SEC-T - 0x0Anniversary

September 14-15, 2017 – Stockholm, Sweden

Talks 2017


Intercepting iCloud Keychain

By Alex Radocea

iCloud Keychain employs end-to-end encryption to synchronise secrets across devices enrolled in iCloud. We discovered a critical cryptographic implementation flaw which would have allowed sophisticated attackers with privileged access to iCloud communications to man-in-the-middle iCloud Keychain Sync and gain plaintext access to iCloud Keychain secrets.

About speaker

Alex Radocea started in Security by testing firms from an office on Wall St at Matasano and playing wargames at wargames.unix.se. He’s worked on Product Security at Apple, Crowdstrike, and most recently the Security team at Spotify before founding Longterm.


Breaking Tizen

Talk Canceled

By Amihai Neiderman

Tizen​ ​is​ ​Samsung’s​ ​newest​ ​OS​ ​for​ ​its​ ​devices​ ​and​ ​considered​ ​by​ ​them​ ​as​ ​the​ ​operation system​ ​of​ ​everything,​ ​aiming​ ​to​ ​run​ ​on​ ​every​ ​device​ ​from​ ​simple​ ​IoT,​ ​mobile​ ​phones, televisions​ ​to​ ​even…Cars. During​ ​the​ ​course​ ​of​ ​a​ ​few​ ​days​ ​I​ ​found​ ​over​ ​40​ ​different​ ​vulnerabilities​ ​in​ ​tizen​ ​-​ ​some​ ​logical and​ ​some​ ​just​ ​classic​ ​(really​ ​classic!)​ ​memory​ ​corruptions​ ​bugs.​ ​I will explain the basics of Tizen OS and present some cherry-picked 0days I have found.

About speaker

Amihai Neiderman is a security researcher in the field of vulnerability research. Amihai has worked on everything from embedded devices, IoT, OS exploitation and web security. In past years he has worked as an independent researcher for various companies and now works as a security researcher for Azimuth security.


Candy and Competence

By Hugo Hirsh

Bringing together lessons from Criminology, Sociology and Behavioral Psychology, this talk focuses on the human elements of creating secure organizations. We discuss embedding security as a part of the culture of an organisation and how to bring it to the forefront of everyone’s mind.

Positive re-enforcement, the Broken Window Theory, and Design Thinking all contribute to creating an environment where security is taken out of the hands of the few and into the hands of the masses. Empowering our users, and our businesses, for the better.

About speaker

Hugo Hirsh is a founding member of the Security Operations team at Kambi, a B2B sports betting company. He is an infrequent CTF player and an even less frequent blogger. He has a passion for learning by doing, and can frequently be found out of his depth. He also tries to help out with Security Without Borders.


Hack the Invisible! Exploiting IoT Devices over Software Defined Radio, ZigBee, WiFi and BLE

By Swaroop Yermalkar

With arrival of new smart devices every day, Internet of Things is one of the most upcoming trends in technology. Most of these devices have component to communicate over Wireless. However many of these devices communicate over proprietary protocols and it’s important to know the process of analyzing and finding flaws in it.

This talk will help you to understand Software Defined Radio, ZigBee, WiFi, BLE (Bluetooth Low Energy) with practical approach for identifying attack surface and exploiting IoT Devices. The talk will cover BLE hardware, ZigBee Sniffing Hardware, SDR Hardware – RTL SDR, HackRF, WiFi Sniffing / Injection hardware, Radio Frequencies Basic, ZigBee Profiles, WiFi, ZigBee, BLE attacks with IoT devices.

About speaker

Swaroop Yermalkar works as a Senior Security Engineer at Philips. His work includes threat modelling, security research, assessment of IoT devices, healthcare products, web applications, networks, Android, and iOS applications.

Swaroop is an OWASP iGoat Project leader and one of the top security researchers worldwide who works with Cobalt.io and Synack.inc. Swaroop has given talks and training at various security conferences, such as Hacks in Taiwan (HITCON), Europeansec, GroundZero, c0c0n, 0x90, DefconLucknow, and GNUnify. He has been acknowledged by Microsoft, Amazon, eBay, Etsy, Dropbox, Evernote, Simple Banking, iFixit, and many more for reporting high-severity security issues in their mobile apps.

