Slovensko | English

Opisi predavanj - HEK.SI 2018

  • My toaster is a criminal, Urban Suhadolnik
    Zakaj je varnost v IoT in ostalih embedded napravah pomembna in kakšne so posledice, če (ker) se tega ne držimo?

  • How we introduced NIS Directive into Croatian legislation?, Jurica Čular, Croatian Government's CERT
    On May 9, Croatia will, along with other EU member states, introduce new cyber legislation as a result of NIS Directive transposition. Creating a policy in dominantly non regulated environment was a challenging process that involved many stakeholders with different cyber awareness potential. This talk will bring insight into key stakeholders involved with new policy and detailed explanations of Croatian approach used to tackle with key NIS Directive demands.

  • Why everybody should do CTF/Wargames?, Miroslav Štampar, Croatian Government's CERT
    This presentation covers different aspects of CTF/Wargames that author finds particularly important in self-learning of any individial involved in information security field. Most of all, by presenting couple of cases that could be found (freely) on Internet, audience should get a better picture of vast range of possibilities that could help them to become better at everyday job activities. Instead of sitting helplessly and watching bad guys win the (online) fight, everybody should try harder and prepare by learning (solving) something new each day.

  • Core Banking Systems, Crypto coins and other business solutions are under attack, Balázs Hambalkó, Balasec
    What is it? You think you own it because you have bought it. But it's useless for you, thanks for the people's approach. It's IT Security at your system!
    I will be talking about what are the reasons the enterprise level companies/solutions (banks, agencies, Core Banking Systems, Crypto coins, and so on...) are still suffering
    and are being under (successfull) attack. Based on some true story I encountered in 2017 ...

  • CVE-Scraper, Alex Conti, Politecnico di Milano
    During pentest activity the most painful part is reporting the issues found. We are struggling to improve our reporting method, decreasing in the meanwhile the time we spend on it. We think that in this way it's possible to focus on the real pentest activity, more useful and a lot more enjoyable! I have an idea to make vulnerability reporting faster and also to make it easy find software vulnerabilities, exploits and remediations. Online there are plenty of sites that make available CVEs for a specific software version and there are also many places where it is possible to find exploits. In order to automate this process I thougth to download and maintain updated some CVE's databases, indexing vulnerabilities and looking for details offline. Alternatively the search could be made online in real-time, in order to waste the less space possible on disk.
  • mBills - mobilna denarnica, ki prispeva k etičnosti in transparentnosti plačevanja, Jerica Urbančič in Primož Zupan, MBILLS d.o.o.
    mBills je mobilna denarnica, ki uporabnikom omogoča plačevanje z mobilnim telefonom 24/7/365 v realnem času: hitro, varno, enostavno, ugodno. Po drugi strani pa je mBills enotna odprta rešitev za mobilno plačevanje, v katero se enostavno vključi katerokoli podjetje. Vizija MBILLS, ki od 1. decembra 2017 nastopa s podporo Petrola, je omogočiti uporabnikom, da bodo lahko kadarkoli, kjerkoli in komurkoli plačevali s telefonom. Na drugi stranki si podjetja (od prodajalca na stojnici, prodajnih avtomatov, taksijev pa vse do velikih nakupovalnih centrov) želijo sprejemati negotovinska plačila na enostaven, hiter in cenejši način, kar mobilni telefoni nedvomno omogočajo. MBILLS že danes uspešno zasleduje svojo vizijo – omogoča namreč plačevanje v vseh situacijah, ki jih našteva raziskava Evropske centralne banke o uporabi plačilnih sredstev v evro območju: plačevanje v trgovinah in na bencinskih servisih, nakazovanje denarja prijateljem na telefonsko številko, plačevanje v restavracijah, na smučiščih, spletno nakupovanje, plačevanje mesečnih položnic, plačevanje v mobilnih aplikacijah, plačilo s slikanjem QR kode in plačila na avtomatih.

  • Varnostne ranljivosti, odgovorno poročanje in pametne pogodbe, Gregor Pogačnik, Fundacija SICEH
    Pogledali bomo primere ranljivosti v pametnih pogodbah (na Ethereumu) zaradi katerih je "izginilo" več milijonov. Vedno več organizacij ponuja nagrade za odgovorno razkritje varnostnih pomanjkljivosti. Nagrade so včasih le simbolične, drugič pa gre za relativno visoke zneske. Kakšna je realna cena za popolno izkoriščenje določene ranljivosti na sivem trgu, lahko le grobo ocenimo. Je pa številka verjetno pogosto višja od nagrad. Pri pametnih pogodbah po drugi strani točno vemo s kolikšnimi sredstvi imamo opravka. To še toliko bolj poveča izziv, kako motivirati raziskovalce v odgovorno poročanje.

