
All right, so for the last part, like I said at the beginning: if you missed one of the talks but you were really interested in it, but you went to the workshop instead, or you just missed it because you were doing hallway con, which is probably fine, then now is one last chance that you can ask questions of the presenters. They will summarise what they were talking about, what the main questions were during their talk, what the discussion focused on mostly. I said we're going to go in chronological order as they were, but it's kind of a lot of time to do that, and also some of our speakers had to leave, so afterwards you can just come up as you wish. Some of them will have presentations in slide format, some of them will just come up and do a talk. So, let's start with you.

Hello everyone. I did a talk about how to build awareness among employees. One of the things that I said is that we need to do it at work, because privately no one wants to look at it; it's also most of the time too complicated, so they are not interested, or they lose interest after two minutes of looking at it. So if you go to work, they need to know that companies are also, most of the time, better targets, because at a company or at a hospital there are a lot of people who work there, there are clients or patients, so that's the reason the criminal will go to the hospital first rather than look at people one by one. The training was more an instruction for the ICT or IT department or security department: three steps, three goals. In the first step you make them interested. How I make them interested and willing to learn is to show them; for example, in Western Europe we also have, outside of our company, the link with our work where all our data is; when they talk to their colleagues or to some people they were always like, "what? they never thought about that", and they were like "oh yes, yes, that is true". So that way you make them really interested in hearing it. Then in the second part of the training you try to explain what can happen with their data, and how you build that I leave to the security department, because they know the audience, and every company is a little bit different, so they can make their training based on that. And the third part is a workshop. In that part you can make different groups and work with the people. Why that workshop? Because you make contact with people; they know who you are, they saw you, it's not just some name or some imaginary person from the IT department, so they will know who you are and they can ask you what they don't understand.

Another tip that I gave is: keep it simple. Don't go too deep, because they don't understand, so you will lose them in two minutes. They are afraid that they need to know everything you explained to them; they think "I must know that", so they will stop thinking and say "I will never learn that, so I quit". So keep it simple, and if someone wants to know more they will ask you. So look at your audience, who you talk with, and go with that, and if you want to explain something more, ask them "do you want to know something more?", okay, then you go further. So in that time you can go and talk about different topics with them that are important for the company or hospital where you are.

After my talk we had a nice discussion, and I was really surprised, and thank you that you made it, David, because I heard a lot of nice ideas. Some were more like talking to the people, but some were also about the rules, and I also said that with the rules, when you make people understand why they need to protect them, then they will accept all the rules without questioning so much. Because, like, when you come to the hospital and you are sick and you don't feel good, you follow the orders of the nurse or of the doctor; you don't ask why and for an explanation, when you don't feel good you follow them, and sometimes you ask how or what, but most of the time most people just follow the rules, all of the instructions of the nurse. The same way you can instruct other people who are not as tech-savvy as you. A few ideas that I did like: someone said that if some people are bad, like they tried to be bad, bad, bad, but, guys, it was really simple: when they make problems, after that you train them, and after you explain to them, then you talk one or two times, and then, sorry, you get fired, because if you make your mistake because you don't care, the company will pay for it, how do you call it, but yes, or the company will itself have a problem. Because if someone breaks the chair or breaks things in a company, you can do it one time; the second time you're fired. Another idea was also talking about your family, so people who have children or a family will also like to protect themselves, so you can mix both of them. Also some kind of gamification, that you can see and try to let people hack each other, but at one time it was like: go to Google and search for information about each other and see what you can find, and some people are most of the time surprised what they can find about another person, or what can be found about themselves on the Internet. Some of them, like in the Middle East, Maxim said it was like: if you make some mistake, okay, your account is locked, so okay, okay.

That was a pretty good summary. Does anyone have a question for... for the audience? Okay, great, so thank you. Up next, Remi, can you please sum up your presentation?

So hello, my talk was about analyzing malware and reversing it with a chatbot. I started the project by installing some honeypots everywhere on the Internet, and I started by catching malware thanks to my honeypots, and it was boring to follow all the logs of the reports and get all the malware. So I wanted to automate this boring task, and for this I used r2 (radare2), so it's a reverse engineering platform, really very powerful, where you can get all the details you want and start analyzing something, and you can make exploits with that. So yeah, it's really nice, and I used a Python script; you can script it, you can make scripts with Python with radare, there is a plugin for it called [unclear], and so the goal of this script is to reverse the malware and give you the command and control of the malware, because most of the time the command and control was encrypted inside the malware. And after that, always launching the same script becomes boring, so I chose another way: move to a chatbot. So like a lot of people, most of the time my place to talk with my friends on the Internet is chat, and we used Telegram, so I found the bot [unclear], and this bot is compatible with a lot of chat protocols like Telegram, XMPP, IRC, Slack, whatever. And we then create a bot on Telegram and use this bot to control [unclear]; the bot reads all the websites, catches all the malware from the drop sites into my honeypot and aggregates all the logs into the website, and you can follow the new samples as they come in, in the Telegram chat, and you can reverse the malware directly from the Telegram chat. So yeah, it's quite useful, and you can do some reversing, very powerful and very quickly, and with no money. To do reversing you need a laptop? No, not necessarily, you can do it with your phone. So that's pretty cool. So yeah, I received a lot of feedback about my bot, and some people found it quite good, so I'm happy. But yeah, that's all from my side, so I don't know if you have some questions. Okay.

