Area41 2014: Juriaan Bremer & Marion Marschalek: Curing A 15 Year Old Disease DEFCON Switzerland 2015-06-20 | Area41 Security Conference 2014: Juriaan Bremer & Marion Marschalek: Curing A 15 Year Old Disease
Defeating Behavior Detection Of Remote Code Injection - Rafael Salema Marques DEFCON Switzerland 2024-07-04 | Rafael Salema Marques / SWaNkThe injection of arbitrary code in a remote process is a well-know technique exploited by malwares. As defenders continue to intensify their efforts to uncover these actions, attackers must come up with new techniques and attack variations to evade detection. In this talk, I will present a novel approach to remote code injection that utilizes shared sections and handle inheritance between generations of processes to defeat behavior detection techniques. Additionally, I will be providing a detailed explanation and a proof of concept (PoC).
Public Cloud Public Attacks: A Summary Of Attacks Seen By CloudIntel - Himanshu Anand DEFCON Switzerland 2024-07-04 | Himanshu AnandIn an era where cloud computing is ubiquitous, the security of cloud environments has never been more critical. Our presentation delves into the intricate landscape of cloud security through an exhaustive analysis of data from CloudIntel, a comprehensive dataset of cloud-based attacks. This dataset, accessible at github.com/unknownhad/CloudIntel, offers a unique window into the types of attacks targeting public cloud platforms, the malware employed, and the tactics, techniques, and procedures (TTPs) used by adversaries. By dissecting incidents across various public clouds, we reveal the nuanced differences in attack methodologies, initial foothold, and exploitation tactics. Ourresearch not only sheds light on the current threats but also paves the way for enhanced defensemechanisms against cloud-based vulnerabilities.
Phishing The Resistant: Phishing For Primary Refresh Tokens In Microsoft Entra - Dirk-Jan Mollema DEFCON Switzerland 2024-07-04 | Dirk-Jan Mollema (Outsider Security)Microsoft Entra ID (formerly Azure AD) offers many options to harden your tenant against attackers.Most of these options are enforced using Conditional Access policies, which for example allow you to restrict users to authenticate with only phishing resistant MFA methods such as Yubikeys and Windows Hello for Business. These MFA methods are resistant against common attacks, such as attacker-in-the-middle attacks via fake login pages, because they will only authenticate against the real Microsoft websites. There is however a catch: the provisioning of such MFA methods is often done from scenarios where such strong authentication cannot be enforced, such as during the device setup. In this talk we will see that by phishing for regular refresh tokens, using some tricks that Microsoft uses during the Windows installation, we can actually obtain a Primary Refresh Token and even provision these Phishing Resistant authentication methods by ourselves. The talk will also cover new mitigations that Microsoft introduced to combat these attacks, and what you can do to protect your tenant.
Actionable Incident Response Documentation: When The Ink Meets The Road - Gergana Karadzhova-Dangela DEFCON Switzerland 2024-07-04 | Gergana Karadzhova-Dangela (Cisco Talos)This presentation will be a bold attempt to highlight the primordial importance of actionable incidentresponse documentation for the overall response readiness of an organization. The audience will bechallenged to think critically about their attitudes towards the creation of procedures anddocumentation, which are often associated with compliance audit checkboxes, and gain a newperspective on the value generated by documents such as an incident response plan and aransomware playbook. During this talk Gergana Karadzhova-Dangela, a Senior Incident Response Consultant with Cisco Talos IR, will share commonly observed mistakes when writing IR documentation and ways to avoid them. She will draw on her experiences as a responder who works with customers both during the proactive activities but also during actual cybersecurity breaches.
Technical Deep Dive Into The XZ Backdoor - Timo Schmid DEFCON Switzerland 2024-07-04 | Timo Schmid (Google)In March 2024 a backdoor was discovered in xz-utils packages of Debian and Fedora, originating from the upstream XZ project. This talk will take a deeper look into the techniques used by the backdoor to infect its primary target sshd and the different evasion techniques employed in an attempt to hide itself and why these ultimately led to the backdoors discovery.
