SPEAKERS


Alexander Ermolov - Independent Security Researcher

Andrey Akimov - Security Researcher

Brian Butterly - Security Researcher, Major SCADA-dependent company

Daniel Medina Velazquez - Security researcher, Intel's Offensive Security Research group

Dino Dai Zovi - Staff Security Engineer, Square

Elie Bursztein & Daniela Oliveira - Google & University of Florida

Fermin Serna - Chief Security Officer, Semmle

Fernando Gont - Security consultant and researcher, SI6 Networks

H2HC University: Bordini & Diego - Diretor de Inteligência Cibernética e Pesqui, New Space

H2HC University: Bruno Oliveira - Principal Security Consultant, Trustwave SpiderLabs

H2HC University: Joao Victorino - Pesquisador, PRIDE Security

H2HC University: Julio Della Flora - Professor de Graduacao e Pos, Diversas Universidades

H2HC University: Lucas Ferreira - Administrador de Sistemas, CTBTO

H2HC University: Nelson Brito - Cybersecurity thinker and philosopher

H2HC University: Nina Alli - Executive Director, Biohacking Village

H2HC University: Thais Hamasaki & Gustavo Scotti - Security Researchers, Intel STORM

Inbar Raz & Raziel Einhorn - Security Researchers

Marek Zmyslowski - Security Researcher, Cycura

Marion Marschalek - Security Researcher, Intel STORM

Matias Soler - Senior Security Researcher, Intel STORM

Stefano Zanero - Associate Professor, Politecnico di Milano

Vasco Franco - Independent Security Researcher

Veronica Valeros - Researcher and Intelligence analyst

 

 

  Bypassing a hardware based trusted boot through x86 CPU microcode downgrade
 Alexander Ermolov
  It is widely known Intel CPU microcode is hardcoded into CPU ROM, and for security reasons, should be updated every time CPU is powered on, including situations like waking up from Sleep/Hibernation states. This is usually done by a microcode loader in UEFI BIOS. I've discovered a vulnerability in this loader, which allows tricking it to downgrade the CPU microcode.

One of the obvious consequences of this attack vector is removing fixes (implemented in microcode) for vulnerabilities like Spectre var2. However, I've found out the older versions of microcode allows to load the older versions of Intel ACMs (Authenticated Code Modules).

ACMs are a special code modules developed (and signed) by Intel to support some Intel security technologies, like Intel Boot Guard, Intel BIOS Guard, Intel TXT, Intel SGX. "Supporting" means serving as a Root of Trust. These modules are loaded into CPU L3 cache (sometimes called AC RAM) and executed from there. Like the other code, ACMs can be updated/fixed, and for security reasons running a downgraded version of an ACM is deprecated. This is maintained by a microcode and, like mentioned above, the old version of a microcode loads an old (associated) version of an ACM.

This opens up an opportunity to exploit patched vulnerabilities in ACMs influencing on the technologies they support. Which in turn leads to bypassing the trusted/measured boot (hardware-based).

In this talk I'm going to show how exactly this could be done on a real Intel TXT & Intel BIOS Guard protected platform.
  Independent Security Researcher

 

 

  Fuzzing TrustZone TEE to break Full Disk Encryption in Android
 Andrey Akimov
  ARM TrustZone is now utilized in all modern ARM-driven smartphones. This technology provides hardware isolation for secure processing of sensitive data. The idea of the technology is to divide digital world into two: Normal World and Secure World. While Normal World is normally a traditional Android or Linux with all its userspace and kernelspace, the Secure World is something mythical, not widely known and often without any public accessible documentation and source code.

Even Android kernel doesn't have access to the data processed in TrustZone. And besides this sensitive data, breach to TrustZone can lead to other amazing things like compromising Root Of Trust and achieving rootkit persistence.

