GET /api/events/bsidesvienna-2022/talks/?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "count": 8,
    "next": null,
    "previous": null,
    "results": [
        {
            "code": "GDZYEC",
            "speakers": [
                {
                    "code": "AG9NKZ",
                    "name": "Wolfgang Hotwagner",
                    "biography": "Wolfgang Hotwagner is a Research Engineer at the Cyber Security Research Team of the Austrian Institute of Technology (AIT), where he works on various topics like \"Pentesting\", \"Log File Anomaly Detection\" and \"Cyberrange\". He is a Linux enthusiast and practices IT security in his spare time.",
                    "avatar": null
                }
            ],
            "title": "Logrotten - \"It's not a bug\"",
            "submission_type": "Talk",
            "track": null,
            "state": "confirmed",
            "abstract": "Logrotate is prone to a race condition on systems with a log directory that is in control of a low-privileged user. This talk shows how easy it is to use logrotate in a dangerous way and illustrates the impact of this vulnerability. Finally, the current state of logrotate will be discussed.",
            "description": "Logrotate is designed to ease administration of systems that generate large numbers of log files. It allows automatic rotation, compression, removal, and mailing of log files. Each log file may be handled daily, weekly, monthly, or when it grows too large. It also gives you a root shell.\r\nLogrotate supports different methods for creating new files. For example, the directive “copy” makes a copy of the logfile and “create” creates a new empty logfile after rotating. If someone exchanges the log directory with a symbolic link just before creating the new logfile, logrotate will put the new file into a different directory. Such a scenario can be exploited if logrotate runs as user root and a low-privileged user is in control of the path to the log directory. If this user exchanges the log directory with a symbolic link at the right time, logrotate will write the new file into the linked directory. After that, the permissions of the created file will be adjusted and the attacker might have write access to that file.\r\nThis talk explains the various scenarios where logrotate can be configured in dangerous ways. It will be explained which software packages were found to be prone to this kind of attack. Finally, the current state of logrotate will be discussed.",
            "duration": 30,
            "slot_count": 1,
            "do_not_record": false,
            "is_featured": false,
            "content_locale": "en",
            "slot": {
                "room": {
                    "en": "Urania Dachsaal"
                },
                "start": "2022-11-19T11:05:00+01:00",
                "end": "2022-11-19T11:35:00+01:00"
            },
            "image": null,
            "resources": []
        },
        {
            "code": "YNAKFT",
            "speakers": [
                {
                    "code": "GUADRQ",
                    "name": "Timo Longin",
                    "biography": "Timo Longin is a security consultant at SEC Consult by day and a security researcher by night. Aside from everyday security assessments, he publishes blog posts and security tools, holds talks at conferences and universities, and, most importantly, has a passion for CTFs. His main focus is on web applications; however, infrastructure and hardware are not safe from him either. As a well-rounded offensive security researcher, he tries to find forgotten and new attack vectors that make the unthinkable possible!",
                    "avatar": "http://cfp.bsidesvienna.at/media/avatars/IMG_20220802_080009-PhotoRoom_WLP6gHQ.png"
                }
            ],
            "title": "Melting the DNS Iceberg - Taking over your infrastructure Kaminsky style",
            "submission_type": "Talk",
            "track": null,
            "state": "confirmed",
            "abstract": "What does the DNS have in common with an iceberg? Both are hiding invisible dangers! Beneath an iceberg there is... hiding even more ice, however, beneath the DNS there are hiding unexpected vulnerabilities!\r\n\r\nIf you want to resolve a name via DNS, there are multiple open DNS resolvers all across the Internet. A very commonly used open DNS resolver is Google’s resolver with the IP address 8.8.8.8. However, not every system is using such an open resolver. Hosting providers, ISPs and the like are often using resolvers that are not directly accessible from the Internet. These are the so-called “closed” resolvers.\r\n\r\nIn my previous research “Forgot password? Taking over user accounts Kaminsky style” I have unearthed critical vulnerabilities in DNS resolvers of web applications, but I haven’t given a second thought to the fact that these web applications were most likely using closed resolvers. So, this time I took a look at the root of the problem!\r\n\r\nIn this talk, we’ll take a look at how we can indirectly access these closed resolvers from the Internet. Furthermore, I’ll introduce open-source tools and methods to discover vulnerabilities in them. How we can attack these closed resolvers and potentially compromise thousands of systems will lastly be shown in a proof-of-concept exploit.",
