Archive for the talks Category

Abstract:
We would like to present how we built our Security Operations Center in Python on top of ElasticSearch and what we have learned from running it for more than 3 years now. This tool can alert us during the night if there is any indication of compromise in our system and creates a JIRA ticket for non-urgent alerts, so we don’t forget to get back to it the next day. Although it is not open-source, we will cover its architecture and most of the detection rules and third-party integrations, which can be useful for anyone running their own SOC.

We will talk about how we keep fine-tuning our automatic incident detection mechanisms by fighting false positives in order to improve the effectiveness of our SOC. We will demonstrate how smart detection rules can help you detect vulnerabilities in your web application, such as XSS and open redirect exploitation. But we will also show how such a tool can help in detecting infra-level compromise as well, thanks to open source utilities like auditd, AppArmor, Snort or Reddalert.

Additionally, we will cover how we work together within and beyond the security team (e.g. code reviews in a devops environment) and how we try to incorporate learnings from previous incidents in order to improve our detection rules and incident response plan. Finally, we will highlight some good and bad decisions we made along the way so you can avoid making the bad ones yourself.

Bio:
György Demarcsek – Security Engineer at Prezi
He joined the Security Team at Prezi nearly a year ago, coming from CERN’s Technical Student program with an infra engineering background. He enjoys working in the intersection of software engineering and IT security. These days he helps improve and maintain the security infrastructure of Prezi and handle potential incidents.

Robert Kiss – Tech Lead of the Security Team at Prezi
He joined the team as a Security Engineer more than 3 years ago, where one of his first projects was to build an internal Security Operations Center. Previously, he worked as a penetration tester for years but then decided to switch to the “defensive side”. Now he tries to build tools and processes which help the team in protecting Prezi from the not-so-whitehat hackers.


Video/recordings:

[Slides] [Recording (MP4)] [Recording (OGV)]

Abstract:
Web technologies are moving to the desktop in a concerted effort to produce easily accessible cross-platform frameworks for native development. This opens up a new series of security implications, as the context is no longer browser-dependent.

This talk will demonstrate the growing risk that occurs with the introduction of new frameworks that gain rapid popularity and extensive proliferation, especially when the barrier to entry is fairly low. By analysing the extant risks inherent in these web-oriented languages – as well as new ones introduced with the new frameworks – this talk seeks remediations and mitigations for these risks, including recommendations for changes to the frameworks.

Bio:
Adam Rapley is a fourth-year student studying Ethical Hacking at Abertay University who focuses on web security and web code in alternate environments, such as Electron. His research focuses on the implications of JavaScript code on the desktop and the security risks encountered within cross-platform landscapes. Adam is also an artist and is president of the Abertay Space Agency.


Video/recordings:

[Slides (PDF)] [Recording (MP4)] [Recording (OGV)]

Abstract:
Like it or not, password authentication remains relevant (including as one of several authentication factors), password hash database leaks happen, the leaks are not always detected and fully dealt with right away, and even once they are, many users’ same or similar passwords reused elsewhere remain exposed. To mitigate these risks, computationally expensive (bcrypt, PBKDF2, etc.) and more recently also memory-hard (scrypt, Argon2, etc.) password hashing schemes have been introduced. Unfortunately, at low target latency their memory usage is unreasonably low, up to the point where they’re not obviously better than the much older bcrypt. This is a primary drawback that our yescrypt addresses.

In my talk, I will describe and provide rationale for both scrypt’s sequential memory-hard hashing and yescrypt’s numerous additions to it.

Most notable for large-scale deployments is yescrypt’s optional initialization and reuse of a large lookup table, typically occupying tens of gigabytes of RAM and essentially forming a site-specific ROM. This limits attackers’ use of pre-existing hardware such as botnet nodes. yescrypt’s other changes from scrypt further slow down GPUs, FPGAs, and ASICs even when its memory usage is low (and there’s no ROM), and provide extra knobs and built-in features.

