HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
{
"count": 17,
"next": null,
"previous": null,
"results": [
{
"code": "CEY7FF",
"speakers": [
{
"code": "PBFPNF",
"name": "Giriraj Ravichandran",
"biography": "Security Engineer, RedTeamOps @Freshworks - OSWE, EJPT, Rastalabs HTB, CTF Player @TamilCTF\r\n\r\nI am Giriraj R., presently serving as a Security Engineer at RedTeamer at Freshworks. In my current role, I specialize in implementing automated solutions at an enterprise-wide level, as well as Purple Teamer. I have garnered substantial recognition through my active participation and victories in numerous Capture The Flag (CTF) competitions, adopting the moniker 'Cipherlover' and collaborating with the distinguished CTF team 'TamilCTF.' My profound insights extend to Purple Teaming, cloud security, and the operational aspects of the Security Operations Center (SOC). With a passion for cybersecurity, I'm committed to fortifying digital landscapes and continuously expanding my knowledge.",
"avatar": "http://cfp.bsidesvienna.at/media/avatars/Screenshot_2024-06-14_at_9.17.33PM_oEkqH0A.png"
},
{
"code": "VYCETL",
"name": "Naveen S",
"biography": null,
"avatar": null
}
],
"title": "The Dark Side of Installers: Security Flaws in macOS and Windows",
"submission_type": "Talk",
"track": {
"en": "Second Track"
},
"state": "canceled",
"abstract": "In this presentation, we will delve into the often overlooked security risks associated with macOS (.pkg) and Windows (.msi) installer packages. Installers are a critical part of software deployment, yet they can harbor significant vulnerabilities that, if exploited, can lead to privilege escalation and remote code execution (RCE).\r\n\r\nWe will start by unpacking the structure of macOS and Windows installer packages, shedding light on their internal components and the common security flaws that can be exploited. Through real-world examples and demonstrations, we will explore how attackers can leverage these flaws to gain unauthorized access and control over systems.\r\n\r\nAttendees will learn about the following key areas:\r\n\r\nUnderstanding Installer Packages: A comprehensive overview of the structure and function of macOS .pkg and Windows .msi files.\r\nCommon Security Flaws: Identification and explanation of typical vulnerabilities found in installer packages.\r\nPrivilege Escalation: How malicious actors exploit installer flaws to escalate privileges on both macOS and Windows platforms.",
"description": "Discover the hidden security risks lurking within macOS (.pkg) and Windows (.msi) installer packages in this essential talk. Installer packages are crucial for software deployment but can harbour significant vulnerabilities that lead to privilege escalation and remote code execution (RCE). \r\nWe’ll break down the internal structure of these installers, highlight common security flaws, and demonstrate how attackers exploit these weaknesses. Gain valuable insights into defending against these threats and protect your systems from potential breaches and avoid getting exploited. In this session we will discuss and develop our knowledge on strengthening and defenses against a critical, often-overlooked aspect of software security.",
"duration": 45,
"slot_count": 1,
"do_not_record": false,
"is_featured": false,
"content_locale": "en",
"slot": {
"room": {
"en": "Track 2 (3.1 (Kreativ))"
},
"start": "2024-11-23T10:10:00+01:00",
"end": "2024-11-23T10:55:00+01:00"
},
"image": null,
"resources": []
},
{
"code": "K3VPXA",
"speakers": [
{
"code": "UBYVSX",
"name": "Leo",
"biography": "Cyber Security Analyst & Researcher",
"avatar": null
}
],
"title": "Kernel Rootkit detection with eBPF time tracing",
"submission_type": "Talk",
"track": {
"en": "Second Track"
},
"state": "canceled",
"abstract": "Rootkits are a specialized form of malware, with the goal of absolute stealth.\r\nThey have lived through an evolution of development through the time,\r\nas have the efforts to detect them.\r\nThis talk presents a detection approach based on time probes that detect the delays caused\r\nby a rootkit.\r\nThis is realized with modern eBPF technology.\r\nAdditionally a general overview of rootkits is given.",
"description": "Rootkits are a sophisticated class of malware.\r\nThey are used in the post-exploitation phase by attackers,\r\nto maintain access and hide their tracks.\r\nRootkits underwent an evolution on in which layer of the system they reside, from system utilities over libraries, to kernel modules and even beyond the OS in the firmware.\r\nSimilarly the techniques rootkits use have evolved and\r\ncomplementary the the detection approaches have seen many additions and improvements.\r\nNevertheless a rootkit running with sufficiently high permissions (e.g. in the kernel) can theoretically always defeat a detection program.\r\nThus the development of rootkits and respective detection is a tireless arms race.\r\nI will give an overview of rootkit types and go a bit into depth on how kernel rootkits work.\r\nThen I will show that there are actually only a few places in the Linux kernel where a rootkit can gain rootkit functionality.\r\nWith this knowledge I will show how to design time measuring probes with eBPF that can catch the rootkits actions by the delays that it causes.",
"duration": 30,
"slot_count": 1,
"do_not_record": false,
"is_featured": false,
"content_locale": "en",
"slot": {
"room": {
"en": "Track 2 (3.1 (Kreativ))"
},
"start": "2024-11-23T11:30:00+01:00",
"end": "2024-11-23T12:00:00+01:00"
},
"image": null,
"resources": []
},
{
"code": "LJ9BFA",
"speakers": [
{
"code": "UFQ8A9",
"name": "Jakob Bleier",
"biography": "themoep.at, security scholar at TU Wien, conjurer of pretty pixels, wiggles air into sound, he/him",
"avatar": "http://cfp.bsidesvienna.at/media/avatars/jb_MvHAkOJ.jpeg"
}
],
"title": "ART is beautiful, but it takes a lot of work",
"submission_type": "Talk",
"track": {
"en": "Second Track"
},
"state": "confirmed",
"abstract": "Do you want to be a connoisseur of modern ART but always feel a bit too intimidated by it? Do you want to see the good, the bad, and the ugly sides of ART? Have you ever wondered what depths lie behind something seemingly simple?\r\nThen this talk is for you!\r\nThe Android Runtime is powering modern Android and aims to run apps - fast, resource-conserving, and uncomplicated. The former two were apparently more important, but fortunately, the ART is part of the Android Open Source Project - which means we can look under the hood to understand better what it does for apps, what it does to apps, and what it could do for us.",
