SEC-T - 0x0F

12-15th of September 2023

Talks

Tails (Fails) from the trenches 2021

A talk by Edwin van Andel

Edwin van Andel will take you on a ride through the beautiful, but sometimes scary, woods of bugs, fails and wonders, located in the misty valley of infosec.

There will be tales of misdirected focus. There will be burning arrows flying towards the anonymous clientele of Zerocopter’s bug-bounty and coordinated vulnerability disclosure platform. And we will gaze at the sunset over the immortal fields of stupidity.
Edwin will discuss and give examples of beautifully chained exploits, utterly stupid designs, fails and the always funny owner’s responses. Fun, laughter and tears as we cool off and swim together in IoT-infested waters. While always reflecting back to the key of all his presentations: Hackers can help.

Will you hop on for a 45 minute 2021 fully updated ride through these hidden woods? Visual stupidity included as always!

About speaker

Edwin van Andel started hacking at the age of 13. Although he is now CEO of hacker company Zerocopter, his relationship with the hacker community is still the main driving force in his life. His dream to bring the brilliant minds of all hackers he knows together in one room and to hack everything that is brought in is something that he is getting closer to.

In addition, together with the “Guild of Grumpy Old Hackers”, he is actively guiding and leading young hackers in the right direction in order to create his ultimate goal – a safe society through a safer internet.


Gone in 45 minutes… War stories from incident response

A talk by Fabio Viggiani and Fredrik STÖK Alexandersson

A story-driven technical session, mixing incident response, forensic analysis, malware reversing, recovery operations, and threat intelligence research. We will share our learnings from investigations of attacks conducted by cybercriminals and state-sponsored actors, by walking you through exciting war stories from incident response missions we conducted during 2020 and 2021.

Getting that phone call telling you to get ready to start an incident response mission. High stakes, adrenaline rising, and a lot of potential things that can be done, but time is critical. Where do you start? What do you do?

We want to share our learnings from the many incident response missions we have done, to help you look for the right things and save time. We will dig through some stealthy implants we came across, recovery operations where we learned important lessons, as well as some effective tricks such as extracting RDP cache data to reconstruct the visual desktop of the threat actor.

Based on indicators collected from investigations, we will talk about how we can follow the threat actor and their operations, what we can learn from it, and how to use threat intelligence to enhance anything from Red Team to incident response.

About speakers

Fabio leads advanced incident response missions at Truesec and has extensive experience in Red Team assignments as well as traditional penetration tests. He also does threat intelligence research, and he works closely with the Truesec Security Operations Center, focusing on Threat Hunting and detection. This gives him a strong insight into the current threat landscape and the latest attacks and detection techniques.

STÖK is a hacker and creative with over 25 years in the IT Industry. STÖK is passionate about Cyber Security Awareness and creates educational cybersecurity related video content. Educational content that inspires and helps the audience to level up their Cyber Security game. When he’s not hacking Fortune 500 companies for bounties or creating educational cybersecurity related video content, he runs a sustainable fashion brand and is a part of the Truesec Offensive Security Team.


Exploring memory corruption in real-time operating systems

A talk by Lars Haulin

Real-time operating systems (RTOSes) are very specialized for their purpose. They are highly optimized and often written in a low-level programming language to be fast, but this also makes memory corruption vulnerabilities an issue to consider.

There are many RTOSes available, and many have mechanisms in place to mitigate the exploitability of memory corruption, but how effective are these mitigations?

This talk will present some common RTOSes, show their internal memory layout and shared features and what exploit mitigations they provide.

The talk will also introduce a dockerized playground framework to hands-on explore the internals of some RTOSes and their protection mechanisms.

About speaker

Lars Haulin is a cybersecurity engineer with a passion for Embedded Systems and electronics. He has previously worked with pentesting and embedded development, but is currently more into threat modeling, education and network security.

Lars is an experienced CTF player, and has been a member of the top Swedish CTF team HackingForSoju since it was founded in 2010. He also coaches a student CTF-team at Uppsala University.


