Please note: the agenda is not yet final and subject to change
BSidesTLV Underground: invite only
Underground access is for challenge winners only. LOG IN to retrieve your unique access token at https://challenges.bsidestlv.com/ (if you don't know your password, try asking @barnhartguy).
12:35 Special Keynote: Dave Lewis, Global Security Advocate, Akamai & BSidesLV board of directors
13:35 Magda Lilia Chelly
Opening Keynote: Chris Nickerson, co-founder of the BSides Security Movement
Chris Nickerson, CEO of LARES, is an 18+ year veteran of the cyber security industry. His main area of expertise is real-world attack modeling, Red Team testing and adversarial simulation. Mr. Nickerson has held senior positions at Arrow Electronics, KPMG, and Sprint, providing security testing and recommendations to corporations worldwide. He has spoken at most major information security conferences in the world and is a TED speaker alumnus. Chris has worked tirelessly to improve the companies he serves and the community alike, as a founder of the BSides security conference movement and a founding member of the Penetration Testing Execution Standard (PTES). He is a featured member of the TrueTv series "Tiger Team" and author of the upcoming Red Team Testing book, published by Elsevier.
From Zero to Phishing in 60 seconds
In recent years phishing activity has grown rapidly, with thousands of phishing sites popping up for a virtual moment that lasts weeks, days or even hours before becoming ineffective: either blacklisted by security providers, or brought down by Internet providers and authorities, or (in most cases) both. To keep up with these dynamics, a significant portion of phishing activity relies on phishing kits, software packages that allow quick and easy deployment of a new phishing site. In this talk we will give a glimpse into the world of phishing kits. We will present several phishing kits and show how they facilitate easy creation of the phishing site, a collection framework for the victims' credentials, and simple configuration of the entire system. We will focus on families of kits which, according to our comparison analysis, are at least related to each other, or even derived from the same source.
Programming since 14, hacking since 16. https://www.imperva.com/blog/
VoIP, Printers and other PWNABLES!
Anything connected to the network should be secured. Over the years we've seen countless breaches as a result of insecure IP telephones, printers and even IP cameras. I will present the main attack vectors these devices expose to hackers, using live demos and real penetration-testing cases I've encountered. This talk also covers how these devices can and should be secured.
Chief Hacking Officer at Garnizon, Alper provides penetration testing and cybersecurity consulting services. http://alperbasaran.com/
What Every Hacker Used to Know: a walk down history lane
The audience will learn about the origin of some terms in use in today's world, and where these concepts have risen from. Building on that, I will introduce some older programming concepts and older languages and describe the thinking behind them, and how they are relevant today. In conclusion, I will try to educate about the value of better understanding what was created, rather than just using the newest shining thing (without critically evaluating it). The talk will review some common terms and their origin (e.g. "Core"), some older concepts that were abandoned, and programming languages based on concepts that are re-emerging today. Some of the research behind this talk is based on interviews, open-source information and other related talks.
Mr. Barnhart-Magen has over 15 years of experience in the cyber-security industry. He is currently a security research manager at Intel, where he focuses on reverse engineering and researching various embedded systems. Previously he joined Nation-E (an Industrial IoT startup), where he served as VP Engineering and CTO. Prior to that position, he spent five years at Cisco leading the Security Software and Countermeasures group. He led a team of cryptographers, security engineers and researchers focused on Cisco's video security (formerly NDS). His achievements at Cisco earned him the "black belt" security ninja honor, the highest cyber security advocate rank. https://productsecurity.info
Mobile Containers—The Good, the Bad and the Ugly
This presentation builds on our RSA Conference US 17' presentation, which got very good feedback from attendees. I'll start by discussing different strategies for mobile containers, ranging from app-based containers (e.g., SDK-based or through wrapping technologies) to OS-level containers. I'll cover the inherent characteristics of these strategies: their merits but also their shortcomings. I'll then move on to focus on real-world mobile-security attack techniques that target the premise of mobile containers' value proposition: enhanced security and separation of duties. This section will contain concrete threat and mitigation strategies taken from things we see "in the field". Next, I'll move on to discussing the Android for Work framework, Google's effort to provide a secure way to perform sensitive business activity side by side with personal activity on Android devices, starting with Android 5. I'll discuss the way the framework was built and focus on its premise of providing a secure separation between the personal (and non-guarded) profile and the business (and highly guarded) profile. At that point, I'll uncover Skycure's research into techniques (following a responsible and coordinated disclosure process with Google) that can break the secure separation by planting a seemingly innocent app in the personal profile with "one leg" controlled by a remote attacker and the "second leg" inside the presumably secure and separated business profile of Android for Work (we call it an "App-in-the-Middle" attack). I'll do so by getting deeper into the mechanics of Android and highlighting the capabilities (such as the Accessibility and Notification APIs) that can be used maliciously by apps to mount attacks. The discussion will be accompanied by attack-simulation demonstrations. As a next step, I'll show advanced attack concepts, such as utilizing Tapjacking in current Android versions, that can allow real-world mounting of App-in-the-Middle attacks.