We will focus on getting into TrustZone from Android userspace in smartphones of Samsung Galaxy series and its Trustonic implementation of Trusted Execution Environment (TEE). Trusted applications, or trustlets, executed there, is one of the windows to TEE, and they turned out to expose vast attack surface. While they are custom format binaries, designed to run in a special environment, it is still possible to run AFL on them. We will show you our approach to automatically discover vulnerabilities in Trustonic trustlets with such a cool way as having proved itself feedback-driven fuzzing.
  Security researcher from Russia. Likes new technologies and cunning tricks that could be done with them. Focusing mostly on security analysis of binaries, dived into different CPU architectures, operating systems and technology stacks. So looking for general ways and universal approaches for exploring and hunting for bugs in them.

 

 

  Embedded Research & Automation
 Brian Butterly
  There are a lot of differences between testing software and hardware / embedded devices, two of the big ones being feedback and input. While there are often many options (i.e. virtualization, log files, debugging) when testing a defined piece of software, an embedded device might just be a black box with a button and an LED. Especially when wanting to automate testing or perform fuzzing a lack of feedback or even automated input can be a back breaking issue.

Luckily there are a lot of both simple and professional solutions for solving these challenges which range from cheap Arduino based bread-boards over well-chosen sensors to Logic Analyzers. The talk will give an overview how security researchers can utilize knowledge from the maker scene to quickly put together custom test rigs which will enable them to perform full or at least semi-automated testing.

First, we will have a closer look at typical outputs of embedded devices (LEDs, sound, vibration and other actors) and see how these can be converted into digital information which can be collected at any chosen point in time. We will then utilize the collected information as simple feedback for fuzzing scripts. While doing so we will also try a few options to identify the reboot / crash of a device.

Afterwards we will have a look at the other side, input. By utilizing the same tool set we will have a look how a researcher is able to automate the pressing of a physical button or a click on a touch screen and various other inputs a device might accept. Here we will also cover options to crash and restart (reset) a device at will.

Eventually we will use the shown skillset to create a brute-forcer for an electronic safe, which has very limited input and output options.
  Brian currently works in incident response in a very large and crazily diverse environment for a German company. There he aims at developing new methods for protecting even the strangest control systems and the overall surrounding networks. Still, at heart, he is an open minded security researcher and into breaking everything he can get his finger onto. Having worked in the areas of embedded-, hardware-, mobile- and telecommunications-security he has a lot of war stories and experience at hand and is always happy to share.

 

 

  Modern Heap Exploitation: The poison NULL byte
 Daniel Medina Velazquez
  In this talk we will go through the journey of heap exploitation by showing how a simple NULL-byte off-by-one vulnerability can be used to obtain arbitrary code execution within a target using one of the latest versions of Glibc. Glibc has been hardened over time to prevent heap exploitation, however, as we will show, it is still possible to bypass some of these checks. The presentation will cover the techniques and tricks used to successfully exploit the vulnerability in a realistic target with constrained heap manipulation.
  Daniel Medina Velazquez is a security researcher at Intel's Offensive Security Research group. His main interests are embedded systems security, exploit development, and micro-architectural attacks.

 

 

  Keynote
 Dino Dai Zovi
  Keynote
  Dino Dai Zovi is an information security industry veteran and entrepreneur. Dino is also a regular speaker at information security conferences having presented his independent research at conferences around the world including DEFCON, BlackHat, and CanSecWest. He is a co-author of the books "The iOS Hacker's Handbook" (Wiley, 2012), "The Mac Hacker's Handbook" (Wiley, 2009) and "The Art of Software Security Testing" (Addison-Wesley, 2006). He is best known in the information security community for winning the first PWN2OWN contest at CanSecWest 2007.

 

 

  Analyzing phishing campaigns targeting Gmail users
 Elie Bursztein & Daniela Oliveira
  With over 1.4 billion active users and millions of companies entrusting it to handle their email, Gmail has a unique vantage point on how phishing groups operate. In this talk we Gmail telemetry to illuminate the differences between phishing groups in terms of tactics and targets. Then, leveraging insights from the cognitive and neuro-science fields on user's susceptibility and decision-making, we discuss how users from different demographic groups fall for phishing differently and how those insights can be used to improve phishing protections.
  Elie Bursztein leads Google's security & anti-abuse research, which helps protect users against Internet threats. His research focuses on advancing the state of applied-cryptography, machine learning for fraud and abuse, at risk user protections, and web security. He is the author of 60+ scholarly publications for which he received 6 best papers awards. Elie gave over 20 talks at leading industry conferences and received multiple industry awards including the Back Hat Pwnie award. He was invited to give over 20 guest lectures to numerous universities including Stanford, Berkely and Tsing Hua. Elie's work is regularly covered by major news outlets including the Wall Street Journal, CBS, Forbes, Wired, the Huffington Post and CNN. Elie is a beret aficionado, tweets at @elie, and performs magic tricks in his spare time. Born in Paris, he received a Ph.D from ENS-cachan in 2008 before working at Stanford University and ultimately joining Google in 2011. He now lives with his wife in Mountain View, California.

