Rethinking Security When Assets Move Out of Your Control - Christine Bejerasco

Powerful computing capabilities accessible via browsers and thin clients are commonplace today. Many IT departments are subscribing to "as-a-service" models for software, platforms, and infrastructure which resulted in sensitive data falling to the custody of organizations we didn't even know we worked with.

In some organizations, this can mean subscribing to thousands of services that have varying levels of security posture. While we are not there yet, the trends show that we are heading fast towards the direction where the only thing left could be a terminal to access the assets that are no longer stored within our premises.

What threats have we seen in this new paradigm? How do we approach security when we can no longer contain our algorithms, data or even computing power?

This talk will be held in English.

Forward to the Past and Back to the Future - Cybercrime in 2024 and Beyond - Sami Laiho

Join Sami Laiho, Chief Research Officer of Adminize, for a look back in to what 2023 changed in the Security Threat Landscape and to hear his predictions on what will the future have in store for us.

This talk will be held in English.

FBlood, Urea and Firmware - Snoopy

Unfortunately, digitalization does not stop at the health industry. Accordingly, more and more medical devices are connected to the Internet, e.g. for remote maintenance or the collection of statistics. Unfortunately, the security of the device plays a VERY subordinate role in this. The proclaimed simplification and increase in efficiency sadly also make life easier for attackers.

This presentation sheds light on the security problems of a home dialysis machine that has been examined. Such a machine is often connected to the existing (and usually completely unsecured) Wi-Fi within the patient’s home. This gives the word operational risks a completely new life.

The findings of a pen test of the machine will be presented and suggestions will be given to aspiring and experienced healthineers on how to enhance security. This also primarily involves the mindset and the awareness of the developers.

As is common with my presentations, I will add some funny anecdotes that I cannot or must not put on the slides.

This talk will be held in German.

Current threats in the cyber space and the role of the police - Daniel Lorch

In this presentation, you will get to know internationally successful cooperation models within the investigative practice. You will learn more about the great expertise of the criminal investigation department before, during and after an IT security incident. Finally, we will also discuss what we can do together to counter the successful model of “crime-as-a-service” in order to provide more cyber resilience. Because only together we can successfully combat cyber threats.

This talk will be held in German.

AI between infinite possibilities and legal uncertainty - Joerg Heidrich

ChatGPT & Co. have arrived in day-to-day business in many companies. This raises the question of how the use of this new technology is to be assessed from a legal point of view. What about the copyright of the texts or images from the AI? What do I have to consider in terms of data protection? Can I oppose the use of my works by AI? In his presentation, Joerg Heidrich, specialist lawyer for IT law and legal advisor for Heise, uses the AI image generator Midjourney as an example to illustrate the current legal situation and shows you paths through the jungle of legal regulations.

This talk will be held in German.

Uninstalling Security: local privilege escalation through symbolic links - Frederik Reiter & Jan-Luca Gruber

Local privilege escalations are an essential part of attack chains of red team assessments in order to proceed with attacks without restrictions after an endpoint has been compromised.

In this context, we have looked for vulnerabilities and have indeed found a vulnerability vector in the Windows environment that has hardly been noticed by software manufacturers. Within a few months, a CVE assembly line could be opened, which led to local privilege escalations within various Enterprise software like RealVNC and VMware Workstation. To achieve this, symbolic links and opportunistic locks, both Windows built-in features, were used to trick highly privileged Windows services like Installer or EDR solutions.

In this talk, the vulnerabilities identified will be presented with many technical details and the Windows built-in security mechanisms and their limitations will be explained. In addition, there will be reports on the experience gained, and practical recommendations will be made on how to handle responsible disclosure processes.

CVEs in this talk: CVE-2022-43547, CVE-2022-41975, CVE-2023-25396, CVE-2023-0652, CVE-2023-1412, CVE-2023-20854

This talk will be held in German.

Artificial intelligence: What it is and why it concerns us all - Prof. Dr. Dr. Manfred Spitzer

Since the publication of ChatGPT, a language-based artificial intelligence (AI), on November 30, 2021, AI is discussed worldwide. Here it often remains unclear what is meant by AI; meanwhile, a lot of important knowledge already gained in this field is not talked about. Using examples from various fields of knowledge - medicine, military, climate, natural sciences, humanities, crime prevention, politics, economics - and the normal everyday life, this presentation will show what AI is and what AI can do. AI already permeates our life and our community, without any regulations, not to mention technology assessments. While ChatGPT essentially produces “stupid things” at worst, this is different for other fields: If we do not pay attention, AI can, in the wrong hands, threaten humanity. But it can - when used correctly - also contribute to the solution of urgent problems.

This talk will be held in German.

Serverless Security - Tal Melamed

Serverless technology eliminates the need for development teams to provision servers, and it also results in some security threats being passed to the cloud provider. This frees up developers to concentrate on building logic and producing value quickly. But cloud functions still execute code. If the software is written poorly, it can lead to a cloud disaster.

While Serverless code contains a mixture of cloud configurations and application programming interfaces (API) calls, legacy security solutions lack the context that is necessary in a serverless environment, and the consequence is a lack of observability and slower response times. This means that the security teams struggle to keep up with the speed of development and the security is left behind. Attackers, on the other hand, take advantage of these uncharted waters to exploit serverless environments in the wild. In most cases we don’t even hear about it because no one knows before something really bad happens.

