Welcome Notes

 H.E. Youssef Hamad AlShaibani - C.E.O. of Dubai Electronic Security Center - UAE


 Maarten Van Horenbeeck - Vice President of Security Engineering at Fastly - United States

  • Vice President of Security Engineering at Fastly, the Content Delivery Network that speeds up web properties around the world.
  • He is also Board member, and former Chairman, of the Forum of Incident Response and Security Teams (FIRST), the largest association of security teams, counting over 300 members in 78 countries.
  • Prior to his work at Fastly, Maarten managed the Threat Intelligence team at Amazon, deployed PKI at Google and addressed product security vulnerabilities at Microsoft. Maarten holds a master's degree in Information Security from Edith Cowan University and a master's degree in International Relations from the Freie Universität Berlin.


 Wim Remes - Chairman of the (ISC)2 Board of Directors - Belgium

  • Wim Remes is the founder of and principal consultant at NRJ Security, based in Belgium, and the current chairperson of the (ISC)2 Board of Directors. He leverages 15+ years of security leadership experience to advise clients on reducing their risk by solving complex security problems and by building resiliency into their organizations.
  • Before starting NRJ Security, Wim was Manager of Global Services EMEA at Rapid7; before that he worked as a managing consultant at IOActive, as manager of Information Security for Ernst & Young, and as a security consultant for Bull, where he gained valuable experience building security programs for enterprise-class clients. Wim has been engaged in various infosec community initiatives, such as co-developing the Penetration Testing Execution Standard (PTES), InfosecMentors, and organizing the BruCON security conference. He has been a featured speaker at international conferences such as Excaliburcon (China), Black Hat Europe, Source Boston, Source Barcelona and SecZone (Colombia). He was also a member of the (ISC)2 Board of Directors from 2012 until 2014, and chairperson in 2014 and 2016.


The Blackbox of DPAPI: the gift that keeps on giving

 Bartosz Inglot - MANDIANT / FireEye - Singapore

The Windows Data Protection API (DPAPI) has been around since Windows 2000. While it is widely used by developers for its simplicity and its "blackbox" design, it is not so well known in the DFIR community. Outlook, Internet Explorer, EFS, Skype... the list goes on: many everyday applications and Windows components rely on DPAPI to keep user secrets safe. But are they really that safe? This session provides an introduction to DPAPI from a DFIR practitioner's perspective, though red teamers will also find it interesting. It takes the audience through three real-world problems faced on Incident Response engagements, gradually building up knowledge as the stories unravel. At the end you will know how to decrypt DPAPI secrets offline, and what DPAPI has in common with exfil staging, a mysterious malware payload and RDP replay.

  • Bart is an Incident Response and Forensics Specialist in MANDIANT's Security Consulting Services team, helping clients restore confidence in the event of a breach. He holds a degree in Computer Forensics, is a keen developer, enjoys inspecting network traffic and specialises in Windows forensics, with a fascination for volatile memory.
  • Having worked on Incident Response engagements around the world, Bart routinely develops new tools and ideas to solve on-the-job problems and to ensure Mandiant remains an industry leader. Some of these developments led to Bart's contributions to the Volatility project.
  • After spending 8 years in England, Bart recently relocated to South-East Asia, which he believes is still the most fascinating, culturally diverse and opportunity-rich region in the world. The relative immaturity of cyber security in most of its countries, combined with the "hunger to learn" that most businesses and government organizations display, offers a significant growth opportunity.


Transforming Open Source to Open Access in Closed Applications: Finding Vulnerabilities in Adobe Reader's XSLT Engine

 Brian Gorenc, Jasiel Spelman, Abdul-Aziz Hariri - Trend Micro (Zero Day Initiative) - United States / Canada

The inclusion of open-source components in large, closed-source applications has become common practice in modern software. Vendors obviously benefit from this approach, as it allows them to quickly add functionality for their users without investing costly engineering effort. However, leveraging open source for a quick functionality boost comes with security side effects that the vendor might not understand until it is too late. In those cases, misunderstood or poorly implemented open source allows attackers to bypass security mechanisms that may exist elsewhere in the proprietary system.

This talk provides insight into these side effects through an examination of Adobe Reader's XSLT (Extensible Stylesheet Language Transformations) engine, which is based on the now abandoned open-source project Sablotron, an XML processor fully implemented in C++. We focus on techniques for auditing the source code of Sablotron in order to find corresponding bugs in Adobe Reader. We also present a new source-to-binary matching technique to help pinpoint the vulnerable conditions in Sablotron that also reside in Reader's compiled code. Real-world application of these techniques is demonstrated through a series of code execution vulnerabilities discovered in Adobe Reader's codebase. Finally, we highlight the trends in vulnerabilities discovered in Adobe Reader's XSLT engine over the last year.

  • Brian Gorenc
  • Brian Gorenc is the senior manager of Vulnerability Research with Trend Micro. In this role, Gorenc leads the Zero Day Initiative (ZDI) program, which represents the world's largest vendor-agnostic bug bounty program. His focus includes analyzing and performing root-cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world.
  • The ZDI works to expose and remediate weaknesses in the world's most popular software. Brian is also responsible for organizing the ever-popular Pwn2Own hacking competitions.
  • Jasiel Spelman
  • Jasiel Spelman is a vulnerability analyst and exploit developer for the Zero Day Initiative (ZDI) program. His primary role involves performing root cause analysis on ZDI submissions to determine exploitability, followed by developing exploits for accepted cases.
  • Prior to being part of ZDI, Jasiel was a member of the Digital Vaccine team where he wrote exploits for ZDI submissions, and helped develop the ReputationDV service from TippingPoint. Jasiel's focus started off in the networking world but then shifted to development until transitioning to security. He has a BA in Computer Science from the University of Texas at Austin. Twitter: @WanderingGlitch
  • Abdul-Aziz Hariri
  • Abdul-Aziz Hariri is a security researcher with the Zero Day Initiative program. In this role, Hariri analyzes and performs root-cause analysis on hundreds of vulnerabilities submitted to the Zero Day Initiative (ZDI) program, the world's largest vendor-agnostic bug bounty program. His focus includes root-cause analysis, fuzzing and exploit development. Prior to joining ZDI, Hariri worked as an independent security researcher and as a threat analyst for Morgan Stanley's emergency response team.
  • During his time as an independent researcher, he was profiled by Wired magazine in their 2012 article "Portrait of a Full-Time Bug Hunter". In 2015, Abdul was part of the research team that submitted "Breaking Silent Mitigations - Gaining code execution on Isolated Heap and MemoryProtection hardened Internet Explorer" to the Microsoft bounty program. Their submission netted the highest payout to date from the Microsoft bounty program, and the proceeds went to many STEM organizations.


From mimikatz to kekeo, passing by new Microsoft security technologies

 Benjamin "gentilkiwi" Delpy - Kiwi - France

In recent years, Microsoft has multiplied its efforts to slow down some mimikatz behaviours: the most popular ones, and in some ways the most dangerous. This presentation takes a retrospective look at Microsoft's methods for preventing credential theft, whether quick-and-dirty patches or infrastructure changes, together, of course, with their bypasses or alternative methods.

With the increase in detections and new security technologies in Windows, attack methods for elevating privileges have evolved. The newer techniques cannot simply be "corrected": they sit closer to protocols, official methods and standards offered by Windows. We will take a look at the latest features of mimikatz, but also of its turbulent little brother, the Kerberos-oriented kekeo, with a very particular focus on PKINIT Mustiness and Windows Server 2016; you will no longer look at your credentials and smartcards/tokens in the same way.

KIWI ADVISORY: Explicit credentials - the first rows can see cleartext credentials.

  • Benjamin Delpy is a security researcher known as `gentilkiwi`. He has spoken at PHDays, ASFWS, StHack, BlackHat, BlueHat and others. A security enthusiast, he publishes tools and articles to discuss product weaknesses and to prove some of his ideas. mimikatz was his first piece of software to reach an international audience; it is now recognized as a Windows security audit tool.


Agentless Post Exploitation on Device Guarded Systems

 Christopher Truncer - Mandiant - United States

Device Guard is a defensive technology introduced with Windows 10 and Windows Server 2016. Device Guard lets you create code integrity policies that explicitly define which applications, publishers and so on are to be considered trusted, and blocks anything not specifically allowed. Additionally, on a Device Guard protected system PowerShell automatically runs in Constrained Language mode. When properly maintained, Device Guard raises the bar for attackers trying to control and make use of compromised systems.

Rather than looking into a Device Guard bypass, I wanted to look into a way to live off the land. WMImplant is a PowerShell-based tool which provides agentless post-exploitation capabilities and was developed exclusively against Device Guard protected systems. I wanted to create the full functionality of a RAT that worked within the constraints of Device Guard: everything from remotely executing PowerShell scripts and receiving output, to file transfers, code execution, and more. This talk will cover the constraints put in place by a Device Guard protected system, and will showcase how WMImplant is able to operate effectively on protected systems and offer meaningful post-exploitation capabilities.

  • Christopher Truncer is a red teamer with Mandiant. He is a co-founder and current developer of the Veil-Framework, a project aimed at bridging the gap between advanced red team and penetration testing toolsets. Chris develops toolsets that are not only designed for the offensive community, but can also enhance the defensive community's ability to defend their networks.


Security Research and Development with LLVM

 Andrew Reiter - Veracode - United States

LLVM is a compiler infrastructure project widely used by numerous important software development groups, such as Apple. It was developed to be modular and to have a clean intermediate representation (IR), so as to be an ideal framework for supporting multiple higher-level languages and architectures, as well as fertile soil for compiler research. This design also makes it a good base for building application security research tools, program analysis tools for security, and application-protecting code transformations. These range from static analysis of code to the injection of dynamic analysis hooks, and from the injection of runtime protections to the symbolic execution of code for model checking. The examples given are non-trivial areas of research, and having a common development base, such as LLVM, can help bridge the gap between researchers.

The end goal of this talk is for audience members and research colleagues to have a better understanding of existing LLVM-based security tools and research, and to have the means to contribute to such projects or to research and develop their own utilities. The talk first introduces the LLVM project and the features that make it a powerful and popular framework. This is followed by a brief survey highlighting existing LLVM-based security projects and quick hacks. These motivate an introduction to developing such code: we use code to explain how passes are used and how they act on IR. We go through the basics by developing a handful of passes that serve a variety of purposes, from read-only call-flow analysis to the injection of code. These are followed by a walk through a very naive data exfiltration analysis tool. Lastly, the talk briefly touches on useful tips for using LLVM and some possible ideas for research and development.

  • Andrew Reiter is a researcher at Veracode Inc., where he focuses on both static and dynamic analysis of applications. He holds a B.Sc. and an M.Sc. in Mathematics from UMass Amherst and has previously presented at Black Hat, CanSecWest, ToorCon and others. A long time ago he was part of the w00w00 and HERT research groups. In his free time, he enjoys cross-country skiing, darts, and doing math.


Supply Chainsaw: Practical software supply chain attacks

 Matt Weeks - root9B - United States

Supply chain attacks are a gold standard of exploitation. Evil coming through the same channels as legitimate software is rarely in a target's threat model since it is nearly impossible to defend against. But supply chain attacks are often assumed to be expensive, time-consuming, and personally risky; exclusively the domain of intelligence services or well-funded criminal groups. This talk will show how anyone can launch similar software supply chain attacks that are effective against a global audience, and do so in ways that are nearly impossible to trace. It will examine numerous popular software distribution methods and show how most of them have readily exploitable weaknesses.
For the popular software repositories, this talk will demonstrate how easy it is to upload unverified malicious code, and how it will be executed on countless systems with just a single errant keystroke or even no mistake at all. This presentation will show how comprehensive public information also enables us to identify and target individuals trusted by enormous user bases and automate credential theft and infection of widely trusted software at source, at publication, at distribution, and at the end user. Finally, this talk will show the results when many of these actions were performed in the wild with proof-of-concept non-malicious packages created to test and validate these infection vectors.

  • Matt "scriptjunkie" Weeks (@scriptjunkie1) has extensive experience in information security operations, research, and software development. He currently leads root9B's research and development arm. Previously, he was the Officer In Charge of the US Air Force's Intrusion Forensics and Reverse Engineering lab and a lead network defense tactician. As a researcher, he has uncovered vulnerabilities found to have affected millions of networks. As a developer, he was behind a significant portion of the Metasploit framework.


Hacking wireless SCADA systems

 Elena Feldman - Chelyabinsk State University - Russia

The speaker will present her research experience in the information security of industrial SCADA systems. The full process of a typical assessment will be demonstrated, including hacking and controlling wireless sensors with SDR and GNU Radio. The speaker will also cover common defence vectors in wireless SCADA systems.

  • Elena Feldman is a forensic expert at F-lab, Senior Lecturer at the Department of Computer Security and Applied Algebra of Chelyabinsk State University, and Deputy CTO at ER-Telecom. She started her career in the telecom industry as a core engineer and network architect. She studies IoT and mobile device information security.


Exploring Your System Deeper

 Oleksandr Bazhaniuk - Intel - United States

You wanted to explore the deep corners of your system but didn't know how? System boot firmware, ROMs on expansion cards, I/O devices and their firmware, microprocessors, embedded controllers, memory devices, low-level hardware interfaces, virtualization and hypervisors. You could discover whether any of these have known vulnerabilities or are configured insecurely, or even discover new vulnerabilities and develop proof-of-concept exploits to test them. Ultimately, you can verify the security state of your system's platform components and how effective the platform security defenses are: hardware- or virtualization-based TEEs, secure or trusted boot, firmware anti-tampering mechanisms, hypervisor-based isolation... Or maybe you just want to explore the hardware and firmware components your system has.

The CHIPSEC framework can help you with all of that. Since its release three years ago at CanSecWest 2014, significant improvements have been made to the framework, from making it easy to install and use to adding many new security capabilities. We'll go over representative examples of what you can do with it, such as finding vulnerabilities in SMM firmware, analyzing UEFI firmware vulnerabilities, testing the hardware security mechanisms of hypervisors, finding backdoors in UEFI images and more.

  • Oleksandr Bazhaniuk is a security researcher in the Advanced Threat Research team at Intel. His primary interests are low-level hardware security, BIOS/UEFI security, and automation of binary vulnerability analysis. His work has been presented at many conferences, including Black Hat USA, Hack In The Box, Hackito Ergo Sum, Positive Hack Days, ToorCon, CanSecWest, Troopers and USENIX. He is also a co-founder of DCUA, the first DEF CON group in Ukraine.


Windows Operating System Archaeology

 Casey Smith - Veris Group (Adaptive Threat Division), Matt Nelson - SpecterOps - United States

The modern Windows operating system carries with it an incredible amount of legacy code. The Component Object Model (COM) has left a lasting impact on Windows. This technology is far from dead: it continues to be the foundation for many aspects of the Windows operating system. You can find hundreds of COM classes defined by CLSID (COM Class Identifier). Do you know what they do? This talk seeks to expose tactics long forgotten by the modern defender. We seek to bring to light artifacts in the Windows OS that can be used for persistence, lateral movement and privilege escalation.

  • Casey Smith
  • Casey Smith (@subTee) is a Researcher with the Veris Group Adaptive Threat Division. His interests include testing and understanding defensive systems.
  • Matt Nelson
  • Matt Nelson (@enigma0x3) is a Red Teamer and Security Researcher with SpecterOps. Matt has a passion for offensive PowerShell, is an active developer on the PowerShell Empire project, and helps build offensive toolsets to facilitate red team engagements.


Blinded Random Block Corruption

 Rodrigo Branco - Intel - United States

Protecting users' privacy in virtualized cloud environments is an increasing concern for both users and providers. A hypervisor gives the hosting facility's administrator the capability to read the memory space of any guest VM, so nothing really prevents such an administrator from abusing it to access users' data. This threat is not prevented even if the whole of memory is encrypted with a single (secret) key. Guest VMs can be isolated from the administrator if each guest VM has its memory space encrypted with a unique per-VM key: the hypervisor's memory access capabilities remain unchanged, but reading a VM's memory decrypts the VM's data with the wrong key and therefore gives no advantage to the attacker. This is indeed the motivation behind some newly proposed technologies planned for future processors.

However, this presentation argues that the privacy claim of any technology that uses different encryption keys to isolate hypervisor administrators from guest VMs cannot be guaranteed. To show this, we explain and demonstrate a new instantiation of a "Blinded Random Corruption Attack". Under the same scenario assumptions that the per-VM keying method addresses, our attack allows the cloud provider's administrator to use the capabilities of a (trusted) hypervisor to log in to a guest VM. This completely compromises the user's data privacy.

This shows, once again, that memory encryption by itself is not necessarily a defense-in-depth mechanism against attackers with memory read/write capabilities. A better guarantee is achieved if the memory encryption includes an authentication mechanism.
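The last two paragraphs make a precise claim: an attacker who can write encrypted memory gains something even when reading it gives nothing, because a corrupted block decrypts to unpredictable but real plaintext, and an authentication tag is what closes that gap. The block below is an added illustration of that property only; it is not the talk's attack and not Intel's code. It uses XTEA (standard library only) as a stand-in for a hardware memory-encryption engine, a per-block HMAC as the stand-in authentication mechanism, and constructed keys and guest data. demo() shows the wrong-key read, the blind one-bit corruption that randomises a whole block, and the tampered read being rejected once tags are present.

```python
"""Added illustration (not the talk's attack): unauthenticated memory
encryption vs. an attacker who can write ciphertext. XTEA stands in for
the AES-based engines real hardware uses; stdlib only."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF
DELTA = 0x9E3779B9
BLOCK = 8  # XTEA block size in bytes

def _xtea_encrypt(k, v0, v1, rounds=32):
    s = 0
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
    return v0, v1

def _xtea_decrypt(k, v0, v1, rounds=32):
    s = (DELTA * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
    return v0, v1

def _blocks(key16, data, fn):
    """Apply fn to every 8-byte block under a 128-bit key (ECB-style; real
    engines also tweak by physical address, which does not change the
    corruption property shown here)."""
    k = struct.unpack(">4I", key16)
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        v0, v1 = struct.unpack(">2I", data[i:i + BLOCK])
        out += struct.pack(">2I", *fn(k, v0, v1))
    return bytes(out)

def encrypt_memory(vm_key, plaintext):
    return _blocks(vm_key, plaintext, _xtea_encrypt)

def decrypt_memory(vm_key, ciphertext):
    return _blocks(vm_key, ciphertext, _xtea_decrypt)

def flip_bit(buf, index, bit):
    """All a hypervisor with write access needs: flip one ciphertext bit."""
    b = bytearray(buf)
    b[index] ^= 1 << bit
    return bytes(b)

class IntegrityError(Exception):
    pass

class AuthenticatedMemory:
    """Same encryption plus an HMAC tag over (address, ciphertext block)."""

    def __init__(self, enc_key, mac_key, size):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.cipher, self.tags = bytearray(size), {}

    def _tag(self, addr, blk):
        msg = struct.pack(">Q", addr) + blk
        return hmac.new(self.mac_key, msg, hashlib.sha256).digest()[:8]

    def write(self, addr, plaintext):
        ct = encrypt_memory(self.enc_key, plaintext)
        self.cipher[addr:addr + len(ct)] = ct
        for off in range(0, len(ct), BLOCK):
            self.tags[addr + off] = self._tag(addr + off, ct[off:off + BLOCK])

    def read(self, addr, length):
        ct = bytes(self.cipher[addr:addr + length])
        for off in range(0, length, BLOCK):
            want = self._tag(addr + off, ct[off:off + BLOCK])
            if not hmac.compare_digest(self.tags[addr + off], want):
                raise IntegrityError("block at 0x%x was modified" % (addr + off))
        return decrypt_memory(self.enc_key, ct)

    def tamper(self, addr, bit):  # raw ciphertext write, bypassing write()
        self.cipher[addr] ^= 1 << bit

def demo():
    """Returns (page, wrong-key read, blind-corruption read, tamper detected)."""
    vm_key, admin_key = bytes(range(16)), bytes(range(16, 32))  # constructed
    page = b"user=alice;uid=1000;ok=0"  # constructed guest data, 3 blocks
    ct = encrypt_memory(vm_key, page)
    leaked = decrypt_memory(admin_key, ct)  # read with the wrong key: garbage
    blind = decrypt_memory(vm_key, flip_bit(ct, 16, 0))  # block 2 randomised
    mem = AuthenticatedMemory(vm_key, bytes(range(32, 48)), 64)
    mem.write(0, page)
    mem.tamper(16, 0)
    try:
        mem.read(0, len(page))
        detected = False
    except IntegrityError:
        detected = True
    return page, leaked, blind, detected

if __name__ == "__main__":
    page, leaked, blind, detected = demo()
    print(page, leaked, blind, detected, sep="\n")
```

Two details matter. The flipped bit lands in block 2 only, so the first sixteen bytes of the guest's page still decrypt correctly; wide-block ciphers give the attacker no control over the new value, but they also confine the damage, which is what makes repeated blind corruption of one chosen location possible. Binding the tag to the address as well as the ciphertext is what stops a hypervisor from replaying a block it captured earlier at a different location or time.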

  • Rodrigo R. Branco
  • Rodrigo Rubira Branco (BSDaemon) works as Principal Security Researcher at Intel Corporation in the Security Center of Excellence, where he leads the Core Client, BIOS and IoT SoC teams. Rodrigo has released dozens of vulnerabilities in many widely used software products. In 2011 he was honored as one of Adobe's top contributors. He is a member of the RISE Security Group and the organizer of the Hackers to Hackers Conference (H2HC), the oldest security research conference in Latin America. He is an active contributor to open-source projects (ebizzy, the Linux kernel and others) and has spoken at many security and open-source events, including Black Hat, Hack in The Box, XCon, OLS, DEF CON, Hackito, ZeroNights and Troopers.


15 ways to break RSA security

 Renaud Lifchitz - Digital Security - France

This talk presents the state of the art in attacks on the RSA algorithm (both the encryption and the signature cryptosystems), covering as many attack methods as possible, some of them very new (discovered or implemented in the last few years). Live computation demos with simple tools will also be shown.
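The abstract does not list which attacks the talk covers, so the following should not be read as one of its fifteen. It is an added, self-contained example of one classic attack on badly generated RSA keys, Fermat's factoring method, which recovers p and q almost instantly when they share most of their leading bits, together with the key-generation check that rules it out. The helper names (fermat_steps, primes_too_close) are chosen here, the primes and messages are constructed for the demo, and pow(e, -1, phi) requires Python 3.8 or later.

```python
"""Added example (not from the talk): Fermat factoring of RSA moduli whose
primes are too close, plus the key-generation check that prevents it."""
import math

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    """Miller-Rabin with fixed bases (deterministic for n < 3.3e24)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def next_prime(n):
    n += 1
    while not is_probable_prime(n):
        n += 1
    return n

def _ceil_sqrt(n):
    a = math.isqrt(n)
    return a + 1 if a * a < n else a

def fermat_factor(n, max_steps=1_000_000):
    """Search for a with a^2 - n a perfect square b^2; then n = (a-b)(a+b).
    Returns None when the budget runs out (primes far apart)."""
    if n % 2 == 0:
        return 2, n // 2
    a = _ceil_sqrt(n)
    for _ in range(max_steps):
        b2 = a * a - n
        b = math.isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1
    return None

def fermat_steps(p, q):
    """Exact iteration count fermat_factor needs for n = p*q: it stops at
    a = (p+q)/2, roughly (q-p)^2 / (8 sqrt n) above its starting point."""
    return (p + q) // 2 - _ceil_sqrt(p * q) + 1

def primes_too_close(p, q, budget=1 << 40):
    """Key-generation check: reject a pair an attacker could Fermat-factor
    within `budget` iterations. Independently generated primes of equal
    size need on the order of 2^(bits(n)/2) iterations and pass easily."""
    return fermat_steps(p, q) <= budget

def rsa_private_exponent(p, q, e=65537):
    return pow(e, -1, (p - 1) * (q - 1))  # Python 3.8+

def recover_and_decrypt(n, e, ciphertext):
    """What the attacker does with a public key whose primes are close."""
    factors = fermat_factor(n)
    if factors is None:
        return None
    p, q = factors
    return pow(ciphertext, rsa_private_exponent(p, q, e), n)

if __name__ == "__main__":
    # Constructed weak key: two consecutive 256-bit primes.
    p = next_prime(1 << 255)
    q = next_prime(p)
    n, e = p * q, 65537
    print("too close:", primes_too_close(p, q), "steps:", fermat_steps(p, q))
    print("recovered:", recover_and_decrypt(n, e, pow(1234567, e, n)))
```

The check is cheap because fermat_steps is exact, not an estimate: the search succeeds precisely at a = (p+q)/2, so the number of iterations is that value minus the starting ceiling of the square root. Any library that generates p and q from the same seed, or picks q as "the next prime after p", fails this check at step 1.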

  • Renaud Lifchitz
  • Renaud Lifchitz is a French senior IT security consultant with a solid penetration testing, training and research background. His main interests are protocol security (authentication, cryptography, information leakage, zero-knowledge proofs, RFID security) and number theory. He currently works mostly on wireless protocol security and has spoken at the following international conferences: CCC 2010 (Germany), Hackito Ergo Sum 2010, 2012 & 2014 (France), DeepSec 2012 (Austria), Nuit Du Hack 2016 (France), Shakacon 2012 (USA) and 8dot8 2013 (Chile).


Practical attacks against Digital Wallet

 Loic Falletta - Yinkozi - France

Digital wallets are used to purchase items online or to send funds to friends and family. Depending on the type of digital wallet, the information stored might include debit, credit, prepaid or loyalty card data. Security research has focused on Android Pay, Apple Pay and Samsung's solutions; however, many mobile banking/payment applications use their own mobile payment platform. What can go wrong?

The talk will go from assessing highly secure mobile applications (secure container, Secure Enclave usage, when the security tools fail) to the card agent (HCE payment, APDU analysis). I am also going to introduce a way to bypass the in-app fingerprint authentication on some configurations, called the "Evil partner attack".

  • Loic Falletta
  • Loic Falletta is principal security consultant at Yinkozi. Loic has spent over a decade working on penetration testing within highly secure environment. His recent work includes research in mobile applications, devops security and large scale web applications.


Stranger Danger

 Mohamed Saher (NSS Labs), Ahmed Garhy (NSS Labs), Nikita Tarakanov (Independent) - United States / Mexico

In an ever-connected world, people all around the globe freely surrender their personal information and privacy to the social media giants with unprecedented trust. We are quick not only to share our biographies and interests with complete strangers through these platforms, but in the process have also managed to redefine the traditional definition of a friend. Our blind trust in social media platforms to protect our information has allowed us to forgo the age-old warning of "stranger danger" in our search for fame and popularity, in meeting new people, or in the never-ending quest to find true love.

But what happens when this information falls in the hands of the wrong people? What if the social media platforms have not done as good of a job as they claim in protecting our personal information? In protecting us from criminals, stalkers, and others that mean to cause us harm?

In this presentation, we identify some flaws in one of the most popular social media platforms used globally today and demonstrate how an attacker can not only retrieve information about its users, but also track their location and movements around the globe. We also demonstrate, through a study, how to extract information from people without their knowledge and, in the process, identify users who tend to use the platform for committing fraudulent or criminal acts such as misappropriation, prostitution and pedophilia.

But not everything has to end on a negative note. We conclude by demonstrating how law enforcement could possibly use this same data to their advantage to find criminals that may be active on the platform.

  • Mohamed Saher
  • Mohamed Saher is a Security Researcher with over 10 years of experience specializing in reverse engineering, Windows internals and mathematics. My work and research span numerous areas, including native software protection, copy protection technologies, virtualization, malware and exploitation. In my spare time I enjoy contributing to various reverse engineering forums and solving crackmes and math problems. You can find me on OpenRCE, Project Euler, Woodmann, crackmes and so forth. I have spoken at various security conferences such as Black Hat, ZeroNights, BSidesHH, DEF CON SkyTalks and CISCP (Department of Homeland Security, USA) and many more.
  • Ahmed Garhy
  • Ahmed Garhy is a researcher specializing in web-based exploitation attacks, data analysis and distributed systems. In my spare time, I enjoy analyzing web-based exploitation and obfuscation techniques and contributing to open source projects that aid researchers and developers in their analysis.
  • Nikita Tarakanov
  • Nikita Tarakanov is a security researcher who has worked for Intel, Positive Technologies, VUPEN Security and CISS, as well as independently. He likes writing exploits, especially for the Windows NT kernel, and won the PHDays Hack2Own contest in 2011 and 2012. He also tried to hack Google Chrome during Pwnium 2 at HITB2012KUL but failed. He has published a few papers about kernel-mode drivers and their exploitation and is currently engaged in reverse engineering research and vulnerability search automation.