BruCON 0x0B has ended
Thursday, October 10

08:30 CEST

Registration & Breakfast
Thursday October 10, 2019 08:30 - 10:00 CEST
00. Lounge University

09:45 CEST

BruCON Opening
Thursday October 10, 2019 09:45 - 10:00 CEST
01. Westvleteren University

10:00 CEST

Why isn't infosec working? Did you turn it off and back on again?
My name is Rob Fuller, I've been around a bit, not as long as some but longer than others. From the US military to government contracting, consulting, large companies, tiny startups and silicon valley behemoths, from podcasting to television, I've had a storied and humbling career in infosec. Let’s get past complaining about blinky lights and users. Let’s talk about what actually works and what doesn't.

Rob Fuller

Rob has over 14 years of experience covering all facets of information security. He has been behind the lines helping to design, build, and defend the US Marine Corps, US Senate, and Pentagon networks - as well as performing penetration tests and Red Team assessments against those...

Thursday October 10, 2019 10:00 - 11:00 CEST
01. Westvleteren University

10:00 CEST

ICS and IoT Village
Thursday October 10, 2019 10:00 - 19:00 CEST
02. Westmalle University

10:30 CEST

Beautifying Binaries
Limited Capacity filling up

Analyzing a binary or firmware often starts from a more or less blank page of assembly code. Decompilers such as the Hex-Rays or Ghidra decompilers can make assembly code more readable, but if symbol information such as function names, user-defined structures or class information is missing, it can still be a mess to work through.

Enriching your project with symbol information is a lot of work, but in the end it can make the difference in successfully achieving your reversing/bug-finding goals.

Within this workshop I will present various approaches and open source tools to add symbol information to a real-world firmware, and then train attendees to use them inside a prebuilt virtual machine.

Benedikt Schmotzle

After having worked in the infosec field for many years, Benedikt is currently employed as an offensive security researcher for a small German firm. He likes to figure out easier ways to tackle hard problems, which he also enjoys doing while rock climbing.

Thursday October 10, 2019 10:30 - 12:30 CEST
03. Chimay Novotel

10:30 CEST

Elastic Stack for Security Monitoring in a Nutshell
Limited Capacity full

Elastic Stack is one of the most commonly used open source data analysis and management platforms today. It quickly became popular among security professionals too, and it is also the building block of many open source and commercial SIEMs. Elastic Stack is designed for speed and ease of use; it indexes data as it is ingested (write once read many, or "WORM", storage) and it is extremely scalable and powerful, making ad-hoc queries and real-time visualization very easy.

The components in the Elastic Stack are designed to be used together and releases are synchronized to simplify the installation and upgrade process. The stack consists of:
- Beats, which is the platform for single-purpose data shippers;
- Logstash, which is a server-side data processing pipeline that ingests data from multiple sources, transforms it, and then sends it to one or more outputs ("stash");
- Elasticsearch, which is a distributed, RESTful search and analytics engine;
- Kibana, which lets users visualize data with charts, graphs, and dashboards.

During this two-hour workshop, we will see how to use Elastic Stack for security monitoring and cover the following topics:
- Beats (filebeat, winlogbeat, auditbeat, etc.)
- Logstash (input, filter, and output plugins)
- Elasticsearch (cluster, node, index, shard, mapping, search, aggregation, etc.)
- Kibana (index patterns, searches, visualizations, dashboards, etc.)
- Elastic Stack Alerting and Security (X-Pack, ElastAlert, Search Guard, ReadonlyREST, etc.)

Technical requirements for the workshop:
- A laptop with at least 8 GB of RAM and 30-50 GB of free disk space;
- VMware Workstation, VMware Fusion or VMware Player installed.

David Szili

David Szili is managing partner and CTO of Alzette Information Security, a consulting company based in Luxembourg. David is also an instructor at SANS Institute, teaching FOR572: Advanced Network Forensics. He has more than eight years of professional experience in penetration testing...

Eva Szilagyi

Eva Szilagyi is managing partner and CEO of Alzette Information Security, a consulting company based in Luxembourg. She has more than eight years of professional experience in penetration testing, security source code review, vulnerability management, digital forensics, IT auditing...

Thursday October 10, 2019 10:30 - 12:30 CEST
05. La Trappe Novotel

10:30 CEST

Malicious RTF Document Analysis
Limited Capacity full

Rich Text Format (RTF) documents are also used to deliver a malicious payload. Unlike Word documents, they can not contain VBA macros. To achieve code execution, malware authors have to exploit vulnerabilities, or social engineer the recipient into executing an embedded payload.

Microsoft Equation Editor vulnerabilities are being widely exploited, and this is reflected in the increased popularity of the RTF format with malware authors.

The RTF format also lends itself to many obfuscation tricks, making the task of the analyst much harder.

In this workshop, Didier Stevens will teach you analysis of malicious RTF documents in his typical workshop style: this means hands-on, many exercises, and just a few slides.

Didier Stevens

Didier Stevens (Microsoft MVP Consumer Security, SANS ISC Handler, Wireshark Certified Network Analyst, ...) is a Senior Analyst working at NVISO (https://www.nviso.be). Didier has developed and published more than 100 tools, several of them popular in the security community. You...

Thursday October 10, 2019 10:30 - 12:30 CEST
04. Orval Novotel

11:00 CEST

Security transition from 4G to 5G: are we secure enough?
5G raises the security bar a level above 4G. Although IMSI exposure is prevented in 5G, we found new vulnerabilities to attack devices and subscribers.

In this talk we expose a set of vulnerabilities in the 5G/4G protocols that are found in network operators equipment and also consumer devices such as phones, routers, latest IoT sensors, and even car modems. Our vulnerabilities affect several commercial applications and use cases that are active in 4G networks and are expected to take off in 5G networks.

We developed automated tools to exploit the exposed cellular information and share some of our research traces and data sets to the community. We demonstrate a new class of hijacking, bidding down and battery draining attacks using low cost hardware and software tools.

