• BSidesBUD Live! Stream // 1ST PART
    08:30 - 08:35
    Attila Marosi-Bauer - Opening Ceremony
    08:35 - 09:15
    Piotr Głaska - DNS in Offensive Techniques
    DNS is often a bit overlooked in the cybersecurity world, but it is used in almost every malicious campaign. During the session we will aim to cover:
      - How DNS is used in the various phases of the intrusion kill chain
      - The technical mechanisms behind DNS as a command and control (C&C) channel, data exfiltration, infiltration and more
      - How DNS is used in real attacks: we will walk through recent and the most interesting examples of malware and APT attacks
    09:25 - 10:05
    Sergey Chubarov - Offensive Azure Security
    These days, working with a cloud platform is already commonplace. Companies choose Microsoft Azure for a number of benefits, including security. But some responsibility remains on the customer side, and that may become the weakest link in the chain. This demo-based session shows attacks on the weakest link in 3 scenarios: Hybrid Active Directory, a legacy VM-based application and a modern application. The session includes:
      - Pentesting Azure AD Connect
      - Bypassing authentication & MFA
      - Getting control over Compute
      - Extracting secrets from Key Vault
      - Getting access to App Service and Azure SQL Database
      - Exploring Azure Web App Firewall
    10:15 - 10:55
    Filipi Pires - Keep Your Code Safe During the Development Path using Opensource Tools
    A practical demonstration of how a developer can use a SAST tool for static analysis of code vulnerabilities, running it against source code, bytecode and/or binaries to identify security holes during the development process. The tool analyses many languages, such as C, C#, Java, Kotlin, Python, Ruby, Golang, JavaScript, JSON… It also searches for key leaks and security flaws in all files of your project as well as in the Git history, and provides a managerial view of all this analysis information.
    11:05 - 11:45
    Swetha Balla - Lessons from the Trenches: Improving Response by being “Data Wrangling” Amateurs in AWS
    Incident response in AWS can be challenging for a couple of reasons: either logs are not available, making response impossible, or the log volume is large, making it hard to identify anomalous activity. These challenges are not necessarily new or unique to the cloud environment. However, building a relatively simple data pipeline by leveraging some of AWS’s “data” services can help address these challenges. In this talk, I will share “data wrangling” skills that I have acquired by responding to multiple AWS breaches, with a focus on:
      - Which logs should be enabled, and why?
      - How to store these logs to reduce storage cost and improve query performance?
      - How to visualise logs?
      - A sample case study (focused on CloudTrail logs) using these skills.
    This presentation’s key takeaway will be learning about some tools typically used by data teams and using them for incident response.
    12:45 - 13:25
    Itsik Mantin & Johnathan Azaria - AI in a Minefield: Learning from Poisoned Data
    Many security technologies use anomaly detection mechanisms on top of a normality model constructed from previously seen traffic data. However, when the traffic originates from unreliable sources, the learning process needs to mitigate potential reliability issues in order to avoid the inclusion of malicious traffic patterns in this normality model. In this talk, we will present the challenges of learning from dirty data with a focus on web traffic, probably the dirtiest data in the world, and explain different approaches to learning from dirty data. We will also discuss a mundane but no less important aspect of learning, time and memory complexity, and present a robust learning scheme optimized to work efficiently on streamed data. We will give examples from the web security arena with robust learning of URLs, parameters, character sets, cookies and more.
  • BSidesBUD Live! Stream // 2ND PART
    13:35 - 14:15
    Assaf Sion - Hunting bugs in JavaScriptCore with CodeQL
    Hunting bugs in JavaScriptCore might be a difficult task for the common security researcher, but fear no more, CodeQL is here to the rescue! During this presentation we will learn what side effects in JavaScript are and how they can cause bugs in the JavaScript engine. Then, we’ll gain knowledge about the capabilities of CodeQL, and discover the potential of variant analysis with CodeQL by translating these bugs into a pattern that CodeQL can find.