Dr. Daniela Oliveira is the IoT Term Associate Professor in the Department of Electrical and Computer Engineering at the University of Florida. She received her PhD in Computer Science from the University of California at Davis. Her current research interests include understanding and addressing cyber deception and phishing in an interdisciplinary fashion. She received a National Science Foundation CAREER Award in 2012, a Presidential Early Career Award for Scientists and Engineers (PECASE) from President Obama, and the 2017 Google Security, Privacy and Anti-Abuse Award. Daniela is an experienced public speaker, having given talks at National Academy of Sciences (Distinctive Voices Program), USENIX ENIGMA Conference, TEDx, and in many universities. She is a National Academy of Sciences Kavli Fellow and a National Academy of Engineers Frontiers of Engineering Symposium Alumni. Her research has been sponsored by the National Science Foundation (NSF), the Defense Advanced Research Projects Agency (DARPA), the National Institutes of Health (NIH), the MIT Lincoln Laboratory, and Google. She was born and raised in Brazil and on her spare time she loves going to Disney World with her husband Marcio and her 10-old daughter Brooke. She is a dog lover and has a two-year-old German Shepherd, Wagner.

 

 

  Keynote
 Fermin Serna
  Keynote
  Fermin J. Serna is a Computer Science Engineer graduated at the prestigious Madrid's UCM currently working as Chief Security Officer at Semmle responsible of protecting corporate assets as well as running the security research team focused on open source security.

Previously to Semmle he served as Head of Product Security at Google for almost 8 years where he build, run and oversaw the application security program for Google products. Fermin has also worked at Microsoft at the MSRC Engineering team where he envisioned and built the industry recognized EMET tool. Fermin also served as CTO and co-founder of NGSEC and S21SEC in Spain.

Fermin has found, been credited and published multiple security vulnerabilities on software developed by Microsoft, Google, Adobe, Oracle and open source (dnsmasq, glibc, ...). Because of this Fermin has been recognized with multiple awards including a RootedCon lifetime achievement award and two nominations, one winner, of a Pwnie award for Best client side bug in 2016. Fermin is also a regular speaker at security conferences such as BlackHat, Syscan, Bluehat, H2HC, Rootecon, DeepSec, Source, Summercon, ...

 

 

  Network Reconnaissance Adventures in IPv6 Land
 Fernando Gont
  As a result of the exhaustion of the IPv4 free address space, more and more sites are becoming dual-stacked -- that is, available over both IPv4 and IPv6. Due to the vast size of the IPv6 address space, traditional network reconnaissance techniques (such as "ping sweeps") are no longer effective, and thus alteranative ones need to be devised and evaluated. In this presentation, we will explore the topic of IPv6 network reconnaissance from a practical perspective, with real-world examples that employ a number of open source IPv6 tools we have developed. Additionally, we will provide insights about the most effective IPv6 network reconnaissance techniques, and some key findings resulting from our own exploration of the IPv6 Internet.
  Fernando Gont specializes in the field of communications protocols security, working for private and governmental organizations from around the world.

Gont has worked on a number of projects for the UK National Infrastructure Security Co-ordination Centre (NISCC) and the UK Centre for the Protection of National Infrastructure (CPNI) in the field of communications protocols security. As part of his work for these organizations, he has written a series of documents with recommendations for network engineers and implementers of the TCP/IP protocol suite, and has performed the first thorough security assessment of the IPv6 protocol suite.