Digital Self Defense For Investigative Journalists - Rico DEFCON Switzerland 2024-07-04 | Rico (SRF)In today's digital age, investigative journalists face unprecedented threats to their work and theirsources. As an IT Security Engineer working for the public Swiss radio and television (SRF) I’m working on privacy solutions and secure communication methods with potential sources. I'll share practical strategies for journalists to navigate the digital realm securely.Topics include digital surveillance in Switzerland, threat modeling, secure communication tools, dataprotection, source anonymity, digital footprint management, and legal/ethical considerations. Join me to empower journalists to safeguard their work and uphold freedom of press.
Machine Learning For Enhanced Malware Detection & Classification - Solomon Sonya DEFCON Switzerland 2024-07-04 | Solomon SonyaMalware continues to increase in prevalence and sophistication. VirusTotal reported a daily submission of 2M+ malware samples. Of those 2 million malware daily submissions, over 1 million were unique malware samples. Successfully exploiting networks and systems has become a highly profitable operation for malicious threat actors. Traditional detection mechanisms including antivirus software fail to adequately detect new and varied malware. Artificial Intelligence provides advanced capabilities that can enhance cybersecurity. The purpose of this talk is to deliver a new framework that uses Machine Learning models to analyze malware, produce uniform datasets for additional analysis, and classify malicious samples into malware families. Additionally, this research presents a new Ensemble Classification Facility we developed that leverages several Machine Learning models to enhance malware classification. To our knowledge, this is the first research that utilizes Machine Learning to provide enhanced classification of an entire 200+ gigabyte-malware family corpus consisting of 80K+ unique malware samples and 70+ unique malware families. New, labeled datasets are released to aid in future classification of malware. It is time we leverage the capabilities of Artificial Intelligence and Machine Learning to enhance detection and classification of malware. This talk provides a pathway to incorporate Artificial Intelligence into the automated malware analysis domain.
Efficiency vs Security: Unveiling The Risks In Cloud-Based Endpoint Management - Oleksandr Kazymyrov DEFCON Switzerland 2024-07-04 | Oleksandr KazymyrovAs organizations shift to cloud environments, they increasingly rely on tools like Microsoft Intune forefficient endpoint management. This transition from traditional to cloud-based infrastructuresintroduces a complex array of risks, including possible misconfigurations and new vulnerabilities.This presentation encapsulates our comprehensive examination of transitioning to a modern cloudplatform. Our research reveals that configurations aimed at enhancing efficiency can, paradoxically,turn into vulnerabilities, allowing adversaries to exploit and compromise the integrity of endpoints,despite being originally designed to streamline IT operations. We will discuss in detail methods forprivilege escalation, addressing both the enrollment and device usage phases. Through real-worldexamples, we plan to demonstrate the process of creating a backdoor, exemplified by the creation of a user account with administrative privileges. The backdoors not only bypasses device security controls, but also allow you to bypass the “known device” checks in Entra ID conditional access policies. Such vulnerabilities are particularly concerning in scenarios where internal threats collaborate with external actors, significantly increasing risk. The technical findings are translated into business risks, highlighting the critical need for a balance between endpoint security and operational usability. Attendees will acquire important knowledge about the nuances of cloud security for endpoints, the importance of vigilant configuration management, and strategies for securing against both internal and external threats in a cloud-centric world.
Shells At Midnight: Turning A Spam Filter Against Itself - Michael Imfeld DEFCON Switzerland 2024-07-04 | Michael Imfeld (modzero)The RFCs for email addresses are surprisingly flexible in regards to what is considered a valid address - a fact that is most often overlooked by developers. In this talk, we will show that attackers can abuse assumptions of what developers consider safe input and how this can be exploited. Using a real-world example, we will disclose multiple vulnerabilities which we identified in a mail spam filter appliance used by governments, universities and healthcare institutions.
Cloud-native Software Supply Chain Security: The Hard Truth - Daniel Drack DEFCON Switzerland 2024-07-04 | Daniel DrackEverybody is talking about SBOM, attestation, MFA, signatures and other security measures - but who is actually implementing them?This session will provide you with a technical overview of current cloud-native software supply chain security best-practices. Plus it will give you an idea of the adoption of said best-practices in the industry.
