SEC-T - 0x10sion

10-13th of September 2024

Talks 2019

The art of browser exploitation using Assembly

A talk by Jameel Nabbo

Most browser engines now support writing assembly instructions via JavaScript (e.g. ASM.JS). From an attacker's perspective, this technique has opened many doors for cyber criminals to exploit the web browser silently.

About Speaker

Jameel Nabbo is the founder of bufferoverflows.net and an offensive security expert with over a decade of hands-on experience in exploit development and penetration testing.


Ghosts in the Machine: Adversarial Artificial Intelligence

A talk by Jennifer Fernick

As a long-time security researcher with a degree in artificial intelligence, I feel that the adversarial capabilities both of and against machine learning are hiding in plain sight behind rudimentary, vendor snake-oil claims of “artificial intelligence” which have bored many serious security researchers away from the field. In this talk, I will bring these fields together again in the ways that deeply matter, by both presenting a comprehensive taxonomy of known offensive attacks against machine learning systems, as well as demonstrating the ways in which what counts for artificial intelligence today has been and can be weaponized, using a range of examples from cryptanalysis, fuzzing, automated exploit generation, and beyond.

In this comprehensive research-oriented talk, I will begin by outlining the major ways in which offensive security researchers can attack machine learning systems, and then proceed to discuss how both generic and adversarial techniques from the machine learning domain itself can be used as a part of an offensive security researcher’s arsenal to assist in fuzzing, bug-hunting, generating deepfakes, and performing cryptanalysis. In doing so, I want to demonstrate that A.I. is both a tool and a weapon, depending on how you hold it – and use this as a call to action for security researchers to engage with the machine learning research community before it is too late to defend against ubiquitous surveillance, deepfakes, vuln-laden ML implementations, and dangerous regulatory and policy precedents.

About Speaker

Jennifer Fernick is the Head of Research at NCC Group, a global cybersecurity consulting firm, and is a National Security Institute Technologist Fellow at George Mason University Law School in Washington, D.C. She was formerly Director of Information Security at a major global bank, and spent 4 years as a computer science Ph.D researcher at the Centre for Applied Cryptographic Research and the Institute for Quantum Computing at the University of Waterloo. Her career has included designing and building satellite systems, working on bleeding edge cryptography research, building secure systems at massive scale, running incident response events for core pieces of critical infrastructure, and leading the development of global technology standards. Jennifer holds an Honours Bachelor of Science degree in Cognitive Science & Artificial Intelligence from the University of Toronto, a Master of Engineering degree in Systems Design Engineering from the University of Waterloo, and was a part of the 2018 Assembly Cohort at MIT Media Lab and the Berkman-Klein Centre for Internet Society at Harvard University, focusing on Artificial Intelligence & its Governance. She has previously spent multiple years as CFP Chair of Crypto & Privacy Village at DEF CON, serves or has served on the review boards of USENIX CSET and USENIX Enigma, and regularly speaks at major technology conferences such as RSA, CFI-CIRT, ECML, DEF CON, O’Reilly AI, and Blackhat Europe.


How one picks a pocket

A talk by James Harrison

Being a magician and pickpocket, James Harrison demonstrates his skills and shows us how we can apply some of these principles to larger approaches in Social Engineering.

About Speaker

After a knee injury in 2002 ended his dream of becoming a professional athlete, James Harrison began to pursue his other passion: picking pockets. But only for entertainment purposes, he promises.

His dedication to the craft quickly paid off when he landed his first professional performance after nine months. As James’ notoriety grew, he soon learned that pickpocketing is a family trade of sorts as his father used to pick pockets when he was younger. The difference being that James returns everything he takes.

James has performed across North America with one of his more recent talks being at the hacker convention, DEFCON. He has also been nominated twice for Excellence in the Arts and was named A-1 Radio’s Magician of the Year 2016.


Baldr vs The World

A talk by Albert Zsigovits

In January 2019, SophosLabs discovered that a new family of credential-stealing malware calling itself Baldr was being marketed on message boards used to advertise malware. In a short period of time, the developer of Baldr made a significant number of improvements and updates, including two major releases. Baldr enjoyed rapid growth in sales and, within a few months, had more than 200 criminal customers who were using it to steal valuable credentials, mainly from videogame players, who were the most frequently targeted victims. In this talk, we will discuss the mechanism by which Baldr performs its tasks, how the malware markets and promotes itself, and some of the vulnerabilities in its command-and-control panel, which have allowed other criminals to take over its C2 servers.

