SEC-T - 0x0Beyond

September 13-14, 2018 – Stockholm, Sweden

Talks 2018

RID Hijacking: Maintaining Access on Windows Machines

A Community Night talk by Sebastian Castro

The new persistence technique RID Hijacking, which affects all Windows versions, takes advantage of some security issues found on the authentication & authorization tasks executed by the Operating System.

It allows setting desired privileges to an existent account in a stealthy manner by modifying some security attributes.

To show its effectiveness, the attack will be demonstrated against the latest Windows 10 version by using a module which was recently added to the Metasploit Framework, and developed by the security researcher Sebastián Castro.

About Speaker

Sebastián Castro (@r4wd3r) is the R&D Leader at CSL Labs. Born in Bogotá, Colombia, has been an information security researcher, network & application pentester and red-teamer for 6 years, providing cybersecurity services to global financial institutions and local defense government organizations. This guy has presented at national and international conferences, such as BSides, ISC² and recently Black Hat, exposing Windows security and password cracking own research.

Sometimes a tenor, sometimes a hacker, Sebastián also works as an opera singer at the Opera of Colombia Chorus, participating on many national and international fancy performances with well-known singers whose names he can’t even spell.


Hacking Minesweeper: A Beginner’s Steps to Reverse Engineering

A Community Night talk by Ophir Harpaz

Is there anyone who is not familiar with Microsoft’s famous Minesweeper game? So many hours of endless failures and mine-exploding could have been saved if only we knew how to change this program to our wishing…
In this talk, we will set ourselves a goal: make Minesweeper mark all mines with flags, every time a new game starts. We will walk step-by-step through the reverse engineering and patching process, on our journey to accomplish the desired task.

About Speaker

Ophir Harpaz is a Cybercrime researcher at Trusteer, IBM Security. At work she delves into banking malware and reads malicious JavaScript code, but her after-hours are dedicated to reverse engineering Windows applications. Author of https://begin.re workshop for reverse engineering newcomers.


Virtualization Concepts As a Security Wall

A Community Night talk by Carine-Belle

Virtualization has become the backbone of both security and cloud computing.
In this talk we will get comfortable with virtualization concepts and obtain a better understanding of our work and research environments. We’ll discuss a major volubility found in a VMware product, and note the key questions one must ask when taking a look at his virtual infrastructures.

About Speaker

Carine-Belle is a software engineer in the virtualization group of Oracle-Ravello – a part of Oracle’s Cloud Infrastructure.
Prior to that, she has served in the IDF in an elite tech intelligence unit as a researcher and a team lead in the fields of cyber security.
She loves to learn new things, tech, sushi, and their combination.


The Renaissance Approach

A Community Night talk by Tigran Terpandjian

This talk has been canceled


A never told story of one of the biggest hacks of all times

A Community Night talk by Dimitri van de Giessen

In the year 2000 several Microsoft sites have been hacked by a Dutch Hacker named Dimitri. Several subdomain servers, such as windowsupdate.microsoft.com, 128download.microsoft.com, events.microsoft.com and so on has been hacked. Not even once but twice in a short period of time. A secret meeting was planned by Microsoft with Dimitri. Why was it secretly? What actually happened behind the closed doors at MS? And why even after 18 years it is still a secret? This presentation includes some Mystery, Drama, Action & NSFW.

About speakers

Private Ethical Hacker, Computer Hacking Forensic Investigator & System Engineer. Working/worked for Dutch Goverment, Healthcare, Multinationals and club scene (!?).


Smart Install – Cisco

By Lucas Lundgren

Cisco Smart Install suffered recently from a RCE execution. That allows attacker to run custom code on the Switches, as well as downloading the configurations. What if i told you, there is a another very similar bug that was branded Informational by Cisco, and was active as far back as 2016. What if I told you, Millions of devices had this bug. And what if we dug deep into Millions of Cisco Configurations obtained from other people scanning. Play with the question a bit; Who? TAP interfaces? Switch Vulnerabilities? Who is connected to who? Who else was already scanning this in Oct 2017? And how easy would it be to destroy the internet?

About speaker

Breaking stuff since the age of six left this guy with a piss’em off by pointing out flaws type of attitude. Known for doing things that might be questionable, mostly due to companies don’t listen until it’s too late.


An ice-cold Boot to break BitLocker

By Olle Segerdahl & Pasi Saarinen

A decade ago, academic researchers demonstrated how computer memory remanence could be used to defeat popular disk encryption systems. Not much has happened since, and most seem to believe that these attacks are too impractical for real world use. Even Microsoft have even started to play down the threat of memory remanence attacks against BitLocker, using words such as “they are not possible using published techniques”.