            "description": "1. Introduction, explanation of DNS cache poisoning, and the core problem of this research\r\n- The talk starts off with a short introduction and a brief refresher on DNS cache poisoning and its consequences.\r\n- As a transition from DNS cache poisoning and its consequences, I’ll give a short summary of my previous DNS research (https://sec-consult.com/blog/detail/forgot-password-taking-over-user-accounts-kaminsky-style/). This shows how I identified DNS vulnerabilities in web applications and how this would’ve allowed me to take over user accounts via DNS cache poisoning.\r\n- Out of the 146 analyzed web applications, DNS resolvers of two web applications were especially insecure, since they allowed trivial Kaminsky attacks. The resolvers used by these two web applications were identified to be most likely closed (not directly accessible from the Internet).\r\n- This sparked the question about the security of closed DNS resolvers.\r\n2. Analysis of closed DNS resolvers\r\n- Firstly, I’m showing how closed resolvers can be indirectly accessed from the Internet via various means and which method we picked to scan around 7000 domains on the Internet.\r\n- Furthermore, I’m showcasing the required open-source “DNS analysis server” (successor of https://github.com/The-Login/DNS-Reset-Checker). I’m also explaining the test process of how to find vulnerabilities in closed resolvers.\r\n- After that, we explore the first example of a vulnerable closed DNS resolver and combine it with a short detour to Kaminsky attacks. This ensures a general understanding of off-path DNS cache poisoning attacks and why the discovered resolver is vulnerable.\r\n- We then go into an in-depth analysis of how we can find all the systems/domains that are using the vulnerable closed resolver. This shows how thousands of domains are linked to vulnerable resolvers due to being managed by one hosting provider or ISP. Here I’m using a hosting provider for “cloud and security” as well as an e-mail provider as examples.\r\n- Then, I’ll reveal the results of an Internet scan of roughly 7000 domains. Even though “only” 25 DNS resolvers were found to be vulnerable, thousands of systems are affected.\r\n- I next explain the possible attack vectors to exploit systems using these vulnerable resolvers. This ranges from simple spam protection bypasses (spoofing SPF, DKIM and DMARC) to complete system takeovers.\r\n3. Conclusion\r\n- In the conclusion of the talk I'll cover some key takeaways and why the DNS is still a hot topic!",
            "duration": 30,
            "slot_count": 1,
            "do_not_record": false,
            "is_featured": false,
            "content_locale": "en",
            "slot": {
                "room": {
                    "en": "Urania Dachsaal"
                },
                "start": "2022-11-19T10:30:00+01:00",
                "end": "2022-11-19T11:00:00+01:00"
            },
            "image": "http://cfp.bsidesvienna.at/media/bsidesvienna-2022/submissions/YNAKFT/iceberg_logo_dns_zvR3H8M.png",
            "resources": []
        },
        {
            "code": "PV7STU",
            "speakers": [
                {
                    "code": "NESVPZ",
                    "name": "Godwin Attigah",
                    "biography": "Godwin Attigah is a Security Engineer at Google. Before working at Google, they worked at Microsoft's Cyber Defense Operation Center, where they primarily focused on detecting and managing incidents involving state-sponsored actors. Godwin's work in security includes reverse engineering, detection engineering, security tool development, statistical modeling, and machine learning.",
                    "avatar": null
                }
            ],
            "title": "Malware And Exfiltration : A Telegram Story",
            "submission_type": "Talk",
            "track": null,
            "state": "confirmed",
            "abstract": "Exfiltration and command and control are essential parts of the adversary's kill chain. One of the primary goals of a malicious adversary is to exfiltrate data from an environment undetected and uninterrupted.\r\n\r\nAs a result, several attackers have opted for third-party services typically sanctioned for use in most enterprises. The accepted status of such applications coupled with an established developer ecosystem makes services such as Slack and Telegram suitable as their exfiltration and command and control tool of choice.\r\n\r\nWe have observed the usage of Telegram in different types of malicious activities including but not limited to ransomware, phishing, remote access trojans and stealers. We will discuss active samples found in the wild with a particular emphasis on stealers. Stealers are a class of malware that are primarily interested in gathering information on a host. Recent examples of Telegram in stealers include the Lapsus$ compromise of major enterprises such as Microsoft, Okta, and Nvidia. They are particularly interested in credentials and information related to financial assets (fiat and crypto), e.g.:\r\nSaved passwords\r\nCryptocurrency wallets\r\nCredit cards\r\nFiles from personal directories\r\nDirect messaging application sessions (Telegram, WhatsApp, etc.)\r\nOS information\r\nMachine credentials\r\nGeolocation\r\nScreenshots (in some cases live webcam view)\r\n\r\nOur discussion will cover the exfiltration and detection evasion techniques on different platforms, including but not limited to Windows, macOS, and Android. In furtherance of the point, we introduce how malware-as-a-service provides easily accessible kits to entry-level and sophisticated malicious actors, thus reducing entry barriers, particularly in the stealer and ransomware community.