Keynote Speakers

JP Aumasson


About the Speaker:

Jean-Philippe (JP) Aumasson is Principal Research Engineer at Kudelski Security. He designed the popular cryptographic functions BLAKE2 and SipHash, initiated the Crypto Coding Standard and the Password Hashing Competition. He presented at conferences such as Black Hat, DEFCON, or Troopers about applied cryptography, quantum computing, and platform security. In 2017 he published the book "Serious Cryptography" with No Starch Press. JP tweets as @veorq.

Javvad Malik


About the Speaker:

Javvad Malik is a security advocate at AlienVault, a blogger and a co-founder of Security B-Sides London. Prior to joining AlienVault, Javvad was a senior analyst with 451 Research providing technology vendors, investors and end users with strategic advisory services, including competitive research and go-to-market positioning. Prior to that he was an independent security consultant, with a career spanning 12+ years working for some of the largest companies across the financial and energy sectors. An active blogger, event speaker and industry commentator, Javvad is probably better known as one of the industry’s most prolific video bloggers with a signature fresh and light-hearted perspective on security. You can follow Javvad on Twitter as @J4vv4D.


Parth Shukla

Intel AMT: Using & Abusing the Ghost in the Machine

Come see how Intel AMT can be used to completely own a modern machine permanently and without detection.

In the first half of the talk, we’ll see how an attacker can abuse the legitimate functionalities of Intel AMT to gain long term persistent access with little to no chance of detection. The demoed attack can be executed to take ownership of AMT in less than 60 seconds - either through supply chain or temporary physical access. We will then show how AMT can be used for persistent access to the machine via readily available and easy-to-use C&C tools. Finally, we will cover possible mitigations and preventions against such attacks.
In the second half of the talk, we will walk through the process of doing non-destructive forensics on an Intel AMT to which we don’t know the admin password (i.e. potentially attacker controlled!). We will also describe how to reclaim ownership of the AMT once forensics is complete. Finally, we will be releasing the Linux tooling we developed in order to facilitate AMT forensics.

What is Intel AMT?

Intel AMT is an out-of-band, always-on management technology, embedded into Intel chipsets supporting vPro technology, intended to allow remote management of equipment without the need for a functioning OS. Intel AMT is commonly available on all Intel-based business laptops & desktops as well as many high end consumer laptops & desktops.

About the Speaker:

Parth Shukla is a Security Engineer at Google in Switzerland. He works on efforts related to firmware/hardware security as part of the Enterprise Infrastructure Protection team. He worked for Google in Sydney, Australia for 3 years before moving to Zurich, Switzerland.
Prior to Google, Parth was an Information Security Analyst at the Australian Computer Emergency Response Team (AusCERT). While at AusCERT, Parth analysed the non-public data of the Carna Botnet that he obtained exclusively from the anonymous researcher of Internet Census 2012. Parth released a white paper on this analysis (bit.ly/carna-paper) and presented on it at various conferences, including: DeepSec 2013 in Vienna, Austria; Blackhat Sao Paulo 2013 in Sao Paulo, Brazil; APNIC 36 in Xi’an, China and AusCERT 2013 in Gold Coast, Australia.

David Sopas

GTFO Mr. User

In this talk, the author will present real case scenarios (aka hacking to PoC) showing the danger of large organizations ignoring high and critical security issues, with repercussions that would affect millions should the security threats fall into the wrong hands. Additionally, this talk will share tips on how to properly disclose bugs to companies without being a real Trump.

About the Speaker:

David Sopas is an AppSec research team leader at Checkmarx and is the co-founder of Char49. Google, Yahoo!, eBay, Microsoft, and many other companies have acknowledged his work. David is also a proven bug bounty hunter, currently ranking number 1 on Cobalt and best Portuguese at HackerOne.

Jérémy Matos

Abusing Android In-app Billing feature thanks to a misunderstood integration

Android provides an In-app Billing API so that developers can sell extra features directly in their applications. In-app purchases are often used in games to buy credits that unlock extra content, lives, etc.
But the integration of the payment feature is most of the time misunderstood: code running on the smartphone cannot be trusted.
Hence all the payment checks and attribution of content should be done on the server side. As it is not crystal clear in the documentation provided by Google, lots of games still do the processing client side.

We will exploit a real-world Android game to get free credits, and see how easy it is to reverse engineer it and discover that checks are done client side.
Then, thanks to the Xposed framework, we will write a one-line hook bypassing the payment.
After that, we will show how to patch the bytecode of this application, injecting the content of the hook, to be able to redistribute it.

Finally, we will provide actionable recommendations on how to avoid that by having a quick look at what is done in AngryBirds.