"description": "Is this a security talk? Not directly, but it’s not not a security talk. It’s a fun(damentals) talk. The first step to hacking is understanding something, and the Android Runtime has a steep learning curve. This talk is an introduction to make it easier for others to explore the internals of the Android Runtime. Sharing is caring, after all.\r\nBecause the Android ecosystem is “mostly” open and documentation changes without notice under your feet, this is also a ranty talk to vent some frustration productively.\r\nIt will cover a brief history from the DalvikVM to ART and the changes under the hood. We’ll see the ART components, such as libart and dex2oat, and what code runs when the zygote starts, which spawns all app processes. We’ll also learn what compilation profiles are and how to get them (it’s free aggregated usage data, after all). Finally, the talk will showcase what the seclab.wien is working on to make the ART work for security and privacy research.",
"duration": 30,
"slot_count": 1,
"do_not_record": false,
"is_featured": false,
"content_locale": "en",
"slot": {
"room": {
"en": "Track 2 (3.1 (Kreativ))"
},
"start": "2024-11-23T14:45:00+01:00",
"end": "2024-11-23T15:15:00+01:00"
},
"image": "http://cfp.bsidesvienna.at/media/bsv2024/submissions/LJ9BFA/art_illu_csIU8DD.jpeg",
"resources": []
},
{
"code": "HBEFDF",
"speakers": [
{
"code": "X8LEMP",
"name": "Mathias Tausig",
"biography": "Graduated in mathematics \r\nHolistic perspective on computers: former developer, sysadmin, security officer, university teacher and even computer salesman \r\nNow a security consultant specializing in application security \r\nOpen source lover",
"avatar": "http://cfp.bsidesvienna.at/media/avatars/portrait_2023_jtHknGk.jpg"
}
],
"title": "The monster in your basement: Security risks of CI/CD systems",
"submission_type": {
"en": "Talk"
},
"track": {
"en": "Second Track"
},
"state": "confirmed",
"abstract": "Continuous Integration and Continuous Delivery systems are omnipresent in today's development workflows. They help developers to focus more on their actual programming duties by automating repetitive tasks and allow the periodic usage of security tools. But the messy truth is, that in many organizations they are simply taken for granted as yet another development tool instead of being recognized for what they are: a system at the core of your infrastructure with almost unbounded permissions.",
"description": "This talk starts by elaborating why we even want and need CI systems in the first place, in order to build up the stage for the inherent security risks.\r\nThose are outlined based on the new \"OWASP Top 10 CI/CD Security Risks\" list and augmented by recounting \"war stories\" from real world security assessments an breaches of CI systems.\r\nFinally, a live demonstration shows, how easy an attacker can gain access to your build infrastructure via a malicious container image.\r\n\r\nContent warning: You might be a lot more nervous about your dev environment when you return to work on monday.",
"duration": 45,
"slot_count": 1,
"do_not_record": false,
"is_featured": false,
"content_locale": "en",
"slot": {
"room": {
"en": "Track 2 (3.1 (Kreativ))"
},
"start": "2024-11-23T17:05:00+01:00",
"end": "2024-11-23T17:50:00+01:00"
},
"image": null,
"resources": [
{
"resource": "/media/bsv2024/submissions/HBEFDF/resources/SBA_Research_-_Security_risks_of_CICD_systems_td3bPmg.pdf",
"description": "Presentation Slides"
}
]
},
{
"code": "97VDHJ",
"speakers": [
{
"code": "DJNXR3",
"name": "Kirill",
"biography": "I have been working in cybersecurity for over 10 years. Currently, I am part of the IT security team in the game development industry. In my free time, I design cyber ranges for my side project, Defbox.",
"avatar": "http://cfp.bsidesvienna.at/media/avatars/Screenshot_2024-09-30_at_20.13.15_5oEiUIz.png"
}
],
"title": "Cyber Range Fails: Lessons learned from building Defensive Labs",
"submission_type": "Talk",
"track": {
"en": "Second Track"
},
"state": "confirmed",
"abstract": "I will share my experience in building defensive interactive labs. During the talk, I will cover typical cyber range architecture, its pros and cons. Listeners will gain insights into how to build their own cyber range.\r\nI will share the problems that listeners will most likely encounter if they decide to build a home lab. By the end of the talk, listeners will be informed on how to build their own cyber range and how to avoid common mistakes.",
"description": "I've been creating cyber ranges for a year. It turned out to be a non-trivial task. \r\nThe talk will be divided into four sections:\r\n1. What is a Cyber Range?: I will explain the concept of a cyber range and review popular solutions like GOAD and CI-CD Goat, focusing on their key functions.\r\n2. Cyber Range Architecture: I will cover the basic architecture of a typical cyber range, including components, network configurations, and integration approaches.\r\n3. Cyber Range Fails: I will share specific problems we encountered while building a hosted cyber range, focusing on technical issues and operational mistakes.\r\n4. Q&A. section.",
"duration": 30,
"slot_count": 1,
"do_not_record": false,
"is_featured": false,
"content_locale": "en",
"slot": {
"room": {
"en": "Track 2 (3.1 (Kreativ))"
},
"start": "2024-11-23T13:35:00+01:00",
"end": "2024-11-23T14:05:00+01:00"
},
"image": null,
"resources": []
},
{
"code": "KQZ83W",
"speakers": [
{
"code": "7CBLZJ",
"name": "Manuel Kern",
"biography": "Manuel Kern is a researcher and security consultant who started his career as a server admin and soon shifted his focus solely to IT security. During his time as a professional pentester at the Austrian Institute of Technology, he explored ways to improve detection methods and decided to write his Master’s thesis on efficiently detecting adversaries in computer networks. This research led him to continue his academic path, currently working on his PhD in threat detection. In his free time he is NIS and ISO27001 auditor, amateur DJ and enjoys scuba diving.",
"avatar": null
}
],
"title": "Is an IDS any good, or how skilled is your Red Team?",
"submission_type": "Talk",
"track": {
"en": "Second Track"
},