\r\n\r\nIn our analysis, we observed a varied level of attacker operational competency. Attackers falter in several stages of the attack process, and we discuss some of their shortcomings and the best practices when it comes to using Telegram.\r\nThe techniques we discuss include:\r\nCorrelating attacker identity to the real world\r\n- Image Correlation\r\n- Username correlation\r\nMessage Interception via\r\n- Updates\r\n- WebHooks\r\n\r\nThroughout the talk, we provide several samples that use Telegram as an exfiltration vector and had one or no detections in VirusTotal. The absence of detections underscores the essence of building an enterprise that is aware of the shortcomings of vendor security products as well as open source intelligence sources. We also provide detections and common patterns we see associated with samples in the space.",
            "description": "",
            "duration": 30,
            "slot_count": 1,
            "do_not_record": false,
            "is_featured": false,
            "content_locale": "en",
            "slot": {
                "room": {
                    "en": "Urania Dachsaal"
                },
                "start": "2022-11-19T17:40:00+01:00",
                "end": "2022-11-19T18:10:00+01:00"
            },
            "image": null,
            "resources": []
        },
        {
            "code": "UR9EQT",
            "speakers": [
                {
                    "code": "N9KQS7",
                    "name": "Paul Coggin",
                    "biography": "Paul Coggin is a Cyber SME at nou Systems, Inc. His expertise includes space systems, service provider, and ICS/SCADA network infrastructure attacks and defenses, as well as large complex network design and implementation. Paul is experienced in leading network architecture reviews, vulnerability analysis, and penetration testing engagements for service provider, enterprise, space systems and tactical networks. Paul is a regular instructor at international conferences teaching networking, hacking and forensics courses. He has a BS in Math\\Computer Science, an MS in Systems Management, an MS in Information Assurance and Security and an MS in Computer Information Systems. In addition, he holds numerous industry network and security certifications.",
                    "avatar": "http://cfp.bsidesvienna.at/media/avatars/paul-coggin-portrait_Ocyh7mG.jpg"
                }
            ],
            "title": "Hey You! Get off my Satellite!",
            "submission_type": {
                "en": "Talk"
            },
            "track": null,
            "state": "confirmed",
            "abstract": "Hey You! Get off my Satellite!\r\n\r\nAbstract:\r\nThere are many components and systems that may be targeted in a space system by adversaries, including ground station systems and satellites. In this presentation we will discuss ideas for providing cyber resiliency in zero-gravity. Both theoretical and real-world examples of cybersecurity issues concerning satellite systems will be covered. This presentation will step through attack trees for targeting satellite systems. Recommendations and best practices for securing satellite systems will be discussed. In addition, new ideas that industry is currently developing for improving the cyber resiliency of space systems will be presented.",
            "description": "",
            "duration": 60,
            "slot_count": 1,
            "do_not_record": false,
            "is_featured": false,
            "content_locale": "en",
            "slot": {
                "room": {
                    "en": "Urania Dachsaal"
                },
                "start": "2022-11-19T15:20:00+01:00",
                "end": "2022-11-19T16:20:00+01:00"
            },
            "image": null,
            "resources": []
        },
        {
            "code": "MUWQKG",
            "speakers": [
                {
                    "code": "RMC9NN",
                    "name": "Sebastian Bicchi",
                    "biography": "Sebastian is well known in the German-speaking InfoSec community. Besides media coverage, Sebastian is the founder of Sec-Research GmbH and is the author of a book about hardware hacking.",
                    "avatar": null
                }
            ],
            "title": "Charlatans in InfoSec - from Kim to Jonathan",
            "submission_type": {
                "en": "Talk"
            },
            "track": null,
            "state": "confirmed",
            "abstract": "A brief introduction to the world of InfoSec charlatans - from KimDotCom to JonathanData. Why it's important to expose them - and how you can do it. This talk not only covers historical charlatans, but also teaches common techniques and behaviors of fraudsters. It also explains why it is important to expose such fraudsters.",