About the Speaker:

Jérémy Matos has been working in building secure software for more than 10 years.
With an initial academic background as a developer, he designed and helped implement a breakthrough mobile two-factor authentication solution.
He led code reviews and security validation activities for companies exposed to reputation damage or where the insider is the enemy.
He now provides software security services at his own company.
Last year he presented at DefCon Crypto Village a new attack vector on encrypted messaging apps called Man In The Contacts.

He also teaches application security and blockchain technologies in Swiss and French universities.

Kieran Roberts

Hardware Basics - why and how to break hardware.

Hardware is everywhere and 'hardware hacking' has grown massively in popularity over the last few years.
Despite this, it is still considered to be somewhat of a black art; useful materials can be relatively hard to come by, especially for those without an electrical engineering background.
In addition to this, there are a huge number of facets to ‘hardware hacking’ and an array of ‘end goals’, which muddies the water even more.
This talk aims to cover a number of basic attack techniques, from gaining a simple root shell via UART to JTAG to some complex attacks such as side channel analysis and side channel attacks via power glitching.

About the Speaker:

Graduate of Abertay, currently working as a Senior Consultant at NCC Group and living in Munich, Germany. Interested in 'hardware hacking' as a hobby/side project.

Ben Herzberg

V!4GR4 BotNet: Cyber-Crime, Enlarged

Trafficking of counterfeit pharmaceuticals is a massive industry, and has been known for its persistent usage of different blackhat techniques in order to maintain its operation. A large part of those attempts are web application attacks, which are used in order to operate a huge network which generates substantial income for its operators.
In this session we're going to introduce some of the main Methods of Operation for these groups, estimate the size of this operation, and why it matters.
We will walk through real attack data, to see some of the latest attacks generated by these organizations, and discuss how organizations can be better protected against those attacks.

About the Speaker:

Ben has years of experience in hacking stuff, writing code, and in his past was a red team leader, and technical leader as a CTO and research manager.

Ben is the group manager of Imperva's research group, consisting of elite security researchers and developers - researching Application Security, Network Security, Data Analytics & Machine Learning.

Tiago Pereira

Botnet activity monitoring through process puppeteering

Monitoring botnet activity to produce threat intelligence often requires the development of specialized tools that speak the malware protocol, join the botnet and extract relevant information or exploit some of its weaknesses. The development of these tools (often called trackers, crawlers or milkers) can be hard and time consuming as it involves long reverse engineering hours, re-implementing network protocols from scratch, and operating them without being detected by the botnet operators. This presentation will share a few fun moments developing and deploying these tools and show how to make the process (slightly...) less painful, by using memory injection and binary instrumentation to re-purpose real malware as a botnet monitoring tool, while disabling its malicious capabilities.

About the Speaker:

Tiago Pereira is an information security professional with over 10 years of experience, during which he has had the opportunity to work with multiple organisations ranging across several industries (e.g. Telecommunications, Finance, Energy, Government), and to perform hundreds of different projects in diverse areas of security such as consulting, penetration testing, security auditing, forensics, incident response and threat intelligence.
Passionate about forensics and reverse engineering, he is currently a threat researcher at Bitsight Technologies (Anubis Labs Team) where he focuses on malware and threat research.

Vincent Ruijter and Bernardo Maia Rodrigues

I Boot when U-Boot

Personal computer systems are now considerably more secure than embedded devices. Trusted Platform Module (TPM) and secure boot are readily available and even default in a lot of new desktop computers and laptops. Numerous small office and consumer devices, including routers and smart televisions, however, are lacking even the most basic security features.

In this talk we will demonstrate and describe the inner-workings of a custom developed (Fully Weaponised IoT Cyber™) bootkit, which gains persistence on U-Boot based embedded devices, at a lower level than even the firmware. Firmware updates and factory resets usually do not interfere with the bootloader, as a small problem could render the device unusable for an end-user: the bootkit will therefore remain present. By including a properly functioning killswitch and a multi-boot like technique, it is possible to switch between a regular and a backdoored image to thwart detection.

Enterprises and ISPs must take this additional attack surface into account, and put effort into detecting and responding to this threat. Well-known security researchers have long advocated for easier ways to verify and demonstrate the integrity of hardware, but this comes at a price that vendors are not willing to pay for security. Recently, however, regulatory bodies have started to force vendors to lock down their wireless devices, in order to prevent them from operating outside of their certified frequencies. But these 'vendor lock-downs' are not sufficient to increase device security; as we will demonstrate, they are just a minor inconvenience.

About the Speaker:

Bernardo: Bernardo works as an Ethical Hacker for KPN's (Royal Dutch Telecom) REDteam. He enjoys hacking (and bricking) embedded devices including routers, modems and TVs. He presented on security topics at the NullByte Conference, the null Amsterdam chapter and local venues. He frequently participates in CTFs with TheGoonies and is famous for not using buzzwords like IoT, APT and Cyber in his bio.