We did rigorous testing worldwide to estimate the number of affected base stations and were surprised by the results. Finally, our interactions with various vendors and standards bodies, and easy fixes to prevent our attacks, are discussed.

Altaf Shaik

Altaf Shaik is a principal security researcher at Kaitiaki Labs and currently pursuing a PhD at the Technical University of Berlin. He is experienced in analyzing cellular network technologies from radio to networking protocol layers. His recent renowned research includes low-cost 4G...

Ravishankar Borgaonkar

Dr. Ravishankar Borgaonkar works as a research scientist at Sintef Digital and undertakes research in securing next generation digital communication. His primary research themes are related to mobile telecommunication and involved security threats. This ranges from 2G/3G/4G/5G network...

Thursday October 10, 2019 11:00 - 12:00 CEST
01. Westvleteren University

12:00 CEST

A hacker's view of the upcoming ISO/SAE 21434
ISO/SAE 21434 "Road vehicles – Cybersecurity engineering"

The automotive industry is currently working with the ISO and SAE standardization bodies to make a standard for automotive cyber security, expected to be released in 2020. After all, simply putting sometimes numerous wireless connectivity devices (e.g., GSM/3G/LTE, bluetooth, tire pressure sensors, ...) into a vehicle has again and again turned out to be a playground for attackers, and can haunt both customers and manufacturers in the long run.

This talk will give an overview of the key elements in the draft, and how they play together to minimize the risk of getting pwned while driving 250 km/h on the Autobahn. I will focus on the technical mechanisms as the point-of-view, and how they are usually embodied in a modern car. This will include signed software updates, authenticated CAN bus messages and secure gateways, just to name a few.

Martin Schmiedecker

Martin Schmiedecker works as a security consultant during the day, teaches lectures at TU Wien on security & privacy by night. Court certified expert witness, and member of @c3wien. @Fr333k on Twitter.

Thursday October 10, 2019 12:00 - 13:00 CEST
01. Westvleteren University

13:00 CEST

Thursday October 10, 2019 13:00 - 14:00 CEST
00. Lounge University

13:30 CEST

Hands on BloodHound - Intro to Cypher
Limited Capacity full

BloodHound is an open-source Active Directory object relationship graphing tool.
Initially designed for offensive purposes, it has lately become a tool of choice for defenders as well as regular admins wanting a clearer picture of their domains/forests.
In this session, attendees will learn the core BloodHound concepts and UI navigation, before diving into Cypher - the Neo4j database query language.

Understanding the basic Cypher syntax is important for users who want to start writing custom queries, including 'metric' queries that cannot be performed in the UI.

Various Cypher input techniques will be demonstrated, as well as a custom PowerShell tool built to interact with the BloodHound database.

## What is BloodHound?
- Intro to BloodHound & relational databases
- BloodHound node types and relationships
- SharpHound: harvesting and ingesting AD data
- Initial setup & sample DB
- Self discovery & UI secrets

## What is Cypher?
- Intro to the Neo4j Cypher language
- BloodHound Cypher 101
- Custom Cypher queries (UI/Browser)
- Cypher over REST API
- Manipulating the BH DB with Cypher
- Advanced Neo4j syntax tricks
- Pulling AD metrics from the BH DB
- Tool demo: CypherDog


Thursday October 10, 2019 13:30 - 17:00 CEST
06. Rochefort Novotel

13:30 CEST

Active Directory security: 8 (very) low hanging fruits and how to smash those attack paths
Limited Capacity filling up

Welcome to PacFirm, the most insecure network ever: we have a very large Active Directory environment and we do no security at all. So far, no ghost has ever hacked our corporate network (at least we hope), but our new CISO requires us to perform a security assessment.

Your mission, should you choose to accept it, is to evaluate our security level and fix the issues.

In this fully hands-on workshop, we'll guide you through 8 of the lowest-hanging-fruit weaknesses that we witnessed during numerous penetration tests. You'll learn how to:

- Spot passwords inside user descriptions
- Find passwords on shared folders
- Spray passwords over accounts
- Quickly detect obsolete workstations and servers
- Get free password hashes by kerberoasting
- Pivot from machine to machine by reusing local credentials
- Spot machines where Domain Admins are connected
- Retrieve Domain Admins credentials in memory

Crackmapexec, Powerview, Rubeus, Mimikatz will be your best friends during this workshop.

Hands-on exercises will be performed on our lab environment with more than twenty virtual machines. For each attack, we will also discuss mitigation techniques.

This training is aimed at sysadmins or security professionals willing to start with Active Directory security and hands-on sessions. There is no specific requirement for attendees except a basic IS and infosec culture.

All attendees will need to bring a laptop capable of running virtual machines (4GB of RAM is a minimum) and an up-to-date RDP client. Each attendee will be given a USB key with a Windows virtual machine with the necessary pentesting tools to perform the lab sessions.

Remi Escourrou

Rémi Escourrou (@remiescourrou) and Nicolas Daubresse (@nicolas_dbresse) are security consultants at Wavestone. For 4 years, they have been developing their skills as pentesters of IT infrastructure and more specifically of Active Directory environments. They are also involved in...

Nicolas Daubresse

Rémi Escourrou (@remiescourrou) and Nicolas Daubresse (@nicolas_dbresse) are security consultants at Wavestone. For 4 years, they have been developing their skills as pentesters of IT infrastructure and more specifically of Active Directory environments. They are also involved in...

Thursday October 10, 2019 13:30 - 17:30 CEST
05. La Trappe Novotel

13:30 CEST

Malware Triage - Analyzing The Modern Malware Delivery Chain
Limited Capacity full

Sergei Frankoff

Twitter: @herrcore YouTube: https://www.youtube.com/oalabs Sergei is a co-founder of Open Analysis, and volunteers as a malware researcher. When he is not reverse engineering malware Sergei is focused on building automation tools for malware analysis. Sergei is a strong...

