Pushing Left, Like a Boss - Tanya Janca


With incident response and penetration testing currently receiving most of our application security dollars, it would appear that industry has decided to treat the symptom instead of the disease. “Pushing left” refers to starting security earlier in the SDLC; addressing the problem throughout the process. From scanning your code with a vulnerability scanner to red team exercises, developer education programs and bug bounties, this talk will show you how to ‘push left’, like a boss.

The Art of Fuzzing - René Freingruber


Fuzzing is a very powerful technique to detect flaws and vulnerabilities in software. The aim of this talk is to demonstrate different techniques which can be used to fuzz applications or libraries. Choosing the correct and most effective fuzzing technique will be discussed with real-world examples. Moreover, hints according common problems and pitfalls during fuzzing will be given. The demonstrations include fuzzing techniques with source code available as well as reverse engineering tricks for closed-source applications. After the talk attendees should not only know how to fuzz with famous public fuzzers but also how to dramatically enhance the fuzzing results.

ManaTI: Web Assistance for the Threat Analyst, supported by Domain Similarity - Raúl Benítez Netto & Sebastian García


The amount of new malware and variants of old malware increases continually. This generates a growing amount of network traffic to analyze, challenging researchers to find better detection methods. When threat analysts are confronted with such amount of traffic, they are usually overwhelmed, having less time to analyze the traffic. This situation generates less accurate results. In the last few years most malware had migrated their communication channels to web protocols, mostly to avoid being filtered from inside organizations. As a consequence, there is a great availability of traffic logs of web protocols to analyze. These logs are usually called weblogs. The use of weblogs for security analysis is an old practice with well documented results. The analysis of weblogs requires a deep knowledge of security topics, patterns analysis, malicious behaviors and protocols details: DNS, WHOIS, HTTP, etc. Unfortunately, these skills are difficult to acquire for the analysts. Analyzing millions of weblogs with speed and accuracy, balancing the amount of information and finding threats is, at least, a daunting task. It became clear, then, the need for a tool to assists analysts in this task. A tool to help analysts organize their work, improve their detections and speed up their analysis. In this context, we researched and created a new tool, called ManaTI, to assist network security analysts to find threats in weblogs faster. ManaTI allows the analyst to work with weblogs in groups, apply labels, make comments, use third-party services (such as VirusTotal), visualize statistics and create new background analysis modules. A special feature of ManaTI its is novel WHOIS similarity distance algorithm. This algorithm can find if two domains are related given their WHOIS information. ManaTI was evaluated with real analysts. There are two main conclusions: first, that ManaTI can increase the speed of analysts by a factor of 3.4 in average. Second, that the WHOIS similarity distance makes possible to find related domains. All our research and code was made public for the research community.

Five Days in the Life of a CMS Brute Forcing Malware - Anna Shirokova & Veronica Valeros


Web content management systems (CMS), specifically WordPress, have been widely adopted since their inception. Over 5% of the internets’ websites today use WordPress. Because of this wide adoption CMS are a constantly targeted by malicious actors looking for a cheap and disposable infrastructure for their malware. Compromised CMS are often used as temporary command and control servers, to host malicious files, or for various drive-by attacks. Brute forcing is the most common type of attacks against CMS, which takes advantage of users who often choose weak credentials. In order to avoid detection, malicious attackers use distributed brute forcing attacks against CMS websites with botnets designed specifically for this purpose. One of the most recent and prominent botnets in this area is Sathurbot. In this talk we will present an in-depth analysis of the Sathurbot botnet. The goal of the presentation is threefold: First, an introduction of Sathurbot botnet, historical context, and an overview of its modules. Second, a network traffic analysis of a five day real Sathurbot infection. Third, insights into the malicious actor’s operational techniques.

High-performance web application fingerprinting based on SCM repositories - András Veres-Szentkirályi


Network security assessments often reveal web servers running variou outdated versions of FLOSS web applications such as RoundCube, phpMyAdmin or SquirrelMail. Narrowing the set of vulnerabilities that could affect such a setup is easier if we know the version installed, however in many cases, obvious clues such as READMEs and changelogs are removed on purpose. When the source code along with its history is available online, it is possible to correlate static file contents with specific commit ranges, and we had done so in the past manually. However, much of this could be automated, so we developed a tool that can identify a Git commit range based on static file contents. It can be used either as a standalone tool or as a Burp Suite plugin. The talk describes and demonstrates our tool from source code to everyday usage, along with an intro to git internals to understand how this can be done fast on repositories with hundreds of thousands of commits. Source code is already up on GitHub, pull requests are welcome:

Mobile Banking (In)Security - Sneha Rajguru

There are over 1.2 Billion smartphone users worldwide and more adding every day, it can be said that smartphone has now become a standalone device to use. Individuals adopt smartphones not only to surf the Internet but also use it as means of entertainment, information, shopping, socialising, travel and to do banking, so much so that it is now a one stop solution for almost everything. Clearly the mobile banking and payment has become the de facto standard for banking activities. Banking apps on the smartphones has gained great momentum and this evolution has strongly reduced the traditional access to banks (i.e physically visiting a bank or even going to ATMs). As, we entrust the mobile apps and smart devices with our Passwords, Private Information and Money, certain critical issues arise, such as; are these apps really safe to use, do they protect our privacy, what exact kind of information are they leaking, are they stealing money from your bank accounts or are they vulnerable to be exploited by the attackers. In this talk, I am going to present a deep analysis of many mobile banking applications collected around the world and talk about the vulnerabilities which are of grave concern.

True Cost and Real Benefits of Industrial Internet of Things Security - Herbert Dirnberger


Basically, the Internet of Things has an enormous potential to make life easier but not without security. In a best practice talk the whole process how to implement security in iIoT Systems will be explained and discussed. The represented expected cost of security measures for minimize risk, the cost of incidents response and the benefit and value added of optimized processes in the whole system life cycle can help to solve to find the right alignment.

A Song of Botnets and Power: Blackout is coming - atrox

Power grids are a prime example of large-scale decentralized critical infrastructure pre-dating modern telecommunication by decades. The volatility of grids is often underestimated. To stabilize the nominal frequency power production and consumption have to be continuously kept in balance. As consumers are predominantly uncontrolled, operators have to adapt power plants’ output to the demanded power using elaborated models including parameters like weather, season, and time of the day. These models are based on the premise of a large number of small consumers averaging out their energy consumption spikes. However, an adversary in control of a sufficiently large number of computers can break this premise by synchronizing their load patterns and create artificial load spikes, pushing the grid out of its operational limits. Before that, grid security was often understood in a classic IT or CPS sense, i.e., attacking components over their digital interfaces. Our adversary does not have to rely on any current or future smart grid features for a successful attack.

Android Malware detection via ML - unknown students

Based on the DREBIN paper, we are exploring possibilities to improve the detection rate and reduce the FPR for Android APK malware detection via ML. This is a talk about a project which is currently WIP.