PRESENTATIONS
GitHub Actions Security Landscape
GitHub Actions, the recent (from 2018) CI/CD addition to the popular source control system, is becoming an increasingly popular DevOps tool, mainly due to its rich marketplace and simple integration. As part of our research into the GitHub Actions security landscape, we found that writing a perfectly secure GitHub Actions workflow is far from easy: several pitfalls can have severe security consequences.
Unless developers are deeply familiar with GitHub's best-practice documentation, their workflows are likely to contain mistakes. Such mistakes are costly, and can pose a supply-chain risk to the product.
During the talk, we will walk you through how we found and disclosed vulnerable workflows in several popular open-source tools, delve into the GitHub Actions architecture to understand the possible consequences of these vulnerabilities, and present possible mitigations for such issues.
Automating False Positive Whack-a-Mole with Real-Time Behavioral Analytics
Security Operations Centers (SOCs) strive to provide an infallible line of defense for their customers against targeted attacks and malware lurking in cyberspace. For that, several security sensors are used to flag any suspicious activity, ensuring that even needle-in-the-haystack attacks are caught. However, not every suspicious event is truly malicious.
As such, these detectors can quickly generate an overwhelming influx of alerts for SOC analysts to inspect.
Thousands of alerts must be manually sifted through every single day, of which only a minute proportion are truly relevant alerts that require action. In an endeavor to help analysts strike a balance between thoroughly protecting their customers and controlling the alert firehose, we present a lightweight system that automates this grueling process. It triages critical alerts while filtering out false alarms.
Our approach leverages the historical context around alerts across the underlying heterogeneous detector technologies and serviced organizations. Using these signals, the model automatically filters out more than 52% of the noisy false alerts daily compared to the existing manual workflow, while successfully prioritizing more than 90% of the true critical alerts and bringing them to analysts' attention.
Breaking the Bridge: Hacking Wrapped Coins and Tokens
As more cross-chain projects come out in the blockchain space, we often see them getting breached by new types of bridge vulnerabilities (think of the Wrapped ETH hack, where $320 million was lost). This is where the so-called "Web3.0" and "Web2.0" meet. Most exploitation methods rely on a combination of smart contract functions and functionality typically provided by web servers. We will look into how these complex systems can be hacked and propose truly decentralized solutions.
How Crypto Libraries Effect a DoS Attack?
The Diffie-Hellman key exchange is affected by the D(HE)at vulnerability (CVE-2002-20001), a DoS attack that forces the server to compute the CPU-intensive part of the mechanism, seriously overloading it. Of course, the effectiveness of the attack depends on the key sizes, the cryptographic protocol used, and the server application, but it also depends heavily on the cryptographic library implementation.
There are significant differences between crypto libraries in how little bandwidth is sufficient to consume a whole CPU core on a server. I will demo how a server implementing the TLS, SSH, or IPsec protocol can be overloaded, and how the peculiarities of the crypto implementation influence the vulnerability.
How to Get Your Laptop Stolen – and How to Get it Back?
Recording was not allowed for this presentation.
Tobias was testing an "anti-theft software" for laptops on a German TV show when it turned out that finding a real thief is not that easy. The story finally got out of hand when a brutal criminal and a bodyguard entered the scene. But the person who ended up spreading the most fear surprised everyone. Unfortunately, the funny parts of this shoot could not be broadcast on TV ... but they will be part of this lecture. So take your seat and fasten your seatbelt while you listen to this hilarious story, in which nothing went as planned!
Offensive Rust Tales
In connection with an internal red team task, I designed and built a Rust-based Windows application that avoids and circumvents all current protections on a 100% fresh Windows 10 machine. Protections I had to avoid: automatic sandbox analysis, Chrome browser protection, antivirus, endpoint protection, firewalls, and other built-in Windows 10 protections. The goal was to implement a non-persistent offensive tool that creates the smallest possible footprint in the background, thus reducing the risk of being detected and analyzed. The presentation describes the development process, the components used, as well as the problems that may arise and their solutions (along with some key moments in a video demo).
