List

Contents


Workshops

NFC/RFID Security & Privacy workshop

Bio: Philippe Teuwen

Philippe Teuwen is currently Security Researcher at NXP Semiconductors, dealing with various subjects such as Wi-Fi security, secure code execution, fault-injection, crypto, smartcards, RFID, NFC, etc

Radare2, a Concrete Alternative to IDA - workshop

During this workshop, we will present radare2, the reverse engineering framework in a practical way.

Bio: Julien Voisin

Julien Voisin is a computer science student. He is a C/Python programmer who enjoys privacy, reverse-engineering and software security/exploitation. As a Free Software enthusiast, he contributes to several projects, like Radare2,libotr,Tails... He might also be looking for an internship ;)

Bio: Anton Kochkov

Anton Kochkov is a reverse engineer and a lead developer in SecurityCode Ltd. Core member of coreboot, droid-developers/MILEDROPEDIA and MEre projects. His main interest - is a research of the early booting stages of computers (including embedded and mobile ones) and various firmwares, commonly ‘hidden’ from the eye.

Bio: Maxime Morin

Maxime Morin is the freshly new team leader of Malware.lu CERT, the first private CERT (Computer Emergency Response Team) in Luxembourg. He is fighting against the intentional blur in the industry and against meaningless terminology unfortunately used too often and widely. This struggle also involves a better understanding of the world of IT security and a better vulgarisation of the Science in General. During his studies he founded the first hackerspace in the Franche-Comté region, located in Belfort, France: HackGyver. It allows exchanges and cooperation between enthusiasts as well as the appropriation of technologies by many people interested in the field of IT security.

Workshop DFIR and Open Source

We'll simulate a drive-by-download attack on url. The goal of this workshop is to understand the compromission and which data are targeted

  • Collect artefacts with FastResponder (http://github.com/sekoialab/FastResponder)
    • Explain how the tools is used
    • Details all artefacts, utilities and which interesting informations to detect compromission
  • Collect PE,DLL,DOC,PDF etc.. and explain which informations and which db used to detect malware
  • Dump and Analyse Memory with Rekall and Volatility
    • Dump memory with winpmem and analyse the filedump
    • Load winpmem and use recall to analyse the memory directly
    • Analyse the results of volatility or recall to detect compromission
  • Make a timeline of each computers
    • Explains the timeline utility
  • Use ElasticSearch/Kibana/Logstash to understand the compromission
    • use ELK to facilitate search and analyse
  • Acquisition of disks:
    • using ewf format to acquire the disk
    • ewfmount
  • Extract MFT
  • Using Plaso (http://plaso.kiddaland.net/) to make a timeline of each disks
  • Make a timeline with ELK
  • Using DFF (http://www.digitalforensic.org/en/) to automatize tasks and researches
    • mount virtually the disk

Bio: Frédéric Baguelin

Frédéric Baguelin is core developer of the Open Souce project Digital Forensics Framework (www.digital-forensic.org). Directly after finishing his studies in computer science he decided with three smart dudes to create ArxSys. His everyday life consists of reading hexa, writing Python and C++ and developing trainings around forensics and open source tools. He is convinced that free and Open Source software culture is a chance to make rapid innovation and contribute to spread knowledge for future generations. He is also always available to troll while drinking good beers.

Bio: Sébastien Larinier

Sébastien Larinier currently is Senior Researcher and CTO at the CERT Sekoia located in Paris, member honeyproject chapter France and co organizer of botconf.

Sébastien focused his work for the last 5 years on botnet hunting, early compromission detection, forensic and incident response. Python addict he supports different opensource projects like FastResponder, OSINT Framework,Malcom.

Sebastien Larinier - @sebdraven

BetterCrypto Workshop: A Guide for SysAdmins

The BetterCrypto Project started out in the fall of 2013 as a collaborative community effort by systems engineers, security engineers, developers and cryptographers to build up a sound set of recommendations for strong cryptography and privacy enhancing technologies catered towards the operations community in the face of overarching wiretapping and data-mining by nation-state actors. The project has since evolved with a lot of positive feedback from the open source and operations community in general with input from various browser vendors, linux distribution security teams and researchers.

This workshop will give a concise guide on how to properly deploy networked services in a secure fashion that is applicable today. We will also give an update on the project as well as new development on the front of cryptography, attacks and TLS protocol standardization.

In addition, the workshop will touch on the basics of cryptography. However, this part can only give a gentle intro and a historical view on cryptography.


Bio: David Durvaux

David Durvaux was one of the few people that join Aaron & Aaron in their project of writing BetterCrypto.  His background is now mostly focussed on incident response.  He is a big fan of *nix systems and open-source tools.

Bio: Aaron Kaplan

Bio: Aaron Zauner

Self employed engineer for large scale infrastructure, HPC and information security. did front and backend development in the past, spent a lot of time in data centers and auditing code/networks and systems. http://azet.org


Workshop - Elasticsearch for incident handlers and forensic analysts

Incident handlers and forensic analysts are all confronted with the same problem: Finding a needle in a haystack, without knowing what the needle looks like.

It doesn't really matter if this haystack is made out of proxy logs, email logs, timelines, dns logs, ids, ... But what matters are the techniques we use to look at this data and find quickly what we are looking for.

In this workshop we will tackle these problems with a combination of three tools: Elasticsearch, Logstash and Kibana. This trio known as ELK has grown immensely in popularity since the creation of the company in 2012. It is attracting users from the leaders like Splunk, ArcSight, ELSA and co. Together they provide a very powerful blazing-fast open source data analytics tool. Real-time or completely offline. In a single node, in a cluster or in a distributed architecture.

This workshop is highly recommended if you want to work faster with and get more out of things like: mactime, proxy logs, supertimeline, mail logs, (passive)dns logs, firewall logs, syslog, ...