We will publish techniques that allow recovery of BitLocker encryption keys from RAM on most, if not all, currently available devices. While BitLocker is called out in the title, the same attacks are also valid against other platforms and operating systems.

About speakers

Olle is a veteran of the IT-security industry, having worked with both “breaking” and “building” security solutions for almost 20 years. During that time, he has worked on securing classified systems, critical infrastructure and cryptographic products as well as building software whitelisting solutions used by industrial robots and medical equipment. He is currently the Swedish Principal Security Consultant with F-Secure’s technical security consulting practice.

Pasi is an experienced security researcher with a background in both software and network security. In previous employment he has worked on a modern framework for white-box fuzz testing of binaries and security standardization of the 5G mobile network. While he has a very Finnish name, he plays for team Sweden in F-Secure’s technical security consulting practice.


Smart car forensics and vehicle weaponization

By Stefan Tanase & Gabriel Cirlig

As “smart” is becoming the new standard for everything, malicious threat actors are quick to capitalize on the insecurity of IoT devices. Hackers compromising your network and spying on you is not something new in the world of personal computers, but definitely an emerging threat in the world of personal cars.

Given a relatively new car with an infotainment system completely decoupled from the car’s backbone (ignition, lights and such), we discovered a plethora sensitive personal information being stored completely in the clear during our smart car forensic investigation.

We were able to extract call logs, text messages and phone contacts from all mobile devices connected to the car. More worryingly, the navigation system logs were left completely unobfuscated, allowing a potential attacker to track the driver’s habits very precisely.

Live demo: A proof-of-concept vehicle weaponization attack will be shown during this talk. By abusing various debug tools present on the car’s infotainment system, we demonstrate how a malicious attacker would be able to track the position of the car in real time, or even do wardriving and network exploitation from the on-board computer of the car.

About speakers

Stefan Tanase – Principal Security Researcher at Ixia, a Keysight business
Stefan is an experienced security researcher based in Bucharest, Romania. Having spent the last 10 years of his career combating the world’s most sophisticated cyber threats, Stefan joined Ixia in 2017 as a Principal Security Researcher. Through innovative research projects and effective public speaking engagements, he actively contributes to keeping internet users safe. While Stefan specializes in collecting threat intelligence and monitoring the cybercrime ecosystem, he has a real passion for digital rights and internet privacy.

Gabriel Cirlig – Senior Software Engineer at Ixia, a Keysight business
Software developer turned rogue, went from developing apps for small businesses to 2M+ DAU Facebook games while keeping an eye for everything shiny and new. For about two years he’s been tinkering at Ixia’s threat intelligence system as his full time passion while playing around with whatever random hardware comes into his hands. With a background in electronics engineering and various programming languages, Gabriel likes to dismantle and hopefully put back whatever he gets his hands on.


How did I get here?

By Dan Tentler

This talk aims to point out how companies that spend staggering amounts of money on both their security programs, and then after a breach, on incident response, can remain highly vulnerable. We’ll be doing live examples on the internet and we’ll be covering how redteams can use this to their advantage during target acquisition, and how blueteams can use this to expose their own risk surfaces to protect themselves.

About speaker

Dan Tentler is the founder and CEO of The Phobos Group, a boutique information security services company. He files race drones and crashes them in colorful ways. A lot. Dan scans the whole internet for fun and posts screenshots to twitter. He likes rum. Hand him a rum drink and ask him to tell you a story and he will, on the spot, conjur the spirit of George Carlin for you. No joke. Bring a helmet


DISSECTING THE BOOT SECTOR: The hunt for ransomware in the boot process

By Raul Alvarez

Have you ever wondered how a boot process works? How a computer detects which operating system it needs to load? Or what is the impact if that single sector in your harddisk is compromised?

About speaker

Raul Alvarez a Senior Security Researcher/Team Lead at Fortinet. He is a Lead Trainer responsible for training the junior AV/IPS analysts in malware analysis and reverse engineering. Raul has presented in different conferences like BSidesVancouver, BSidesCapeBreton, OAS-First, BSidesOttawa, SecTor,DefCamp, BCAware, AtlSecCon, BSidesCalgary, TakeDownCon, MISABC, InsomniHack, ShowMeCon, CircleCityCon, andHackInParis. He is a regular contributor to the Fortinet blog and to the Virus Bulletin publication, where he has published 22 articles.