Sean Wilson

Twitter: @seanmw YouTube: https://www.youtube.com/oalabs Sean is a co-founder of Open Analysis, and volunteers as a malware researcher. He splits his time between reverse engineering malware and building automation tools for incident response. He is an active contributor...

Thursday October 10, 2019 13:30 - 17:30 CEST
04. Orval Novotel

13:30 CEST

Offensive Whiteboard Hacking for Penetration Testers
Limited Capacity full

In this 4h workshop we will teach you how to use threat modeling as an offensive weapon. Traditional threat modeling looks at the attacker, the asset and the system.

With offensive threat modeling we look at the defender to understand his tactics and expose weaknesses.
The workshop uses a real-world use case provided by Toreon.

The students will be challenged to perform practical threat modeling in groups of 3 to 4 people covering the different stages of offensive threat modeling. They will analyse the weaknesses of an Internet of Things (IoT) smart home deployment. This will enable the student to better perform a penetration test, red team engagement or bug bounty.

Sebastien Deleersnyder

Seba Deleersnyder is co-founder, CEO of Toreon and a proponent of application security as a holistic endeavor. He started the Belgian OWASP chapter, was a member of the OWASP Foundation Board and performed several public presentations on Application Security. Seba also co-organized...

Steven Wierckx

Steven Wierckx is a software and security tester with 15 years of experience in programming, security testing, source code review, test automation, functional and technical analysis, development, and database design. Steven shares his passion for web application security through writing...

Thursday October 10, 2019 13:30 - 17:30 CEST
03. Chimay Novotel

14:00 CEST

Cloud SIEM: What happened and what’s next?
The successful fusion of cloud native SIEM and AI is a watershed moment in cybersecurity that many are yet to fully grasp. For those organizations tainted by past on-premise SIEM experiences and burdened by promises unfulfilled, cloud SIEM ushers in the dream of real-time threat discovery and mitigation at a cost both the CFO and CISO find compelling.

Cloud SIEM is a watershed moment not because of the realization of its integrated technologies, but for the changes it will effect on operational security teams and risk management processes far into the future.
Being able to preemptively identify and categorize an attack in motion before it escalates, and being able to proactively disarm or neuter that attack before it evolves into a viable threat, is well within the grasp of first-generation cloud SIEM. What happens next for cloud SIEM?

This session examines the role of “Threat Hunters” and security analysts when incident identification and response becomes just another API, how SecDevOps will embrace cloud SIEM and spearhead threat response, where and when AI will inevitably have to cede expertise to in-house experts, and how an ROI for enterprise security just landed on the CISO’s lap.

Gunter Ollmann

Gunter Ollmann serves as Chief Security Officer (CSO) and helps drive the cross-pillar strategy for the Cloud and AI Security groups at Microsoft. He has over three decades of information security experience in an array of cyber security consulting and research roles. Before joining...

Thursday October 10, 2019 14:00 - 15:00 CEST
01. Westvleteren University

14:00 CEST

Securing ICS Systems – OT vs IT
The aim of this presentation is to discuss how Operational Technology (OT) differs from Information Technology (IT), how this should affect any approach to testing the security of OT systems, and what impact applying a traditional penetration testing model to an OT system is likely to have.

For example, the security of an IT system centers on the protection of data from observation, alteration or deletion. In OT, however, the key security principles lean more towards ensuring the reliability and safety of the system. This shift in priorities needs to result in a completely different approach to security assessment, not simply because of the potential impact of downtime on a given system, but because the priorities of the test are completely different. A simple adaptation of a typical IT testing methodology isn't enough. For this reason, security testing of OT systems provides a growth area for specialized companies, as they are frequently the most able to make the shift away from a dedicated IT testing methodology.

In addition to the difference in the core concerns of stakeholders between OT and IT systems, the security community also needs to acknowledge that the threat actors in play, and their methods and resources, are going to differ vastly. This needs to be considered in conjunction with a realistic view of what security measures should and could be implemented on OT systems; in a system where downtime potentially costs millions of pounds per minute, patching is never going to be considered a priority, and neither are time-consuming or complicated procedures which interfere with a user's ability to monitor the system in a potentially time-sensitive environment (such as two-factor authentication for operator login).

Without taking the above factors into consideration mistakes will be made by security professionals conducting security testing of OT systems. These may take the form of inadvertent downtime, costing the client in terms of money or even lives (depending on the target system), or may result in the actual security profile of the system being overlooked due to the focus remaining data-centric, as is standard with IT systems. While this presentation does not claim to have all the answers, the intention is to create methodology as a basis for discussion to help move the industry forward, resulting in a higher standard of testing and increased confidence in the security status of OT systems.

Katherine Abercrombie

I've been working in the Security Industry for nearly eight years, initially part-time alongside studying for a medical degree and then moving on to fulltime work when I decided to change to an MSc in Information Security at Royal Holloway. From there I started work in InfoSec writing...

Thursday October 10, 2019 14:00 - 15:00 CEST
02. Westmalle University

15:00 CEST

I'm unique, just like you: Human side-channels and their implications for security and privacy
Almost everything about us – our handwriting, DNA, faces, voices, fingerprints, even our eyes – can be used to distinguish us from the seven billion other people on the planet. These physical identifiers can allow law enforcement to trace back real-world crimes to offenders, and enable biometric authentication mechanisms. However, such identifiers are often irrelevant when it comes to attempting to track or disrupt threat actors.

In this talk, I will discuss, explore, and explain identifiers which are unintentional, non-physical, and generated as a result of human behaviours and activities, but which can still be used to uniquely identify and/or track individual users in the digital realm. I call these identifiers "human side-channels", and will explore how they work; how they can be used for both attack and defence; and how they can be countered.