The goal of this workshop is to guide you in the first steps with ELK so that you don't loose time learning it by yourself. After this workshop you will: - be able to install your own ELK (single or multi-node) - have a ELK virtual machine you can play with immediately - have a copy of readymade dashboards and configurations for various log-formats - be able to write your own import filters for the formats you encounter - be able to create your own graphical views in Kibana and visualise your logs - enrich your logs with additional value from geoip, field-extraction, user-agent extraction, ... - probably immediately search for unused servers to build your own ELK cluster at work

If you have an idea of a (forensic) file/log-format that you'd like to be able to parse feel free to contact me at christophe@vandeplas.com and we'll see what can be done.

Requirements: - Computer to boot the OVF virtual computer (VMWare, VirtualBox, ...)

Bio: Christophe Vandeplas

Christophe Vandeplas is an incident handler and malware analyst in the Belgian Defence CERT. He focuses on network forensics, malware reverse engineering as well as computer forensics. His main contributions to the community were the creation of MISP, pystemon and the organisation of the FOSDEM conference for many years.


Workshop (ENISA): Mobile threats incident handling and Identifying and handling electronic evidence

During the first session “Mobile threats incident handling “ participants will be presented how to conduct biopsy on malicious mobile applications and how cyber criminals are creating profit in mobile environment. As workshop is conducted using open source and free tools participants can follow the steps on their computers.

During the second part “Identifying and handling electronic evidence” trainers will present one option on how to build artifact analysis environment using free tools, and additionally participants can see and try the power of memory forensics.

We will be providing VMs on removable media on-site, in order to support the hands-on sessions, so participants should have:

  • Application to run Virtual Images, such as VirtualBox or similar software.
  • The laptop should preferably have at least 4 G of RAM, capable processor (i5 or i7), and more than 20 GB of free HD space.


Bio: Cosmin Ciobanu

Cosmin Ciobanu is currently working as an expert in network and information security and information security officer at ENISA. Before ENISA he worked for the IT Security Dep. of national ISP in Romania as an IT Security engineer. Most of his work so far has been related to network security, pen-testing & vulnerability assessment, detection & prevention of cyber-attacks.

Bio: Yonas Leguesse

Yonas Leguesse is an Expert in Network and Information Security at ENISA. His main interests are: Android reverse-engineering, Android and web development. He is also a home automation hobbyist.

Bio: Lauri Palkmets

Lauri Palkmets is an expert in network and information security at ENISA. He has been active in the area of training and exercises for a while, and his main interests are artifact analysis and incident response. Before joining the agency he was working for Estonian Defence Forces as head of Cyber Incident Response Capability

Workshop: Memory Forensics for Cisco IOS

Memory forensics is the next step the forensic community has taken. In this workshop, you can learn memory forensics for Cisco IOS. Learn how to use the Network Appliance Forensic Toolkit with a real Cisco IOS router. There are ten routers for attendees of this workshop. Come early to secure your spot on a router. You'll need a laptop to connect to the router (serial console and Ethernet).

NAFT Project: http://blog.didierstevens.com/programs/network-appliance-forensic-toolkit/ Video: https://www.youtube.com/watch?v=-MEnKSeRMy4 Article: http://www.issa.org/resource/resmgr/journalpdfs/feature1212.pdf


Bio: Didier Stevens

Didier Stevens (Security Consultant, Didier Stevens Labs, Contraste Europe NV) is an IT security professional well known for his security and forensic tools, like the Network Appliance Forensic Toolkit (NAFT).

Didier holds many IT certifications and is an MVP Security. You can find his tools on his security blog http://blog.DidierStevens.com

Bio: Xavier Mertens

Xavier Mertens is an independent security consultant. His job focuses mainly on protecting his customer's resources by applying "offensive" (pentesting) as well as "defensive" security (log management, SIEM, security visualisation). In parallel to his daily job, Xavier maintains his security blog (blog.rootshell.be), is a BruCON (www.brucon.org) co-organizer and offers some spare time and resources to initiatives like the EuroTrashSecurity (www.eurotrashsecurity.eu) podcast.

Likedin: http://www.linkedin.com/in/xmertens Twitter: https://twitter.com/xme

Workshop: Quarkslab team, IRMA – An Open Source Incident Response & Malware Analysis Platform

IRMA (http://irma.quarkslab.com) is an open-source asynchronous system aiming at helping analyze suspicious files.

We all know that anti-virus (AV) are a failure: if someone is basing his security on this one product, failure is sure. Despite that, everyone also considers AV are also needed to detect the generic attack vectors. A not new idea is to use several AV engines. Due to costs and performance constraints, one host cannot run tons of AV. So, several solutions have appeared lately to provide a central place where suspicious files can be tested towards major AV engines. However, testing suspicious files is only a first step. When one will detect such a file, he might want to apply different analysis, like running it in a sandbox for instance, or statically analyzing the file which requires first to unpack it most of the time. In this lab, we will:

  • Recall our major motivations to build such a system,
  • Present the overall architecture of IRMA which has been designed as a 3 part system,
  • Guide you to setup your own system, running in virtual machines, in less than 30 minutes,
  • Develop together a new analyser and include it to your own IRMA setup,
  • Discuss the mechanics under the hood for people willing to contribute to or to reuse this project.


Requirements:

  • git
  • Vagrant version 1.5 or higher

( VirtualBox Virtual Machine Manager, as it is used by default by Vagrant ( see https://www.vagrantup.com/downloads.html )

Bio: Guillaume Dedrie

Guillaume Dedrie is a software developer, specialised in frontend development. He likes to automate everything and try to evangelize firms around the world with the emerging DevOps culture. If you're looking for him, you'll probably find him in a Paris Meetup.

Bio: Alexandre Quint

Alexandre Quint is a software developer. He was previously involved in the IPS module development at Stormshield, worked for the French government as both security and software engineer, and started his career as card security engineer at Gemalto.

Talks

Marion Marschalek - Keynote about "TS/NOFORN Talk"

“Ready are you? What know you of ready? For eight hundred years have I trained Jedi. My own counsel will I keep on who is to be trained. A Jedi must have the deepest commitment, the most serious mind. This one, a long time have I watched. All his life has he looked away… to the future, to the horizon. Never his mind on where he was. …Hmm? On what he was doing.”

