Talks



7 sins of ATM protection against logical attacks


by: Timur Yunusov
Everyone is perfectly familiar with logical and black-box attacks on ATMs. But hardly any countermeasures have been taken so far: banks are sure that their devices are perfectly protected, until hackers prove them wrong. The most frequent reason why this happens is the lack of expertise among developers, engineers, and security staff: they have a vague idea of attack sources and vectors and of what they should monitor and improve. In this presentation, we'll discuss in detail how exactly hackers break into ATMs and bypass security measures to make machines spit out all the money.

     

Breaking into the iCloud Keychain


by: Vladimir Katalov
Do you remember 'celebgate'? Well, iCloud is not just about backups and private pictures. There is quite a lot of data that is also being *synced* across all the devices, and so stored in the iCloud. iCloud Keychain (that keeps your passwords and credit card data) is the most protected data among all other iCloud-synced categories, but still there is a way to break into it, and funny enough, it is *easier* for the accounts with two-factor authentication enabled.

     

Demystifying The Ransomware and IoT Threat


by: Christopher Elisan
We have seen a rise in Ransomware attacks in the past year. While we are recovering from these attacks, a new wave of DDoS attacks using IoT devices was suddenly thrust into the limelight. In this talk, I will discuss all the stages of a ransomware attack: how it works and how a researcher can handle each of the stages with tried and true analysis techniques. I will then shed light on how IoT devices are used in DDoS attacks by discussing how the malware used in the latest IoT DDoS attack works and how it can be manipulated for future attacks. Then I will discuss how a combination of Ransomware and IoT attacks can be a bigger threat in years to come.

     

Dissecting Exploit Kits


by: Daniel Frank
The Exploit Kit market has been evolving during the past two years, while APJ users are among the most affected victims. The presentation will briefly overview the Exploit Kits market, guiding the audience through the infection flow, from the landing page, through malicious JS and Shellcode execution, to the final payload, such as Ransomware or Banking Trojans. Live demos of stepping through the infection flow of two Exploit Kit variants will include: JavaScript deobfuscation, Shellcode and other malicious payload Reverse Engineering and analysis.

     

Drone Hijacking and other IoT hacking with GNU Radio and SDR


by: Arthur Garipov
The Internet of Things is surrounding us. Is it secure? Or does its security stand on (deemed) invisibility? SDR (software-defined radio) and GNU Radio can answer these questions. In this presentation, we will play with some modern wireless devices. They have similar protocols, and none of them encrypts its traffic. We will show how easy it is to find them using SDR and proprietary chipsets, and how to sniff/intercept/fuzz these devices using a small Python script and GNU Radio. As an example, we will show a Mousejack attack on wireless dongles, a wireless keyboard keylogger and even a drone hijacking.

     

Femtocell Hacking - From zero to Zero-day


by: Jeonghoon Shin
This presentation deals with Femtocells – small, low-power cellular base stations typically designed for use in a home or small businesses that are now being introduced to service LTE customers all over the world.

     

Finding Your Way to Domain Admin Access and Even So, the Game Isn’t Over Yet.


by: Keith Lee
In this presentation, we discuss the tricky scenarios we faced during internal penetration test engagements and how we have developed a tool to solve those issues. We want to fill the gap from after cracking a password hash (normal user) from NetBIOS/LLMNR/WPAD attacks to compromising the entire Domain as well as solving a few tricky issues that we as penetration testers face.

     

Hacking Robots before Skynet


by: Lucas Apa
Robots are going mainstream. In the very near future robots will be everywhere, on military missions, performing surgery, building skyscrapers, assisting customers at stores, as healthcare attendants, as business assistants, as sex partners, cooking in homes, and interacting with our families.

While robot ecosystems grow and become more of a disrupting force in our society and economy, they pose more of a significant threat to people, animals, and organizations if the technology is not secure. When vulnerabilities are exploited in robots, physical features can be utilized by attackers to damage property, company finances, or cause unexpected consequences where human life can be endangered. Robots are essentially computers with arms, legs and wheels, so the potential threats to their physical surroundings increase exponentially and in ways not widely considered before in computer security.

In recent research, we discovered multiple critical vulnerabilities in home, business and industrial collaborative robots from well-known vendors. With responsible disclosure now completed, it’s time to reveal all the technical details, threats, and how attackers can compromise different robot ecosystem components with practical exploits. Live demos will showcase different exploitation scenarios that involve cyber espionage, harmful insider threats, property damage, and more.

Through realistic scenarios we will unveil how insecure modern robot technology can be and why hacked robots could be more dangerous than other insecure technologies. The goal is to make robots more secure and prevent vulnerabilities from being exploited by attackers to cause serious harm to businesses, consumers, and their surroundings.

     

HUNT: Data Driven Web Hacking & Manual Testing++


by: Jason Haddix
What if you could super-charge your web hacking? Not through pure automation (since it can miss so much) but through powerful alerts created from real threat intelligence? What if you had a Burp plugin that did this for you? What if that plugin not only told you where to look for vulns but also gave you curated resources for additional exploitation and methodology? What if you could organize your web hacking methodology inside of your tools? Well, now you do! HUNT is a new Burp Suite extension that aims to arm web hackers with parameter level suggestions on where to look for certain classes of vulnerabilities (SQLi, CMDi, LFI/RFI, and more!). This data is parsed from hundreds of real-world assessments, providing the user with the means to effectively root out critical issues. Not only will HUNT help you assess large targets more thoroughly but it also aims to organize common web hacking methodologies right inside of Burp Suite. As an open source project, we will go over the data driven design of HUNT and its core functionality.