The presentation will conclude with concrete guidance to the audience about the actions they can take to mitigate their exposure.
Yair Amit is Co-Founder and CTO at Skycure, leading the company's research and vision and overseeing its R&D center. Amit has been active in the security industry for more than a decade, with his research regularly covered by media outlets and presented at security conferences around the world. Prior to co-founding Skycure, Amit managed the Application Security and Research Group at IBM, joining through the acquisition of Watchfire. At IBM, Amit led the research and implementation of IBM's next-generation application security technology. Amit holds a B.Sc., summa cum laude, from Tel Aviv University in bioinformatics. https://www.skycure.com/blog/
Healthcare CyberSecurity is in Critical Condition
Joshua Corman is a Founder of I am The Cavalry (dot org) and Director of the Cyber Statecraft Initiative for the Atlantic Council. Corman previously served as CTO for Sonatype, Director of Security Intelligence for Akamai, and in senior research and strategy roles for The 451 Group and IBM Internet Security Systems. He co-founded @RuggedSoftware and @IamTheCavalry to encourage new security approaches in response to the world's increasing dependence on digital infrastructure. Josh's unique approach to security in the context of human factors, adversary motivations and social impact has helped position him as one of the most trusted names in security. He also serves as adjunct faculty for Carnegie Mellon's Heinz College and on the 2016 HHS Cybersecurity Task Force.
AtomBombing: Injecting Code Using Windows’ Atoms
We break down AtomBombing into three main stages:
1. Write-What-Where: writing arbitrary data to arbitrary locations in the target process's address space.
2. Execution: hijacking a thread of the target process to execute the code written in stage 1.
3. Restoration: cleaning up and restoring the execution of the thread hijacked in stage 2.
While we delve into each stage, we'll also discuss the hurdles we had to overcome to accomplish the final code injection technique. For example: in stage (1), we call a function that expects three parameters. However, APC only supports function calls with a single parameter. We show how it was possible to bypass this by leveraging the underlying implementation of APC (and not the documented API). In stage (2), we present how to overcome DEP. This was needed because we couldn't assume we would have RWX memory in the target processes. In stage (3), we show the internals of the APC mechanism from the perspective of the target process. We further demonstrate how to use coincidental functionality of APC's dispatch function to allow the attacker to clear their footprints from the hijacked thread. While the above steps work only on non-CFG-protected processes, we'll end the talk by demonstrating how to inject code into CFG-protected processes as well. We do this by allowing both indirect calls to CFG-invalid functions and bypassing CFG's stack pivot protection. Ultimately we present the complete code injection flow.
Tal has a strong interest in cyber-security, mainly focusing on OS internals, reverse engineering and low-level development. As a cyber security research team lead at enSilo, Tal's team is responsible for integrating OS research and malware analysis findings into enSilo's core platform. In particular, Tal is keen on "documenting the undocumented" in the Windows OS, including CFG and other mitigation technologies, Windows service mechanisms and code injection techniques. Tal holds a B.Sc. in Computer Science from the University of Haifa, Israel. http://breakingmalware.com
Peekaboo! I Own You. The Tale of Hundreds of Thousands of Vulnerable Devices with no Patch, Ever.
Imagine that you've purchased a small, cheap IP security camera to feel just a little better about your own physical security. Now imagine that the people who designed that camera know nothing about secure programming, security, or programming at all. Imagine that your precious camera can be hijacked into a botnet with only two HTTP packets. This presentation details two very severe zero-day vulnerabilities in a commonly available, white-label IP camera sold by many vendors (we ordered 40 models of cameras from 40 different merchants). Exploiting these vulnerabilities would have allowed us to get a root shell on hundreds of thousands of devices with just two HTTP packets (per device, of course). While IoT hacking isn't new, this presentation will give you a good example of what security on embedded devices looks like in today's Mirai botnet world, and how painfully easy it is to find severely alarming vulnerabilities on such devices. The technical details haven't been released, since we wanted to wait for the vendor's response. But that response never came. Now that we have finished the responsible disclosure process, we feel comfortable talking about the technical details. I'll walk through all the steps in our research, from hardware hacking to firmware dumping to just plain ol' reversing. I'll demo the exploits and explain, step by step, where the developers went wrong, what could have been done to avoid this situation and why this problem is so severe. There will be root shells, there will be exploits, there will be tears.
