Abstract:
Today’s security updates are too big, too risky and too late. It is common for enterprises to thoroughly test security updates and install them several months after they have been released, which leaves them open to inexpensive attacks. Now this problem is getting a solution: micropatching – hot patching in a microsurgical manner, with patches so tiny that they could be distributed on Twitter.
Bio:
Mitja Kolsek’s (CEO and Co-Founder, 0patch and ACROS Security) last 15 years of career comprise co-leading a small security outfit which ran APT-like attack simulations before China was guilty of everything, using SQL injection before it had a name and discovering vulnerability types which were previously unknown. In addition to finding and exploiting vulnerabilities, his next 15 years will be augmented by fixing them. Most of all he’d like to leave information security someday in a state where it’ll be seriously difficult to break into a typical network deploying standard and inexpensive security solutions. He writes a technical blog and whitepapers on information security. He also presents at renowned conferences such as RSA Conference USA, RSA Conference Europe, HITB, Source, DeepSec and others.
Video/recordings:
[Slides (PDF)] [Recording (MP4)] [Recording (OGV)]
RSA USA 2017 Replay: Fixing the Fixing (Mitja Kolsek, Stanka Salamun)
Abstract:
Techniques to bypass ASLR and NX are already widely known. The first thing the modern-day exploit writer searches for is a powerful information leak to defeat ASLR, and then introduces a ROP payload to avoid having to inject shellcode, effectively bypassing NX. Therefore the search for better mitigation techniques against memory corruption exploits has bloomed.
First we will take a brief look at attempts to use more fine-grained randomization to protect binaries. Unfortunately many attempts can be defeated by using more powerful information leaks, which again has spawned more infoleak resilient randomization schemes.
A very promising concept is Control Flow Integrity (CFI). We will look at what CFI is, what its problems are and how it restricts an attacker. Recent academic work has shown some interesting results about the limits of CFI. Furthermore, we will look at some examples of what a CFI implementation looks like.
Since the problems of CFI have become clearer, focus has shifted again to preventing the actual hijacking of the instruction pointer. Protecting code pointers already has a history with mitigation mechanisms such as RELRO and stack canaries. The Code Pointer Integrity (CPI) project has generalized this to all code pointers. We will take a look at how this protection is achieved.
In the end we will take a look at what can be achieved with memory corruption without hijacking the program control flow. We will briefly discuss the results of Data Oriented Programming and a possible protection mechanism called Write Integrity Testing (WIT).
Bio:
Michael Rodler is currently a CS student at TU Graz and is writing his master’s thesis about exploit mitigation techniques. His first contact with binary exploitation happened at FH Hagenberg when he was talked into joining their local Capture The Flag team. At TU Graz he founded the LosFuzzys CTF team, which coincidentally won last year’s BSides Ljubljana CTF. He also worked in the security industry, mainly in the area of secure coding. Furthermore, he worked on dynamic analysis of Android malware.
Video/recordings:
[Slides (PDF)] [Recording (MP4)] [Recording (OGV)]
ROP CFI RAP XNR CPI WTF? – Navigating the Exploit Mitigation Jungle (Michael Rodler)
Abstract:
Most embedded devices have web interfaces written like it was 1998 and Perl was still cool. We show how to use various problems in browsers to find the vulnerable devices, how to use CSRF to interact with them and XSS to export data.
By getting the user just to visit a page under our control when on their home network it may be possible to: reflash firmware, dump and export the PSK from wifi extenders, reprogram DNS settings and/or run arbitrary commands.
If we can get a computer to join our fake “free wifi access point” we can also steal cookies – which can include the full username and password in the case of particular devices.
Some of these issues have been fixed by the vendor in the case of BT, Netgear, D-Link. Others are still outstanding – Coredy, Edimax, Netgear (again), Belkin.
Bio:
Jamie Riden has degrees in maths and computers, and AI and likes building and breaking stuff. In real life he’s a pen-tester but also writes some code as badly as you might imagine a pen-tester would. He has an Erdős number of 4, quite undeservedly.
Exploits in web servers of embedded systems (Jamie Riden)
Abstract:
With this talk, we want to revive the interest in the largely ignored method of web application account compromise through cookie stealing, by introducing a new PowerShell module “CookieMonstruo”, which aims to be the default post-exploitation tool for session hijacking.
Through the use of this tool we will show the implications of lax session management controls in web applications, especially the ones providing a social login functionality. We will show various demos of how the tool can be used and discuss possible mitigations for this risk.
Bio:
Martin von Knobloch is a Senior Security Consultant at FortConsult, Denmark. Apart from his role as a pentester and security advisor, he enjoys evangelizing regular citizens about what a dangerous place the Internet can be, while advising them how to engage in safe IT security practices. Tired of getting the usual question that immediately follows after introducing himself as a white-hat hacker: “Oh, does that mean that you can hack my [insert social media site/e-mail provider/etc.]?”, he decided to embark on a journey of discovering a practical hacker’s approach to achieving this goal.
Video/recordings:
[Slides (PDF)] [Recording (MP4)] [Recording (OGV)]
CookieMonstruo: Hijacking the Social Login (Martin von Knobloch)
Abstract:
The concept of deception security has been around since early 1990. However, its rate of adoption has been very slow. Deception security has been primarily used for research (ad-hoc hobbyists using honeypot systems or commercial rebranding of the same systems) and rarely as a protection mechanism. The security industry has a very limited understanding of deception security and is not using it at its full capacity.
This presentation is based on my research into deception security. I will take you on a journey starting from deception fundamentals in the real world to Deception Defence. I will describe a hand-picked selection of principles in Deception Defence and explain how deception tactics can be used by an adversary, i.e. Deception Offence.
Lastly, depending on the time available, I will demo a setup of a Deceptive Defence platform on Azure and Office 365. I will show that by applying some smart configurations, and with no additional tool, you can significantly increase the cost of an attack. In one example, by applying a simple change to a host, I increased the time to a successful reconnaissance 30-fold.
Bio:
A random guy from down under who got everyone to eat Kremsnita for the first BSides Ljubljana.
Presentation:
[Slides (PDF)]
Deception Defence 101 + A tool-less approach to setup a Deceptive Defence environment (Pedram (pi3ch) Hayati)