     

Hunting Hunters with OSint


by: Michael Rebultan
Passive and reactive are the common denominators of a security breach. With this presentation, a proactive approach will be showcased for IT security professionals who are especially into SOCs, Analysis, and Forensics, where, using Open Source Intelligence, adversaries can be defeated in no time. Just like any Hacktivists, they enumerate as much data as possible on their targets, from Social Engineering up to the C2 level, in utilizing the OS Intelligence. Reversing the kill chain by proactively anticipating their attacks (DDoS, Brute force, Ransomware, Unauthorized Scanning, etc…) is an efficient way of defending everyone's turf. I will be presenting and demonstrating different ways and tools that a security analyst and a cyber-forensic investigator could leverage as their Arsenal.

     

Strategies on securing your banks & enterprises (from someone who robs banks & enterprises)


by: Jayson E. Street
Most people who work on the defensive side of computer security only see the landscape from that perspective! In this talk, Jayson will show how an attacker views your website & employees and then uses them against you. We'll start with how a successful spear phish is created, by using the information gathered from the companies’ own 'About' pages as well as scouring social media sites for useful information to exploit employees. The majority of the talk will be covering successful countermeasures to help stave off or detect attacks. This discussion will draw on the speaker’s 15 years’ experience of working in the US banking industry on the side of defense. At the same time, Jayson will be drawing on over 6 years of doing engagements where he took on the role of the attacker. If everything turns out well, everyone will have learned something new that they can immediately take back to their networks and better prepare them against attacks!

     

The future of ApplePwn. How to save your money.


by: Timur Yunusov
It was obvious that this attack was possible by default: if the phone is jailbroken, then it's possible to steal the money, but for some reason everyone claimed the opposite, considering "Apple Pay is the Most Secure Form of Payment". This is exactly what I would like to refute, considering in detail the flaws of Apple Pay on the phone (payment in applications and the web). The Apple Pay API allows you to do a lot on the client side (phone), which increases the possibility of attacks: request additional fields, do not sign the current fields, etc., which makes it possible to turn Apple Pay into really "the most popular system for fraudsters".

When people ask about wireless payments (PayPass, ApplePay, SamsungPay, etc.), everyone certainly claims that ApplePay is one of the most secure systems. The separate microprocessor for payments (Secure Enclave), the absence of card data storing/transmitting in plaintext during payments: it looks like an ideal defense. However, the devil is in the details! We'll present the specially developed open-source utilities which demonstrate an example of how hackers can reconnect your card to their iPhone or make fraudulent payments directly on the victim's phone, even without a jailbreak.

     

The rise of security assistants over security audit services.


by: Yury Chemerkin
Mobile applications have not only become everyday things in our lives, but they have also become a part of XXI-century culture. Corporate IT and security professionals have the same needs as typical customers who manage personal information only. To understand security, users should keep in mind what happens with their OS, applications, and data, and divide risks into a vulnerability group and a privacy group. The first group refers to actions that break either the application or the OS. It is usually designed to rarely involve any user actions to break security mechanisms and get access to user data. The second group refers to privacy issues and describes cases when data is stored or transmitted insecurely. Developers ignore data protection until they face something or someone who makes them implement protection as it should have been designed. Developers' privacy policies describe how much every developer cares about data, protects everything and assures users that his app provides 100% guarantees. Many security companies develop their risky applications to show customers how well their data is protected. They use (or develop their own) automatic scanners to analyze application code and provide an auto-generated report. Anyway, none of them can clearly say which data items are protected and how bad that protection is. In other words, should a user worry about a non-protected HTTP connection if he does not know what data is transferred over it? Downloading news might be acceptable; transmitting device information, geolocation data and credentials over the network in plaintext is not acceptable. The same goes for an out-of-date OS. Is the previous version so bad that one should rush into an update or not? How many user data items were consumed by 3rd party services like Google/Flurry analytics? The last question is usually how much money user data is worth.
The cheapest software costs less than $50; the average one costs 10 times more, and forensics software costs from over a thousand dollars up to $20,000, which gives access to a thousand devices and a million data items. The saddest part of this story is the 'speed-to-market' idea that helps them grab data from a thousand improperly protected applications, especially if customers use the same data in more than one application and have at least one badly protected application. The more of the same data is shared between applications and the more applications you use, the higher the risk of data leakage customers eventually face. A new set of security challenges has already been raised. To answer this, we have been examining many applications to have the opportunity to make the results widely useful and available for IT and security professionals as well as non-technical customers, so that they stay informed about app insecurity. The goal is integrating and introducing security and data privacy compliance into mobile application development and management. It helps to educate customers with a useful security & privacy behavior mindset. Spreading information in different ways such as bulletins, an EMM integrated monitoring service, or simple reports is a way to solve insecurity issues and help reduce risks when using mobile applications.

     

Using R programming in Security Scenarios


by: Wilson Chua
R is a programming tool especially suited for machine learning. I’d like to showcase a couple of R scripts that can help the security professional in analyzing logs. I’d like to present how R can be used to rapidly add ASnum information to a large security log file. This enables sysads to quickly send abuse reports and shortens the feedback loop time.