Amit leads the security research at Cybereason's Boston HQ. He specializes in low-level, vulnerability and kernel research, malware analysis and reverse engineering. He also has extensive experience researching attacks on large-scale networks and investigating undocumented OS resources and APIs. Prior to joining Cybereason, Amit spent nine years leading security research projects and teams for an Israeli intelligence agency, specifically in embedded system security. He's presented at RSA, BSides Tel Aviv, CircleCityCon, LayerOne and other conferences. http://twitter.com/0xamit
Hillbilly BBQ: Your rail networks put to use to facilitate OUR party…
We've focused on numerous forms of transportation over the years with varying degrees of success. We now turn our attention to the rail industry as a whole. The reviews and disclosures here cover everything from freight to passenger through to the intermodal systems. We take a look at the infrastructure and architecture of the rail networks, the bridges, tunnels and all other aspects, from the locomotives themselves through to the communication systems and platforms. The idea is to both understand and then explore (and exploit) the various attack surfaces in a tongue-in-cheek manner: to create our own trains, move them about the systems at will and eventually create a set of worst-case scenarios that would result in a set of sticky, explosive and somewhat deadly messes that the industry needs to sit up, consider and address before it's too late. We will cover exploits without giving away code, and attack vectors with detailed information, both directly and within the third-party/vendor architectures of the entire rail system. Hopefully this will be both informational and entertaining, and provide further research ideas for others in the community to take up and explore.
Roberts is considered one of the world's foremost experts on counter threat intelligence within the information security industry. At Acalvio, Roberts helps drive technology innovation and product leadership. In addition, Roberts directs a portfolio of services within Acalvio designed to improve the physical and digital security posture of enterprise, industrial and government clients. With increasingly sophisticated attack vectors, Roberts' unique methods of addressing the evolving threat matrix and experience with a variety of environments (enterprise, industrial, and IoT) make Roberts and his team an indispensable partner to organizations that demand robust, reliable, resilient and cost-effective protection. https://twitter.com/sidragon1
Web Cache Deception attack: A new web attack vector
Web Cache Deception attack is a new web attack vector that puts various technologies and frameworks at risk. By manipulating the behaviors of web servers and caching mechanisms, anonymous attackers can expose sensitive information of authenticated application users, and in certain cases even take control over their accounts. The vulnerability was found in multiple major websites, PayPal among them.
28 years old, married + a dog named Java (after the coffee beans). Have been around the security field for the last 7 years. Nowadays I work as an information security team leader in the EY Advanced Security Center in Tel Aviv. Research in my free time. https://omergil.blogspot.com
Moshe Zioni (dalmoz)
Don’t let the cuteness fool you – Exploiting IoT’s MQTT protocol
"Connect all the things!" has, for some time now, been the main theme when talking about IoT devices, solutions and products. Our eagerness to find new, at times innovative, ways to make anything rhyme along with the anthem of the internet is a great promise for malicious activity. As those devices are supposed to be lightweight, they mostly rely on a small-footprint stack of protocols; one of those protocols is the messaging protocol MQTT. We will go deep into the protocol details, observe how common it is to find such devices (and how), and show several novel ways to abuse any one of the tens of thousands of easily spotted, publicly facing MQTT brokers on the internet for "fun and profit".
I've been researching security since youth, and professionally since I was 18, when I was actually surprised to find a place for my enthusiasm and, hopefully, talent. I have consulted for many industry leaders, banks, software vendors, insurance companies, health organizations, governments and telecommunication service providers, both domestic and international. Interested in all security aspects, keeping my aperture wide and viewing the whole picture, while being able to talk the talk and walk the walk when it comes to bits & bytes. Moshe has published research papers and presented at many conferences, including CCC in Germany, Hack-in-Paris in France, 44CON in the UK, BSidesTLV and others. https://twitter.com/dalmoz_
Iftach Ian Amit
Closing Keynote: Iftach Ian Amit, Co-Founder of DC9723 and BSidesLV Board of Directors
Ian Amit has over a decade of experience in hands-on and strategic roles, working across a diversity of security fields: business, industry, marketing, technical and research. His current role with Amazon as Senior Manager of Security Engineering covers application security, penetration testing, and red teaming. Previously, Ian served as Vice President at ZeroFOX, Director of Services at IOActive and held leadership roles at Security-Art, Aladdin, Finjan and Datavantage. He is a sought-after speaker at conferences such as BlackHat, DefCon, RSA, and InfoSecurity. He founded the Tel-Aviv DefCon chapter (DC9723) and was also a founding member of the Penetration Testing Execution Standard (PTES).
last man standing