"state": "confirmed",
"abstract": "Traditional IDS benchmarks rely on predictable, static attack patterns using predefined scripts and attack vectors. But do these methods really test the robustness of modern detection systems? In this talk, we’ll introduce Stealth Cup, a new approach to IDS benchmarking that leverages real hackers to put systems through their paces. \r\n\r\nStealth Cup challenges teams of ethical hackers to infiltrate simulated, yet realistic IT/OT environments while remaining undetected. It’s a competition where stealth is the key to victory, and the best team walks away with more than just bragging rights.\r\n\r\nThe Stealth Cup kicks off in Q1/Q2 2025 - are you ready to disappear?\r\n\r\nSign up [here](https://stealth.ait.ac.at) to get the latest informations about the Stealthcup.",
"description": "",
"duration": 30,
"slot_count": 1,
"do_not_record": true,
"is_featured": false,
"content_locale": "en",
"slot": {
"room": {
"en": "Track 2 (3.1 (Kreativ))"
},
"start": "2024-11-23T10:55:00+01:00",
"end": "2024-11-23T11:25:00+01:00"
},
"image": null,
"resources": []
},
{
"code": "GMKDT7",
"speakers": [
{
"code": "XW7SXN",
"name": "Hetti",
"biography": "Hetti is an IT Security Expert based in Vienna and part of the finest Viennese Hackspace [Metalab](https://metalab.at).\r\n\r\nDuring day he is breaking IT infrastructure for a living and at night he works on fun hacking projects and deals with state-of-the-art legacy infrastructure. \r\n\r\nHe enjoys traveling to community based IT (Security) Conferences and Camps. \r\nYou can also find him at the [Chaos Computer Club Vienna (C3W)](https://c3w.at) where he is mainly involved with [Chaos Macht Schule (CmS)](https://c3w.at/schule/). \r\nOn some weekends he is hunting flags with the successful academic CTF Team [We_0wn_Y0u](https://w0y.at).",
"avatar": "http://cfp.bsidesvienna.at/media/avatars/profile_pic_hetti_zbsa1YI_QeiQEDC.png"
},
{
"code": "FEZ3AN",
"name": "Clemens",
"biography": "Clemens, member of the hackspace Metalab.at, is an embedded linux and network engineer with a background in community wireless networks, electrical engineering and \"enterprise\" system archeology.",
"avatar": "http://cfp.bsidesvienna.at/media/avatars/ZBbTJHlHoDUZFfHyyZlukVDk_PfhupY3.png"
}
],
"title": "unexpected coffee: a dive into industrial coffee machines",
"submission_type": "Talk",
"track": {
"en": "Main Track"
},
"state": "confirmed",
"abstract": "A bit more than two years ago, in early summer of 2022, someone contacted us at the Metalab Hackspace if we would be interested in an electronically defective, but probably repairable industrial coffee vending machine. An industrial coffee machine with a touchscreen and cocoa toppings? No idea where we would find enough room for it or if it would actually be used, but of course we'd be interested!",
"description": "After a few months of collecting (additional) dust and annoying a few members, we started the quest to get this machine back to work and to explore the (questionable) world of industrial coffee vending legacy, from hardware, over electronics to software architecture. \r\n\r\nThis is a talk about how we repaired the machine, how these machines usually work, a dive into legacy software and electronics setups, and why those coffee vending machines taste like they do.\r\nLast but not least, we will discuss how we started to reverse engineer the internal system communication and if we would award a hackvalue of over 9000 for this type of machines.\r\n\r\nThere is also the final question: does it run Doom?",
"duration": 30,
"slot_count": 1,
"do_not_record": false,
"is_featured": false,
"content_locale": "en",
"slot": {
"room": {
"en": "Track 1 (Dachssal)"
},
"start": "2024-11-23T14:45:00+01:00",
"end": "2024-11-23T15:15:00+01:00"
},
"image": null,
"resources": []
},
{
"code": "WEERXD",
"speakers": [
{
"code": "TBT9RV",
"name": "Alex Archondakis",
"biography": "Alex has nearly a decade of experience in penetration testing and currently works as the Director of Consulting at TrustFoundry, a U.S.-based cybersecurity firm. With a strong focus on web application security, Alex combines deep technical expertise with strategic leadership, guiding teams to identify and mitigate complex security vulnerabilities. He prides himself upon his ability to explain technical concepts to non-technical people.",
"avatar": "http://cfp.bsidesvienna.at/media/avatars/aa_fnLdYY1.jpg"
}
],
"title": "Anti, Anti Automation",
"submission_type": {
"en": "Talk"
},
"track": {
"en": "Second Track"
},
"state": "confirmed",
"abstract": "An invisible, never-ending battle is being fought between those creating anti-automation solutions and those finding ways to bypass them. This talk aims to provide the audience with a foundational understanding of these anti-automation mechanisms, alongside the techniques and tools commonly used to circumvent them. Attendees will gain insights into the principles behind anti-automation defences, as well as an exploration of how these measures are evaded in practice.",
"description": "In today’s digital environment, anti-automation controls are essential for protecting online systems from misuse and abuse. However, just as quickly as these defenses evolve, so do the techniques to bypass them. This session offers a comprehensive look into the world of anti-automation, starting with the basics of how these controls are designed and implemented. We’ll then delve into the methods attackers use to overcome these barriers, showcasing the tools and strategies employed in real-world scenarios. Whether you’re a cybersecurity professional, developer, or simply interested in the dynamics of automation defense, this talk will provide valuable insights into the ongoing challenge of balancing security and accessibility in the face of ever-evolving threats.",
"duration": 45,
"slot_count": 1,
"do_not_record": false,
"is_featured": false,
"content_locale": "en",
"slot": {
"room": {
"en": "Track 2 (3.1 (Kreativ))"
},
"start": "2024-11-23T16:15:00+01:00",
"end": "2024-11-23T17:00:00+01:00"
},
"image": "http://cfp.bsidesvienna.at/media/bsv2024/submissions/WEERXD/aa_nzHQLyK.jpg",
"resources": []
},
{
"code": "WW7JUK",
"speakers": [
{
"code": "GUADRQ",
"name": "Timo Longin",