I'll examine three human side-channels in particular: forensic linguistics; behavioural signatures; and cultural references. I will start by exploring the theories underpinning these side-channels, which are rooted in personality psychology and the concepts of consistency and distinctiveness as a result of our unique experiences, training, and feedback. I'll then explore how they work; walk through case studies and examples/demos of using them practically in security contexts; and discuss how they could be practically applied to investigate and track threat actors, in situations ranging from hostile social media profiles to post-compromise exfiltration and privilege escalation.

I'll also examine the privacy implications of each technique, and how such characteristics – which are much harder to recognise, obfuscate, or spoof – could be used to erode privacy. I'll go into detail regarding possible countermeasures to disguise your own human side-channels, and I'll wrap up by outlining some ideas for future research in these areas.

Matt Wixey

Matt leads technical research for the PwC Cyber Security practice in the UK and is a PhD candidate at University College London. Prior to joining PwC, Matt led a technical R&D team for a law enforcement agency in the UK. His research interests include antivirus and sandboxing technologies...

Thursday October 10, 2019 15:00 - 16:00 CEST
01. Westvleteren University

16:00 CEST

Coffee Break
Thursday October 10, 2019 16:00 - 16:30 CEST
00. Lounge University

16:30 CEST

Catching WMI lateral movement in an enterprise network
SOC analysts face a tough job every day keeping their detection capabilities up with the latest vulnerabilities and threats.
What to start looking for? Where in the network? What about the risk of false positives? How frustrating if we missed an attack!

It's not just about catching the latest, though. Take Windows Management Instrumentation (WMI), for example. It has been built right into Windows for years and has become more and more prevalent among attackers. Many administrators and attackers love WMI.
Much can be found on its use; however, very little seems to be documented on how to detect it at the network level. We gave it a shot.

In this talk, we will give a quick overview of Windows Management Instrumentation (WMI), our first naive approach to detecting its usage, the challenges we faced, lessons learned and results.

Part of the results are custom IDS (Snort) fingerprints which, with some tweaking, could fit your environment. As a next step we would like to share them with you. So let's improve together!

Jaco Blokker

Educated as a chemical engineer, and having witnessed a huge explosion at a chemical plant on the last day of his internship 23 years ago, Blokker opted for a more secure life within KPN's ISP operational and development teams as system administrator and security officer. Six years...

Thursday October 10, 2019 16:30 - 17:30 CEST
01. Westvleteren University

16:30 CEST

New Protocol Findings, Engineers At Risk
One of the reasons industrial devices have been appearing in security news is the general lack of any security measures present on those devices.
A lot of vendors have no default security embedded in their protocols. This talk will take a look at one vendor that uses security from the start.
Tijl Deneut from the IC4 research group (ic4.be) will perform a short dive into a very famous industrial protocol called TwinCAT.
We will walk through the security measures and why they are not sufficient. We will end with a demo of pwning a *completely* up-to-date Windows engineering laptop.

Tijl Deneut

Tijl Deneut has over 5 years of experience in the IT security sector and is, amongst others, a Certified Ethical Hacker and an active EC-Council Certified Instructor. Tijl also teaches security classes at both the Howest University College and the Ghent University, where he also leads...

Thursday October 10, 2019 16:30 - 17:30 CEST
02. Westmalle University

17:30 CEST

Automated adversary emulation using Caldera
MITRE ATT&CK is quickly gaining traction and is becoming an important standard to use to assess the overall cyber security posture of an organization. Tools like ATT&CK Navigator and Caldera facilitate corporate adoption and allow for a holistic overview on attack techniques and how organizations are preventing and detecting them. Furthermore, many vendors, technologies and open-source initiatives are aligning with ATT&CK. Some more information on Caldera from the official documentation (https://github.com/mitre/caldera):

"CALDERA is an automated adversary emulation system that performs post-compromise adversarial behaviour within Windows Enterprise networks. It generates plans during operation using a planning system and a pre-configured adversary model based on the Adversarial Tactics, Techniques & Common Knowledge (ATT&CK™) project. These features allow CALDERA to dynamically operate over a set of systems using variable behaviour, which better represents how human adversaries perform operations than systems that follow prescribed sequences of actions."

MITRE recently released Caldera 2.0 (end of April 2019), which includes a larger focus on "extendibility". During this talk, we will leverage these features for maximum effect. We will highlight some interesting improvement opportunities in Caldera and we will focus on how we developed additional plugins & features. To make this a bit more concrete:

- How can we improve Caldera's reporting engine? (It's currently not possible to get an easy ATT&CK coverage report / deliverable out of the tool.) This is of great use if we want to increase usability of the tool and ATT&CK overall!
- How can we build additional plugins for MITRE Caldera to increase the ATT&CK coverage of the tool?
- How can we adapt Caldera to work around common security controls in place at organizations (e.g. Windows 10 security features such as ExploitGuard and AMSI, which hinder Caldera's PowerShell scripting)?

This talk will arm infosec professionals with the required skills to further extend their adversary emulation options without breaking the bank for a commercial tool! As our main focus is to increase Caldera adoption and help the community, we will also publicly release developed plugins!

We will go into the nitty-gritty details of our development efforts and will also include several technical demos that will help transfer knowledge to the audience and encourage their own development efforts!

Note that this is currently work-in-progress, thus the paper that was added to this submission covers what we set out to do, but not the full result. It is in fact the internal NVISO R&D charter that was approved to start our development activities.

It is worth mentioning that the task set out is feasible and we have already successfully adapted our own internal Caldera with additional functionality (e.g. the AMSI bypass was implemented). We are now working on further optimising, stabilising and documenting our work!

We will be able to provide additional details on our results and status around summer time.

Erik Van Buggenhout

Erik has built 10+ years of experience in cyber security topics. Initially focused on penetration testing and red teaming, he pivoted to the blue side of things a few years back. His current main focus is on adversary emulation, with the ultimate goal of improving how organisations...

