Talks and speakers at Area41 conference 2018

more talks will be announced shortly...

Costin Raiu (@craiu)
Costin specializes in analyzing advanced persistent threats and high-level malware attacks. He is leading the Global Research and Analysis Team (GReAT) at Kaspersky that researched the inner workings of Stuxnet, Duqu, Carbanak and more recently, Lazarus, BlueNoroff, Moonlight Maze and the Equation group. Costin‘s work includes analyzing malicious websites, exploits and online banking malware.
Costin has over 23 years of experience in anti-virus technologies and security research. He is a member of the Virus Bulletin Technical Advisory Board, a member of the Computer AntiVirus Researchers‘ Organization (CARO) and a reporter for the Wildlist Organization International. Before joining Kaspersky Lab, Costin worked for GeCad as Chief Researcher and as a Data Security Expert with the RAV antivirus developers group. Costin joined Kaspersky Lab in 2000 and became the Director of the Global Research & Analysis Team in 2010. 
Some of his hobbies include chess, photography and the Science Fiction literature.

Amanda Berlin (@InfoSystir)
Over the last decade, technology adoption has exploded worldwide and corporations have struggled to keep pace. Usability and revenue creation have been the key motivating factors, often ignoring the proactive design and security required for long-term stability. This change in landscape has led to many organizations having to engage in a game of InfoSec catchup, often realizing that their Information Security Program has either not received the executive backing that it required or simply never existed in the first place. If you are currently in this situation, you may not even know where to start. We'll go over great steps to start with that will have little impact on budget, but a large impact on moving forward for a more secure environment. This will be an informative dialog backed by real life experiences in the industry.

Amit Dori (@_AmitDori_) (Votiro)
Upon infecting a machine, typical malware usually establishes a communication channel with a C2 server in order to operate. This communication channel is used to receive commands or 2nd stage payloads and for data exfiltration. This kind of communication is quite noticeable for security researchers and incident responders, and can be used to identify and block the threat. What if an attacker could use legitimate applications, found on almost every Windows machine, for communication purposes? It would surely make it harder for the security industry to identify and block such an attack. Hackers who could make that happen would find themselves with a lucrative product on the online black markets. Our research has shown that such applications exist - and one of the most vulnerable is Google Chrome. Chrome is considered to be a fairly trusted application, whose network traffic no one tends to monitor and can easily bypass process whitelists as it is so very common it might create false positives. Furthermore, it supports multiple communication off-the-shelf protocols, allowing for very versatile attacks. WebRTC, which Chrome uses for some of its communications activities, has turned out to be a boon for many users and websites, saving both time and effort by eliminating the need to install third-party extensions and scripts. But every silver lining has a dark cloud; WebRTC, combined with Chrome, provides a potentially lethal combination that has the potential to spread malware, eavesdrop on users, silently operate audio and video equipment on laptops or devices, and more. It's lethal for two reasons; First, it bypasses the usual C2 setup, where a victim‘s computer or device gets instructions from a control machine – and in which communications packets and processor activity is noticeable-- at least to those who bother to look. Many don't, but at least the opportunity to do so exists. But with WebRTC exploits, there are few clues as to what is happening, and how a victim's system is being compromised. And second, it's Chrome; who would suspect a solid, well-known browser of being a hacker vehicle? Few indeed – which is why its traffic is usually not monitored, and it easily bypasses process whitelists, since many of the anomalies it presents could safely be chalked up to false positives.

