Electronic Frontier Foundation
CERT-EU
CERT-EU
Talos
Talos
GoSecure
Payatu Software Labs LLP.
Silesia Security Lab
ESET
FireEye / Mandiant
Agarri
RSM Partners
SpecterOps
Coming soon...
Eva Galperin Director of Cybersecurity, Electronic Frontier Foundation
Eva Galperin is EFF's Director of Cybersecurity. Prior to 2007, when she came to work for EFF, Eva worked in security and IT in Silicon Valley and earned degrees in Political Science and International Relations from SFSU. Her work is primarily focused on providing privacy and security for vulnerable populations around the world. To that end, she has applied the combination of her political science and technical background to everything from organizing EFF's Tor Relay Challenge, to writing privacy and security training materials (including Surveillance Self Defense and the Digital First Aid Kit), and publishing research on malware in Syria, Vietnam, Kazakhstan. When she is not collecting new and exotic malware, she practices aerial circus arts and learning new languages.
Cisco Talos identified an espionage campaign that mainly targeted Middle East that we named "DNSpionage". First, we will describe a malware targeting several government agencies in the Middle East, as well as an airline. During the research process for DNSpionage, we also discovered an effort to redirect DNSs from the targets and registered SSL certificates for them. We identified a dozen of countries targeted by this redirection. The January 22nd, U.S. DHS published a directive concerning this attack vector. In this presentation, we will present the timeline for these events and their technical details.
Warren Mercer Security researcher, Talos
Warren Mercer joined Talos coming from a network security background, having previously worked for other vendors and the financial sector. Focusing on security research and threat intelligence, Warren finds himself in the deep, dark and dirty areas of the Internet and enjoys the thrill of the chase when it comes to tracking down new malware and the bad guys! Warren has spent time in various roles throughout his career, ranging from NOC engineer to leading teams of other passionate security engineers. Warren enjoys keeping up to speed with all the latest security trends, gadgets and gizmos; anything that makes his life easier in work helps!
Cisco Talos identified an espionage campaign that mainly targeted Middle East that we named "DNSpionage". First, we will describe a malware targeting several government agencies in the Middle East, as well as an airline. During the research process for DNSpionage, we also discovered an effort to redirect DNSs from the targets and registered SSL certificates for them. We identified a dozen of countries targeted by this redirection. The January 22nd, U.S. DHS published a directive concerning this attack vector. In this presentation, we will present the timeline for these events and their technical details.
Paul Rascagnères Security Researcher, Talos
Paul is a security researcher within Talos, Cisco’s threat intelligence and research organization. As a researcher, he performs investigations to identify new threats and presents his findings as publications and at international security conferences throughout the world. He has been involved in security research for 7 years, mainly focusing on malware analysis, malware hunting and more specially on Advanced Persistence Threat campaigns and rootkit capabilities. He previously worked for several incident response team within the private and public sectors.
Nicolas Gregoire Web Hacker, Bug Hunter, Trainer, Agarri
Nicolas Gregoire has more than 15 years of experience in penetration testing and auditing of networks and (mostly Web) applications. He is an official Burp Suite Pro trainer since 2015, and trained hundreds of people since then.
Outside of that, he founded Agarri, a small company where he finds security bugs for customers and for fun. His research was presented at numerous conferences around the world (Netherlands, Germany, Switzerland, France, Russia, Canada, India, ...) and he was publicly thanked by numerous vendors for responsibly disclosing vulnerabilities in their products and services, directly or through bug bounty programs.
Dawid Czagan Bug Hunter, Trainer, Silesia Security Lab
Dawid Czagan (@dawidczagan) is an internationally recognized security researcher, trainer, and author of online security courses. He is listed among Top 10 Hackers (HackerOne). Dawid Czagan has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter and other companies. Due to the severity of many bugs, he received numerous awards for his findings.
Dawid Czagan shares his security bug hunting experience in his hands-on trainings “Hacking Web Applications – Case Studies of Award-Winning Bugs in Google, Yahoo, Mozilla and More” and “Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation”. He delivered security training courses at key industry conferences such as Hack In The Box (Amsterdam), CanSecWest (Vancouver), 44CON (London), Hack In Paris (Paris), DeepSec (Vienna), HITB GSEC (Singapore), BruCON (Ghent) and for many corporate clients. His students include security specialists from Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips and government sector (recommendations: https://silesiasecuritylab.com/services/training/#opinions).
Dawid Czagan is a founder and CEO at Silesia Security Lab – a company which delivers specialized security testing and training services. He is also an author of online security courses. To find out about the latest in Dawid Czagan’s work, you are invited to subscribe to his newsletter and follow him on Twitter (@dawidczagan).
Ashfaq Ansari Vulnerability Researcher, Payatu Software Labs LLP.
Ashfaq Ansari a.k.a "HackSysTeam", is a vulnerability researcher and specializes in software exploitation. He has authored "HackSys Extreme Vulnerable Driver (HEVD)" which has helped many folks to get started with Windows kernel exploitation. He holds numerous CVEs under his belt and is the instructor of "Windows Kernel Exploitation" course. His core interest lies in Low Level Software Exploitation both in User and Kernel Mode, Vulnerability Research, Reverse Engineering, Hybrid Fuzzing and Program Analysis.