Gont is currently working as a security consultant and researcher for SI6 Networks (). As part of his work, he is active in several working groups of the Internet Engineering Task Force (IETF), and has published 30 IETF RFCs (Request For Comments) and more than a dozen IETF Internet-Drafts. Gont has also developed the SI6 Network's IPv6 Toolkit () -- a portable and comprehensive security asessment toolkit for the IPv6 protocol suite, and the IoT-toolkit ( -- a security assessment toolkit for IoT devices.

Gont runs the IPv6 Hackers and the IoT Hackers mailing-lists (), and has been a speaker at a number of conferences and technical meetings about information security, operating systems, and Internet engineering, including: CanSecWest 2005, Midnight Sun Vulnerability and Security Workshop/Retreat 2005, FIRST Technical Colloquium 2005, Kernel Conference Australia 2009, DEEPSEC 2009, HACK.LU 2011, DEEPSEC 2011, LACSEC 2012, Hackito Ergo Sum 2012, German IPv6 Kongress 2014, H2HC 2017, Positive Hack Days 8, Hack In Paris 2018, and Troopers 2018. Additionally, he is a regular attendee of the Internet Engineering Task Force (IETF) meetings.

More information about Fernando Gont is available at his personal web site: .

 

 

  Raspy on Aircraft
 H2HC University: Bordini & Diego
  A cada dia as aeronaves se tornam mais conectadas, ofertando serviços de acesso a internet a bordo para os passageiros, mas quais os riscos deste tipo de acesso? A pesquisa é resultado de um pentest realizado em um Airbus A320 onde foram explorados diversos vetores de ataque tendo como pivot um Raspberry a bordo de uma aeronave. O que seria possível fazer com um device tão minimalista? Quais os riscos para os tripulantes? Estas e outras perguntas serão respondidas durante a apresentação.
  Thiago Bordini

Diretor de Inteligência Cibernética e Pesquisa na New Space Prevention Inteligência Cibernética. Executivo com mais de 20 anos de experiência no mercado de inteligência cibernética, atuando com análise e prevenção de ameaças e fraudes cibernéticas e disseminação de conteúdo educativo sobre o assunto para profissionais e empresas. MBA em Gestão Estratégica de TI e Segurança da Informação. Palestrante em diversos eventos nacionais e internacionais como YSTS, EkoParty, H2HC, CIAB, SecurityBSides, SANS, dentre outros. Membro da HTCIA (High Technology Crime Investigation Association) Organizador da Security BSides São Paulo

Diego

A tech guy. Pentester e Analista de Threat Intelligence, Diego vem dedicando os últimos 6 anos na área de TI em estudos voltados para a área de Segurança Ofensiva. Entusiasta de tecnologias Wireless (802.11, 802.15.4, 802.15.1, RFID, SDR), também tem grande interesse em pesquisas e estudos nas áreas de OSINT, Hardware Hacking, Inteligência/Contrainteligência e Pentest de forma geral.

 

 

  Windows Objects Exploitation
 H2HC University: Bruno Oliveira
  This preso will drive the audience to know and understand some of the Windows objects that can be utilized during a kernel exploitation. Since the kernel holds every information regarding all aspects from the userspace, it is interesting to observe attack possibilities that could be done while on this privileged area.
  Bruno Oliveira is MSc, computer engineer and Principal Security Consultant at Trustwave's SpiderLabs. During his career, always kept focus in offensive security, nowadays works full-time in penetration testing at Trustwave and still spends some extra (good) time on RE and exploit development. Spoken previously in many conferences around the globe as H2HC, YSTS, SHA2017, BlackHat, SOURCE, HackInTheBox, Ekoparty, THOTCON, AppSec USA, etc.

 

 

  Construindo Bootkits: Ideias para GRUB com Linux
 H2HC University: Joao Victorino
  O objetivo dessa palestra é mostrar algumas estruturas internas do GRUB2 que, quando manipuladas, permitem a infecção da imagem de um sistema operacional assim que ela for carregada. Além disso, será mostrado os principais desafios para infectar um processo em userspace a partir de um implante no kernel.