Thursday October 10, 2019 17:30 - 18:30 CEST
01. Westvleteren University

19:00 CEST

Limited Capacity seats available

Are you just starting out in the InfoSec industry or in need of some good tips and tricks?

Then you HAVE to come to BruCON's third Mentor/Mentee Google Sponsored Program!

All details are in the booklet, check it out now!

Thursday October 10, 2019 19:00 - 21:00 CEST
Novotel

21:30 CEST

BruCON Party
Le Bateau, 1 Muinkkai, 9000 Gent

Thursday October 10, 2019 21:30 - 23:59 CEST
The Boat Le Bateau, 1 Muinkaai, 9000 Gent
Friday, October 11

07:30 CEST

Hacker Run (10K)
What better way is there to start the second conference day than running 10km with a bunch of hackers?

Put on your running shoes and join us at the entrance of the Novotel (workshop venue) on Friday at 7:30.

We’ll be back in time to freshen up and attend the first presentation of the day.

Word is that it’s also a good way to get rid of a hangover!

Friday October 11, 2019 07:30 - 08:30 CEST
Novotel

08:30 CEST

Registration & Breakfast
Friday October 11, 2019 08:30 - 10:00 CEST
00. Lounge University

10:00 CEST

It takes a village..
It takes a village... is a discussion about the challenges we face building security teams and strategies to alleviate our hiring bottlenecks. In a field riddled with unconscious bias, the community must work together to explore alternative recruiting strategies, expand hunting grounds for talent, and actively seek out folks with varied backgrounds and experiences who bring fresh perspectives to our projects and teams. Kimber will discuss mentorship programs and how to retain talent through professional development. She'll also provide some tips for jobseekers who've had a non-traditional path to security and ways to improve visibility and marketability to recruiters and potential employers. Whether searching for talent or seeking new opportunities, the landscape is rapidly changing and the security industry needs new approaches to recruiting and hiring if we're going to Secure All The Things™. 

Kimber Dowsett

Kimber Dowsett is the Director of Security Engineering at Truss, a software infrastructure consulting firm based out of San Francisco, California. She joined Truss after serving at 18F, an office of U.S. federal employees that collaborates with other agencies to improve how government...

Friday October 11, 2019 10:00 - 11:00 CEST
01. Westvleteren University

10:00 CEST

ICS and IoT Village
Friday October 11, 2019 10:00 - 18:00 CEST
02. Westmalle University

10:30 CEST

Digital Forensic Investigations with Tsurugi Linux
Limited Capacity full

During this workshop an introduction to the new Tsurugi Linux open source project will be given and several DFIR investigations will be performed.

Memory dumps, network behaviour, malware analysis, disk image investigations and much more will be covered in the time-slot.

Attendees need to download and install a Tsurugi Linux VM for this workshop. They can download the required files from: https://tsurugi-linux.org/downloads.php

Giovanni Rattaro

Giovanni is a senior cyber security expert and manager based in Paris, a former Italian BackTrack Linux ambassador/staff member and ex DEFT Linux developer, and is now the Tsurugi Linux core developer. A DFIR instructor in his free time, he has spoken at several security conferences and he is passionate...


Marco Giorgi

Marco is a digital forensics examiner and computer forensics analyst. A digital forensics expert with interests in mobile forensics, malware analysis, security and the deep/dark web, he teaches forensic trainings for law enforcement and professionals. Core team member of Tsurugi Linux and...

Friday October 11, 2019 10:30 - 12:30 CEST
04. Orval Novotel

10:30 CEST

Introduction to Osquery

Maintaining real-time insight into the current state of your endpoint infrastructure is crucial. It is very important from an operational, continuous security monitoring, and incident response perspective. Created by Facebook in 2014, osquery is an open-source instrumentation framework for the Windows, OS X (macOS), Linux, and FreeBSD operating systems.

Osquery exposes the operating system as a relational database and allows you to write SQL queries to explore system data. The generic SQL tables represent running processes, loaded kernel modules, open network connections, browser plugins, hardware events, file hashes, etc. These SQL tables are implemented via an easy-to-extend API; many tables already exist and more are being written. The main advantage of osquery is that it allows you to use one platform for monitoring complex operating system state across an entire infrastructure. It has a high-performance, low-footprint distributed host monitoring daemon, osqueryd, and an interactive query console, osqueryi.

During this two-hour workshop, we will learn about osquery's capabilities and cover the following topics:
- Osquery basics (installation, osqueryi, osqueryd, osquery schema);
- SQL refresher (SELECT, FROM, WHERE, LIKE, JOIN, etc.);
- Osquery configuration (flagfile, packs, schedule, logging, file integrity monitoring, etc.);
- Fleet management (Kolide Fleet, Doorman, SGT, etc.);
- Osquery extensions.

Technical requirements for the workshop:
- A laptop with at least 8 GB of RAM and 30-50 GB of free disk space;
- VMware Workstation, VMware Fusion or VMware Player installed.

David Szili

David Szili is managing partner and CTO of Alzette Information Security, a consulting company based in Luxembourg. David is also an instructor at SANS Institute, teaching FOR572: Advanced Network Forensics. He has more than eight years of professional experience in penetration testing...

Friday October 11, 2019 10:30 - 12:30 CEST
03. Chimay Novotel

10:30 CEST

Privilege Escalation in AWS

This workshop will help users with some AWS experience to understand how to exploit AWS IAM (Identity and Access Management) configuration weaknesses in order to obtain elevated privileges. During this hands-on workshop, we will cover:

- Overview of AWS security model and how IAM works
- How users, roles, groups and policies are used by organisations to give permissions to AWS resources
- Common security weaknesses and misconfigurations that could allow privilege escalation
- How to identify and exploit these weaknesses
- Tools and resources to assist with the process

Jay Kalsi

Jay Kalsi is a Principal Security Consultant at one of Asia Pacific's biggest financial organisations, who has focused on penetration testing of Cloud, Containerisation and Big Data deployments.