About Speakers

Albert Zsigovits works as a Threat Researcher at SophosLabs. He joins us from a traditional blue team background, having kickstarted his cyber career analyzing security events as an IDS analyst, and later investigating breaches as an incident responder for a Fortune 50 company. His specialties include threat hunting, memory forensics and signature development. In his spare time he enjoys reverse engineering malware and diving deep into deep-web territories, connecting the dots between criminals by leveraging threat intelligence and open source intelligence techniques.


5G IMSI Catcher? – exploiting vulnerabilities in 5G access network protocols

A talk by Altaf Shaik & Ravishankar Borgaonkar

There are many theories on 5G security-related concerns. This talk will provide a brief summary of the 5G security architecture and its newly introduced security features. Further, we discuss whether previous IMSI catchers will succeed or fail in 5G networks, or whether there will be no IMSI catchers in 5G networks at all. To prove our theories, we reveal new vulnerabilities in 5G radio access network protocols and demonstrate the risk of IMSI-catcher-type devices in 5G if these are not addressed in the standard. Finally, we highlight potential security and privacy issues (if not designed/configured properly) when deploying or using 5G networks.

About Speakers

Ravishankar Borgaonkar works as a research scientist at SINTEF Digital and undertakes research in securing next generation digital communication. His primary research themes are related to mobile telecommunication and the security threats involved. This ranges from 2G/3G/4G/5G network security to end-user device security. After receiving his PhD in the ‘security in telecommunication’ area from the Technical University of Berlin, he was a security researcher at Deutsche Telekom’s lab for 3 years. Since that time he has worked for the Intel Collaborative Research Institute for Secure Computing at Aalto University, as well as for the University of Oxford. He has found several protocol flaws in 3G/4G technologies. The demonstrated vulnerabilities affected billions of 3G/4G devices and resulted in a change to the existing 3G/4G communication standards.

Altaf Shaik is a principal security researcher at Kaitiaki Labs and is currently pursuing a PhD at the Technical University of Berlin. He is experienced in analyzing cellular network technologies from the radio to the networking protocol layers. His recent renowned research includes low-cost 4G IMSI catchers and security issues in several cellular baseband chipsets.


Operation SoftCell – a global campaign against cellular providers

A talk by Amit Serper, Mor Levi & Assaf Dahan

This talk will discuss Operation Softcell – a large-scale, multi-year campaign against multiple cellular providers around the world, in which the attackers completely owned the networks of cellular providers and stole hundreds of gigabytes of call records and location data, targeting high profile individuals.

About Speakers

Amit Serper – Amit leads the security research at Cybereason’s Nocturnus group in the company’s Boston HQ. He specializes in low-level vulnerability and kernel research, malware analysis and reverse engineering on Windows, Linux and macOS. He also has extensive experience in reverse engineering malware and investigating large scale attacks. Prior to joining Cybereason four years ago, Amit spent nine years leading security research projects and teams for an Israeli government intelligence agency.

Mor Levi – Mor Levi has more than eight years of experience in cyber investigations, incident response, and SIEM/SOC management. She began her career as a team leader in the Israeli Defense Force security operation centre. Later, she led an incident response and forensics team at one of the big four accounting firms providing services to global organizations.

Assaf Dahan – Assaf has over 15 years in the InfoSec industry. He started his career in the Israeli Military 8200 Cybersecurity unit where he developed extensive experience in offensive security. Later in his career he led Red Teams, developed penetration testing methodologies, and specialized in malware analysis and reverse engineering.


How to bug hotel rooms

A talk by Dan Tentler

Do you keep expensive stuff in your hotel room? Did DEF CON last year show you that perhaps your hotel room isn’t private? Do you like the idea of having visibility of your expensive stuff when you’re not in your hotel room? I got you covered. I travel quite a lot for work and I carry lots of expensive things around. I’ve learned how to deploy ‘tells’, as well as a slurry of cameras in hotel rooms in an effort to keep tabs on things. This talk will elaborate on stories and experiences, talk about how to build hotel room networks, and cover some of the camera models I bought and use. What’s good, what’s bad, and how you can fall into this rabbit hole too.