My Fuzzy Driver

A talk by Mark Cherp and Eran Shimony

Drivers are everywhere; it does not matter if you use Linux, Android, Windows, or Solaris :). They are a prime target for vulnerability research because of their high level of privilege and the fact that they are accessible from user-land. By harnessing the power of a great fuzzer, kAFL that is, using the advanced technology of Intel PT, and sugar coating it with some driver-specific grammar, we set out on a journey to find bugs in modern kernel code, agnostic to the source code.

About speakers

Eran is a security researcher at CyberArk with an extensive background in security research that includes years of experience in malware analysis and vulnerability research on multiple platforms. He previously spoke at HITB Amsterdam, DeepSec and No Hat. Eran has several dozen acknowledged vulnerabilities across major vendors, like Microsoft, Intel, Samsung, and many others. Besides finding security bugs, he enjoys mixing and of course drinking cocktails.

Mark Cherp is a security researcher at CyberArk, who takes a special interest in low-level, kernel-space attack vectors and is very enthusiastic about fuzzing and other automation techniques for bug discovery. Mark previously worked at Microsoft, Check Point, and several other companies in the Israeli cyber industry. He has had the chance to tackle multiple vulnerability research domains such as cloud, network, mobile, and other endpoints.


An Intelligence-Driven Hunting Methodology Featuring a North Korean APT

A talk by Assaf Dahan, Tom Fakterman and Lior Rochberger

In this session, we will share an intelligence-driven hunting methodology that was developed to uncover the very same threats that wish to remain in the dark. We will provide a case study detailing how we discovered a cyber espionage campaign carried out by the infamous North Korean Kimsuky APT group and by the end of the session – you too will be hunting experts.

About speakers

Assaf has over 15 years in the InfoSec industry. He started his career in the Israeli Military 8200 Cybersecurity unit where he developed extensive experience in offensive security. Later in his career he led Red Teams, developed penetration testing methodologies, and specialized in malware analysis and reverse engineering.

Tom is a Threat Researcher at Cybereason, focusing on threat hunting and malware research. Tom began his career as a security analyst in the security operations center of the Israeli Air Force, where he mostly focused on incident response and malware analysis.

Lior is a senior threat researcher at Cybereason, focusing on threat hunting and malware research. Lior began her career as a team leader in the security operations center of the Israeli Air Force, where she mostly focused on incident response and malware analysis.


Demystifying the MacOS Attack Chain

A talk by David Jacoby

What actually happens when you click on a malicious link or open that attachment? What about the debate that MacOS is more secure than, for example, Windows? In my presentation I will go through a MacOS Attack Chain by doing a live hacking session showing Userland rootkits, techniques for Userland phishing, obtaining root access, bypassing password managers and much more.

About speaker

Hacker and Coder who is currently working as Deputy Director of the European Global Research and Analysis Team for Kaspersky Lab.

Has been doing IT-security for 25+ years, focusing on penetration testing, vulnerability research, fighting cybercrime, Threat and Vulnerability Management, and has had the opportunity to speak at some of the world’s largest conferences.

In addition to this I am also the technical advisor for the continuation of the Millennium books written by David Lagercrantz and have also been included in multiple other books such as “A Guide to Kernel Exploitation: Attacking the Core”, “Generation 500”, “Svenska Hackare” and “The ABC of IT-security”.


DIY cheap gigabit data diode

A talk by Magnus

Tired of expensive and hard-to-get data diodes, Magnus decided to build his own data diode from readily available off-the-shelf components. In this talk he will show how to make your own gigabit optical data diode for less than 1000 SEK. With the talk he will also publish open source code for mirroring files and folders over a data diode.

About speaker

Magnus has spent the last 25 years building software for the Internet and has a strong interest in privacy, security and all things connected. He is a true full-stack dev coding everything from kernel to frontend and loves hacking and modding software and hardware. His code is running on millions of computers including machines inside top tech giants. Magnus is the co-founder of the 0xFF community and runs his own business Klockcykel.