The CTF To Career Pipeline - Jam (Vie) Polintan DEFCON Switzerland 2024-07-04 | Jam (Vie) Polintan (Google)CTFs are a fantastic way to learn about and develop one’s skills into cybersecurity. They’re accessible, open-source most of the time, and consistently offer top-tier challenges to improve your hacking acumen. But are they realistic? When someone wants to make the jump into their cybersecurity career, they’ll often find themselves asking the same questions and wondering as to the answer. Jam (Vie) Polintan discusses her experiences and outlines some common techniques and methods that she learned from CTFs which prove to be effective in her starting and maintaining her career.
Mastering Supply Chain Attacks With Client-Side Monitoring - Juerg Fischer and Dai Littlewood DEFCON Switzerland 2024-07-04 | Juerg Fischer (Splunk) + Dai Littlewood (Splunk)We often say in the cyber security world, you can’t detect what you can’t see. In the SOC, visibility iseverything, and the days of relying solely on the network perimeter and server-side monitoring is nolonger enough. Today, breaches are plenty and with it comes reputational damage and hefty fines. So as defenders, what can we do? Dive deep into the cyber battlefield where attackers, armed with cunning and creativity, launch indirect web skimming attacks through your digital supply chain. This high-stakes game often involves the exploitation of third-party javascript — the unsung heroes that power everything from your slick payment gateways to those addictive social media widgets and chic web fonts. Whilst your users are loving these new features, you’ve opened up yet another gap in visibility and posed a formidable challenge to SOC teams tasked with the herculean task of monitoring and neutralizing code modifications that could lead to disastrous data exfiltration. But we defenders can also get creative…walk with us in to the client side as we sift through a data set which likely already exists in your environment but you just don’t know it…yet. This is not your monitoring 101 class, and we’re not going to sit here and tell you about HTTP response codes. We're talking about the offensive side and defense; we're talking about strategies to spot exfiltration attempts through third-party code, turning your blindness into visibility and assurance. What's on the Agenda? Decrypting the code behind web skimming breaches via third-party integrations. Unveiling the tactics of attackers and their modus operandi in exploiting third-party code. Effective methods for collecting telemetry of third parties, including where and how to source it Analytical approaches to detect anomalies and correlate data Join the cyber guardians and elevate your security game to legendary status.
Guardians Of The Grid: Purple Playoffs In OT Adversary Emulation - Jeroen Vandeleur and Nick Foulon DEFCON Switzerland 2024-07-04 | Jeroen Vandeleur + Nick Foulon (NVISO)This session dives deep into the evolution of cyber defense tactics, laying bare the necessity of aholistic approach where offensive and defensive techniques are harmoniously amalgamated. Byjuxtaposing IT and OT, we unravel their innate intricacies and spotlight the compelling need for aharmonized security blueprint, especially during those critical junctures of incident analysis and swiftbreach detection. As we journey further, attendees will be introduced to the groundbreaking utility ofadversary emulation, spotlighting CALDERA's prowess for OT-specific plugins and submodules. Thisenlightening segment not only showcases the tactics, techniques, and procedures (TTPs) of potential adversaries but also delineates how defenders can counteract, adapt, and prepare. Our exploration doesn’t stop there. The crux of defense, as we advocate, hinges on a potent blend of technology and architecture. Learn how a meticulously crafted architectural model can become the lighthouse, illuminating dark spots and enhancing visibility within sprawling OT terrains. Moreover, we dissect state- of-the-art detection technologies, detailing the operational capabilities and unique advantages of Microsoft Defender for IoT. The climax of our discourse is an immersive emulation exercise set within the confines of a virtualized electric plant. This ambitious endeavor is a precursor to our groundbreaking project—a tangible, physical firing range tailored for OT security testing. Experience firsthand the strategies deployed, challenges faced, and the riveting results of this emulation.
New Stories Of Money: Crypto, DeFi, Hacks & Attacks - Marco Preuss DEFCON Switzerland 2024-07-04 | Marco Preuss (Kaspersky)With current Bitcoin price increase, Crypto got more attention in the public, again - though underlying misuse, attacks and hacks are going on for many years. In this talk I will dig into different recent attacks, problems and common “how to behave”. I will cover starting from the more common attack methods to advanced and stepping into DeFi.
