SEC-T - 0x0G

10-13th of September 2024

Talks

RCE and the Full Cluster Breach: Don’t Let Your Security Be the Punchline of a Joke

A talk by Jesper Larsson

“RCE and the Full Cluster Breach” is a humorous and informative talk that demonstrates how seemingly small authentication vulnerabilities can lead to a full cluster breach. Attendees will learn about post-exploitation techniques and gain practical advice on securing their clusters.

About Speaker

Jesper Larsson is a freelance IT security researcher and penetration tester focused on cloud and infrastructure security. Jesper is a member of the renowned penetration testing firm Cure53, where he works for multinational clients spanning several fields, helping companies and foundations implement secure infrastructures worldwide. Jesper has also made an appearance in the movie industry, participating as one of the hackers in the SVT production “Hackad”. Furthermore, he is one of the co-founders and organizers of SecurityFest, a technical IT security conference on the Swedish west coast, and of Säkerhetspodcasten, Sweden’s first IT-security-focused podcast.


Methods of Lateral Movement using Windows OpenSSH

A talk by Matthew Lucas

Windows’ recent ports of OpenSSH allow admins to access their Windows estate with the same tools as their Linux estate. This talk will show how a misconfigured Windows SSH service combines the worst-case scenarios of both AD and SSH and can even allow the theft of plaintext domain credentials. Those well-versed in Active Directory exploitation will see how a few old favourite techniques can be weaponised in a new context, and how the particular quirks of Windows OpenSSH can make them even more potent.

About Speaker

Matt Lucas has been a security consultant at WithSecure for three years, having begun his career in cybersecurity as a summer intern there four years ago. Since then, he has gravitated to exercises that allow him to play with offensive techniques but that also emphasise collaboration over competition — anything that can be considered “purple”. On a similar purple streak, he also looks a bit like Waluigi and consistently dominates in Mario Party as the purple menace, but he tries not to be quite so mischievous.


Essential principles in container internals

A talk by Ilan Sokol & Eran Ayalon

We will dive into essential principles in container internals, focused on container capabilities.
We’ll describe how capabilities work, how specific container capabilities can be used to pull off container escapes, and how to minimize the danger of this kind of attack.

About Speaker

Ilan Sokol is a Team Lead in the Cybereason Security Research Group, specializing in Linux and macOS research. Prior to Cybereason, his work focused on research in the offensive security field. Ilan has a deep understanding of the malicious operations prevalent in the current threat landscape. Ilan loves digital forensics and incident response but is also interested in offensive aspects such as vulnerability research.

Eran Ayalon, Security Research Team Lead at Cybereason, specializes in detecting different attack frameworks on multiple operating systems. Eran started his career six years ago as a security researcher in the Israeli Air Force, where he specialized in malware analysis, forensics, and incident response. Eran’s previous employment was in the banking sector, where he led threat hunting and incident response in corporate environments.


Bikini bottom file encryption

A talk by Joris

Let’s design and implement a file encryption tool for POSIX systems using modern-day development principles, a sponge-based cryptographic design and absolutely no metadata... and then discuss why you probably shouldn’t do it.

About Speaker

Joris has 20 years of experience writing safe C code, more than 15 of them in the OpenBSD project and 10 designing and writing code for high-assurance cryptographic systems used in classified networks.


Domain Admin through breaking and entering

A talk by Erik Alm & Erik Eklund

Erik and Erik will share their experience performing physical security testing as part of “Red Team” engagements, telling real-world stories from the field. Attacks against physical security controls will also be demonstrated, and the audience will walk away with a better understanding of how to protect against common, simple-to-exploit flaws that an attacker might use to gain unauthorized physical access.

About Speaker

Erik Alm: Originally an electrical engineer from the Royal Institute of Technology in Stockholm, Sweden, Erik Alm joined WithSecure (F-Secure at the time) in 2020. Since early 2021, Erik Alm has primarily been working with targeted attack simulations and adversary emulation, both in the form of regulated testing (TIBER) and traditional red team assessments.

Erik Eklund: A software engineer turned security consultant, Erik primarily focuses on application security and secure development practices. Since joining WithSecure in 2021, he has also specialized in physical red team engagements and social engineering.


Compliancy vs security. Pentesting is dead

A talk by Edwin van Andel

Pentesting is dead? Well, yes and no. This talk starts with the history of computing, how security testing came about and how that all worked. But then we dive into current times and show you what a mismatch pentesting is most of the time. I’ll basically show the audience a mirror and let them find out for themselves, via funny stories and shocking truths, that we can do better. Much better. We need a bigger boat!