"biography": "Timo Longin (also known as Login) is a senior security consultant at SEC Consult at day and a security researcher at night. Aside from everyday security assessments, he publishes blog posts and security tools, holds talks at conferences and universities, and has a passion for CTFs. His main focus is on web applications; yet, infrastructure and hardware are not safe from him either. For example, in his prior research, Timo discovered DNS vulnerabilities in web applications, hosting providers and even entire countries. However, most people know him for discovering SMTP smuggling. As a well-rounded offensive security researcher, he tries to find forgotten and new exploitation techniques that make the unthinkable possible!",
"avatar": "http://cfp.bsidesvienna.at/media/avatars/IMG_20220802_080009-PhotoRoom_WLP6gHQ.png"
}
],
"title": "SMTP Smuggling Revisited – Still Spoofing E-mails Worldwide?!",
"submission_type": "Talk",
"track": {
"en": "Main Track"
},
"state": "confirmed",
"abstract": "Since 1982 we’re sending e-mails across the globe with the Simple Mail Transfer Protocol (SMTP). Nevertheless, just last year, a simple yet crucial mistake in popular SMTP implementations was discovered, allowing for so called SMTP smuggling. Have you ever wanted to send e-mails as [email protected] while still passing SPF checks? SMTP smuggling had you covered! However, with global fixes applied, this is now another story.\r\n\r\nTherefore, building upon the knowledge established in the initial discovery, this talk delves deeper into the intricacies of SMTP smuggling, unveiling novel exploits and targeting unexpected attack surfaces. Starting from SMTP smuggling fundamentals, we’re analyzing theoretical and practical ways to once again send an e-mail as [email protected].\r\n\r\nHence, we again shine the light on SMTP and see what this protocol has left to offer!",
"description": "1. Introduction\r\n- The talk starts with a short introduction and a brief anecdote about finding vulnerabilities.\r\n- This transitions to a short story about SMTP smuggling and how this research happened in the first place.\r\n2. Covering the basics\r\n- Following the introduction, we’re then covering some SMTP basics, including SMTP infrastructure and some common terminology.\r\n- Based on this knowledge, we will go over SMTP smuggling theory and previous findings of the initial SMTP smuggling research, laying the foundation for further research to come.\r\n3. Test infrastructure and analysis methods\r\n- Here, we cover the used tools and methods that make SMTP analysis possible.\r\n- This includes the SMTP analysis tools available at https://github.com/The-Login/SMTP-Smuggling-Tools.\r\n4. Building upon SMTP smuggling\r\n- In this section, we’re going over potential theoretical SMTP attacks and attack surfaces, including:\r\n - Encoding Confusions\r\n - Line Length Breakout \r\n - Smuggling via BDAT \r\n - Smuggling dangerous/exotic SMTP commands\r\n - etc.\r\n5. The findings\r\n- With the knowledge gained from the previous sections, we can now move on to the somewhat unexpected findings.\r\n- Instead of classic SMTP smuggling, we look at software affected by a novel type of SMTP From header spoofing, being SMTP header smuggling.\r\n- This includes e-mail services hosted by REDACTED and Apple (iCloud).\r\n6. Conclusion\r\n- We end the session with some closing words about SMTP (smuggling) vulnerabilities. \r\n\r\nReferences: https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/, https://www.youtube.com/watch?v=V8KPV96g1To, https://smtpsmuggling.com/",
"duration": 30,
"slot_count": 1,
"do_not_record": false,
"is_featured": false,
"content_locale": "en",
"slot": {
"room": {
"en": "Track 1 (Dachssal)"
},
"start": "2024-11-23T14:10:00+01:00",
"end": "2024-11-23T14:40:00+01:00"
},
"image": "http://cfp.bsidesvienna.at/media/bsv2024/submissions/WW7JUK/SMTP_Smuggling_logo_white_nIJIkqB.png",
"resources": []
},
{
"code": "GUGKXJ",
"speakers": [
{
"code": "LLFQD8",
"name": "Julian-Ferdinand Vögele",
"biography": "Julian-Ferdinand Vögele is a senior threat researcher at Recorded Future’s Insikt Group. With extensive experience in malware research, he specializes in tracking infrastructure linked to both cyberespionage and cybercriminal operations. Prior to joining Recorded Future, Julian-Ferdinand worked in offensive security and studied computer science at UCL in London. He is a fellow of the European Cyber Conflict Research Initiative (ECCRI).",
"avatar": null
}
],
"title": "Exposing Predator's Infrastructure: The Impact of Public Exposure and Heightened Sanctions",
"submission_type": "Talk",
"track": {
"en": "Main Track"
},
"state": "confirmed",
"abstract": "The ongoing use of mercenary spyware, such as Predator, for purposes beyond legitimate law enforcement raises concerns regarding privacy, legal implications, and the physical safety of targeted individuals, their employers, and those involved in these activities. Although marketed ostensibly for counterterrorism and law enforcement, there is a well-documented pattern of Predator being used to target civil society, including journalists, politicians, and activists. This presentation aims to demonstrate how Predator has been exposed and the impact on their operations when combined with political re-evaluations, such as sanctions.\r\n\r\nIn the first part, we examine the multi-tiered Predator delivery infrastructure network identified and exposed by Recorded Future. This includes delivery servers, upstream servers, and infrastructure that is highly likely linked to Predator customers. We illustrate how, among other things, spyware operators initially responded to public reporting in September 2023 and continued their operations with minimal changes to their modus operandi. Our investigation uncovered ongoing Predator usage in at least 11 countries, including two previously unidentified: the Philippines and Botswana.\r\n\r\nIn the second part, we aim to evaluate the operational status of Intellexa’s Predator after more than a year of major publications. These include Citizen Lab’s report on the hacking of Ahmed Eltantawy, Amnesty’s Predator Files detailing leaked documents about capabilities and an in-depth investigation into Indonesia, and infrastructure exposure by private security companies like Recorded Future. We illustrate how public reporting, alongside unprecedented sanctions and political efforts to combat spyware proliferation—including the US adding Intellexa to the entity list, an EU resolution, a US visa ban for various individuals involved with Intellexa, and the initiation of the Paul Mall Process—has significantly impacted Predator’s operations.\r\n\r\nIn the end, we will zoom out, offering insights into the future direction of Predator and providing an outlook on the future of the entire landscape of the mercenary spyware ecosystem.",