A palestra se baseará no Linux Kernel >= 4 (x86-64) e, ao final, será mostrado que na ausência de Secure Boot é possível comprometer um sistema sem qualquer modificação no filesystem.
  Pesquisador de Segurança na PRIDE Security, e interessado em fundamentos de computação, tem aprendido com alguns amigos que o hacking é, sobretudo, uma arte.

 

 

  Anti Tamper em Maquinas de Cartao
 H2HC University: Julio Della Flora
  Com a supracitada palestra visamos apresentar técnicas de anti tamper em máquinas de cartão de crédito, bem como tentativas de bypass dessas tecnologias (quando aplicável).

Diversas máquinas de cartão serão abordadas, comumente modelos básicos e com baixo custo.

Técnicas de aquisição de dados em memórias flash trarão exemplos de obtenção de informações acerca do hardware do equipamento. Senhas de acesso padrão e outros dados importantes serão passíveis de descoberta explorando técnicas de extração de dados.

Quando possível, mecanismos de comunicação como jtag, uart entre outros serão explorados para obtenção de informações.

Em resumo, a pesquisa propõe a apresentação de técnicas de exploração de hardware (nem sempre bem-sucedidas) em dispositivos embarcados pra transações financeiras.
  Certificação Microsoft em servidores Windows, bacharel em Ciência da Computação, especialista em Redes de Computadores e Segurança de Dados, Mestre em Ciência da Informação, Especialista em Docência para o Ensino Superior. Atuou como professor de graduação e pós graduação em diversas faculdades como: Unopar, Unifil e FAG, ministrou cursos em parceria com o Senai-Londrina, Atuou como professor de Eletrônica Digital e Instrumentos de Medida na Fundação de Ensino Técnico de Londrina, Coordenador da Pós-graduação em Segurança da Informação e Ethical Hacking, Coordenador da Pós-graduação em Ethical Hacking e Cybersecurity EAD. Analista de segurança da informação e entusiasta em hardware hacking. Palestrou em conferências de segurança como H2HC, YSTS, RoadSec, entre outras. Possui 8 anos de experiência com tecnologia e segurança da informação. CVE's publicadas: CVE-2018-20823, CVE-2019-12762.

 

 

  Como detectar uma bomba atômica?
 H2HC University: Lucas Ferreira
  Esta palestra irá apresentar o CTBT (Tratado de Proibição completa de Testes Nucleares) com foco nas tecnologias usadas para implementar o seu Sistema Internacional de Monitoramento, que coleta dados para detectar explosões de armas nucleares ao redor do mundo. O foco da apresentação será nas tecnologias usadas nos sensores e na análise dos dados. Também serão abordadas outros usos (monitoramento de mamíferos marinhos, previsões meteorológicas, alertas de tsunami, acompanhamento de vazamentos radioativos, etc.) para os dados coletados.
  Lucas C. Ferreira é um administrador de sistemas com alguns (poucos :) cabelos brancos, que já trabalhou em grandes e pequenas empresas, sempre com foco em administração de sistemas e segurança da informação. Hoje é o líder da equipe de administradores de sistemas Unix e Linux do CTBTO, cuja missão é manter os sistemas de monitoramento de explosões nucleares "up-and-running". Lucas é também um membro da OWASP onde ocupa a posição de Líder do Capítulo de Viena (Áustria).

 

 

  NIDAVELLIR: Building Powerful Tools (Weapons?)
 H2HC University: Nelson Brito
  Ten years ago a prototype tool has been built, which was suppose to automate the penetration tests tasks... This prototype tool served as the basis for other projects that came along these years, such as: POP, ESF, T50 and Inception. Originally named Exploit Next Generation, the tool had a modular approach with 71 files and 13,552 lines of C code and Assembly, using a variety of techniques to successful exploit a vulnerability. This presentation will talk about how to create and build a working prototype tool, covering some basic and advanced concepts to illustrate the strategy adopted (fingerprinting, assembly components, shellcode, polymorphism, etc.) -- half of the presentation will be code demonstration.
  I'm merely another cybersecurity thinker and philosopher, occasionally researcher and enthusiast, addicted to computer and network (in)security, being the creator of the T50 and the only Brazilian to speak at the extinct PH-Neutral (invite-only) in Berlin. As a sought-after speaker I've presented in some of the most notorious conferences in Brazil: BSides, H2HC, YSTS, ROADSEC, etc. My researches are: POP, ESF, T50 and Inception — highlight to T50, a tool widely used by companies validating their infrastructures, incorporated by ArchAssault, BackTrack, BlackArch, Debian, Kali and Ubuntu.