Filip Kafka Malware Researcher, ESET
Filip Kafka is a malware researcher at ESET's Malware Analysis Laboratory. His main responsibilities include detailed malware analyses and training new reverse engineers in the ESET Virus Lab, but his professional interests, as well as his latest research, focus on APTs. He is a regular speaker at security conferences including the Virus Bulletin conference, the AVAR conference, Caro Workshop and NorthSec conference. He has also been speaking at various events aimed at raising awareness about malware and computer security, presented for local universities. His teaching experience includes running reverse engineering and malware research workshops in London, Brno or Bratislava, and regularly lecturing a reverse engineering course at the Slovak University of Technology and the Comenius University.
Trainers to be determined , FireEye / Mandiant
Specific instructor will be determined soon. All of our instructors are security professionals with years of security experience. FireEye instructors have extensive experience working with FireEye solutions; and Mandiant instructors have applied their skills on the frontlines of major cyber incidents around the world.
Mainframes, the once thought unhackable are now anything but. This talk will cover the following:
Philip Young, aka Soldier of FORTRAN, is a leading expert in all things mainframe hacking. Having spoken and taught at conferences around the world, including DEFCON, RSA, BlackHat and keynoting at both SHARE and GSE Europe, he has established himself as the thought leader in mainframe penetration testing. Since 2013 Philip has released tools to aid in the testing of mainframe security and contributed to multiple opensource projects including Nmap, allowing those with little mainframe capabilities the chance to test their mainframes. In addition to speaking, he has built mainframe security programs for multiple Fortune 100 organizations starting from the ground up to creating a repeatable testing program using both vendor and public toolsets. His hope is that through raising awareness about mainframe security more organizations will take their risk profile seriously.
Chad Rikansrud Director of North American Operations, RSM Partners
Chad Rikansrud, aka Big Endian Smalls, is the Director of North American Operations for RSM Partners - a world leader in IBM mainframe security consulting services. Chad is a nationally recognized security industry speaker, with appearances at: DEF CON, RSA2017, SHARE, and other regional conferences. Most of Chad's 20-year career has been in technology leadership for the financial services industry where he has held various senior leadership positions, including worldwide datacenter operations, infrastructure and recovery responsibility, as well as enterprise-wide system z storage
The purpose of the workshop is to improve students red teaming capabilities and stealthiness by covering the following topics:
project management:
Initial foothold:
lateral movement:
post exploitation (I have Domain Admin, then what?):
The hands-on lab will cover all of these sections.
a computer is required with windows and linux (VMs are fine)
participants need to have basic windows and programming skills.
programming languages:
With more than 9 years of experience delivering Information Technology and Information Security services to various government and commercial clients such as a banks, nuclear industry and lay firms. Having the opportunity to perform RedTeam against complex and secured environment allowed him to develop a certain expertise that can be used to navigate through the target network without being detected. Since 2014 I'm also the proud owner of the RingZer0 Team website that have more than 25 000 members worldwide. The RingZer0 Team website is a hacking learning platform.
Have you ever wondered, 'What if?' in a pentest? Are movies like 'Die Hard' a source of inspiration for your next red team? If so, this talk is for you!
This presentation will present a good list of bad ideas; how to evacuate a building, fake your own death and other similar capers!
This talk will also cover some bad ideas on the defensive teams, new DoS techniques, a new idea to improve your phishing game, stupid ways to persist and other simple bypass that you should not try at home.
Laurent is a team lead for a large security consulting firm, based in Montreal. He has conducted over 200 pentesting and red team engagements over the span of 10 years and is still enthusiatic about it. Laurent is also a challenge designer for Northsec and has given talks to CQSI, NCFTA, HackFest, RSI, Montrehack, Owasp Montreal and Northsec. Besides security, Laurent is interested in Lockpicking, magic and pickpocketting.
Disassembly is a well-known problem in the reverse-engineering community, but designing and building a disassembler engine able to deal with architectures like MIPS, ARM/ARM64 and x86/x64 at the same time, compiled by classic compilers or custom obfuscators, is a long and difficult road.
While translating individual instructions to their corresponding assembly representations is doable, producing a correct and complete representation of a whole executable is indeed another story. This adventure includes dealing with numerous compilers’ peculiarities, such as switch-case constructions, position-independent code and control-flow optimizations, while struggling with theoretically intractable questions, such as code and data distinction.
In this talk, we would like to dig into the internals of our own disassembler engine, which is part of JEB reverse-engineering platform. This component produces an assembly-like representation of a whole binary object, in particular for MIPS, ARM/ARM64 and x86/x64 executables, and has been developed fully in-house over the last three years.
During this presentation, we will describe in particular:
the design choices behind our disassembler engine. We will explain how we developed most of the logic in a generic way, while trying to keep architecture-specific parts contained, and how the disassembler employs different strategies depending of the architecture and the identified compiler.
the use of a so-called “advanced” analysis pass, based on a custom intermediate representation (IR), which allows us to compute possible runtime values in the same way on all architectures. We will explain in particular the design of our IR, and the way we translated native instructions to the IR.
the implementation of signatures on machine code, such that classic statically linked libraries are automatically identified. We will dig into the problems that the generation, storage and matching of such signatures brought.
the various techniques and tests we developed to assess the disassembler correctness.