"description": "",
"duration": 30,
"slot_count": 1,
"do_not_record": false,
"is_featured": false,
"content_locale": "en",
"slot": {
"room": {
"en": "Track 1 (Dachssal)"
},
"start": "2024-11-23T13:35:00+01:00",
"end": "2024-11-23T14:05:00+01:00"
},
"image": null,
"resources": []
},
{
"code": "CDKBSY",
"speakers": [
{
"code": "3TPGJD",
"name": "Roei Sherman",
"biography": "Roei Sherman is the Field CTO at Mitiga, a leading Cloud Incident Response company, where he leverages his extensive expertise in cybersecurity to drive innovation and guide strategic initiatives. With over a decade of experience in adversarial cybersecurity roles, Roei specializes in Red Team operations, utilizing an adversarial mindset and guerrilla tactics to enhance defensive strategies across various security engagements, including training, lectures, and consulting.\r\nRoei's career began in the Field Intelligence unit of the IDF, where he continues to serve in the Reserves. He has held significant positions at AB InBev as Global Director of Offensive Services and as an information security consultant and Red Team leader for EY Israel. His technical acumen encompasses red team engagements, cloud security, social engineering, physical security, deception, and incident response.\r\nRoei is known for his ability to think like an attacker, providing invaluable insights and strategies for robust cybersecurity defenses. His contributions to the field have made him a sought-after speaker and consultant, helping organizations strengthen their security posture against evolving threats.",
"avatar": "http://cfp.bsidesvienna.at/media/avatars/IMG_0137_G6Jrvy5.JPG"
}
],
"title": "Attackers Aren't Breaking In, They're Logging In: Cloud Security Asymmetry",
"submission_type": "Talk",
"track": {
"en": "Main Track"
},
"state": "confirmed",
"abstract": "In today's digital landscape, adversaries have shifted their focus to the cloud, finding it easier to attack and compromise than traditional on-premises systems. This talk explores the asymmetry in cloud security, where attackers find the cloud environment more accessible and easier to exploit, while defenders struggle to keep up. We will delve into the reasons behind this imbalance, including the global accessibility of cloud services, the critical role of identity as the new perimeter, and the low barrier to entry for attackers needing only a single set of credentials. Additionally, we'll discuss the lack of visibility in cloud environments compared to the well-established practices in on-premises setups, and how the diverse configurations and logging systems of various cloud providers add to the complexity. Finally, we will address the unique skill set required for incident response in the cloud and the industry's current readiness. Attendees will gain a comprehensive understanding of these challenges and learn practical strategies to enhance their cloud defense capabilities.",
"description": "Adversaries are not “breaking in”, they are “logging into”. They are innovating, adapting their techniques to exploit the unique opportunities and vulnerabilities presented by cloud environments.\r\nThis talk dives deep into the minds and methods of attackers as they navigate the shift from traditional on-premises environments to the vast, dynamic expanse of the cloud. \r\nThis talk will uncover the nuanced strategies, sophisticated tools, and evolving targets of these adversaries, emphasizing their opportunistic adaptation to cloud-specific security gaps. Attendees will gain insights into the latest attack vectors that are uniquely effective in cloud environments, from exploiting misconfigurations and weak identity and access management policies to leveraging insecure APIs and manipulating cloud-native features. We will explore how attackers perceive the cloud as a fertile ground for exploitation, adapting their mindset to the cloud’s architectural complexities and the inherent challenges it poses to traditional security paradigms. Highlighting a pivotal shift, this presentation will reveal that attackers have fundamentally changed their techniques, moving away from the approaches we've known so far, necessitating that defenders undergo a similar transformation to effectively counteract these advanced threats. By highlighting real-world case studies and dissecting successful cloud breaches, this presentation aims to provide a comprehensive understanding of the attacker's perspective, revealing how their approaches shift in response to cloud adoption. Attendees will leave with a profound understanding of the critical need for cloud-native security strategies and the knowledge to anticipate, identify, and defend against the sophisticated tactics employed by adversaries in the cloud. This talk is designed to arm cybersecurity professionals with the insights needed to fortify their cloud environments against the ever-evolving threat landscape, ensuring a proactive and resilient defense posture in the face of cloud-centric attacks.",
"duration": 25,
"slot_count": 1,
"do_not_record": false,
"is_featured": false,
"content_locale": "en",
"slot": {
"room": {
"en": "Track 1 (Dachssal)"
},
"start": "2024-11-23T11:35:00+01:00",
"end": "2024-11-23T12:00:00+01:00"
},
"image": null,
"resources": []
},
{
"code": "H83CJX",
"speakers": [
{
"code": "BXDTQZ",
"name": "Sarah Mader",
"biography": "Sarah is a Senior Consultant at NVISO, with a focus on Red Team Assessments. Complementing her cybersecurity experience, she has developed proficiency in Operational Technology (OT) assessments and continues to specialize further in this area.\r\n\r\nShe possesses a Master's degree in Applied IT Security, which has been enriched by her diverse experiences in cybersecurity roles across various companies.\r\n\r\nIn addition to her professional work, Sarah is dedicated to contributing to the community by leading workshops and delivering presentations at international industry conferences.",
"avatar": "http://cfp.bsidesvienna.at/media/avatars/Sarah_Mader_XJhRCgY.JPG"
}
],
"title": "Red Team Operations in OT: A peek behind the curtains of hacking industrial systems",