Next, Klaus, for example, can come.

So, what about small to medium business security? I worked for some years for a small bank, trying to build security starting from very little and then slowly, over years, moving up, and I talked about the reasons why doing security for small companies is hard: because they don't have the skills, they don't have the time, they don't have the people. We then moved on to a security framework that I built, with more than 200 controls, that any small to medium business can implement if only they have, say, one IT person, which of course some don't. But these controls can be implemented without much in the way of budget, much in the way of skills and much in the way of time. It's efficient; it's something that every SMB can do. So I put that out on the Internet, and the goal then is for SMBs to find it, and for the community to tell the SMBs about it, because all it takes for one SMB to start improving their level of security is one security champion within the company. It doesn't need to be in IT, doesn't need to be in security, just one champion who wants to make a change and make things better, and they can start improving. And then we talked about how, once you have started doing security in an SMB, you actually have strategic and tactical advantages over big companies, because you're flexible and adaptable and you can make quick decisions. That was my talk. We also had a lot of discussion afterwards on different ideas.

Are you going to put the slides on the website?

I'll send you the slides, right. You can find the slides on the BSides website. You can also find the framework, called Minimum Viable Security, by searching online or going to Peerlyst and searching; it is on Peerlyst. So there it is, and I hope you will help spread the word, because as we discussed in the comments after the talk, SMBs that do get hit, either with a breach or with ransomware, often go out of business, especially if they're really small. It really hurts them hard to get hacked and encrypted, so they need this. Any questions?
Yes, sure. One control that I find really, really useful is to use either EMET or Malwarebytes Anti-Exploit. It's rather simple. For EMET you will need to create various profiles based on what users do in their jobs, because it has certain crashes here and there, but these two tools just block so much attack surface for you. I mean, EMET is now going to be end-of-life; EMET is incorporated into Windows 10, which no one has anyway, and it still works fine for Windows 7, which people have, so don't worry. Yeah, but you want to pay the small fee that it is for the administration console so you can manage it centrally; it's not expensive. That was my talk.

Next up... so there was... there was one question. Wait, wait, wait, you're running away, there was one question.
No license terms? I would say then it's BSD. No, because that's the widest... I guess, no, if I'm not mistaken, that's a BSD license. Okay, cool, thanks again.

Okay, yeah, yeah, are you ready, Apostolos? Okay, thank you.