He is an active member of NULL, an open security community in India, and is a contributor to the regular meetups and Humla sessions at the Pune, Bengaluru chapter. He holds various information security certifications, such as OSCP, OSWP, SLAE and CEH. Swaroop has written articles for clubHACK magazine and is the author of An Ethical Guide to Wi-Fi Hacking and Security and Learning iOS Penetration Testing (Packt Publishing).


Act Three, The Evolution of Privacy

By Arron Finnon (Finux)

ZOMG not another god-damn privacy talk, i’m fed up of this. When will it ever end? We all know privacy is dead!

STFU, we’ve been saying things like that for too long! Empires have come and empires have fallen, but what part has privacy really played in any of it?

What i can tell you is, what we consider privacy today, isn’t what what was considered privacy a thousand years ago. You could argue, privacy is a learned behaviour of our species that’s less few centuries old. Yet that doesn’t quiet paint the full picture. However what is strange about privacy is, if i deny you your privacy, you will have physiological reactions to this (as well as psychological ones too). Most privacy talks I see are centred around a key premise, that what we have, we will lose, if we don’t stand up for it now, which is true. Yet few of those talks look at privacy from a historical prospective. Can we truly protect something we hold so dear, when we know so little about it’s history?

This talk is a gentle walk down Memory Lane, looking at many civilisations interpretation of what privacy is, and how it has been nurtured, as well as how it has been attacked. After all, “privacy may actually be an anomaly.”

About speaker

Arron “finux” Finnon has been involved in security research and consultation for a over 10 years. Arron has discussed a wide range of security related topics at a number of high profiled international Security/Hacking conferences, as well as producing over 100 security related podcasts. Interviewing countless security professionals as part of the Finux Tech Weekly podcast show. His security research and consultation have helped businesses around the globe better develop the effectiveness of their security posture in detecting and mitigating cyber attacks.

During Arron’s time at The University of Abertay Dundee he was awarded the SICSA Student Open Source Award for his Advocacy of Free and Open Source software for his work whilst president of The UAD Linux Society. A subject matter he is still very passionate about even today.

Arron currently is the Chief Technical Officer for Krohn and Partners where he oversees the technical and security requirements of the business, as well as offering security consultation and services to Krohn and Partners clients.


MEAN stack bugs and vulnerabilities

Talk Cancelled due to visa problems

By Murat Yilmazlar

This presentation will be about the MEAN Stack and how to smash it. MEAN is the new era on web application world. In this presentation the speaker will cover all of the MEAN Stack components vulnerabilities and bugs. And it will be demo at the end of the presentation.

About speaker

Murat works as Penetration Tester at SiberAsist. His main interests are blackbox web application auditing and static analysis. He also supports the open source community. He is also known for bug bounty hunting.


Where Cypherpunk Meets Organized Crime

By Benjamin Brown

Where Cypherpunk Meets Organized Crime: The Shifting Landscape of Underground Economies and Crypto-driven Privacy.

About speaker

Benjamin Brown’s current research focuses on the dark web, cybercrime, cryptocurrencies, and underground digital economies. He also engages in internal and customer incident response, adversarial resilience, and security training. His day job is with Akamai Technologies where he has the opportunity to integrate his anthropology and international relations educations with research into large-scale, internet-level security problems.


Revoke-Obfuscation

By Daniel Bohannon

Attackers, administrators and many legitimate products rely on PowerShell for their core functionality. However, its power has made it increasingly attractive for attackers and commodity malware authors alike. How do you separate the good from the bad? Revoke-Obfuscation is a framework that transforms evasion into a treacherous deceit. By applying a suite of unique statistical analysis techniques against PowerShell scripts and their structures, what was once a cloak of invisibility is now a spotlight. It works with .evtx files, command lines, scripts, ScriptBlock logs, Module logs, and is easy to extend.