Hackers in the War: Roundtable Discussion (HUN)
Hacktivism has always existed and always will. More precisely, there will always be fiery-spirited young people who live out their criticism of the system, or their patriotism, through the tools of hacking. If a country consciously strives to integrate these young people into its national defense, as the great powers do, offensive cyber capabilities can be built even in the short term.
According to a survey conducted at the 2012 Hacktivity conference, 59% of people in Hungary working in or interested in information security would serve their country even for free, while 27% would ask for money to do so. Only 14% answered that they would not take part in national defense. Although the survey is old, it could presumably still be possible to recruit successfully from among Hungarian hackers, which, with conscious planning, could be an important element in developing Hungary's cyber-warfare capabilities. But what is the situation in 2022?
And what does the Russian-Ukrainian war tell us about hacktivist groups in the first place? This is what we will explore in the roundtable discussion.
Acceptable Use of Internet; Categorizing The Web at Scale
Because of the prevalence of watering-hole attacks, drive-by downloads, and browser exploits, the security of an organization is partly a function of the kinds of content its employees browse. The content of those websites ranges widely, from pages that enable social networking to sites that engage in sharing protected intellectual property. To help organizations profile the risk of their employees' internet usage, we have developed a neural network approach to web content classification in support of security goals.
Introducing web controls can prevent employees from accessing pages that have inappropriate content, pose a risk of legal liability, or simply have a negative impact on productivity. Here we demonstrate that we can effectively expand the coverage of a blocklist for 80 distinct categories by building a machine learning model, using only the URL as input, that can accurately predict the category of previously unseen websites.
Abusing ICMPv6 to Manipulate Network Traffic
ICMP is the Internet Control Message Protocol, and as its name indicates, it has the capability to control the flow of traffic at the network layer. This means that certain scenarios, such as network congestion, an unreachable destination, or excessive packet size, are properly communicated and sometimes even remediated by ICMP. ICMP is no exception when it comes to the abuse of powerful capabilities: a malicious actor can craft ICMP packets and manipulate the flow of legitimate network traffic.
This presentation dissects two proofs of concept: one attack injects an arbitrary IPv6 route, whereas the other sends a request to redirect all traffic via a router controlled by the attacker. The attack works against Windows (2012/2016/2019) as well as CentOS 7 and is executed through the proof-of-concept script. Even more interesting is that both attacks abuse fully legitimate protocol functionality. The attacking scripts do not create any complicated application payloads or corrupted headers. They simply abuse the protocol logic and the relaxed default settings of the Windows and CentOS operating systems to compromise them.
The InsideR x ThreaT
RATs, ransomware, APT espionage and vulnerabilities are all part of a blue team's ongoing concerns; on the other hand, "The Insider Threat" is probably one of the most overlooked areas for those teams around the world. Insider stories have been with us forever, with examples like Anat Kam and Edward Snowden, and while the topic is ALWAYS floating in the back of our heads as defenders, we fall short in thinking of creative ways to proactively identify rogue personnel.
In this talk, we will present the audience with different methods of using their EDR solutions not solely to spot threat actors, but also to utilize the collected data to hunt for the next insider within their organization. We will, of course, share unique threat hunting ideas and concepts that we believe will help organizations worldwide cover this blind spot.
Injections… again?
In the most recent OWASP Top 10, the Injection category finally moved from first position to a still respectable third place. Why is this category such an unkillable problem, and why do people dismiss it despite its prevalence?
In this talk we dive into the jungle of injection attacks and avoid the obvious. If you are interested in the diverse species in this group, pop in for a lightweight talk!
Bug Bounty Recon The Right Way
When it comes to web application security testing and bug hunting, reconnaissance is a crucial step in identifying the right path to spotting vulnerabilities. Deep manual recon has led to serious bugs being discovered in a short amount of time. On the other hand, some people use automation in this process with the intention of speeding it up and not spending too much time understanding the organization and the technologies it uses.
In this talk we are going to cover the (unique) ways and methods to perform a healthy recon process on a bug bounty program. We will also cover some real-world examples of bugs found using different recon techniques, as well as some tips to enhance your search methodology.