Opening words by Sylvain Pasini, president of the Black Alps association, and general chair of #BlackAlps19.
HEIG-VD, president of Black Alps
Bug hunting, like any other type of hunting, requires preparation, skills, practice, and patience. Over the past 10 years, Google has been hunted by thousands of security researchers from around the world. As a result, we have paid millions of dollars for thousands of vulnerabilities in Google products and services.
But when you run the security response team for a company of this size, you have literally millions of people trying to talk to you, and you first have to find a way to get the noise under control, and then find ways to grow your community so that you receive even more and better reports. To make this possible, we had to invest in automation, education, appreciation, recognition, entertainment and outreach - but most of all? Trust.
In this talk you'll learn about some of our favorite vulnerabilities from the last decade and why we love this program so much. Then you'll see how we fine-tuned it to make it sustainable for 10 years, and finally how we have used it to grow the rest of Google's product security program. The talk goes through some of our biggest failures as well as some of our most surprising insights - in the hope that you can avoid making our mistakes, and maybe get inspired by how we tackled them.
Spoilers? We support public disclosure of unfixed bugs. We pay bug hunters even when they don't find bugs. We put senior engineers on front-line triage. We encourage bug hunters to dispute reward decisions.
In our talk, we will present new security tales of wireless mice, keyboards, and presenters using 2.4 GHz radio communication that we have collected over the last two years. We want to answer the questions left open by our previous research on wireless desktop sets, and raise awareness of security issues and practical attacks against vulnerable wireless input devices.
Memory is full of incredible artefacts. Some of them are secrets used for security purposes, such as encryption keys. Acquiring memory and analysing it to find such secrets can help you get around some security measures. This talk is about a Bachelor thesis written this summer at HEIG-VD. It presents the results obtained and the methodologies used to recover treasures from memory, and then explains how to use the recovered artefacts to gain access to protected data. The research focuses on Apple's disk encryption solution, FileVault 2, and on some common password managers you may be using. The work was performed in an OS X environment, but the same methodologies could be applied to other systems.
A look back at the Swisscom bug bounty from a researcher who found around a hundred vulnerabilities there. The aim is to talk a little about the particularly large scope, present some statistics, and also describe some of the vulnerabilities that were discovered.
Connected glucose sensors are a very handy way for people with diabetes to get their glucose readings and adjust their insulin treatment. How does the device work? We'll walk you through our investigation, from the PCB to the firmware, to NFC communication.
Principal security researcher
Fuzzing is the process of automatically feeding potentially corrupt input to a program with the goal of finding undesired behavior. While fuzzing is mostly applied to projects in memory-unsafe languages such as C and C++, it is increasingly being applied to other programming languages such as Java. The goals of the fuzzing process are usually different though, and range from finding simple errors to finding issues such as Denial of Service (DoS) or Server Side Request Forgery (SSRF). To make the fuzzing process as efficient as possible, modern approaches increasingly instrument the code and try to maximize code coverage. The JQF tool is one of the tools inspired by the well-known American Fuzzy Lop (AFL) fuzzer and aims to bring coverage-guided fuzzing to Java. JQF lets you integrate fuzzing into a developer's daily process by writing a simple unit test. This talk gives a short introduction, shows what kinds of security issues have been found in the past, and explains how you can use the power of fuzzing in your development process.
IT security analyst
The interaction between attackers and defenders is like a ping-pong game, and that is exactly how we did this research. On the offensive side, Mo will share his tools and tactics for attacking AWS infrastructures, from recon to attacks to post-exploitation on different services, with a focus on Elastic Container Service (ECS). After each attack step, Dani will explain the defensive side: tools and tactics for hardening the AWS infrastructure, from designing a secure cloud architecture to detection to hardening specific services like Docker containers on ECS.
One of the most important lessons from our research is the importance of the interaction between pentesters and developers/DevOps engineers, and how a few days of working side by side can help us secure our current systems and learn to develop future systems with security in mind.
Chief Technology Officer
Net Alpha Financial Systems
When a Web Application Firewall (WAF) is presented as a defensive solution to web application attacks, there is usually a decision to be made: will it be placed inline (and risk affecting users through outages or latency) or out of band (not affecting users, but not protecting them either)? This talk covers a different approach to using any WAF at your disposal, which tries to get the best of both worlds: the WAF works in passive mode out of band, detecting attacks, and in active mode by selectively routing traffic through the WAF to decide whether a request should be blocked or allowed.
To achieve this you have to wrap the WAF in a web service, something developers are used to working with, which makes it possible to deliver security in a targeted and scalable manner. In this network-agnostic setup, the WAF web service can grow horizontally and lets you enhance the WAF's decisions with your own business knowledge. The decision to block a request, or to route traffic through the WAF at all, then depends not only on the WAF's verdict but also on data about your application and its context, which can reduce the false positive rate to the point where it practically disappears.
The talk goes through how such a service can be built, with open-source examples, what alternatives exist depending on the flexibility of the WAF used, and how this approach lets you deliberately choose the acceptable false positive rate and business risk depending on the attack type and its possible impact.
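As an added illustration of the routing decision described above (this is not code from the talk or from any project it refers to): a small WAF-as-a-service and a router in Python. Every request is inspected passively and logged; only requests under a path enrolled for active mode can be blocked, and the final verdict combines the WAF's finding with context the application supplies. The signatures, paths, risk weights, editor list and requests are all constructed for the demo; a real deployment would call the actual WAF over HTTP and take the context from the application.

```python
# Added example: WAF exposed as a service, with selective active-mode routing
# and application context feeding the block/allow decision. Rules, paths,
# risk weights, users and requests below are constructed for the demo.
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Toy rule set standing in for a real WAF engine (constructed).
SIGNATURES = {
    "sqli": re.compile(r"(?i)union\s+select|'\s*or\s+'?\d+'?\s*=\s*'?\d+|--\s*$"),
    "xss": re.compile(r"(?i)<\s*script|javascript:|onerror\s*="),
    "traversal": re.compile(r"\.\./|%2e%2e%2f", re.IGNORECASE),
}
# Risk weight per attack type; compared against the threshold of the
# active-mode path the request hits (constructed values).
RISK = {"sqli": 3, "xss": 2, "traversal": 3}
EDITORS = {"alice"}  # constructed: users allowed to post HTML to the CMS


@dataclass
class Request:
    method: str
    path: str
    query: str = ""
    body: str = ""
    user_id: Optional[str] = None


@dataclass
class Finding:
    attack_type: str
    evidence: str


@dataclass
class Decision:
    action: str  # "allow" or "block"
    reason: str
    finding: Optional[Finding]


class WafService:
    """The WAF behind a web service: it only inspects and reports, never blocks."""

    def __init__(self) -> None:
        self.audit_log: List[tuple] = []  # passive mode: every finding lands here

    def inspect(self, req: Request) -> Optional[Finding]:
        for attack, rx in SIGNATURES.items():
            for blob in (req.path, req.query, req.body):
                m = rx.search(blob)
                if m:
                    finding = Finding(attack, m.group(0))
                    self.audit_log.append((req.path, finding))
                    return finding
        return None


ContextRule = Callable[[Request, Finding], Optional[str]]


class Router:
    """Decides per request whether the WAF verdict is enforced (active mode)
    or only recorded (passive mode), and lets business context override it."""

    def __init__(self, waf: WafService, active_prefixes: Dict[str, int],
                 context_rules: List[ContextRule]) -> None:
        self.waf = waf
        self.active_prefixes = active_prefixes  # path prefix -> block threshold
        self.context_rules = context_rules

    def _threshold_for(self, path: str) -> Optional[int]:
        # Longest matching prefix wins; no match means passive mode only.
        for prefix, threshold in sorted(self.active_prefixes.items(),
                                        key=lambda kv: -len(kv[0])):
            if path.startswith(prefix):
                return threshold
        return None

    def decide(self, req: Request) -> Decision:
        finding = self.waf.inspect(req)
        if finding is None:
            return Decision("allow", "clean", None)
        threshold = self._threshold_for(req.path)
        if threshold is None:
            return Decision("allow", "passive-only", finding)
        for rule in self.context_rules:
            why = rule(req, finding)
            if why:
                return Decision("allow", "context:" + why, finding)
        if RISK[finding.attack_type] >= threshold:
            return Decision("block", finding.attack_type, finding)
        return Decision("allow", "below-threshold", finding)


def editor_markup(req: Request, finding: Finding) -> Optional[str]:
    """Constructed business rule: CMS editors legitimately submit markup, so an
    XSS hit on /cms/ from a known editor is a false positive for this app."""
    if finding.attack_type == "xss" and req.path.startswith("/cms/") and req.user_id in EDITORS:
        return "editor-markup"
    return None


def build_router() -> Router:
    # Constructed policy: /search only blocks high-risk findings, /cms/ and
    # /api/ block anything of risk 2 or more, everything else is passive.
    return Router(WafService(), {"/search": 3, "/cms/": 2, "/api/": 2}, [editor_markup])


if __name__ == "__main__":
    router = build_router()
    for req in (Request("GET", "/search", query="q=shoes' OR '1'='1"),
                Request("POST", "/cms/pages", body="<p>x</p><script>track()</script>", user_id="alice"),
                Request("GET", "/blog", query="q=<script>")):
        print(req.path, router.decide(req))
```

The passive audit log still fills up for every path, so detection coverage is complete even where nothing is ever blocked; the context rules are where the "business knowledge" of the abstract goes, and they should be as narrow as the one above (one attack type, one path, one trusted role) rather than global allow-lists.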
Who doesn't know the game BurgerQuiz, hosted by Alain Chabat and his merry band of companions?
Based on several hundred source code audits across various languages, this talk revisits, in a humorous way, the wackiest and riskiest code, the mistakes, and the security best practices encountered.
Techniques for computing on encrypted data are increasingly deployed by large companies, notably to build privacy-preserving, GDPR-compliant large-scale systems. We propose a high-level, synthetic and hopefully easy-to-understand overview of the capabilities of cryptographic schemes that allow computation on encrypted data.
Maintaining a cross-platform cryptographic library is a journey full of unexpected bugs, language-specific hacks, difficult decisions and an endless struggle to make developer-facing APIs easy to use and hard to misuse.
Product Engineer in Security & Cryptography
We frequently see the same types of security vulnerabilities appearing repeatedly over the course of a software project’s lifetime, and often across multiple projects. In this talk I’ll be discussing how security teams at companies such as Google and Microsoft use variant analysis to address this in their own software.
The cybersecurity field has evolved very rapidly over the last 3 years. Most qualifying cybersecurity training programmes are fairly recent. Experience in this field comes through a lot of practice. How can you leverage that experience and turn it into an asset for moving into new roles? Which training should you choose, and with what objectives? Which skills are needed to reach specific cybersecurity positions? How do you present your experience to get the job you want and prepare your future? It is also essential to understand the profiles expected for the new roles and to qualify your own professional path in order to find your dream job.
The benefit of thinking through such an approach is immediate: it gives you the right tools to steer and control your own career. The new roles in this field are numerous and sometimes more accessible than they seem. A panorama of jobs and training in cybersecurity and emerging technologies will highlight the key actions to take to land the desired position.
President & Co-founder
The year is 2089, Venice is under water and Bitcoin has finally replaced the dollar as the global reserve currency. Let's try to change the course of events. Verifiable Delay Functions (VDF) are a fascinating new cryptographic primitive that is revolutionizing the blockchain space. Notably, cryptocurrencies (Bitcoin et al.) that use consensus strategies based on Proof of Work (PoW) burn a considerable amount of electricity. The promise of a tool like a VDF is to eliminate such a plague (used in combination with Proof of Stake or other similar techniques). Many cryptocurrencies (notably Ethereum 2.0 and Chia) are currently evaluating this approach. On top of that, VDFs can be used to build verifiable lotteries, encrypt into the future and much more. In this talk we are going to present what a VDF is and how, due to its peculiar properties, it is actually a rare object in the mathematical universe. We will also see how to construct a simple VDF and give some hints about more complex ones.
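As an added example (not from the talk), the following Python shows a toy VDF in an RSA group with Wesolowski's proof: the evaluator performs T sequential squarings, the prover derives a challenge prime from the statement and computes a single group element as proof, and the verifier checks the result with only a few modular exponentiations instead of repeating the T squarings. The modulus is a hard-coded product of two small primes and T is tiny, both constructed for the demo; the trapdoor function at the end shows why nobody may know the factors of N in a real deployment.

```python
# Added example: a toy verifiable delay function y = x^(2^T) mod N with a
# Wesolowski-style proof. Modulus, exponent and parameters are constructed
# for the demo and are far too small for real use.
import hashlib
import math

# Constructed toy modulus N = P * Q. Knowing P and Q is a trapdoor (see
# vdf_eval_with_trapdoor), so a real VDF needs a trusted setup or a group
# of unknown order such as a class group.
P, Q = 1_000_000_007, 998_244_353
N = P * Q


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for p in bases:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n: int) -> int:
    n |= 1
    while not is_probable_prime(n):
        n += 2
    return n


def challenge_prime(x: int, y: int, T: int) -> int:
    """Fiat-Shamir: a 64-bit prime l derived from the statement (N, x, y, T),
    so the prover cannot pick l to suit a forged y."""
    h = hashlib.sha256(f"{N}|{x}|{y}|{T}".encode()).digest()
    return next_prime(int.from_bytes(h[:8], "big") | (1 << 63))


def vdf_eval(x: int, T: int) -> int:
    """The slow, inherently sequential part: T squarings modulo N."""
    y = x % N
    for _ in range(T):
        y = y * y % N
    return y


def vdf_prove(x: int, y: int, T: int) -> int:
    """Proof pi = x^(floor(2^T / l)) mod N; costs about another T multiplications."""
    l = challenge_prime(x, y, T)
    return pow(x, (1 << T) // l, N)


def vdf_verify(x: int, y: int, T: int, proof: int) -> bool:
    """Checks pi^l * x^(2^T mod l) == y with O(log l + log T) group operations:
    x^(2^T) = x^(l*q + r) = (x^q)^l * x^r, with q = floor(2^T / l), r = 2^T mod l."""
    l = challenge_prime(x, y, T)
    r = pow(2, T, l)
    return pow(proof, l, N) * pow(x, r, N) % N == y % N


def vdf_eval_with_trapdoor(x: int, T: int) -> int:
    """Whoever knows phi(N) skips the delay entirely by reducing the exponent
    first; this is why the factors of N must be unknown to everyone."""
    if math.gcd(x, N) != 1:
        raise ValueError("x must be coprime to N")
    phi = (P - 1) * (Q - 1)
    return pow(x, pow(2, T, phi), N)


if __name__ == "__main__":
    x, T = 0xDEADBEEF, 1 << 12
    y = vdf_eval(x, T)
    proof = vdf_prove(x, y, T)
    print(y, vdf_verify(x, y, T, proof), vdf_verify(x, (y + 1) % N, T, proof))
```

Verification cost does not grow with T, which is the property that separates a VDF from a plain time-lock puzzle: anyone can check the output quickly, but nobody without the trapdoor can produce it faster than T sequential squarings.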
PatrOwl is an Open Source, adaptive and scalable Security Operations Orchestration Platform. The main objective is to provide a continuous and full-stack risk overview of your assets, using open-source tools, commercial solutions or custom scripts.
Cryptocurrencies and blockchains are still relatively new, and there have been plenty of news stories about people losing money through compromises in the various components making up a blockchain ecosystem. Those components include base blockchain infrastructure, smart contracts, DApps and wallets.
Topics explored during this workshop:
Senior Security Engineer
This is a workshop about cryptography that aims to be as little about cryptography as possible, in order to focus on what matters for engineers and application builders: protecting their data and information—be it in transit, on endpoints, or in databases. We'll first review the general principles (what encryption really means, and why it's harder than it looks), and then provide recommendations of tools, APIs, and software to deploy state-of-the-art yet easy-to-use cryptography in your applications.
Product Engineer in Security & Cryptography
This year's badge is already packed with lots of features, but what if you want to add your very own feature to it? If so, feel free to hop into this workshop and learn how to program the badge to your liking. Maybe you'll learn something cool in the process?
This workshop is 100% hands-on, with very few slides, lots of programming and (hopefully!) fun. Have a cool idea? Want to work with others on a bigger project? Join in! Prerequisites: a laptop and a micro-USB cable.
A system indexes files by MD5. How secure is it?
This workshop is an introduction to file manipulation, hash collision attacks and how to combine both to exploit them.
It doesn't require any cryptographic knowledge.
It covers all existing hash collision attacks for MD5 and SHA1:
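To make the opening question concrete, here is an added Python example that is not part of the workshop material. The only real data it uses is the published Wang et al. (2004) MD5 collision pair; the file store classes, the trailer and the toy "file format" that branches on the first differing byte are constructed for the demo. It shows that a store keyed by MD5 silently deduplicates two different files, and that the collision survives appending any common suffix, which is what lets an attacker turn raw collision blocks into two usable files.

```python
# Added example: why indexing files by MD5 alone is unsafe. Store classes,
# trailer and interpret() are constructed; the collision pair is the public
# 2004 Wang et al. pair (same MD5, six differing bytes).
import hashlib

COLLISION_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
COLLISION_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def differing_offsets(a: bytes, b: bytes) -> list:
    """Byte offsets at which two equal-length blobs differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def extend_collision(suffix: bytes) -> tuple:
    """Both messages are exactly two 64-byte blocks, so MD5's internal state is
    identical after them and any common suffix keeps the digests equal. This
    is the step that turns a bare collision into two different useful files."""
    return COLLISION_A + suffix, COLLISION_B + suffix


def interpret(blob: bytes) -> str:
    """Constructed 'file format': behaviour is chosen by the first differing
    byte, so the two colliding files do different things."""
    return "benign" if blob[19] == 0x87 else "malicious"


class Md5IndexedStore:
    """The insecure design: files are keyed and deduplicated by MD5 alone."""

    def __init__(self) -> None:
        self._blobs = {}

    def put(self, data: bytes) -> str:
        key = md5_hex(data)
        self._blobs.setdefault(key, data)  # a colliding upload is silently dropped
        return key

    def get(self, key: str) -> bytes:
        return self._blobs[key]


class Sha256IndexedStore(Md5IndexedStore):
    """Safer variant: a collision-resistant hash as the key, re-checked on read
    so a swapped or corrupted blob is never served silently."""

    def put(self, data: bytes) -> str:
        key = hashlib.sha256(data).hexdigest()
        self._blobs.setdefault(key, data)
        return key

    def get(self, key: str) -> bytes:
        data = self._blobs[key]
        if hashlib.sha256(data).hexdigest() != key:
            raise ValueError("stored blob does not match its key")
        return data


if __name__ == "__main__":
    a, b = extend_collision(b"\n# shared trailer\n")
    print(md5_hex(a), md5_hex(b), differing_offsets(a, b))
    store = Md5IndexedStore()
    store.put(a)
    key = store.put(b)  # same key, so the store hands back a, not b
    print(interpret(store.get(key)), interpret(b))
```

The practical consequence for the system in the question: whoever uploads the benign file first controls what every later colliding upload resolves to, and a scanner or reviewer that inspected the "malicious" file by key would be looking at the wrong bytes. Keying by SHA-256 (or comparing content on dedup) removes the problem; the identical-prefix trick above is the simplest of the attack classes the workshop goes on to cover.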
This training is based on the new Hacking-Lab 2.0 platform (hacking-lab.com), which provides an online lab with several hundred different security challenges. Participants will be granted access to several challenges in Hacking-Lab, where they can exercise their skills or learn, with step-by-step instructions, how to exploit vulnerable web applications. After a common introduction, participants can select the desired difficulty level and solve the proposed challenges at their own pace, with the support of the trainers. A LiveCD environment including all required tools is provided as the working environment. Participants are required to bring their own laptop with the provided virtual machine image installed (available at media.hacking-lab.com).
This training is open to anyone interested in IT security (e.g. application developers, system administrators, CISOs). The technical level is largely open, as the trainers provide individual support to participants during the training. To work with the lab environment, participants are expected to have basic experience with the Linux command line and basic knowledge of the HTTP protocol.
Requirements for participants:
Compass Security Schweiz AG
Compass Security Schweiz AG
Call For Proposals: Talks and Workshops
The submission process is now closed (it was open until 31 July 2019).
The program committee is composed of internationally renowned experts in the field, responsible for building a high-quality program. They collect the proposals and select the most outstanding ones.