Virtual edition, September 30th and October 1st 2021

Rooting out security risks lurking in your kubernetes ecosystem

The goal of this workshop is to broaden the awareness of the how and why kubernetes attacks and escapes work and measures to secure the clusters. - Starting from a brief tour of the Kubernetes ecosystem - covering in-depth defense mechanisms for multiple critical resources - Then looking at cloud Native threat modelling scenarios using the tool(demo) - Demo on a vulnerable and secured infrastructure with the tool - Demo on continuous monitoring and alerting techniques - Sharing the slides, playground setup and the tool with the audience - Question and Answers

Takeaway

• Take home advanced actionable techniques to threat model and secure your kubernetes clusters.
• A commercial grade open source tool for scanning and alerting for kubernetes security issues
• A self hosted production grade kubernetes playground with pure kubernetes misconfigurations
• A digital guide of the content presented

The Spy in Your Mobile

Do you think it’s too difficult to spy on mobile phones considering OS security? Or are you already being watched by someone? Or do you suspect someone is trying to spy on you? Or do you know what happens when your mobile device gets lost? If you’re interested to get these answers, this talk is for you!

In this talk, I will be presenting my research made on various spyware functioning at the application level, OS level to analyze what it takes to spy on someone’s mobile. I will be also presenting an analysis of famous mobile hacks. This talk will discuss what are the prerequisites, attack vectors, various techniques used by attackers to spy on someone’s smartphone. I will be also presenting several researched spyware from the internet, the dark web, and social engineering techniques used by attackers for successful spying and data exfiltration.

Cybersecurity & The Board: Choosing success over the Sarlacc Pitk

I regularly have conversations with cybersecurity leaders and experts across a range of industries. Recently on my Cyber Security Effectiveness Podcast, I’ve spoken with board members from several market-leading companies, in the public and private sectors, to understand their perspectives on cybersecurity.

These conversations demonstrate that board members are paying close attention to their organizations’ security programs — their approach and effectiveness and the impact on risk posture. Additionally, board members’ influence on the direction of a company’s security program has grown. As a result, IT leaders must report regularly that security technology, people, and processes are optimized to protect and defend the organization so that when a breach or attack does take place, it will have minimal impact on the brand and bottom line.

Takeaways:

• Understanding what boards really care about
• Measuring and trending security effectiveness
• Rationalizing - exposing gaps, retiring ineffective solutions, and prioritizing investments
• Interpreting risk predicated on an intelligence-led approach to security
• Communicating effectively

Attacking Secrets in Cloud-based Applications

The talk will briefly review a typical cloud-based application deployment, and then talk about the different ways for provisioning cloud secrets, such as tokens and access keys, and finally discuss various attack vectors for extracting and abusing those secrets.

The art of Securing Webviews and a story behind CVE-2021–21136

Webview: An in-app Web Browser created to ensure seamless user experience without context switching between browser and mobile application. It allows developers to display web content directly into their mobile application and supports the concept of code reuse thus Webviews are extensively used in current mobile application development.

Through this presentation, we would talk about the common Webview related security issues and the techniques to prevent those security issues and make the mobile applications secure and robust. We would be talking about the following common security issues and their prevention:

• Insecure Deeplink implementation
• Insufficient URL validation
• Insufficient Webview hardening
• Lack of Webview isolation
• Unintended data leakage via misconfigured Webview

In the later part of the presentation, we would talk about the story behind getting the Chromium CVE:2021-21136 (https://bugs.chromium.org/p/chromium/issues/detail?id=1038002). A security issue in Android Webviews leads to leakage of sensitive data such as user’s auth tokens and shared secrets to the third party.

TLS Private Key Recovery

RSA is one of the most commonly used algorithm for providing confidentiality, integrity and authenticity of digital information. RSA is used to secure web traffic up to TLS 1.2. Today, web servers have a certificate which protects the traffic between the web server and the client browser. This certificate contains a public key of 1024 or 2048-bits. But what will happen when the key material of the certificate is not correctly generated? Are you still sure that traffic is protected and cannot be compromised?