Shellcode injection without touching disk

By Reenz0h Black

Shellcode injection without touching disk in Windows is well understood and researched. The same cannot be said about *NIX (and Linux specifically). The talk will show modern offensive methods of code injection into a living process without leaving any artifacts on disk. These can also be used to bypass ‘noexec’ option configured on a mounted partition.

About speaker

Geek by passion, engineer by profession since last millennium. For many years he’s been working in global red team simulating threat actors targeting IT infrastructure across various industries (financial, technology, industrial, energy, aviation) across the globe. Speaker at HackCon, NoVA Hackers, Geek Girls Carrots, Tech3.Camp, PWNing Con. Organizer of x33fcon – IT security conference for red and blue teams, held in Gdynia, Poland. Founder of Sektor7 research company.


Reversing the TriStation Network Protocol

By Steve Miller

The TRITON malware framework uses TriStation, a proprietary ICS network protocol, to communicate with target Triconex SIS controllers. We did some “reverse engineering” (mostly just studying and writing down our observations) of this protocol to help understand its structure and develop some detection logic for abuse of this protocol. This talk will be a story of 1) learning a new (to us) network protocol and 2) investigating the origin story of the TRITON framework to discover some things we didn’t see before.

About speakers

Steve Miller is an incident response professional with experience in computer forensics, communications signals analysis and intelligence program management. Steve’s background includes work for the U.S. Army, the National Security Agency, Cornell University, the U.S. Department of State, and the U.S. Department of Homeland Security. Steve is currently a researcher for FireEye. He slings a lot of pcap, Snort, Yara and yadda yadda yadda adversary methodologies, find evil, solve crime.
In his spare time, he plays BF1 and rides a totally rad BMW F800GS motorcycle.

 


TOTAL MELTDOWN

By Ulf Frisk

Did you think Meltdown was bad? Meet the Windows 7 Meltdown patch from January. It stopped Meltdown but opened up a vulnerability way worse… It allowed any process to read the complete memory contents at gigabytes per second, oh – it was possible to write to arbitrary memory as well. This is the story about how the newly developed PCILeech Memory Process File System was used to spot Total Meltdown. How I came to believe Total Meltdown to be already fixed and how I released this potent kernel privilege escalation vulnerability as a 0-day.

About speakers

Ulf Frisk is a pentester in the Swedish financial sector by day and a DMA hacker by night. Ulf is the author of the PCILeech direct memory access attack toolkit and has previously presented his work at SEC-T, DEF CON and the Chaos Communication Congress. Ulf is interested in low-level attacks and focuses most of his research on direct memory access.


A Drone Tale, All Your Drones Are Belong To Us

By Paolo Stagno

Drones have increased their field of application and are actively used across various industries (law enforcement and first responders, utility companies, governments and universities) to perform critical operations on daily basis. As a result of that, Drones security has also become a hot topic in the industry.

This talk will provide a comprehensive overview of the security model and security issues affecting the underlying technologies, including existing vulnerabilities in the radio signals, Wi-Fi, Chipset, FPV system, GPS, App and SDK. As part of the presentation, we will discuss the architecture of one of the most famous and popular consumer drone product: the DJI Phantom 3. This model will be used to demonstrate each aspect of discovered security vulnerabilities, together with recommendations and mitigations.

About speakers

Paolo Stagno (aka VoidSec) has worked as a consultant for a wide range of clients across top tier international banks, major tech companies and various Fortune 500 industries. He is responsible for discovering and exploiting new unknown vulnerabilities in web applications, network infrastructure components, IoT devices, new protocols and technologies. He enjoys home-brewing beer while understanding the digital world we live in.


Dissecting Non-Malicious Artifacts: One IP at a Time

By Dani Goland & Ido Naor

For years and years, anti-malware solutions, across many levels of the network, have been assisted by online anti-virus aggregation services and online sandboxes to extend their detection level and identify unknown threats. But, this power booster comes with a price tag. Even today, enterprises all over the world are using security solutions that instead of protecting the data, are suspecting it as malicious and sharing it with online multi-scanners. The result is drastic. What separates a hacker from extracting all that data on a daily basis is a couple of hundreds euros, monthly. A price which could be covered easily if that hacker finds a man of interest. In just a couple of days, one skilled hacker can build an intelligence platform that could be sold in 10 times the money they invested.The data is being leaked daily and the variety is endless. In our research, we dived into these malware-scanning giants and built sophisticated Yara rules to capture non-malicious artifacts and dissect them from secrets you’ve never thought possible of getting out of their chamber. But that’s not all. We will show the audience how we built an intelligence tool, that upon insertion of an API key, will auto-dissect a full dataset. In our talk, we reveal the awful truth about allowing internally installed security products to be romantically involved with online scanners.