In this talk, we will discuss common risks and challenges in serverless environments as well as new attack vectors and common techniques attackers use to exploit Serverless applications. Finally, we will demonstrate how attackers can exploit newly discovered CVEs to target Serverless applications without being noticed.

This talk will be held in English.

C&C Wak-a-malware – Amichai Shulman & Stav Shulman

A key component to any botnet is a robust C2 infrastructure. This infrastructure should be resilient and stealthy. Therefore, researchers focus their efforts on detecting and intercepting a botnet’s C2. This is useful for initial detection and tracking of malicious activities by the same actor.

Today most C2 infrastructure is based on hosts controlled by the attacker. These are either special purpose servers and endpoints, or general servers hijacked by the attacker. Some advanced operations are using different methods to evade detection of their C2 communications. Techniques include code injection into hosts kernel, tunneling over common protocols and use of public cloud share apps. The more evasive techniques require large efforts and sophistication, not common among the majority of attackers.

Yet, the biggest challenge for attackers is that once a botnet’s C2 components are detected and identified by researchers, all existing bots lose their connectivity FOR EVER.

In our presentation we will discuss the evolution of evasive C2 infrastructure based on evidence from actual campaigns. We’ll discuss the pitfalls of current state-of-the-art techniques and present a new approach to C2 infrastructure. This new approach is based entirely on public infrastructure, accessible to attackers of any skill level. The most important feature of our infrastructure is the ability of existing bots to rise from the dead and restore communications with the operator, regardless of efforts made by researchers to tear down the infrastructure. Leaving the defense community to play a vicious game of whack-a-mole against relentless malware. We’ll show that this technique can be easily applied to any OTS backdoor to dramatically increase the persistence of attack campaigns.

The goal of our presentation is to prove that persistent and resilient C2 infrastructure is not the sole property of high-end attackers. Hence defenders and solution providers must prepare for this new age of stealthy campaigns.

This talk will be held in English.

NTLM: The Legacy Protocol That Won’t Die – Elad Shamir

As we enter 2024, the legacy of NetNTLM, a 30-plus-year-old authentication protocol, continues looming over enterprise security. Despite Microsoft’s advice against its use since 2010, NTLM’s deprecation remains a challenge. Contrary to the belief of most security practitioners who consider NTLM-related attacks to be a solved problem or of negligible risk, attackers have been developing advanced adversary tradecraft abusing NTLM for decades, and it is now one of the most effective avenues for compromising internal systems, including Active Directory and the entire enterprise identity infrastructure.

In this talk, we delve deep into the world of NTLM, uncovering the most impactful techniques for exploiting its vulnerabilities. We’ll review sophisticated NTLM-related attacks orchestrated by top-tier threat actors, highlighting tradecraft that remains largely unknown in the security community. Our journey will traverse the evolution of NTLM, from its basic concepts to advanced real-world relay scenarios, including subtle yet impactful abuses.

But there’s more than just exposing the problem. We’ll engage in a solution-oriented discussion, exploring effective mitigation strategies, Microsoft’s plans for addressing these vulnerabilities, and the practical challenges in eradicating NTLM’s legacy. Whether you’re a seasoned security professional or new to the field, this presentation will equip you with a nuanced understanding of NTLM’s current risks and prepare you to better attack or defend networks against these enduring threats.

This talk will be held in English.

Hack your boardroom! – Edwin van Andel

We all know the feeling: We work at a nice company, where we have basic security measures in place, but how do you convince the board to take those extra steps?

We are hackers, or maybe technical ciso’s, we know the risks, but how do we actually get their attention? What stories should we tell? How should we behave?

In this talk, I will try to do just that. From a hacker’s perspective, I will introduce ’the bored board member’ and try to convince him of the importance of good security by showing him a shitload of real and mostly funny security ‘related' examples. Will he fall for it? Or will the board stay bored? And if it doesn’t work, then what does?

Yes, there will be some real tips and tricks in the talk as well, next to some nice technical pwonage and some beautiful hacks!

Keep smiling folks!

This talk will be held in English.

Writing Secure Software – Using MyBlog as Example – Felix von Leitner aka Fefe

I have previously given talks about security principles and approaches like Least Privilege, TCB Minimization, and Self Sandboxing. The most frequent feedback has been "I don't know how to apply this in practice". So, in this talk, I will show how I applied those principles in a real-world software project: a CRUD web app MyBlog.

I introduced dangerous attack surface on purpose so I could some day give a talk about how to apply these techniques to reduce risk. This is that talk.

I will also introduce the concept of append-only data storage.

The end goal of this talk is to show how much more security you can achieve if you don't take an existing architecture and try to sprinkle security over it, but you make architectural decisions with security in mind.

This is rarely done in practice because there is a fundamental disagreement between security and software engineering. Security is about limiting what can be done with the software, while software engineering is about not limiting what can be done with the software.

My goal with this talk is to show what kind of security gains are possible architecturally. You, too, can sleep soundly at night. Even if the software is written in C. Even if you have bad ACLs or a buffer overflow in the software.