Abstracts and Bios

Keynote: Complexity didn’t kill the cat

Today, we build and use complex systems that we no longer fully understand. Past assumptions are no longer valid, and complete prevention is unattainable. It’s time to challenge our assumptions about complexity and how to handle uncertainty. Not seeing a cyber-attack coming is excusable. Building something fragile to them is not.

Bio: Stefan Frei [Website]

For more than 20 years Stefan Frei has been working in cyber security at the interface of society, economy, and technology – on both the offensive and defenders’ side. He worked in the areas of penetration testing, security architecture, security research, and threat modelling at home and abroad. Stefan has a long track record of explaining and predicting emerging cyber threats & solutions.

Stefan Frei works for SDX Security and teaches Cyber Security at ETH Zurich. His past employers include Accenture Security, Swisscom, NSS Labs, Secunia, and ISS X-Force.

Lessons Learned From Finding My First CVE

Earlier this year, after being inspired by Dubflow’s article describing how to dork GitHub for CVEs, I decided to embark on the journey to find my first. Knowing little about code review, and even less about the pains of setting up FOSS programs, I dove head first and brute forced my way towards finding three in one project! Whilst it felt like an accomplishment at the time, I quickly came to realize that there were many steps along the way that could have improved my processes, sped things up, and landed me far more CVEs!

Through my presentation I will take the audience from my humble beginnings as someone first starting this journey, describing the pains and their solutions, so that they may be able to find their first CVE. I will highlight the GitHub dorks created by Dubflow, explain why ChatGPT sucks for security code review, detail the “Security Research Mindset” (first illustrated best by Mark Dowd), cover the roadblocks I encountered when first setting up a project for analysis, and drill into the importance of note taking.

Bio: Julian [LinkedIn]

Penetration tester by day, Julian identifies vulnerabilities to exploit for a wide range of clients. OSINT enthusiast by night, Julian follows emerging threats to the Western world.

APT28: Following bear tracks back to the cave

In May 2024, the German Federal Government publicly condemned cyber espionage operations carried out by a Russian state-sponsored group. We track this group as ITG05, sharing overlaps with APT28, UAC-0028, Forest Blizzard and Fancy Bear. In addition to Germany, a large number of NATO member states as well as Ukraine have been subject to long-term intelligence gathering missions executed by ITG05. ITG05 is also linked to the hack of the German Bundestag in 2015 as well as the attacks targeting the 2016 US presidential elections.

In this talk we will cover all aspects of ITG05’s most recent campaigns, carefully following the timeline of evolving TTPs resulting from shifts in priorities and resources. The most recent lures are indicative of high-profile targets across the globe, and the continuous improvement of malware deployment and capabilities is evidence of the significant threat posed by ITG05. The audience will experience an in-depth analysis tracing malware such as Headlace, Masepie and Oceanmap back to their origins. Finally, we will take a quick peek into the crystal ball and discuss what the future might hold.

Bio: Golo Mühr [LinkedIn]

Golo is a malware reverse engineer and threat researcher with IBM X-Force, where he spends his time digging into the dark arts of cybercrime. With a passion for tracking threats, he’s developed expertise in analyzing and reporting on a wide variety of maliciousness, ranging from banking trojans and botnets to high-profile ransomware and nation state actors. He is dedicated to sharing his research to help others stay ahead of emerging threats.

The Pitfalls of Poor Remediation: How Companies Sabotage Incident Response Efforts

In this presentation, we will explore the critical missteps organizations often make during the remediation phase of a cyber incident. We’ll examine real-world examples and analyze how these errors not only undermine incident response efforts but also exacerbate the impact of the incident. Attendees will gain insights into common pitfalls and learn best practices to ensure their remediation strategies are effective, efficient, and ultimately, successful in mitigating cyber threats.

Bio: Giorgio Perticone [LinkedIn]

Cyber Security Consultant obsessed with the idea of playing detective in front of a PC, catching bad (cyber) guys and saving (business) damsels in distress. Active player for various community projects, he recently started hosting a CyberSecurity Podcast called SECURITYbreak.

Cloud-Conscious Tactics, Techniques, and Procedures (TTPs) – An Overview

Cloud security incidents have increased significantly in recent years, with cloud-conscious attacks more than doubling in 2023 according to CrowdStrike Intelligence statistics. Based on over 120 cases sourced from CrowdStrike incident response, managed threat hunting, and managed SOC services, which are highly reflective of the actual threat environment that companies face every day, this talk gives an overview of the most common tactics, techniques, and procedures (TTPs) that adversaries use when compromising the cloud. We will be looking into two incident response cases where actors gain unauthorized access, exfiltrate data, and deploy ransomware.
Defenders walk away from this talk with a clear picture of what the most common techniques are, how to hunt for the presented techniques, and how to defend against them.