Digital Jedi's eight hundred years are yet to come; but what would Yoda say today if he could see us?


Bio: Marion Marschalek

Marion Marschalek works as reverse engineer and threat researcher for Cyphort Inc. She has written articles for C't magazine and Virus Bulletin. Marion is a frequent speaker at international conferences including Defcon Las Vegas, RSA San Francisco and POC Seoul. In March 2013 she won Halvar Flake's Female Reverse Engineering Challenge.

Jeremy Brown/David Seidman - Microsoft Vulnerability Research: How to be a Finder as a Vendor

Here at Microsoft, our people often find security issues in other vendors’ products, fueling the need for a coordinated approach to working with those vendors to get those bugs fixed. Microsoft Vulnerability Research (MSVR) was created to help ensure that our company demonstrates the same management, in the role of a finder, that we’d like to see from other companies and researchers when reporting vulnerabilities. This presentation will cover the creation of MSVR, including an in-depth look at our processes, and how your company can have a centralized program to do the same. We’ll finish things off with a technical run through of some of the vulnerabilities our finders have discovered and reported through MSVR, showing you what is was like working with vendors to get them fixed advisories released thereafter.

Bio: Jeremy Brown

Jeremy Brown is a developer / security researcher at Microsoft. He started off there with the Malware Protection Center, reversing patches, analyzing malware and exploits in the wild, before then moving on to Windows Security to make the next version of Windows even more secure than the last. His interests include things like kernel security, static code and binary analysis, fuzzing, vulnerability coordination and disclosure as well as bug hunting techniques.

Bio: David Seidman

David Seidman is a Senior Security Program Manager Lead on the Microsoft Security Response Center team, where he manages Microsoft's response to normal and high-priority security incidents such as active attacks using an unpatched vulnerability. Prior to working at the MSRC, David managed development of Microsoft Office security updates and service packs. He holds a Bachelor's degree in Computer Science and a Master's in Cognitive and Neural Systems from Boston University. When not putting out fires on the internet, David enjoys triathlon, mountain climbing, Brazilian jiu jitsu and brewing his own beer.​


Jordan Bouyat - USB Fuzzing : approaches and tools

Few work has been published on vulnerability research in USB hosts or devices. As a consequence, a handful of tools exists for fuzzing USB (Frisbee Lite, Umap, etc.) and some of them are now outdated. This talk presents the USB protocol, a state-of-the-art of existing techniques, giving feedbacks on them. We also describe the tool we developed upon Umap and the architecture we set up to perform fuzzing on USB 2 host stacks.

Bio: Jordan Bouyat

Jordan Bouyat is an IT security student who is currently doing his MSc internship at Quarkslab. He is following the Cryptis Master of Science at Limoges University in France.


Claudio Guarnieri - Embrace the Viper and live happy

If you have been working on researching malware attacks long enough, you probably developed as I did an increasing frustration while trying to manage your collections of samples. You probably devised a more or less coherent structure of text files, folders and subfolders. Even more probably you lost or forgot many of your samples along the way. However what goes even beyond pure frustration is trying to make a sense out of the infinite amount of scripts that you found yourself using over the time to do your work: Python, Ruby, Bash scripts written by all sorts of people, in all sorts of formats producing all sorts of outputs and scattered all over the Internet. It's a disaster. About a dozen years ago our exploit developer and pentester friends figured they had similar problems and came up with all the popular exploitation frameworks that we're all still using today.

Following their noble tradition I created a tool called Viper, a modular binary management and analysis framework that allows you to easily organize your malware repository and provides you a unified solution to create, collect and execute analysis modules of different kinds. In this presentation we'll walk through Viper's ins and outs and afterwards you'll be able to reorganize your stuff and sleep well at night again.

Bio: Claudio Guarnieri

Claudio is a hacker and an independent security researcher. In the past he worked as malware analyst and later as a researcher in Rapid7 Labs. He is a core member of The Shadowserver Foundation and of The Honeynet Project.

He's an open source developer and created Cuckoo Sandbox, a prominent malware analysis system, Viper and runs the Malwr.com service.

Claudio is also a dedicated advocate for civil rights. He co-authored many of the publications on FinFisher, Hacking Team and other surveillance providers with CitizenLab and sits in the Investment Committee of the Digital Defenders Partnership.

His research on malware and espionage has been covered by the likes of The New York Times, Washington Post, Wired and many more. He presented at security and privacy conferences worldwide, including BlackHat, Hack In The Box and the Chaos Communication Congress.


Xeno Kovah, Corey Kallenberg, John Butterworth, Sam Cornwell - SENTER Sandman: Using Intel TXT to Attack BIOSes

At CanSecWest 2014 we presented the first prototype of Copernicus 2, a trustworthy BIOS capture system. It was undertaken specifically to combat our “Smite’em the Stealthy” PoC which can forge the BIOS collection results from all other systems (including our own Copernicus 1, the open source Flashrom, Intel Chipsec, etc). Copernicus 2 makes use of the open source Flicker project from Jon McCune of CMU which utilizes Intel Trusted Execution Technology in order to build a trustworthy environment from which to run our BIOS measurement code. We specifically chose TXT because it has the ability to disable System Management Interrupts (SMIs) effectively putting the SMM MitM, Smite’em, to sleep.

But if you’ve been following our work (specifically “Defeating Signed BIOS Enforcement” and “Setup for Failure: Defeating UEFI SecureBoot”) you will have seen that we have two other attacks where we leverage the ability to suppress SMIs to break into some BIOSes. Thus the Sandman cometh! We will explain how we could implement the PoC Sandman attack using the same infrastructure as Copernicus 2. We will also explain what can be done against this kind of attack, and how the latest Copernicus 2 attempts to prevent opening the door to the Sandman. We will also cover how Copernicus 1 and 2 can check for the problems with BIOSes that make SMI-suppression attacks feasible, how to tell if you’re vulnerable, and what you may be able to do about it.

