Opening words by Sylvain Pasini (Professor at HEIG-VD), president of the Black Alps association and general chair of #BlackAlps18.
Welcome words by Juliana Pantet (Managing Director, Y-Parc S.A.) and Vincent Peiris (Dean of ICT department, HEIG-VD)
Redteaming is a method inspired by the military community practices according to which an independent group of skilled adversaries challenges systemic weaknesses within an organization to improve its defensive posture against external threat actors.
CERT Societe Generale has come up with an idea to find a better implementation for the method of Redteaming through the use of threat modeling inspired by the real-life adversaries’ tactics.
In today's keynote, we will try to custom-tailor a redteaming mission to the needs of your organization in a live mode and will look through the common dos and don'ts relative to the implementation of such offensive security tools and methods for the benefit of large-scale financial groups.
White / Purple team leader at CERT
Running businesses in cloud environments where everything has an API, everything is built at new abstraction layers, and everything is running on someone else's computers presents new ways of thinking of things and new capabilities. This can allow you to greatly improve your security, but at the cost of changing how you do that security. This talk will discuss the current best practices and state of analyzing and understanding your cloud environments, along with where there is more work to be done.
AWS Security Consultant
Most Android hackers research application vulnerabilities using rooting tools (SuperSU, MagiskSU) and hooking frameworks (FRIDA, Xposed Framework, etc.). However, rooting tools and hooking frameworks are detected and blocked by the security mechanisms of the Android OS and of applications. So hackers have to circumvent the security mechanisms applied to the Android OS and applications, which can cost an attacker a lot of time analyzing and bypassing them. Security mechanisms are constantly being updated, so attackers and defenders continue to play cat and mouse. So in this talk I will analyze the security mechanisms applied to the Android OS and applications in detail at code level and, by creating a new Android kernel, create an undetected privilege escalation backdoor, dynamically intercept and manipulate the execution environment, and bypass security mechanisms.
FSI (Financial Security Institute)
We've all seen the news about an implanted chip that allows someone to take remote control of your servers.
That's a bold claim, and many people were arguing about whether that story is legit or not.
But is such an implant technically possible?
In this talk, you'll discover the hidden gems you can get when you RTFM, and how to create your very own hardware implant.
Cyber Security Expert
The Java Key Store (JKS) is the Java way of storing one or several cryptographic private and public keys for asymmetric cryptography in a file. While there are various key store formats, Java and Android still default to the JKS file format. JKS is one of the file formats for Java key stores, but JKS is confusingly used as the acronym for the general Java key store API as well. This presentation explains the security mechanisms of the JKS file format and how the password protection of the private key can be cracked. Due to the unusual design of JKS, the developed implementation can ignore the key store password and crack the private key password directly. Because it ignores the key store password, this implementation can attack every JKS configuration, which is not the case with most other tools. By exploiting a weakness of the Password Based Encryption scheme for the private key in JKS, passwords can be cracked very efficiently. Until now, no public tool was available exploiting this weakness. This technique was implemented in hashcat to amplify the efficiency of the algorithm with higher cracking speeds on GPUs.
IT security analyst
In the last year there were several advances in practical quantum computing: now there are free quantum chips available on the cloud for everyone, and the largest quantum chips exceed 50 qubits, a number called the quantum supremacy because theoretically a quantum chip exceeds the power of a classical computer. We'll explain how to program a quantum chip and give the results of our research regarding reversing some cryptographic building blocks like P-Box, S-Box, CRC-8 and XOR functions using quantum circuits. We'll see the implementations and run some circuits on real hardware to see how near we are to attacking real cryptography.
IT security expert
0xFFFF and Iceman will show you the latest revision of the proxmark3 tool, rdv40, a successful Kickstarter that brought NFC analysis to the next level. Identifying common issues in the Proxmark community. RRG formed to produce new hardware such as the long range HF reader and LF reader. What's so special about the PM3 rdv40?
- Onboard storage
- SIM interface
- Improved HF + LF antenna
- Improved HF antenna
- Improved 'capsule' LF antenna
- QC process
- Covert + discreet
Current capabilities of official firmware and popular forks. Analysis of unique + difficult tags and how to overcome them.
Rfid Research Group RRG
Rfid Research Group RRG
This talk will present the activities of Group123 during 2017 and 2018. I will present campaigns against South Korean targets (individual users and organizations) and campaigns against non-Korean financial institutions. The purpose of our presentation is to describe the different campaigns by starting with the infection vector (Hangul Word Processor or Office document), the malware installation and the final payload (such as ROKRAT). During the investigation period we discovered that this actor has different capabilities such as espionage and destruction. Finally, we will describe a rise of power concerning this group and the usage of a Flash 0-day (CVE-2018-4878) for months. Additionally I will mention an Android app that Korean malware linked to this group.
