Keynote - The Smart Fuzzer RevolutionThe last 2 years has seen greater advances in automated security testing than the 10 before it. AFL incorporated known best practices into an easy-to-use tool, the DARPA Cyber Grand Challenge provided a reliable competitive benchmark and funding for new research, and Project Springfield (aka SAGE) is now available to the public. These new technologies have the potential for massive impact on our industry.
Dan Guido leads the strategic vision for Trail of Bits’s products and services, and manages its day-to-day operations. Dan prioritizes work on automated, scalable tools that make a measurable impact for elite organizations ranging from Facebook to DARPA.
Since founding Trail of Bits in 2012, Dan has built the company with people that span the gap between academic research and real-world problems. He pushes his team to study complex computer science topics, and modern attackers’ tactics, techniques and procedures.
It’s through this approach that Trail of Bits addresses the root causes of its clients’ challenges, and develops tools that make a lasting impact. When possible, Dan prefers to share the knowledge those tools embody, and to open-source them to the infosec community for use, maintenance and improvement.
Keynote - Hacking Portugal and making it a global player in Software developmentAs technology and software becomes more and more important to Portuguese society it is time to take it seriously and really become a player in that world. Application Security can act as an enabler, due to its focus on how code/apps actually work, and its enormous drive on secure-coding, testing, dev-ops and quality. The same way that Portuguese navigators once looked at the unknown sea and conquered it, our new digital navigators must do the same with code. This presentation will provide a number of paths for making Portugal a place where programming, TDD, Open Source, learning how to code, hacking (aka bug bounty style) and DevOps are first class citizens.
Dinis Cruz is a Developer and Application Security Engineer focused on how to develop secure applications. A key drive is on ‘Automating Application Security Knowledge and Workflows’ which is the main concept behind the OWASP O2 Platform. After many years (and multiple roles) Dinis is still very active at OWASP, currently leading the O2 Platform project and helping out other projects and initiatives. After failing to scale his own security knowledge, learned Git, created security vulnerabilities in code published to production servers, delivered training to developers, and building multiple CI (Continuous Integration) environments; Dinis had the epiphany that the key to application security is “Secure Continuous Delivery: Developer’s Immediate Connection to What They’re Creating”. This ‘Immediate Connection/Feedback’ concept is deep rooted in the development of the O2 Platform, and is something that will keep Dinis busy for many years.
Memory Corruption is for Wussies!This is a technical presentation about a very interesting non-memory corruption bug that (still) exists in every OS X version except El Capitan 10.11.4 or higher. The bug allows arbitrary code execution of any binary, which can be abused for privilege escalation, bypassing System Integrity Protection (SIP) and also kernel code execution - essentially bypassing all OS X protection mechanisms with a single vulnerability.
A leading expert in the field of not being an expert, plays with computers for more than 30 years, holds a degree in Economics and a MBA, writes a somewhat famous OS X related blog, breaks DRM protections for fun and profit, annoys HackingTeam, trolls Apple’s product security team, loves to solve weird problems, and tries to spread some knowledge. Lately very interested in improving OS X security and malware research. Wrote a long OS X rootkits article for Phrack last year.
Currently working at SentinelOne, a next-generation AV company, where I co-authored its Mac produc. These days I break random stuff and create proof of concept security technology.
MTLS in a Microservices WorldOne obvious side effect of migrating to a microservices architecture is the need for infrastructure automation. Unfortunately, most automation systems do not take security into consideration, making production deployments orders of magnitude more complex than the initial testbed deployment.
Diogo Mónica is the security lead at Docker, an open platform for building, shipping and running distributed applications. He was an early employee at Square where he led the platform security team, has a BSc, MSc and PhD degrees in Computer Science, serves on the board of advisors of several security startups, and is a long-time IEEE Volunteer.
The way of the bounty"The way of the bounty" tells the experience that I had in the last year regarding bug bounty programs. I'll give a brief introduction to what bug bounties is but my main focus will be to deliver the best and most of the common vulnerabilities I found on bug bounty programs. Where to search? Can I still find issues on public programs? Does bug bounty affects the security industry in some way?
I’m security consultant for Checkmarx and security team leader for Char49. I love to hack web applications and I’ve been acknowledged by discovering security issues in Google, Yahoo!, eBay, Microsoft and many others companies.