"submission_type": "Talk",
"track": {
"en": "Main Track"
},
"state": "confirmed",
"abstract": "In an era where industrial systems are increasingly targeted by sophisticated cyber threats, understanding how these attacks take place and how to defend against these attacks is crucial. This presentation will provide an in-depth look at Red Team operations within Operational Technology (OT) environments, such as factories and power plants.",
"description": "We will begin by outlining the fundamental differences between OT and IT security, highlighting the unique challenges and vulnerabilities present in OT systems. This foundational knowledge sets the stage for a deeper exploration of the current threat landscape within OT environments.\r\n\r\nThe core of the presentation will focus on real-world case studies from our Red Team assessments. We will walk you through the methodologies we use to simulate real attacker behaviours, from initial infiltration to identifying critical vulnerabilities, all while ensuring minimal disruption to operational processes.\r\n\r\nAgenda:\r\n\r\n- Introduction: Overview of Operational Technology (OT) and Red Teaming\r\n- Distinguishing IT from OT: Key Differences and Implications\r\n- Current Threat Landscape: Emerging Threats and Vulnerabilities in OT\r\n- Red Team Operations in OT Environments: Strategies, Tools, and Techniques\r\n- Case Studies: Real-world Examples and Lessons Learned",
"duration": 40,
"slot_count": 1,
"do_not_record": false,
"is_featured": false,
"content_locale": "en",
"slot": {
"room": {
"en": "Track 1 (Dachssal)"
},
"start": "2024-11-23T16:15:00+01:00",
"end": "2024-11-23T16:55:00+01:00"
},
"image": null,
"resources": []
},
{
"code": "NF9TK8",
"speakers": [
{
"code": "NJSNDS",
"name": "Tamir Ishay Sharbat",
"biography": "Tamir Ishay Sharbat is a software engineer with a passion for security and in particular AI security. His current focus is identifying vulnerabilities in enterprise AI products such as Microsoft Copilot and Copilot Studio, crafting prompt injections and elaborate attacks, and implementing effective security measures to protect these systems. With previous experience as a startup founder and CTO, Tamir is also a Techstars Tel Aviv alumni",
"avatar": "http://cfp.bsidesvienna.at/media/avatars/profile_pic_jAfKZao.jpeg"
}
],
"title": "Hacking Your Enterprise Copilot: A Direct Guide to Indirect Prompt Injections",
"submission_type": {
"en": "Talk"
},
"track": {
"en": "Main Track"
},
"state": "confirmed",
"abstract": "Enterprise copilots, from Microsoft Copilot to Salesforce’s Einstein, are adopted by every major enterprise. Grounded into your personal enterprise data they offer major productivity gains. But what happens when they get compromised? And how exactly can that happen?\r\n\r\nIn this talk we will see how we can turn these trusted enterprise AI assistants into our own malicious insiders within the victim organization. Spreading misinformation, tricking innocent employees into making fatal mistakes, routing users to our phishing sites, and even directly exfiltrating sensitive data!\r\n\r\nWe’ll go through the process of building these attack techniques from scratch, presenting a mental framework for how to hack any enterprise copilot, no prior experience needed. Starting from system prompt extraction techniques to crafting reliable and robust indirect prompt injections (IPIs) using our extracted system prompt. Showing a step by step process of how we arrived at each of the results we’ve mentioned above, and how you can replicate them to any enterprise copilot of your choosing.\r\n\r\nTo demonstrate the efficacy of our methods, we will use Microsoft Copilot as our guinea pig for the session, seeing how our newly found techniques manage to circumvent Microsoft’s responsible AI security layer.\r\n\r\nJoin us to explore the unique attack surface of enterprise copilots, and learn how to harden your own enterprise copilot to protect against the vulnerabilities we were able to discover.",
"description": "Intro: The promise of enterprise copilots\r\n\r\nEnterprise copilots such as Microsoft Copilot and Salesforce Einstein promise to bring even further productivity gains into the enterprise. Providing the ability to ask questions about files and emails, summarize long documents for you, create Powerpoint presentations and much more. But with that promise comes also a great risk, overreliance. And this time it’s even worse.\r\n\r\nMicrosoft Copilot: Our guinea pig for the session\r\n\r\nMicrosoft has been pushing their Copilot anywhere they can think of. It’s their flagship AI product. We’re going to demonstrate all of the techniques directly on Microsoft Copilot. Showing how we can (easily) manipulate Microsoft’s responsible AI layer into acting completely irresponsibly.\r\nMicrosoft Copilot is built as a sophisticated RAG system. Upon getting the user’s prompt Copilot runs a query to search for the relevant documents, then appends the results to the user’s prompt and sends the full prompt - including context (i.e. relevant files’ contents) - directly to the LLM. This RAG architecture repeats itself across enterprise copilots and has notable exploits. Here we’ll deep dive into the architecture itself.\r\n\r\nExtracting a protected system prompt: Advanced techniques\r\n\r\nSystem prompts are not only specific instructions that tell the LLM how to act, they are also crucial for developing more advanced attacks. Because of the sensitivity of the system prompt many AI applications try to protect their system prompt. But is it enough? And can you circumvent these protection layers? \r\nWe’ll show how we can extract the system prompt of an unprotected GPT . We’ll continue to show how Micorosft tried to protect their Copilot’s system prompt and finally we’ll demonstrate proven techniques to circumvent these protections. In addition we’ll see how these techniques also work on other protected AI applications.\r\n\r\nIntroduction to prompt injections: Diving into indirect injections (IPIs):\r\n\r\nPrompt injections are a great way to manipulate AI apps into doing things they aren’t supposed to. But there isn’t a lot of damage I can cause if I have access only to my own data. Enter Indirect Prompt Injections. A way to manipulate other people’s Copilots. Mixed together with RAG poisoning which is a way to mislead Copilots into confidently outputting false information, we get a whole new attack path, brought to us exclusively by AI overreliance. Here we show hands on how you can execute a RAG poisoning attack and combine it with indirect prompt injections to make it even more powerful.