About speaker

Daniel Bohannon is a Senior Incident Response Consultant at MANDIANT with over seven years of operations and information security experience. His particular areas of expertise include enterprise-wide incident response investigations, host-based security monitoring, data aggregation and anomaly detection, and PowerShell-based attack research and detection techniques.


Invoke-CradleCrafter

By Daniel Bohannon

Are you a Blue Teamer that feels confident in your ability to detect PowerShell remote download cradles? What about if powershell.exe harness other binaries to actually make the network connection? As a Red Teamer, are you looking for new obfuscation techniques to thwart the Blue Team’s ability to effectively detect your payload delivery mechanisms to powershell.exe?

Invoke-CradleCrafter is a living library of obscure PowerShell remote download cradles that evade many of today’s detections through obscurity, syntax obfuscation, and even the pawning off of network connections to additional Windows signed binaries through COM objects, BITS or even SendKeys. In addition to highlighting over a dozen different PowerShell remote download cradles, I will cover over ten different code invocation syntaxes along with obfuscation techniques completely different from those found in other obfuscation frameworks like Invoke-Obfuscation.

Finally, as an Incident Response consultant with MANDIANT, I will share numerous behaviors and artifacts associated with each cradle that we regularly find during investigations so that both Blue Teamers and Red Teamers can be better educated and equipped when it comes to investigating or employing these various cradles on the job.

About speaker

Daniel Bohannon is a Senior Incident Response Consultant at MANDIANT with over seven years of operations and information security experience. His particular areas of expertise include enterprise-wide incident response investigations, host-based security monitoring, data aggregation and anomaly detection, and PowerShell-based attack research and detection techniques.


Cyber Terrorism

By Kyle Wilhoit

Terrorists have found novel ways to circumvent typical security controls. Examples of these activities come in many forms and can be found everywhere—from using vulnerabilities in software, websites, and web applications as attack vectors, defacing websites to further their political or idealogical viewpoints, all the way to utilizing social networks to convey their messages. No matter what technology or service rolls out in the future, there will always be room for abuse. Terrorist organizations, while taking plays from organized cybercrime or state sponsored entities, are completely different then their counterparts in their methods, ideologies, and motivational factors.

Looking closer at terrorist ecosystems, we attempt to understand terrorist organization’s abuse of technology and online platforms to benefit their cause. We will focus on their methodologies, their use of the “darkweb”, the services they abuse, and the tools they’ve homebrewed to streamline said abuse so that their followers can facilitate their activities much more easily. We will also track financials on the “deep web” attempting to locate financial records of these organizations while also attempting to understand how these organizations are leveraging the “deep web.” We will dive deeply into each of the technologies and how they are used, showing live demos of the tools in use.

About speaker

Kyle Wilhoit is a Sr. Security Researcher (or Purveyor of offensive security) at DomainTools. Kyle focuses on research DNS- related exploits, investigate current cyber threats, and exploration of attack origins and threat actors. Kyle is on the Blackhat Guest Review board, and has spoken at over 50 conferences worldwide, including Blackhat US, Blackhat EU, FIRST, SecTor, Defcon, HiTB, Derbycon, and several more. Kyle is also involved with several open source projects and actively enjoys reverse engineering things that shouldn’t be. Kyle is a co-author on the book Hacking Exposed Industrial Control Systems: ICS and SCADA Security Secrets & Solutions.


Using the ISCSI Protocol to Harvest Unprotected Hard Drives

By Lucas Lundgren

Having problem knowing where to dump your granny pictures? Why not on the internet? Who needs Dropbox when there are just thousands of hard drives out there to waiting to be used? Oh, giddy up, strap up, mount up, and sit down. All your granny pictures are belong to us.