Does Serverless Means Harmless?

When adopting serverless technology, we eliminate the need to develop a server to manage our application and by doing so, we also pass some of the security threats to the infrastructure provider. However, serverless functions, even without provisioning or managing servers, still execute code. If this code is written in an insecure manner, it can still be vulnerable to traditional application-level attacks.

In this talk, we will examine the differences in attack vectors, security weaknesses, and the business impact of successful attacks on applications in the serverless world, and, most importantly, how to prevent them. As we will see, attack vectors and prevention techniques are completely different from the traditional application world.

How to beat application DDoS attacks with CrowdSec & Cloudflare

Distributed Denial-of-service (DDoS) attacks have been targeting all types of businesses over the past few years. They have been used by hackers for quite some time and are some of the most common attacks but remain extremely efficient and harmful. The concept is simple: hackers hammer a given target from many different locations to take it down (and usually ask for money afterward as a condition to stop the attack).

E-commerce sites are one of the usual victims: an e-commerce site down is a site that isn’t making money. There are many ways and tools to perform this kind of attack and many layers of defense, but today we will focus on application (layer 7) distributed denial of service, L7 DDoS in short.

In this talk we will discover how CrowdSec can be leveraged to provide an effective countermeasure against L7 DDoS attacks on websites protected by Cloudflare. This is done by combining the powers of CrowdSec with the Cloudflare API to filter away malicious connections in an effective (and free!) manner.

Atomistic Internet of Things (IoT) Penetration Testing Methodology

Although there are more than 50 billion Internet of Things devices, there is not much information online on how to test them for security vulnerabilities. Companies are starting to add more and more intelligent devices to their internal networks, and that opens the room for a new era of security incidents we have not yet seen. During the talk, I will explain why there is not much information about IoT pentesting and define a pentest methodology based on my research and the research available online. I’ll combine the methodology with a checklist to be used by pentesters to make sure nothing is left behind when performing IoT pentests. This is meant to be the starter pack used by any company willing to get IoT security testing capabilities.

Chances and Challenges of Machine Learning in Cybersecurity

Artificial Intelligence, Machine Learning, Deep Learning - these terms are often used interchangeably and for marketing purposes. If we were to believe some of the colorful marketing claims, machine learning could solve many problems that cybersecurity has been struggling with such as detecting new and unknown attack attempts and automatically taking defensive measures before any harm is done. By understanding how machine learning actually works, we will be able to understand why it is no silver bullet for cybersecurity but only yet another tool with its own strength and weaknesses. The talk will explain the basic principles of machine learning and show scenarios and tools where it can be applied for cybersecurity. Also the challenges and dangers of machine learning will be considered: how attackers can target machine learning algorithms or use machine learning for their own malicious purposes.k

Using policy delay to gain RCE and to execute Ransomware to infection victim machine

The purpose of this presentation, it’s to execute several efficiency and detection tests in our endpoint solution, bringing the result of the defensive security analysis with an offensive mindset performed in the execution of some techniques, regarding the test performed, the first objective it was to simulate targeted attacks using invasive techniques such as Dll Injection using Payload created by msfvenom based on Metasploit platform, and using a PowerView, that is a PowerShell tool to gain network situational awareness on Windows domains.

It contains a set of pure-PowerShell replacements for various windows “net *” commands, which utilize PowerShell AD hooks and underlying Win32 API functions to perform useful Windows domain functionality, It also implements various useful metafunctions, including some custom-written user-hunting functions which will identify where on the network specific users are logged into. It can also check which machines on the domain the current user has local administrator access on. Several functions for the enumeration and abuse of domain trusts also exist. See function descriptions for appropriate usage and available options. For detailed output of underlying functionality, pass the -Verbose or -Debug flags.