\r\n\r\nRobust IPIs: using the system prompt to craft indirect injections\r\n\r\nThe IPIs we demonstrated previously are good, but they are inconsistent. How can we make them more reliable? Use the system prompt we extracted. By combining “secret” information from the system prompt into the IPI we can take it from flakey to robust. More than that, once we know from the system prompt how the Copilot is meant to behave we can use these dispositions to make our IPI even more powerful. And ofcourse, we’ll demonstrate exactly how (hands on). All while showing exactly how we evade Microsoft’s responsible AI controls.\r\n\r\nWreaking havoc: how IPIs can be used in real life - Turning Microsoft Copilot into our agent of chaos\r\n\r\nIPIs are powerful, but how exactly can they be used? Here are a few which we’ll demonstrate and analyze:\r\n1. When a user asks for a bank account we use Copilot to switch it to the wrong one (demo).\r\n2. When a user asks for web information - we fool Copilot to give a phishing link instead (demo).\r\n3. When a user asks to summarize their emails - we fool Copilot into sending sensitive data out using Bing search (demo).\r\nWe can do all of this damage completely from outside the org. Without even compromising a single user account.\r\n\r\nDefense\r\n\r\nWe can’t leave you completely undefended against all of the things we demonstrated in this talk. Here we’ll recommend ways to detect IPIs and highlight the necessity of a skeptic mindset when dealing with AI outputs.",
"duration": 45,
"slot_count": 1,
"do_not_record": false,
"is_featured": false,
"content_locale": "en",
"slot": {
"room": {
"en": "Track 1 (Dachssal)"
},
"start": "2024-11-23T10:45:00+01:00",
"end": "2024-11-23T11:30:00+01:00"
},
"image": null,
"resources": [
{
"resource": "/media/bsv2024/submissions/NF9TK8/resources/BSides_Vienna_2024_-_Hacking_Enterprise_Copilots_oP8mBI8.pdf",
"description": "Slides"
}
]
},
{
"code": "GTDZAR",
"speakers": [
{
"code": "EBCYMH",
"name": "Martin Haunschmid",
"biography": "Martin was a long-time developer, before one of his websites got hacked. This way, he realized you can earn money (officially, of course, and always with a permission to attack) doing something he now considers the best job there is. Nowadays he's mostly doing Application Security in the form of black-box web-app penetration tests and source code reviews via his company Adversary GmbH.\r\n\r\nOther than that, he tries to communicate his fascination with the industry to not-so-technical folk by producing the \"Hacks of the Week\" and sometimes does talks.",
"avatar": null
}
],
"title": "Persons who stare at Source Code.",
"submission_type": "Talk",
"track": {
"en": "Second Track"
},
"state": "confirmed",
"abstract": "Source code review is a skill which complements the black-box toolset perfectly. In this talk, we'll go over the basics of source code review, sources and sinks, some pitfalls and learnings I had from doing (way too) many reviews. Then, we'll have a few challenges: Can you spot the vulnerability of famous CVEs in the source code? Featuring Ivanti, JetBrains and GitLab!",
"description": "",
"duration": 30,
"slot_count": 1,
"do_not_record": false,
"is_featured": false,
"content_locale": "en",
"slot": {
"room": {
"en": "Track 2 (3.1 (Kreativ))"
},
"start": "2024-11-23T14:10:00+01:00",
"end": "2024-11-23T14:40:00+01:00"
},
"image": null,
"resources": []
},
{
"code": "7WSPY8",
"speakers": [
{
"code": "KWAAFA",
"name": "Jürgen Brandl",
"biography": "Jürgen Brandl is a senior cyber security analyst and has 10 years of experience working in incident response, protecting both governmental and critical infrastructure from cyber attacks. In his current role, he is researching and advocating for the need to use AI to face the emerging threat landscape.",
"avatar": "http://cfp.bsidesvienna.at/media/avatars/95392785_2673196256246495_6373562842552991744_o_GTL0iRC.jpg"
},
{
"code": "GU7EG3",
"name": "Aaron Kaplan",
"biography": "Aaron Kaplan\r\n\r\nBackground: Computer Science TU Vienna and Mathematics Univ. of Vienna.\r\n\r\nCurrently working for DIGIT-S.2 where he focuses on how AI can help IT security and Cyber Threat Intelligence Analysis.\r\n\r\nPrior to joining DIGIT-S.2, Aaron was employee #4 of CERT.at, the national CERT of Austria from 2008-2020. \r\n\r\nAt CERT.at, he co-developed and founded the IntelMQ Incident Response automation framework (intelmq.org).\r\nDuring his time at CERT.at he held multiple additional roles. Amongst others, he was member of the board of directors of the global Forum for Incident Response and Security Teams (FIRST.org) between 2014-2018. \r\n\r\nHe is a frequent speaker at (IT security) conferences such as Blackhat, hack.lu, FIRST or Falling Walls, amongst others.\r\n\r\nHe is the founder of the FunkFeuer (http://www.funkfeuer.at) free wireless mesh community ISP in Austria. Funkfeuer, received international attention as a role model for bottom-up networking. Amongst others an article in Scientific American [1]\r\n\r\n\r\n\r\nAaron likes to come up with ideas which have a strong positive benefit for (digital) society as a whole and which scale up.",
"avatar": null
}
],
"title": "Fine-tuning an LLM on CTI reports for fun and profit",
"submission_type": "Talk",
"track": {
"en": "Main Track"
},
"state": "confirmed",
"abstract": "LLMs turn out to be highly practical for summarising and extracting information from unstructured Cyber Threat Intelligence (CTI) reports. However, most models were not trained specifically for understanding the lingo of CTI. We will present our custom, local LLM, fine-tuned for CTI purposes. But how would we know if it's any good? That only makes sense with a CTI text benchmark dataset. Trying to solve these two challenges was quite a journey. Set-backs guaranteed. We will share our findings.",
