Opening words by Sylvain Pasini, president of the Black Alps association, and general chair of #BlackAlps19.
Professor
HEIG-VD, president of Black Alps
Bug Hunting, just as any other type of hunting, requires preparation, skills, practice, and patience. Over the past 10 years, Google has been hunted by thousands of security researchers from around the world. As a result, we have paid millions of dollars for thousands of vulnerabilities in Google products and services.
But when one runs the security response team for a company of this size, you have literally millions of people trying to talk to you, and from those, one has to find a way to, first, get the noise under control, and then, find ways to grow your community to receive even more and better reports. To make this possible, we had to invest in automation, education, appreciation, recognition, entertainment and outreach - but most of all? Trust.
In this talk you'll learn about some of our favorite vulnerabilities from the last decade, and we'll show why we love this program so much. Then you'll see how we fine-tuned it to make it sustainable for 10 years. And finally, how we have used it for growing the rest of Google's product security program. This talk will go through some of our biggest failures as well as some of our most surprising insights - in the hope that you can avoid making our mistakes, and maybe get inspired by how we tackled them.
Spoilers? We support public disclosure of unfixed bugs. We pay bug hunters even when they don't find bugs. We put senior engineers in front triage. We encourage bug hunters to dispute reward decisions.
Security Engineer
Google
In Switzerland we focus our discussion mainly on cyber risks, omitting the fact that there are chances, too. In his keynote, Florian Schütz will discuss some ideas on what chances Switzerland might unlock to position itself in the digital future.
Federal Cyber Security Delegate
Swiss confederation
In our talk, we will present new security tales of wireless mice, keyboards, and presenters using 2.4 GHz radio communication that we have collected over the last two years. We want to present answers to questions left open by our previous wireless desktop set research and raise awareness of security issues and practical attacks against vulnerable wireless input devices.
Memory is full of incredible artefacts. Some of them are secrets used for security purposes, such as encryption keys. Acquiring memory and analysing it in order to find such secrets can help you get around some security measures. This talk is about a Bachelor thesis that was written this summer at HEIG-VD. It will expose the results obtained and the methodologies used to recover treasures from memory. It will then explain how to use the recovered artefacts to gain access to protected data. The research is focused on the Apple disk encryption solution, FileVault 2, and some common password managers you may be using. The work was performed on an OS X environment, but the same methodologies could be applied to different systems.
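One of the standard ways to pull an encryption key out of a memory image is the key-schedule search of Halderman et al. ("Lest We Remember", 2008): software AES keeps the expanded round keys contiguously in RAM, so every 16-byte window is tested as a candidate key and kept only if its FIPS-197 expansion matches the bytes that follow it. The example below is added here to illustrate that technique; it is not the thesis's code, and the memory image, key and offset are constructed for the example.

```python
"""Added example: locate an AES-128 key in a memory image by matching its expanded
key schedule. Image, key and offset are constructed; this is not the thesis's code."""
import random


def gf_mul(a, b):
    """Multiply in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def build_sbox():
    """Rijndael S-box: multiplicative inverse followed by the affine transform."""
    rotl = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    sbox = [0x63]  # inverse of 0 is defined as 0; affine(0) = 0x63
    for a in range(1, 256):
        inv = next(b for b in range(1, 256) if gf_mul(a, b) == 1)
        sbox.append(inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63)
    return sbox


SBOX = build_sbox()


def expand_key_128(key):
    """FIPS-197 key expansion: 16-byte key -> 176-byte schedule (11 round keys)."""
    w = [bytes(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= rcon
            rcon = gf_mul(rcon, 2)
        w.append(bytes(x ^ y for x, y in zip(w[i - 4], t)))
    return b"".join(w)


def first_expanded_word(key):
    """Only w[4] of the schedule: a cheap filter before the full expansion."""
    t = [SBOX[b] for b in key[13:16] + key[12:13]]
    t[0] ^= 1  # rcon for round 1
    return bytes(x ^ y for x, y in zip(key[0:4], t))


def find_aes128_keys(image):
    """Return (offset, key) for each 16-byte window whose full 176-byte expansion
    is laid out right after it, which is how most software AES stores round keys."""
    found = []
    for off in range(0, len(image) - 176 + 1):
        cand = image[off:off + 16]
        if first_expanded_word(cand) != image[off + 16:off + 20]:
            continue  # rejects almost every offset with one cheap check
        if expand_key_128(cand) == image[off:off + 176]:
            found.append((off, cand))
    return found


def constructed_image(key, size=4096, offset=1500, seed=1):
    """Fake memory dump: pseudo-random filler with one key schedule planted in it."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    buf[offset:offset + 176] = expand_key_128(key)
    return bytes(buf)
```

Run over a real acquisition (a raw RAM image or a hibernation file) the same scan returns the offsets of every live AES-128 schedule; AES-256 needs the 240-byte variant of the expansion but the idea is identical. The same trick does not work for keys that are only ever held in hardware registers or wiped after use, which is exactly why disk-encryption products try to minimise how long the schedule lives in RAM.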
A look back at Swisscom's bug bounty programme by a researcher who found around a hundred vulnerabilities there. The aim is to talk a little about the particularly large scope, present some statistics, and also describe a few of the vulnerabilities that were discovered.
Connected glucose sensors are a very handy way for people with diabetes to get their glucose readings and adjust their insulin treatment. How does the device work? We'll walk you through our investigation, from the PCB to the firmware, to NFC communication.
Principal security researcher
Fortinet
Fuzzing is the process of automatically feeding potentially corrupt input to a program with the goal of finding undesired behavior. While fuzzing is mostly applied to projects in memory-unsafe languages such as C and C++, it is increasingly applied to other programming languages such as Java. The goals of the fuzzing process are usually different, though, and range from finding simple errors to finding issues such as Denial of Service (DoS) or Server Side Request Forgery (SSRF). To make the fuzzing process as efficient as possible, modern approaches increasingly instrument the code and try to maximize code coverage. The JQF tool is one of the tools inspired by the well-known American Fuzzy Lop (AFL) fuzzer, and aims to bring coverage-guided fuzzing to Java. JQF allows you to integrate fuzzing into a developer's daily process by writing a simple unit test. This talk gives a short introduction, shows what kind of security issues have been found in the past, and shows how you can use the power of fuzzing in your development process.
IT security analyst
Pentagrid
The interaction between attackers and defenders is like a ping-pong game, and that is exactly how we did this research. On the offensive side, Mo will share his tools and tactics for attacking AWS infrastructure, from recon to attacks to post-exploitation on different services, with a focus on Elastic Container Service (ECS). After each attack step, Dani will explain the defensive side and the tools and tactics for hardening the AWS infrastructure, from designing a secure cloud architecture to detection to hardening specific services such as Docker containers on ECS.
One of the most important lessons from our research is the importance of the interaction between pentesters and developers/DevOps engineers, and how a few days of working side by side can help us secure our current systems and learn to develop future systems with security in mind.
Chief Technology Officer
Net Alpha Financial Systems
When a Web Application Firewall (WAF) is presented as a defensive solution to web application attacks, there is usually a decision to be made: Will this be placed inline (and risk affecting users due to outages or latency) or will it be placed out of band (not affecting users but not protecting them either). This talk will cover a different approach you can take when deciding how to use any WAF at your disposal, which is to try and get the best of both worlds, making the WAF work in passive mode out of band detecting attacks and in active mode by selectively routing traffic through your WAF to decide if it should block the request or allow it.
To achieve this you will have to abstract the WAF behind a web service, something developers are used to working with, which can result in delivering security in a targeted and scalable manner. In this network-agnostic setup, the WAF web service can grow horizontally, allowing you to enhance the WAF's decisions with your own business knowledge. This means that the decision to block, or to route traffic through the WAF at all, will depend not only on the WAF's verdict but also on data about your application and its context, which can reduce the false positive rate to the point where it practically no longer exists.
This talk will go through how such a service can be built with open source examples, what alternatives there are depending on the flexibility of the WAF used, and how this approach can be used to manually choose the false positive rate you are willing to accept and the desired business risk depending on the attack type and its possible impact.
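The design described above, as an added example that is not the speaker's code: a WAF engine wrapped in a decision function that runs in passive mode (log only) or active mode (inline, but only for requests that justify the latency), and that applies application context the WAF does not have before deciding to block. The detection rules, paths, field allow-list and roles are constructed for the example and deliberately naive; a real deployment would call out to the actual WAF instead of `waf_inspect`.

```python
"""Added example: a WAF as a decision service with passive/active modes, selective
routing, and business-context suppression of false positives. All rules and
application data here are constructed for illustration."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Deliberately naive rules standing in for the real WAF engine.
WAF_RULES = {
    "sqli": re.compile(r"(\bunion\b.+\bselect\b|'\s*or\s+1\s*=\s*1|--\s*$)", re.I),
    "xss": re.compile(r"<script\b|javascript:|onerror\s*=", re.I),
    "traversal": re.compile(r"\.\./|%2e%2e%2f", re.I),
}

# Application context the WAF itself does not have (constructed).
SENSITIVE_PATHS = {"/login", "/api/transfer", "/admin"}
SQL_LIKE_FIELDS = {("/search", "q")}   # fields that legitimately carry SQL-like text
TRUSTED_ROLES = {"admin", "support"}


@dataclass
class Request:
    path: str
    params: Dict[str, str]
    user: Optional[str] = None         # authenticated principal, if any


@dataclass
class Verdict:
    action: str                        # "allow", "log" or "block"
    hits: List[Tuple[str, str]] = field(default_factory=list)   # (rule, field)


def waf_inspect(req: Request) -> List[Tuple[str, str]]:
    """The WAF proper: run every rule over every parameter, report what fired where."""
    return [(rule, fld) for fld, value in req.params.items()
            for rule, rx in WAF_RULES.items() if rx.search(str(value))]


def should_inspect(req: Request, mode: str, roles: Dict[str, str]) -> bool:
    """Selective routing. Passive mode mirrors everything for detection; active mode
    only pays the inline latency for requests that could actually do damage."""
    if mode == "passive" or req.path in SENSITIVE_PATHS:
        return True
    return roles.get(req.user) not in TRUSTED_ROLES


def decide(req: Request, mode: str = "active",
           roles: Optional[Dict[str, str]] = None) -> Verdict:
    roles = roles or {}
    if not should_inspect(req, mode, roles):
        return Verdict("allow")
    hits = waf_inspect(req)
    if not hits:
        return Verdict("allow")
    if mode == "passive":
        return Verdict("log", hits)    # out of band: observe, never block
    # Business knowledge the WAF lacks: an SQLi hit on an allow-listed field is a
    # known false positive and is discarded before the block decision is made.
    real = [(rule, fld) for rule, fld in hits
            if not (rule == "sqli" and (req.path, fld) in SQL_LIKE_FIELDS)]
    return Verdict("block", real) if real else Verdict("allow", hits)
```

Because the decision is a plain function of (request, mode, context), it can be scaled horizontally behind a load balancer, and the false positive rate is tuned by editing the context tables rather than the WAF's signatures.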
Ethereum is a widely used cryptocurrency, handling hundreds of millions of USD worth of ether per day, and often used in decentralized application contexts. The recent hard fork, named Constantinople, introduced the new, controversial create2 opcode to the EVM specification. In this talk, I'll show how this opcode can be dangerous with a concrete attack scenario, and how users can defend themselves against it.
Security engineer / HES assistant
HEIG-VD
Techniques for computing on encrypted data are increasingly deployed by large companies, notably to build privacy-preserving, GDPR-compliant large-scale systems. We give a high-level, concise and hopefully easy-to-understand overview of the capabilities of cryptographic schemes that allow computing on encrypted data.
Cryptographer
Snap Inc.
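The simplest concrete instance of "computing on encrypted data" is an additively homomorphic scheme: the party holding the ciphertexts can add them and multiply them by known constants without ever seeing the plaintexts. The example below is added here and is not the speaker's; it implements textbook Paillier with a toy modulus built from two Mersenne primes, which is fine for showing the arithmetic but offers no security at all.

```python
"""Added example: textbook Paillier, the simplest compute-on-encrypted-data scheme.
Toy 92-bit modulus (constructed, insecure); real deployments use 2048+ bit n."""
import math
import secrets

P = 2**61 - 1   # prime (toy parameter)
Q = 2**31 - 1   # prime (toy parameter)


def keygen(p=P, q=Q):
    """Public key (n, g), private key (lambda, mu). Uses g = n + 1, so
    g^lambda mod n^2 = 1 + lambda*n and mu is simply lambda^-1 mod n."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    g = n + 1
    mu = pow((pow(g, lam, n * n) - 1) // n, -1, n)
    return (n, g), (lam, mu)


def encrypt(pk, m):
    """c = g^m * r^n mod n^2 with fresh random r, so equal plaintexts never
    produce equal ciphertexts."""
    n, g = pk
    while True:
        r = secrets.randbelow(n)
        if r > 1 and math.gcd(r, n) == 1:
            break
    return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)


def decrypt(pk, sk, c):
    """m = L(c^lambda mod n^2) * mu mod n, with L(u) = (u - 1) / n."""
    n, _ = pk
    lam, mu = sk
    return ((pow(c, lam, n * n) - 1) // n) * mu % n


def add_encrypted(pk, c1, c2):
    """E(m1) * E(m2) mod n^2 = E(m1 + m2): addition without the key."""
    n, _ = pk
    return c1 * c2 % (n * n)


def scale_encrypted(pk, c, k):
    """E(m)^k mod n^2 = E(k * m): multiplication by a known constant."""
    n, _ = pk
    return pow(c, k, n * n)


def encrypted_weighted_sum(pk, ciphertexts, weights):
    """Server side: sum_i w_i * m_i computed entirely on ciphertexts.
    1 is a valid encryption of 0 (g^0 * 1^n), so it serves as the accumulator seed."""
    acc = 1
    for c, w in zip(ciphertexts, weights):
        acc = add_encrypted(pk, acc, scale_encrypted(pk, c, w))
    return acc
```

The weighted sum is the shape of most real-world uses (aggregated statistics, private billing, secure voting tallies): the server never learns the individual values, only the key holder can open the result. What Paillier cannot do is multiply two ciphertexts together; that requires a somewhat or fully homomorphic scheme, at a much higher cost.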
Maintaining a cross-platform cryptographic library is a journey full of unexpected bugs, language-specific hacks, difficult decisions and an endless struggle to make developer-facing APIs easy to use and hard to misuse.
Product Engineer in Security & Cryptography
Cossack Labs
We frequently see the same types of security vulnerabilities appearing repeatedly over the course of a software project’s lifetime, and often across multiple projects. In this talk I’ll be discussing how security teams at companies such as Google and Microsoft use variant analysis to address this in their own software.
The field of cybersecurity has evolved very rapidly over the last three years. Qualifying training courses in cybersecurity are, for the most part, fairly recent. Experience in this field comes through a great deal of practice. How can this experience be turned into an asset for moving into new roles? Which training to choose, and with what objectives? Which skills are needed to reach specific positions in cybersecurity? How to present one's experience well in order to land the desired job and prepare for the future? It is also essential to understand the profiles expected for the new roles and to assess one's own career path in order to find the dream position.
The value of thinking through such an approach is immediate: it gives you the right tools to steer and master your own career. The new roles in this field are numerous and are sometimes more accessible than they appear. An overview of employment and training in cybersecurity and in emerging technologies will highlight the key actions to take in order to obtain the desired position.
President & Co-founder
ICON NGO
The year is 2089, Venice is under water and Bitcoin has finally replaced the dollar as the global reserve currency. Let's try to change the course of events. Verifiable Delay Functions (VDFs) are a new, fascinating cryptographic primitive that is revolutionizing the blockchain space. Notably, cryptocurrencies (Bitcoin et al.) that use consensus strategies based on Proof of Work (PoW) burn a considerable amount of electricity. The promise of a tool like a VDF is to eliminate such a plague (used in combination with Proof of Stake or other similar techniques). Many cryptocurrencies (notably Ethereum 2.0 and Chia) are currently evaluating this approach. On top of that, VDFs can be used to build verifiable lotteries, to encrypt into the future, and much more. In this talk we are going to present what a VDF is and how, due to its peculiar properties, it is actually a rare object in the mathematical universe. We will also see how to construct a simple VDF and we'll give some hints about more complex ones.
Security Researcher
Adobe
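A simple VDF, as an added example that is not the speaker's construction: repeated squaring in a group of unknown order (Wesolowski's scheme). Evaluation is T squarings that cannot be parallelised, while the proof lets a verifier check the result with a single exponentiation by a small prime. The modulus here is the product of two known Mersenne primes, chosen so the example runs offline; anyone who knows the factorisation can compute the order of the group and shortcut the delay, so a real VDF needs an RSA modulus of unknown factorisation or a class group.

```python
"""Added example: toy Wesolowski VDF over an RSA group. Parameters are constructed
and insecure (the factorisation of N is public); the protocol logic is the real one."""
import hashlib

P = 2**61 - 1          # prime (toy parameter)
Q = 2**31 - 1          # prime (toy parameter)
N = P * Q


def is_probable_prime(n):
    """Deterministic Miller-Rabin for n < 3.3e24 using the first 12 prime bases."""
    if n < 2:
        return False
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def hash_to_prime(x, y, t):
    """Fiat-Shamir challenge: a 64-bit prime l derived from the statement (x, y, T)."""
    h = hashlib.sha256(f"{x}|{y}|{t}".encode()).digest()
    l = int.from_bytes(h[:8], "big") | 1
    while not is_probable_prime(l):
        l += 2
    return l


def evaluate(x, t):
    """The sequential part: y = x^(2^T) mod N, one squaring after another.
    Knowing phi(N) would let you reduce 2^T mod phi(N) and skip the loop;
    that is exactly why the group order must be unknown."""
    y = x % N
    for _ in range(t):
        y = y * y % N
    return y


def prove(x, y, t):
    """pi = x^floor(2^T / l) mod N. The big-integer division is fine for toy T;
    real provers compute the quotient exponent on the fly in O(T) group operations."""
    l = hash_to_prime(x, y, t)
    return pow(x, (2**t) // l, N)


def verify(x, y, t, pi):
    """Check pi^l * x^(2^T mod l) == y, which follows from 2^T = q*l + r."""
    l = hash_to_prime(x, y, t)
    r = pow(2, t, l)
    return pow(pi, l, N) * pow(x, r, N) % N == y % N
```

The verifier does two modular exponentiations with 64-bit exponents regardless of T, whereas the evaluator cannot finish in fewer than T sequential squarings; that asymmetry is what makes the output usable as an unpredictable-but-verifiable source of randomness for lotteries and leader election.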
PatrOwl is an Open Source, adaptive and scalable Security Operations Orchestration Platform. The main objective is to provide a continuous and full-stack risk overview of your assets, using open-source tools, commercial solutions or custom scripts.
In the UK, railway rolling stock is within the scope of NIS. This is a new challenge to the industry, and Arriva has been at the forefront of responding to it. There are many challenges, and responsibilities are not entirely clear, but lessons have been learned that Arriva can share.
Digital Train Programme Manager
Arriva UK Trains
The information security of cyber-physical systems, often referred to as operational technology (OT), is a growing concern not only for companies that use OT in their daily activities but for society in general. The impact of cyber incidents on companies often takes on new dimensions when availability is critical, as is commonly the case with OT, well illustrated by the 2017 case of shipping company Maersk. The same incident also had a societal aspect, leaving many people in Kiev stranded as public transport, the airport and petrol stations were affected.
For companies such as the Nederlandse Spoorwegen (NS), where OT has a physical safety component, the impacts on society and the company can be even greater. The safety of our passengers is paramount, so we must ask ourselves whether OT systems are compromising our safety levels. Within this context, the NS has been working on maturing information security for OT, specifically for rolling stock (train) cyber security. Due to new developments, such as the introduction of the European Rail Traffic Management System (ERTMS) and the NIS directive, the need to address OT security is continually increasing in a high-impact area.
This growing need provides new challenges for the NS information security team. While most of the team members are experienced information security professionals, their experience in the OT domain is still limited. As a result, they have to mature information security for the OT domain while exploring and mastering this new domain.
This presentation will describe differences between information security for IT and information security for OT. These not only stem from differences in the specific information assets to be addressed, but more importantly from differences in culture, background of decision makers and governance. Nevertheless, there are more similarities than differences. Making optimal use of the similarities while respecting the differences is the key to success.
Information Security Officer
Nederlandse Spoorwegen (NS)
Cryptocurrencies and blockchains are still relatively new, and there have been plenty of news stories about people losing money through compromises in various components making up a blockchain ecosystem. Those components include base blockchain infrastructure, smart contracts, DApps and wallets.
Topics explored during this workshop:
Senior Security Engineer
Kudelski Security
This is a workshop about cryptography that aims to be as little about cryptography as possible, in order to focus on what matters for engineers and application builders: protecting their data and information—be it in transit, on endpoints, or in databases. We'll first review the general principles (what encryption really means, and why it's harder than it looks), and then provide recommendations of tools, APIs, and software to deploy state-of-the-art yet easy-to-use cryptography in your applications.
Product Engineer in Security & Cryptography
Cossack Labs
This year's badge is already packed with lots of features, but what if you want to add your very own feature to it? If so, feel free to hop into this workshop and learn how to program the badge to your liking. Maybe you'll learn something cool in the process?
This workshop is 100% hands-on, with very few slides, lots of programming and (hopefully!) fun.
Have a cool idea? Want to work with others on a bigger project? Join in!
# Prerequisites
- A laptop
- A micro-USB cable
Security researcher
Kudelski Security
A system indexes files by MD5. How secure is it?
This workshop is an introduction to file manipulation, hash collision attacks, and how to combine both to exploit them. It doesn't require any cryptographic knowledge.
It covers all existing hash collision attacks for MD5 and SHA1:
Infosec engineer
Google
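To make the opening question concrete, the following added example (not the workshop's material) uses the published Wang et al. MD5 collision pair: two 128-byte blocks that differ in six bytes yet hash to the same MD5. Because the collision is an identical-prefix collision under the standard IV, appending the same suffix to both blocks preserves it, so the attacker can wrap each block in otherwise identical file content. The "reviewed file" allow-list is constructed for the example.

```python
"""Added example: an MD5-keyed index lets a reviewed file be swapped for a different
one with the same key. The two blocks are the published Wang et al. collision pair."""
import hashlib

COLLIDING_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70")
COLLIDING_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70")

# Constructed suffix: any bytes appended to BOTH blocks keep the collision,
# because after the two blocks the MD5 internal state is identical.
SUFFIX = b"\n-- trailing file content shared by both versions --\n"


def differing_offsets(a, b):
    """Byte positions where the two collision blocks differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def digest(algo, data):
    return hashlib.new(algo, data).hexdigest()


def approve_then_substitute(algo):
    """Model of a review pipeline keyed by a hash: file A is reviewed and its hash
    allow-listed; later file B is presented. Returns whether B is accepted as A."""
    reviewed = COLLIDING_A + SUFFIX
    substituted = COLLIDING_B + SUFFIX
    approved_hashes = {digest(algo, reviewed)}
    return digest(algo, substituted) in approved_hashes


def dedup_store_returns_wrong_file(algo):
    """Model of a content-addressed store with first-writer-wins dedup:
    uploading B after A hands B's key back, but a fetch by that key returns A."""
    store = {}
    a, b = COLLIDING_A + SUFFIX, COLLIDING_B + SUFFIX
    store.setdefault(digest(algo, a), a)
    key_b = digest(algo, b)
    store.setdefault(key_b, b)
    return store[key_b] != b
```

Under MD5 both functions return True: the hash is no longer a name for one specific file. Keying the same index by SHA-256 makes both return False, and it also shows the practical check: if an existing system is stuck on MD5, verify that two objects with equal digests are byte-for-byte equal before treating them as the same object.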
This training is based on the new Hacking-Lab 2.0 platform (hacking-lab.com), providing an online lab with several hundred different security challenges. Participants in this training will be granted access to several challenges in Hacking-Lab, where they can exercise their skills or learn with step-by-step instructions on how to exploit vulnerable web applications. After a common introduction, participants can select the desired difficulty level and solve the proposed challenges at their own pace, with the support of the trainers. A LiveCD environment, including all required tools, is provided as the working environment. Participants are required to bring their own laptop with the provided virtual machine image installed (available at media.hacking-lab.com).
This training is open to anyone interested in IT security (e.g. application developers, system administrators, CISOs, etc.). The technical level is pretty much open; the trainers provide individual support to the participants during the training. To work with the lab environment, participants are expected to have basic experience with the Linux command line and basic knowledge of the HTTP protocol.
Requirements for participants:
Security Analyst
Compass Security Schweiz AG
Security Analyst
Compass Security Schweiz AG
Call For Proposals: Talks and Workshops
The submission process is now closed (it was open until 31 July 2019).
The Program committee is composed of internationally renowned experts in the field, responsible for building a high-quality program. They collect the proposals and select the most outstanding ones.