Finally, dealing with several (quite different) architectures forced us to very often reassess our assumptions on what machine code is supposed to look like. Throughout this presentation, we will describe the mistakes and wrong assumptions we made, in the hope that it will be useful to fellow security researchers dealing with machine code.
WebAssembly (WASM) is a new binary format currently supported by all major browsers (Firefox, Chrome, WebKit /Safari and Microsoft Edge) and executed inside JS scripts. It is already used for malicious purposes like Cryptojacking and can be found inside some web-browsers addons.
In this workshop, I will first introduce WebAssembly concepts and why it’s consider as a “game changer for the web”. Secondly, I will expose different techniques (Static/Dynamic analysis) and tools (Octopus, Wasabi, ...) to perform a WebAssembly module analysis. Finally, we will hands-on with basic examples (crackmes) and go throws some real-life cryptominer and web-browsers plugins using WebAssembly module. Along the talk, I will only used open source tools.
Laptop with admin rights (for installing the tools)
Python: notion Reversing: notion
Patrick Ventuzelo is a French security researcher specializing in Vulnerability research, Reverse engineering, Security tool development, and Program analysis. Patrick is the author of Octopus, the first Open-source security analysis tool that support WebAssembly and multiple Blockchain Smart Contract to help researchers perform Analysis on closed-source bytecode.
Currently, Patrick is mainly focus on developing automatic Binary Analysis and Transaction Tracking technique for Quoscient GmbH. Previously, he worked for P1 Security, the French Department Of Defense and Airbus D&S Cybersecurity.
Patrick has been Speaker and Trainer at various international security conferences (BlackAlps, hack.lu, Toorcon, REcon Montreal/Brussels, SSTIC)
As application security gained in popularity and maturity, attackers and researchers have turned to more creative methods for exploiting web applications. In 2017, security researcher Omer Gil introduced the Web Cache Deception attack. This attack, while trivial to understand and leverage, showed the potential of attacking caching mechanisms instead of targeting the application itself in order to extract sensitive information. In 2018, GoSecure introduced a new class of attack known as Edge Side Include Injections, exploiting a design flaw introduced nearly two decades ago in popular caching servers and cache providing solutions. Again in 2018, James Kettle released his research on Web Cache Poisoning, which leverages unkeyed input to reflect arbitrary data in an HTTP response in order to get a cross-site-scripting payload cached across users.
The findings from this research show the obvious flaws we failed to identify in caching specifications for so long. This talk aims to be a precautionary tale for the next time you need to implement a web caching solution by providing a practical overview of caching attacks in web applications. We'll look at attacks targeting both modern and legacy web applications, how to detect these design oversights and leverage them, and more importantly how to mitigate them.
Louis Dion-Marcil is a consultant working for Mandiant. He specializes in offensive appsec and pentesting medium to large scale organizations. A seasoned CTF participant and sometimes finalist with the DCIETS team, he has also written challenges for various competitions. His prior research at GoSecure introduced a new class of attack, coined Edge Side Include Injection, which was presented at BlackHat and DEF CON in 2018.
User-centric security and privacy conversations are based around best-practices or a binary of what to do and what not to do. This has been detrimental to practical conversations around user security and privacy. In the context of digital sexual expression, users are typically shamed and told not to engage in those activities without providing an alternative.
Harm reduction provides an alternative framework that can be used. At its core, harm reduction is based around making risky behaviors safer. It has successfully been used for public health programming around drug use and sexual activities.
This talk will introduce harm reduction as a framework for user-centric security and privacy and walk through an example based on research around gay dating apps. Through this case study, I will discuss some of the ways that taking a harm reduction approach shifted security expectations and priorities to recommend practical features that had major implications for user safety.
Security and privacy harm reduction is still a developing conversation. This talk is aimed at a wide audience to introduce harm reduction as a framework with the goal of improving the methods and practices around user-centric security and privacy.
Norman Shamas is a security and privacy harm reduction specialist. They work with activists globally and have a particular focus on sex workers, queer, trans*, and gender nonconforming communities. Norman works an independent consultant and is a member of Open Privacy's board of directors.
The last few years have seen a meteoric rise in HTTPS adoption on the web. At this stage, complete adoption is a feasible goal. To get there, it's going to have to be easy for every operator behind every website to turn on HTTPS.
Certbot is EFF's tool for getting automated certificates from Let's Encrypt. Certbot makes getting certificates easier, but how much easier? And which groups of users get left behind?
The Certbot team ran usability studies to find out how people were conceptualizing and using tooling around HTTPS. This talk will cover our (often surprising) results, lessons we learned, and how we're using what we learned to make Certbot more helpful for more people.
