SEC-T - 0x0F

12th-15th of September 2023

Talks


Colorful Vulnerabilities – How changing the colors of your keyboard might lead to privilege escalation

A talk by Tal Lossos & Eran Shimony

Have you ever felt excited about using a brand-new gaming keyboard? Have you dreamed of how you can increase your actions per minute while having many cool bright colors? Often we do not think about the repercussions of the peripheral devices we use, which might be a problem. In this session, we will outline our research process – analyzing and investigating Razer’s Linux kernel module, followed by finding a number of bugs that are oddly determined by the number of RGB colors you have, affecting the kernel itself.

About Speakers

Tal Lossos is a Security Researcher at CyberArk Labs with years of experience in kernel module development with a deep interest in OS internals and currently focuses on bug hunting in the Linux kernel. In his recent works, Tal discovered multiple vulnerabilities in drivers causing elevation of privilege. Besides tinkering around with the kernel, he enjoys CrossFit.

Eran Shimony is a Principal Security Researcher at CyberArk Labs with an extensive background in security research that includes years of experience in vulnerability research on multiple platforms. He previously spoke at HITB, Sec-t, No Hat, HITB RSA, and more. Eran has discovered several dozen acknowledged vulnerabilities across major vendors including Microsoft, Intel, and Samsung. Besides finding security bugs, he enjoys mixing and, of course, drinking cocktails and listening to heavy metal.


I See What You’re Watching on SVT Play: Fast Identification of DASH Encrypted Network Traces

A talk by Romaric Duvignau

We present an attack capable of identifying streamed content from the web service SVT Play even when the said content is encrypted by HTTPS. The attack relies on finding recognizable and predictable patterns produced by the DASH streaming protocol in the packet traces. After building a 100k fingerprint database from all SVT videos, any video watched by nearby streamers can be recognized in as little as 15 seconds of packet capture. The viewing timestamp is also recovered, making the attackers capable of mirroring the encrypted streamed content live on their own device simply via calls to the SVT play API.

An open-source implementation of our prototype is publicly available at https://github.com/embeage/streaming-identification.

About Speaker

Romaric Duvignau is an Assistant Professor in the Computer and Network Systems division of the Department of Computer Science and Engineering at Chalmers University of Technology, Gothenburg, Sweden. He received his Ph.D. degree in computer science from the University of Bordeaux (LaBRI), France, in 2015. His research interests include cyber security, passive network attacks, network trace analysis, 5G core network architecture, data stream processing, edge computing, p2p networks and continuous distributed monitoring.

For more information, see http://www.cse.chalmers.se/~duvignau/.


Pwned in Space

A talk by Paul Coggin

In this presentation we will discuss both theoretical and real-world examples of space systems cybersecurity issues. There are many components and systems that may be targeted in a space system by adversaries including ground station systems, satellites and space vehicles. This presentation will step through attack trees for targeting space systems. Examples of real-world cybersecurity events involving space assets will be covered. Recommendations for improving the security of space systems will also be presented.

About Speaker

Paul Coggin is a Cyber SME at nou Systems, Inc. His expertise includes attacks on and defenses of space systems, service provider, and ICS/SCADA network infrastructure, as well as large complex network design and implementation. Paul is experienced in leading network architecture reviews, vulnerability analysis, and penetration testing engagements for service provider, enterprise, space systems and tactical networks. Paul is a regular instructor at international conferences teaching networking, hacking and forensics courses. He has a BS in Math/Computer Science, MS in Systems Management, MS in Information Assurance and Security and an MS in Computer Information Systems. In addition, he holds numerous industry network and security certifications.


JavaScript Prototype Poisoning, an unexplored bug-class, and it’s everywhere

A talk by Christoffer Jerkeby & Anton Linné

A JavaScript prototype mutation vulnerability is a bug that occurs when the input data contains a structure resembling an object that is instantiated by the receiving application. The vulnerability can lead to Denial of Service, flow control alteration, input validation bypass and, in the worst case, arbitrary code execution. The vulnerability is commonly found when the application receives JSON input but can apply to any type of structured format that supports nesting. The presentation will cover demonstrations of current vulnerabilities and how they are exploited.

About Speakers

Anton and Christoffer are independent security consultants. Anton is a JavaScript security expert with in-depth comprehension of lingual quirks and typical pitfalls. Christoffer has previously presented language flaws in both Aruba and F5 products. This time they both join forces and present this unexplored bug class found during a penetration test.


Hacking your dishwasher, or cloudless Home Connect appliances

A talk by Trammell Hudson

Why does your dishwasher, laundry or coffee-pot need to talk to the cloud? In this presentation, Trammell Hudson shows how he reverse engineered the encrypted connections between Home Connect appliances and the Bosch-Siemens Cloud servers, and how you can control your own appliances with your self-hosted MQTT home automation system by extracting the devices’ authentication keys and connecting to their local websocket ports. No cloud required!