As a Second test the idea it was to use Shell Injection using payloads created by via msfvenom based on PowerView as well using the same strategic to the firsts test, this cmdlet can be used to inject a custom shellcode or Metasploit payload into a new or existing process and execute it. And as a Third test we used a tool that can perform DLL injection using a tool known as Remote DLL Injector from SecurityXploded team which is using the CreateRemoteThread technique and it has the ability to inject DLL into ASLR enabled processes. The process ID and the path of the DLL are the two parameters that the tool needs using Payload created by msfvenom. And the fourth test was to download a Ransomware directly on the victim’s machine using powerschell scrito and execute itself exploring the policy delay and finally the last test consisted in running the stress test using a script python script with daily malwares, provide by MalwaresBazaar by request using API access, and the some moment perform the powershell to download a Ransomware directly on the victim’s machine

Biohacker: The Invisible Threat

Biohackers exist and walk among us. Most security professionals would not allow users into their environment with offensive security tools. How do you address individuals who have surgically implanted such devices into their bodies.

I have multiple sub-dermal implants that range from NFC, HID/Prox and RFiD devices. This allows me to become the attack vector. In this talk, I provide a brief overview of the types of bio-implants on the market and share various case studies on the potential damage malicious biohackers can inflict.

I also demonstrate how I am able to quickly compromise loosely connected devices and open a reverse TCP Shell to a CnC server through my attack [email protected] in under three minutes.

Finally, I show how I steal HID Proximity Card Data and write that back to the implant. This avoids any physical evidence of a breach. This also allows me to gain access to data as well as physical access to secured locations.

As security professionals, we must anticipate the unknown. These include any individuals that enter our facilities or are simply around us in public. These types of attacks are becoming more common. A majority of security community are not aware they exist. Discussions on what was once thought to be science-fiction are now science fact.

Through continuing education on phishing and social engineering attacks, tightening MDM restrictions, endpoint management, behavioral analytics, least privilege and privileged access, we can take preventive measures around the threats we can’t see.

To the docs and beyond!

On the journey to explore some non-traditional attack vectors, I picked up developer documentation as a possible attack vector. Why Developer Docs? It provides a holistic reference of the platform/feature to the end-user, be it a developer, hobbyist, or a hacker like me! Also, almost every IT company out there has a documentation of some form or the other, making this a juicy and widespread attack surface. Well No! Just the presence of documentation itself doesn't guarantee any vulnerabilities, but instead, gaining a deep understanding of the feature or product through a thorough read of the docs followed by hand-picking possible issues is the art here. The main idea behind this talk is to leverage documentation to aid exploitation of security vulnerabilities. It goes through four individual security issues that I've discovered through the said approach.

The first issue deals with the improper usage of blacklists(i.e: a list of all non-permissible entities) to prevent Cross-Site-Scripting (XSS) and how I bypassed it with the help of developer documentation.

The next issue talks about two security misconfigurations, (i.e: incorrect system configurations) in the Slack instance of a company. Slack, which is already known for its granular security controls, leaves ample space for humane errors and hence generates security flaws.

The Third Part of my talk is about the AEM (Adobe Experience Manager) Querybuilder Framework and how to leverage data exfiltration just via Adobe's developer documentation of the same. Rather than relying upon automated tooling, learn how docs help us in building handcrafted payloads and even how to combine them to gain maximum leverage out of AEM Querybuilder and score a critical bug!

The Fourth issue brings about the possible risks of incorrectly exposing a staging API without authentication. The finding presents an exposed Swagger UI, which is an open-source GUI representation for documenting underlying REST APIs. Upon exploration of the same, three critical security issues were uncovered, The first being a Local File Read,The Second, a Local File Write, The Third, a Local File Delete, all without the need for any user authentication or credentials.

Last but not the least, a bonus finding briefing about missing CORS policies, possibly usable to steal user specific information via XML HTTP Requests (XHR).

Finally wrapping it up with some key takeaways, helpful to keep in mind while building and breaking web applications.

Offensive Azure Security

These days, working with a cloud platform is already commonplace. Companies choose Microsoft Azure for a number of benefits, including security. But there are some responsibility on the customer side and that’s may become weakest link in the chain.