Erica Portnoy is a technologist at the Electronic Frontier Foundation (EFF). She develops the Let's Encrypt client Certbot, which makes it easy for people who run websites to turn on https, keeping their users private and secure against network-based attackers. She writes and speaks about encryption in practice, including what people need from secure messaging providers and what the next generation of encryption in the cloud might look like. Erica also works on EFF's net neutrality project, writing technical filings and opinion pieces and organizing technologists from the networking industry to speak up for technical accuracy in policy decisions.
This workshop is an introduction to Return Oriented Programming. The workshop aims to be fitting for people with varying background, as it starts easy and with detailed explanation on hands-on exercises but increases difficulty over time. The workshop is a good fit for attendees who already know about buffer overflows but want to go further. For them it's a perfect next step which will take their exploiting skills to the next level!
The basic example of exploiting a buffer overflow is pushing shellcode on the stack and jumping to it. This is successful when there are no security mechanisms. But how can we get a shell if the stack is not executable? Return Oriented Programming (ROP) is a neat technique to defeat this protection.
In this workshop, we will step up the game by turning on the NX-bit and using ROP to exploit the buffer overflow anyway. The basic idea of ROP is to use code snippets that are already in the binary. This way, we can put the shellcode together like we would tinker a blackmailing letter from old newsletters, putting the fitting pieces one after another, until we get the payload we want.
We will work on Linux (x86), get to know the libc, and debug the process. By observing the stack and registers, we will see how choosing code snippets that end with a ‘return’ (ROP-gagdets) plays out.
The workshop contains 3 exercises of different stages.
The first stage is 32 Bit to get an easy start and to get to know the environment and commands. This exercise is done together, to get a quick and efficient example on how to interact with the tools. The second stage is 64 Bit, to stress the differences regarding e.g. calling conventions. This exercise will allow the attendees to explore the exploit on their own, with my assistance when needed.
The 3rd stage will be solving the challenge with ASLR turned on (without PIE). This will get us a longer ROP-Chain, we will have a look on other useful segments like the Global Offset Table and how to use this for exploitation. Also, the combination of using ROP on 64 Bit with ASLR turned on can score you some points in CTFs.
I will provide a VM with the binaries and my presentation on it. Using a common system is the easiest way to get the same offsets in our address calculation. I will also provide instructions to set up the VM in case the attendees want to set up their own VM.
A laptop with a hypervisor (e.g. VirtualBox, VMware) installed
Lisa is a student in Automation and Mechatronics at the university Hochschule Furtwangen (HFU), Campus Tuttlingen. With her bachelor thesis she shifted torwards the security field by developing a clang-based fuzzing toolchain. She was both attendee and trainer at Blackhoodie events and likes CTF competitions.
Video conferencing systems are increasingly used to talk about critical issues in corporate environments, but there are very few attacks and tools dedicated to them. Cisco Meeting Server or CMS is a software used to make video conferences, which allows users to connect to meetings through different clients or via WebRTC with a browser.
During a series of tests conducted with this software, we detected that remotely and without authentication it is possible to list the active conferences on a CMS server and obtain a large amount of information for each conference such as the name of the conference, ID, video address, passcode protection and more. After our report, in November 2018 Cisco published a security advisory associated with this vulnerability with CVE-2018-15446. We also detect that remotely and without authentication, in some cases it is possible to perform a bruteforce attack of the passcode in the conferences that have one, to obtain this numeric code and access the corresponding videoconference.
Based on this research, we developed two open source tools in Python: m33tfinder and m33tbreak that allow to automate this attack, knowing only the URL of the CMS server. An attacker using our tools could identify the URL of the CMS of a certain company, obtain the valid conferences, identify the conferences that discuss critical issues such as budgets, directive committees, board meetings and join the meetings as a guest. That way the attacker could access the critical information discussed in them or record them, using only a web browser.
In our talk, we will see the overall security of videoconferencing systems, the story of how we discovered the vulnerability, how to identify the Cisco Meeting Servers exposed on the Internet, the technique used to obtain information about the conferences and perform the bruteforce attack, a demo of the tools to carry out an attack on a CMS and the countermeasures we can take to protect ourselves from these attacks in case of administering or using this or another videoconferencing system.
Yamila Vanesa Levalle is an Information Systems Engineer, Security Researcher and Offensive Security Professional with more than 15 years of experience in Infosec. Over the years, she has discovered vulnerabilities in various applications and systems.
Yamila currently works as Security Researcher in ElevenPaths (Telefonica Cibersecurity Unit) where she specializes in offensive/defensive techniques, conducts researches, publishes articles on different information security issues and develop security tools in Python. She is an international security conferences speaker and has presented her researches at important events such as OWASP Latam Tour, Infosec UTN and Notpinkcon. She has also taught ethical hacking courses for women, CTF courses for beginners and several information security awareness and training courses and talks.
Among the myriad of programming languages which have been defined over the last five decades, some provide memory safety (e.g. Java, Rust) but are often inapplicable to low-end embedded systems with 32-bit microcontrollers and a few dozen kilobytes of RAM at best:
Both RAM and ROM (Flash) sizes are severely constrained; a bulky runtime systems cannot be accommodated, and even a "normal-sized" stack is not an option.
Small embedded systems do not have an operating system at all, and do not provide features on which many language runtimes rely on, e.g. a MMU to trap dereferencing of NULL pointers, or multithreading.