About Speaker

Edwin van Andel started hacking at the age of 13. Although he is now CTO of the hacker company Zerocopter, his relationship with the hacker community is still the main driving force in his life. His dream of bringing the brilliant minds of all the hackers he knows together in one room to hack everything that is brought in is something he is getting closer and closer to. In addition, together with the “Guild of Grumpy Old Hackers”, he actively guides and leads young hackers in the right direction in pursuit of his ultimate goal – a safe society through a safer internet. Next to all this he is known as the organizer of the Defcon group Defcon3120 (Amsterdam) and from Darknet Diaries episode 87 – Hacking Trump’s Twitter in 2016.


3TAI – Autonomous Offensive AI Threat Modeling and Exploitation Framework

A talk by Igor Andriushchenko

We propose a novel approach to threat modeling called 3TAI – it uses AI for automated enumeration of the most likely attack scenarios and for building a threat model of any system or repository. Our AI (LLM) can be trained on the target system’s code, its documentation, and any extra context (IaaS docs, security best practices, relevant standards or regulations). The resulting model and generated attacks can be used to improve a system’s defences and protect against realistic exploitation scenarios.

About Speaker

Igor (@doshch) has tinkered with computers since 1997, spent countless hours online from his ZyXel 56k modem, and has mainly played defense over the last 20 years – he and his teams worked on protecting products at Microsoft, GE and Shopify, caught cryptominers, and stopped network takeovers by Mirai bots. He studied Machine Learning and AI in Finland in the 2010s. To his surprise, these studies turned out to be in high demand in cybersecurity in 2023. Igor’s profile is a combination of security practitioner and AI theorist. Today, Igor spends his days managing a security team at Shopify. At night, he is busy trying to hack AIs, hack with AIs and protect against those who hack with AIs or AIs that hack.


How to Break into Organizations with Style: Hacking Access Control Systems

A talk by Julia Zdunczyk

Have you ever wondered how Red Teamers manage to get access to high-security areas in buildings? This talk is your chance to learn about the tools, tactics, and techniques we use to break access control systems.

The presentation is based on the experience and examples collected during the Red Team assessments and gathers in one place the knowledge needed to gain access to places protected by access cards.

During the talk, I’m going to show you how I was able to break into organizations using techniques such as card cloning.

Let’s discover how to break into organizations with style.

About Speaker

Julia performs penetration tests for a wide range of IT Projects as a Junior IT Security Specialist at Securing. Her main area of interest revolves around Red Teaming, specifically access control systems assessments, RFID hacking, social engineering and other related topics. As a Cybersecurity student at AGH, she had the opportunity to learn a wide range of IT security aspects from the beginning of her academic education. In her free time, she enjoys playing CTFs and researching attacks on access control systems.


Flipper Zero – Zero Trust or Beware of Geeks bearing gifts

A talk by Mikael Simovits

Flipper Zero (https://flipperzero.one) is a very popular tool among security researchers and penetration testers. In June 2023 it was estimated that 300 000 units had been sold. Behind the tool is a company, Flipper Devices Inc., registered in Delaware, USA. A closer look shows that the main development took place in Moscow, Russia. This fact is well known and “accepted”. Further investigation shows that the organization that developed the tool has connections to a person directly associated with the DNC hack during the 2016 US elections, and thus to the FSB and GRU. Even the front figure of Flipper Zero is linked to previous suspicious activity such as DDoS attacks and cyber sabotage. This talk will give you an insight into the Russian cyber security business and hacking community and provide a deeper understanding of why using tools and software developed in Russia is not a good idea.

About Speaker

Mikael has worked with IT security since 1994 and has vast experience of different types of security threats. A crypto nerd from the beginning, Mikael Simovits moved into network security and now specializes in different types of wireless hacking techniques and offensive cyberwar strategies and tactics. Mikael has done research in the field of cyber security and has written academic papers as well as articles and blogs about different cyber security issues. Mikael Simovits is also the CEO and founder of Simovits Consulting AB, one of Sweden’s oldest cyber security consultancy firms.


Devising and Detecting Phishing: Large Language Models (GPT3, GPT4) vs. Smaller Human Models (V-Triad, Generic Emails)

A talk by Fredrik Heiding

AI programs, built using large language models, make it possible to automatically create realistic phishing emails based on a few data points about a user. They stand in contrast to “traditional” phishing emails that hackers design using a handful of general rules they have gleaned from experience.

The V-Triad is an inductive model that replicates these rules. In this study, we compare users’ suspicion towards emails created automatically by GPT-4 and emails created using the V-Triad. We also combine GPT-4 with the V-Triad to assess their combined potential. A fourth group, exposed to generic phishing emails created without a specific method, was our control group. We utilized a factorial approach, targeting 200 randomly selected participants recruited for the study. First, we measured the behavioral and cognitive reasons for falling for the phish. Next, the study trained GPT-4 to detect the phishing emails created in the study, after having trained it on the extensive cybercrime dataset hosted by Cambridge. We hypothesize that the emails created by GPT-4 will yield a similar click-through rate to those created using the V-Triad. We further believe that the combined approach (using the V-Triad to feed GPT-4) will significantly increase the success rate of GPT-4, while GPT-4 will be relatively skilled at detecting both our phishing emails and its own.