Corey Kallenberg, Xeno Kovah, John Butterworth, Sam Cornwell - Extreme Privilege Escalation On Windows 8/UEFI Systems

The UEFI specification has more tightly coupled the bonds of the operating system and the platform firmware by providing the well-defined “Runtime Service” interface between the operating system and the firmware. This interface is more expansive than the interface that existed in the days of conventional BIOS, which has inadvertently increased the attack surface against the platform firmware. Furthermore, Windows 8 has introduced an API that allows accessing this UEFI interface from a privileged userland process. Vulnerabilities in this interface can potentially allow a privileged userland process to escalate its privileges from ring 3 all the way up to that of the platform firmware, which attains permanent control of the very-powerful System Management Mode. This paper discusses two such vulnerabilities that the authors discovered in the UEFI open source reference implementation and the techniques that were used to exploit them.


Bio: Xeno Kovah

Xeno Kovah leads a team of 5 researchers focusing on low level PC firmware and BIOS security. His specialty area is stealth malware and its ability to hide from security software and force security software to lie and report the system is clean when it is not. To combat such attacks he researches trusted computing systems that can provide much stronger guarantees than normal COTS. He is also the founder and lead contributor to OpenSecurityTraining.info, where he has posted 8 days of material on x86 assembly, architecture, binary formats, and rootkits. His next class will be on Intel TXT.


Amihai Neiderman - How I hacked my city

This is a in depth walkthrough on how I managed to get from an IP address in my city's public WIFI into taking over the network exit nodes. During the course of May this year I conducted a research of an unknown device. In the beginning I only had an IP of the WAN part and an open port. From there I had to find ways to identify the product I was seeing and eventually successfully exploiting it and by that effectively taking over the network.

Bio: Amihai Neiderman

Amihai Neiderman is an independent security researcher from Israel. He specializes in Malware reverse engineering and in vulnerability research.


Anamika Singh - WiHawk - Router Vulnerability Scanner

The elements that play a major role in today’s network architecture are router, gateway, switch, hub, access point etc. In a typical network, wireless or wired router is the key element responsible for connecting the LAN to the internet. A router can be connected to two or more data lines from different network which play the important role of forwarding data packets within computer networks. Security measures at each and every component in network are imperative and there has been significant development in last decade to make networks even more secure. While powerful security rules have been implied at different components of network, router has been one such sensitive and essential element in network which is still poorly configured by companies. They can be compromised by attackers to gain unauthorized access to the private network and can lead to malicious activities like following:

1. An attacker could configure the router to use a malicious DNS (Domain Name System) server, which can then lead to redirection of users to malicious websites. 2. An attacker can set up port forwarding rules to expose internal network services to the Internet. Vulnerabilities in the management interfaces of wireless routers, vulnerabilities in protocols, inconsistencies in router software and weak authentication can expose the device to remote attacks and thus can be compromised by attackers. These issues had been raised by researchers in late 2012 but even if companies provide patches to upgrade management interface and inconsistencies in router software, these vulnerabilities are unlikely to go away soon because many users never update their routers and other embedded systems. Due to above said vulnerabilities there are different types of attacks possible on routers which have been identified: 1. DDos Attack 2. CSRF 3. Brute Force 4. Buffer Overflow 5. Authentication BYpass 6. ROM-0 Attack . In a wireless network there are thousands of Wi-Fi routers which are configured with default user name and passwords, which make them vulnerable to security breaches.

All we can do to find above mentioned vulnerability, scan your router manually and find if your router has any vulnerability mentioned above, But for a non-technical person it’s hard to find out if router is vulnerable or not, this is major reason millions of routers are left open to vulnerabilities and on top of it Vendors doesn’t provide patches for found vulnerability at same time. Now finding these vulnerabilities and making sure that the router in use is not vulnerable to any of the mentioned vulnerabilities is not easy and so far we didn’t have any tool which will prompt you before being victim of attack that your router is vulnerable to any of the above mentioned attack.

WiHawk is an open source tool for auditing IP addresses to sniff out Wireless routers which are configured with default admin passwords and find out the routers which are vulnerable to Bypass Authentication, Cross Site Request Forgery, Buffer Overflow and FTP Authentication Bypass. The tool can be used to identify following types of security vulnerabilities in provided IPs:

a) Authentication Bypass b) Routers configured with default username/passwords c) ROM-0 attack d) Backdoor Vulnerability

Bio: Anamika Singh

Anamika Singh is Product Security Analyst at Ironwasp Information Security Solutions Private Ltd. She has a keen interest in Application Security. After having 2 years of experience in companies like PayPal and Cognizant Technologies as a Software engineer, she left to pursue her interest in the Application Security domain. She started using Python to convert her security ideas to working tools. She is the author of WiHawk, the Wifi Router Vulnerability Scanner. She is an active member of null Chennai chapter. She was a speakers at nullcon, HITB/Haxpo Amsterdam Defcon Kerala 2014 and HITB/Haxpo Amsterdam. She was also invited to speak at Defcon Las Vegas, Bsides Vegas 2014.


Francisco Falcon - Breaking Out of VirtualBox through 3D Acceleration

Oracle VirtualBox is a popular virtualization software which provides -among many other features- 3D Acceleration for guest machines through its Guest Additions. This feature allows guest machines to use the host machine's GPU to render 3D graphics based on then OpenGL or Direct3D APIs. Being a complex piece of software, the 3D Acceleration code -which runs in the context of the VirtualBox hypervisor- opens the door to security problems.

During this presentation we will show how a program running inside a VirtualBox guest OS can exploit memory corruption vulnerabilities located in the code that implements 3D Acceleration for OpenGL in order to break out of the VM and execute arbitrary code on the host OS.