Many microcontrollers use custom or reduced CPU versions that existing code generators do not support, forcing the use of a vendor-provided C compiler.
This talk describes T1, a novel programming language that tries to address these issues. It is an evolution of T0, the Forth-like language which is already successfully used in BearSSL for managing the SSL/TLS handshake and for verifying X.509 certificate chains.
Thomas Pornin is a cryptographer, author of the BearSSL library. He works as a consultant for NCC Group, as part of the Cryptography Services team.
In the world of cryptocurrency-related malware, mining botnets are a growing threat for organizations. It is also not unusual today to have banking malware, ransomware, or spyware embedding cryptomining capabilities.
In this presentation we explain how to leverage publicly available sources for hunting cryptomining malicious activities. We focus on a common behavior of such malicious activities: using collaborative work to mine cryptocurrencies.
All the tools and scripts detailed in this presentation are or will be available in a GitHub repository: https://github.com/kwouffe/
In the world of cryptocurrency-related malware, mining botnets are a growing threat for organizations. It is also not unusual today to have banking malware, ransomware, or spyware embedding cryptomining capabilities.
In this presentation we explain how to leverage publicly available sources for hunting cryptomining malicious activities. We focus on a common behavior of such malicious activities: using collaborative work to mine cryptocurrencies.
All the tools and scripts detailed in this presentation are or will be available in a GitHub repository: https://github.com/kwouffe/
Server-side Linux malware is a real threat now. Unfortunately, unlike for its Windows counterpart, most system administrators are inadequately trained or don't have enough time allocated to analyze and understand the threats that their infrastructures are facing. This tutorial aims at creating an environment where Linux professionals have the opportunity to study such threats safe and in a time-effective fashion.
In this introductory tutorial you will learn to fight real-world Linux malware that targets server environments. Attendees will have to find malicious processes and concealed backdoors in a compromised Web server.
In order to make the tutorial accessible for a range of skill levels several examples of malware will be used with increasing layers of complexity — from scripts to ELF binaries with varying degrees of obfuscation. Additionally, as is common in Capture-The-Flag information security competitions, flags will be hidden throughout the environment for attendees to find.
Any OS with the following tools:
Marc-Etienne is a malware researcher at ESET since 2012. He specializes in malware attacking unusual platforms, whether it’s fruity hardware or software from south pole birds. Marc-Etienne focused his research on the reverse engineering of server-side malware to discover their inner working and operation strategy. His research led to the publication of the Operation Windigo white paper that won Virus Bulletin’s Péter Szőr Award for best research paper in 2014. While still keeping eyes open on crimeware, he now focuses on the analysis of targeted attacks.
Outside his day job, Marc-Etienne enjoys designing challenges for the NorthSec CTF competition. He is also a co-organiser of the MontréHack monthly event. He presented at multiple conferences including CSAW:Threads, CARO Workshop and Linuxcon Europe. When he’s not one of the organizer, he loves participating in CTF competitions like a partying gentleman. Outside the cyberspace, Marc-Etienne plays the clarinet and read comics. He tweets sporadically at @marc_etienne_.
Among the novelties developed for Bitcoin, one can find a very interesting scheme for asymmetric key derivation introduced in BIP32 (“Bitcoin Improvement Proposals”). The principle is to be able to derive child keys in a deterministic way from their parents’ keys.
This is a “feature” which is already available in straight ECC, since one can simply exploit the distributivity of the scalar multiplication over the elliptic curve addition law.
No need for any blockchain, and I'm thus explaining in this talk some basic EC maths, before explaining how this key derivation works, and I'll finally be showcasing a few examples.
Yolan is a security researcher delving into (and dwelling on) cryptography, crypto coding, blockchains technologies and other fun things. He has spoken at Black Hat USA, BSidesLV, Cryptovillage and DEF CON, on topics including automation in cryptography, public keys vulnerabilities, or vulnerability research, and presented at FDTC the first known practical fault attack against the EdDSA signature scheme. Yolan tweets as @anomalroil.
When on the hunt for new malware, the digital connection to the physical world can often be overlooked. We’re constantly reminded in the news of political struggles and physical warfare, with adversaries targeting each other through sanctions or military action. However, a large portion of these real world decisions are driven by digital espionage, which is evolving at an exponential rate - even ‘traditional’ digital espionage like desktop malware and phishing campaigns are being supplemented by state sponsored mobile surveillance-ware. This talk will highlight 4 real world mobile espionage campaigns tied to political and physical conflicts, allowing attendees to get a broader understanding of the targeting and intelligence collection techniques of global actors, as well as tool development to evade (repeated) detection, and hopefully use these characteristics to enhance threat hunting efforts.
Kristin Del Rosso is a member of Lookout's Threat Intelligence Team in San Francisco, where she hunts for nation state malware and targeted surveillanceware. She recently spoke at BlackHat Europe on a state-sponsored malware campaign, and continues to work with her team to map out attacker infrastructure and better understand the actors and motives behind these mobile threats. Her happy place combines history, languages and security intelligence.