 

 

  Gamification Will Lead to Better Medical Device Resilience
 H2HC University: Nina Alli
  Gamers don't usually start their games by reading the manufacturers directions (amirite?) for the how-to's on a game, we just get in there and figure it out. Hackers use the same practice when getting into a system, learn and break by doing. This talk will go through what the medical device manufacturer community can learn from gaming to better secure their devices.
  Nina is the Executive Director of the Biohacking Village: bringing together security researchers, to integrating Medical Device Manufacturers, Citizen Scientists, and Hands-On lab together to share findings, discover vulnerabilities, and existing solutions, unmet needs, opportunities, market and path to commercialization. Nina is currently working on a multi-industry cybersecurity resilience model that includes operating model, plan impacts, linkages to industry frameworks to implement best practices and integration for an improved operating and defensive alignment with increased literacy for patients, medical device manufacturers, legal and federal governance, and sustainability.

Nina is a guru of trivial knowledge and RPG fan, especially the ass kicking games. For exercise, she run from rabid dogs, wrestle alligators while simultaneously participating in eating contests, and running for public office. For fun, she drives with her eyes open, plays hopscotch in the rain, race big wheels, has staring contests with wolverines, and passes out band aids to gunshot victims. Her favorite word is "interesting", since it has multiple meanings and all appear positive on the surface.

 

 

  Dissecting a linux kernel exploit
 H2HC University: Thais Hamasaki & Gustavo Scotti
  In this talk we will give an insight into Linux kernel exploitation, starting from a CVE report already discussed on https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part1.html.

We encourage you to read the blog post prior to the talk. Don't miss the opportunity to ask direct questions about this vulnerability and the techniques to write kernel mode exploits. We are going to give examples of writing bypasses and debugging techniques to help you on the development of your own exploit.

Since examples of exploit code are interesting but not really show the complexity of the actual development process, our focus will be to walk through the complexity of taking advantage of a vulnerability report to write a real-life (and working!) exploit.
  Thaís Moreira Hamasak is a security researcher at Intel STORM (STrategic Offensive Research & Mitigations Team). Previous to that, she worked as a malware researcher @F-Secure, with focus on static analysis, reverse engineering and logical programming. Thaís started her career within the anti-virus industry working on data and malware analysis, where se developed her knowledge on threat protection systems. She won the "best rookie speaker" award from BSides London for her very first talk about "Using SMT solvers to deobfuscate malware binaries". Recent research topics include binary deobfuscation, generic unpacking and static analysis automation. She is an active member of the Düsseldorf Hackerspace, where she also leads the groups for Reverse Engineering and x86 Assembly. In her free time, you can find Thaís buiding tools, cooking or climbing somewhere offline.

Gustavo Scotti, a.k.a. csh is one of those guys who curiosity drives his life. If I am not learning new stuff, experimenting with dangerous things, or living life at its fullest, csh is a dull boy. I am an enthusiast of mechanical engineer, electrical engineer, computer engineer, physics engineer, and music engineer. To fund all my hyperactive mind, I work as a Security Researcher at Intel Corporation, hacking cool stuff, at the lowest level you could imagine. Known by some exploits, axur05 e-zine, reversed engineered the PS2, wrote some rootkits, sniffers, and some other stuff.

 

 

  Under Pressure: Real world damage with TPMS spoofing
 Inbar Raz & Raziel Einhorn
  Modern vehicles are equipped with Tire Pressure Monitoring System (TPMS) - a system that alerts the driver when the tire pressure is inappropriate. TPMS broadcasts an unencrypted data stream at known frequencies and has already attracted the attention of security researchers, who demonstrated the ability to spoof the transmission and cause an alert.