Friday October 11, 2019 10:30 - 13:30 CEST
05. La Trappe Novotel

11:00 CEST

Defeating Bluetooth Low Energy 5 PRNG for fun and jamming
Bluetooth Low Energy version 5 was published in late 2016, but we still have no sniffer supporting this specific version (and not that many compatible devices either). The problem is that this new version introduces a new channel hopping algorithm that renders previous sniffing tools useless, as devices can no longer be attacked and connections analyzed. This new algorithm is based on a brand new pseudo-random number generator (PRNG) to provide better collision avoidance while kicking out all of our good old sniffing tools.

Unless some random hacker manages to break this not-that-strong PRNG and upgrades his BLE sniffing tool to support this algorithm ;). In this talk, we will explain why this PRNG is vulnerable and how it can be easily defeated to sniff and jam communications between two BLE 5 devices. A new version of BtleJack will be released during this talk, providing an efficient way to sniff BLE 5 connections to our fellow IoT hacker family.

Damien Cauquil

Damien is a senior security researcher who joined Digital Security in 2015 as the head of research and development. He discovered how wireless protocols can be fun to hack and quickly developed BtleJuice, one of the first Bluetooth Low Energy MitM frameworks, and BtleJack, a BLE swiss-army...

Friday October 11, 2019 11:00 - 12:00 CEST
01. Westvleteren University

12:00 CEST

Weaknesses in WPA3's Dragonfly Handshake
Recently we discovered weaknesses in the Dragonfly handshake of WPA3. But how serious are these issues in practice? In this presentation we will explain the attacks we discovered, and discuss whether they pose a practical risk or not.

In our research, we analysed the security of WPA3. This certification aims to secure Wi-Fi networks, and provides several advantages over its predecessor WPA2, such as protection against offline dictionary attacks and forward secrecy. Unfortunately, we show that WPA3 is affected by several design flaws. Most prominently, we show that WPA3's Dragonfly handshake is affected by password partitioning attacks. These attacks resemble dictionary attacks and allow an adversary to recover the password by abusing timing or cache-based side-channel leaks. Our side-channel attacks target the protocol's password encoding method. The resulting attacks are efficient and low cost: brute-forcing all 8-character lowercase passwords requires less than $125 in Amazon EC2 instances. We also discuss backwards-compatible countermeasures against all attacks.

Although all attacks can be mitigated with software changes, our conclusion is that WPA3 does not meet the standards of a modern security protocol. Especially on devices with lightweight processors, vendors may not implement all the costly side-channel countermeasures. This would allow an adversary to perform dictionary attacks even when WPA3 is used.

Mathy Vanhoef

Mathy Vanhoef is a postdoctoral researcher at New York University Abu Dhabi. He is most well known for his KRACK attack against WPA2, and the RC4 NOMORE attack against RC4. His research interest is in computer security with a focus on network security, wireless security (e.g., Wi-Fi...

Friday October 11, 2019 12:00 - 13:00 CEST
01. Westvleteren University

13:00 CEST

Friday October 11, 2019 13:00 - 14:00 CEST
00. Lounge University

13:30 CEST

RFID Workshop

During this workshop we will discuss RFID implementations such as access cards and badges. We will start with some theory (about 20 minutes) describing different RFID-based products and security solutions and their inherent problems. To demonstrate the workings of RFID badges and dongles, each student will receive a package containing an Arduino clone, an RFID reader/writer and several badges to play around with.

We will help the students set up their environment and show them different ways to read and write RFID badges (13.56 MHz). Several exercises will be performed; each student will be able to try while we (myself and one colleague) help them out. For each exercise we will of course also provide a sample solution. These exercises are preceded by some extra theory so that each student understands what they are trying to achieve.

We are going to show demos using RFID shields (125 kHz and 13.56 MHz) with an Arduino and/or Raspberry Pi as well as at least one ready-made product to clone 13.56 MHz badges.

The exercises with the students will be on 13.56 MHz only, but we provide the hardware for them to use (they can keep this afterwards). We will first show them how to read the cards and then break any protection / encryption present and write a new card that can be used. For some exercises we will look at Salto locks, some custom implementations we have encountered during red teaming, and the ISO standards 14443 (on which MIFARE is built) and 15693 (on which the HID products are built). We will try to stay away from theory since that would take us too long. We planned to focus on MIFARE since that is what we encounter most, but since we operate mostly in Belgium this might be different for an international audience; in that case we are more than willing to change our focus.

Some of the exercises are:
- installing the development environment
- reading a badge
- writing data to a badge
- cloning a badge
- cracking a MIFARE implementation

Steven Wierckx

Steven Wierckx is a software and security tester with 15 years of experience in programming, security testing, source code review, test automation, functional and technical analysis, development, and database design. Steven shares his passion for web application security through writing...

Alexander Hensels

Alexander Hensels is a young Security Consultant with experience as a pentester for customers in the public and private sector. He performed external intrusion tests for hosting and managed service providers and has expertise in testing the security of IoT devices for an international...

Friday October 11, 2019 13:30 - 17:30 CEST
05. La Trappe Novotel

13:30 CEST


The workshop aims to make beginners aware of and comfortable with the various facets of Scapy and its real-world uses in various penetration testing tasks.

The workshop will flow as follows:
1. Scapy basics
2. TCP Basics
3. DHCP server
4. DHCP server flooder || DNS/MDNS
5. Crafting a layer using Scapy
6. Fuzzing protocols with Scapy
7. Covert channel using Scapy
8. Scapy-radio

Key takeaways for attendees:
- sending/receiving/displaying/modifying packets with Scapy
- implementing custom layers in Scapy
- implementing answering machines in Scapy
- constructing tools that implement some real-life examples
- simple fuzzing through Scapy and generators
- decoding live traffic with an implemented protocol

By working with Scapy, attendees will consequently learn:
- TCP basics
- DHCP/DNS/MDNS basics
- AJP13 protocol
- fuzzing
- Scapy-radio

A prebuilt VM containing all scripts and dependencies is provided.
A work-in-progress ISO can be found at:
(/root contains the install script. /src contains the scripts. The python-netaddr dependency needs to be installed manually with apt as of now.)

