a hypothetical scenario in which a proprietary tool based on OpenSSL using weak cryptography needs to be fixed.
The WebSocket protocol is many times more efficient than HTTP. In recent years we can observe that developers tend to implement functionality in the form of WebSocket APIs instead of traditional REST APIs that use HTTP. Modern technologies and frameworks simplify the building of efficient WebSocket APIs; we can name GraphQL subscriptions or WebSocket API support in Amazon API Gateway.
WebSocket APIs have a different security model compared to REST APIs, resulting in unique attack vectors. Nevertheless, developers rarely take them into account.
WebSockets in browsers do not use the same-origin policy (SOP); their security model is based on an origin check. Out of the box, WebSockets provide no authentication and authorization mechanisms. The WebSocket protocol is stateful and has two main phases: the handshake and the data transfer phase. Most of the time, authentication and authorization logic is implemented in the handshake phase, while the subsequent data transfer has no such mechanisms. Usually, this leads to severe security issues.
We will talk about CSRF, authorization bypass and IDOR issues found in real web applications and disclosed through bug bounty programs.
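Added example (editor's illustration, not code from the talk): the two failure modes the abstract names, side by side. The handshake validator does the exact-match Origin check that stands in for SOP (browsers still attach cookies to a cross-site upgrade request, so a missing or sloppy check is cross-site WebSocket hijacking), and the two frame handlers show a server that authenticated only at handshake time versus one that authorizes every frame against the session. The allow-listed origin, the session store and the account data are constructed for the demo; the Sec-WebSocket-Accept computation is the one defined in RFC 6455.

```python
"""Origin check at the WebSocket handshake, plus per-frame authorization.

Added illustration; ALLOWED_ORIGINS, SESSION_OF_COOKIE and the account
tables are constructed sample data, not a real deployment.
"""
import base64
import hashlib
import json

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # RFC 6455 section 4.2.2
ALLOWED_ORIGINS = {"https://app.example"}           # assumed front-end origin

# Constructed sample state (hypothetical users and accounts).
SESSION_OF_COOKIE = {"sid=a1": "alice", "sid=b2": "bob"}
ACCOUNT_OWNER = {"acc-100": "alice", "acc-200": "bob"}
STATEMENTS = {"acc-100": "alice's statement", "acc-200": "bob's statement"}


def accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept derived from Sec-WebSocket-Key, per RFC 6455."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def handshake(headers: dict) -> dict:
    """Validate the upgrade request and bind a session to the connection.

    The Origin header is set by the browser and cannot be forged by page
    script, so an exact allow-list match is the CSWSH defence. Prefix or
    substring matching ('startswith("https://app.example")') reopens the hole.
    """
    if headers.get("Upgrade", "").lower() != "websocket":
        raise PermissionError("not a websocket upgrade")
    if headers.get("Origin") not in ALLOWED_ORIGINS:
        raise PermissionError("origin not allowed")
    user = SESSION_OF_COOKIE.get(headers.get("Cookie", ""))
    if user is None:
        raise PermissionError("unauthenticated")
    return {"user": user, "accept": accept_key(headers["Sec-WebSocket-Key"])}


def handle_frame_vulnerable(session: dict, frame: str) -> str:
    """Handshake-only auth: every later frame is trusted as-is, so any
    logged-in user can read any account (IDOR)."""
    msg = json.loads(frame)
    if msg.get("op") == "statement":
        return STATEMENTS[msg["account"]]
    return "unknown op"


def handle_frame_hardened(session: dict, frame: str) -> str:
    """Authorize each frame against the identity bound at the handshake."""
    msg = json.loads(frame)
    if msg.get("op") == "statement":
        acct = msg["account"]
        if ACCOUNT_OWNER.get(acct) != session["user"]:
            return "forbidden"
        return STATEMENTS[acct]
    return "unknown op"


if __name__ == "__main__":
    hdr = {"Upgrade": "websocket", "Origin": "https://app.example",
           "Cookie": "sid=b2", "Sec-WebSocket-Key": "dGhlIHNhbXBsZSBub25jZQ=="}
    s = handshake(hdr)
    req = '{"op": "statement", "account": "acc-100"}'
    print("vulnerable:", handle_frame_vulnerable(s, req))
    print("hardened:  ", handle_frame_hardened(s, req))
```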
This talk will cover attacks on popular GSM devices: GSM alarms, GSM controllers for smart homes, industrial GSM controllers, access control systems, GSM locks, some communication systems and smartwatches for kids. They are very easy to use: usually, the user inserts a SIM card into a controller and the GSM device is ready to use. However, the security of these devices is questionable.
This talk will cover attacks on the GSM controllers present in the aforementioned devices, as those seem ripe with insecurities.
This talk will also cover the different problems that were found during the research, as well as critical flaws.
Remediation is a crucial step when recovering from an incident. Proactively implementing security controls and hardening an environment doesn’t need to wait until AFTER an incident has occurred. The presenter will detail common remediation strategies that are used when responding to breaches, in addition to risk-reduction methods that align to proactively applying a remediation strategy.
If you want to gain control over IoT devices, first you have to discover and locate them. Then you can decide whether you need them or should block them. IoT devices do not necessarily have an IP or MAC address, so the well-known scanners are unable to discover them. We have to check the ISM bands and the licensed bands, including the GSM and LTE bands. When you find the signal source in the air, you can locate, inspect and control it.
If the names Turla, Sofacy and APT29 strike fear into your heart, you are not alone. These are known to be some of the most advanced, sophisticated and notorious APT groups out there. These Russian-attributed actors are part of a bigger picture in which Russia is one of the strongest powers in cyberwarfare today.
The fog behind these complicated operations made us realize that while we know a lot about single actors, we are short of seeing the bigger picture. We decided to look at things from a broader perspective. This led us to gather, classify and analyze thousands of Russian APT malware samples in order to find connections, not only between samples but also between different families and actors.
In this talk, we will describe the process of our research. Namely, we will show how the technologies at our disposal allowed us to take a deep dive into this malware’s binary DNA in order to spot the mutual Genes that are shared between Russia’s APT families and actors.
While to the rest of the world social media are friendly platforms for communication and sharing, for OSINT analysts, hackers, social engineers and attackers they are targeting and information-harvesting platforms. Undoubtedly, online presence is important to all of us. But despite the benefits social networking can create, a strong online presence can also create vulnerabilities.
This talk will demonstrate how one’s online presence on social media can attract social engineers to target and victimize them in order to “open doors” through organizational security. It will also discuss how social engineers and penetration testers can utilize social media for their engagements in creative ways and to identify their pretexts.
The talk covers the topic of information gathering through social media (a discipline called Social Media Intelligence, or SOCMINT, a sub-division of OSINT) and explains how even seemingly innocent information can be used to manipulate and victimize targets. Case studies will be provided. A two-part demonstration is included on how a hacker’s mind works when harvesting information on social media. The first part includes real examples of posts that expose vulnerabilities, attract attackers and ultimately lead to security breaches. The second part includes a demonstration of how personal information provided online is gathered, categorized, analyzed and then used to craft an attack, as well as how one ends up revealing more online than one intends to.
As the title suggests, this is a journey into reverse engineering ATM malware and building skimmers, black boxes and other equipment, all in the name of education and, as a result, on a budget. Started about three years ago, the goal of the project was to build a demonstration environment for all major attack vectors against ATMs while using only publicly available resources. Hacking ATMs is an all-in-one challenge for hackers, since it combines hardware security, electronics, networks and software security in a single package. It is also an area of IT security which is surrounded by a more than usual amount of secrecy; simply getting access to some hardware to legitimately hack is in itself a challenge, and the hacking starts after that.
My name is Onix. I’m mostly made out of C++. My whole life is indexing for fast searching purposes. I do it so well, Adobe decided to adopt me back in 2003. I was having a great time with my new parents. I did what I’m supposed to do for one of their products, indexing for fast searching purposes in Adobe Reader. For 15 years I stayed under cover. No one knew about me, or what I do.
I was happy. I did what I had to do without raising any flags. Until one day…
A human who works at an organization known as Trend Micro’s Zero Day Initiative (ZDI) decided to take a closer look at me. He started analyzing all my indexing and fast searching functionalities and examining my innermost details. Something drew him to me…and he saw that I was not up-to-date. He kept looking, and he started pointing out my defects. He told my parents. They were not happy. They went back to my biological parents. They were not happy either. They tried to correct my defects…once… twice… but, no dice… And those mean people at the ZDI started giving me Pokémon names.
Throughout this presentation, I will talk about how I – and all my flaws – went undetected for 15 years. I will also talk about the defects that were found in my code along with the final decision taken by my adopted parents… my complete removal from Adobe Reader.
Those ZDI guys sure know how to ruin a good time.
Today all vehicles are connected through V2X technologies. All manufacturers are coming up with new technologies that can be added to the vehicle industry, like fleet management systems, diagnostic toolsets, etc. These systems come from third-party vendors and are still in a vulnerable state, so addressing their weaknesses requires a specific skillset in cybersecurity as well as in attack mitigation for the vehicle industry. The mitigation part (making an ADS) requires huge and niche expertise in the vehicle industry. No one has shown how to mitigate these vehicle attacks through ADS systems at any conference. In this talk I will show you how to make an ADS (anomaly detection system) to mitigate vehicle cybersecurity attacks against the CAN bus and LIN protocols.
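Added example (editor's illustration, not the speaker's ADS): the simplest anomaly detector that actually catches CAN frame injection. Most periodic CAN traffic has a fixed cycle time per arbitration ID, so a profile of the mean inter-arrival time per ID learned from a clean trace is enough to flag a frame that shows up far too soon after its predecessor (an injected frame competing with the genuine sender) and any ID that never appeared during training (such as a diagnostic request the ECU never expects in normal driving). The candump-style trace is constructed inside the code, not captured from a vehicle, and the chosen IDs and periods are arbitrary.

```python
"""Timing-based CAN anomaly detection over a candump -L style log.

Added illustration. The trace is synthetic: IDs 0x0C8 (10 ms cycle) and
0x1A0 (20 ms cycle) are constructed, not recorded from a real vehicle.
"""
import re
from collections import defaultdict
from statistics import mean

# "(timestamp) iface ID#HEXDATA", as printed by candump -L
LINE_RE = re.compile(r"\((?P<ts>\d+\.\d+)\)\s+\S+\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)")


def parse_candump(lines):
    """Return (timestamp, arbitration id, payload) tuples sorted by time."""
    frames = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            frames.append((float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])))
    return sorted(frames)


def learn_profile(frames, min_samples=3):
    """Training phase on a trace assumed clean: mean cycle time per ID."""
    last, gaps = {}, defaultdict(list)
    for ts, cid, _ in frames:
        if cid in last:
            gaps[cid].append(ts - last[cid])
        last[cid] = ts
    return {cid: mean(g) for cid, g in gaps.items() if len(g) >= min_samples}


def detect(frames, profile, min_ratio=0.5):
    """Detection phase: flag unknown IDs and frames arriving at more than
    1/min_ratio times the learned rate. Returns (ts, id, reason) tuples."""
    alerts, last = [], {}
    for ts, cid, _ in frames:
        if cid not in profile:
            alerts.append((ts, f"{cid:03X}", "arbitration id never seen in training"))
            continue
        if cid in last:
            gap = ts - last[cid]
            if gap < profile[cid] * min_ratio:
                alerts.append((ts, f"{cid:03X}",
                               f"arrived {gap:.4f}s after previous, expected about {profile[cid]:.4f}s"))
        last[cid] = ts
    return alerts


def constructed_trace(attack=False):
    """Synthetic log: 0x0C8 every 10 ms, 0x1A0 every 20 ms over 200 ms. With
    attack=True an extra 0x0C8 is injected 1 ms after a genuine one and an
    unexpected 0x7DF (OBD functional request) appears."""
    t0 = 1565000000.0
    events = []
    for i in range(20):
        t = t0 + i * 0.010
        events.append((t, f"({t:.6f}) can0 0C8#{i:02X}000000"))
        if i % 2 == 0:
            events.append((t + 0.0005, f"({t + 0.0005:.6f}) can0 1A0#00{i:02X}"))
    if attack:
        t = t0 + 0.101
        events.append((t, f"({t:.6f}) can0 0C8#FF000000"))
        t = t0 + 0.150
        events.append((t, f"({t:.6f}) can0 7DF#0210010000000000"))
    return [line for _, line in sorted(events)]


if __name__ == "__main__":
    profile = learn_profile(parse_candump(constructed_trace()))
    for alert in detect(parse_candump(constructed_trace(attack=True)), profile):
        print(alert)
```

A real ADS would add per-ID payload plausibility (the talk's LIN and CAN signal semantics) and a jitter tolerance learned per ID, but timing alone already defeats the naive "replay a frame faster than the ECU" injection that most public CAN attacks rely on.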
Enabling two-factor authentication for any online account is a necessity these days. Most common phishing attacks aim to steal login credentials, which are often not enough to give attackers full access to targeted accounts. Since most attackers are unable to get hold of external authentication devices, multi-factor authentication (MFA) is widely proclaimed to be a silver bullet against all phishing attempts. I will challenge that thought and try to prove otherwise while demonstrating the Evilginx phishing framework.
During the talk you will see how an attacker, armed with the right tools, can perform a successful phishing attack on an account with 2FA enabled. The attack will result in full account takeover, despite the additional security measures.
I will also explain how websites and end-users can protect themselves from this new strain of phishing attacks.
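Added example (editor's illustration, not from the talk or from Evilginx): the abstract does not name the website-side defence, so this block assumes one that is immune to a reverse-proxy phisher by construction, an origin-bound authenticator (FIDO2/WebAuthn). The browser, not the page, writes the real origin into clientDataJSON, and the authenticator signs over its hash, so a proxy on a look-alike domain cannot relay a usable assertion: the relying party sees the phishing origin and rejects it. Only the clientDataJSON checks are shown; signature verification over authenticatorData and the clientDataJSON hash is omitted. The origin and challenge values are constructed.

```python
"""Relying-party checks on WebAuthn clientDataJSON that defeat proxy phishing.

Added illustration. EXPECTED_ORIGIN and the challenge are constructed;
signature verification of the assertion is out of scope here.
"""
import base64
import hmac
import json
import os

EXPECTED_ORIGIN = "https://login.example"   # assumed relying-party origin


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def new_challenge() -> bytes:
    """Per-ceremony random challenge, stored server-side until the response."""
    return os.urandom(32)


def make_client_data(origin: str, challenge: bytes) -> str:
    """What the browser assembles for navigator.credentials.get(). The origin
    field comes from the browser's view of the page, so a phishing proxy
    serving the page from its own domain gets its own domain written here."""
    cd = {"type": "webauthn.get",
          "challenge": _b64url_encode(challenge),
          "origin": origin}
    return _b64url_encode(json.dumps(cd).encode("utf-8"))


def verify_client_data(client_data_b64: str, expected_challenge: bytes):
    """Server-side validation of clientDataJSON. Returns (ok, reason)."""
    cd = json.loads(_b64url_decode(client_data_b64))
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    got = _b64url_decode(cd.get("challenge", ""))
    if not hmac.compare_digest(got, expected_challenge):
        return False, "challenge mismatch (replayed or foreign session)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    return True, "ok"


if __name__ == "__main__":
    ch = new_challenge()
    print(verify_client_data(make_client_data("https://login.example", ch), ch))
    # The same ceremony relayed through a proxy on a look-alike domain:
    print(verify_client_data(make_client_data("https://login.example.attacker.test", ch), ch))
```

Compare this with a TOTP code: the code is origin-agnostic, so whatever the user types into the proxied page is just as valid when the proxy forwards it to the real site, which is exactly the relay the talk demonstrates.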
You have probably seen some security incidents that were not handled adequately. Are people doing a good job of preventing incidents? Some organizations do a decent job at it; others are hard at work convincing themselves and their colleagues that there are no problems, except for the existence of researchers who are looking for security issues. In this talk, I will show you some of the best organizations that I have had a chance of working for as a security researcher (bug bounty hunter) and will show you some of the hottest zero-day exploits I’ve had at my disposal. The story does not end there, though: professional hypocrisy is rampant in the industry, and Hungary has no shortage of incompetent companies and incidents where security researchers are treated as criminals. Designing sophisticated and sustainable systems is in the interest of the public, yet the criminalization of valuable research is not only destroying the lives of researchers, it is an active and strong inhibitor of technological progress.
Starting as a developer’s best friend, the Android Debug Bridge has turned into a security nightmare as time has passed. While having an open port available for debugging over the internet sounds great, forgetting to turn off that service in a production environment can spell big trouble for you or even your customers. My analysis will be of the protocol, the worms abusing it and how I discovered it all after putting my freshly built honeypot up.
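Added example (editor's illustration, not the speaker's honeypot code): a parser for the ADB wire format that a honeypot listening on 5555/tcp has to speak. Every ADB message is a 24-byte little-endian header of six 32-bit words (command, arg0, arg1, data_length, data_check, magic) followed by the payload; data_check is the byte sum of the payload and magic is the bitwise complement of the command, which is a cheap way to reject junk hitting the port. A worm first sends CNXN and then OPEN with a destination string such as shell:..., so pulling the OPEN destinations out of a session is the triage a honeypot operator wants. The captured session below is constructed, not a real worm sample.

```python
"""Parse ADB transport messages and pull OPEN destinations out of a session.

Added illustration. The session bytes are constructed here, not a capture.
"""
import struct

ADB_HEADER = struct.Struct("<6I")   # command, arg0, arg1, length, checksum, magic
HEADER_LEN = ADB_HEADER.size        # 24 bytes


def cmd_id(name: bytes) -> int:
    """Four ASCII letters packed little-endian, e.g. b'CNXN' -> 0x4E584E43."""
    return struct.unpack("<I", name)[0]


CNXN, OPEN, OKAY, WRTE = (cmd_id(b"CNXN"), cmd_id(b"OPEN"), cmd_id(b"OKAY"), cmd_id(b"WRTE"))
A_VERSION_OLD = 0x01000000          # protocol version announced in CNXN arg0
MAX_PAYLOAD = 4096                  # CNXN arg1 for the classic protocol


def adb_checksum(payload: bytes) -> int:
    return sum(payload) & 0xFFFFFFFF


def build_message(command: int, arg0: int, arg1: int, payload: bytes = b"") -> bytes:
    header = ADB_HEADER.pack(command, arg0, arg1, len(payload),
                             adb_checksum(payload), command ^ 0xFFFFFFFF)
    return header + payload


def parse_message(buf: bytes):
    """Return (message dict, remaining bytes); raise ValueError on malformed input."""
    if len(buf) < HEADER_LEN:
        raise ValueError("short header")
    command, arg0, arg1, length, check, magic = ADB_HEADER.unpack_from(buf)
    if magic != command ^ 0xFFFFFFFF:
        raise ValueError("bad magic: not an ADB message")
    payload = buf[HEADER_LEN:HEADER_LEN + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if adb_checksum(payload) != check:
        raise ValueError("payload checksum mismatch")
    msg = {"command": struct.pack("<I", command).decode("ascii", "replace"),
           "arg0": arg0, "arg1": arg1, "payload": payload}
    return msg, buf[HEADER_LEN + length:]


def open_destinations(session: bytes):
    """Walk a raw client-to-device stream and list what the peer tried to OPEN."""
    found = []
    while session:
        msg, session = parse_message(session)
        if msg["command"] == "OPEN":
            found.append(msg["payload"].rstrip(b"\x00").decode("ascii", "replace"))
    return found


def constructed_session() -> bytes:
    """Synthetic client stream: handshake, then two service opens."""
    return (build_message(CNXN, A_VERSION_OLD, MAX_PAYLOAD, b"host::\x00")
            + build_message(OPEN, 1, 0, b"shell:id\x00")
            + build_message(OPEN, 2, 0, b"sync:\x00"))


if __name__ == "__main__":
    print(open_destinations(constructed_session()))
```

On a honeypot the interesting signal is the OPEN destination: shell: with a download-and-execute one-liner, or sync: followed by a push of a binary, is the pattern the talk attributes to the ADB worms.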
The information security domain, now infamously called cybersecurity, is constantly evolving and has changed quite a lot in the last decade in order to provide more and more sophisticated, (bug-free) and complete tools. Their number and quality have both increased, but as security people are still not (great) developers, the same mistakes live on, especially regarding ease of installation, maintenance and, last but not least, the ability to scale. The main goal of this talk is to take a step back from this last decade of awesome tool tailoring by presenting the results of a quantitative study of 2000+ of them, as well as giving key advice to make your tool great (again).
On the second day, the Security Dome is going to transform into a so-called HackCenter, which is going to be heaven for hackers who want to solve some exciting challenges, share their thoughts with each other, look for a solution to a specific problem, or just ask questions about a certain topic.
There will also be 5-10 minute pop-up talks where hackers can present their ideas or try out their presentation skills. Do you have a topic or an idea that’s not fully developed? Bring it in and we’ll help you work it out! Maybe you can finalize and present it at the next BSidesBUD conference! Send an e-mail to [email protected] to get on the schedule!
Stay tuned for more detailed information on the program of HackCenter!
If you like CTF games, you will have the opportunity to try your skills at the conference as well! Visit the HackCenter and take part in the CTF challenges created by SecureITeam and the Hackerspace squads of Budapest and Szeged! As always, teams will compete over the two days, but instead of simply awarding the first team, there will be another challenge at the end of the second day. The first and second teams can take part in the SPEED HACKING COMPETITION. (The whole team can participate, but only one team member can sit in front of the computer.) Three medium-difficulty challenges have to be solved in less than 90 minutes to win the CTF. What makes this interesting is that players have to log in to a jumpbox (Kali Linux), and the screens of these jumpboxes will be displayed on a projector. Conference attendees will be able to follow how the best players play CTF in real time. To make things even more interesting, two commentators will spice up the competition.
Key takeaways of SPEED HACKING:
- CTF players can show who is the king of the hill.
- Conference attendees can learn from the best.