We will start the presentation by taking a look at the Guest/Host communication mechanism, and discussing how VirtualBox implements hardware-based 3D acceleration for OpenGL graphics. Then we'll be ready to uncover three memory corruption vulnerabilities (CVE-2014-0981,CVE-2014-0982 and CVE-2014-0983, all of them discovered during this research) which can be triggered from within the guest OS in order to corrupt the memory of the VirtualBox hypervisor process running on the host OS; finally we will focus on the exploitation phase, discussing how to leverage these vulnerabilities to create an information leak that will allow the guest to read arbitrary memory from the hypervisor (thus allowing to bypass ASLR), and how to hijack the execution flow, ultimately leading us to escape from the virtual machine and gain arbitrary code execution on the host machine.

The talk will finish with a live demo of the Guest-to-Host escape, in which a program running inside a virtual machine will break out of the VM, bypassing protections like ASLR and DEP on the host OS.


Bio: Francisco Falcon

Francisco Falcon is a Senior exploit writer at Core Security. He has been doing reverse engineering since 2004. He has published security advisories detailing vulnerabilities in software products from IBM, Oracle, Novell, Google and SAP. He is interested in reverse engineering, programming, vulnerability research and exploitation. Also, he has been a speaker at REcon 2012, Ekoparty 2013, Hack.Lu 2013 and REcon 2014.


Sebastian Garcia - Botnets Behavioral Patterns in the Network. Analysis, Monitoring, Detection and Blocking

We present a behavioral-based network traffic model and free software tool that can detect and stop botnet traffic by identifying specific malicious behaviors. Most of the current Antivirus, IDS and IPS systems still use fingerprint knowledge, predefined rules, statical features and blacklists to detect the malware in the network. While still useful and fast, these technologies do not have the power to recognize the behaviors in the network and therefore can not give the users a semantic, high-level technology to detect botnet traffic. Our model of traffic behavior is independent of the payload and IP addresses and is only based on three features of the network flows. To create our model we analyzed dozens of monthlong botnet captures in our Malware Capture Facility Project and we extracted the inherent characteristics of their time-based behaviors. Our Markov Chains-based detection method was compared and verified in real captures with normal, botnet and unknown data.

Using our method we developed a PoC tool that can create new models of known malicious actions, visualize them and then detect similar traffic in the network by generalizing these models. Based on the results, we believe that this tool can greatly help improve and protect users from sophisticated attacks.

Bio: Sebastian Garcia

"Sebastian is a hacker researcher and teacher. He is now finishing his PhD on the detection of botnets/malware by analyzing their traffic and creating behavioral models of their actions. He likes to analyze network patterns with machine learning tools, specially on malware and botnet traffic. He is part of the UNICEN University in Argentina (ISISTAN-CONICET) and a researcher in the ATG group of Czech Technical University in Prague.

He believes that free software machine learning tools can help better protect users.

He has been teaching in several countries and Universities and working on penetration testing for both corporations and governments. As a co-founder of the MatesLab hackspace he is a free software advocate that worked on honeypots, malware detection, keystroke dynamics, bluetooth analysis, privacy protection, intruder detection, robotics and biohacking.

In the CTU University he is managing the Malware Capture Facility Project where they are capturing long-lived botnets and freely publishing real and labeled datasets.

@eldracote https://www.researchgate.net/profile/Sebastian_Garcia6 http://mcfp.felk.cvut.cz/


Shahar Tal - I hunt TR-069 admins - pwning ISPs like a boss

Residential gateway (/SOHO router) exploitation is a rising trend in the security landscape - ever so often do we hear of yet another vulnerable device, with the occasional campaign targeted against specific versions of devices through independent scanning or Shodan dorking. We shine a bright light on TR-069/CWMP, the previously under-researched, de-facto CPE device management protocol, and specifically target ACS (Auto Configuration Server) software, whose pwnage can have devastating effects on critical amounts of users. These servers are, by design, in complete control of entire fleets of consumer premises devices, intended for use by ISPs and Telco providers. or nation-state adversaries, of course (sorry NSA, we know it was a cool attack vector with the best research-hours-to-mass-pwnage ratio). We investigate several TR-069 ACS platforms, and demonstrate multiple instances of poorly secured deployments, where we could have gained control over hundreds of thousands of devices.

Bio: Shahar Tal

Shahar Tal leads a team of vulnerability researchers at Check Point Software Technologies. Prior to joining Check Point, Shahar held leadership roles in the Israel Defense Force (IDF), where he was trained and served as an officer in elite technology R&D units. Shahar (that’s Major Tal, for you) brings over ten years of experience in his game, eager to speak and share in public domain. Shahar is a proud father, husband and a security geek who still can’t believe he’s getting paid to travel to awesome infosec cons. When you meet him, ask him to show you his hexdump tattoo.


Eric Leblond, Paul Rascagnères - D&D of malware with exotic C&C

Description & Detection of malware with exotic Command & Control: to be managed by its operators, a malware needs to contact Command & Control (C&C). The C&C can be used to give order to the infected machine, can be used to receive ex-filtrated documents... This talk will present exotic communication channels and how to detect the flow thanks to the famous open source IDS Suricata.

Bio: Paul Rascagnères

Paul Rascagnères is a malware analyst for the G Data SecurityLabs. He is specialized in Advanced Persistant Threat (APT) and incident response. He worked on several complex cases such as government linked malware or rootkits’ analysis. He is a worldwide speaker at several security events.

Bio: Eric Leblond

Eric Leblond is co-founder of Stamus Networks a company providing Suricata based appliances. He is also a Free Software and Security hacker. He has started as lead developer the NuFW project which objective was to establish a safer and stricter way to do identity based filtering on network firewall. In 2004, he co-founded a company to promote the project and was the CTO till 2011. He's also a member of Netfilter coreteam. He is maintainer of ulogd2, the Netfilter's userspace logging daemon. He has started working on the development of IDS/IPS Suricata in 2009.


Paul Jung - Bypassing Sandboxes for fun… Profit will be realized by sandbox vendors.