About speaker

Lucas started breaking things at the age of twelve and has reported numerous vulnerabilities since then. A penetration tester for nearly 15 years, Lucas has worked with global security leaders including Sony Ericsson and IOActive. He primarily focuses on penetration testing, fuzzing, and exploit development (any platform, any medium, all the time).


iGoat – A Self Learning Tool for iOS App Pentesting and Security

By Swaroop Yermalkar

OWASP iGoat is a learning tool for iOS developers (iPhone, iPad, etc.) and mobile app pentesters. It was inspired by the WebGoat project, and has a similar conceptual flow to it.

As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.

This talk is all about how iOS developers, security analysts can dive deep into iOS App Security using iGoat tool. This talk will start from setting up iGoat to exploiting latest exploits in iOS app. I’ll also release a major version of iGoat with tons of new exercises at SEC-T 2017.

About speaker

Swaroop Yermalkar works as a Senior Security Engineer at Philips. His work includes threat modelling, security research, assessment of IoT devices, healthcare products, web applications, networks, Android, and iOS applications.

Swaroop is an OWASP iGoat Project leader (https://www.owasp.org/index.php/OWASP_iGoat_Tool_Project) and one of the top security researchers worldwide who works with Cobalt.io (https://app.cobalt.io/swaroopsy) and Synack.inc. Swaroop has given talks and training at various security conferences, such as Hacks in Taiwan (HITCON), Europeansec, GroundZero, c0c0n, 0x90, DefconLucknow, and GNUnify. He has been acknowledged by Microsoft, Amazon, eBay, Etsy, Dropbox, Evernote, Simple Banking, iFixit, and many more for reporting high-severity security issues in their mobile apps.

He is an active member of NULL, an open security community in India, and is a contributor to the regular meetups and Humla sessions at the Pune, Bengaluru chapter. He holds various information security certifications, such as OSCP, OSWP, SLAE and CEH. Swaroop has written articles for clubHACK magazine and is the author of An Ethical Guide to Wi-Fi Hacking and Security and Learning iOS Penetration Testing (Packt Publishing).


Evil Devices and Direct Memory Attacks

By Ulf Frisk

Total physical pwnage and plenty of live demos in this action packed talk! The PCILeech direct memory access attack toolkit was presented at DEF CON 24 and quickly became popular amongst red teamers and governments alike. A year later major operating systems are still vulnerable by default. I will demonstrate how to take total control of Linux, Windows and macOS by PCIe DMA code injection. Kernels will be subverted, full disk encryption defeated, file systems mounted and shells spawned! All this by using affordable hardware and the open source PCILeech toolkit.

About speaker

Ulf Frisk is a pentester working in the Swedish financial sector. Ulf focuses mainly on online banking security, penetration testing and it-security audits during daytime and low-level coding during nighttime. Ulf has been working professionally with security since 2011 and has a dark past as a developer.


Cryptocurrencies

By Benjamin Brown

Cryptocurrencies: You keep using that word, anonymity. I do not think it means what you think it means.

About speaker

Benjamin Brown’s current research focuses on the dark web, cybercrime, cryptocurrencies, and underground digital economies. He also engages in internal and customer incident response, adversarial resilience, and security training. His day job is with Akamai Technologies where he has the opportunity to integrate his anthropology and international relations educations with research into large-scale, internet-level security problems.


Data Demolition: Gone in 60 Seconds

by Zoz Brooks

Organizations know the importance of destroying retired physical data storage units: the waste stream has the potential to be a major leak of security-relevant information, to competitors, criminal organizations and the public. Hackers have long appreciated the insights to be gleaned through trashing! But the volumes of data stored today make this process difficult to accomplish instantaneously, and data in the wrong hands is money. If you manage data that might be at risk of physical attack by criminal agents, could there be a way to ensure its physical destruction in under 60 seconds at the flip of a switch? In this research I investigate multiple paths to forensic-resistant elimination of physical media via thermal, kinetic and high voltage methods. Both magnetic and flash storage devices are investigated, requiring the development of new techniques for high explosives manufacture, delivery and encapsulation. Surprising results will be presented.