A demo-based session shows attacks on the weakest link in 3 scenarios: Hybrid Active Directory, Legacy VM-based application and Modern Application.

The session includes: - Pentesting Azure AD Connect - Bypassing authentication & MFA - Getting control over Compute - Extracting secrets from Key Vault - Getting Access to App Service and Azure SQL Database - Exploring Azure Web App Firewall

Smart Home Devices: Assets or Liabilities?

Over the past few years, the global market share of Smart Home devices has been growing strongly, and it is forecast to keep enjoying increasing growth for the foreseeable future. This explosion of devices on the market has caused many companies to push out their products for highly competitive prices at a rapid pace.

Even though these home automation devices often offer a wealth of interesting and exciting features, there is no easy way for consumers to assess their security at the time of their purchase. Just like the demand for smart home devices has spiked, so has the amount of media coverage on data breaches, privacy violations or security issues associated with these devices.

At the time of writing, the European Union Agency for Cybersecurity (ENISA) has published several guidelines for manufacturers to assist them in securing their Internet of Things (IoT) products, which these Smart Home devices are a part of, but binding regulations do not exist. Due to how close these devices are tied into our daily routines and living spaces, they are a tempting target for malicious actors, posing a serious security risk.

When buying an off-the-shelf solution in an (online) shop, the consumer generally expects devices to hold up against a baseline of security and privacy expectations, but has no way of verifying if this is indeed the case. This research assesses the current state of the market by taking a closer look at the security and privacy implementations of a range of devices currently available in popular stores and online shops. Furthermore, I’ll investigate a potential need for binding regulations and formulate some recommendations on how these IoT devices can be tested and regulations can be enforced.

Privacy and Safety of NB-IoT Devices

With the widespread use of technology in daily life, as well as the need for society to use techniques to enhance work, the IoT definition and technology has developed. Today, the use of this technology is prevalent in various sectors, such as agriculture, IT, transport, etc.

Major privacy issues in IoT include authentication, identification, and device heterogeneity. After studying many threats and risks that have harmed this technology, experts have recognized the different factors such as sending plain text data, the potential to break into dashboards of management, authentication mechanism vulnerability, and so on.

In order to implement this technology in a safer and faster context, a new technology based on mobile cellular network called Narrowband Internet of Things was developed. This technology operates in the fourth mobile network generation and uses the relevant elements in these networks.

In this research, an effort has been made to investigate the vulnerabilities in these networks, especially in the radio filed, which is the most accessible subnet. To conduct this research, open-source tools such as OpenLTE and SDR, in an environment where the NB-IoT sensors were active in a LTE network were used. A listening device to receive exchange messages implemented. A Catcher to receive the transmitted values of IMSI based devices, which are considered active subscribers, has been setup. After this scenario, using rogue eNodeB, TAU messages are sent to NB-IoT sensors.

A finding from this experiment shows that the sensors have disabled due to lack of connection to the cellular network.

Kicks & chips: an investigation into scalper bots!

Reseller bots are programs designed to automatically buy a large amount of an exclusive item. The aim of many of the users of these bots is to buy a large quantity of highly-south items — which often sell out within a matter of minutes — and resell them at a higher price for profit. This phenomenon has taken on several iterations over the years, from ticket bots to sneaker bots; following the recent shortage of GPUs used for video games and cryptocurrency mining, similar bots have been made to snatch up products from brands such as Nvidia and AMD in the past year. Such bots can be easily found for sale or for rent on the internet.

We will examine several aspects of this reseller bot world. First, we will dissect how these bots work as well as the individuals — both programmers and sellers — behind them. We will review the products targeted by these bots and detail trends in the different products the bots are designed towards obtaining over the past few years. We’ll take a look at the money behind these bots as well, profiling several different bots available to consumers and spotlighting their prices and plans. Lastly, we will focus on who are the typical users of these bots, exploring both the bulk resellers as well as individual enthusiasts looking to get their hands on exclusive products.