However, while previous research concluded that the worst case scenario would be forcing the driver to pull over for inspecting the vehicle - and by that facilitating some other illicit activities such as robbing or kidnapping - we will demonstrate a specific scenario which, using already-published research, could cause driver distraction, theoretically resulting in an unsafe driving scenario.

In this talk we will quickly go over the TPMS, show how to research it using Software Defined Radio and reach spoofing capabilities, and end by showing a proof of concept for our attack scenario. We will also include a "Fuckup" section where we will show you how we failed during the research and what we've learned.
  Inbar has been teaching and lecturing about Internet Security and Reverse Engineering for nearly as long as he has been doing that himself, since the age of 9 on his Dragon 64. He spent most of his career in the Internet and Data Security field, and the only reason he's not in jail right now is because he chose the right side of the law at an early age.

Inbar specializes in outside-the-box approach to analyzing security and finding vulnerabilities, using his extensive experience of over 25 years at the IDF, Check Point, PerimeterX, and nowadays Argus Cyber Security, protecting the automotive domain from hackers.

Raziel has been working in the areas of Wireless Communication and Electronic Warfare for more than 10 years. Being fascinated by the possibilities that lie in the Cyberspace, he’s looking for ways to use tools and knowledge from the RF world, in order to discover new attack surfaces and vectors. Nowadays Raziel is working at Argus Cyber Security, protecting the automotive domain from hackers.

 

 

  Crash Analyzing with Reverse Tainting (Powered By Taintgrind)
 Marek Zmyslowski
  In recent years, fuzzing has become a popular and powerful method for vulnerability research. There are dozens of free and open frameworks available, with new ones arriving each month, but fuzzing itself is only part of the equation. Another part comes with triaging; or how to find only the relevant crashes when a fuzzer might find them in hundreds or even thousands. Often, these are sorted and binned based on the artefacts around the crash itself, but this is both naïve and superficial. In this talk, we will cover the use of taint analysis via ’reverse tainting’ as a potent alternative.

This presentation will show how reverse tainting can be used as a part of the crash analysis. The audience will see how it can give an easy solution as to the reasons for a crash based on its inputs rather than its effects. File formats are structured containing different fields. With reverse taint, it is easy to find the connection between that crash and the particular field in the structure. It can be very helpful for the future analysis of why the crash occurred.
  Currently Security Researcher @ Cycura where he is responsible for a different aspect of fuzzing services and vulnerability research. In the security industry for more than 12 years. Experience in the area of penetration testing, reverse engineering or vulnerability finding.

 

 

  Oh memset, where did you go?
 Marion Marschalek
  A compiler's code optimization is a scary beast. It tends to take over the thinking for a developer, kneads the input source into much smaller, faster and elegant output code, and in general happens to be very good at that too. Big help in this undertaking are so called compiler built-ins and intrinsics, which, as it turns out, are essential to study should one be interested in how compilers "disappear" function calls.

A common favorite to study is libc's memset function, which is known to occasionally fall victim to compiler optmization. Dead store elimination tends to think erasing content from memory is rather useless; we security folks disagree. By looking closer at how the compiler uses built-in functions, applies code inlining and chooses between call or inliner, we can learn a lot about its impact on security and potential ways for attackers to abuse this compiler behavior.
  Marion Marschalek is a former Malware Analyst and Reverse Engineer who recently started work at Intel in order to conquer the field of low level security research, where she nowadays spends an unusual amount of time looking at compiler source code. She has spoken at all the conferences and such, and seen all the things, and is one of the happiest hackers out there. Also, she runs a free reverse engineering bootcamp for women, because the world needs more researcherettes.

 

 

  Trashing like it is 1999: Unsolicited forensics on GPS trackers
 Matias Soler
  Hidden in a dark corner, in the bottom shelf of a huge rack full of old industrial cooking equipment, luminaires, and other weird objects, a bucket full of secrets was awaiting to be found. Who would have imagined that what was once destined to die as landfill, would finally end up revealing the secrets of one of the biggest food distribution networks in Argentina.

