Opisi predavanj - HEK.SI
Army of Undead – Tailored Firmware Emulation
The exploding number of embedded systems, like network cameras, routers and programmable logic controllers (PLCs) of the past years raise the question how secure these devices are and which connections are established in the background. As these devices are often concepted as closed systems, a popular possibility is emulation of the firmware of such devices. Past projects like FIRMADYNE by Chen et al. and Automated Dynamic Firmware Analysis at Scale by Costin et al. showed that emulation of such devices is possible, but only by doing manual modifications on the Linux kernel and restricted to few architectures. During this talk, comprehensive methods for tasks like finding the file system root, determining the exact instruction set and emulating the target firmware in an automated manner will be discussed. All these steps can be done by simple scripts and open-source components without changing the code of any kernel. In contrast to known projects, a wide spectrum of CPU architectures (SH4, PPC, ARMv5/6/7, MIPS/MIPS64 and x86) as well as different init systems (System V / D) can be covered.Partial emulation of incomplete firmware upgrade files was also done to check libraries for known vulnerabilities. This was achieved by using the combination of Buildroot and QEMU. The methods, that were tested for the past year, were used for identifying vulnerabilities in various embedded devices without owning the hardware. The overall outcome of different known and unknown vulnerabilities was recorded during a large scale study through over 40 different vendors. Many of the easily found vulnerabilities could have been avoided while few others, that were more difficult to find, are harder to mitigate. A smaller count of backdoor-like functionalities were also identified in some of the tested product firmware.
AWS Security: Sweet dreams vs reality - Case Study
This talk is a guide through some of the most common vulnerabilities in AWS deployments and ways how hackers exploit them. Come to have a look from a hacker's point of view. It helps you to become a better defender.
Cognitive Hacking - Age of Covid
The science of persuasion has become more sophisticated in recent years, especially thanks to technology. Digitally crafted information can trigger economic collapses, wars and influence people's behavior.
How easy is to influence and program people without their knowledge? How hard is it to persuade a part of the population big enough to destabilize a democracy?
Cognitive hacking is the practice of changing the behavior of the target by manipulating the perceptions and exploiting psychological vulnerabilities.
In a world where fake news dominates the conversation, attackers find more and more ways to produce and exploit misinformation.
This talk will explore the ways in which cyber criminals are exploiting COVID-19, using the health and economic turmoil to gain advantage from the human factor and the emotions caused by the pandemic.
Community powered IP reputation system
Presenting open source security engine able to analyze visitor behavior and provide adapted response to attacks. Its power comes through IP reputation data shared with community.
Connected vehicles cybersecurity - status and next steps
The forthcoming ISO 21434 standard "Road vehicle Cybersecurity Engineering" (currently still under development) and the UNECE regulation R155 "concerning the approval of vehicles with regards to cyber security and cyber security management system" have the clear objective of ensuring that all major players in the automotive sector, be their vehicle manufacturers (so-called OEMs) or component suppliers (so-called TIERs ), are aware of the importance of cybersecurity in the product development process, implementing what is defined as the "security by design" approach.
We will review shortly the Automotive hacking history, its challenges and the future steps due to these important standards and regulations.
Connecting the Dots: How Threat Intelligence Protects the Applications
Today we can see that digital technologies are the core of every business. The automation and the connections achieved with these technologies have revolutionized the world’s economic and cultural institutions but they have brought additional risk in the form of cyber attacks.
What is Cyber Threat Intelligence and how you can implement it properly to protect your business?
In this presentation you will find how to integrate it into your Application Security Program but also solutions that automate data collection and processing, integrate with other solutions or services, take in unstructured data from disparate sources, and then connect the dots by providing context on indicators of compromise (IoCs) and the tactics, techniques, and procedures (TTPs) of threat actors.
COVID-19 Cyberfraud Risks – year long Christmas party for cybercriminals and business’ defrauding government release funds
The emergence of the COVID-19 pandemic and related government shutdowns has placed a lot of business’ under massive pressure. Organizations and their employees are faced with increased fraud exposure. It appears to be a never-ending Christmas party for the cybercriminals with a plethora of targeted and themed attacks. Everything one knows about cybercrime but with a COVID-19 flavor: themed phishing emails, malware and fake phone calls as well as fake tax release promises. All preying on insecurity and uncoordinated governmental communication. Aside from the cybercriminals the “good guys” business’ themselves are engaging in fraud and apply for release funds not meant to be for them or are cooking up their figures for lost revenue (in a German case a fraudster applied 91 times for funds and was successful in three cases! By the way be using the same account information). We will look at the past year from a risk perspective and discuss where the risk for incompliance and fraud is the greatest. How can you apply proper controls inside your own business or how to use your knowledge from this lecture to consult your clients.
This course program is designed for all IT professionals involved with information system security, computer forensics, and incident response. Highly recommended for ethical hackers, system administrators, bankers, security professionals, law enforcement professional, incident handlers, security officers, defense and military personal.