Call On Me, Unify! Hacking Desktop Phones - Michael Oelke DEFCON Switzerland 2024-07-04 | Michael Oelke (Pentagrid)In this talk, we dive into the vulnerabilities discovered in various Unify desktop phones during aresearch project. Insecure default settings and improper permission configurations expose thesedevices to remote compromise. We will explore the step-by-step process of identifying and exploitingthese vulnerabilities. Additionally, the session will demonstrate how a seemingly benign screenshottool was leveraged to escalate privileges. Due to the vendor's insecure by default approach, we believe there are many vulnerable installations outside. We will also discuss considerations for securing these devices within your network infrastructure to prevent similar threats.
Intelligence-Driven Threat Hunting: Exposing The Invisible Enemy - Sylvain Hirsch DEFCON Switzerland 2024-07-04 | Sylvain Hirsch (Mandiant)Advanced Persistent Threats (APTs) exploit gaps in traditional defenses, but their tactics, techniques, and procedures (TTPs) offer a roadmap for detection. This presentation reveals a proven methodology for uncovering and hunting APTs, leveraging the power of intelligence, frontline expertise, and deep TTP analysis. Gain actionable insights and learn how to apply these intelligence driven techniques to enhance your organization's threat hunting capabilities. This presentation will illustrate the methodology with real-world examples, including the identification of APT39 and APT41 cyber espionage campaigns.
Reconsidering Self-XSS And Exploring Novel Attacks With Cookie Tossing - Thomas Houhou DEFCON Switzerland 2024-07-04 | Thomas HouhouCookie tossing is a web attack that consists of injecting cookies from a vulnerable or malicioussubdomain in order to poison other websites under the same parent domain. As part of a coordinated vulnerability disclosure with the Swisscom Bug Bounty program and Project Jupyter, this talk will describe how such a technique can systematically turn Self-XSS into a high-impact bug and then explore how it also results in novel web attacks. Ultimately, the aim is to draw attention to the strong capabilities of cookie tossing and the many creative attack vectors it enables.
Automating Malware Development: A Red Teamers Journey - Gian Demarmels DEFCON Switzerland 2024-07-04 | Gian Demarmels (Redguard)Adversary simulation and red team operations play a crucial role in fortifying defences againstsophisticated adversaries. As defences getting better and EDR systems being deployed everywhere,malware development is becoming an important skill for red teamers.Red teamers are often in need to develop custom loaders capable of bypassing these defences.Developing a modern, customizable, and evasive loader involves multiple steps, which can be a time-consuming and complex process. Often multiple existing malware techniques need to be combinedand adapted to the respective situation. This talk delves into my journey of automating malwaredevelopment to create loaders for red team operations and discusses the challenges I faced.
Shufflecake, AKA Truecrypt On Steroids For Linux - Tommaso Gagliardoni DEFCON Switzerland 2024-07-04 | Tommaso Gagliardoni (Kudelski)Shufflecake is a novel, free, open-source data encryption tool that allows the creation of hidden volumes on a storage device in such a way that it is very difficult, even under forensic inspection, to prove the existence of such volumes. This is useful for people whose freedom of expression is threatened by repressive authorities or dangerous criminal organizations, in particular: whistleblowers, investigative journalists, and activists for human rights in oppressive regimes. You can consider Shufflecake a "spiritual successor" of tools such as TrueCrypt and VeraCrypt, but vastly improved: it is fast, supports any filesystem of choice, and can manage multiple layers of nested decoy volumes, so to improve user experience and make deniability of the existence of these partitions really plausible. Shufflecake is the result of a multi-year research aimed at solving fundamental limitations of plausible deniability tools. It has been peer-reviewed and presented at top IT conferences such as DEF CON Demo Labs and ACM CCS. It is under active development, and the open source community is welcome to contribute. In this talk we will present the history and limitations of other existing solutions, we will show how Shufflecake works and solves such limitations, and we will see why Shufflecake is an indispensable tool in the arsenal of users facing violent or coercive investigation.