Regarding bug bounties I’m ranked top30 at HackerOne and number 1 at Cobalt.
Semi-Offline Attack on the Android Full-Disk EncryptionWith Android 5.0, Google announced to enable full-disk encryption with every device out-of-the-box. Along with other smartphone manufacturers announcing similar efforts, this lead to criticism by law enforcement officials. Interested in how "dark" we are actually going, we have analysed the security of Andoird's full-disk encryption. The assessment revealed that the previously known Offline Attack indeed was resolved by Google. However, by changing a small aspect in the attack prerequisites, we have discovered that a similar attack is still possible. We named this attack the Semi-Offline Attack, pinpointing that the device is required during the attack. Though, the computationally intensive calculations of key derivation functions is still leveraged to a different and more powerful host. While increasing the attack time and complexity, the difference between the Offline and Semi-Offline Attack are not huge.
Oliver Kunz is an information security consultant. Working in the field of information security for several years. He has assisted his clients to resolve incidents, perform risk assessments, and analyse the security of applications. His current main field of research is mobile related security, in particular of Android systems and applications.
From your PC to your nearest ATM: a history of the sneakiest financial malwareThe traditional way of milking dry a bank's automated teller machine (ATM) was to blow it up. Literally, steel and everything... but there's a new kid on the block. Modern criminal gangs around the world have now figured out that deploying ATM malware is an easy shortcut to jackpot up to the latest banknote inside. In this talk, we describe all the reasons that have led the criminals to develop their new golden goose, the strategies they use and each of the main malware families in this new battlefield as well as the criminal organizations responsible for this new threat. The challenge these malware writers face is accessing the special hardware of these machines: pinpad, card reader and the cash cassettes. Different malware families solve this their own particular way. The paper describes each family in detail as well as the geographical area it comes from. An overview of the criminal organizations behind these threats is presented. We will conclude with some lessons learned and recommendations on how to protect these very special machines.
David Sancho joined Trend Micro in 2002, having fulfilled a variety of technical security-related roles. Currently, his title is Senior Anti-Malware Researcher, and he specializes in web threats and other emerging technologies. In his more than 17 years of experience in the security field, David has written and published a number of research papers on malware tendencies, has been featured in the media, and has participated in customer events where he has presented on business issues and malware-related topics. His interests include web infection methods, vulnerability exploitation, and white-hat hacking in general.
I for one welcome our new Cyber Overlords! An introduction to the use of machine learning in cybersecurityIn this talk we will present some techniques that we use on a day to day basis in our research, where we combine our internet-wide data scanning and acquisition platform with ML/Data science techniques which allows us to find things faster or extract results in a more automated way. We will focus on practical cases and examples that even our audience at home will be able to use if they want. A couple of examples we will look at is how to classify images such as VNC screenshots, we will look at network scans and using machine learning to classify them and also the use of natural language processing to analyze CVEs. We will also talk a bit about a data analysis and classification pipeline architecture, we will look at the different technologies and what they do and how they can be used.
Tiago, Filipa, Ana and Florentino swim in data every single day. From looking at what people are downloading to how they are exposing themselves, we LOVE DATA!
Tiago (@Balgan) is the CEO and Data necromancer at BinaryEdge however he gets to meddle in the intersection of data science and cybersecurity by providing his team with lovely problems that they solve on a daily basis.
Filipa (@filipacsr) is the Data Diva at BinaryEdge, she dances the macarena with numbers to get them to tell her all their dirty secret.
Florentino (@fbexiga) is the Data MacGyver at BinaryEdge, on a daily basis he needs to deploy infrastructure used to analyse big and realtime data.When not doing that he can be found creating models to analyse data,give me an orange, i’ll give you a skynet. Why an orange you ask? I’m hungry and like oranges, there!
Ana (@ana_barbosa90) is the Data Ferret at BinaryEdge. She is small and hides between the 110th and 111th characters of the ascii code to see and show data in that unique perspective of someone who can’t reach the box of cookies stored on top of the capitol ‘I’
Lessons Learned from a Bug Bounty OperatorMozilla operates (one of) the oldest bug bounty programs in existence. In this presentation, I will share some of my experiences helping operate the web bug bounty program at Mozilla and some of the lessons I've learned along the way; the good, the bad, and the ugly.
