#BlackAlps2017 was an event enabling to discuss the latest threats, mitigations and advances in cyber security. The event features cyber security experts from Switzerland and abroad. It is addressed to anyone with an interest in cyber security or connected to the internet, e.g., CEOs, CIOs, CISO, CTOs, developers, and researchers.
Black Alps was held the Wednesday 15th and Thursday 16th November 2017 in Y-PARC, Switzerland.
Black Alps offered several talks on very hot topics. The program committee is composed of international experts and guarantees a high-quality program.
Black Alps also offered workshops allowing participants to deepen their knowledge in specific domains.
Talks and workshops were organized on two distinct tracks:
The two tracks was recorded and broadcasted on youtube (except sensitive talks).
The event was a great opportuninty for the participants to meet people and to expand their network. Several coffee breaks, lunches and aperitifs were organized. In addition, two evenings were held in stylish places. These moments are perfect to get the best out of networking.
Black Alps offered the possibility to extend the experience by participating to three side events:
Capture The Flag (CTF) is a game-like competition where participants are required to solve various cyber security challenges, such as attacking a Website, reverse engineering and/or exploiting an appliaction, and many others.
This was an unique side event for celebrating the 10th years of the HEIG-VD, the fusion of HEG and EI-VD. This events was not focus on technical aspects, but on political and industrial aspects around cyber security. The cyber security team also presented the Bachelor and Master degrees as well as several R&D projects in Information Security.
A corporate event was organized on a specific topic: Entreprise en cyber-danger ! Comment se défendre ? (2015: data privacy, 2016: blockchain). Several presentations, including startups, was offered to participants.
15-16 November 2017, Y-PARC, Yverdon-les-Bains, Switzerland
Very nice event and knowlegable people !
Great organization, everything worked smoothly.
It was my first time and I hope to attend again in the future.
Great talks and networking. Catering was impressive.
Friendly, nice organisation, staff available and committed to attendance and sponsors, great hotel.
You can access the records of the talks on our channel.
It takes time to build a mature security program, particularly at rapidly-growing companies that are innovating. In addition, cloud computing enables innovation and scale but does not necessarily simplify a company’s security needs and strategy. In this keynote, we look at some of the security and privacy challenges that young companies face today. We share some anecdotes and lessons learned from our own experiences as we grew rapidly in a cloud-first environment.
Chief Security Officer
This presentation will try to present and illustrate the evolution of the IT-security landscape in Switzerland. What challenges we had to face, what are the ones we still need to address.
Scannerl (https://github.com/kudelskisecurity/scannerl) is a modular distributed fingerprinting engine implemented by Kudelski Security. It can fingerprint thousands of targets on a single host, but can just as easily be distributed across multiple hosts by leveraging the power of Erlang and its actor model.
With the growing expansion of the IoT, proximity technologies are becoming more and more important to interact with things around us. Apple and Google have released their own beacon protocol, namely iBeacon and Eddystone, but are they really secure for any kind of use? We will study thoroughly both protocols and their capabilities, and discuss several vulnerabilites, illustrating them with live demos. Additionally, we will see that future protocols will unfortunately allow very long-range fingerprinting and attacks on most IoT devices, so we will give recommendations to reduce these threats.
Information Security Consultant
Econocom Digital Security
Locky born early 2016 had quickly become one of the prevalent pieces of ransomware in the wild having massive campaigns that landed on at least 90,000 PCs per day  around the world on its early debut. It was clear during that time that Locky would be a major ransomware threat that both end-users and enterprises would be facing.
More than a year and a half later, Locky continues its massive ransomware attacks at a scale of 23 million infected emails being circulated in just 24 hours . Locky also holds majority of the ransomware profit with a conservative figure of $7.8 million  in it’s less than 2 years of operation. The more revenue Locky ransomware generates, equates to more it can invest in it being effective and being distributed more widely.
The talk will detail the result of the continuous monitoring of Locky. This will delve into the technical details of the Locky ransomware. It will focus on three technical aspects: its system behaviour, its configuration, and C&C communication.
Initially, the topic will talk about Locky’s prevalence in the wild and how it behaves on landing on a PC. An overview on the timeline of Locky’s changes and improvements to remain effective will be presented.
The talk will also have a detailed understanding of the configuration of Locky, this would include the automation on extracting said configuration.
The talk will also explore Locky’s obfuscated C&C communications including its parameters, encryption and decryption. As a result of these findings we will have a better understanding on how Locky communicates to its C&C and the data being sent on every request.
Finally, using the technical knowledge acquired in the research, the talk will conclude with some insights into Locky's operation and how these findings ultimately translate to actionable threat intelligence that can be used to protect users.
This research has been co-authored by the speaker and his teammate Floser Bacurio Jr.
Over the year, Java Specification Requests have been appeared such JSR 241 (Groovy) or JSR-245 (Unified Expression Language) to fit some needs like scripting, separating Java code in controllers from view and to allow easier access to Java components in MVC web applications.