Nowadays malware sandboxes are commonly used by malware researchers. Sandboxes have also find they place commercially as a new security device. Not surprisingly, As was firewall in the 90’, IPS in early 2K and Web applications firewall recently, they are presented as a new silver bullet security device in the threat detection arsenal of vendors.Even if it could be very helpful in some cases. It’s not as perfect as vendors claims. Since all protections are subject to countermeasures, bypassing sandbox detection is now a feature commonly seen in malwares and droppers samples.

As personal hobby I had studied how malware try to bypass sanboxes. I have alsofound other tricks to bypass some of them. We will see common sandboxes detection tricks used in the wild by malware’s dropper.

Bio: Paul Jung

Paul Jung is since a long time a security enthusiast. He works in the security field in Luxembourg since more than a decade. These last 6 years, he has worked as a security architect in the network team of the European Commission.He also wrote a few articles in MISC Mag about DDos and related Botnets. Now He work as security consultant at Excellium Services CERT.


Fyodor Yarochkin, Vladimir Kropotov - Detecting bleeding edge malware: a practical report

This is a practical report on building infrastructure and aiming at detection of on-going, '0day' (0-known) malware campaigns through monitoring of network DNS traffic, HTTP traffic and cross-correlation with publically available information.

In this presentation the team will demonstrate methodology, tools and walk through several case studies of practical detection experience covering regional specifics of threat detection in Russia (former USSR region) and Asia-Pacific (Taiwan). The presenters will discuss application of machine learning algorithms and demonstrate those, which proved to be effective in applied threat detection.

Tools released: A framework for passive DNS analysis and HTTP traffic analysis will be released.

Bio: Fyodor Yarochkin, Vladimir Kropotov

Fyodor Yarochkin (chroot, o0o.nu) is a Security Researcher at Academia Sinica/Taiwan. He is a happy programmer and AI hobbyist in his free time. He is also a major contributor to Open Source security tools (snort, xprobe, etc). Fyodor has extensive experience in forensic analysis of malicious software, computer crime incidents, and intrusion detection. With his recent interest in large-scale computing he has access to terabytes of interesting data at hand.

Vladimir Kropotov is an independent security researcher. His main interests lie in network traffic analysis, incident response, botnet investigations, and cybercrime. He is a frequent speaker at a number of conferences including HITB, CARO, PhDays and ZeroNights.


Saumil Shah - Hacking with Images - Evil Pictures

This talk is put together with bits and pieces of my research in advanced exploit delivery mechanisms. What you see on your browser may not always be a pretty picture. In this talk, we explore how images can be used as active exploits. By shifting evil payloads to images, it is possible to defeat even the most sophisticated systems of threat detection. We shall see how exploits can be encoded in image pixels, executing Javascript through images, and lastly how vector images are being used in browser heap memory manipulation.

Bio: Saumil Shah

Saumil Shah is the founder and CEO of Net-Square, providing cutting edge information security services to clients around the globe. Saumil is an internationally recognized speaker and instructor, having regularly presented at awesome conferences like Deepsec, Blackhat, RSA, CanSecWest, PacSec, EUSecWest, Hack.lu, Hack-in-the-box and others. He has authored two books titled "Web Hacking: Attacks and Defense" and "The Anti-Virus Book".

Saumil graduated with an M.S. in Computer Science from Purdue University, USA and a B.E. in Computer Engineering from Gujarat University. He spends his leisure time breaking software, flying kites, travelling around the world and taking pictures.


Attila Marosi - Inside spying - Stripping the controversial FinFisher application for Android phones

Most possibly there is no need to make a long introduction when speaking about the famous FinSpy application, a product of the company FinFisher from Gamma Group. The large amount - 40 Gb - of data downloaded illegally gives matter to easy chat and make serious concern for every part of the professionally, politically or even those superficially interested only. I'm intended to deliver you details of my research made on one of the stolen codes, made for Android phones. When having learned its structure we'll try to bring it to life in order to test it' abilities. As a result of the analysis we will be able to create a well-crafted SMS which is able to disclose the exists of the tool on a device. Furthermore, with this technique we will be able to hijack the tool and we would gain full access on the device - thus we may have a law-enforcement tool to spy for us. No need to say it's not a common application we are used to see everywhere. The technical solutions are quite interesting.

Bio: Attila Marosi

Attila Marosi has always been working in information security field since he started in IT. As a lieutenant of active duty he worked for almost a decade on special information security tasks occurring within the Special Service for National Security. Later he was transferred to the newly established GovCERT-Hungary, which is an additional national level in the internationally known system of CERT offices. Now he works for the SophosLab as a Senior Threat Researcher.

Attila has several international certificates such as CEH, ECSA, OSCP, OSCE. During his free time he is reading lections and does some teaching on different levels; on the top of them for white hat hackers. He presented on many security conferences including Hacker Halted, DeepSEC, AusCERT, Troopers, and Ethical Hacking.


Dominique Bongard - Weak random number generator vulnerability in WPS External PIN protocol implementations

Wi-Fi Protected Setup is an optional certification program designed to ease the setup of security-enabled Wi-Fi networks. An online bruteforce attack against WPS PIN was published in 2011. As a consequence, rate throttling and lockout of bruteforce attempts are now common remediation measures. We have devised a new attack that leverages weaknesses in the random generators of some Wi-Fi access points to obtain the WPS PIN and WPA passphrase in one single attempt.

Bio : Dominique Bongard

Dominique Bongard is the founder of 0xcite, a Swiss company focusing on security for mobile and embedded devices. His previous position during 8 years consisted of leading the Threat Intelligence team for Kudelski Nagravision. Dominique is an experienced reverse-engineer and he regularly competes in Capture The Flag events.