Technically, yescrypt is the most scalable password hashing scheme so far, providing near-optimal security from offline password cracking across the whole range from kilobytes to terabytes and beyond. However, the price for this is complexity, and we recognize that complexity is a major drawback of any software. Thus, at this time we focus on large-scale deployments. For smaller deployments, bcrypt with its simplicity and existing library support is a reasonable short-term choice (although we’re making progress towards more efficient FPGA attacks on bcrypt under a separate project). We might introduce a cut-down yescrypt-lite later or/and yescrypt might become part of standard or popular libraries, making it more suitable for smaller deployments as well.

Bio:
Alexander Peslyak, better known as Solar Designer, has been into computer security and Open Source for over 20 years. He achieved a number of “firsts” in (anti-)exploitation, founded Openwall, (co-)wrote much of Openwall’s software including the John the Ripper password cracker, contributed to third-party projects, and runs the oss-security mailing list – among many other past and current activities. Alexander has spoken at international conferences: HAL2001, NordU, FOSDEM, CanSecWest, PHDays, and ZeroNights.


Video/recordings:

[Slides (PDF)] [Recording (MP4)] [Recording (OGV)]

Abstract:
It does not have an ISO standard. NIST barely mentions it. Despite dozens of publications coming out in Information Security every year, no dedicated book is in sight. Enterprise Risk Management frameworks barely touch on it – if they even do. A chapter in Tipton’s book dating from 2007, proprietary solutions and sparse articles are all we have. In 2007 there was no Cloud yet – and that can be either a big help or a major issue in the process. Mergers & Acquisitions is a matter left to Business Administration professionals, who don’t like thinking about Information Security risks anyway.

Information Security for Mergers & Acquisitions is often an afterthought and rarely a deciding factor in due diligence exercises – but when your company acquires a new firm every quarter, you need to start thinking about something. This session will propose a simple framework, and you will walk away with actionable material you can start using tomorrow.

Bio:
Marco Ermini defines himself as a senior ICT security expert. In his almost 20 years in ICT he has programmed video games and Linux kernel device drivers, managed networks and UNIX systems, spent a decade as a consultant travelling to clients’ sites, become responsible for the security of the network of the biggest telco in the world, delivered risk assessments for virtualization and Cloud platforms, and finally become an Enterprise Security Architect. Marco has spoken at IDC Sofia 2010 and ISACA EUROCACS 2016, besides having delivered BrightTalk webinars and countless internal trainings.
Time permitting, he enjoys endurance sports such as ultra-running, as well as wandering through the world with his wife, meeting different cultures while trying all of the possible food they can get their hands on.

Abstract:
As a member of .HR GovCERT, we are involved in all major government-related incidents, including state-sponsored APT attacks. In this talk I would like to present the technical analysis of one recent APT incident. During the incident analysis, we encountered two different (though connected) campaigns against government users, where several 0-day exploits (Word+Flash) were used. As in the majority of incidents (even state-sponsored ones) typical “phishing” attack vectors are used (e.g. Word macros or a malicious attachment), we were quite astonished to get our hands on such malicious samples for analysis. As the analysis was a unique experience, I believe that the audience will have a chance to learn a thing or two from the presented material.

P.S. I’ll try to obfuscate the non-technical details as much as possible because of the sensitivity of the incident.

Bio:
Miroslav Stampar – IT Security Advisor – Expert at the Croatian Government’s CERT, part of the Information Systems Security Bureau (ZSIS). Born in 1982, writing and breaking computer code for as long as he can remember. A PhD candidate with a Master’s Degree in Computer Science from the Faculty of Electrical Engineering and Computing (FER), University of Zagreb, Croatia.

Hacker, challenge solver, occasional CTF-er and an author of sqlmap, an open source project for automated detection and exploitation of SQL injection vulnerabilities, along with numerous other offensive and defensive information security tools (e.g. Maltrail, DSSS, DSXS, DSJS, DSVW, tsusen, etc.). Also, Croatian Chapter Lead for The Honeynet Project.


Video/recordings:

[Slides (PDF)] [Recording (MP4)] [Recording (OGV)]