Program

  • BSidesBUD Live! Stream // 1ST PART
    08:30 - 08:35
    Attila Marosi-Bauer - Opening Ceremony
    08:35 - 09:15
    Piotr Głaska - DNS in Offensive Techniques
    DNS is often a bit overlooked in the cybersec world, but it is used in almost every malicious campaign. During the course of the session we will aim to cover:
      - How DNS is used in various phases of the intrusion kill chain
      - The technical mechanisms behind DNS as a command and control (C&C) channel, data exfiltration, infiltration and more
      - How DNS is used in real attacks – we will walk through recent and most interesting examples of malware and APT attacks
    09:25 - 10:05
    Sergey Chubarov - Offensive Azure Security
    These days, working with a cloud platform is already commonplace. Companies choose Microsoft Azure for a number of benefits, including security. But there is some responsibility on the customer side, and that may become the weakest link in the chain. A demo-based session shows attacks on the weakest link in 3 scenarios: Hybrid Active Directory, Legacy VM-based application and Modern Application. The session includes:
      - Pentesting Azure AD Connect
      - Bypassing authentication & MFA
      - Getting control over Compute
      - Extracting secrets from Key Vault
      - Getting Access to App Service and Azure SQL Database
      - Exploring Azure Web App Firewall
    10:15 - 10:55
    Filipi Pires - Keep Your Code Safe During the Development Path using Opensource Tools
    Practical demonstration of how a developer can use a SAST tool for static analysis of code vulnerabilities, executing it on source code, byte code and/or binary and identifying security holes during the development process, analyzing many languages and formats, such as C, C#, Java, Kotlin, Python, Ruby, Golang, JavaScript, JSON… It also covers searching for key leaks and security flaws in all files of your project, as well as in Git history, in addition to receiving a managerial view with all this analysis information.
    11:05 - 11:45
    Swetha Balla - Lessons from the Trenches: Improving Response by being “Data Wrangling” Amateurs in AWS
    Incident response in AWS can be challenging for a couple of reasons - either logs are not available, making response impossible, or the log volume is large, making it hard to identify anomalous activity. These challenges are not necessarily new or unique to the cloud environment. However, building a relatively simple data pipeline by leveraging some of AWS’s “data” services can help address these challenges. In this talk, I will share “data wrangling” skills that I have acquired by responding to multiple AWS breaches, with a focus on:
      - Which logs should be enabled, and why?
      - How to store these logs to reduce storage cost and improve query performance?
      - How to visualise logs?
      - A sample case study (focus on CloudTrail logs) using these skills.
    This presentation’s key takeaway will be learning about some tools typically used by the data teams and using them for incident response.
    12:00 - 12:45
    Lunch break (45 mins)
  • BSidesBUD Live! Stream // 2ND PART
    12:45 - 13:25
    Itsik Mantin & Johnathan Azaria - AI in a Minefield: Learning from Poisoned Data
    a normality model constructed from previously seen traffic data. However, when the traffic originates from unreliable sources the learning process needs to mitigate potential reliability issues in order to avoid inclusion of malicious traffic patterns in this normality model. In this talk, we will present the challenges of learning from dirty data with a focus on web traffic - probably the dirtiest data in the world, and explain different approaches for learning from dirty data. We will also discuss a mundane but no less important aspect of learning – time and memory complexity, and present a robust learning scheme optimized to work efficiently on streamed data. We will give examples from the web security arena with robust learning of URLs, parameters, character sets, cookies and more.
    13:35 - 14:15
    Assaf Sion - Hunting bugs in JavaScriptCore with CodeQL
    Hunting bugs in JavaScriptCore might be a difficult task for the common security researcher, but fear no more, CodeQL is here to the rescue! During this presentation we will learn what side effects in JavaScript are and how they could cause bugs in the JavaScript engine. Then, we’ll gain knowledge about the capabilities of CodeQL, and discover the potential of variant analysis with CodeQL by translating these bugs into a pattern that CodeQL could find.