Different libraries have been developed to implement these requests and all of them allow runtime code execution in some of their functions. Developers willing to support functionalities needing runtime execution have heavily used them. This wide usage and the lack of knowledge of developers on the sensitivity of these functions have led to the introduction of notable remote code execution vulnerabilities.
During this presentation we will cover the different libraries by showing previous vulnerabilities that affected applications using them. We will also cover how to safely use these libraries.
When a hash function is first broken,
the restrictions on the colliding PoCs pair are very complex:
it’s not uncommon that the first public PoCs are just random-looking blocks,
with no impact whatsoever on any system, besides being different and with the same hash.
In some cases, an identical prefix can be present on the start of both files of the colliding pair,
and the collisions blocks are calculated on this exact prefix.
It’s then possible to plan in advance a file structure, and craft a prefix that,
despite all the randomness of the collision blocks, will lead to a pair of valid files,
reliably working, with different and arbitrary contents.
A world of prettifying academic results to convince people to deprecate algorithms, where file formats rules have to be bend to play along with cryptographic restrictions, where PoCs are planned several years before they can be implemented, with a lot of computing power at stake.
JSON is the de facto standard when it comes to (un)serialising and exchanging data in web and mobile applications. But how well do you really know JSON?
I examined closely JSON specifications, wrote a corpus of test cases and tested various libraries against them. It turns out that JSON is not an easy and harmless format as many do believe. Indeed, I did not find two libraries that exhibit the very same behaviour.
Moreover, I found that edge cases and maliciously crafted payloads can cause bugs, crashes and denial of services, including a stack overflow in SQLite. This is because JSON libraries rely on specifications that have evolved over time and that left many details loosely specified or not specified at all.
This talk shows how to find bugs by reading RFCs and raises awareness about the risks of simple specifications.
In Switzerland, the revision of the Data Protection Act will introduce a data breach notification obligation when personal data are at stake, similar to what prevails in most US States and what will be the standard in the EU with the GDPR. This is a huge change of paradigm.
Companies shall be ready and trained to face those new obligations. However, they first need to understand what is mandatory and the risks they are facing. Not disclosing a breach when required is a criminal offense, but the company often does not want to disclose a breach if this is not necessary, or simply prefer to disclose it latter.
We will cover the upcoming legal obligations applicable mainly to Swiss based organizations and the best practices to implement.
95% of Fortune 500 companies use active directory services, I will share attacks around Active Directory environment, and more specifically how to detect and prevent these actively without giving links to multi-million product vendors. These mitigations are taken from the last 10 years of real world scenarios and my study around this subject.
These are assured takeaways to help your network without much fuss in terms of time and resource investment. C'mon, the humble AD needs your help!
Director & Managing Consultant
The HydraBus is an evolutive multi-tool hardware which help you to Analyze/Debug/Hack/PenTest all types of electronic bus/chipset.
HydraBus is here because today we have plenty of IoT embedded hardware without having good open tools to analyze/debug/hack or test them.
This talk will focus on the hardware and mainly embedded open source firmware(hydrafw) / user commands features to be used by any guys interested in embedded hardware hacking from beginner to experienced hacker.
Head of Cyber
.NET is an increasingly important component of the Microsoft ecosystem providing a shared framework. Many Microsoft tools, such as PowerShell, rely on the .NET platform for their functionality. Obviously, this makes .NET an enticing language for malware developers too. Hence, malware researchers must also be familiar with the language and have the necessary skills to analyse malicious software that runs on the platform. During the presentation, I will explain how to automate .NET analysis with WinDBG the Microsoft debugger. To illustrate my talk, I will show how to analyse PowerShell scripts with WinDBG and how to automatically unpack a .NET packer family discovered recently. The presentation includes several live demo on WinDBG usage in this specific context.
Senior Software Engineer
Threat modelling is about using models to find security problems. In other words, it provides a methodical approach to performing a security evaluation. Some of the existing models such as Adam Shostack's STRIDE have become popular within the software development industry. Thus, threat modelling is today considered as a key activitty within secure software development methodologies. In this presentation, we propose to provide return on experiencce about how threat modelling can be leveraged in organisations to perform risk assessments and improve security management. Available methodologic variants, expected benefits of threat modelling, approach limitations and possible issues, existing tools, we will try to draw an accurate picture of where threat modelling currently stands. The presentation will be illustrated by concrete examples. As a second step we will explore possibilities to industrialise threat modelling, integrate it into a global risk management framework and make it an efficient process in the corporate environment for the sake of information security.
Information Security Consultant
ELCA Informatique SA
The Turla actor group has successfully attacked the MFA in Switzerland as well as defense company RUAG. Since then, GovCERT.ch has been analyzing the tactics and toolbox of this group. We are going to present the malware involved, detection possibilities, as well as defense strategies. The talk is based mainly on the already published report about the Ruag incident (https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case).
This talk is held under TLP RED, so no recording or broadcasting possible.