Armored Witness: Building A Trusted Notary For Bare Metal - Andrea Barisani DEFCON Switzerland 2024-07-04 | Andrea Barisani (WithSecure)We are building an Open Source https://transparency.dev/ witness, in collaboration with Google. Thisproject entailed creating new hardware (USB armory LAN with PoE) software (Trusted OS and Applet)leveraging on TamaGo and GoTEE frameworks. This presentation aims to discuss the journey of thisproject, achievements (such as bare metal Go IRQ handlers in space!) and results.
Insert Coin: Hacking Arcades For Fun - Ignacio Navarro DEFCON Switzerland 2024-07-04 | Ignacio NavarroSince we were children we wanted to go to the arcade and play for hours and hours for free. How about we do it now? In this talk I’m Since we were children we wanted to go to the arcade and play for hours and hours for free. How about we do it now? In this talk I’m gonna show you some vulnerabilities that I discovered in the cashless system of one of the biggest companies in the world, with over 2,300 installations across 70 countries, from arcades in Brazil, amusement parks in the United Arab Emirates to a famous roller coaster in Las Vegas. We will talk about API security, access control and NFC among other things.
Nearing The EPOcalypse: A Tale Of Vulnerabilities & Incentives In The Infosec Industry - Alain Mowat DEFCON Switzerland 2024-07-04 | Alain Mowat (Orange Cyberdefense)It has generally been accepted that vulnerabilities will endlessly be discovered and patched becausethe humans developing the software or hardware are prone to making errors. Though this holds some truth, accepting it as a foregone conclusion has given vendors an easy excuse to sell vulnerable products and even profit from it.During a vulnerability research project, my team and I discovered several vulnerabilities in McAfee (now Trellix) products, ranging from trivial Cross-Site Scripting issues to SQL injections and Admin account takeover in the ePolicy Orchestrator. Most of these issues were discovered within just a couple weeks of effort using command-line tools such as find and grep.These vulnerabilities will be presented and used as a steppingstone to discuss why we so easilydiscover SQL injections or even Buffer Overflows in the query strings of popular products.Though it may seem utopian to have a vulnerability-free world, aligning incentives and allowingcustomers to know how much vendors value the security of their own products (and ultimately that of their customers) could go a long way in improving on the current state and better protect everyone.
Action Anomalies: A Hackers Guide To Github Actions - Elliot Ward DEFCON Switzerland 2024-07-04 | Elliot Ward (Snyk)In the DevOps era of frequent releases, CI tools such as Github actions are powerful platforms toenable secure and rapid software releases, but what additional attack surface do these often privileged components come with? This talk covers a recent research project from Snyk Security Labs to understand Github actions in depth and how they can be attacked to leak cloud environment access tokens, arbitrary secrets and result in a full compromise of the repository. Security engineers,pentesters and bug hunters alike will come away knowing the threat landscape for Githubs CI platform, and through case studies of high impact vulnerabilities we have uncovered, be equipped to exploit and secure Github actions.
Switching 400000 Volts With A TCP Packet - Cyrill Brunschwiler DEFCON Switzerland 2024-07-04 | Cyrill Brunschwiler (Compass Security)With the history of blackouts in the Ukraine and the appearance of the suspended nuclear plantMuehleberg in the Vulkan leak its time to beef-up Swiss blue and red teamers with knowledge on theSwiss electrical grid and substations in particular. This talk aims to pass-on what I learned about theelectrical grid along my hacker journey and to prevent you from blowing stuff and being outsmarted by OT devices. The presentation will provide an overview of the Swiss electrical grid, including its network levels and electrical substations. We will delve into the workings of substations, the protective equipment used, and the logical representation of such. The role of Intelligent Electronic Devices (IEDs) will be explored, along with the communication processes between these devices. We will also discuss the IEC 61850 and IEC 60870-5-104 protocols, which are integral to the functioning of these systems. Additionally, we will discuss the pentest tool landscape, the concept of interlocking, and important considerations when dealing with protocols. Essentially, a talk about electrical grids from a hacker perspective.
