Level: Technical
Abstract:
The talk will present a web-based solution and its architecture for sharing secrets by utilizing HashiCorp’s Vault cubbyhole and single-use access tokens.
We’re going to introduce Vault and how to configure Vault (token policies in particular) to support this solution.
For end-users solution offers easy to use web interface with only two options. First being an option to write new secrets and define Time To Live of a stored secret, the second option will allow a user to insert the unique token in for it predicted field and display the secret.
For developers, the solution offers REST API which, also, support both actions. Making it easy for developers to integrate a solution into existing systems and automate the process of sharing secrets between applications and users alike.
Bio:
Dino Hrgetić, IT enthusiast with 3 years of experience in the Telco industry with a focus on role-based access controls and web development.
Video/recordings:
[Slides (PDF)] [Recording (MP4)]
Posted in talks | Comments Off on Overcoming challenges of secret sharing (Dino Hrgetić)
Level: Technical
Abstract:
The talk will discuss how ‘point addition’ works and how that leads to the Discrete Logarithm Problem of Elliptic Curves, then how the Elliptic Curve Diffie-Hellman algorithm is used, for example in HTTPS – and how you can actually find it using Wireshark. It will explain how to use ECC for digital signatures and why you don’t want to be like Sony when it comes to implementing them. It will discuss how ECC was used in an infamous random number generator and, finally, will take a brief look at the use of elliptic curves in post-quantum algorithms.
The goal of this talk is to keep things simple and understandable and no knowledge of maths is assumed. The talk won’t make anyone an expert on ECC — that would take years of study. But it might help one understand the context a bit better when you come across them in your research. And hopefully, it will also be a little bit fun.
NB the talk focuses on technical details, so I’ve listed it as ‘Technical’, but it explicitly doesn’t require any technical background.
Bio:
Martijn Grooten is a lapsed mathematician who by accident ended up working in security more than a decade ago. He is a conference organizer, product tester, paper editor, researcher, blogger and tweeter with a focus on malware, spam and threat intelligence and a weak spot for cryptography.
Video/recordings:
[Slides (PDF)] [Recording (MP4)]
Posted in talks | Comments Off on Getting Ahead of the Elliptic Curve (Martijn Grooten)
Level: Technical
Abstract:
As it’s not easy to come by a list of what to do in development, we took the opposite approach and researched how to make our code as bad as possible, security wise. Some of the topics we covered:
- Metasploit / quasar
- Android
- buffer overflow, stack smashing, etc.
- JWT on web and browser security (local/session store vs js store)
- WEB server HTTPS config
- ASLR, W^X memory violations, CFI
For every mentioned topic we tried to explore ways to be as insecure as possible and learning how such an environment can be exploited.”
Bio:
Goran Mekić is FreeBSD and Linux administrator, WEB developer, security researcher and low-level geek who recently found love for embedded and kernel development. I am a co-founder and teacher in Novi Sad hackerspace named Tilda Center.
Video/recordings:
[Slides (PDF)] [Recording (MP4)]
Posted in talks | Comments Off on How did we teach (ourselves) security (Goran Mekić)
Level: Low Tech + Advanced Tech + 1337
Abstract:
For my talk “Security Expedition in b0rkenland” I wanted to prepare a live demo because people asked for it. So I checked out current public Proof of Concepts (PoC) for exploits and thought which one I can combine. This resulted in a couple of night hacking sessions until the exploit chain worked reliable enough to be
presented as a live demo.
I will not only show you the created exploit chain as live, but will also discuss with you which problems occurred while implementing it and how I solved them.
Bio:
Hetti – Technical Computer Science student from Vienna with a passion for IT Security and geeky stuff. He is one of the board members of the finest Viennese Hackspace Metalab. In his free time, he enjoys traveling to community-based IT Conferences. The Viennese Cryptoparty is organized by him, where he also holds lectures and workshops about a broad range of IT Security & Privacy topics. You can also find him at the Chaos Computer Club Vienna (C3W). On some weekends he is hunting flags with the successful academic CTF Team We_0wn_Y0u.
Video/recordings:
[Slides (PDF)] [Recording (MP4)]
Posted in talks | Comments Off on Creating an exploit chain – tackling the problems (Hetti)
Level: Technical
Abstract:
The Linux Audit daemon is responsible for writing audit records to the disk, which you can then access with ausearch and aureport. However, it turned out that parsing and centralizing these records is not as easy as you would hope. Elastic’s new Auditbeat fixes this by keeping the original configuration, but ships them to a centralized location where you can easily visualize all events. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. This talk shows you what can you do to discover changes, events, and potential security breaches as soon as possible on interactive dashboards. Additionally, we are combining Auditd events with logs, which are security relevant.
Bio:
Philipp lives to demo interesting technology. Having worked as a web, infrastructure, and database engineer for more than ten years, Philipp is now working as a developer advocate at Elastic — the company behind the open source Elastic Stack consisting of Elasticsearch, Kibana, Beats, and Logstash. Based in Vienna, Austria, he is constantly traveling Europe and beyond to speak and discuss open source software, search, databases, infrastructure, and security.
Video/recordings:
[Slides (PDF)] [Recording (MP4)]
Posted in talks | Comments Off on Scale Your Auditing Events (Philipp Krenn)