Practical Mobile app attacks by Example

A talk by Abraham Aranguren

A significant amount of confusion exists about what kind of damage is possible when vulnerabilities are found in mobile apps. This talk aims to solve this problem by providing a broad coverage of Android and iOS app vulnerabilities identified over multiple years of penetration testing. The purpose is to provide a comprehensive repertoire of security anti-patterns that penetration testers can look for and mobile app developers can watch out for to avoid.

About speaker

After 13 years in itsec and 20 in IT, Abraham is now the CEO of 7ASecurity, a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Security Trainer at Blackhat USA, HITB, OWASP Global AppSec and many other events. Former senior penetration tester / team lead at Cure53 and Version 1. Creator of “Practical Web Defense” – a hands-on eLearnSecurity attack / defense course (www.elearnsecurity.com/PWD), OWASP OWTF project leader, an OWASP flagship project (owtf.org), Major degree and Diploma in Computer Science, some certs: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+. As a shell scripting fan trained by unix dinosaurs, Abraham wears a proud manly beard. He writes on Twitter as @7asecurity @7a_ @owtfp or at 7asecurity.com/blog. Multiple presentations, pentest reports and recordings can be found at 7asecurity.com/publications.


Animated stickers done right 📈: the new native Telegram attack surface in your pocket 📉

A talk by polict

End-to-end encrypted instant messaging apps have taken over the last few years, but some of the good ol’ pitfalls are still hanging around: shiny image formats and memory corruptions. We’ll walk through Telegram’s implementation of animated stickers in E2EE chats and how I’ve found 13 1-click 0days via structure-aware fuzzing.

About speaker

Director of research at Shielder, polict likes to understand the underlying design of new features – then break them. You might have met him backpacking through the world before the pandemic. Do suggest niche extreme sports to him (no, reversing rust is not a valid answer).


Sticks and Stones, Breaking Bones: Millions of medical images are exposed online. Let’s take a look

A talk by Lucas Lundgren

PACS and DICOM are used in the medical field to process and handle x-ray images, amongst others. As always, the protocol is old.

Updating it is problematic, but what happens if it’s exposed to the internet (spoiler: it is)? And what happens if there is no password?

What can we do? What can we see? And what can we alter?

About speaker

Lucas Lundgren started breaking things at the age of twelve, and has reported numerous vulnerabilities since then, working with global security leaders including Sony Ericsson and IOActive. Primarily focused on penetration testing, fuzzing, and exploit development, Lucas has a passion for IoT and Smart Technology.


False Flag – dealing with a tainted crime scene

A talk by Leif Nixon

The Large Hadron Collider at CERN is supported by a large global cooperative infrastructure for scientific computing. Securing this infrastructure means preventing, detecting, and resolving security incidents as early as possible, while trying to overcome technical, organizational and cultural challenges. Working in this environment is a rollercoaster ride where you never know what will happen next.

One day, for example, it was discovered that a number of European supercomputers were all mining Bitcoin. This is the story about that incident, about French bureaucracy, and how the culprit was eventually identified.

Oh, and quite a lot of low-level filesystem forensics.

About speaker

Leif Nixon has been dabbling in IT security since the previous millennium. He has alternately hacked and defended all sorts of stuff, ranging from thermostats to supercomputers. This has left him depressed, embittered and cynical. These days, he works at Sectra Communications, defending critical infrastructure.


The latest crypto achievements from the FRA

A talk by Vesa Virta

The latest crypto breakthrough from the FRA that we are allowed to talk about.

After invading Norway in 1940 the German Wehrmacht demanded to use Swedish telegraphy wires for communication to Berlin. This gave Swedish intelligence an opportunity to intercept information, provided that the German crypto device “der Geheimschreiber” could be cracked.

About speaker

Vesa is a museum guide at the National Defense Radio Establishment in Sweden. With 25 years of experience in the IT-security/intelligence arena he has some interesting stories that he unfortunately can’t share. However, infosec as a field is older than the Internet, and there are some cool stories to be told that are no longer classified.