About Speaker

Dan Tentler is the founder and CEO of The Phobos Group, a boutique information security services company. He flies race drones and crashes them in colorful ways. A lot. Dan scans the whole internet for fun and posts screenshots to Twitter. He likes rum. Hand him a rum drink and ask him to tell you a story and he will, on the spot, conjure the spirit of George Carlin for you. No joke. Bring a helmet.


Chinese Police and CloudPets

A talk by Abraham Aranguren

This talk is a summary of three different security audits with an interesting background. First, CloudPets: their epic track record, what we found and what happened afterwards. Next, two mobile apps used by Chinese police, “BXAQ” and “IJOP”, both related to surveillance of ethnic minorities, but in different ways. Stay tuned.

Part 1: CloudPets
Wouldn’t it be cool, for a parent far from home, to be able to record a voice message with their phone and make the sound come out of a soft toy that children can hug? That’s the idea of CloudPets: children can even respond directly from the soft toy and communicate with their parents. What could possibly go wrong? Let your imagination go wild and you will still fall short.

Part 2: Chinese Police
This part covers two surveillance mobile apps that Chinese authorities employ to spy on the Muslim minorities of China’s Xinjiang region: “IJOP” and “BXAQ”. The Chinese government faced international criticism when the results of these audits became public. While the audits focused on gathering evidence of the surveillance activities, which will be covered in this talk, we will also discuss some interesting vulnerabilities that we found along the way and that were not the focus of the audit itself.

About Speaker

After 13 years in IT security and 20 in IT, Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps and infrastructure, code reviews and training. He is a former senior penetration tester / team lead at Cure53 (cure53.de) and Version 1 (www.version1.com), the creator of “Practical Web Defense” – a hands-on eLearnSecurity attack / defense course (www.elearnsecurity.com/PWD) – and the project leader of OWASP OWTF, an OWASP flagship project (owtf.org). He holds a Major degree and Diploma in Computer Science and some certs: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+. As a shell scripting fan trained by unix dinosaurs, Abraham wears a proud manly beard. He writes on Twitter as @7asecurity, @7a_ and @owtfp, and at https://7asecurity.com/blog. Some presentations, pentest reports and recordings can be found at https://7asecurity.com/#publications


Zero to Millionaire in 60 minutes: Hacking Real Life Financial Applications

A talk by Himanshu Sharma

“The talk will revolve around us red-teamers testing and penetrating into Banking, Mobile wallets and Non-Banking Financial applications. We will cover bugs not only in payment gateways and frameworks but also in applications that fail to implement them properly. This will include bypassing AES-encrypted requests and logical bugs in numerous banking applications we tested. We will talk about techniques using which we were able to make recurring deposits in our account which get debited from victims’ accounts, view statements of arbitrary accounts, buy products for free, pay loan instalments for free, pay credit card bills for free, make online recharges from victim accounts, regenerate ATM pins of bank accounts at mass, among numerous other exploits, along with real life case studies, patches and recommendations.”

About Speaker

Himanshu Sharma has been in the field of bug bounty since 2009 and has been listed by Apple, Google, Microsoft, Facebook, Adobe, Uber, AT&T, Avira, and many more, with hall of fame listings as proof. He has helped celebrities such as Harbhajan Singh in recovering their hacked accounts, and also assisted an international singer in tracking down his hacked account and recovering it. He was a speaker at Botconf ’13, held in Nantes, France, and at RSA 2018, held in Singapore. He also spoke at IEEE conferences in California and Malaysia as well as at TEDx. Currently, he is the co-founder of BugsBounty, a crowd-sourced security platform for ethical hackers and companies interested in cyber services. He has also authored two books: “Kali Linux – An Ethical Hacker’s Cookbook” and “Hands-On Red Team Tactics”.


Battle in the Clouds: Attacker vs Defender on AWS

A talk by Dani Goland & Mohsan Farid

The interaction between attackers and defenders is like a ping pong game, and that is exactly how we did this research. On the offensive side, Mo will share his tools and tactics for attacking AWS infrastructures, from recon to attacks to post-exploitation on different services, with a focus on Elastic Container Service (ECS). After each attack step, Dani will explain the defensive side and the tools and tactics for hardening the AWS infrastructure, from designing a secure cloud architecture to detection to hardening specific services like Docker containers on ECS. After the battle, we will both walk through common misconfiguration problems, one-click solutions for monitoring and attack detection, and workflows for pentesters on AWS. One of the most important lessons from our research is the importance of the interaction between pentesters and developers/DevOps engineers, and how a few days of working side by side can help us secure our current systems and learn to develop future systems with security in mind.