Dark Web
Stefan will present what the dark web is, setting up the environment, how to protect yourself, link directories, bitcoin cryptocurrency on the dark web, which is why it is important, encrypt message with PGP, creating onion website and to show how to access the dark web over the phone via android.
Data protection and Bring Your Own Device (BYOD) - do it right
Deep dive into logic and complex flaws or why AI will not replace us soon
AI is one of the most popular buzzwords in last few years. There have been talks about AI replacing almost everything we (humans) do. But is the age of machines really that close?
In this presentation we will show some real case scenarios where it was required to have knowledge of several technologies combined with business process familiarity to exploit applications.
Automatic code reviews and vulnerabilities are good tools for finding simple and obvious security issues, however for those more complex vulnerabilities we still need good old human based intelligence and good engineering skills.
Defense Evasion on Microsoft Window OS
Demystifying Offensive security and Cyber surveillance – A view from the inside
In the last few years, offensive security has become a hot topic. In 2016 NATO officially recognized cyberspace as warfare domain. Few countries have already developed internal offensive security capabilities to overcome adversaries in this battlefield. Worldwide experts agree that a defense-only approach would not be enough to answer the challenge.
Even LEAs need offensive security capabilities in order to face criminal organizations in the digital era. In fact, standard investigative operations are no more sufficient to deal with the abuse of privacy-granting technologies used by criminals to remain undercover.
On the other hand, (sadly) too often, we read about offensive security solutions abused to prosecute journalists and/or political dissidents, or to invade citizenship privacy.
This talk would like to shed light on offensive security and the so-called cyber surveillance market, giving an insider view.
We will have a journey among a tangled forest of technical challenges, ethical and legal aspects.
Digitization and its impact on cyber security
Emerging and Disruptive Technologies - How Cyber-warfare affects military operations
It is already clear that we live in the “era of information”, where we process a vast amount of constantly growing information. Military operations could not have been more affected. Today, disruptive and emerging technologies, like AI/ML, Graph DBs, Space,
IoT/IoE, and more, are creating such an ecosystem that we have yet to harness it powers. All military operations held in the past millennia share a common factor; the need for precise, prompt, authentic and always available information. Three are the main factors that affect military operations, the weather, the terrain, and the enemy and our dependence in making the right decisions heavily depends on information on all three. Cyber space has emerged during the last years as the fifth domain (among Land, Sea,
Air and Space) of military operations, and the current swift is for an all-domain war fight. Cyber warfare can drastically affect the much needed information flow, and thus can be the decisive factor between victory or defeat.
ERP Security; dont forget the Oracle database
I often perform security reviews of big ERP systems for customers and i focus on the database level security and it shocks me that often customers treat the Oracle database as a black box and they often ignore the actual data security. This talk focuses on the security gap between the ERP level security controls and the database level. We must take care of all levels if we want to secure the data processed by any big business system.
Fantastic Secrets And Where To Find Them
There have been many security incidents caused by publicly accessible storage buckets with catastrophic impact in the past - not so much has been written about leaked secrets. A secret may be a password, access token, or certificate, and they leak just as often as S3 buckets with just as catastrophic effects. As secrets can take more forms than a storage bucket and can be leaked in even more ways, managing them is a challenging task. I will describe overall approaches how to manage secrets in a modern software engineering environment so leaked credentials will not occupy the top vulnerability class in your bug bounty program anymore!
Hacking the human: Exploiting primordial instincts
Social engineering threats are reported every year to be increasing dramatically in numbers. Phishing attacks are on the top threat vectors for various kinds of cyberattacks. Exploiting the human vulnerability continues to be the most attractive and successful path for threat actors targeting assets of organizations and individuals. The natural question that comes to mind is: “Why is social engineering successful?”.
In this presentation, human factor approaches, through several theories, are briefly analyzed and the human emotions that are targeted by social engineers are summarized. Then, based on the above, some common methods of social engineering are presented with examples. Furthermore, human reaction in usual situations is systematically documented and tabulated. The aim of this talk is to expose the techniques used in phishing and social engineering and explain the success of the used methods. Awareness of the methods may act prohibitively to certain attacks and dangers.
Hidden traps of storing data in the public cloud
IT security in a post-COVID world
For a long time, IT Security has been a secondary topic for a lot of companies. More often than not, it only came to mind after an actual data breach or security incident, and was often overlooked otherwise. Over the years, things like WannaCry/Petya or GDPR compliance helped raise awareness a little bit, but those soon faded out as well.
However, the new "Low Touch Economy" emerging as a result of the COVID-19 pandemic could provide the jolt that IT Security needed for a long time. With a lot more people working remotely, the need to secure devices (laptops, phones, etc.), communication channels, as well as on-prem & Cloud infrastructure is now higher than ever before.
The global pressure on innovation and developing new business models to adapt to these changes is high. This session aims to address some of the major shifts and impacts of remote work by providing some ways to balance innovation and IT Security, while also touching on some of the ever-growing gaps in security incident detection and response.