Rushikesh D. Nandedkar

Rushikesh is a security analyst. Having more than six years of experience under his belt, his assignments have always been pointed towards reducing the state of insecurity for information. His research papers were accepted at BruCON 2018, Blackhat Arsenal 2018, DEFCON 26, x33fcon...

Hugo Trovao

A researcher by passion, consultant by job, and a penetration tester by heart. Hugo finds himself at peace while poking holes in applications/networks/systems, while writing security tools tailored to the assessment's requirements and indeed while meditating.

Friday October 11, 2019 13:30 - 17:30 CEST
03. Chimay Novotel

13:30 CEST

Wavestone ICS pentesting workshop

ICS cybersecurity has been a new subject for years now, especially since Stuxnet. Has the security level of ICS improved?

Well, even if ICS are more and more interconnected, we can probably say yes for network segmentation, as well as patching. And it is mostly true for critical infrastructures that must comply with multiple laws around the world. But what about the most critical components such as PLCs?

In this workshop, you will learn how to attack PLCs, by attacking ICS protocols: a well-known legacy protocol, Modbus, as well as an open source protocol considered as the future of ICS communications, OPC-UA. And to do so, what could be better than giving you hands-on experience on real devices by hacking our model train?

We will start by defining industrial control systems and their main components, as well as explaining the key risks and vulnerabilities that affect them. We will then focus on their key assets, Programmable Logic Controllers (PLCs), and discover how they work, how they communicate and how they can be programmed, in order to learn the methods and tools you can use to p*wn them.

Then we will move on to the real world by attacking real PLCs from two major manufacturers on a dedicated setup featuring robot arms and a model train! And to conclude with probably the most difficult part, let's discuss how to secure ICS communications.

Prerequisites: A computer with 4 GB of RAM, 30 GB of disk space and VirtualBox. We will provide a Virtual Machine for attendees.

Antoine Guillot

Antoine Guillot is a consultant at Wavestone, where he conducts security audits, including on ICS environments. He worked on several PLCs to test their vulnerability and developed a dedicated tool to scan and interact with OPC-UA servers. In addition, he has carried out several risk...

Arnaud Soullié

Arnaud Soullié is a manager at Wavestone, performing security audits and leading R&D projects. He has a specific interest in Active Directory security as well as ICS, two subjects that tend to collide nowadays. He teaches ICS security and pentests workshops at security conferences...

Friday October 11, 2019 13:30 - 17:30 CEST
04. Orval Novotel

14:00 CEST

Incident response in the cloud: foggy with a ray of sunshine
Over the past few years we have seen organizations move part of, or even their entire, infrastructure to the cloud. With on-premise infrastructure it used to be clear that security needed to be taken care of by the organization itself. With cloud infrastructure there is quite some confusion about who takes care of which security controls. This confusion has led to several painful incident response cases where we were called in only to discover we hardly had any data to work with. In general, we observe 3 common problems with incident response in the cloud:

1. Lack of knowledge about the different logging options within cloud environments. What is enabled by default and what is not?
2. Increased response times due to the lack of visibility and security knowledge about the cloud environments.
3. Lack of resources available to respond to incidents: most organizations are not able to respond in time due to the limited number of people and tools.

This presentation consists of three key parts highlighting incident response challenges in the cloud, but also how we can purposely use what cloud providers offer us to improve our security operations.

The first section includes some key examples of what went wrong during incidents in cloud environments and lists some key challenges that we face as an incident response team to investigate security incidents in depth.

A second section of the presentation gives an overview of the critical logs that are required to do incident response. These logs and settings are mapped to the 2 main cloud providers: Amazon AWS and Microsoft Azure. This will allow you to understand which logs are there by default and which logs should be activated for incident response and forensic investigations.

A third section will introduce automated response by explaining a use case where a system gets infected and serverless code is executed to protect other systems and enable advanced analytics on the compromised system. This example is based on Microsoft Azure Security Center and Logic Apps to enforce actions in case a specific alert is triggered.

Jeroen Vandeleur

Jeroen is the security architecture team lead and incident manager at NVISO where he specializes in security architecture, cloud security, and continuous security monitoring. By using his pragmatic and analytical skills, Jeroen assists clients in solving day-to-day security issues...

Friday October 11, 2019 14:00 - 15:00 CEST
01. Westvleteren University

14:00 CEST

The Past and Future of Integrity-Based Attacks in ICS Environments
Industrial control system (ICS) attacks typically focus on immediate process disruption: turning off the power, shutting down a plant, or something similar. Yet an examination of the history and potential of ICS intrusions shows a far more worrisome attack vector: undermining the integrity (either via process accuracy or process safety) of an industrial environment. While not necessarily immediately evident, such an attack can produce significant impacts through undermining a physical process and calling into doubt the viability of a specific facility.

Historically, such attacks are not new, but instead encapsulate the very first known ICS-targeting malware: Stuxnet. Rather than seeking direct disruption, Stuxnet sought to undermine process integrity by altering the functionality of the plant in question while masking the effects from operators. Since that time, the industrial community initially faced a long period focused only on direct disruption, until the emergence of CRASHOVERRIDE in 2016 (whose integrity-impacting effects have not previously been discussed) and the safety-system-targeting TRISIS. Each of these sought in certain ways to undermine the very reliability of underlying processes to produce potentially disastrous outcomes.

This presentation will explore these historical examples while presenting potential attack scenarios for future integrity-based attacks. In doing so, attendees will learn more about the risk framework faced by ICS-operating organizations and unique defense and recovery requirements within these environments. This talk will conclude with recommendations for defense and recovery to mitigate against integrity-based attacks, while seeking to educate audiences on the unique risk posed by such events.