About Speakers

Mohsan Farid:
Mohsan has over 13 years of experience in cyber security. Mohsan has run the gamut in the security space: from penetration testing for Rapid7 as a consultant, penetration testing for numerous federal agencies, pentesting mobile applications for HP, pentesting Fortune 500 companies, and contributing exploits to the Metasploit framework as well as contributing to open source projects. When Mohsan isn’t breaking things, he likes to travel the globe in search of incredible surf, scuba diving, rock climbing and hiking, and is an avid yogi.

Dani Goland:
At the age of 20 he founded his own boutique company for innovative software and hardware solutions. He is a certified AWS Cloud Solutions Architect. While gaining experience in business and finance, Dani did not neglect his hands-on capabilities in both making and breaking systems. Dani recently relocated from Israel to the United States to study Data Science at the prestigious UC Berkeley. During his studies, Dani founded VirusBay, a collaborative malware research community which skyrocketed amongst the global security community to over 2500 researchers. Dani has spoken at numerous cybersecurity conferences such as BlackHat USA, CodeBlue Japan, CONfidence, SEC-T, and more. After serving in the Israeli Defense Forces as a commander of a Field Intelligence unit, Dani went on an 8-month journey across South America. He loves snowboarding, music concerts, and having crazy, breathtaking experiences such as spending 5 days in the Bolivian jungle with no food or water.


Crypto Cobra: Tales of the nation-state actor targeting crypto-exchanges

A talk by Dani Goland & Ido Naor

There’s only one state-sponsored threat actor that targets victims for financial motivations. Because of sanctions and political implications, it has been said that the isolated kingdom of North Korea resorted to launching vicious malware campaigns against financial institutions to fund its operations. They hold the record for one of the most notorious banking heists in history, but it doesn’t stop there. Tools from their APT group, called Lazarus, have been found at many digital crime scenes and cross-matched with other attacks on cryptocurrency exchanges as well! This talk is version 2 in the series, scoping attacks conducted against virtual currency trading platforms. Ido & Dani will dive into how the lion of APTs takes on its prey in the jungle of digital warfare.

About Speakers

Ido Naor:
Ido is a principal security researcher at Kaspersky and part of the elite threat intelligence unit called GReAT (Global Research and Analysis Team). During the past 5 years, Ido has dedicated thousands of hours to hunting for state-sponsored APT actors, mainly in the Middle East. Aside from analyzing malware samples, Ido also enjoys vulnerability research and responsible disclosure. He has successfully reported major in-the-wild vulnerabilities used by hackers. In 2018, Ido founded a collaborative malware research platform called Virusbay, which skyrocketed among world-renowned researchers from all over the world. It is a home for over 2500 researchers. Ido holds a bachelor’s degree in CS, is a father of three, a Kyokushinkai black belt and a former commander of an elite intelligence unit in the IDF.

Dani Goland:
At the age of 20 he founded his own boutique company for innovative software and hardware solutions. He is a certified AWS Cloud Solutions Architect. While gaining experience in business and finance, Dani did not neglect his hands-on capabilities in both making and breaking systems. Dani recently relocated from Israel to the United States to study Data Science at the prestigious UC Berkeley. During his studies, Dani founded VirusBay, a collaborative malware research community which skyrocketed amongst the global security community to over 2500 researchers. Dani has spoken at numerous cybersecurity conferences such as BlackHat USA, CodeBlue Japan, CONfidence, SEC-T, and more. After serving in the Israeli Defense Forces as a commander of a Field Intelligence unit, Dani went on an 8-month journey across South America. He loves snowboarding, music concerts, and having crazy, breathtaking experiences such as spending 5 days in the Bolivian jungle with no food or water.


Cloudhopper

A talk by Vesa

The Swedish National Defense Radio Establishment was among the first organizations to notice the APT campaign later dubbed Cloudhopper. This presentation will reveal some of the discoveries we made and information about the methods used by the threat actor, as well as some techniques that are useful against a threat of this magnitude.

About Speaker

Vesa has worked for the last 20+ years with IT security from different perspectives at the Swedish national authority for signals intelligence, FRA.


Game Boy hacking – Making the Midnight Sun CTF Game Boy challenge from hardware to software

A talk by Carl Svensson

For the Midnight Sun CTF finals we created a binary exploitation challenge for the Game Boy. This involved hardware modification, low level software, making a game and developing an exploit on the Z80 architecture. This talk will go through the process and various aspects of hacking the beloved game console.

