Archive for the talks Category

Level: Technical

Abstract:
With its ability to use operating system symbols and recognize many, even undocumented system structures, WinDbg is a powerful tool and effectively the only debugger used to analyze kernel mode malware and inspect objects kept internally by Windows in a live debugging session or by analyzing the full memory dump.

Unfortunately, WinDbg’s learning curve has been traditionally steep, due to a large number of often unintuitive debugging commands, rudimentary user interfaces, and arcane scripting syntax.

Over the years there have been several more and less successful attempts to make WinDbg scripting simpler for the user, with the most widely accepted interface being the pyKd Python extension. Still, the WinDbg scripting remained far from being user-friendly.

Developers behind Debugging Tools for Windows have been aware of WinDbg's limitations for some time and have recently put a lot of effort into making WinDbg more user-friendly. They have exposed a new Debugger Object Model, with a new dx command to inspect it, together with the NatVis visualization specification XML language and LINQ queries, which allow the user to filter the results of the dx debugging command.

With the Debugger Object Model, they exposed many of the operating system objects tracked internally by the debugger such as processes, threads, handles, stacks, and others through a user-friendly hierarchical namespace. Users can simply inspect Debugger.Sessions.First().Processes to enumerate all processes in the current session. They also exposed the file system and WinDbg disassembler to allow for more advanced methods of debugging and program analysis.

Finally, a new JavaScript scripting interface was created to allow the user to inspect the object model and augment it by adding new object definitions to its namespace.

Although many researchers will question the choice of programming language for the new scripting interface, there is no doubt that the latest JavaScript extension makes scripting within WinDbg much more intuitive than any of the previous attempts.

This presentation will specifically focus on the WinDbg Debugger Object Model and the JavaScript scripting interface for malware research by walking through the analysis of a rootkit driver used in a recent crypto mining campaign. The attendees will be able to see the new scripting interface in action and return to their own research with a few new WinDbg scripting tricks in their pockets.

Bio:
Vanja Svajcer works as a Technical Leader for Cisco Talos. He is a security researcher with more than 20 years of experience in malware research and detection development. Prior to joining Talos, Vanja worked as a principal researcher for SophosLabs and led a Security Research Team at Hewlett Packard Enterprise. Vanja enjoys tinkering with automated analysis systems, reversing binaries and Android malware. He often attempts, and successfully manages, to present at security-related conferences such as Virus Bulletin, AVAR, BalcCon, FSec, Infosec, RSA and others.

Video/recordings:

[Slides (PDF)] [Recording (MP4)]

Level: Technical

Abstract:
This talk will present a security investigation of popular IoT devices, aka smart/connected lightbulbs. It will introduce what a smart light bulb is, why it is interesting to look into it and why people should think twice before installing these devices at home. Four manufacturers were hacked during the last months (Xiaomi, Lifx, Wiz, and Tuya). All the results will be presented.

Keywords: IoT security, hardware hacking, reverse…

Bio:
@LimitedResults – Offensive side, hardware hacker. Not a big talker/writer. No Affiliation. More hack to come…always

Level: Technical

Abstract:
Everyone is talking about common classes of bugs: SQL injection, XSS, CSRF, IDOR, etc. But, as with all things in life, there are more, fancier things that true bug connoisseurs love. This talk will show some nice deserialization and request forgery tricks. So if you want to expand your application security knowledge for either offensive or defensive purposes, this might be the talk for you.

Bio:
Tonimir Kisasondi is the Founder of Oru, a boutique information security consultancy from Varazdin, Croatia. He finished his Ph.D. in the area of cryptanalysis at the Faculty of Organization and Informatics, University of Zagreb. On the industry side, for the last 10 years he has specialized in helping software, IoT and distributed systems companies from the EU and US build secure products from the design to the production stage. His professional and research areas of interest are security architecture, application security, security testing & analysis and applied cryptography.

Video/recordings:

[Slides (PDF)] [Recording (MP4)]

Level: Technical

Abstract:
Mimikatz is a hacking tool that showed up in almost all significant IT incidents of the last few years. We all know it, although fewer of us know how it really works. In my presentation, I would like to share the Mimikatz story, how Benjamin Delpy kept developing it year by year, and how the developers at Microsoft tried to harden the OS. I will show the working mechanisms of Windows' main protections and how Mimikatz bypasses them. I would also like to share my concept of how an enterprise defender can harden the environment in order to limit the efficiency of Mimikatz users in the network.

Bio:
Sandor Feher is an IT security enthusiast who started his career in IT security almost 15 years ago and by now has high-level experience in many different fields. His areas of expertise include digital forensics and data recovery, malware analysis, incident response, penetration testing, and blue and red teaming. He started his career in the governmental sector and then moved to the private one, most recently establishing a Hungarian IT security startup called White Hat IT Security. He holds several IT security certifications, including CISM, OSCP, OSCE and OSWP. In his spare time he is a visiting lecturer at Obuda University, Budapest.

Level: Technical

Abstract:
This talk will guide you through some simple steps that will improve the security of your IIS (Microsoft Internet Information Services). We will talk about one of the most common hacking methods, called "spray and pray", which affects every website: where the attackers come from, how to detect them and how to protect ourselves.

Bio:
The speaker is Thomas Ellegaard from Denmark. Born in 1968, he got his first computer (a ZX Spectrum) in 1984 and has been addicted to programming ever since. In 1992 he started his own IT company, which is still in business. His interest in security has been growing for the last 10 years and is a vital part of the programming done in his company.

Video/recordings:

[Slides (PDF)] [Recording (MP4)]