10:00
30min
The rise and fall of Baldr: Frankenstein's malware enjoys a wild ride
Albert Zsigovits

In January 2019, SophosLabs discovered that a new family of credential-stealing malware that called itself Baldr was being marketed on message boards used to advertise malware. In a short period of time, the developer of Baldr made a significant number of improvements and updates, including two major releases. Baldr enjoyed rapid growth in sales and, within a few months, had more than 200 criminal customers who were using it to steal valuable credentials, mainly from video game players, who were the most frequently targeted victims. In this talk, we will discuss the mechanism by which Baldr performs its tasks, how the malware markets and promotes itself, and some of the vulnerabilities in its command-and-control panel, which have allowed other criminals to take over its C2 servers.

Conference Hall
Dachsaal
10:35
30min
A handshake for vulnerabilities - A short dive into Krack and Dragonblood
Christoph Rottermanner, Philip Madelmayer

We all know and love it and would like to have it available all over the world - Wireless LAN. A technology that is used in many places to provide free Internet access, enable networking for various components or to move freely in offices and at home. But how secure is the wireless network that connects so many devices?
This talk will explore this question and try to give a brief overview of the functionality of the encryption standards WPA2 and WPA3 and explain known attacks on these two standards. The talk will also demonstrate the use of the well-known Krackattack.

Conference Hall
Dachsaal
11:10
45min
Code diving for pop chains
Wolfgang Hotwagner

PHP Object Injection is a well-known web vulnerability that could allow an attacker to perform different kinds of attacks by reusing and chaining existing code of the application (gadgets). Sometimes it is easier to find the vulnerability than to discover a proper chain for a remote code execution. This talk illustrates the long road of searching for various "POP chains" by disclosing details of a vulnerability for Okay-CMS. The code of the application will be analyzed and possible payloads will be discussed. A working unauthenticated remote code execution exploit will finally prove the concept.

Conference Hall
Dachsaal
12:00
30min
AI Application for Detection of Android Malware APKs and Fake e-Commerce Websites
Roman Graf, Olivia Dinica, Aaron

The MAL2 project employs AI for malware and fake website detection and comprises two parts:

  1. Neural Network-Based Technique for Android Smartphone Applications Classification
  2. Automating Fake e-Commerce Website Detection through Machine Learning

In our talk we will speak about AI applications for different domains of cyber security and demonstrate the advantages of the AI approach compared to previous solutions.

Conference Hall
Dachsaal
13:30
30min
seccomp — Your Next Layer of Defense
Philipp Krenn

Why should you allow all possible system calls from your application when you know that you only need some? If you have ever wondered the same then this is the right talk for you. We are covering:

  • What is seccomp in a nutshell and where could you use it.
  • Practical example with Elasticsearch and Beats.
  • How to collect seccomp violations with Auditd.

Because your security approach can always use an additional layer of protection.

Conference Hall
Dachsaal
14:05
40min
ÆCID: A self-learning Anomaly Detection Approach Based on Light-weight Log Analytics
Max Landauer, Markus Wurzenberger

Existing signature-based intrusion detection systems are based on manually defined patterns that are known to correspond to particular attacks and are therefore unable to disclose any previously unknown threats, such as zero-day exploits. ÆCID (Automatic Event Correlation for Incident Detection) alleviates this problem by employing self-learning anomaly detection. ÆCID is capable of automatically learning the complex syntax of log files, classifying events, and extracting relevant parameters for advanced analysis. This includes the derivation of rules regarding the correlation of events as well as occurrences of parameter values. In addition, ÆCID carries out statistical analyses on the observed values and reports all significant changes of system behavior to security analysts. ÆCID’s open-source log sensor, the AMiner, which enables efficient log parsing, allows building log analysis pipelines from a number of modules. The AMiner is designed as a light-weight component that fits seamlessly into any system and has minimal requirements regarding processing power and memory. Finally, the AMiner in combination with ÆCID supports connection to existing security solutions, such as SIEMs, by providing interfaces to standard message queue technologies, such as Kafka.

Our talk will consist of two parts: First, we will discuss some basic considerations when it comes to log data analysis and outline our strategies of tackling the encompassed challenges, including the parsing of logs from heterogeneous sources and design of anomaly detection methods. Then, we will present some selected features of ÆCID in a practical demonstration.

Conference Hall
Dachsaal
15:05
30min
When Your Biggest Threat is on Your Payroll: Drivers & Enablers of Insider Threat Activity
Christina Lekati

It is an irony in organizational security: Although so much capital is invested in the protection of the organizational assets against external threats, some of the largest compromises have occurred as a result of insider threats, sometimes resulting in irrecoverable damage, reputation risk, and liability. This type of threat is more important for organizations that are part of the critical infrastructure and industries where intellectual property and the protection of sensitive information are critical elements for their operations.
Employees in security-focused environments learn to treat outsiders with suspicion and to maintain trust boundaries. However, it is often the case that once an “outsider” enters the payroll of an organization they are given "carte blanche" in terms of trust and disclosure of information. They are now treated as the "insiders" that they are: members of the same tribe, fighting and working towards the same goals and using their skills to benefit their organization. Employees do not always realize that some “colleagues” consider the exploitation of organizational weaknesses a high-reward activity that serves their personal interests better than loyalty to the employer.

This presentation aims to shed light on the challenging topic of insider threats. It will discuss the motives that lead employees to unauthorized disclosure of sensitive information, process corruption, electronic sabotage, and/or the facilitation of third-party access to organizational assets. Research has repeatedly found a clear link between insider activity taking place and exploitable weaknesses in an organization’s security and management processes. Therefore, this talk will go on to discuss the organizational factors enabling insider threat operations as well as countermeasures against them, by combining the lessons learned on insider activity prevention from the fields of counterintelligence, psychology, and cyber-security.

Conference Hall
Dachsaal
15:40
30min
Building a Red Team in a complex environment
Ahmed Sherif (@_ahmadsherif)

The question that has always been asked: do we really need an offensive security team in our organisation?

In this presentation I'm going to talk about my journey of building up the offensive security team at one of the biggest Dutch banks: what the takeaways, approach, achievements and mistakes made during that journey are.

Conference Hall
Dachsaal
16:15
30min
Network Attacks for Red Teams and Blue Teams
Michael Kafka

Security features for network functions are not commonly deployed on typical installations. This allows attackers to move around freely in a network once a single point has been compromised. Weak network security enables lateral movement of an adversary and can also be exploited by Red Teams.

The talk starts with a brief discussion of network functions on Layer 2 and 3 and gives a brief history of famous malware families and campaigns which were used in the past. We will also define the goal of network attacks.

Then we discuss several techniques like ARP/ND spoofing/poisoning, MAC flooding, attacks on FHRP like VRRP or HSRP, UPnP, route injection, IP source route and more. We will show how these attacks are conducted, what we can achieve and also how to deploy countermeasures for mitigation.

Conference Hall
Dachsaal
17:00
420min
Drinks and Discussion
attendees and crew

Open Bar: first come, first served, as long as the sponsors' budget lasts; afterwards you'll have to pay for drinks. We'll try to keep going as long as there are people around; latest closing time: 0200.

Be considerate and nice to everyone you meet; if you're not able to handle your drink, leave. Our code of conduct can be viewed here: https://bsidesvienna.at/code_of_conduct/

At the Bar
Bar