About Speaker

Carl is a security professional and hobbyist currently working as the head of security at the Swedish healthcare startup Kry. He is a frequent CTF player for the Swedish top team HackingForSoju and an active member of the Swedish and international security community, with a great fondness for a broad range of topics, reverse engineering being one of his favorites.


Quantum computing and its impact on the field of cryptology

A talk by Martin Ekerå

The possible future advent of large-scale quantum computing threatens to void the security of asymmetric cryptographic schemes based on the computational intractability of the integer factoring problem (IFP) or the discrete logarithm problem (DLP) in abelian groups.

This implies that virtually all currently widely deployed asymmetric schemes, including but not limited to RSA, finite field Diffie-Hellman (DH), the digital signature algorithm (DSA), elliptic curve DH and elliptic curve DSA, will become susceptible to practical cryptanalytical attacks should large-scale quantum computers materialize. The process of standardizing post-quantum secure replacements for these schemes is already under way.

This talk aims to briefly explain the fundamentals of quantum computing, and to describe the quantum computer algorithms that threaten current asymmetric cryptography, in a manner that is accessible.

Furthermore, this talk aims to describe the rapid transformation that the field of cryptology is currently undergoing in response to the developments in the field of quantum computing, and to advise the community on what actions need to be taken, in what order, and within which approximate time scales, to begin the process of mitigating the quantum threat.

About Speaker

Martin Ekerå serves as the chief cryptographer of the Swedish NCSA, which is part of the Swedish Armed Forces.

He is also a part-time researcher at the Royal Institute of Technology (KTH) in Stockholm, focusing primarily on quantum computer algorithms for cryptanalysis and on algorithms for post-quantum secure cryptography.


Pwning AWS Cloud services

A talk by Mohammed Aldoub

This talk will touch on methods of gaining and keeping access inside AWS cloud environments, and will also showcase some AWS-specific attacks such as attacks against serverless functions (AWS Lambda) (e.g. serverless event injection), attacks against EC2 instances (even without having access to SSH keys!), methods to backdoor compromised AWS accounts, cloud-wide credential theft, and other attacks. This talk will help penetration testers understand the cloud and how its components interact, in order for us to be able to better penetrate and assess risks in cloud environments.

In the talk I’ll also demo my new tool “barq”, the custom AWS post-exploitation tool!

About Speaker

Mohammed Aldoub is an independent security consultant from Kuwait who, in his 10 years of experience, has worked on creating Kuwait’s national infrastructure for PKI, cryptography, smartcards and authentication. Mohammed has delivered security training, workshops and talks in the Netherlands, USA, Czech Republic, Singapore, Dubai, Lebanon, Riyadh and Kuwait, and at global conferences such as Blackhat, Infosec in City, OPCDE, North Security Conference, and others.

Mohammed is now focusing on APIs, secure DevOps, modern appsec, cloud-native security, applied cryptography, security architecture and microservices.

You can find his Twitter account at https://twitter.com/Voulnet and his GitHub at https://github.com/Voulnet


Modchips of the State: Hardware implants in the supply-chain

A talk by Trammell Hudson

Hardware implants and supply chain attacks have been in the news recently, but how feasible are they and what can we do about them? In this talk we’ll examine the design of a proof of concept SPI bus hardware implant that has similar capabilities to those described in the Bloomberg/Supermicro article as well as some countermeasures that we can use to try to detect these “modchips” and increase our trust in our systems.

We don’t know how much of the Bloomberg story about hardware implants installed in Supermicro servers shipped to Apple and Amazon is true, nor do we know the story behind the story and the reasons for the vehement denials by all the parties involved.

However, a technical assessment of the details of the described implants reveals that a supply chain attack on the hardware is definitely possible, that the capabilities of the BMC can be used to bypass OS protections, and that there are means to access the BMC that would not necessarily generate readily identifiable network traffic.

About Speaker

I like to take things apart.

I’m Trammell Hudson, a programmer, photographer, frequent hacker and occasional watchmaker. I enjoy reverse engineering things, restoring antique computers and making things blink. Sometimes I use my Amateur Extra rating (NY3U) and hack on radio and RF projects. I also have other hobbies involving coffee, aviation, sailing and other vehicles. And on the weekends I enjoy teaching classes at NYC Resistor.