Antoine Neuenschwander (@ant0inet) (SWITCH)
Blockchain is hip. Not only do crypto valley startups have high hopes in making groundbreaking innovations, cyber criminals also see high potential in crypto currencies for profit generation. Since fall 2017, ransomware has seemingly left the field to cryptominers. Instead of extorting Bitcoins from users, the malware runs silently in the background and parasites the system resources for cryptomining. With the advent of altcoins specifically designed for mining on general purpose CPUs and corresponding Javascript implementations (e.g. coinhive.com), webcryptominers are now proliferating. The SWITCH foundation as operator of the .CH registry is required by the Ordinance on Internet Domains (OID) to block domain names being used for the distribution of harmful software. In this session, I will present how webcryptominers affect the .CH zone and how SWITCH deals with such cases.
Antoine Neuenschwander (@ant0inet) (SWITCH)
Starting in 2016, many bike sharing services emerged in larger Asian cities, flooding the streets with 100 thousands of bicycles. The startups behind these services are aggressively competing for territory and investment, and have now also expanded to European Cities. The city of Zurich hadn't launched their 'Publibike' service yet, they were already outrunned by other private competitors. The way these 'Uber for bikes' services work is quite simple: clients use their smartphone to locate bicycles. Once nearby, they can unlock the bicycle directly from the app or by scanning a QR code. Unlike traditional rental services, however, which require bikes to be returned to a fixed docking station, users are free to leave the bikes anywhere on the street. The interesting part about these services is that they combine technologies such as IoT, mobile applications, geolocation and web services, all of which have their own attack surface. I had a closer look at two bike sharing services in Zurich with respect to security aspects and will share my findings with you in this session.
Carel van Rooyen (@carelvanrooyen) & Philipp Promeuschel
Xtensa having 100 million devices shipped in 2018 is becoming more prevalent in low-powered IoT devices deployed everywhere. In order to secure you first need to know how to exploit. Comparing ARM exploitation to the considerations for Xtensa exploitation should establish a baseline for comparison of the two, and make some of the ARM exploitation ideas transferable in the context of Xtensa.
Daniel Roethlisberger (@droethlisberger) (Swisscom CSIRT)
Many blue teams monitor large Windows populations for malware and intrusions based on sysmon. With macOS being increasingly targetted by adversaries, there is a need for a similarly effective and readily available tool on macOS that is able to log enough context to be useful in incident detection and analysis. I present a new open source tool for macOS, discuss shortcomings of existing alternatives, give background on the specific challenges of especially process tracking on XNU as well as the relevant userland and kernel facilities at our disposal and explain the approach chosen for the new tool. The talk is intended to be useful for both blue teamers of heterogeneous environments and those just interested in macOS/XNU internals.

David Liebenberg (@ChinaHandDave) (Cisco Talos)
This presentation will take an in-depth look at illicit mining activity conducted by Chinese cybercriminals. It will begin by examining the trend toward cryptocurrency attacks in general. Then it will focus on China, looking at the country‘s cryptocurrency environment, and examining how some Chinese actors are transitioning from DDoS to mining-focused attacks. Then it will analyze tools and techniques, looking at Monero mining and hacking tools purchased on Chinese forums as well as malware samples collected through honeypots and Chinese social media platforms. Finally, it will address ways to mitigate the threat, through blacklisting, collecting samples, and using human intelligence.

Dobin Rutishauser (@dobinrutis) (Compass Security)
While finding vulnerabilities in file parsers are trivial nowadays with tools like AFL or OSS-Fuzz, there are no good tools to perform automated vulnerability discovery on network servers. I present a self developed fuzzing framework which is able to intercept network traffic, and based on the recorded communication, fuzz the Linux based network servers.
Elliot Ward & Jake Humphries (Gotham Digital Science)
Ethereum is one of the fastest growing and most interesting blockchain platforms. This is mainly due to its ability to execute arbitrary code in the distributed network enabling developers to write fully decentralised applications. Source code for Ethereum smart contracts is compiled to bytecode, which executes in the Ethereum Virtual Machine, with persistent state stored in the blockchain. Open blockchain development concepts differ significantly from traditional paradigms and introduce a number of distinctive security threats to consider. This talk will introduce the key differences between blockchain and traditional ecosystems, discuss blockchain specific security concerns and highlight common insecure coding patterns. We will then present the findings and statistics from our large-scale analysis of the Ethereum blockchain for smart contract security issues. This will be followed by the public release of our open source tool for automated analysis of security issues in Ethereum smart contracts and reverse engineering of EVM bytecode.
Pascal Gloor (Quickline AG)
A short story of a hack. When a Swiss ISPs got hacked with potentially huge lawful interception consequences.
Himanshu Anand (@anand_himanshu)
During fileless or in-memory infection no files are written to the disk and the infection remains only in memory. This can make a detection of such a threat more difficult, as there is no file to scan. This talk will discuss the different methods of achieving fileless infections, as seen with threats like Poweliks or many PowerShell frameworks. We will discuss how attackers maintain fileless infection, as a reboot usually cleans up any infection. With more and more IoT devices getting attacked as well, we will examine the increase of fileless attacks on the *nix platform. We will conclude with some comments about future trends in this threat space and tips on how to protect yourself and your organization from these type of threats.
Michele Spagnuolo (@mikispag) (Google Switzerland) Lukas Weichselbaum (Google Switzerland)
In this presentation, we show promising new defense-in-depth techniques to protect modern web applications from old and new classes of bugs: Suborigins to have finer-grained control over origin boundaries, Site Isolation and XSDB against Spectre and Meltdown attacks, and last but not least Origin and Feature Policy.In addition to that, we explain new features of the upcoming CSP 3 specification like 'unsafe-hashed-attributes' and give an overview of how we were able to enforce CSP as a strong mitigation against cross-site scripting on over 50% of production web traffic at Google.