Red Teaming AWS: Practice What You Preach

Building a culture of security is a journey that never ends, but this is a story of how one started. In a previous life working at a Cloud Native consultancy, we were experts on software delivery, but security was a skillset we rapidly needed to grow and cultivate.

To that end we conducted a surprise red team exercise targetting our AWS environment, by:

• Planning a fake company day and making an unanounced assault on our infrastructure
• Tapping communication lines so we could maintain a steady level of challenge
• Driving all actions through our most junior members
• And having a lot of fun

Learn how we built an enduring security culture that continues to grow and mature, and has become part of the company folklore. Culture is shaped through action not rhetoric, and if you want truly unlock DevSecOps there are few ways better than this.

AI+CTI=(Open)UEBA - An Equation That Works

The OpenUEBA framework implements a behaviour-based detection approach to analyse the behaviour of users and entities aligning them to know threats and latent variations determined from Threat Intelligence sources. The framework delivers a risk support tool allowing the technician to make the attack surface of users and entities preventing threats.

This project arose from the TDA Ciberseguretat challenge proposed within Smartcatalonia from the Generalitat of Catalunya with the Agency of Cybersecurity of Catalunya. The project will be implemented and validated within the environment of the public local administration and the University of Lleida.

Currently, all similar projects are black-box private solutions; OpenUEBA will break the current paradigm by providing an agnostinc open source solution, bridging the distance between the AI and cybersecurity realms.

On this talk, we will discuss the following points: - What’s the project and who’s behind it - Introduction of UEBA analysis - CTI (cyber threat intelligence) applied to behavior analysis - Contributing from the community - Next steps

Hacking Kubernetes 101

Kubernetes is the most popular container orchestrator today, with a huge increase in its use in enterprises in 2020. However, there is a great lack of knowledge about how to attack and how to secure a Kubernetes environment. Companies like CapitalOne and Tesla have recently suffered attacks for not having their Kubernetes environments secured. In this talk we will see from the basic concepts of this technology, to practical cases of attacks on clusters.

The Clutter That's Choking AppSec

“With more Tools, come more Vulnerabilities” – every Security Engineer In the age of DevSecOps, Shift-Left security strategies and automated tooling, an application security program is only as efficient as the rate at which vulnerabilities are managed. But with increasing demands on faster product go-to-market, automation technologies, diverse technology stacks and the ever growing demand for skilled appsec engineers, product leaders are at cross roads of Scale and Efficiency.

Have we as the security community paused to take at the silently growing clutter that’s choking even the well thought of application security programs? In this talk, I delve at the lowest common denominator of application security – The Vulnerability and look at how vulnerabilities at scale cause a disproportionate throttle on appsec efficiency. What’s going wrong?

• Results from SAST, DAST and SCA tools create large vulnerabilities data sets that are difficult to act upon
• Automated scan results from security tools are replete with false positives and duplicate entries that make remediation troublesome.
• Manual methods of triaging vulnerability data sets are inefficient and lower productivity.
• Improper vulnerability management increases friction between security and engineering teams What the audience will take-away at the 46th minute
• How methods of vulnerability correlation and de-duplication can significantly reduce appSec assessment and remediation time.
• How to effectively integrate vulnerability remediation with the engineering workflow.
• Understand the basic anatomy of a vulnerability to effectively prioritize and fix security bugs faster and better! Who would gain the most from the talk
• Security professionals who face problems managing vulnerabilities whilst dealing with more than one high priority item at the same time
• Engineering (Developer) teams who find the current vulnerability remediation workflow problematic
• CISO’s who want to lay down a mature and efficient AppSec Program

De-Google your Smartphone

It’s no secret that Google is an advertising company. The nature of the relationship between Google and it’s users is a privacy invasive one. Targeted advertising is growing more lucrative as our location, health information (smartwatch telemetry..), and browsing habits are all ingested by the Google engine for later monetization.

Step outside your comfort zone and try out a Smartpnone without Google apps. Bonus points if you can continue life with only the apps in the bundled app store, F-Droid.