    14:25 - 15:05
    Vivek Malik & Kumar Vikramjeet - One Stop Anomaly Shop
    One Stop Anomaly Shop (OSAS) is a complete machine learning framework aimed at discovering anomalies in a given dataset. The open source project represents an implementation of several of Adobe’s Security Intelligence Team patents and white papers. The project aims to enable the user to create a custom pre-processing pipeline, using predefined recipes for numerical, categorical, text and combined datatypes. The output of the pipeline is a set of labels that describe the input data and that are later consumed by standard anomaly detection algorithms or supervised classifiers. The role of the pipeline/labels is to reduce data scarcity, while enhancing the accuracy of anomaly detection and supervised machine-learning algorithms even on small datasets. Its unique manner of tagging allows it to be used for a diverse range of datasets and projects. The Expert Knowledge Based tagging component makes it highly efficient at targeting security threats and shifts the underlying operation from unsupervised learning towards a semi-supervised one. The open source initiative contains the full source code of the project but also a dockerized version, equipped with an OSAS Web UI and an Elastic Search OpenDistro installation and integration for fast graphical analysis of the results. The presentation will contain an end-to-end hands-on PoC of how to leverage the off-the-shelf OSAS or how to fully customize a pipeline in just a couple of minutes/clicks. https://github.com/adobe/OSAS
    15:15 - 15:55
    Miklos Kiss & János Kovács & Bence Horvath - The use of Threat Intelligence to Enhance Automotive Security
    Engine power, fuel consumption, driving comfort, and handling of a car are just a few of the dimensions that define the quality of a car. With more and more core vehicle functions enabled by software running on specialized hardware chips, the security of those components is fast becoming another dimension of quality in the automotive industry, similar to how physical safety is a major concern and quality parameter today. This talk aims to discuss the use of threat intelligence to empower both increased security in the design of new automotive systems, as well as keeping existing components secure against newly discovered vulnerabilities and attack vectors.
    16:05 - 16:45
    Daniel Nussko - Large-scale Security Analysis of IoT Firmware
    Today, the number of IoT devices in both the private and corporate sectors is steadily increasing. IoT devices like IP cameras, routers, printers, and IP phones have become ubiquitous in our modern homes and enterprises. To evaluate the security of these devices, a security analysis has to be performed for every single device. Since manual analysis of a device and reverse engineering of a firmware image is very time-consuming, this is not practicable for large-scale analysis. To be able to conduct a large-scale study on the security of embedded network devices, an approach was applied that allows a high number of firmware images to be statically analyzed. For data acquisition, a crawler was used to identify and retrieve publicly available firmware images from the Internet. In this way, more than 10,000 individual firmware images have been collected. The firmware was then automatically unpacked and analyzed regarding security-relevant aspects. For the first time, this research provides insights into the distribution of outdated and vulnerable software components used in IoT firmware. Furthermore, a comprehensive picture of the use of compiler-based exploit mitigation mechanisms in applications and libraries is given. Factory default accounts were identified, and their passwords recovered as far as possible. Also, a large amount of cryptographic material was extracted and analyzed. Besides, a backdoor has been discovered in the firmware of several products that allows remote access to the devices via SSH after triggering the functionality. The backdoor has been verified and confirmed by the vendor and two official CVE numbers have been assigned. The results of this large-scale analysis provide an interesting overview of the security of IoT devices from 20 different manufacturers. IoT firmware was analyzed regardless of device type or architecture and a broad picture of their security level was obtained.
    16:55 - 17:35
    Filipi Pires - Discovering C&C in Malicious PDF with Obfuscation, Encoding and other Techniques
    Demonstrates different kinds of structures in binaries such as a PDF (header/body/cross-reference table/trailer), explaining how each section works within a binary and what techniques are used, such as packers, obfuscation with JavaScript (PDF) and more.
