Security Fest 2024
In the realm of Application Security, the journey from the 1960s to the present day is a story of remarkable evolution and progress. This keynote presentation aims to embark on an enlightening historical exploration, tracing the trajectory of the field from its nascent stages to its current sophistication.
The talk begins by setting the scene in the early 1960s, a time when application security was in its infancy. This era was marked by practices that would be deemed alarming today: plaintext password storage, lax password policies, inadequate access control measures, rudimentary or non-existent cryptography, and a host of other glaring security oversights. These practices, while standard for their time, laid the groundwork for the fundamental principles of application security.
As we journey through the decades, the presentation will highlight key milestones and turning points in the evolution of application security. This includes the emergence of more robust cryptographic techniques, the development of comprehensive password policies, and the implementation of advanced access control systems. Each of these developments represented a significant leap forward in securing applications and protecting sensitive data.
A pivotal aspect of this narrative is the role of the Open Web Application Security Project (OWASP). The talk will delve into how OWASP has been instrumental in shaping the field, offering insights into its contributions and the impact of its guidelines and resources on the global application security landscape.
Beyond the historical recount, this keynote also serves to inspire and energize those in the security industry. It's a field often mired in the relentless pursuit of addressing failures and vulnerabilities, a pursuit that can be intellectually and emotionally taxing. By offering a macroscopic view of the industry's evolution, the presentation aims to highlight the significant progress made and the positive trajectory we are on. It's a reminder that, despite the challenges, the field of application security has made tremendous strides and continues to advance in protecting the digital world.
This retrospective is not just an academic exercise; it's a beacon of hope and motivation for security professionals. It's a testament to the industry's resilience, adaptability, and relentless pursuit of a more secure digital environment. Attendees will leave not only with a richer understanding of the field's history but also with renewed vigor to continue pushing the boundaries of what is possible in application security.
As ESXi virtualization environments face an escalating onslaught of ransomware, this presentation draws on Truesec's experience from handling several incidents involving ESXi ransomware such as Akira, ALPHV and Trigona. The threat landscape has evolved: ESXi ransomware has become a staple tool for a wide range of threat actors. Topics of interest include, but are not limited to:
Threat Intelligence: An exploration of the evolving landscape of ESXi ransomware threats, insights into different strains, and the integration of ransomware as a standard tool for numerous threat actors. Additionally, a discussion on how the leaked source code from Babuk has reshaped the threat landscape.
Malware Analysis: In-depth examinations of ESXi ransomware strains, encompassing code analysis, behavioral patterns, and evasion techniques.
Incident Response: Case studies and lessons learned from real-world ESXi ransomware incidents.
Forensic Analysis: Insights into forensic methodologies tailored for ESXi ransomware investigations.
Protection: How can customers protect their VMware platforms against these attacks?
Insight into Exploitation: Explorations into the methods and vulnerabilities exploited by ransomware actors, with a specific emphasis on understanding attack vectors, exploitation techniques, and vulnerabilities within ESXi environments.
The presentation aims to contribute to the collective effort to fortify defenses and mitigate the impact of ESXi ransomware incidents, with a particular focus on enhancing threat intelligence capabilities.
While external assessments may pinpoint certain vulnerabilities, the specific details of misconfigurations, unique to each organization, can slip past even the most diligent administrators. During this session, I will stress the crucial importance of internal assessments, shedding light on commonly overlooked configurations that could be exploited by skilled adversaries.
To emphasize this, we'll showcase how custom PowerShell scripts and ldapsearch one-liners serve as our reliable tools in such an assessment.
So saddle up, put on your cowboy hat, holster those PowerShell scripts, and join me for a technical hoedown where we'll explore how to secure your Active Directory.
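As an added example (not the speaker's scripts, and written in Python rather than PowerShell so it runs offline), the script below checks a directory export for the kind of overlooked account settings an internal assessment hunts for: AS-REP roastable users, unconstrained delegation, "password not required", "password never expires" and Kerberoastable service accounts. Each check sits next to the ldapsearch filter that finds the same accounts on a live domain controller. The sample entries, the host name dc01.corp.local, the base DN and the bind account are constructed placeholders.

```python
"""Find commonly overlooked Active Directory account misconfigurations.

Added example, not the speaker's scripts. The entries below are constructed
to mimic what an ldapsearch or Get-ADUser query returns (sAMAccountName,
objectCategory, userAccountControl, servicePrincipalName); in a real
assessment they come from the domain controller instead.
"""

# userAccountControl bit flags as documented by Microsoft
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
DONT_EXPIRE_PASSWORD = 0x10000
TRUSTED_FOR_DELEGATION = 0x80000   # unconstrained Kerberos delegation
DONT_REQ_PREAUTH = 0x400000        # AS-REP roastable

# name -> (flag, person_only, ldapsearch filter that finds the same accounts on a live DC).
# 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND extensible match rule.
CHECKS = {
    "asreproastable": (DONT_REQ_PREAUTH, True,
        "(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=4194304))"),
    "unconstrained_delegation": (TRUSTED_FOR_DELEGATION, False,
        "(userAccountControl:1.2.840.113556.1.4.803:=524288)"),
    "password_not_required": (PASSWD_NOTREQD, True,
        "(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=32))"),
    "password_never_expires": (DONT_EXPIRE_PASSWORD, True,
        "(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=65536))"),
}
KERBEROASTABLE_FILTER = "(&(objectCategory=person)(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))"


def ldapsearch_one_liner(ldap_filter, host="dc01.corp.local", base_dn="DC=corp,DC=local",
                         bind_dn="assessor@corp.local"):
    """The ldapsearch command an assessor would run (host and DNs are placeholders)."""
    return (f'ldapsearch -x -H ldap://{host} -D "{bind_dn}" -W -b "{base_dn}" '
            f"'{ldap_filter}' sAMAccountName userAccountControl servicePrincipalName")


def assess(entries):
    """Return {check_name: [sAMAccountName, ...]} for enabled accounts matching each check."""
    findings = {name: [] for name in CHECKS}
    findings["kerberoastable"] = []
    for e in entries:
        name = e["sAMAccountName"]
        uac = int(e.get("userAccountControl", 0))
        is_person = e.get("objectCategory") == "person"
        if uac & ACCOUNTDISABLE:
            continue  # disabled accounts belong on a separate, lower-priority list
        for check, (flag, person_only, _) in CHECKS.items():
            if uac & flag and (is_person or not person_only):
                findings[check].append(name)
        # Kerberoastable: a user (not computer) account with an SPN, krbtgt excluded
        if is_person and e.get("servicePrincipalName") and name.lower() != "krbtgt":
            findings["kerberoastable"].append(name)
    return findings


# Constructed sample directory; 0x200 = NORMAL_ACCOUNT, 0x1000 = WORKSTATION_TRUST_ACCOUNT
SAMPLE_ENTRIES = [
    {"sAMAccountName": "j.doe", "objectCategory": "person", "userAccountControl": 0x200},
    {"sAMAccountName": "svc_backup", "objectCategory": "person",
     "userAccountControl": 0x200 | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH,
     "servicePrincipalName": ["backup/srv01.corp.local"]},
    {"sAMAccountName": "legacy_app", "objectCategory": "person",
     "userAccountControl": 0x200 | PASSWD_NOTREQD},
    {"sAMAccountName": "old_admin", "objectCategory": "person",
     "userAccountControl": 0x200 | ACCOUNTDISABLE | DONT_REQ_PREAUTH},
    {"sAMAccountName": "WEB01$", "objectCategory": "computer",
     "userAccountControl": 0x1000 | TRUSTED_FOR_DELEGATION,
     "servicePrincipalName": ["HTTP/web01.corp.local"]},
    {"sAMAccountName": "krbtgt", "objectCategory": "person",
     "userAccountControl": 0x200 | ACCOUNTDISABLE,
     "servicePrincipalName": ["kadmin/changepw"]},
]

if __name__ == "__main__":
    for check, accounts in assess(SAMPLE_ENTRIES).items():
        print(f"{check:25s} {accounts}")
    print(ldapsearch_one_liner(CHECKS["asreproastable"][2]))
    print(ldapsearch_one_liner(KERBEROASTABLE_FILTER))
```

The bitwise filters matter: a plain `(userAccountControl=4194304)` only matches accounts whose whole value equals that number, so the extensible-match rule is what makes the one-liners find accounts that carry the flag alongside others.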
As technology improves, attackers are getting better equipped day by day. For every new technology developed to secure cyberspace, attackers research attack vectors to penetrate it, and every now and then they succeed. Beyond the usual software attack vectors, attackers have started exploiting the hardware side of computing infrastructure, which has given rise to well-known attacks such as Meltdown, Spectre and Fansmitter. This paper presents yet another attack vector: it uses the temperature pattern of the CPU die as a transmission medium to leak data covertly, and then uses that channel to let containerized processes talk to each other. The paper covers the motivation behind the research, the design and analysis of the covert channel, the challenges involved, and possible countermeasures against it.
This research examines the convergence of telecom and hardware hacking, focusing on vehicular networks and the tools used to attack them. It reveals vulnerabilities in modern vehicular networks, covering covert telecom hacking techniques and the manipulation of connected vehicles, and dissects methods such as GPS spoofing and illicit base stations. Taking a black-hat perspective, the investigation not only identifies vulnerabilities but also exposes potential pathways for exploiting them, and the findings stress the immediate need for new countermeasures in current security protocols. Telecom enthusiasts and hardware hackers are invited to explore the landscape of vehicular cybersecurity: as the technology progresses, understanding these vulnerabilities becomes essential to anticipating how they will be abused and to redefining the boundaries of security for connected vehicles.
Threat actor tactics in a classic on-premises environment are well documented and understood. For example, extracting credentials from memory and then pass-the-hash is a common technique to move laterally in Windows. But how do threat actors move laterally between cloud workloads and compute instances? What are the common persistence techniques, and what are the high value targets we need to protect?
Alexander is Principal Forensic Consultant at Truesec and will, in this session, share his learnings from thousands of hours of enterprise forensics. You will learn how cloud tactics differ from on-premises ones and see the latest techniques used in real attacks against cloud infrastructure.
Everything is a subscription with a cost now. Nothing is cheap, either. The services that were supposed to help us out are turning out to be lots of overhead. How do you defend yourself without logs? How can you even tell you're getting attacked? The ancient ways still work! You can do practically anything an appliance or cloud service can do using plain old Linux. Want a typing indicator for a remote server? How about shielding an on-prem Exchange server from the internet, or making it completely invisible? What about monitoring logs across multiple servers, and then changing firewalls based on the entries? Trapping attackers inside of dancing ASCII art? It can all be done, and more, using the power of all the stuff under the hood of those expensive appliances people keep buying. You can do a lot with the right Linux command-line swordsmanship. Let me show you!
Explore the dynamic and ever-evolving landscape of artificial intelligence (AI) in the realm of cyber security, focusing on the intricate balance between offensive and defensive strategies. The digital era has ushered in an arms race between AI technologies, where the advancements in one domain fuel innovations in the other. We define and delineate offensive AI, exemplified by automated hacking, phishing, and social engineering, as tools that pose significant threats to digital security. In contrast, defensive AI, with its focus on automation in anomaly detection and predictive analytics, serves as a bulwark against these threats.
This discussion is not just about the technology but also about the broader implications, including the ethical considerations and the need for a robust defense mechanism to protect digital assets. Imagine techniques using video, images, and voice to impersonate individuals and influence the public. This is why Anna will also delve into real-world case studies, such as the success of Recorded Future's Intelligence Agent for Defenders, to illustrate the practical applications and impact of these AI technologies.
The talk aims to provide key takeaways on the importance of staying informed and actively engaged in the dialogue surrounding offensive and defensive AI applications. It's a call to action for continued vigilance and collaboration in the field of AI to ensure a secure and ethical digital future.
In a mobile-first world, user registration with only a phone number has become common, and the phone number has become the primary method of authentication thanks to its convenience and speed. These systems may or may not verify other details about the user, such as their email address, and typically also rely on Single Sign-On (SSO) identity providers.
This talk explores the potential issues that can arise when multiple systems are used for authentication, and how these can lead to vulnerabilities. We will touch upon how authentication and authorization bugs can originate from user registration and how this can lead to full account takeover, password stealing, and denial of service. The speaker will draw from their own experiences in identifying and addressing these vulnerabilities, providing valuable insights into this common issue.
Finally, the talk concludes by discussing potential solutions and stronger controls that can be implemented to prevent these issues from occurring.
Attendee Takeaways
* Security engineers will gain valuable experience in identifying and addressing authentication bugs, helping them to improve their skills in this area.
* Developers will be encouraged to think more broadly about potential edge cases and vulnerabilities in their applications, leading to stronger and more secure authentication and authorization controls.
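As an added example (not the speaker's code), the Python model below shows how the registration and SSO paths described above interact. A service registers users by phone number and accepts an optional, unverified email; it also accepts logins from an SSO identity provider. The account store, the claim names (`email` and `email_verified`, as in OpenID Connect) and the two scenarios (pre-account takeover and a lax identity provider) are constructed for illustration; the `Account`, `Store` and login functions are hypothetical.

```python
"""Account takeover through phone-number registration plus SSO e-mail linking.

Added example, not the speaker's code. Models a service that registers users
by phone (e-mail optional and unverified) and also links SSO logins by e-mail.
"""
from dataclasses import dataclass
from itertools import count
from typing import Optional


@dataclass
class Account:
    id: int
    phone: Optional[str] = None
    email: Optional[str] = None
    email_verified: bool = False
    password: Optional[str] = None   # kept in clear only because this is a toy store


class Store:
    def __init__(self):
        self.accounts = {}
        self._ids = count(1)

    def add(self, **fields):
        acct = Account(id=next(self._ids), **fields)
        self.accounts[acct.id] = acct
        return acct

    def register_with_phone(self, phone, email=None, password=None):
        # The phone is assumed verified by SMS OTP; the e-mail is stored as typed, unverified.
        return self.add(phone=phone, email=email, email_verified=False, password=password)

    def find_by_email(self, email, verified_only):
        for a in self.accounts.values():
            if a.email == email and (a.email_verified or not verified_only):
                return a
        return None


def vulnerable_sso_login(store, claims):
    """Links on e-mail alone: trusts the IdP claim and any stored (even unverified) e-mail."""
    acct = store.find_by_email(claims["email"], verified_only=False)
    if acct is None:
        acct = store.add(email=claims["email"], email_verified=True)
    return acct.id


def hardened_sso_login(store, claims):
    """Links only when both sides have proven ownership of the e-mail address."""
    if not claims.get("email_verified"):
        raise PermissionError("IdP did not verify the e-mail address; refusing to link")
    acct = store.find_by_email(claims["email"], verified_only=True)
    if acct is None:
        # An unverified e-mail on a phone-registered account is not a claim to this identity,
        # so the SSO user gets their own account instead of being merged into a stranger's.
        acct = store.add(email=claims["email"], email_verified=True)
    return acct.id


def pre_account_takeover(login):
    """Attacker registers by phone with the victim's e-mail before the victim ever signs up.
    Returns True if the victim's first SSO login lands in the attacker's account, where the
    attacker keeps access through the password and phone number they chose."""
    store = Store()
    attacker = store.register_with_phone("+46700000001", email="victim@example.com",
                                         password="attacker-chosen")
    victim_session = login(store, {"email": "victim@example.com", "email_verified": True})
    return victim_session == attacker.id


def unverified_idp_takeover(login):
    """Victim already has a phone account with a verified e-mail; the attacker logs in through
    an IdP that lets them assert that e-mail without verifying it. Returns the account id the
    attacker is logged into, or None if the login was refused."""
    store = Store()
    victim = store.register_with_phone("+46700000002", email="victim@example.com")
    victim.email_verified = True   # the victim clicked the verification link
    try:
        return login(store, {"email": "victim@example.com", "email_verified": False})
    except PermissionError:
        return None


if __name__ == "__main__":
    for name, login in (("vulnerable", vulnerable_sso_login), ("hardened", hardened_sso_login)):
        print(name, "pre-account takeover:", pre_account_takeover(login),
              "| unverified IdP lands in account:", unverified_idp_takeover(login))
```

The same rule that blocks the takeover also removes the denial-of-service angle: because an unverified email is never treated as a unique claim to an identity, an attacker cannot pre-register the victim's address to lock them out of signing up.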
Digital identity solutions are on the rise in many countries. Is your identity card stored on your mobile phone in a safe and secure manner? What risks do digital identity solutions pose, and how easily can criminals exploit them? What should you look out for when implementing and using the digital identity system deployed in your country?
During my talk I will:
• analyse security of digital ID systems based on Poland's latest digital ID solution,
• show how a digital ID system can be used to hijack your identity,
• showcase critical vulnerabilities in a system storing sensitive information of millions of Polish citizens,
• give tips on how to maintain security when implementing digital ID systems.
After this talk, the audience will understand the risks associated with national digital ID systems. They will also know what to look out for when using, implementing or testing such systems.
How to become an Incident Response Rockstar?
After hundreds of Incident Response cases, one lesson stands out: more data is not always better. Focusing on the most relevant forensic data can speed up an investigation dramatically. In this talk, we will discuss which event logs matter for tracking down the attackers' lateral movement paths, how to find planted (and seemingly legitimate) backdoors, and how to work smarter, not harder, which holds true in digital forensics too.
As a bonus, we will discuss less-known artifacts such as MPLogs (Microsoft Defender's MPLog files) and the RDP bitmap cache.
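As an added example (not the speaker's material), the Python script below reconstructs a lateral movement path from a handful of Windows event records of the kind the talk describes: 4624 logons with LogonType 3 (network) or 10 (RDP), correlated with 7045 (service installed) and 4698 (scheduled task created) on the destination host within a short window, and a separate pass that flags persistence binaries living in user-writable paths, the "seemingly legitimate backdoor" pattern. The event records, hostnames and IP-to-host inventory are constructed; the field names mirror a typical CSV export from Security.evtx and System.evtx but are assumptions.

```python
"""Reconstruct a lateral-movement path from Windows event records.

Added example, not the speaker's code. EVENTS and IP_TO_HOST are constructed;
in practice they come from an EVTX export and the asset inventory.
"""
from datetime import datetime, timedelta

# Source IPs seen in 4624 events mapped to hostnames (constructed inventory)
IP_TO_HOST = {"10.0.1.25": "WS01", "10.0.2.10": "FS01", "10.0.3.5": "DC01"}

# Constructed events; 4648 = explicit credentials on the source, 4624 = logon on the destination,
# 7045 = new service (PsExec-style), 4698 = scheduled task (persistence)
EVENTS = [
    {"time": "2024-05-20T09:01:10", "host": "WS01", "event_id": 4648, "user": "CORP\\admin1",
     "detail": "target server FS01"},
    {"time": "2024-05-20T09:01:12", "host": "FS01", "event_id": 4624, "user": "CORP\\admin1",
     "logon_type": 3, "src_ip": "10.0.1.25"},
    {"time": "2024-05-20T09:01:15", "host": "FS01", "event_id": 7045, "user": "CORP\\admin1",
     "detail": "PSEXESVC -> %SystemRoot%\\PSEXESVC.exe"},
    {"time": "2024-05-20T09:05:00", "host": "FS01", "event_id": 4624, "user": "FS01$",
     "logon_type": 3, "src_ip": "127.0.0.1"},   # local machine-account noise
    {"time": "2024-05-20T09:20:33", "host": "DC01", "event_id": 4624, "user": "CORP\\admin1",
     "logon_type": 10, "src_ip": "10.0.2.10"},
    {"time": "2024-05-20T09:22:00", "host": "DC01", "event_id": 4698, "user": "CORP\\admin1",
     "detail": "\\Microsoft\\Windows\\UpdateOrchestrator\\Health -> C:\\Users\\Public\\svchost.exe"},
    {"time": "2024-05-20T09:30:00", "host": "DC01", "event_id": 4624, "user": "CORP\\jdoe",
     "logon_type": 2, "src_ip": "-"},           # console logon, not lateral movement
]

FOLLOW_UP = {7045: "service installed", 4698: "scheduled task created"}
WINDOW = timedelta(minutes=5)
USER_WRITABLE = ("\\users\\public\\", "\\temp\\", "\\programdata\\", "\\appdata\\")


def _ts(event):
    return datetime.fromisoformat(event["time"])


def lateral_movement_path(events, ip_to_host, window=WINDOW):
    """Return ordered hops: remote logons (type 3/10) from a known host to another host,
    each annotated with persistence events by the same user on the destination within `window`."""
    events = sorted(events, key=_ts)
    hops = []
    for e in events:
        if e["event_id"] != 4624 or e.get("logon_type") not in (3, 10):
            continue
        src = ip_to_host.get(e.get("src_ip"))
        if src is None or src == e["host"]:
            continue   # loopback, unknown or local source: not a hop between hosts
        technique = "RDP" if e["logon_type"] == 10 else "network logon (SMB/RPC)"
        follow_ups = [
            f"{FOLLOW_UP[f['event_id']]}: {f.get('detail')}"
            for f in events
            if f["event_id"] in FOLLOW_UP and f["host"] == e["host"] and f["user"] == e["user"]
            and timedelta(0) <= _ts(f) - _ts(e) <= window
        ]
        hops.append({"time": e["time"], "src": src, "dst": e["host"], "user": e["user"],
                     "technique": technique, "follow_ups": follow_ups})
    return hops


def suspicious_persistence(events):
    """Flag services or scheduled tasks whose binary lives in a user-writable directory."""
    hits = []
    for e in events:
        if e["event_id"] in FOLLOW_UP:
            if any(p in e.get("detail", "").lower() for p in USER_WRITABLE):
                hits.append((e["host"], e["detail"]))
    return hits


if __name__ == "__main__":
    for hop in lateral_movement_path(EVENTS, IP_TO_HOST):
        print(f"{hop['time']} {hop['src']} -> {hop['dst']} as {hop['user']} via {hop['technique']}")
        for note in hop["follow_ups"]:
            print("    ", note)
    print("suspicious persistence:", suspicious_persistence(EVENTS))
```

Note what the PsExec-style service on FS01 does not trigger: its binary sits under %SystemRoot%, so only the path check on DC01 fires. A name like "svchost.exe" in C:\Users\Public is exactly the kind of planted, legitimate-looking artifact the path rule is meant to catch, while a service name alone would not.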
By attending this talk, participants will be better and more efficient Incident Responders as they can focus on key aspects of an investigation.
Let me take you on a journey as close to a zero-day exploit as you can get without being the one who actually found the vulnerability.
Let's take a closer look at a critical, real-world attack from this year affecting around 25 000 sites. Starting completely unauthenticated (anyone in the world), bad actors gain admin access to your website and your neighbour's website, and turn your servers into their Bitcoin miners through RCE (Remote Code Execution).
We do some serious, yet simple and easy-to-understand, hacking live on stage. I walk you through the steps involved in this attack and we try it out on a website of our own.
Your expensive firewall, premium hosting or strong password policy are not going to help against these attacks :/
So let's talk security, hacking, countermeasures that work and, you guessed it, disaster recovery!