About Speaker

I am a research fellow in computer science at the Harvard John A. Paulson School of Engineering and Applied Sciences (SEAS), and am pursuing a Ph.D. in electrical engineering at the Division of Network and Systems Engineering at KTH. My research interests include usable ethical hacking, technical fraud & deception, cybersecurity policies, and usable security & privacy. I am currently investigating how cyberattacks can be automated using Large Language Models. Our work will be presented at Black Hat US in August 2023.


Pwning for plaintext: A hashcat 2.0 adventure

A talk by Will Hunt

Are those last high-privilege hashes still eluding you after you’ve exhausted your usual attacks? In this talk we’ll look at some creative and unorthodox password cracking techniques and attack chains that’ll enable you to attack longer passwords, delimited passphrases and emojis, and even use hashes to crack hashes! We’ll also explore some lesser-known rule insertion techniques, as well as ways to identify redundant and non-executing rules that will help optimise your attacks.

About Speaker

Co-founder of In.security, Will has been in InfoSec since 2008, starting in digital forensics and moving into offensive security in 2014. When he’s not pentesting and helping secure his clients, he delivers In.security’s technical cyber security training at global security conferences such as Black Hat and many others. Will also assists the UK government in various technical, educational and advisory capacities.


Take all my money – penetrating ATMs

A talk by Fredrik Sandström

In this presentation we will discuss real-world examples of cybersecurity issues with ATMs. Ever wondered what it takes to make an ATM spew out cash? You’ll hear some war stories from Fredrik’s career penetration testing ATMs, covering the technical aspects of ATM hacking, such as tools, but also the troubles that can arise when trying to set up an ATM test.

About Speaker

Fredrik Sandström is a senior security consultant at Basalt, based in Stockholm, Sweden.
Fredrik has an experienced background as a software developer and embedded systems engineer. He has developed software for organizations such as the Swedish Research Agency (FOI).

Since 2015 Fredrik has focused on delivering penetration testing and ethical hacking projects for customers in Sweden across different sectors, e.g. banking and insurance, automotive, energy, communication and IT service providers.


Beyond the Baseline: Horizons for Cloud Security Programs

A talk by Rami McCarthy

There is a definitive resource for cloud-native companies to build a security program and posture in AWS: Scott Piper’s AWS Security Maturity Roadmap. However, mature programs quickly progress past the end of Scott’s roadmap. In this talk, I’ll take you on a rapid fire tour beyond the end of the roadmap, focusing on the problems you’ll encounter scaling a cloud security program. A key framework will be “build versus buy,” and the talk will be opinionated about where cloud security teams can fall into the trap of undifferentiated work. The goal is to leave you with a clear view of the possibilities at the leading edge of cloud security, risk-informed guidance on priorities, and a crucial new reference for writing cloud security roadmaps.

About Speaker

Rami works on Infrastructure and Cloud Security at Figma. He previously worked as a security consultant and helped scale security for a health-tech unicorn, and infrequently writes about security on tldrsec.com.


Threat Modeling Big Systems

A talk by Amit Dori

As the sophistication and complexity of modern products advance, the approach towards cybersecurity and safety has to evolve as well. This presentation will discuss the difficulties in analyzing threats for big systems such as operating systems, cloud infrastructures, and automobiles. We will propose ways, guidelines and techniques to perform a threat model at large scale as part of the Security Development Lifecycle (SDL) – understanding the key elements of a system, its threats and its assets before jumping into code audits & fuzzing.

About Speaker

My name is Amit Dori, and I’m a Tech Lead focusing on Security & Vulnerability Research at Microsoft Offensive Research and Security Engineering (MORSE) – MORSE ensures Microsoft ships secure operating systems, cloud platforms, and edge devices.
Before that I was a Security Research Team Lead at Mercedes-Benz Technological Hub Israel, focusing on automotive vulnerabilities and full exploitation chains.
I’m a security enthusiast who enjoys all aspects of Security Research and finding loopholes – in both code and real life 😎
I especially love transforming big & complex systems into research targets in a surgical & methodical way.