Joe Slowik

Joe Slowik currently hunts ICS adversaries for Dragos, pursuing threat activity groups through their malware, their communications, and any other observables available. In this role, Joe provides time-sensitive, actionable threat intelligence to enable ICS asset owners and defenders...

Friday October 11, 2019 14:00 - 15:00 CEST
02. Westmalle University

15:00 CEST

Atomic Threat Coverage: being Threat Centric
We will present our project — the Atomic Threat Coverage framework (https://github.com/krakow2600/atomic-threat-coverage), which allows automatically generating actionable analytics, designed to combat threats (based on the MITRE ATT&CK adversary model) from Detection, Response, Mitigation and Simulation perspectives. In this way Atomic Threat Coverage represents the core of a Security Operations Center, creating an analytics database with all entities mapped to all meaningful, actionable metrics, ready to use, ready to share and show to leadership, customers and colleagues.

There are plenty of decent projects that provide analytics (or functionality) to counter cyberthreats (Sigma, Atomic Red Team, MITRE CAR). All of them have one weakness — they exist in the vacuum of their own area. In reality everything is tightly connected: data for alerts doesn't come from nowhere, and generated alerts don't disappear into nowhere. Data collection, security systems administration, threat detection, incident response etc. are parts of a bigger and more comprehensive process which requires close collaboration of various departments.

Sometimes the problems of one function could be solved by the methods of another function in a cheaper, simpler and more efficient way. Most of the tasks cannot be solved by one function at all. Each function is based on the abilities and quality of the others. There is no efficient way to detect and respond to threats without proper data collection and enrichment. There is no efficient way to respond to threats without understanding which technologies/systems/measures could be used to block a specific threat. There is no reason to conduct a penetration test or Red Team exercise without understanding the abilities of the processes, systems and personnel to combat cyber threats. All of these require tight collaboration and mutual understanding between multiple departments.

In practice there are difficulties in collaboration due to:

- Absence of common threat model/classification, common terminology and language to describe threats
- Absence of a common understanding of goals
- Absence of simple and straightforward way to explain specific requirements
- Difference in competence level (from both depth and areas perspectives)

That's why we decided to create Atomic Threat Coverage — a project which connects different functions/processes under a unified Threat Centric methodology (Lockheed Martin Intelligence Driven Defense® aka MITRE Threat-based Security) and threat model (MITRE ATT&CK), and provides security teams with an efficient tool for collaboration on one main challenge — combating threats.

Daniil Yugoslavskiy

Daniil is responsible for Threat Detection in the Cindicator Security Operations Center (SOC) in Saint Petersburg, Russia. Before that, he was leading the Threat Detection team at Tieto SOC in the Czech Republic. Daniil spent more than six years in Practical Computer Security and Network Monitoring...

Mateusz Wydra

Mateusz is a former Threat Detection specialist and currently works as an Incident Responder in Tieto SOC in Krakow, Poland. Before Tieto, he was working for Cisco SOC as a Security Analyst. He holds GIAC Certified Forensic Analyst (GCFA) and CCNA Cyber Ops certifications and is a member...

Friday October 11, 2019 15:00 - 16:00 CEST
01. Westvleteren University

16:00 CEST

Coffee Break
Friday October 11, 2019 16:00 - 16:30 CEST
00. Lounge University

16:30 CEST

Internet-Scale analysis of AWS Cognito Security
This talk will show the results of an internet-scale analysis of the security of AWS Cognito configurations. During this research it was possible to identify 2500 identity pools, which were used to gain access to more than 13000 S3 buckets (which are not publicly exposed), 1200 DynamoDB tables and 1500 Lambda functions.

The talk starts with an introduction to the AWS Cognito service and how it can be configured by the developers to give end-users direct access to AWS resources such as S3 and DynamoDB. Access is restricted by IAM policies which are under the developer's control and, in many cases, do not follow the least privilege principle.

The configuration weakness is first explained step by step for a specific AWS account and Cognito identity pool using a series of demos; the same concepts are then automated to perform an internet-scale analysis of AWS Cognito configurations.

Because Cognito identity pool IDs are UUID4 values, it was necessary to download thousands of APKs from the Google Play store, decompile them and extract the identifiers. Other sources such as Common Crawl were also used to identify valid identifiers. The tools used to perform these tasks will be made public.

Each Cognito identity pool that was configured with an unauthenticated role was analyzed using an in-depth permission brute-force tool that identifies potential breaches of the least privilege principle.

The talk ends with recommendations for developers who want to configure the service in a secure manner, and an analysis of potential reasons for this widespread issue, such as poor documentation and examples on the AWS site.

Andres Riancho

Andrés Riancho is an application and cloud security expert who leads the open source w3af project, and provides high-quality security assessment services to companies around the world. In the research field, he identified new techniques which can be used to escalate privileges in...

Friday October 11, 2019 16:30 - 17:30 CEST
01. Westvleteren University

17:30 CEST

Tales from professional thieves
We will be bringing our combined decades of experience to teach the most common and effective physical security bypasses we use to enter commercial buildings, and combine every technique with a war story. The last ~20 minutes will just be our most enthralling stories from physical security engagements we've performed, including some hilarious failures and how we social-engineered our way out of them.

Dan McInerney

Dan McInerney is a senior pentester and security researcher, former BlackHat instructor and owner of a top 100 Python GitHub account stuffed with pentesting tools. Justin Wynn is a senior pentester and physical security expert who has broken into everything from heavily guarded...

Justin Wynn

Justin Wynn is a senior pentester and physical security expert who has broken into everything from heavily guarded New York skyscrapers to national bank headquarters as well as pioneered efforts in 3d printing working master keys.

Friday October 11, 2019 17:30 - 18:30 CEST
01. Westvleteren University

18:30 CEST

BruCON Closing
Friday October 11, 2019 18:30 - 18:45 CEST
01. Westvleteren University