It's been mostly silent for two years on the DDoS front in Switzerland, but IoT devices and growing network capacities could bring the next wave of DDoS attacks anytime now. Technical reasons make it likely that the trend towards application level DDoS will continue. Defense against big DDoS attacks forces you either to use a protection service or to start working with GeoIP defenses. The CDN protection services will ask for your certificate keys, though, which effectively means that an application level DDoS will force you to hand over your keys to a foreign company as no Swiss DDoS protection company exists. Alternatively, you will need to cut international IP traffic via GeoIP, which is not always an option either. And even if you pursue this, traffic might still overwhelm your carrier implementing the GeoIP filter. But there is a path rarely travelled: it could allow you to survive an attack with the help of BGP. You stop advertising your route internationally, but concentrate on local peering partners. You hide from the global internet during the attack, but remain online locally.
Dr., Security Engineer
3 years after the launch of the bug bounty program at Swisscom it is time to take a step back. This talk starts from the point of view of a (somewhat frustrated) bug hunter and walks back from the launch of the program to the current state. Crossed looks from the company and the researcher outline the difficulties encountered on both sides, and show what improved over time and how. It is a story of collaboration and communication. A second part will disclose some interesting vulnerabilities that were found and fixed through the program. Those are not yet chosen but will probably include RCE, SQLi, prevented data leaks or other high-impact issues.
Security Analyst CSIRT
IT Security Analyst
Compass Security AG
Many headlines talk of cryptocurrency malware as "the new ransomware" or 2018's new menace on computers. Whenever something big hits PCs, it usually gets ported to smartphones. In this talk, we'll investigate the status of cryptocurrency malware on mobile phones. The first ones were Android/CoinKrypt and Android/BadLepricon. We'll reverse engineer code of some newer ones such as Loapi, AdbMiner, HiddenMiner or some of the numerous instances of CoinHive riskware. Despite their increasing power, mining on smartphones has its limits. For example, mining Bitcoin on a smartphone does not make sense. We'll see which cryptocurrencies are mined on smartphones and discuss how profitable this is for cyber-criminals. We'll follow the earnings of the authors of HiddenMiner, based on live captures we were able to get.
Security Researcher EMEA
Creating cyber security software is much more challenging than developing any other type of software, and there are various dilemmas and considerations to be taken into account when choosing the right components. Today, as the trend is to shift security to the left, knowledge in this area becomes more crucial for developers, UX designers, software architects, and anyone involved in this field. In this presentation, I combine my 13 years of R&D security experience with examples of recent breaches and discoveries in order to show the importance of making the correct decisions in each of the development stages for securing software.
Check Point Software Technologies
Vault is an open-source tool by HashiCorp specifically designed for securing and managing all kinds of secrets, from passwords to database credentials or encryption keys. In this talk, we start by laying out the foundations of Vault by discussing the concepts of untrusted storage backends, authentication methods, sealing/unsealing processes, response wrapping, and dynamically generated short-lived secrets. Building on that, we present several real-world scenarios and demonstrate how Vault can be used in these situations to implement an architecture with a high separation of concerns and low trust. For every scenario, we seek to put ourselves in an attacker's shoes, and analyze what the impact of the compromise of each component would be on the overall architecture.
Lessons learned from a security team member of a widely used open source project (Jenkins). How to solve security issues when you need to face multiple constraints like living in a public/private plugin ecosystem, ensuring backward binary compatibility, providing an escape hatch or, even better, progressive migration. I will present our approach to tackling those obstacles with practical examples.
Security Software Engineer
Cloud Native platforms such as Kubernetes help developers to easily get started deploying and running their applications at scale. But as this access to compute starts to become ubiquitous, how you secure and maintain compliance standards in these environments becomes extremely important. In this talk we'll cover the basics of securing Cloud Native platforms using Kubernetes as our driving example (Pod Security Policy, Network Policy, etc.). We will also cover open source tools, such as Anchore, Falco and Sysdig Inspect, that can be used to maintain a secure computing environment. We will cover the entire process from image scanning to runtime security and forensics in volatile containers. This is a practical tools-of-the-trade talk: attendees will walk away with a good understanding of the challenges of securing a Cloud Native platform and practical advice on using open source tools as part of their security strategy.
The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia has been organizing the largest and the most advanced live-fire cyber defence exercise in the world on a yearly basis since 2010. The Locked Shields exercise grows each year and in 2018 it was the largest one conducted so far with about 1000 participants and 30 different nations, involving 22 defending blue teams and an attacking red team with about 70 members. First, I will begin with a short introduction and history of the CCDCOE, its mission and activities. Next, I will continue with an overview of the exercise from a participant’s perspective, its training goals, the most interesting aspects, different teams and their roles. Then, I will continue with intelligence-led red team testing conducted within the financial sector and the different accompanying frameworks. And finally, I will conclude with a discussion about the value of such exercises when compared to traditional methods of security assessments and testing. The talk will be rather non-technical, aimed at security practitioners as well as decision makers, and based on publicly available information.