DDoS attacks are one of the most prominent threats on the Internet nowadays. In this talk, we explore how hackers exploit servers with weak SSH credentials to build an army of botnets, later used to run high-volume DDoS attacks. After showcasing an experimentation where a honeypot was used to understand the attack pattern and collect relevant malware samples, we reverse engineer the Xor DDoS malware and break down its obfuscation mechanisms, the communication with its command and control server, and how it spreads in a vulnerable system.
The voting and election processes are the backbone of Swiss democracy and threats to those processes are not to be taken lightly. For this reason, the Federal Chancellery introduced new rules and requirements on Internet Voting systems back in 2014, defining thresholds on the availability of Internet Voting, subjected to three increasing compliance levels.
This talk will introduce some of the security properties defined in the federal requirements, and summarize the work done in collaboration between the eVoting group at the Berner Fachhochschule and the State of Geneva.
Etat de Genève
Suhosin is a great php module, but unfortunately, it's getting old, new ways have been found to compromise php applications, and some aren't working anymore; and it doesn't play well with the shiny new php7. As a secure web-hosting company, we needed a reliable and future-proof solution to address the flow of new vulnerabilities that are published every day. This is why we developed Snuffleupagus, a new (and open-source!) php security module, that provides several features that we needed: passively killing several php-specific bug classes, but also implementing virtual-patching at the PHP level, allowing to patch vulnerabilities in a precise, false-positive-free, ultra-low overhead way, without even touching the applications' code.
A l'heure actuelle, l'entreprise est une cible de choix pour des attaquants aux modes opératoires et buts variés, allant de l'espionnage à la criminalité au sens strict du terme. La présentation visera à dresser un état des lieux des cyberattaques en cours en Suisse actuellement. Elle s'attachera également à clarifier le champ d'activité et les possibilités d'action de MELANI face à cette menace.
Cette intervention présentera les défis et les réponses mises en œuvre par le Canton pour faire face à l’évolution des cyber-risques.
Attentif à l’évolution de ces menaces, le canton de Vaud est aujourd’hui un canton leader de Suisse en matière de cyber-sécurité. Pour rappel, l’Etat de Vaud dispose depuis 2015 de son propre centre de sécurité informatique : le Security Operation Center (SOC). Ce service veille en mode 7/24 sur ces cyber-risques et se tient prêt à intervenir pour réduire l’impact des incidents de sécurité.
Etat de Vaud
Cette présentation illustrera l’intérêt d’une solution de type MDR (managed detection response).
Today we know that breaches are inevitable and when they are finally detected, it’s usually too late: enterprise data is already stolen, corrupted, or destroyed. The overwhelming majority of these attacks happen through endpoints because (1) endpoints grant access to data and (2) attackers have plenty of ways to break into endpoints, like phishing, social engineering, malware, and dozens more. So how do you protect enterprise data when endpoints get breached? This talk will introduce the concept of a data firewall that allows organizations to monitor, control, and regulate access to sensitive information, and protect them against all forms of data theft, compromise and ransomware even under breach conditions. A data firewall isolates critical data from threats even after an endpoint or the network has been breached, long before the attack can be discovered and remediated. This technology has been validated through issued patents and powered one of the finalists of the U.S. Department of Defense’s DARPA’s Cyber Grand Challenge.
Chief Operations Officer
This training is based on the Hacking-Lab platform (hacking-lab.com), providing an online lab with several hundreds of different security challenges. Participants of this training will be granted access to several challenges in Hacking-Lab, where they can exercise their skills or learn with step-by-step instructions on how to exploit vulnerable web applications. After a common introduction, participants can select the desired difficulty level and solve the proposed challenges at their own pace, with the support of the trainers. A LiveCD environment, including all required tools, is provided as working environment. Participants are required to bring their own laptop with the provided virtual machine image installed (available at media.hacking-lab.com).
This training is open to anyone interested in IT security (e.g. application developers, system administrators, CISOs, etc). The technical level is pretty much open, the trainers provide individual support to the participants during the training. To work with the lab environment, participants are expected to have basic experience working with the linux command line and also have basic knowledge of the HTTP protocol.
Requirements for participants:
Destiné aussi aux cadres de PME possédant peu de compétences informatiques, cet atelier prends le pouls d'organisations médicales pour la conformité aux LPD et GDPR (RGPD).
Des variantess de techniques connues (cf. parties initiales de penetration testing) permettent l'analyse de données accessibles publiquement, des deux points de vue 'défense' et 'attaque', selon l'angle légal.
Les participants à l’atelier seront encouragés à former si possible des duos de compétences sur place (IT + management en entreprise) et prolonger sur leur laptop avec d'autres exemples.
The workshop is the continuation of the talk Hydrabus : Lowering the entry fee to the IoT bugfest where the attendance will be able to try by themselves practical examples of physical attacks on small challenges.
A VirtualBox image will be provided so it's highly advised to come with a laptop ready to run such an image. Notions in C language are strongly recommended. The workshop will be organized with a maximum of ten people.
Requirements for participants:
Call For Proposals: Talks and Workshops
The submission process is now closed (it was open until 31 July 2017).
The Program committee is composed of internationally renowned experts in the field responsible for building a program of quality. They will collect the proposals and select the most outstanding ones.