SEC-T - 0x0Beyond

September 13-14, 2018 – Stockholm, Sweden

Talks 2018


Smart Install – Cisco

By Lucas Lundgren

Cisco Smart Install suffered recently from a RCE execution. That allows attacker to run custom code on the Switches, as well as downloading the configurations. What if i told you, there is a another very similar bug that was branded Informational by Cisco, and was active as far back as 2016. What if I told you, Millions of devices had this bug. And what if we dug deep into Millions of Cisco Configurations obtained from other people scanning. Play with the question a bit; Who? TAP interfaces? Switch Vulnerabilities? Who is connected to who? Who else was already scanning this in Oct 2017? And how easy would it be to destroy the internet?

About speaker

Breaking stuff since the age of six left this guy with a piss’em off by pointing out flaws type of attitude. Known for doing things that might be questionable, mostly due to companies don’t listen until it’s too late.


An ice-cold Boot to break BitLocker

By Olle Segerdahl & Pasi Saarinen

A decade ago, academic researchers demonstrated how computer memory remanence could be used to defeat popular disk encryption systems. Not much has happened since, and most seem to believe that these attacks are too impractical for real world use. Even Microsoft have even started to play down the threat of memory remanence attacks against BitLocker, using words such as “they are not possible using published techniques”.

We will publish techniques that allow recovery of BitLocker encryption keys from RAM on most, if not all, currently available devices. While BitLocker is called out in the title, the same attacks are also valid against other platforms and operating systems.

About speakers

Olle is a veteran of the IT-security industry, having worked with both “breaking” and “building” security solutions for almost 20 years. During that time, he has worked on securing classified systems, critical infrastructure and cryptographic products as well as building software whitelisting solutions used by industrial robots and medical equipment. He is currently the Swedish Principal Security Consultant with F-Secure’s technical security consulting practice.

Pasi is an experienced security researcher with a background in both software and network security. In previous employment he has worked on a modern framework for white-box fuzz testing of binaries and security standardization of the 5G mobile network. While he has a very Finnish name, he plays for team Sweden in F-Secure’s technical security consulting practice.


Smart car forensics and vehicle weaponization

By Stefan Tanase & Gabriel Cirlig

As “smart” is becoming the new standard for everything, malicious threat actors are quick to capitalize on the insecurity of IoT devices. Hackers compromising your network and spying on you is not something new in the world of personal computers, but definitely an emerging threat in the world of personal cars.

Given a relatively new car with an infotainment system completely decoupled from the car’s backbone (ignition, lights and such), we discovered a plethora sensitive personal information being stored completely in the clear during our smart car forensic investigation.

We were able to extract call logs, text messages and phone contacts from all mobile devices connected to the car. More worryingly, the navigation system logs were left completely unobfuscated, allowing a potential attacker to track the driver’s habits very precisely.

Live demo: A proof-of-concept vehicle weaponization attack will be shown during this talk. By abusing various debug tools present on the car’s infotainment system, we demonstrate how a malicious attacker would be able to track the position of the car in real time, or even do wardriving and network exploitation from the on-board computer of the car.

About speakers

Stefan Tanase – Principal Security Researcher at Ixia, a Keysight business
Stefan is an experienced security researcher based in Bucharest, Romania. Having spent the last 10 years of his career combating the world’s most sophisticated cyber threats, Stefan joined Ixia in 2017 as a Principal Security Researcher. Through innovative research projects and effective public speaking engagements, he actively contributes to keeping internet users safe. While Stefan specializes in collecting threat intelligence and monitoring the cybercrime ecosystem, he has a real passion for digital rights and internet privacy.

Gabriel Cirlig – Senior Software Engineer at Ixia, a Keysight business
Software developer turned rogue, went from developing apps for small businesses to 2M+ DAU Facebook games while keeping an eye for everything shiny and new. For about two years he’s been tinkering at Ixia’s threat intelligence system as his full time passion while playing around with whatever random hardware comes into his hands. With a background in electronics engineering and various programming languages, Gabriel likes to dismantle and hopefully put back whatever he gets his hands on.


How did I get here?

By Dan Tentler

This talk aims to point out how companies that spend staggering amounts of money on both their security programs, and then after a breach, on incident response, can remain highly vulnerable. We’ll be doing live examples on the internet and we’ll be covering how redteams can use this to their advantage during target acquisition, and how blueteams can use this to expose their own risk surfaces to protect themselves.

About speaker

Dan Tentler is the founder and CEO of The Phobos Group, a boutique information security services company. He files race drones and crashes them in colorful ways. A lot. Dan scans the whole internet for fun and posts screenshots to twitter. He likes rum. Hand him a rum drink and ask him to tell you a story and he will, on the spot, conjur the spirit of George Carlin for you. No joke. Bring a helmet


DISSECTING THE BOOT SECTOR: The hunt for ransomware in the boot process

By Raul Alvarez

Have you ever wondered how a boot process works? How a computer detects which operating system it needs to load? Or what is the impact if that single sector in your harddisk is compromised?

About speaker

Raul Alvarez a Senior Security Researcher/Team Lead at Fortinet. He is a Lead Trainer responsible for training the junior AV/IPS analysts in malware analysis and reverse engineering. Raul has presented in different conferences like BSidesVancouver, BSidesCapeBreton, OAS-First, BSidesOttawa, SecTor,DefCamp, BCAware, AtlSecCon, BSidesCalgary, TakeDownCon, MISABC, InsomniHack, ShowMeCon, CircleCityCon, andHackInParis. He is a regular contributor to the Fortinet blog and to the Virus Bulletin publication, where he has published 22 articles.


Shellcode injection without touching disk

By Reenz0h Black

Shellcode injection without touching disk in Windows is well understood and researched. The same cannot be said about *NIX (and Linux specifically). The talk will show modern offensive methods of code injection into a living process without leaving any artifacts on disk. These can also be used to bypass ‘noexec’ option configured on a mounted partition.

About speaker

Geek by passion, engineer by profession since last millennium. For many years he’s been working in global red team simulating threat actors targeting IT infrastructure across various industries (financial, technology, industrial, energy, aviation) across the globe. Speaker at HackCon, NoVA Hackers, Geek Girls Carrots, Tech3.Camp, PWNing Con. Organizer of x33fcon – IT security conference for red and blue teams, held in Gdynia, Poland. Founder of Sektor7 research company.