Join me in this journey of discovery, guided by the will to unveil the secrets hidden in these devices, that will make you think: what else are we ignoring that leaves scary details of our lives/companies dumped in the trash?

During this talk I will walk you through the process I took, from doing an initial assessment, analyzing the potential threat vectors, trying and failing multiple times, then failing again, until in the end simplicity was the key. While we travel this path together, I will talk about embedded MCU protections, bypasses, dumping flashes on corroded devices, and how to interpret data.
  Matias Soler is a Senior Security Researcher at Intel STORM team. Prior to that he worked for nine years at Immunity Inc where he has performed different tasks such as exploit development, reverse engineering, security research, and consulting. He has also taught trainings on binary and web exploitation. Matias has experience in both offensive and defensive areas within the information security field. He has previously presented at several international conferences such as Ekoparty, BlackHat Briefings and Infiltrate.

 

 

  Securing CyberPhysical Systems: Moving Beyond Fear
 Stefano Zanero
  Cyber-physical systems are attracting a lot of attention: attacks on connected cars received a lot of media exposure, as did attacks on industrial control systems, medical devices, and more generally on IoT devices. A lot of this interest is driven by vulnerability research (often in the form of "stunt hacking"). While useful and frankly engaging and attractive, this research does not really help answer the fundamental question of how to embed security analysis in design. In this talk, we will use automotive security as a case study to try to outline a risk-based design methodology that can be used to deal with our hyper-connected future.
  Stefano Zanero received a PhD in Computer Engineering from Politecnico di Milano, where he is currently an associate professor with the Dipartimento di Elettronica, Informazione e Bioingegneria. His research focuses on malware analysis, cyberphysical security, and cybersecurity in general. Besides teaching “Computer Security” and “Computer Forensics” at Politecnico, he has an extensive speaking and training experience in Italy and abroad. He co-authored over 90 scientific papers and books. He is a Senior Member of the IEEE, the IEEE Computer Society, and a lifetime senior member of the ACM. Stefano co-founded the Italian chapter of ISSA (Information System Security Association). He has been named a Fellow of ISSA. A long time op-ed writer for magazines, Stefano is also a co-founder and chairman of Secure Network, a leading information security consulting firm; a co-founder of 18Months, a cloud-based ticketing solutions provider; and a co-founder of BankSealer, a startup in the FinTech sector that addresses fraud detection through machine learning techniques.

 

 

  Using Binary Ninja to find format string vulns in Binary Ninja
 Vasco Franco
  This talk is based on the article chosen by the reviewers of the Paged Out Ezine as the best article: https://pagedout.institute/download/PagedOut_001_beta1.pdf
  TBA

 

 

  Machete: 9 Years of Cyber Espionage Operations in Latin America
 Veronica Valeros
  Since early 2011, a threat actor has been conducting espionage operations in Latin America using an espionage tool known as Machete or Ragua. In this talk we will present the analysis of Machete based on the collection, reverse engineering, and analysis of more than a hundred Machete samples from 2011 to 2019. The large corpus of samples allowed us to study changes in its features and to map the gradual evolution of Machete from its creation until today. Our talk will focus on the technical aspects of this malware and the analysis of the decoy documents used in the spear phishing campaigns. Finally we will discuss how Machete managed to stay operational to this day.
  Veronica is a researcher and intelligence analyst from Argentina. Her research has a strong focus on helping people and involves different areas from wireless and bluetooth privacy issues to malware, botnets and intrusion analysis. She has presented her research on international conferences such as BlackHat, EkoParty, Botconf and others. She is the co-founder of the MatesLab hackerspace based in Argentina, and co-founder of the Independent Fund for Women in Tech. She is currently the director of the CivilSphere project at the Czech Technical University, dedicated to protect civil organizations and individuals from targeted attacks.

@verovaleros

 

 

 

 

 

 

 ORGANIZATION

 

 

 PLATINUM SPONSORS

 

 

 

 

 

 GOLD SPONSORS

 

 

 

 

 

 SILVER SPONSORS

 

 

 HACKING

 

 

 

 SUPPORTING ORGANIZATIONS