Hi everyone, again. So, more technically, it was about an attack that is common in object-oriented languages, whether it's Java, Python or .NET; it's called deserialization. I demonstrated the attack, I demonstrated the popularity of the attack: it's used in many other protocols, serialization is used in many protocols, it's used by countless vendors, and every vendor that tried to use that protocol, deserialization, pretty much failed, because there are some secrets of the serialization process that they were not aware of. They became public very recently, like a few years ago, two years ago, and suddenly all these vendors were found to be vulnerable. And it's a very reliable attack, easy to exploit, and it affects all software layers, not just the application layer: frameworks, libraries, application servers, even the Java platform itself, the runtime. So for example Oracle released an update for the Java platform two days ago; it contains four vulnerabilities in serialization. Three months ago, another four vulnerabilities in the Java platform. It's also in the new OWASP Top Ten that will be released tomorrow. Absolutely. So this is, real quick, the process: you serialize an object that lives in memory and you deserialize it back again on another computer; this deserialization process is the problematic one. How to solve the problem? Stop using serialization, stop using the technique. However, it's not... you do not control all layers of the software that runs on your platform, or even legacy; you don't control that. So you have to patch. However, patching, it was obvious from many talks here today, patching can break your application. The Oracle update that was released two days ago is not backwards compatible, so you want to solve your problem, your vulnerabilities, but it might break your application, so it's not easy to patch. So how do you stop the vulnerability? You can use any of these three approaches, and what I did in my presentation is I highlighted the limitations of every one of these approaches. The first two, actually, the Security Manager, is broken, can be bypassed, has been bypassed, is not reliable. And then what's left, actually, let me show you what's left: you have to do filtering, some kind of filtering, like a whitelist or blacklist; you have to allow specific classes to be deserialized, or specific classes not to be deserialized. But this is not easy, it doesn't scale, it's not at enterprise scale, it requires human intervention, it's error-prone and it doesn't protect you. Yeah, that's fine. And then I discussed the instrumentation agents, which are a very popular way to perform filtering, but they have a fundamental problem: instrumentation agents live in the same address space as the application, and this means if the application is compromised, the agent is compromised. So they're not reliable, they shouldn't be used, in my opinion; they are inappropriate for cloud environments; every business shifts to the cloud, so they have this problem. So there is a different solution; I proposed a different solution using virtualization: let's virtualize the runtime platform itself, and by doing that we move the security controls from the application space to the hypervisor, and when the security control is outside of the application space, no matter what deserialization vulnerability exists, it cannot affect the security control anymore. So your security control, that module, the component that makes you secure, is secure, it's isolated, it's in the privileged space that cannot be touched by the application. And then I introduced this technique, micro-compartmentalization, that minimizes the privileges during deserialization, so it avoids the privilege escalation and API abuse that is the effect of the deserialization attack. So that was my talk. Key takeaways, in my opinion: you shouldn't be using instrumentation agents for security; the instrumentation API wasn't designed for that, and you should think about other alternatives. There is this recent technology right now, this high-end technology we keep investing in; it's called RASP, runtime application self-protection. You should Google it and learn more about it. That was the end of my talk, and then we had a few questions. One about WAFs, I think from a very clever guy: web application firewalls, can they mitigate this attack? Well, I wouldn't say so; they can mitigate it up to a point. Yeah, just thinking about that argument: web application firewalls have to do, again, filtering, blacklisting and whitelisting, and it's even worse, because they have to do it outside of the context of the application. So they see the stream, the input that comes to the application, and they have to make a decision: should I allow the request or not? And it's a silly way of doing it; they depend on signatures and pattern matching. This is, for example, a way to fool a web application firewall: you create a stream as easy as that, and they think this is an attack, which obviously is benign, it doesn't do any harm, but you can fool them really easily. So you have false positives in web application firewalls, and you depend on signatures; if they update their signatures, again and again, it's not future-proof. That was my talk, thank you. Any questions?

Next is going to be Didier.

Hello, I'm Didier, I work for NVISO, and we did a workshop on malicious Office documents. So why did I do a workshop
about malicious Office documents? Well, it's because we're talking about malware, and malware is often executables, Windows executables, but the authors of malware want to deliver it, and you know, delivering executables via email no longer works in a lot of organizations. A PE file, an executable, you cannot mail it, even with Gmail; if you try to put it in a zip file it will recognize it and block it. Okay, so in most cases that no longer works, so what they are doing now, for several years now, is putting the malware into documents, like Office documents or PDF files. And that's what we did in the workshop: we learned how to recognize such files and how to analyze what they do statically. So that was the workshop. Now why did I talk about that? Because I make open source tools to analyze such documents, for example Office documents, so that you don't need Microsoft Office to be able to analyze such documents, but you can just use Python on any operating system that runs Python, and then you can use my tools to analyze such documents. And that is what we did in the workshop. There were three types of exercises. I brought about 30 different exercises that step by step introduce you to the file format of Office and how to analyze such files and extract the malicious code with my tools, and many attendees of the workshop did them. Then you had also a couple of people who had brought their own malware, because that was the topic of the workshop: bring your own malware. For example, with my tools an attendee was able to analyze one malicious document that he received recently; it was a .doc file, a Word document, which contains macros, VBA macros, and it contains a lot of levels of indirection, because you have the VBA macros, inside there you have something base64-encoded, that turned out to be PowerShell, which was in turn also obfuscated; when de-obfuscated we had another layer of PowerShell, and that PowerShell was a downloader: it would download something from the Internet, write it to disk and execute it. Another sample that was brought by somebody was an RTF file, a Rich Text Format file, and we were able to see in detail: it was an RTF file and it contained JavaScript which looked malicious, so that was already quickly established, that we were dealing with something malicious, and then we had to de-obfuscate the JavaScript, but that was not something we could do by the end of the workshop, so that's something that has to be continued. And then the third thing that I brought, for people who did not bring their own malware and who were not really interested in the simple exercises, was a bit of a proof of concept. Maybe you heard about it, about two weeks ago, a new type of attack with DDE, Dynamic Data Exchange. Now it's not new, it's an old technology, but it has been used again. So DDE, Dynamic Data Exchange, one of the features of this technology allows you to execute code without having to use macros. So I brought two examples of this; if you want more information, I posted a blog post about it, and here is an example of the analysis: you analyze the document and here you can see what is launched; you see that calculator is launched. So you know, it's a proof of concept, and then you also see calc.exe. On Windows 10 you actually no longer have calc.exe, it has become a... So that was the workshop: we did some exercises and successfully reversed one malware that was brought. Thank you. Any questions? Thank you, thank you.