Bio: Sebastian Walla [LinkedIn] [@SebastianWalla]

Sebastian Walla is an expert in Cloud Threat Intelligence. He is the deputy manager of the Emerging Threats team focusing on Cloud Threat Intelligence at CrowdStrike. Sebastian worked as a reverse engineer for four years and has been focusing on cloud intrusions for a couple of years. Sebastian studied Cybersecurity, has a Master’s in Computer Science, and published a paper on automatically identifying and exploiting tarpit vulnerabilities to fight malware. He further holds the GREM and GCLD certifications and presented at Euro S&P 2019 and Fal.Con 2023.

Now I See You: Pwning the Synology BC500 Camera

Data privacy and network security are threatened by the rapid spread of Internet-connected devices. This includes IP cameras which can be found in both residential and commercial environments. This talk outlines step by step how we successfully hacked the Synology BC500 IP camera for Pwn2Own 2023 Toronto.

Bio: Emanuele Barbeno [LinkedIn]

Emanuele has 10 years of experience working in the area of IT security and has been an IT Security Analyst at Compass Security since 2019. As part of Compass Security’s offensive security team, Emanuele conducts security analysis of web applications, external and internal networks, cloud infrastructures, as well as Android applications. Emanuele has responsibly disclosed vulnerabilities in different open source libraries and products, among others in products from Microsoft and Alibaba. He is also responsible for giving various security-related trainings at Compass Security, such as web application security and internal network security with a focus on Active Directory.

Bio: Yves Bieri [LinkedIn]

Yves studied Computer Science at ETH Zurich and holds a Master’s in Information Security. He has been working as an IT Security Analyst at Compass Security since 2019. In his job, he performs security analysis of web applications, external networks, cloud infrastructures, as well as iOS applications. Additionally, he is a teacher for web application and Active Directory security trainings and has been presenting talks at security conferences. In his spare time, Yves plays CTFs focusing on binary exploitation. He has won the Defcon CTF as part of team MMM multiple times and is a Defcon black badge holder.

GitFlops: Breaking Terraform Lifecycle Management Tools

Terraform is the go-to Infrastructure-as-Code tool used by the majority of DevOps and SRE teams to manage their infrastructure. In this talk we present a fundamental problem with the typical Terraform lifecycle, to which every Terraform Lifecycle Management tool we reviewed is vulnerable. Platforms such as HashiCorp Cloud and Atlantis provide elegant ways to automate working with Terraform; however, the default configuration of these platforms is exposing thousands of organizations to a full compromise of the environment which Terraform is responsible for managing. After this talk both attackers and defenders will be equipped to better understand the security landscape of using Terraform at an enterprise level.

Bio: Elliot Ward

Elliot is a senior security researcher at software security company Snyk. He has a background in software engineering and application security.

Leveraging OSINT Techniques to help locate Missing Persons – Insights from TraceLabs Search Party CTF

Having been part of a team that came 7th out of 220 teams in one of the Trace Labs Search Party CTFs, this talk will explore what TraceLabs is, as well as some OSINT techniques and tools used for investigating real Missing Persons cases. We will also walk through a methodology that our team worked out after participating in the search party a few times.
This CTF is truly one of the most meaningful CTFs to ever exist. Missing people statistics show a huge number each year, so let’s make a big difference with our skills!

Bio: Anna Mazurkiewicz [LinkedIn]

Currently a SOC Manager at Quorum Cyber, with diverse work experience spanning various industries and roles. Anna currently lives in Scotland, UK and is originally from Poland. Apart from being very interested in the human factor in security, she is also a huge OSINT enthusiast and enjoys learning more about anything malicious in cybersecurity.

What I learned about BLE while writing the Firmware for the 2024 Area41 Badge

When starting on the firmware for the Area41 2024 Badge, we were surprised how easy it is to have fun with BLE on an embedded platform. And then we started to understand how simple it is to announce phantom devices, like new, unconfigured TVs. Or that your next mouse jiggler is just a few lines of code away.

Bio: Adrian Wiesmann [Mastodon]

Adrian wants to understand how things work. To do this, he takes these things apart and takes a close look at the individual parts. His partner then puts them back together again, because it’s her coffee machine and she finally wants her brew.