Jonathan Claudius is a Pentester at Mozilla. He is a member of Mozilla’s Enterprise Information Security team; where he’s focused on security assessments, the Mozilla Web Bug Bounty program, and security engineering efforts.
He has over 15 years of experience in IT with the last 13 years specializing in offensive and defensive security roles. Before coming to Mozilla, Jonathan was a Senior Lead Security Researcher at Trustwave SpiderLabs. Jonathan has also presented at DEFCON, BlackHat, BSides Chicago, SOURCE Boston, THOTCON, and other leading security conferences.
Introducing Man In The Contacts attack to trick encrypted messaging appsMobile messaging applications have recently switched to end-to-end encryption. With debates at the government level to ask for backdoors, those tools are perceived as unbreakable. Yet, most of the implementations trust the contact information stored in the smartphone. Given that end-users hardly know a few phone numbers and that modifying contacts is easy, we will introduce a new type of attack: Man In The Contacts (MITC).
Jérémy Matos has been working in building secure software over the last 10 years. With an initial academic background as a developer, he was involved in designing and implementing a two-factor authentication product with challenging threat models, particularly when delivering a public mobile application. As a consultant he helped in the security requirements definition and implementation, including cryptographic protocols, for applications where the insider is the enemy. He also led code reviews and security validation activities for companies exposed to reputation damage. In addition, he participated in research projects to mitigate Man-In-The-Browser and Man-In-The-Mobile attacks.
Challenges of secure codingAt SIG we have an extensive experience in performing secure code reviews and guiding software developers on how to implement security best practices. Secure coding is an extremely challenging task and even trained developers struggle with defining, implementing and adopting secure coding guidelines. Over the last years we have found some gaps in the recommendations for secure coding guidelines that lead to enormous and recurrent difficulties in the development of secure applications. In this talk we will address this topic by presenting the challenges of secure coding, focusing in particular web applications security. We will also report on our findings regarding the ongoing security code review research performed in cooperation with the Radboud University Nijmegen in the Netherlands.
Bárbara Vieira is a researcher from SIG based in Amsterdam, the Netherlands. Before she was a post-doc in the Digital Security group and PILab, at Radboud University Nijmegen, the Netherlands. She finished her PhD in 2012 at University of Minho, Portugal and has been actively contributing to the areas of information security, cryptography and privacy over the last years.
Hacking PythonPython certainly is a great programming language to help you getting things done. It provides such a high level abstraction that makes humans so comfortable and confident about their code.
Francisco Ribeiro is a computer security engineer with over 10 years of work experience in both offensive and defensive sides. Francisco likes science and technology interested in computers since early age. Currently working for Mimecast as a Security analyst, most of his experience has been in penetration testing and source code analysis but also worked in forensic investigations and different aspects of monitoring.
Studied Computer Engineering in Faculty of Sciences on University of Lisbon where also became MSc on System Architecture and Computer Networks, enjoys learning programming languages specially when they come with a different way of thinking towards problems. UNIX, web, memory analysis are some of his areas of interest and lately has been interested in graph databases and machine learning.
Attackers Gh0st st0riesThis presentation will be about previous pentests i've done i'll show some examples and sometimes scary stuff that one can find in some organizations. The presentation would begin showing some stuff that is possible to do while testing WiFi networks, external networks, and webapps.
Since young age i was very curious about computers, however was never a fan of consoles, but of ZXspectrum yes! (and later of course the PC)
I’ve worked as a Sysadmin for 12 years, mostly on a Public institution and on a Bank institution.
I work as a Pentester since 2011 and this is realy what i like to do!
I like to share experiences from all the work i’ve done as a sysadmin and pentesting.
Brace YoSelf: DDoS is ComingThe interactive workshop starts with a DDoS attack being done against an organization, demonstrating the vague nature of such attacks. From there we continue to:
Dima Bekerman is a security researcher and data scientist at Imperva Incapsula’s security research labs, specializing in Human/Bots classification.
Dima holds a MSC in Cyber Security from Ben-Gurion University in Israel, in which he specialized in machine learning and data mining. Prior to being a security researcher in Imperva Incapsula, Dima was a researcher at Deutsche Telekom innovation laboratories and a developer at Applied Materials.