            "description": "InfoSec as a community and as a profession has attracted a lot of charlatans. In this talk you will get an overview of InfoSec charlatans. Starting from famous people like Kim (DotCom) to lesser-known but still funny characters like Jonathan Scott (aka jonathandata1) - you will meet them all. You'll also learn how to spot charlatans and why this is important - for the community and for people outside the community.\r\nYou'll get a deep dive into the mindset of scammers - including common techniques they use and how to fend them off. All techniques presented will be demonstrated with examples. After this presentation, you will have all the tools you need to protect the community (and yourself) from scammers/fraudsters/charlatans.",
            "duration": 60,
            "slot_count": 1,
            "do_not_record": false,
            "is_featured": false,
            "content_locale": "en",
            "slot": {
                "room": {
                    "en": "Urania Dachsaal"
                },
                "start": "2022-11-19T11:40:00+01:00",
                "end": "2022-11-19T12:40:00+01:00"
            },
            "image": null,
            "resources": []
        },
        {
            "code": "9ALTGS",
            "speakers": [
                {
                    "code": "UW3HG3",
                    "name": "Abdullah Joseph",
                    "biography": "Abdullah Joseph is a software engineer with a special interest in security and over a decade of experience. He worked as the mobile security team lead of Adjust, providing a secure mobile analytics service to clients around the globe, while overseeing the security of the company's open-source libraries integrated in over 25,000 mobile apps, totalling over 400 billion data points and 25 petabytes of traffic per month.\r\n\r\nHe is also the holder of GREM, GMOB, GPEN and GXPN security certifications and a speaker at OWASP, CodeMotion, Hack-in-the-box, R2Con and Android Security Symposium conferences.\r\n\r\nHe currently works as a senior software engineer for an internet technologies nonprofit implementing secure and uncensored protocols for dissidents and journalists to communicate with the free internet.",
                    "avatar": "http://cfp.bsidesvienna.at/media/avatars/1558000834494_P1xp2pj.jpeg"
                }
            ],
            "title": "Nothing To Hide: Privacy-Preserving Cryptographic Authentication In Practice",
            "submission_type": "Talk",
            "track": null,
            "state": "confirmed",
            "abstract": "Governments, email vendors, social media websites, and even your favorite food recipes forum require account registrations where you pass your secret, often the same, password over insecure channels, riddled with sniffing agents while subjecting your online identity to theft, data breaches, and a whole bag of privacy concerns.\r\n\r\nThis doesn't need to be the case. With the massive explosion of fast, secure, and privacy-preserving cryptographic protocols, your credentials need never leave your device and websites don't need to store your passwords for authentication to complete.\r\n\r\nIn this talk, I'll introduce zero-knowledge password protocols, a well-established field of cryptography that puts privacy first, as well as demo a full implementation of such a protocol live.",
            "description": "The problem and the reason I made the project are very nicely put forth by the famous cryptographer Matthew Green: https://blog.cryptographyengineering.com/2018/10/19/lets-talk-about-pake/. The protocol I'm working with was very recently standardized by the IETF (mid 2020) right here: https://datatracker.ietf.org/doc/html/draft-krawczyk-cfrg-opaque-06.\r\n\r\nThe goal of this talk is to share the knowledge regarding this new protocol (namely, OPAQUE) and the field of zero-knowledge cryptography. Its benefits in terms of password authentication and privacy are tremendous and they're well studied. My contribution to the space will be a Go implementation of the protocol that can be used in any form, a backend, and a frontend JS SDK, as well as sharing a simplified explanation of the math behind it.\r\n\r\nThe protocol, backend and frontend code are open-sourced with a prototype. See here: https://github.com/afjoseph/plissken.",
            "duration": 30,
            "slot_count": 1,
            "do_not_record": true,
            "is_featured": false,
            "content_locale": "en",
            "slot": {
                "room": {
                    "en": "Urania Dachsaal"
                },
                "start": "2022-11-19T14:45:00+01:00",
                "end": "2022-11-19T15:15:00+01:00"
            },
            "image": "http://cfp.bsidesvienna.at/media/bsidesvienna-2022/submissions/9ALTGS/logo_HIjZStH.png",
            "resources": []
        },
        {
            "code": "EAKWZL",
            "speakers": [
                {
                    "code": "88GGGQ",
                    "name": "Michael Bargury",
                    "biography": "Michael Bargury is the Co-Founder and CTO of Zenity, where he helps companies secure their low-code/no-code apps. In the past, he headed security product efforts at Azure focused on IoT, APIs and IaC. Michael is passionate about all things related to cloud, SaaS and low-code security, and spends his time finding ways they could go wrong. He also leads the OWASP low-code security project and writes about it on DarkReading.",
                    "avatar": "http://cfp.bsidesvienna.at/media/avatars/michael_yAcyZoU.jpg"
                }
            ],
            "title": "No-Code Malware: Windows at Your Service",
            "submission_type": {
                "en": "Talk"
            },
            "track": null,