About speaker

Zoz is a hacker, robotics engineer and pyrotechnician with broad interests in software, hardware and security applications. He has taught subjects including robotics, digital fabrication, cybersecurity and ethical hacking at top international universities and as a private industry consultant. He has hosted and appeared on numerous international television shows including Prototype This!, Time Warp and RoboNationTV, and speaks frequently at prominent security and hacking conferences including DEF CON, HackCon and BruCon. He believes that your digital data is part of your human right to privacy and is yours to secure or destroy at will.


Security in GCP

by Carly Schneider

The cloud has become given internal developers the tools they need to work quickly and efficiently. They can create vms, manage databases, change firewall rules, open buckets to everyone in the world, and even add personal accounts to company projects. While some of these behaviors are expected others range from honest mistakes to malicious. In order to get a good idea of what is going on in our cloud we have been working nonstop to figure out what are the most important tools to monitor the cloud and then creating and open sourcing our learnings and work.

About speaker

At work Carly is a security engineer for Spotify in Stockholm. She has worked in both New York and Stockholm for the team.  Before this she interned at Google on Safe Browsing. She went to school at Binghamton University and while there studied abroad at Chalmers. At night she loves hacking all the things including stack smashing, reverse engineering, and most recently hardware hacking.


The HTTP GET attack

by Hanno Böck

A surprisingly simple attack can lead to devastating consequences: By simply trying to download files with common filenames one can find all kinds of things on web servers: Database dumps, Git repositories, private keys for HTTPS certificates, FTP and MySQL credentials.

About speaker

Hanno is a freelance journalist and hacker. He regularly covers IT security topics for the German IT news site Golem.de and other publications. He writes a monthly newsletter about TLS and runs the Fuzzing Project, an effort supported by the Core Infrastructure Initiative to improve the security of free and open source software.


Snakeoil Factory Inc: Risk Intelligence and Threat Intelligence

by Michael Goedeker (1D10T / Hakdefnet)

This talk is focused on discussing some of the APT38 stuff we have been tracking since 2014, we will also talk about the basics of forensics and how we can apply this to gathering information and evidence collection.

About speaker

Michael is the founder of Hakdefnet and security researcher focused on detecting and defending against “Cyber” Espionage, Warfare and (in some cases) Crime. Research is focused on finding vulnerabilities in IoF and all that jazz. He also work on various “Security” projects focused on Threat / Risk Detection using my own security technology based on Opensource and a dazzling few scripts that do some stuff. He loves breaking stuff and then putting them back together again with some missing screws and other components.


Lightning talks:

Michael Goedeker: TBA

Michael is the founder of Hakdefnet and security researcher focused on detecting and defending against “Cyber” Espionage, Warfare and (in some cases) Crime. Research is focused on finding vulnerabilities in IoF and all that jazz. He also work on various “Security” projects focused on Threat / Risk Detection using my own security technology based on Opensource and a dazzling few scripts that do some stuff. He loves breaking stuff and then putting them back together again with some missing screws and other components.

KalleZ: Exploiting a non-vulnerability

What if you took the silliest issue you could find, present in almost all web applications and turned it into something exploitable? Could the
behemoths of the internet have missed this, or do they simply not care?

Either way, it’s time to exploit the invulnerable! Attack giant corporations (well, sort of)! Play stupid tricks on your friends, foes and colleagues! Reckless live demos ahoy!

Kalle is an adventurer and explorer in the bizarre and wonderful realm of application security. For as long as anyone can remember, he has been on Sentor’s payroll, going on remote explorations  deep into this domain to bring back esoteric exploit artifacts and curious tales of hostile native applications.

Mathias Karlsson: Cache me if you can

2 years ago ServiceWorker functionality was introduced to blur the line between what’s online and what’s offline in the browser world. But what if I told you that ServiceWorker had an older brother, lurking in the shadows, silently making modern web applications prone to attacks?

Mathias “avlidienbrunn” Karlsson is a web security fiddler who likes to dwell in the web security world, collecting anomalies that are seldom useful, but always interesting. When the stars align and they’re useful, he puts them to use in bug bounty programs, literally for fun and profit!


Above list of speakers and topics is complete but might still change at any notice because humans. 🙂