Vincent: Pacifistic Internetveapon @ KPNs (Royal Dutch Telco) REDteam, who thinks he knows Linux. Moderator @ null Amsterdam chapter, with an endless curiosity for all things binary. Knows how to quit Vi ^[ESC!wqwq:wq!

Luís Grangeia and José Moreira

Fantastic signals and where to find them

This talk will be an introduction to software defined radio (SDR) for security professionals with little to no experience in this topic. We are security professionals that started to explore the RF spectrum to look for vulnerabilities and will share our experience and lessons learned.

We will look in some detail at our explorations of the Portuguese RF spectrum, such as: sniffing and manipulating Bluetooth Low Energy traffic, tuning into SIRESP (TETRA based emergency services network), looking at the signal for Via Verde (Portuguese e-toll system), rolling your own GSM network and more.

We will cover the basics of what you need to get started in this area and try to make a point that the RF space needs a closer look by information security professionals.

About the Speaker:

José Moreira is a Mobile Hacker, Reverser, Linuxer. Author of the best camera mod "Xperia Camera Unlocked". Loves to watch the world burn. Started with a basic RTL-SDR dongle, and last Christmas, Santa gave him a HackRF to hack around.

Luis Grangeia has been an infosec professional for about 17 years, mostly doing security audits and pen-tests. He recently bought a BladeRF software defined radio that he intends to use to hack all the things.

Thomas Fischer

I Thought I Saw a |-|4><0.-

Threat Hunting refers to proactively and iteratively searching through networks or datasets to detect and respond to advanced threats that evade traditional rule- or signature-based security solutions. But what does that really mean? And what real impact does it have on the security team?

Threat hunting looks at a mountain of security data already being produced daily by the traditional monitoring solutions such as netflow data, firewall events and logs. Now include endpoint data and the events to review explode exponentially. The claim, from various vendors, is that the additional data provides greater visibility, but for whom? Traditional incident detection doesn't necessarily take into consideration the endpoint events. Building a threat hunting activity scoped to start with endpoint data can significantly change the game.

This talk is a journey of how to dive into threat hunting and will cover the principles of threat hunting as a foundation while examining the challenges of working with large datasets that can be generated by endpoint data and analyse some of the tools claiming to ease this burden, including machine learning.

About the Speaker:

As Global Security Advocate at Digital Guardian, Thomas plays a lead role in advising customers on their data protection activities against malicious parties. Thomas' 25+ years background in IT includes varying roles from incident responder to security architect at Fortune 500 companies, vendors and consulting organizations. Thomas is also an active participant in the InfoSec community not only as a member but also as director of Security BSides London, and ISSA UK chapter board member.

Allan Liska

The Business of Ransomware

There is a cliche that refuses to die that every malicious actor is some guy in his mom's basement downing Cheetos and Red Bull while furiously slamming away on the keyboard. But that is not the case, especially with most large campaigns. This presentation will discuss the business side of ransomware. Understanding how ransomware actors make money, how they are organized and how to hurt them provides practical and strategic information that both defenders and managers can use to better protect their organizations.

About the Speaker:

Allan Liska is a solutions architect at Recorded Future. Allan has more than 15 years' experience in the world of information security and has worked as both a security practitioner and an ethical hacker. He is the author of The Practice of Network Security, Building an Intelligence-Led Security Program, and Securing NTP: A Quickstart Guide and the co-author of DNS Security: Defending the Domain Name System and Ransomware: Defending Against Digital Extortion.

João Pena Gil (Jack64) and Luis Gomes (JustPassingBy)

Practical Out-of-Band Data Exfiltration in 802.11

Out-of-Band exfiltration using 802.11 has been around for a while, but the code that is publicly available has limited functionality and is not well suited for use in a real-world scenario.
In this talk, we will demonstrate a red-team vs. blue-team scenario live on stage, where an attacker will attempt to perform data exfiltration using the known techniques, and show how it is possible for the defense team to detect and even block or interfere with the exfiltration attempts. We will then escalate the red-team side by showing off a new method of data exfiltration that makes it a lot harder for the blue team to interfere, track or detect that it is in process, raising the bar for wireless IDS.

About the Speaker:

Luis has been in this area for 8+ years, spent most of it as a Security Engineer and Penetration tester. He has worked for various clients in the private banks and public sector, gambling and compliance projects and also some tech giants. Loves coding his own tools and breaking into security giving clients the best possible service.