The objective of this workshop is to dive into Capture-The-Flag (CTF) competitions. First, by introducing participants to the basic concepts. Then, by helping them prepare for the upcoming NorthSec CTF, and, finally, evolve in their practice of applied cybersecurity.
We will have easy and medium CTF challenges in several categories (binaries, Web, exploitation, forensics) and we will give hints and solutions during the workshop.
This is meant to be for CTF first timers. Seasoned players should play NorthSec's official CTF.
Requirements
See Requirements section of the proposal
Zer0
Everyone working with computers lately has heard of VMs, cloud orchestration and containers. That said, so many of us still do many things manually or use these technologies inefficiently. Let’s not allow the devs to have all the fun with DevOps (and its tools).
Virtual Machines can be effectively used to test exploits or contain development environments. Vagrant makes it easy to share these pre-built VMs, avoiding tedious "next, next, next" install procedures while supporting both Linux and Windows.
Containers changed the way we distribute applications and combine services together. Built on top of Linux namespaces, they enable us to deploy complex software in a reproducible manner no matter on which Linux distribution we deploy it. Additionally, using network namespaces manually is useful to isolate, bridge, route or firewall a single process or a process hierarchy.
Orchestration is the natural next step of automation. We describe entire fleets of systems in code and use tools to make sure that the current state of the infrastructure matches what the code says. Terraform leverages cloud APIs to deploy computing instances and other cloud resources. Ansible reads from Terraform’s inventory, connects to the instances, install software, copy files and perform the various tasks known as provisioning. Together they are a powerful combination, allowing the deployment of complex systems temporarily in a matter of a few minutes and then tear everything down when it is no longer required.
This workshop will be use case driven and each one will explore more advanced featuresets of the tools demonstrated.
Virtual Machines (VMs)
Containers
Orchestration†
Due to the fast-paced nature of this workshop, no technical support will be provided. So make sure to install and test the following tools before we start:
Alternatively a Vagrant box (based on VirtualBox, which you will need) will be provided on site with all the tools pre-installed. Using this will require only Vagrant and VirtualBox installed and should work cross-platform.
*: These tools require Linux to run. Have a Linux host or VM ready with the tools preinstalled
†: Achieving these use cases will require a Digital Ocean account and will incur costs (should be less than USD $5 unless you forget to destroy your instances after the class). The code provided by the instructor should work with other cloud providers with minor adaptations.
See the prerequisite section of the workshop description.
Familiar with a Linux command-line
Olivier Bilodeau Cybersecurity Research Lead, GoSecure
Olivier Bilodeau is leading the Cybersecurity Research team at GoSecure. With more than 10 years of infosec experience, he enjoys attracting embedded Linux malware, writing tools for malware research, reverse-engineering all-the-things and vulnerability research. Passionate communicator, Olivier has spoken at several conferences like BlackHat USA/Europe, Defcon, Botconf, SecTor, Derbycon, HackFest and many more. Invested in his community, he co-organizes MontréHack, a monthly workshop focused on applied information security, and NorthSec, Montreal's community conference and Capture-The-Flag.
The RDP protocol has a wide variety of interesting features, yet no tool supported the complexity of the RDP protocol for information security purposes. Inspired by RDPY, we created PyRDP, an open-source general-purpose RDP man-in-the-middle tool. This presentation will cover use cases for PyRDP in malware research and pentesting.
First, we added new features to our project to help with malware research. One crucial feature is the ability to rewrite the username and password sent to the server. This is used to allow access to the target RDP server to anyone using any credentials, which maximizes hostile interactions. Our tool also saves full RDP sessions to disk as well as clipboard content and files transferred during the sessions. Having session replays allows us to extract tactics, techniques and procedures (TTPs) from malicious actors. By using our tool and pointing it to a real RDP server, we created a fully interactive honeypot and caught a malware actor in the act.
We will do a demonstration of these features and show replays of the malware actor we caught.
Second, in a corporate environment, RDP is oftentimes used by high-privilege user accounts to manage Active Directory, servers, users' workstations and more. Using RDP is so ingrained in day-to-day tasks that users stop thinking about the potential consequences of connecting to random machines.
We will present PyRDP's use cases in pentesting engagements and propose an approach to compromising high-privileged accounts. A man-in-the-middle in an RDP context can be used to capture credentials, but it can do more. Instead of reusing the credentials to launch another connection, attackers can interactively hijack the existing connection and disguise their actions as coming from the victim. Additionnally, it can lead to the partial compromise of the client machine by abusing features such as drive redirection to enumerate and download sensitive files. PyRDP can also be used to challenge the incident response process by attracting the incident response team to a machine and capturing their credentials as they connect. Finally, the replay files produced by PyRDP can be used to demonstrate the impact of compromise to high-level executives.
The talk will cover these attack scenarios in depth and will end with a short demo of the open-source tool and its capabilities.
Émilio is an undergraduate student from Université de Sherbrooke (UdeS). He discovered a passion for cybersecurity two years ago, which lead him to break his promise of trying three different fields during his internships and instead taking only cybersecurity-related internships at the Canadian Cyber Incident Response Center (formerly CCIRC, now CCCS)'s malware analysis team, GoSecure's R&D team and Desjardins' threat hunting team.