To continue with the summaries, George, can you come please?

Okay, but if you have to mess with your resolution again, then you have to just go without the Prezi. Macs are notoriously bad with resolution and projectors. Nice, nice, it learns. Okay, so my talk was about how you can use AppArmor to immunize web services against their own unknown and known vulnerabilities, maybe in third parties, maybe in your application itself, by basically defining a profile for them, that means like a set of system calls that they can do. And I brought kind of like a case study, let's say, of an incident response. Sorry, I probably should have moved from here. So basically we were using ffmpeg to convert some video files, and a bug bounty researcher found a vulnerability in that particular version of ffmpeg, and actually the quick solution was for us then to confine ffmpeg with AppArmor instead of immediately patching it; of course later we patched it. And we came up with an AppArmor profile which basically successfully mitigated the attack, which could have been exploited to read some local files, arbitrary local files, on the EC2 instances that were running this service. I think one of the... it would take tons of time now, because I already removed this IP from the security group and stuff. Oh yeah, but actually, no, no, sorry. But for those who were in here, I did the demo of the exploitation itself, and it was basically a video converted by ffmpeg that contained the contents of the /etc/passwd file, as a demonstration. Anyhow, we came up with this profile, and I think there was a really good point made here, that the mitigation did not only depend on AppArmor itself but on the fact as well that these files were not easily guessable; so this is why he could not steal someone else's uploaded video file. And I think there's a really good point that AppArmor doesn't speak on that level, right; that's a purely application-level thing, who uploaded that video file to our system; AppArmor only speaks system calls and files and sockets and stuff like that. So I think that was kind of a pretty good point, that we also got a bit lucky there, that we already had that part good. Then I talked a bit about how this could be taken further, not only confining ffmpeg but the entire web service itself, since that's already your attack interface normally, so there could be vulnerabilities anywhere else. And then I tried to show what kind of tooling we built around monitoring this whole thing and making it more usable, more visible, and just easier to use and manage for us and for the developers as well. And I think this was kind of one of the key messages: that AppArmor is a good tool, and you can use it to confine your web services, but it's only as good as your profiles; it's definitely something that you have to maintain and you have to continuously care about, and you need all this kind of tooling around it. And of course, and this is the question we do not have a good answer for, and I would be really happy to talk with anybody if you have some input on that, so the question is: how does it scale? I mean, we already do this for a couple of processes, but we have no idea, even with all this tooling, all this monitoring around it, how does it scale massively, with a lot of services? But we are kind of already on the path to figure it out, but if anybody has some input on that, then that would be awesome. So that was my... yeah, any questions? Thank you.

[Unclear], can you come next?

Hi, my name is Tamara. We had a workshop about data forensics and incident response; the topic was Windows EVTX files, which, as you know, is the Microsoft security event log format, in which I presented a tool I wrote some months ago that will let you save a lot of time during incident response handling and forensic analysis. The tool itself will let you visualize all the relations between the users, computers and domains: which user is logging into a given computer at a given date and time. Finally, we discussed another tool, focused on how to create some kind of IOCs or general rules on the same event files. I think we all enjoyed the workshop; I'm really, really proud to be here, and if there are any questions let me know. So that's all, thank you very much. Thank you.

George, can you come next? Yes, I can.

I'll just keep it short, because I'm one of the last, and I mean, I'm between the weekend and you guys. So we talked about SAP and how hard it is to patch SAP systems, and how much work it is, because it all needs to be done manually. So I introduced some tooling that we used and developed with a customer to automate things and apply patches in a more automated way, which saves money and time, and you can raise the frequency of applying patches, and we had a short discussion afterwards
and I got good feedback. That's it, in short; I don't want to make it any longer. If there are any questions feel free to shout, otherwise thank you.

And last but not least, are you going to do slides, or... okay, so I know.

So my talk was about HTTPS implementations. We had a look at the different headers, like HSTS; I will not explain all of them, but HSTS is a very interesting header to force the browser to always connect to your website over HTTPS. We had a look at the risks and threats of HTTP connections and websites, then we also looked at other headers like HPKP, which is quite questionable whether you want to implement it or not, OCSP stapling, so browsers need to connect to verify the validity of the server certificates, and OCSP stapling is able to speed up the process, and another interesting one, not related to HTTP but to DNS, DNS CAA, which is whitelisting the certification authorities that are authorized to generate certificates for your domain. Any questions? Okay, thank you, we wish you a good weekend.