    14:25 - 15:05
    Vivek Malik & Kumar Vikramjeet - One Stop Anomaly Shop
    One Stop Anomaly Shop (OSAS) is a complete machine learning framework aimed at discovering anomalies in a given dataset. The open source project is an implementation of several patents and white papers of Adobe’s Security Intelligence Team. The project aims to enable the user to create a custom pre-processing pipeline, using predefined recipes for numerical, categorical, text and combined data types. The output of the pipeline is a set of labels that describe the input data and that are later consumed by standard anomaly detection algorithms or supervised classifiers. The role of the pipeline/labels is to reduce data scarcity, while enhancing the accuracy of anomaly detection and supervised machine-learning algorithms even on small datasets. Its unique manner of tagging allows it to be used for a diverse range of datasets and projects. The Expert Knowledge Based tagging component makes it highly efficient at targeting security threats and shifts the underlying operation from unsupervised learning towards a semi-supervised one. The open source initiative contains the full source code of the project and also a dockerized version, equipped with an OSAS Web UI and an Elastic Search OpenDistro installation and integration for fast graphical analysis of the results. The presentation will contain an end-to-end hands-on PoC of how to leverage the off-the-shelf OSAS or how to fully customize a pipeline in just a couple of minutes/clicks.
    15:15 - 15:55
    Miklos Kiss & János Kovács & Bence Horvath - The use of Threat Intelligence to Enhance Automotive Security
    Engine power, fuel consumption, driving comfort, and handling are just a few of the dimensions that define the quality of a car. With more and more core vehicle functions enabled by software running on specialized hardware chips, the security of those components is fast becoming another dimension of quality in the automotive industry, similar to how physical safety is a major concern and quality parameter today. This talk aims to discuss the use of threat intelligence to empower both increased security in the design of new automotive systems and keeping existing components secure against newly discovered vulnerabilities and attack vectors.
    16:05 - 16:45
    Daniel Nussko - Large-scale Security Analysis of IoT Firmware
    Today, the number of IoT devices in both the private and corporate sectors is steadily increasing. IoT devices like IP cameras, routers, printers, and IP phones have become ubiquitous in our modern homes and enterprises. To evaluate the security of these devices, a security analysis has to be performed for every single device. Since manual analysis of a device and reverse engineering of a firmware image are very time-consuming, this is not practicable for large-scale analysis. To be able to conduct a large-scale study on the security of embedded network devices, an approach was applied that allows a high number of firmware images to be statically analyzed. For data acquisition, a crawler was used to identify and retrieve publicly available firmware images from the Internet. In this way, more than 10,000 individual firmware images have been collected. The firmware was then automatically unpacked and analyzed with regard to security-relevant aspects. For the first time, this research provides insights into the distribution of outdated and vulnerable software components used in IoT firmware. Furthermore, a comprehensive picture of the use of compiler-based exploit mitigation mechanisms in applications and libraries is given. Factory default accounts were identified, and their passwords recovered as far as possible. Also, a large amount of cryptographic material was extracted and analyzed. In addition, a backdoor has been discovered in the firmware of several products that allows remote access to the devices via SSH after triggering the functionality. The backdoor has been verified and confirmed by the vendor, and two official CVE numbers have been assigned. The results of this large-scale analysis provide an interesting overview of the security of IoT devices from 20 different manufacturers. IoT firmware was analyzed regardless of device type or architecture, and a broad picture of their security level was obtained.
    16:55 - 17:35
    Filipi Pires - Discovering C&C in Malicious PDF with Obfuscation, Encoding and other Techniques
    A demonstration of the different kinds of structures in a PDF binary (header, body, cross-reference table, trailer), explaining how each section works within the binary and which techniques are used, such as packers, obfuscation with JavaScript (PDF) and more.
    17:45 - 17:50
    Attila Marosi-Bauer - Closing Notes