About Speaker

I like to take things apart.

I’m Trammell Hudson, a programmer, photographer, frequent hacker and occasional watchmaker. I enjoy reverse engineering things, restoring antique computers and making things blink. Sometimes I use my Amateur Extra rating (NY3U) and hack on Radio and RF projects. I also have other hobbies involving coffee, aviation, sailing and other vehicles. And on the weekends I enjoy teaching classes at NYC Resistor.


Russian Cyber Warfare in Ukraine

A talk by Mattias Wåhlén & Nicklas Keijser

We will discuss details of 3 Russian wiper malware used in cyberattacks against Ukraine during the conflict, how they were employed, how they differ and how this relates to the physical war in Ukraine. We will show how the Russian cyber war in Ukraine was integrated in the kinetic war, where it succeeded, where it failed and maybe why we haven’t seen more written about it.

About Speakers

Mattias Wåhlén is a Threat Intelligence Expert at Truesec. He has almost 35 years of experience in Swedish Intelligence, both FRA and MUST. He has 15 years of experience in analyzing cyber threat actors at Försvarets Radioanstalt and now at Truesec, both cybercrime syndicates, cyber espionage groups and cyber warfare units.

Nicklas Keijser is a Threat Research Analyst at Truesec. This involves a lot of reverse engineering and looking into all things malware. Nicklas is also a subject matter expert within industrial control systems and anything security related to them, having started his career programming PLCs and SCADA systems and almost anything industrial possible. Before joining Truesec, Nicklas worked at the Swedish National CERT within the Swedish Civil Contingencies Agency.


Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All

A talk by Jonathan Leitschuh

Hundreds of thousands of human hours are invested every year in finding common security vulnerabilities with relatively simple fixes. These vulnerabilities aren’t sexy, cool, or new, we’ve known about them for years, but they’re everywhere!

The scale of GitHub & tools like CodeQL (GitHub’s code query language) enable one to scan for vulnerabilities across hundreds of thousands of OSS projects, but the challenge is how to scale the triaging, reporting, and fixing. Simply automating the creation of thousands of bug reports by itself isn’t useful, & would be even more of a burden on volunteer maintainers of OSS projects. Ideally the maintainers would be provided with not only information about the vulnerability, but also a fix in the form of an easily actionable pull request.

When facing a problem of this scale, what is the most efficient way to leverage researcher knowledge to fix the most vulnerabilities across OSS? This talk will cover a highly scalable solution – automated bulk pull request generation. We’ll discuss the practical applications of this technique on real world OSS projects. We’ll also cover technologies like CodeQL & OpenRewrite (a style-preserving refactoring tool created at Netflix & now developed by Moderne). Let’s not just talk about vulnerabilities, let’s actually fix them at scale.

About Speaker

Jonathan Leitschuh is a Software Engineer and Software Security Researcher. He is the first ever Dan Kaminsky Fellow. Jonathan is best known for his July 2019 bombshell Zoom 0-day vulnerability disclosure. He is amongst the top OSS researchers on GitHub by advisory credit. He’s both a GitHub Star and a GitHub Security Ambassador. In 2019 he championed an industry-wide initiative to get all major artifact servers in the JVM ecosystem to formally decommission the support of HTTP in favor of HTTPS only. He has spoken at BSides, Shmoocon, Black Hat, & DEFCON.


Crypto Vuln Cornucopia – From the archives of Team Kairos – Enhanced Edition

A talk by Eric Michaud & Tom Smith

A disclosure talk covering some vulnerabilities Team Kairos discovered in various crypto projects over the last year. From accelerating hardware wallet cracking by orders of magnitude, cracking wallets of a non-custodial crypto wallet project, to a full chain RCE in crypto wallet software.

About Speakers

Eric Michaud is an expert in physical and cybersecurity with over 15 years of experience. He was a computer and physical security analyst at Argonne National Laboratory, where he worked on nuclear security, counter-proliferation tools development, and voting machine security. He is currently Partner and CEO of Unciphered, a cryptocurrency recovery and vulnerability research company.


Four Horsemen of Cyberwarfare: 4) Pestilence – An Informational Vulnerability Turned into a Weapon of Mass Destruction.

A talk by Lucas Lundgren

A vulnerability marked as Informational, since the vendor stated that it’s working as intended, put the entire Internet at risk, where anyone with a little bit of knowledge could demolish our infrastructure and cause damages amounting to billions. Combine this with the ability to backdoor firmware and steal valuable information from entities like weapons manufacturers and banks. I bring you Pestilence, one of the four horsemen, which is still active today.