President of JDIS, UdeS' computer science student organization, Émilio likes to make things happen, let it be CTFs, AI competitions, conferences, workshops or making every developper understand that tab is the superior indentation character (work in progress).
The RDP protocol has a wide variety of interesting features, yet no tool supported the complexity of the RDP protocol for information security purposes. Inspired by RDPY, we created PyRDP, an open-source general-purpose RDP man-in-the-middle tool. This presentation will cover use cases for PyRDP in malware research and pentesting.
First, we added new features to our project to help with malware research. One crucial feature is the ability to rewrite the username and password sent to the server. This is used to allow access to the target RDP server to anyone using any credentials, which maximizes hostile interactions. Our tool also saves full RDP sessions to disk as well as clipboard content and files transferred during the sessions. Having session replays allows us to extract tactics, techniques and procedures (TTPs) from malicious actors. By using our tool and pointing it to a real RDP server, we created a fully interactive honeypot and caught a malware actor in the act.
We will do a demonstration of these features and show replays of the malware actor we caught.
Second, in a corporate environment, RDP is oftentimes used by high-privilege user accounts to manage Active Directory, servers, users' workstations and more. Using RDP is so ingrained in day-to-day tasks that users stop thinking about the potential consequences of connecting to random machines.
We will present PyRDP's use cases in pentesting engagements and propose an approach to compromising high-privileged accounts. A man-in-the-middle in an RDP context can be used to capture credentials, but it can do more. Instead of reusing the credentials to launch another connection, attackers can interactively hijack the existing connection and disguise their actions as coming from the victim. Additionnally, it can lead to the partial compromise of the client machine by abusing features such as drive redirection to enumerate and download sensitive files. PyRDP can also be used to challenge the incident response process by attracting the incident response team to a machine and capturing their credentials as they connect. Finally, the replay files produced by PyRDP can be used to demonstrate the impact of compromise to high-level executives.
The talk will cover these attack scenarios in depth and will end with a short demo of the open-source tool and its capabilities.
A student at the École de Technologie Supérieure (E. T. S.), Francis has discovered an interest for information security at the start of his undergraduate studies. He has worked as an intern for Desjardins's ETTIC team and GoSecure. He has also given workshops for Montrehack and DCIÉTS, and has been a finalist in popular CTF events like Hack in Paris, CSAW and DefCamp.
In this workshop, we will teach students how to write smart contracts in the Solidity programming language. Solidity is easy to learn, but hard to get right.
The approach to training we’ll take in this session will be to provide a series of simple coding challenges, where participants are asked to write the code to implement a simple program, such as a coin toss, a transferable token (like a coin), or an auction. We’ll allow an appropriate amount of time for each step, and then provide a solution.
Then the fun part! We will walk the participants through the steps to break their contracts.
Classes of vulnerabilities we’ll explore include:
Overflows Reentrancy attacks Forcible sends Front Running
Basic programming skills
Maurelian is a lead security engineer at ConsenSys Diligence, where he works to ensure that Ethereum smart contracts are transparent, trustworthy, and reliable. He helped build a decentralized name registrar for the Ethereum Name Service; authoring the spec and auditing the final implementation. He is a regular writer and speaker on smart contract security. Prior to joining ConsenSys, Maurelian worked at Coinbase.
For this workshop, participants do not need to have prior knowledge about bitcoin. The workshop is divided in three strategic sections.
Section 1–Bitcoin fundamentals – 45 minutes
Hands-on exercise:
Participants will download the Electrum software wallet and I will transfer bitcoin to each of their generated addresses (small amounts, obviously). They will be able to track the transaction in the blockchain using blockchain.info.
Section 2 – Clustering, tagging and basic techniques to trace transactions – 1 hour
Hands-on exercise: Using a dozen of bitcoin addresses, participants will be tasked to trace transactions and conclude whether it is possible to know where the money was cashed out and what can be inferred from the money flow.
Section 3 – Advanced techniques behind tracing transactions using GraphSense API and Python open-source libraries – 1 hour
Hands-on exercise:
For this exercise, an environment will be provided to participants with the tools and the data installed. If needed, they can easily replicate the environment at home.
Participants will be tasked to extract information from a list of addresses using the GraphSense open source API. Then, they will graph the data based on the techniques presented above.
A laptop
For this workshop, participants do not need to have prior knowledge about bitcoin.
Masarah Paquet-Clouston is a security researcher at GoSecure, a PhD student at Simon Fraser University in criminology and one of Canada’s decorated 150 scientific innovators. With her background in economics and criminology, she specializes in the study of markets behind illicit online activities. She published in several peer-reviewed journals, such as Social Networks, Global Crime and the International Journal for the Study of Drug Policy, and presented at various international conferences including WEIS, Virus Bulletin, Black Hat Europe, Botconf and the American Society of Criminology.
You've built login for your application—maybe you even have 2FA—but what happens when a customer calls the support number listed on your website or product?
