09:00 - 09:05
Attila Marosi-Bauer - Opening Ceremony
09:05 - 09:45
Alex Ilgayev & Ilia Shkolyar - Github Actions Security Landscape
Github Actions, the recent (from 2018) CI/CD addition to the popular source control system, is becoming an increasingly popular DevOps tool mainly due to its rich marketplace and simple integration.
As part of our research of the Github actions security landscape, we discovered that in writing a perfectly secure Github actions workflow, several pitfalls could cause severe security consequences. Unless the developers are proficient in the depths of Github best-practices documents, these workflows would have mistakes. Such mistakes are costly - and could cause a potential supply-chain risk to the product.
During the talk, we’ll walk you through our journey on how we found and disclosed vulnerable workflows in several popular open-source tools, delved into Github actions architecture to understand the possible consequences of these vulnerabilities, and present what could be the mitigations for such issues.
09:50 - 10:10
Salma Taoufiq - Automating False Positive Whack-a-Mole with Real-Time Behavioral Analytics
Security Operations Centers (SOCs) strive to provide an infallible line of defense to their customers against targeted attacks and malware lurking in the cyberspace. For that, several security sensors are used to flag any suspicious activity, ensuring that even needle-in-the-haystack attacks are caught. However, not every suspicious event is truly malicious. As such, these detectors can quickly generate an overwhelming influx of alerts for SOC analysts to inspect. Thousands of alerts to manually sift through every single day, out of which only a minute proportion constitutes true relevant alerts that require action. In an endeavor to help analysts strike a balance between thoroughly protecting their customers and controlling the alerts firehose, we present a lightweight system that automates this grueling process. It triages critical alerts while filtering out false alarms. Our approach leverages the historical context around alerts across the underlying heterogeneous detector technology and serviced organizations. Using these signals, the model automatically filters out more than 52% of the noisy false alerts daily compared to the existing manual workflow, while successfully prioritizing more than 90% of the true critical alerts and bringing them to analysts’ attention.
10:15 - 10:55
Dávid Pethes aka six - Breaking the Bridge: Hacking Wrapped Coins and Tokens
As more cross-chain projects come out in the blockchain space, we often see them getting breached by new types of Bridge vulnerabilities (think about the Wrapped ETH hack where $320 million was lost).
This is where the so called "Web3.0" and "Web2.0" meet. Most exploitation methods rely on the combination of using smart contract functions and typical web server provided functionalities. We'll look into how these complex systems can be hacked and propose truly decentralized solutions.
10:55 - 11:10
11:10 - 11:50
Szilárd Pfeiffer - How Crypto Libraries Effect a DoS Attack?
The Diffie–Hellman key exchange is affected in D(HE)at vulnerability (CVE-2002-20001), a DoS attack forcing the server to compute the CPU-intensive part of the mechanism overloading it seriously. Of course, the effectiveness of the attack depends on the key sizes, the used cryptographic protocol, and the server application, but it also highly depends on the cryptographic library implementation. There are significant differences between the crypto libraries in what bandwidth is sufficient to consume a whole CPU core on a server. I will demo how a server that implements TLS, SSH, or IPsec protocol can be overloaded and how the peculiarities of the crypto implementation influence the vulnerability.
11:55 - 12:15
Tobias Schrödel - How to Get Your Laptop Stolen - and How to Get it Back?
Tobias was testing an "anti-theft software" for laptops on a German TV show when it turned out that finding a real thief is not that easy. The story finally slipped away when a brutal criminal and a bodyguard entered the scene. But the person who finally ended up spreading the most fear surprised everyone. Unfortunately, the funny parts of this shooting could not be broadcasted on TV ... but they will be part of this lecture. So take your seat and fasten your seatbelt while you listen to this hilarious story, in which nothing went as planned!
12:20 - 13:00
András Tevesz - Offensive Rust Tales
In connection with an internal red team task, I designed and built a Rust-based Windows application that avoids and circumvents all current protection on a 100% fresh Windows 10 machine.
Protections I had to avoid: Automatic Sandbox Analysis, Chrome Browser Protection, Antivirus, Endpoint Protection, Firewalls, and other built-in protections for Windows 10.
The goal was to implement a non-persistent offensive device that creates the smallest possible footprint on the background, thus reducing the risk of falling over and being analyzed.
The presentation describes the development process, the components used, as well as any problems that may arise and their solutions. (As well as some key moments in a video demo.)
13:00 - 13:45