  • (Advanced) Android Mobile Application Hacking, Mislav Boroš, INFIGO IS d.o.o.
    There are numerous books and tutorials out there describing the basics of Android mobile application security, however, most of them heavily rely on tool usage.
    While tools certainly help, in many situations they simply do not work as intended and leave you in a blind-alley with the deadline approaching.
    This presentation will demonstrate some examples of how to efficiently reverse and modify tested Android applications, based on dozens of mobile application penetration tests performed by INFIGO IS.
    Instead of blindly using different tools, we will get our hands dirty and show how to bypass and intercept custom encryption modes, manually remove different security controls (like certificate pinning and jailbreak detection) and even quickly develop custom testing applications while recycling the original application code.

  •  Protislušni pregled, Aleš Ažman, Detekta d.o.o. in Tibor Tajnšek, Detektivsko Varnostna Agencija Dva Fokus d.o.o.
    - Hollywood ali realnost?
    - Protislušni pregled (Technical Surveillance Counter Measures (TSCM) )
    - INFOSEC & TSCM
    - Naprave za prisluškovanje in snemanje
    - Izvajanje pregleda

  • Zloraba shranjenih profilov wifi omrežij, Andraž Jelenc, FRI in FMF
    Življenje bi si danes težko predstavljali brez brezžičnega interneta. Omogoča nam, da lahko pošiljamo elektronsko pošto in brskamo po spletu brez, da bi za seboj vlekli mrežni kabel. V prihodnosti se bo pomembnost te tehnologije le še povečala, saj bodo prek wifija komunicirali tudi vodni števci, hladilniki in srčni spodbujevalniki. Velik del brezžičnih omrežij predstavlja wifi, katerega varnost v veliki večini temelji na varnostnih protokolih WPA (v preteklosti WEP). Vendar pa nam to prav nič ne koristi, če se naprava samodejno poveže na dostopno točko v napadalčevi lasti. Privzete nastavitve napravi narekujejo, da naj se samodejno poveže na znano dostopno točko, kar lahko izkoristimo, da postane man-in-the-middle. Do popolnega nadzora nad omrežjem in vašimi napravami pa od tod ni več daleč.

  • Kako v podjetju izvesti penetracijski test s pomočjo etičnega hekerja?, Matej Lamut Skok, NLB d.d.
    Vsa podjetja se trudijo, da zagotovijo čim boljšo varnost svojih IT sistemov. Ocenjujejo tveganja, nameščajo varnostne popravke, trudijo se z varnim programiranjem aplikacij, vzpostavljajo zaščitne in nadzorne sisteme za preprečevanje ter zaznavo vdorov, itd. Ali so ti ukrepi dejansko uspešni, se najbolje preveri s simulacijo napada, ki uporablja podobne tehnike, kot bi jih pravi napadalci. Tema predavanja je organizacija penetracijskega testa: kako izbrati sisteme za preverjanje, kaj naj penetracijski test obsega, kateri so najpomembnejši kriteriji pri izbiri izvajalca ter kako uporabiti ugotovitve in priporočila, ki jih dobimo od izvajalca testiranja.

  • The experience of CERT-UA in cyber threat counteraction, Yevheniia Volivnyk, CERT-UA
    Presentation of CERT-UA team activity. APT attacks on the information systems of Ukraine. Cyber Incident Response Center. 

  • Human firewall, Gorazd Rolih, Slovenska vojska
    Informacijska tehnologija je danes z nami praktično povsod. Precej nam je olajšala življenje, po drugi strani pa nas tudi ogroža. Kakšno vlogo imamo pri tem ljudje, bo poskušal ugotoviti major Slovenske vojske Gorazd Rolih, ki že vrsto let dela na področju informacijske varnosti in ga med drugim zanima tudi psihološki vidik.

  • Hackers, Threats and Cyber Defence: the S&T Slovenija approach, S&T Slovenija d.d.
    Hekerji in etični hekerji. Napadalci in obramba. Gre za konstantno bitko med dvema stranema, vmes pa imamo uporabnike, njihove podatke in način dela z njimi. Predavanje bo prikazalo glavne poudarke te bitke, kot so recimo nekatere tehnike hekanja, kako poiskati in reagirati na grožnje ter kako zgraditi primerno kibernetsko obrambo. Prikazali bomo tudi izkušnje ekipe S&T Slovenija d.d. na področju kibernetske obrambe in nekaj primerov. 