Pascal Junod (@cryptopathe) (Snap Inc.)
White-box cryptography is a niche domain of applied cryptography and software protection that often triggers negative comments by security experts: "It's broken!", "It's useless!", "It's security by obscurity!", etc. In this talk, we aim at shedding some light on the reality, debunk some myths and describe its current academic and industrial state-of-the-art and limits.
Seongsu Park (@unpacker)
Lazarus APT group is one large threat actor who is behind multiple widely known attacks such as Sony Pictures Entertainment hacking, Bangladesh Bank heist and Wannacry outbreak. In recent years, the biggest target of Lazarus is the financial sector such as cryptocurrency exchanges, and they are actively attacking as much as the value of cryptocurrency is rising. In this presentation, I will introduce TTPs of the Lazarus group for cryptocurrency exchange attacks and characteristics of each module for C&C server configuration and the feature of C&C server infrastructure. Eventually, attendees will understand the whole procedure from attack preparation to mission completion of theLazarus group.

Sergey Gordeychik, Alexander Timorin, Denis Kolegov (@scadasl) (DarkMatter)
Software defined network quickly become very popular in Enterprises. According Gartner‘s predictions by 2020 more than 50 percent of routers will be replaced with SD WAN Solutions. Vendors promises “on-the-fly agility, security” and many other benefits. But what the “security” really mean from hand-on perspective?
This presentation will introduce analysis of different SD WAN solution from the adversaries‘ point of view. Attack surface, threat model and real-world vulnerabilities in SD WAN solutions will be presented.

Stefan Friedli (@stfn42) & Michael Schneider
Red Team work has an image problem: The entire branch of adversarial testing has been declared dead over and over again this past decade, mostly by people who have not spent enough time in the industry to even fully grasp its potential. An unfortunate mixture of these curmudgeons, a common lack of proper scoping, the lack of qualified testers has served as ammunition to fuel the polemic claims that, once again, we are all doomed. In this presentation, we would like to illustrate, following real, anonymized projects of the past 24 months, how an adequately scoped, well-executed adversary simulation will illuminate an organization's weaknesses and also serve as a highly active catalyst for change - during the duration of the project, and way beyond.
Stephan Gerling (@ObiWan666) (ROSEN Technology & Research Center GmbH)
This Talk will show current security issues and attack vectors on modern vessels or yachts. Attacking vectors like GPS, AIS, Autopilot, IT equipment on board and others will be addressed. Therefore, modern Ships could named also "swimming IoT".
Thomas Chopitea (@tomchop_) (Google)
Ever wanted to do forensics and feel good about it? This talk will introduce you to what we affectionately call the GIFT stack: Google‘s suite of open-source tools for all things digital forensics and incident response. You will see how Greendale (a fictitious but very famous university) used this set of tools to articulate an effective response to a pretty severe incident last summer—all on a state-financed university budget!
Thomas Debize (Wavestone)
The pentesting domain is constantly evolving and has quite changed in the last decade in order to provide more and more sophisticated, (bug-free) and complete tools. The ability to process wide data sets coming from multiple tools is becoming a true pentesting core skill. This talk is nothing but the will of a 7-year experience pentester to share its coolest techniques, tools and procedures that he learned over time and that not everyone might be aware of. If you never heard about Jython, PyInstaller, CSVKit, Impacket, Frida, GNU Parallel, or you don‘t have a clue of how they can be applied for your pentesting day-to-day job ; come on in, you will for sure (I hope) take at least something practical back with that talk.