Enno Rey, Antonios Atlasis, Rafael - Evasion of High-End IDPS Devices at the IPv6 Era

The forthcoming depletion of IPv6 addresses is now closer than ever. For instance, ARIN states that they are currently in phase three of a 4-phased "IPv4 Countdown Plan" being already down to about 0.9/8s in aggregate. On the other hand, RIPE NCC has reached its last /8 IPv4 address space quite some time ago. Moreover, the nodes of the networks (end-hosts, networking devices, security devices etc.) are already pre-configured with IPv6 connectivity, at least to some extent. All the latest popular Operating Systems, from Windows to Linux or FreeBSD, send IPv6 messages out-of-the-box while the hosts are reachable by using at least IPv6 link-local addresses. So, IPv6 is finally here and it is definitely going to stay. However, what IPv6 does not forgive is the lack of security awareness. IPv6 is not IPv4 with just extended address space. Several times in the past has been shown that this "new" layer-3 protocol, apart from the huge address space and other new functionalities, also brings with it several security issues. In this talk, we are going to present our latest research findings regarding the evasion of high-end commercial and open-source IDPS, all with latest patches, extending our previously presented work even further. These techniques allow the attackers to launch any kind of attack against their targets, from port scanning to SQLi, while remaining undetected. During the talk, not only these issues will be demonstrated with live demos, but, additionally, the used techniques that allow attackers to exploit even a really minor detail in the design of the IPv6 protocol will be described in detail and simple ways to reproduce them will be given. Finally, specific mitigation techniques will be proposed, both short-term and long-term ones, in order to protect your network from them.

Bio: Enno Rey, Antonios Atlasis, Rafael

Enno Rey (@Enno_Insinuator) is a long-term network security geek who loves to explore devices & protocols, and to break flawed ones. He has been involved with IPv6 since 1999.

Antonios Atlasis, MPhil, PhD, is an independent IT Security Analyst and Researcher having over 20 years of diverse Information Technology experience. He is also an accomplished instructor and software developer and he has been granted a number of awards both for his academic work and his professional achievements. His main research interests include vulnerability discoveries in IPv6, SCADA systems, and other critical protocols.

Rafael is studying Informatics and specializing in Telecommunication at the Bonn-Rhein-Sieg University of Applied Sciences (Department of Computer Science). His research focuses on network and IPv6 security issues. He is working on his Bachelor Thesis about the "IDS-Recognition and Validation of IPv6 Extension Headers".


Frederik Braun - We're struggling to keep up (A brief history of Browser Security Features)

The web as it appears today consists of apps, rather than hypertext. Recent additions to HTML5 APIs and the web application landscape raises the stakes for browser security: The attacker may now easily shift his target to active browsing sessions rather than the underlying operating system. This talk covers the browser security model as it currently stands in modern user agents: After discussing legacy as well as recently added features, it will also present some expected enhancements in the browser security landscape. Following this overview, common bypasses and shortcomings of these security will be discussed.

Bio: Frederik Braun

Frederik is a Security Engineer at Mozilla, which means testing (and breaking) upcoming features before release. Frederik also develops security tools like ScanJS and helps with improving security features in Firefox OS. Frederik prefers distributed over centralized, free over proprietary, and Mate over Cola. He also takes part in CTF hacking competitions with the team Fluxfingers.


Andrzej Dereszowski - Funcap: Rapid reversing with IDA Pro

The presentation would be about a tool called FunCap (http://github.com/deresz/funcap). This script records function calls (and returns) across an executable using IDA Pro debugger API, along with all the arguments passed. It dumps this info and inserts it into IDA's inline annotations. This way, static analysis that usually follows the behavioral runtime analysis when analyzing malware, can be directly fed with runtime info such as decrypted strings returned in function's arguments. In author's opinion this allows to understand the program's logic way faster than starting the "zero-knowledge" reversing. The plugin has earned the second prize in Hex-Rays Plug-In Contest 2013.

Bio: Andrzej Dereszowski

The author is an independent security consultant working for big organizations across Europe. His specialization is malware analysis and forensics. Apart from his $dayjob he is a security researcher and an active member of the security community. He was a speaker at Black Hat Europe, Microsoft TechEd, CONFidence, and other security conferences.


Serge Guelton - Python Code Obfuscation: Improving Existing Techniques

The Python language has attracted many uses over the past ten years, both in the academic and industrial context. To make software deployment easier or to make it harder to reverse the application, several Python packers have been developed. These tools ``freeze the Python code and bundle it with the interpreted in a single binary, eventually applying several obfuscation level in the process.

This article draws a quick map of existing Python-specific obfuscation techniques. It then leverages on the counter measures that have been used by reversers to propose innovative techniques based on joint source - interpreter obfuscation to make reversing and especially decompiling more difficult.

Bio: Serge Guelton

Serge Guelton is an R\&D engineer employed by the Quarkslab society and Associate researcher at Télécom Bretagne. He holds an engineering degree in Computer Science and a Phd in Compilation. He has been working on several optimization projects before working on obfuscation of Python or LLVM bytecode for Quarkslab. On it's free time, he's also the core developer of the Pythran (see http://pythonhosted.org/pythran/) compiler.


Mark Schloesser - Internet Scanning - Conducting Research on 0/0

For the last year Rapid7 has been running an internet scanning project out of its Labs research team. This talk presents an overview of the process involved, internet scanning history and current state and findings from the scanning efforts until this point. We will walk through interesting bits and pieces found on the internet and discuss how well we're doing as a security community with regard to the overall internet service landscape. The project is also trying to push the research community by publishing the raw scan datasets in the hope of accelerating vulnerability discovery and having a higher chance of finding misconfigurations and problems on the internet before they are misused.

Bio: Mark Schloesser

Mark Schloesser is a security researcher at Rapid7, analyzing threats and developing countermeasures to help defenders understand and protect against the risks they face. He is also deeply involved developing open-source software as part of the Honeynet Project and other communities. A strong focus for this has recently been building up the core of Cuckoo Sandbox, an automated malware analysis tool, as well as working on a real-time data-sharing framework. He also is a developer for the Dionaea honeypot and smaller projects such as the HoneyMap. In the 25th and 26th hour of the day, he likes reverse engineering malware and botnets and participating in CTF competitions. In case you need some help on an interesting project, he easily gets excited and involved if you netcat him @repmovsb.


Filippo Valsorda - The Heartbleed test adventure

This is the story of the online Heartbleed test many of you used earlier this year.