"description": "Many CTI practitioners and companies experimented with LLMs for extracting information from unstructured CTI reports in the last year. Often, the dream is to automate the analyst's job to correctly identify, copy & paste TTPs, threat actors and relationships from the report and to convert it into STIX.\r\n\r\nAlas, off-the-shelf LLMs often fail at this task (GPT-4-turbo being already pretty good at the submission time). But there is another caveat: the requirements for IT security often demand that data remains on-premise or at least in a virtual server which is fully and only under the control of the organisation's IT team. For that we need local LLMs (as opposed to cloud bases SaaS/FaaS solutions such as openai.com's API). But how to achieve good results with local LLMs ? Can we beat openai?\r\n\r\n\r\nTo address the CTI text summarisation and information extraction problem, we\r\n\r\n1. propose an open source CTI LLM benchmark dataset which can be used to compare different LLMs and prompts\r\n2. a fine-tuned custom CTI LLM model (\"neuroCTI\") and\r\n3. evaluate it (as well as other LLMs) against the benchmark dataset and\r\n4. incorporate the infosec community in our endeavour \r\n\r\nThe model is freely available to the public.",
"duration": 30,
"slot_count": 1,
"do_not_record": false,
"is_featured": false,
"content_locale": "en",
"slot": {
"room": {
"en": "Track 1 (Dachssal)"
},
"start": "2024-11-23T10:10:00+01:00",
"end": "2024-11-23T10:40:00+01:00"
},
"image": null,
"resources": [
{
"resource": "/media/bsv2024/submissions/7WSPY8/resources/BSides-2024.pptx_5iSXjax.pdf",
"description": "slides"
}
]
},
{
"code": "993J3A",
"speakers": [
{
"code": "MJ3KNB",
"name": "Paul Zenker",
"biography": "Paul loves all things cybersecurity and hacking. He loves to work in the areas of OSINT, Recon, Red Teaming and CTI for offensive purposes as well as AI security. He is an IT security analyst at NSIDE ATTACK LOGIC. He enjoys learning from others and sharing his knowledge. Outside the infosec world, he has an interest in sports, watch repair, and adding to his pile of unfinished projects, languages, and skills he tried to learn or build.",
"avatar": "http://cfp.bsidesvienna.at/media/avatars/Bild_Paul_0bzXwqM.png"
}
],
"title": "Didn't Last a Minute: Why We Can't Secure LLMs and Might Never",
"submission_type": "Talk",
"track": {
"en": "Main Track"
},
"state": "confirmed",
"abstract": "I guess that no day in 2024 went by without a security person crying because they realized that their organization will employ an LLM application, and they are the one responsible for its security. This application will receive inputs from scary sources like customers, emails and the internet. But don’t you fear dear security person, there is a security vendor coming to the rescue. They bring tools and APIs that can be installed easily, work with everything and make all problems go away. Or do they? We will explore the landscape of current solutions, see how to break them, and release a new tool called \"Sprechen Sie Deutsch?\". This aims to help the security community understand these measures so that they can be improved in the future.",
"description": "This talk originates from my work with LLM applications and talking to developers and IT management that want to implement these tools securely. After showing them all the ways these generative AI applications can be insecure and how these insecurities often relate to prompt injection, they obviously want to know about countermeasures. At this point, traditional advice in blog articles and talks will point them to tools like Lakera, LLM-Guard, Rebuff or the measures implemented by providers like Azure. While it is always admitted that these solutions are not perfect, the discussion often stops there without explaining what \"not perfect\" means. This talk will do exactly that and showcase exploits against the protection systems and explain why they work and why they are so hard to fix.\r\n\r\nThis talk does not intent to blame LLM security vendors, they are brave and clever people who deserve our admiration. We badly need them to figure out a solution. However, this will only happen if the hacker community understands how to break these systems, before the bad guys do.",
"duration": 30,
"slot_count": 1,
"do_not_record": false,
"is_featured": false,
"content_locale": "en",
"slot": {
"room": {
"en": "Track 1 (Dachssal)"
},
"start": "2024-11-23T09:35:00+01:00",
"end": "2024-11-23T10:05:00+01:00"
},
"image": null,
"resources": []
},
{
"code": "ZJYRBU",
"speakers": [
{
"code": "X7LML9",
"name": "Stuart McMurray",
"biography": "Stuart is a Lead Engineer on the Offensive Security team at Klarna, where he focuses on Red Teaming, Unix, and general Swiss Army knifery. He's been on the offensive side of public and private sector security for seven years, during which time he's been an operator and trainer and developed a small arsenal of public and private offensive tools.",
"avatar": "http://cfp.bsidesvienna.at/media/avatars/8027-0o0o0-3xVDStxoyHa1bkJmXEvMpi_08Jcsze.png"
}
],
"title": "What's the Red Team doing to my Linux Box?",
"submission_type": {
"en": "Talk"
},
"track": {
"en": "Main Track"
},
"state": "confirmed",
"abstract": "This talk seeks to demystify red team operations against compromised Linux hosts. We'll briefly discuss the sort of things a hacker stands to gain, but the bulk of the talk will walk through a reasonably representative operation, mainly sticking with common command-line tools and demonstrating what goes on when a Linux host is compromised and, more importantly, why.",
"description": "What _really_ happens when the Red Team ends up on a Linux box? What are they looking for? Does anybody really use `ed(1)`? Oh, then, what do they use and why?\r\n\r\nThere's often quite a bit happening in that often mysterious bit between initial access (i.e. code running somewhere someone would rather it not) and the meeting to discuss findings. Turns out, though, that behind the shroud of mystery is equal parts party tricks and good old-fashioned Linuxing; no magic, superpowers, or arcane incantations necessary.\r\n\r\nIn this talk we'll walk through (the fun bits of) a poking at a single server, with a twist. We'll first have a quick look at a handful of the whys behind compromising an arbitrary host, but the bulk of our time will be spent taking our initial access and turning it into full compromise without fancypants hacker tools or TTPs; in other words, we'll hack sysadmin-style.",
"duration": 60,
"slot_count": 1,
"do_not_record": false,
"is_featured": false,
"content_locale": "en",
"slot": {
"room": {
"en": "Track 1 (Dachssal)"
},
"start": "2024-11-23T17:00:00+01:00",
"end": "2024-11-23T18:00:00+01:00"
},
"image": null,
"resources": []
}
]
}