About speakers

At the age of 20 Dani founded his own boutique company for innovative software and hardware solutions. While gaining experience in the business field, Dani did not neglect his hands-on capabilities. In just a short while he won two coding competitions, one of which was held by eBay. Dani recently relocated from Israel to the United States to study Data Science at the prestigious UC Berkeley. During his studies, Dani found VirusBay, a collaborative malware research community which skyrocket amongst the global security community with over 700 researchers. After serving in the Israeli Defense Forces as a commander of a Field Intelligence unit, Dani went on an 8-month journey across South America.

Ido Naor is a Senior Security Researcher at GReAT, a team of researchers who’ve been tasked by Kaspersky Lab to investigate the most prolific APT incidents, ransomware distribution, banking heists and other type of internet hacking monsters. Ido’s focusing on threats in the middle east and is actively following groups of hackers who aim to demolish the ordinary lives of citizens and public/gov institutes. During his work at Kaspersky, Ido found VirusBay, a collaborative malware research community which skyrocket amongst the global security community with over 700 researchers. Ido is 31 years old, a martial arts experts and a father of 3, lives in Tel Aviv, Israel. He served at one of the most notorious intelligence special ops military unit, as a combatant, commander and later on as a Krav Maga instructor.


Security Vulnerabilities of Autonomous, Unmanned and Driverless Vehicles

By Zoz Brooks

Academic teams, tech startups and automotive companies are putting high-profile efforts into driverless cars, and gaining plenty of headlines.  But autonomous and unmanned systems are already patrolling the skies and oceans in addition to being tested on our streets and highways.  It’s already past time to be discussing the security implications and vulnerabilities of these machines which operate with delayed, remote supervisory control or without a human in the loop at all.  The USA gets most of the driverless vehicle attention, but pioneering testing of autonomous ground vehicles is currently being performed in Europe, even right here in Sweden.  All trends indicate that these systems collectively (including supervised driver-assist modes) are at an inflection point that will bring them rapidly into common usage.  Security researchers and professionals therefore need to be aware of the capabilities and vulnerabilities of these systems and their components.

About Speaker

Zoz is a hacker, robotics engineer and pyrotechnist with broad interests in software, hardware and security applications. He has taught subjects including robotics, digital fabrication, cybersecurity and ethical hacking at top international universities and as a private industry consultant. He has hosted and appeared on numerous international television shows including Prototype This!, Time Warp and RoboNationTV, and speaks frequently at prominent security and hacking conferences including DEF CON (US and China), HackCon and the Black Hat Tools Arsenal. As an expert on autonomous robots, he hosts the RoboSub, RoboBoat and RobotX maritime autonomous vehicle competitions.


Bypass Android Security mechanisms using custom Kernel

By SungHyoun Song

Most Android hackers are researching application vulnerabilities using the rooting tools (SuperSU, MagiskSU) and the hooking framework (FRIDA, Xposed Framework, etc.).
However, the rooting tool and the hooking framework are detected and blocked by the security mechanisms of the Android OS and the Application.
So hackers have to circumvent the security mechanism applied to the Android OS and Applications which can allow an attacker to spend a lot of time analyzing and bypassing.
Security mechanisms are constantly being updated, so the attackers and defenders are continuing to play cat and mouse.
So in this document analyzes the security mechanism applied to Android OS and Application in detail at code level. And by creating a new Android Kernel, it creates an undetected privilege escalation backdoor, dynamic intercept and manipulate execution environment, and bypasses security mechanisms.

About Speaker

SungHyoun(@decashx) is a security researcher at FSI(Financial Security Institute), in charge of Mobile Security for Financial Industry in Korea. He has experienced Mobile Security, Penetration Test and Authentication Mechanism for 10 Years. Also he has participated in various international security conference such as ITU-T, HITCON, beVX. And He is author of ITU-T X.1156.

He has developed a user and kernel level hooking framework that can dynamically analyze the behavior of an application in the Android environment. Recently He have been analyzing the platform and kernel source code of Android.


Registered Lightning Speakers

Johan Berggren

Frans Rosen

Petri O. Koivisto

Joel Rangsmo

Calle Svensson

Hanno Böck

(At this point we can not guarantee any more lightning speaker slots. Also, lightning talks will be spread out in the schedule this year.)