    17:45 - 17:50
    Attila Marosi-Bauer - Closing Notes
  • Online Workshop Sessions
    # TRACK 1 #
    09:00 - 11:00
    Péter Zsíros - Introduction to AD Security Workshop
    TBD
    11:00 - 11:15
    Break (15 mins)
    11:15 - 14:15
    Vasant Chinnipilli & Pralhad Chaskar - Securing the Kubernetes Workshop - Cloud Native Way
    Attackers always get better with new attack techniques, so our threat modelling and defense mechanisms need to level up. While the rapid adoption of Kubernetes shows just how disruptive these technologies have been, they have also led to new security problems. The widespread popularity and many organizations without proper security measures in place have made Kubernetes infra the perfect target for attackers. The security of the Kubernetes cluster, of course, cannot be achieved in a single process. There are many moving parts within the Kubernetes cluster that must be properly secured. The goal of this talk is to broaden awareness of how and why Kubernetes attacks and escapes work, starting from a brief tour of the Kubernetes ecosystem, and then looking at advanced threat modelling scenarios, covering in-depth defense mechanisms for multiple critical resources, continuous monitoring and alerting techniques that are focused on securing cloud native architectures, all the way down to releasing a commercial-grade open-source tool for continuous threat modelling and scanning of Kubernetes clusters.
    14:15 - 14:30
    Break (10 mins)
    14:30 - 16:30
    Péter Zsíros - Type Confusion Workshop
    TBD
    # TRACK 2 #
    09:00 - 11:00
    Abraham Aranguren - Practical Mobile App Attacks by Example Workshop
    If you are the kind of person who enjoys workshops with practical information that you can immediately apply when you go back to work, this workshop is for you, all action, no fluff :) Attendees will be provided with training portal access to practice some attack vectors, including multiple mobile app attack surface attacks, deeplinks and mobile app data exfiltration with XSS. This includes: Lifetime access to a training VM, vulnerable apps to practice, guided exercise PDFs and video recording explaining how to solve the exercises. This workshop is a comprehensive review of interesting security flaws that we have discovered over the years in many Android and iOS mobile apps: An entirely practical walkthrough that covers anonymized juicy findings from reports that we could not make public, interesting vulnerabilities in open source apps with strong security requirements such as password vaults and privacy browsers, security issues in government-mandated apps with considerable media coverage such as Smart Sheriff, apps that report human rights abuse where a security flaw could get somebody killed in the real world, and more. The workshop offers a thorough review of interesting security anti-patterns and how they could be abused; this is very valuable information for those intending to defend or find vulnerabilities in mobile apps. This workshop is for those who are intending to broaden their knowledge of mobile security with actionable information derived from real-world penetration testing of mobile apps. Please come caffeinated, the audience will be challenged to spot vulnerabilities at any moment :)
    11:00 - 11:15
    Break (15 mins)
    11:15 - 13:15
    Romansh Yadav - Attacking/Defending Android Apps Workshop
    This training mainly focuses on the security aspects of the world’s leading mobile operating system, Android. In this training attendees will learn about its architecture, file system, security model, application components, OWASP mobile attacks defense, reverse engineering techniques to uncover the security flaws within the application, method swizzling and runtime manipulation for the apps and hooking of the applications to exploit the security flaws. The training will also provide a thorough guide on how the mobile applications can be attacked and provide an overview of how some of the most important security checks for the applications are applied, giving an in-depth understanding of these security checks.
    13:15 - 13:30
    Break (15 mins)
    13:30 - 14:30
    Abraham Aranguren - Hacking Modern Desktop apps with XSS and RCE Workshop
    If you are the kind of person who enjoys webinars with practical information that you can immediately apply when you go back to work, this webinar is for you, all action, no fluff :) “Hacking Modern Desktop apps: Master the Future of Attack Vectors” is a desktop app security course that provides you with case studies from real-world vulnerable applications as well as know-how and techniques to take your desktop app security auditing kung-fu to the next level. The course covers attacks and mitigation against desktop apps on Linux, Windows and Mac OS X. The course focuses on Electron but the techniques covered will be helpful against other desktop platforms, as well as CSP bypasses and other web security techniques. In this brief 60-minute webinar we will explain what the course covers and give you a few lab samples covering the following topics:
      ● Essential techniques to audit Electron applications
      ● What XSS means in a desktop application
      ● How to turn XSS into RCE in Modern apps
      ● Attacking preload scripts
      ● RCE via IPC
    Attendees will be provided with training portal access to practice the attack vectors covered. This includes: Lifetime access to a training portal, vulnerable apps to practice, guided exercise PDFs and video recording explaining how to solve the exercises. Come and join us for this 60-minute hacking session, we’re sure you’ll leave with a thirst for more!