Keynote: Hackers Perspective on New Risks: Revising the Cybersecurity Priorities for 2024 DEFCON Switzerland 2024-07-04 | Paula Januszkiewicz (Founder & CEO of CQURE)The transformation is gaining momentum! Over the last tumultuous years, investments in digitaltransformation have been growing, with companies worldwide exploring its potential by introducingnew technologies, approaches and social changes. As more data than ever is put online, cybersecurity is now a major concern for everyone – large corporations, governments, and companies of all sizes. The transformation, however, also has its dark side. Thanks to it, the hackers are able to exploit vulnerabilities in the infrastructure with even greater precision than before.As the financial, operational, legal, and reputational implications of neglecting cybersecurity riskscould be considerable, well-known analysis & protection methods should be developed andcomplemented. During this presentation, the most serious risks of 2024 will be explored and explained. Paula Januszkiewicz will demonstrate how hackers and cybercriminals identify and exploit threats using the most up-to-date techniques, so that you are able to observe them on your monitoring system and prevent them in the future. You will also become familiar with the most advanced phishing attacks, credential theft techniques, ransomware distribution methods, and ways of gaining access to vendor-controlled systems.Join Paula to understand what actually is possible in the year of 2024. As the cyber transformation leads to better effectiveness of hackers' activities, there is no time to lose!
How A Smart Conferencing Device Turned Into A Security Nightmare by Max Moser DEFCON Switzerland 2022-06-17 | ...
A Journey Into Exploiting The Source Engine by Niklas Brymko, Simon Scannell and Carl Smith DEFCON Switzerland 2022-06-17 | ...
The Intelligent Process Lifecycle Of Cyber Defenders - Extended Version by Desiree Sacher-Boldewin DEFCON Switzerland 2022-06-17 | ...
Pirates, Privateers, And Mercantile Companies In Cybersecurity by Florian Egloff DEFCON Switzerland 2022-06-17 | ...
Security Content Creator Panel by Carl Svensson, Robbe van Roey and Thomas Roth DEFCON Switzerland 2022-06-17 | ...
Building A Red Team – The Best Defense Is A Good Offense by Daniel Fabian DEFCON Switzerland 2022-06-17 | ...
DC4131 Virtual - Ange Albertini - Timecryption DEFCON Switzerland 2021-04-08 | Ange Albertini (@angealbertini) - Author of Corkami research (corkami.github.io)Timecryption - Clean Now, Malicious Later - Come listen to Ange´s latest research endeavours, warping our minds once more of his file format wizardry and what potential impacts they can have on things as we know. There will also be an opportunity for Q&A to pick his brain a little more...Based On His Partnered Research From: eprint.iacr.org/2020/1456Slides @ speakerdeck.com/ange/timecryption
Area41 2018: Thomas Chopitea: The Story Of Greendale DEFCON Switzerland 2018-07-10 | Area41 security conference 2018: Thomas Chopitea: The Story Of Greendale
Area41 2018: Area41 Team: Opening Ceremony DEFCON Switzerland 2018-06-18 | Area41 security conference 2018: Area41 Team: Opening Ceremony
Area41 2018: Area41 Team: Closing Ceremony DEFCON Switzerland 2018-06-17 | Area41 security conference 2018: Area41 Team: Closing Ceremony
Area41 2018: Pascal Gloor: The Day You Got Hacked DEFCON Switzerland 2018-06-17 | Area41 security conference 2018: Pascal Gloor: The Day You Got Hacked
Area41 2018: Dobin Rutishauser: Fuzzing For Worms DEFCON Switzerland 2018-06-17 | Are41 security conference 2018: Dobin Rutishauser: Fuzzing For Worms
Area41 2018: Paolo Di Prodi: The Future Of Threat Intelligence Platforms DEFCON Switzerland 2018-06-17 | Area41 security conference 2018: Paolo Di Prodi: The Future Of Threat Intelligence Platforms Sharing Data With Privacy In Mind
Area41 2018: Antoine Neuenschwander: Web Cryptominers In The .CH Zone DEFCON Switzerland 2018-06-17 | Area41 security conference 2018: Antoine Neuenschwander: Web Cryptominers In The .CH Zone
Area41 2018: Stephan Gerling: Swimming IoT Or How To Hack A Vessel DEFCON Switzerland 2018-06-17 | Area41 security conference 2018: Stephan Gerling: Swimming IoT Or How To Hack A Vessel