  • Designing practical Audit Trails in Oracle, Pete Finnigan, Oracle Security specialist
    Pete will present the situation faced by most DBAs. An Oracle database that has limited audit trail settings provided by Oracle by default. These settings have been enabled since version 10.2 but do they work" do they provide accountability? - lets see. Pete will breifly introduce two web applications that are developed with Oracle as the back end and show how during hacking the applications and revealing such details  as credit card numbers (PCI)c and customer details (GDPR) how well Oracles default audit trails perform; do they catch the actions performed, can we detect what happened and by who. Then Pete will introduce the features of a simple policy based toolkit that he has created himself for the Oracle database and install this. he will then hack the database again and see if the results are instantly better; they should be.

  • NAT64 eksperimenti v Go6Lab-u in orodje NAT64Check, Jan Žorž, Go6 / Internet Society
    As many mobile operators were moving to IPv6 only which is incompatible with IPv4 on the wire, it’s necessary to employ transition mechanisms such as 464XLAT or NAT64. The Go6lab NAT64/DNS64 testbed was therefore established so that operators, service providers, and hardware and software vendors can see how their solutions work in these environments.
    This has already generated significant interest, and instructions on how to participate are available on the Go6lab website.
    When using NAT64 there are many things that need to be checked to ensure they work correctly. NAT64check has therefore been developed to allow websites to be checked for consistency over IPv4, IPv6-only and NAT64, as well to compare responsiveness using the different protocols. This allows network and system administrators to easily identify anything is ‘broken’ and to pinpoint where the problems are occurring, thus allowing any non-IPv6 compatible elements on the website to be fixed. For example, even if a web server is not running IPv6 (why not?), hardcoded
    IPv4 addresses can cause NAT64 to fail.

  • onyx - unique search engine that crawls entire web and identify outdated platforms , Primož Cigoj, Institut Jožef Stefan
    Onyx is a solution to create a unique search engine that crawls entire web with one and only purpose to index current running software version and identify outdated ones. Based on the security hole and indexed version of the software would be possible to assess the potential damage. Owners of the websites who are running vulnerable software could be warned to update their software. Based on collected data (indexed websites) it would be possible to predict and define geographical damage, as geo location of each server is available to retrieve while indexing websites. Estimated damage caused could be calculated and reported, geographically and in numbers of users.

  • Predajaj znanje naprej, pomagaj pri varnosti (Share your knowledge, help with security), Elijah Hlastan in Žiga Deutschbauer, Fogy Tech
    Have you ever sat in a café and logged onto Facebook? Maybe your bank account? Did you ever wonder who else was logging on with you, watching what you do, stealing your credentials?
    As hackers, we think about these problems regularly. Which is why we are creating a product to protect individuals from data theft. Come and interact with us as we present our product in development, and share your ideas with us as we work to build a safer browsing experience for others.
    The world of cyber security is strange and uncertain. You could almost say the future is a bit FOGy.

  • The PENtesting is mightier than the sword, Matija Verić, Atia Consulting
    The PENtesting is mightier than the sword - We will cover why is Penetration testing important, what are the prerequisites for both, a customer and a penetration tester, to make the best out of the project. Furthermore, we’ll be showing selected information from the real cases.

  • Princess and the beast in the cyberworld, Aleksandar Mirkovic, eSigurnost
    From zero to full control
    Demo will include:
    Evil twin attack, Java aplet exploit and WannaCry exploit, priviledge escalation, hashdump and lateral movement on network.
    I will create a fairy tale about a Company Manager sending some emails from coffeshop being unnoticable hacked, and unintencionaly bringing hacker into company, so hacker can hack the whole company from inside.

     


ZLATI SPONZORJI

  S&T         Infigo        ALUF

BRONASTI SPONZORJI

  siq       SI-CEH     Comtrade 

V SODELOVANJU Z

Planet e-učenja           Palsit  

 

MEDIJSKI SPONZORJI

rAČUNALNIŠKE NOVCE       Mojaobčina        Monitor Pro      Avtomatika 


Ta spletna stran uporablja piškotke. Z obiskom in uporabo spletne strani soglašate s piškotki.  DOVOLIM Več informacij o piškotkih najdete tukaj.