Input Output + Syslog (iO+S): Obtaining data from locked iOS devices via live monitoring

A talk by Nicholas Dubois

Forensic examiners and iOS researchers alike depend heavily on being able to unlock a mobile device in order to extract data. This presentation reveals how significant data can be recovered from iOS devices without the need for a password or device unlock.
Important device information can be identified by monitoring the raw data sent over the USB protocol. iOS devices expose sensitive information in the back end even when this information is not shown by iTunes and third-party software. The presentation demonstrates numerous techniques to facilitate iOS device monitoring and capture of relevant information, including live parsing of the data. Attendees will learn how to monitor USB data and capture live system logs, with case examples.

About Speaker

Nicholas Dubois is an experienced digital and mobile forensic researcher. He is currently a Digital Forensics Specialist and Developer at Hexordia as well as the founder of Dragon Eye Intelligence. Nicholas’s research has been presented at multiple conferences over the years including National Cyber Crime Conference, DFRWS, Ares 21, and HTCIA. Nicholas participates in the National Collegiate Cyber Defense Competition (NCCDC) and National Collegiate Penetration Testing Competition (NCPTC). He has been a recipient of a SANS Netwars Scholarship and is currently completing his Bachelor of Science in Cybersecurity & Networks from the University of New Haven.


Started from the Bottom, Now We’re Here: The Evolution of ESXi Ransomware

A talk by Lindsay Kaye

Ransomware targeting Linux/ESXi has existed since 2015, but has since gained popularity and become more sophisticated; what was once a niche tool was later adopted by groups focused on “Big Game Hunting” and has become a key piece of ransomware threat actors’ toolkits. Ransomware targeting ESXi has become substantially more popular, and is now used by high-profile groups such as ALPHV, BlackBasta, Royal and LockBit. The shift towards ESXi stems from the virtualization of entire organizations’ infrastructure, with minimal defensive capabilities available. As a result, it provides more incentive for a threat actor looking to extort the organization into paying the ransom.

This talk will provide a technical discussion on the evolution of ESXi ransomware and the TTPs ransomware operators employ, including the move to new, cross-compilable languages such as Golang and Rust. I will give a technical overview of modern ESXi lockers, and some of the similarities and differences both with their Windows ransomware versions, and each other. I will also discuss techniques we can use to detect and defend against them, including endpoint and network detection opportunities, and what gaps exist in our ability to do so. Finally, this talk will cover what the future of ransomware could look like, including other opportunities for extortion and additional technologies to exploit that we see in the cybercriminal threat landscape.

About Speaker

Lindsay Kaye is the Vice President of Threat Intelligence at HUMAN Security. Her technical specialty and passion is reverse engineering. Lindsay holds a BS in Engineering with a Concentration in Computing from Olin College of Engineering and an MBA from Babson College.


More Crypto from the FRA

A talk by Vesa Virta

During the Second World War the Germans used a number of different crypto machines, the best known being the Enigma and the Geheimschreiber. They also used a machine called the Lorenz SZ40/42, which the British cryptanalysts called “Tunny”. Some Lorenz traffic was intercepted by the FRA during the war. This presentation is about the Swedish as well as other allied efforts regarding this kind of traffic.

About Speaker

Vesa is a museum guide at the FRA. He has been working with IT security and intelligence from all kinds of angles for more than 25 years.


Weaponizing Plain Text: ANSI Escape Sequences as a Forensic Nightmare

A talk by STÖK

Have you ever interacted with a logfile from an external-facing system using CLI tools like cat, grep, tail or awk in a terminal emulator?

Well then this talk is for you!

Logs are a vital component for maintaining application reliability, performance, and security. They serve as a source of information for developers, security teams, and other stakeholders to understand what has happened or gone wrong within an application. However, logs can also be used to compromise the security of an application by injecting malicious content.

In this presentation, we will explore how ANSI escape sequences can be used to inject into, vandalize, and even weaponize the plaintext logfiles of modern applications. We will revisit a vulnerability class that’s been dormant for over two decades, dig into old terminal injection research and log tampering techniques from the 80s and 90s, and combine them with new features, with the pure intention of creating chaos and mischief in the modern cloud CLIs, mobile apps, and feature-rich DevOps terminal emulators of today. We’ll shine some light on the consequences, and learn how and why we should avoid passing malicious escape sequences into our logfiles, to ensure that users actually can trust the data inside their logs.

Join us on this “not so black and white,” but rather quite colorful ANSI adventure and learn how to prevent a forensic nightmare.

About Speaker

Hacker/Creative STÖK is passionate about learning new things and sharing his curiosity with the world. For the last 3 decades, he has professionally hacked anything from computers/tech to marketing, fashion, communication, and the human mind. Through fast-paced, engaging onstage presentations and educational cybersecurity video content for the hacker community, his curiosity and “Good Vibes Only” mentality have reached and inspired millions of people around the world. HACKERS GONNA HACK. CREATORS GONNA CREATE. GOOD VIBES ONLY.