About Speaker

Lucas Lundgren started breaking things at the age of twelve, and has reported numerous vulnerabilities since then, working with global security leaders including Sony Ericsson and IOActive.

Primarily focused on penetration testing, fuzzing, and exploit development, Lucas has a passion for IoT and Smart Technology. He has started his own company, Skullkey, with a vision to make the world a little bit safer today than it was yesterday.


Popopizza – How to break the Dutch police bodycams for fun and pizza

A talk by Edwin van Andel

The Dutch police have been trying to collaborate with ‘private partners’, including the Dutch hacker community in the Netherlands, for years now (the great Public Private Partnership or PPP), with mild success. So when they asked us what they could organise to get to know us, we replied with “invite us to hack police shit and eat pizzas”. We thought we would never hear from them again. Surprise surprise, they eventually invited us in. So we created a team consisting of brilliant hard- and software hackers from the Dutch hacking community and went to the Amsterdam police station to try and hack some of their obsolete bodycams. Did we succeed? Come and find out and prepare to laugh your ass off!

About Speaker

Edwin van Andel started hacking at the age of 13. Although he is now CTO of hacker company Zerocopter, his relationship with the hacker community is still the main driving force in his life. His dream to bring the brilliant minds of all hackers he knows together in one room and to hack everything that is brought in is something that he is getting closer and closer to. In addition, together with the “Guild of Grumpy Old Hackers”, he is actively guiding and leading young hackers in the right direction in order to create his ultimate goal – a safe society through a safer internet. Next to all this he is known as the organizer of Defcon group Defcon3120 (Amsterdam) and from Darknet Diaries episode 87 – Hacking Trump’s Twitter in 2016.


Project TEMPA – Demystifying Tesla’s Bluetooth Passive Entry System

A talk by Martin Herfurt

Tesla vehicle security has been a hot topic over the last few months and years. Tesla always strives to be particularly innovative when it comes to technical challenges. Since 2018 some Tesla vehicles can be controlled using the official Tesla app on a smartphone. This so-called “phone-as-a-key” feature has been integrated into several newer Tesla models since then.

This talk deals with the protocol that is used for communication between the vehicle and the smartphone. On the one hand, the underlying functionality is highlighted, on the other hand, hidden errors in the protocol that can lead to the theft of a vehicle are revealed.

About Speaker

Martin is an independent security researcher focusing – but not exclusively – on various aspects of product security related to Bluetooth wireless technology. As one of the co-founders of the trifinite.group, Martin worked with the Bluetooth SIG, helping the technology and its adopters overcome early design and implementation issues. Martin holds a master’s degree in telecommunications engineering from the University of Applied Sciences in Salzburg. During the last year, he spent his free time investigating security issues with Tesla vehicles. As part of his fascination with rapid developments in IT technology, Martin has been a regular participant and speaker at the Chaos Communication Congress (CCC) and other international IT security conferences since 1997.


Secure your code like NASA with Security as Code (SaC)

A talk by Joseph Katsioloudes

Following the lessons learnt from two missions of NASA to Mars, Security as Code (SaC) is the methodology of codifying security tests, scans, and policies. Security is implemented directly into the CI/CD pipeline to automatically and continuously detect security vulnerabilities. Adopting SaC tightly couples application development with security and vulnerability management, while simultaneously enabling developers to focus on core features and functionality. More importantly, it improves the collaboration between Development and Security teams and helps nurture a culture of security across the organization.

In this session, we will review lessons learned from DevOps to implement a successful DevSecOps culture, in particular how we can make developers contribute security checks with the SaC approach. We will introduce CodeQL, a language that allows us to implement security checks with code, and will demo how we can code queries for vulnerabilities and misconfigurations so they can be identified as soon as they hit your CI/CD pipeline.

About Speaker

Joseph Katsioloudes and his team at the GitHub Security Lab work at the forefront of Open Source Security and they shape it every day with 331 CVEs published in the last 26 months. He chose this career path because from a very young age, security was his own way to provide ethical and dedicated service to organisations and the society as a whole. Joseph holds two engineering degrees, a Bachelors of Engineering in Computing from Imperial College London and a Masters in Cyber Security Engineering from the University of Warwick.

His most recent contributions to the Open Source Security ecosystem include the YouTube series “SecurityBites” where he educates developers how to avoid common software flaws. Previous highlights include a zero-day vulnerability for a Top 10 Cryptocurrency in 2018 as part of his university Thesis and open-source contributions to OSINT & Blockchain.