Lions at the watering hole
Dekeneas was started in October 2018, and in two years of activity we managed to successfully identify a series of web attacks, including some major campaigns that made the news recently, such as the Magecart campaign that infected 18,000 websites all over the world and the nation state attacks which used iPhone, Android and Windows 0day exploits to infect the victims. This presentation will sum up two years of activity and technically dissect the HTML implants used in some of these campaigns, to better understand how watering holes and browser exploits work and how can we protect against them.
M365 Security introduction
Microsoft Secure Score is a security analytics tool designed to help organizations understand what they have done to reduce the risk to their data and show them what they can do to further reduce that risk. Secure Score determines what Microsoft 365 services an organization is using, then looks at its configuration and behaviors and compares it to a baseline asserted by Microsoft. Rather than reacting or responding to security alerts, the Secure Score tool enables organizations to track and plan incremental improvements over a longer period of time.
Medical Device Security - Results from Project ManiMed
Our talk aims to present the results of the ManiMed project of the Federal Office for Inforation Security (BSI). Although MD IT sec is already considered in relevant laws and regulations regarding safety and performance, the general IT security posture of medical devices is not as mature as possible. This is due to a strong focus on safety, concomitant with a long product life cycle. Consequently, medical devices should be examined in-depth for IT security vulnerabilities throughout the product lifecycle, especially before being placed on the market. However, the maturity will only significantly improve if approval processes imply defined IT security requirements for medical devices. Further, a prompt and effective reaction of the medical device manufacturer after discovering vulnerabilities is only possible by making use of a framework of established and well-defined processes.
Okrogla miza: Testiranje phishing napadov
Izhodišča okrogle mize:
- Kakšnih tehnik se poslužujejo napadalci?
- Zakaj določenim phishing napadom lahko nasedejo tudi poznavalci?
- Kako prepoznati phishing sporočilo?
- Kako uporabnike spremeniti v obrambno linijo pred phishing napadi?
- Kako testirati phishing napade?
- Kakšne izkušnje imajo naši sogovorniki s testiranjem phishing napadov v svojih podjetjih?
- Boris Mutina, Excello s.r.o.
- Sozon Leventopoulos, Hellenic Armed Forces
- Dominique Brack, T-Systems Schweiz
- Pete Finnigan, Pete Finnigan Ltd.
- Matteo Cuscusa, Cuscusa Web & Security
- Andrei Bozeanu, Cybersecurity Researcher Dekeneas
- Nikos Benias, Hellenic National Defense General Staff/CyberDefence Directorate
- Marko Hölbl, University of Maribor, Faculty of Electrical Engineering and Computer Science
Oracle database password security deep dive
How each password algorithm works, cracking passwords in the database and designing secure passwords.
Pitfalls when Embedding Cryptography into Applications
Cryptography is a technique that allows data protection. The primary purpose is to ensure the CIA trio – confidentiality, integrity and authentication. Therefore, cryptography includes data encryption and other mechanisms like hash functions, digital signatures, and higher-layer security protocols such as TLS. In theory, most algorithms are secure but often fail because of how they are implemented/embedded in applications. Most security incidents are not the result of attacks on cryptographic algorithms but are caused by their improper application.
When embedding cryptography into applications, the pitfalls are often the result of errors in implementation, or the lack of adequate knowledge on when, where, and how to use a specific cryptographic building block. This can result in data disclosure, or it can enable an attacker to circumvent security mechanisms. In this case, even an unbreakable cryptographic algorithm does not benefit us, as it can be bypassed.
This talk would like to shed light on both mentioned problems when implementing cryptography solutions. We will look at use-cases where inadequate use of cryptography has influenced security.
Prediction for AI driven cyber security - Offensive and Defensive
Purpleteaming with MITRE att&ck
When offensive and defensive security capabilities are used in a purple teaming engagement, it represents high improvement capability to organizational security. There are many of purple team activities—some more reddish and some closer to blue. I discuss purple teaming challenges and provide examples of different types of purple teaming activities that I feel are effective, using MITRE ATT&CK framework and methodology.
SI-CERT: review of the special year
Status of Cyber Security in Pandemic time
Stringlifier
Stringlifier is an open-source python package that allows you to detect anything that resembles a randomly generated string in any plain text. It uses machine learning to distinguish between normal and a random character sequences and it can also be adapted for a fine-grained classification (password, API key, hash, etc.). It can be used in sanitizing application/security logs, detecting accidentally exposed credentials and as a pre-processing step for many machine learning (ML) applications including clustering and classification.
The entire source-code is available in the public Github repository (https://github.com/adobe/stringlifier), we include an easy-to-use python API and we provide a pip installation package that includes a pre-trained model.
Those killer emails
Why email attacks reached new top during the pandemic? No wonder, attackers are aware of old new ways to deliver the malicious content into computers left without the perimeter protection. Let's take a look on the most dangerous email scams.
On-Line
Ob prijavi na konferenco HEK.SI 2024, prejmete VIP VSTOPNICO za konferenco INFOSEK 2024!