Security teams and app developers have thought a lot about online authentication, but we haven't applied the same rigor to designing systems for authenticating over the phone. At Twilio, product and engineering teams have spent the last year thinking about this problem and how to make the experience better for both the customer and the call center agent. In that time, I've called dozens of contact centers to learn about how everyone from startups to Fortune 50 companies attempt to identify and authenticate the end user. This talk will take a look at that research and outline best practices you can use in your own call centers. You'll leave the session understanding what information should be made available to the agent and what kind of product features you can build into your web or mobile application that can facilitate phone authentication.
Kelley works on the Account Security team at Twilio, helping developers manage and secure customer identity in their software applications. Previously she worked in a variety of API platform and data engineering roles at startups in San Francisco. She believes in making technical concepts, especially security, accessible and approachable for new audiences. In her spare time, Kelley is an avid home cook and greatly enjoys reorganizing her tiny kitchen to accommodate completely necessary small appliance purchases.
The goal of the talk is to answer a few questions we often see or hear : “ATT&CK is nice and all, but how do I (we) get started?“, “How can I (we) detect those TTP?“, “Why use the ATT&CK Framework?“, etc. The ATT&CK Framework from Mitre is the new honest in the InfoSec world. There’s a lot of open source projects that use it, commercial products have started using it to show what TTP they cover, it even has it’s own conference : ATT&CKcon.
Mathieu Saulnier is a “Security Enthusiast” ©@h3xstream. He has held numerous positions as a consultant within several of Quebec’s largest institutions. For the last 6 years he has been focused on putting in place a few SOC and has specialized in detection (Blue Team), content creation and mentorship. He currently holds the title of « Senior Security Architect » and acts as “Adversary Detection Team Lead” and “Threat Hunting Team Lead” in one of Canada’s largest carrier. In the last decade, he has taken two separate sabbaticals to travel Africa and Asia.
Deserialization is the process of converting a data stream to an object instance. At the end of 2015, the Java community was taken by storm by deserialization vulnerabilities using a weakness from the library Commons-Collection. The event highlighted how many applications used unsafe deserialization. At the time, Jenkins, WebLogic, WebSphere and JBoss used the same vulnerable code pattern. Two years later, researchers turned to the .NET ecosystem and discovered that many serialization libraries were vulnerable to similar attacks. In 2018, vulnerabilities were found notably in SharePoint (Workflows API), PHP-BB (using a new PHP vector) and many more. Hundreds of CVEs were recorded for the same year proving that deserialization is still an active threat for modern web applications. Developers and pentesters can't ignore this risk because, in most cases, it leads to remote code execution.
This 3-hour workshop will go through the basics of exploiting such vulnerabilities in multiple languages including Java, .NET and PHP. After the theory, participants will have access to vulnerable applications specially designed for the workshop. The objective for the participants will be to exploit applications using the presented methods. Step-by-step instructions and tools will be provided to the participants. Additionally, participants will gain knowledge and skills to build gadgets in dedicated exercises.
Intermediate
Beginners will be able to do the first part of the workshop (exploitation with YSoSerial) but have a hard time doing the custom gadget exercise.
Philippe is a security researcher working for GoSecure. His research is focused on Web application security. His past work experience includes pentesting, secure code review and software development. He is the author of the widely-used Java static analysis tool Find Security Bugs. He is also a contributor to the static analysis tool for .NET called Security Code Scan. He built many plugins for Burp and ZAP proxy tools: Retire.js, Reissue Request Scripter, CSP Auditor and many others. He presented at several conferences including Black Hat Arsenal, ATLSecCon, NorthSec, Hackfest (QC), 44CON and JavaOne.
This workshop is a follow-up to Leveraging UART, SPI and JTAG for firmware extraction
Do you need to analyze a product that was shipped with a locked down operating system ? This workshop will cover the basic of analyzing this type of product.
The following topics will be covered :
The following tools are required for the workshop :
Entry-level workshop.
Olivier Arteau is a security researcher that works for Desjardins. In his early day, he was a web developer and transitioned into the security field during his university. He gave in the last few years a good amount of workshop for the user group MontreHack and is also part of the organization of a few CTFs (Mini-CTF OWASP and NorthSec).
Things covered:
Laptop with admin privileges and docker installed
basic linux knowledge, familiarity with Docker
Yash is a Senior Product Security Engineer at Twilio. He has worked with Box and iSEC Partners in the past. He has been working in security for over half a decade. He has worked in a variety of roles ranging from consulting to enterprise product security teams. He is a seasoned speaker and has presented in BSides SLC 2016, HackMiami 2017 and BSides San Diego 2018, and will be presenting at Troopers 2019
The classic firmware update procedure was to download the latest version from the manufacturer then upload it to your device which allowed easy access for inspection. In today's IOT devices, firmware may update itself directly using HTTPS. This allows for timely security updates but removes the end user access to the binary.
Fortunately, there are ways to extract a firmware from the flash chip on a circuit board using common protocols. In this workshop, we will learn:
TPLink WDR3600 or WDR4300 (similar models with UART, SPI and JTAG interfaces available) Adapter c232hm-ddhsl-0 or bus pirate recommended. Other similar adapters will also work. Linux computer recommended although other operating systems may be used if the attendee know how to install and operate the suggested software or similar software on his favorite operating system.