Threat Intelligence & Red Teaming
Opening words by Sylvain Pasini (Professor at HEIG-VD), president of the Black Alps association and general chair of #BlackAlps18.
Welcome words by Yohann Perron (Alp ICT).
During his presentation, Pierre-François will present everyday challenges associated with a large hospital information system. Such an institution has to manage a very large number of connected devices, among them medical devices, while cybersecurity is a constant and mandatory requirement in order to ensure patient safety and continuity of care.
Chief Information Officer
During his presentation, Stephan will present the solutions which have been implemented in order to ensure a sufficient level of security so that an insulin pump can be controlled by a smartphone. This will be the occasion to have an overview of the current state of the art in cybersecurity in the field of medical device manufacturers.
During his presentation, Kim will present the status of the regulations that apply to medical devices. A specific focus will be placed on current requirements with regard to data protection and cybersecurity, possibly presenting applicable international standards that may be considered to fulfil these requirements.
Round Table - Pierre-François Regamey, Stephan Proennecke, Kim Rochat, and Julien Bachmann.
Ethereum is the reference smart contract platform due to the possibility of creating decentralized applications (Dapps) by writing smart contracts. The Solidity source code of those smart contracts is not always available and can contain flaws (reentrancy, integer overflow/underflow, bad randomness, backdoor, ...). Some smart contracts handle thousands of ETH and can't be modified once pushed into the blockchain. More than 90% of them don't provide the associated Solidity source code, and that's also why being able to reverse and analyze Ethereum smart contracts (with only the EVM bytecode) makes even more sense. This workshop is intended to give attendees the basic skills (theoretical and practical) to analyze Ethereum smart contracts. After the workshop, they will be able to reverse, debug and find basic vulnerabilities in real-life smart contracts without having the Solidity source code.
Bro is an open-source Network Security Monitor (NSM) and analytics platform. Even though it has been around since the mid 90's, its main user base was primarily universities, research labs and supercomputing centers. In the past few years, however, more and more security professionals in the industry turned their attention to this powerful tool, as it runs on commodity hardware, thus providing a low-cost alternative to commercial solutions. At its core, Bro inspects traffic and creates an extensive set of well-structured, tab-separated log files that record a network’s activity. Nonetheless, Bro is a lot more than just a traditional signature-based IDS. While it supports such standard functionality as well, Bro’s scripting language allows security analysts to perform arbitrary analysis tasks such as extracting files from sessions, detecting malware by interfacing with an external source, detecting brute-forcing, etc. It comes with a large set of pre-built standard libraries, just like Python. During this two-hour workshop, we will learn about Bro's capabilities and cover the following topics:
- Introduction to Bro
- Bro architecture
- Bro events and logs
- Bro signatures
- Bro scripting
- Bro and ELK
Requirements for the workshop:
- A laptop with at least 8 GB of RAM and more than 30 GB of free disk space
- VMware Workstation or VMware Player installed
Managing Partner, CEO
Alzette Information Security
Managing Partner, CTO
Alzette Information Security
This training is based on the Hacking-Lab platform (hacking-lab.com), providing an online lab with several hundred different security challenges. Participants of this training will be granted access to several challenges in Hacking-Lab, where they can exercise their skills or learn with step-by-step instructions on how to exploit vulnerable web applications. After a common introduction, participants can select the desired difficulty level and solve the proposed challenges at their own pace, with the support of the trainers. A LiveCD environment, including all required tools, is provided as the working environment. Participants are required to bring their own laptop with the provided virtual machine image installed (available at media.hacking-lab.com). This training is open to anyone interested in IT security (e.g. application developers, system administrators, CISOs, etc.). The technical level is pretty much open; the trainers provide individual support to the participants during the training. To work with the lab environment, participants are expected to have basic experience working with the Linux command line and also have basic knowledge of the HTTP protocol. Requirements for participants:
- Laptop
- VirtualBox or VMware Player
- Hacking-Lab LiveCD (media.hacking-lab.com)
As a little add-on, we're playing a 30-minute "Min CTF", with 10 puzzles/challenges. They're not too hard, everyone should be able to solve a couple of them!
In this participatory workshop, we will address the challenges of recruiting technical profiles and the concrete ways of meeting them. 1. From defining the position to HR marketing, you will leave with concrete leads for attracting interesting applications. 2. From CV screening to conducting job interviews, you will learn to efficiently identify the profiles best suited to the position and to the company culture. Intended for anyone who is not a recruitment professional but has to recruit for their team, and who wishes to share their experiences and leave with a few tips in hand.
Human Capital Consultant
Securing Apps Sàrl
Call For Proposals: Talks and Workshops
The submission process is now closed (it was open until 31 July 2018).
The Program committee is composed of internationally renowned experts in the field responsible for building a program of quality. They will collect the proposals and select the most outstanding ones.