The system, a simple Go service with a static frontend, scaled from zero to 25,000 checks/minute in a few hours, reached a peak of ~50 backend servers and answered > 200 million requests in two weeks. It also provided one of the best overviews of the bug impact, with good statistics about the affected hosts.

The user base changed quickly, changing priorities. The concern for users privacy caused radical design decisions. Moreover, this was probably the first PoC in the wild and that required mindful consideration when first open sourcing the tool. Finally, the community feedback has been (mostly) great and overwhelming. The talk will go over the technical and practical background to all this.

Bio: Filippo Valsorda

Filippo Valsorda is an Italian developer, security researcher and cryptography consultant. He's now Systems Engineer at CloudFlare, working on the Security Team.

He's the author and maintainer of the filippo.io/Heartbleed test, and has experience in applied cryptography implementation and exploitation. He's also a Open Source contributor and has done research on Bitcoin cryptography flaws.


Aleksandr Timorin - SCADA deep inside: protocols and security mechanisms

In my talk I'll share my experience in analysis of most popular open and vendor's specific proprietary industrial protocols. For each protocol will be presented packet structure, real examples, (in)secure features and possible hacks. At the end of the topic I'll share my practical approach, methodology and useful scripts. Also it’ll be presented protocol and software vulnerabilities with demos.

Bio: Aleksandr Timorin

I was graduated from the Mathematics and Mechanics Department of the Ural State University (specializing in System Programming). Worked in the development of applications for Oracle, of the web configurator of an IP telephony system, and of IBM WebSphere. Now I'm the Lead Specialist of the Security Assessment Department at Positive Technologies. Main specialization: SCADA/ICS penetration testing, industrial protocols. Made topics on PHDAYS III, PHDAYS IV, Power of Community 2013, CONFidence 2014 and workshop on 30C3.


Axelle Apvrille, Ludovic Apvrille - SherlockDroid, an Inspector for Android Marketplaces

With over 1,200,000 Android applications in Google Play alone, and dozens of different marketplaces, Android malware unfortunately have no difficulty to sneak in and silently spread. This puts a high pressure on antivirus teams. To try and spot new malware instances, we have built an infrastructure, named SherlockDroid, whose goal is to filter out the mass of applications and only keep those which are the most likely to be malicious for future inspection by Anti-virus teams.

SherlockDroid consists of marketplace crawlers, code-level property extractors and a classification tool named Alligator which decides whether the sample looks malicious or not, based on some prior learning.

During our tests, we have extracted properties and classified over 480k applications. Since the beginning of July 2014, SherlockDroid has crawled 88,369 applications with the detection of one new malware, Android/Odpa.A!tr.spy, and one new riskware. With previous findings, this increases SherlockDroid and Alligator’s “Hall of Shame” to 7 malware and potentially unwanted applications.

Bio: Axelle Apvrille, Ludovic Apvrille

Axelle Apvrille’s is currently a Senior Antivirus analyst and researcher at Fortinet, where she more specifically looks into mobile malware. She has been very happy to present at Hack.Lu in 2013, and in various other conferences (VB, Hashdays, Hacktivity, Insomni’Hack...). Axelle is a member of the pic0wn CTF team. That’s the 3-member team which managed to get in the Hall of Fame of local teams at Hack.Lu 2013 [AAB14] ;-)

Ludovic Apvrille completed a Ph.D. in 2002, in the Department of Applied Mathematics and Computer Science at ISAE, in collaboration with LAAS-CNRS and Alcatel Space Industries (now, Thales Alenia Space). After a postdoctoral term at Concordia University (Canada), he joined LabSoc in 2003 as an assistant professor at Telecom ParisTech, in the Communication and Electronics department. He obtained his HDR (Habilitation a Diriger les Recherches) in 2012. His research interests focus on tools and methods for the modeling and verification of embedded systems and Systems-on-Chip. Verification techniques target both safety and security properties. He’s the leader of the free and open-source UML/SysML toolkit named TTool, and of Alligator. Ludovic is also member of the pic0wn CTF team

Glib Pakharenko - Cyber attacks during the Revolution in the Ukraine and war with Russia

During the Revolution in the Ukraine and war with Russia from Nov 2013 till now a series of cyber attacks were performed against government and commercial IT systems. Most of them were DDos attacks. The targets were very different in their nature, including the President's site, media portals, banks, NGOs and even the Church. The power scales in range from several Mbits to one Gbit. The incident response approach and impact on the mission of organization has its specialties in each case. This research presents analysis of information from open sources about technical, social and other aspects of cyber attacks. It assess current capabilities and actions of victims, government agencies in charge for the attack investigation, and professional associations as well.


Bio: Glib Pakharenko

Glib Pakharenko is moderator of the largest Ukrainian IT security Linkedin group, organizer of its conferences, board member of ISACA and OWASP Kyiv chapters, DCUA CTF team member. He worked as IT and IT security specialist in several big Ukrainian and international companies. Now he leads IT audit function in large Ukrainian enterprise. With his help goes translation of the international IT security standards into Ukrainian and their popularization. Its primary interest is to help increase number of Ukrainian IT security community members and improve their professional skills. He would like to facilitate close collaboration between specialists in Ukraine and other countries. He holds CISA and CISSP credentials, master degree in Information Security.

Maximilian Hils - mitmproxy the man-in-the-middle HTTPS proxy

mitmproxy (mitmproxy.org) is an open source man-in-the-middle HTTPS proxy. It can be used as an interactive proxy to intercept and modify requests or as a passive proxy to act like tcpdump for HTTP. It is highly extensible using a simple Python scripting interface. In this hands-on demo, we will use mitmproxy to see what our smartphones are doing and how we can tamper with their requests.


Bio: Maximilian Hils

Maximilian Hils (@maximilianhils) is one of the two core developers of mitmproxy. He has been a Google Summer of Code student at the Honeynet Project twice and currently studies Information Systems at the University of Münster. In his spare time, he develops web applications and slays SSL dragons whereever he finds them.