            "state": "confirmed",
            "abstract": "Windows 11 ships with a nifty feature called Power Automate Desktop, which lets users automate mundane processes. In a nutshell, users can build custom processes and hand them to Microsoft, which in turn ensures they are distributed to all user machines, executed successfully and reports back to the cloud. You can probably already see where this is going...\r\n\r\nIn this presentation, we will show how Power Automate Desktop can be repurposed to power malware operations. We will demonstrate the full cycle of distributing payloads, bypassing perimeter controls, executing them on victim machines and exfiltrating data. All while using nothing but Windows baked-in and signed executables, and Office cloud services.\r\n\r\nWe will then take you behind the scenes and explore how this service works, what attack surface it exposes on the machine and in the cloud, and how Microsoft managed to enable it across their customer base without explicit user consent. We will also point out a few promising future research directions for the community to pursue.\r\n\r\nFinally, we will share an open-source command line tool to easily accomplish all of the above, so you will be able to add it into your Red Team arsenal and try out your own ideas.",
            "description": "",
            "duration": 60,
            "slot_count": 1,
            "do_not_record": false,
            "is_featured": false,
            "content_locale": "en",
            "slot": {
                "room": {
                    "en": "Urania Dachsaal"
                },
                "start": "2022-11-19T13:40:00+01:00",
                "end": "2022-11-19T14:40:00+01:00"
            },
            "image": null,
            "resources": []
        },
        {
            "code": "93FVM7",
            "speakers": [
                {
                    "code": "UKUU9U",
                    "name": "Steffen Robertz",
                    "biography": "Steffen Robertz is a Security Consultant at SEC Consult who specializes in embedded systems. In his job, he focuses on retrieving and reverse engineering firmware in order to find vulnerabilities. Due to his background as an electrical engineering student, he also takes an interest in RF systems and hardware development. He has already published multiple security advisories via the SEC Consult Vulnerability Lab.",
                    "avatar": "http://cfp.bsidesvienna.at/media/avatars/picture_tMVZ2Cn.jpg"
                }
            ],
            "title": "Self-Labeling Electronic Shelf Labels",
            "submission_type": {
                "en": "Talk"
            },
            "track": null,
            "state": "confirmed",
            "abstract": "Electronic Shelf Label (ESL) tags are increasing in popularity. More and more stores switch their price tags to digital ones for various reasons, such as competing with online wholesalers.\r\nIn this talk, we analyzed the 433MHz connection of a popular ESL tag and identified multiple security flaws that allowed us to spoof the RF signal and display arbitrary content on the displays. Furthermore, the original manufacturer of the E-Tag labeled microcontrollers was discovered.\r\nThis talk will give an overview of analyzing unknown hardware with an unknown RF protocol without any prior known research.",
            "description": "We took apart multiple ESL tags distributed by a Chinese manufacturer. These tags are especially popular in China and consist of an e-ink display and an LED. The base station will be connected to the local LAN and will translate packets to a proprietary 433MHz GFSK modulated protocol. We reversed this protocol and found multiple security vulnerabilities. The protocol does not protect against replay attacks. Hence, the tags can always be reset to an older price by replaying the previously recorded frames. Furthermore, we are able to craft our own packets and correctly modulate them with a HackRF. Therefore, we can fully control the display of all tags in a store. The only information required is the tag ID, which is printed on the top of the label or could be sniffed from previous tag transmissions.\r\nA GNURadio sketch was developed to correctly receive all packets and to forward them to a UDP port. A Python program is listening on this port and analyzing all contents. In addition, the script can be used to easily reprogram any ESL tag.\r\nOn top of that, a quick hardware security assessment was performed. We decapped the MCU of an E-Tag, which was only branded with the line \"E-Tag M1\". It turned out to be produced by STMicroelectronics and is most likely an STM8 microcontroller.\r\nAll in all, this talk will lead through the teardown of an unknown RF device and showcase how signals can be intercepted and analyzed with predefined GNURadio blocks and some custom Python code.",
            "duration": 45,
            "slot_count": 1,
            "do_not_record": false,
            "is_featured": false,
            "content_locale": "en",
            "slot": {
                "room": {
                    "en": "Urania Dachsaal"
                },
                "start": "2022-11-19T16:50:00+01:00",
                "end": "2022-11-19T17:35:00+01:00"
            },
            "image": "http://cfp.bsidesvienna.at/media/bsidesvienna-2022/submissions/93FVM7/testsetup_GQmzJZn.jpg",
            "resources": []
        }
    ]
}