When SysAdmin and Hacker unite: 21 One-Liners to make you convert from bash to Powershell

A talk by Yossi Sassi

Gotta love those one-liners! We all use Bash everywhere for everything, yet rarely do sys admins & hackers realize the real potential of PowerShell as a quickn’dirty “hacking tool” (open sourced on Mac/Linux/Windows). It has evolved greatly in the last decade to become the tool of choice for Windows Post-Exploitation for many, yet also for Sys Admins it is a dream of functionality and, well, ‘Power’. Indeed, with great power(shell) comes great responsibility. Join this fun session with highly technical hands-on demos, covering attacks, defending, forensics, malicious vectors, cryptography and other security & management related hacks! Scanning the entire internet, running fileless in memory without touching disk, running PowerShell without PowerShell and more, including bypassing all PowerShell defenses in.. mmm, well, creative ways 🙂

About Speaker

Seasoned InfoSec researcher and hacker with 30+ years of experience. When not playing guitar at the world’s rock festivals or flying airplanes, Sassi has accumulated extensive experience in information security for over 3 decades, in Red-Blue team assessments for banks/Military/Government/Fortune 100, conducting DF/IR investigations and more. Ex-member of Javelin Networks (acquired by Symantec in 2018), developing a unique deception solution for Active Directory. Worked for Microsoft for 8 years as Technology Group Manager and coded support tools for Windows Server. Sassi spoke at TED and TEDx events, and was awarded 4 Peace and Friendship awards. Sassi holds an M.A. in law, CISSP etc., and speaks regularly at various security conferences worldwide.


Nation-state actors… No, it’s not all about phishing

A talk by Anastasios Pingios

The vast majority of threat research on nation-state actors reports initial access through various forms of phishing, but is this actually the case? This research looks into nation-state cyber operations from a different perspective: studying leaked material to identify how prominent phishing attacks are compared to other methods, and what those other initial access methods are. The objective of the presentation is to provide some food for thought on whether or not we are looking for APT activity in the right places, and which those places are in case you want to invest in security against advanced actors.

About Speaker

Since the early 2000s Anastasios has been involved with cyber security, starting from the offensive side of vulnerability research and exploit development and gradually moving to the defender’s side in the areas of incident response, digital forensics, and security engineering. In the process he acquired some industry accreditations along with an M.Sc. in Secure Computing Systems. In the last few years Anastasios has been focusing more on the intelligence domain, and he is currently working as Head of Infrastructure Security at Booking.com.


eBPF ELFs JMPing Through the Windows

A talk by Richard Johnson

eBPF tracing is a hot new technology in the EDR and infrastructure space providing high speed instrumentation and telemetry on events, processes, and network connections. Last year, Microsoft released a completely new implementation of an eBPF tracing system for Windows which is destined to become a primary telemetry provider in the near future.

eBPF for Windows has a complex architecture that leverages program analysis to verify unsigned user code via abstract interpretation before running it in a kernel context so integrity of the software is paramount. This research will be the first public work to analyze the new eBPF for Windows implementation for security vulnerabilities.

Our presentation will discuss the capabilities and security model of eBPF for Windows followed by details of the design and attack surface which will include the eBPF API, the trusted static verifier and JIT engine, and the kernel implementation of trace hooks and telemetry providers. During our deep dive into the implementation details we will uncover vulnerabilities at multiple layers and discuss how they were found with demos of fuzzing Windows eBPF components and real-time bug discovery.

About Speaker

Richard Johnson is a computer security specialist with a focus on software vulnerability analysis. Currently Senior Principal Security Researcher at Trellix and Chief Research Officer at Fuzzing IO, Richard offers over 20 years of professional expertise and leadership in the information security industry. Current responsibilities include zero-day vulnerability research and development of advanced fuzzing and automated reverse engineering solutions. Prior to Trellix, he built security research and bug hunting teams for Oracle Cloud and Cisco Talos. Richard has delivered training and presented annually at top-tier industry conferences for over 15 years at several leading events including Black Hat, Defcon, Hack in the Box, RECON, and OffensiveCon. Richard was co-founder of the Uninformed Journal and has been on program committees for USENIX WOOT, RECON, and Toorcon.


Thinking About The Unthinkable

A talk by Mikko Hyppönen

The internet is the best and the worst thing that has happened during our lifetime. It has brought us amazing upsides, but at the same time exposed us to completely new kinds of risks. For example, organized cybercrime gangs are bigger than ever. Technology also shapes our conflicts and crises. Geopolitical crises extend to cyberspace, and cyberspace has no borders. What kind of attacks have effects beyond the battlefields? What will the next arms race look like? And what does the future hold for us?

About Speaker

Mikko Hyppönen is a global security expert. He has written on his research for the New York Times, Wired and Scientific American and lectured at the universities of Oxford, Stanford and Cambridge. His latest book is “If It’s Smart, It’s Vulnerable”. Mr. Hyppönen works as the Chief Research Officer for WithSecure.