João has worked in information security for 3+ years, contributed to big open source projects like Metasploit, co-developed airpwn-ng, a tool for 802.11 packet injection, and was a workshop instructor at DEFCON 25. He currently works as an Application Security Analyst at Checkmarx by day and as a Core Researcher at Cobalt IO by night.

Álvaro Felipe Melchor

Having fun while analyzing mobile applications

In this talk I will present how open source frameworks can be leveraged to successfully carry out mobile assessments. Nowadays, in the consultancy world you have to be ready when it comes to evaluating mobile security. Therefore, knowing different frameworks and building your own tools are mandatory.

The talk will begin by presenting different frameworks such as Frida and radare2, aimed at different kinds of analysis (static vs dynamic), showing their strengths and how to use them to get the job done. Last but not least, a tool built from the ground up using Frida will be presented, which automates many tasks such as cert pinning bypass, root detections, etc.

About the Speaker:

Álvaro Felipe is a Security Consultant at NCC Group and part of the dev core team of radare2 reverse engineering framework. During his career he has taken part in a large number of security projects and researches, focusing his skills on mobile application assessment, code review projects, fuzzing and application vulnerability research.


Ricardo Dias

Static analysis of a RAT campaign

This workshop is a deep-dive into a remote access tool (RAT) distribution campaign. We will do static analysis all the way through, from the weaponised attachment, second stage downloaders, to the RAT config extraction in the end.

What you will learn:
- The workflow of static analysis
- Extract valuable information from a wide range of file formats
- Decompile .NET and Java
- Defeat encoding/encryption puzzles
- Develop Python scripts for automation
- Extract the RAT configuration file

Students are expected to bring their own laptop with VMware or VirtualBox installed. USB sticks with VM images will be provided in the class. If your host OS is Linux/Mac OS X and you have Docker installed, a Docker file is also provided, for lightning-bolt analysis.

Let's make malware great again.

About the Speaker:

I'm a cyber security analyst and a passionate malware hunter. For the last 11 years I've been doing incident response, computer forensics and malware analysis.

Colin McLean

Web application testing with SWAG (Susceptible Web App Generator)

SWAG (Susceptible Web App Generator) is a new application designed for people learning Web Application testing. The application itself has a web front-end and allows the user to generate a unique vulnerable web application. There are 12 different basic types of web application that SWAG generates (e.g. on-line store, file sharing application, member management etc.). Each application created is injected with random vulnerabilities (e.g. SQL injection, file upload vulnerabilities, file injection etc.). The SWAG user can then perform a security test of the generated application. SWAG will also generate a report of the injected vulnerabilities for feedback purposes (i.e. the answers). The following video shows the application: https://www.youtube.com/watch?v=0MKC1qxkbNU

The workshop will cover:
- The basic use of SWAG.
- Information gathering techniques.
- Enumeration techniques.
- SQL injection.
- Local File Inclusion vulnerabilities.
- File upload vulnerabilities.

About the Speaker:

Colin McLean is a lecturer in Computing at the University of Abertay Dundee in Scotland. In 2006, Colin developed the world’s first undergraduate degree with the word “Hacking” in the title. The BSc in Ethical Hacking at Abertay University in Dundee, Scotland has since become one of the main providers of graduates to the security testing industry in the UK. In 2016, Colin was featured in the top 100 key figures driving the digital agenda in Scotland by Holyrood Magazine. Colin has been a lecturer at Abertay University for 27 years and has talked at several of the leading Ethical Hacking conferences in Europe including BSides London, DeepSec Austria, BruCon Belgium, BSides Lisbon and BSides Edinburgh.

André Garrido and Duarte Sousa

IntelMQ - The full processment of a threat

The excess or absence of information available today combined with the lack of automation makes incident handling a huge challenge. IntelMQ was created for a constant improvement of feed processing so it can support the work of incident response teams.
IntelMQ was developed by FCCN (Fundação para a Computação Científica Nacional) and was later supported by other European CSIRTs with the aim of speeding up the treatment of information and improving the tool through shared development.
Through the collection and processing of feeds it is possible to filter molded data for the desired purpose.

This workshop intends to provide the trainees with the following skills:
[+] Understanding the IntelMQ framework
[+] Installing and configuring IntelMQ
[+] Understanding the structure of a bot
[+] Feed IntelMQ with Kippo SSH Honeypot

About the Speaker:

André Garrido - Worked as System and Network Administrator for 15 years but always having a sharp eye on security. During the last couple of years embraced security as a profession and became a security analyst at Centro Nacional de Cibersegurança.

Duarte Sousa - Worked as SysAdmin and Developer for the last 17 years, the last 6 years fully dedicated to infosec. Duarte loves learning new stuff and being challenged by any new tech discovery. His motto is: Drink coffee, clean your mind and try harder!