{"$schema": "https://c3voc.de/schedule/schema.json", "generator": {"name": "pretalx", "version": "2026.1.1"}, "schedule": {"url": "https://pretalx.com/hack-lu-2023/schedule/", "version": "0.56", "base_url": "https://pretalx.com", "conference": {"acronym": "hack-lu-2023", "title": "hack.lu 2023", "start": "2023-10-16", "end": "2023-10-19", "daysCount": 4, "timeslot_duration": "00:05", "time_zone_name": "Europe/Luxembourg", "colors": {"primary": "#353535"}, "rooms": [{"name": "Salle Europe", "slug": "2462-salle-europe", "guid": "35387336-37c6-58b1-9a3d-ac1fd8440000", "description": "Main conference room", "capacity": 400}, {"name": "Vianden&Wiltz", "slug": "2466-viandenwiltz", "guid": "2853ced2-73b7-5174-a7a8-a912ba66bc94", "description": "Workshop room", "capacity": 60}, {"name": "Schengen 1 and 2", "slug": "2463-schengen-1-and-2", "guid": "571d569d-98a1-5b1b-8f38-4763cb023c8b", "description": "Workshop room", "capacity": 100}, {"name": "Echternach&Diekirch", "slug": "2464-echternachdiekirch", "guid": "c95aa59c-349d-5ec5-8e20-8d0460cb91e0", "description": "Workshop room", "capacity": 30}, {"name": "Hollenfels", "slug": "2465-hollenfels", "guid": "88018140-88fe-5962-ae2a-edaee5881455", "description": "Workshop room", "capacity": 100}], "tracks": [{"name": "cti-summit", "slug": "3687-cti-summit", "color": "#2071D0"}, {"name": "hack.lu", "slug": "3688-hacklu", "color": "#D52E2E"}, {"name": "hack.lu lightning talk", "slug": "4048-hacklu-lightning-talk", "color": "#8F8A1D"}, {"name": "cti-summit lightning talk", "slug": "4049-cti-summit-lightning-talk", "color": "#9F7E7E"}], "days": [{"index": 1, "date": "2023-10-16", "day_start": "2023-10-16T04:00:00+02:00", "day_end": "2023-10-17T03:59:00+02:00", "rooms": {"Salle Europe": [{"guid": "a415b306-a566-512c-a46c-0c7c38889236", "code": "H9HAEZ", "id": 31201, "logo": "https://pretalx.com/media/hack-lu-2023/submissions/H9HAEZ/Sbud_v4_preview_ZapIMue.png", "date": "2023-10-16T11:00:00+02:00", "start": "11:00", "duration": 
"00:30", "room": "Salle Europe", "slug": "hack-lu-2023-31201-sbud-infovis-in-infosec", "url": "https://pretalx.com/hack-lu-2023/talk/H9HAEZ/", "title": "Sbud: infovis in infosec", "subtitle": "", "track": "cti-summit", "type": "Talk", "language": "en", "abstract": "Visualisations in Infosec tend to be moonshots: shiny but mostly one-shots.\nWhat about something simpler, but useful on a daily basis ?", "description": "Have you ever taken the screenshot of a hex viewer or a text editor, then you wanted to add annotations, highlights, descriptions?\nEver tried to update someone else's visualisation?\n\nSbud is a set of visualisation renderers driven by text.\nOffline, no framework, no dependency. Themes and fonts are supported. MIT licence.\nSave as SVG, PDF, PNG... Text is kept, still selectable, still updatable.", "recording_license": "", "do_not_record": false, "persons": [{"code": "QAMB7A", "name": "Ange Albertini", "avatar": "https://pretalx.com/media/avatars/QAMB7A_jxJSOM4.webp", "biography": "Ange is mostly known for his weird files: extreme, ambiguous, polyglots, hash collisions...\nReverse engineer since the 80s, malware analyst professionally since 2005, \nhe is currently an infosec engineer in the Mandiant Flare team at Google.", "public_name": "Ange Albertini", "guid": "edf8835c-23bc-5e29-a8cf-23a7b45bdd53", "url": "https://pretalx.com/hack-lu-2023/speaker/QAMB7A/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/H9HAEZ/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/H9HAEZ/", "attachments": []}, {"guid": "c8f286fa-1026-57ef-99fb-6778bfddcd87", "code": "XZPCVE", "id": 36588, "logo": null, "date": "2023-10-16T11:30:00+02:00", "start": "11:30", "duration": "00:20", "room": "Salle Europe", "slug": "hack-lu-2023-36588-detecting-vpns-proxies-by-analyzing-their-attack-patterns-over-time", "url": "https://pretalx.com/hack-lu-2023/talk/XZPCVE/", "title": "Detecting VPNs/proxies by analyzing their attack patterns over time", 
"subtitle": "", "track": "cti-summit", "type": "Talk", "language": "en", "abstract": "At Crowdsec we receive a lot of signals of users detecting attacks using our open source intrusion prevention system. We used these signals to detect whether attackers are behind anonymization services such as proxies or VPNs. We show that by monitoring changes in attack behavior over time we can reliably detect proxies and VPNs and use this data to improve our threat intelligence.", "description": "Crowdsec is an open source intrusion detection system which uses a crowdsourcing approach to collect threat intelligence from the community and to return a distilled version of the resulting data as an ip blocklist that is relevant and up to date to the community. \nRecently, we have started improving our threat intelligence by enriching it with various additional information on malicious ips. One of these projects involved setting up a machine learning system that detects whether a given attacker is using an anonymization service such as a proxy or a vpn. In this talk we show:\n* How we define attack patterns for each ip\n* How we monitor the evolution of attack patterns over time and how we can use this to detect anonymization.  \n\nWe also present other findings that we discovered on the way and hope that our results could help threat researchers even if they don't have access to data as exhaustive as the crowdsec CTI.", "recording_license": "", "do_not_record": false, "persons": [{"code": "9UABYJ", "name": "Emanuel Seemann", "avatar": "https://pretalx.com/media/avatars/9UABYJ_igzIbNt.webp", "biography": "My name is Emanuel Seemann and I have been working as a Data Scientist at Crowdsec since 2022.\nI have a degree in pure mathematics from ETH Z\u00fcrich and got into programming by writing minecraft mods as a kid. Since then I have been hacking away at various coding projects in a variety of different languages. 
When I'm not behind my computer you can sometimes find me on the lake in a sailing boat.", "public_name": "Emanuel Seemann", "guid": "92e46203-49d8-5ec9-aff9-c50671cfda0a", "url": "https://pretalx.com/hack-lu-2023/speaker/9UABYJ/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/XZPCVE/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/XZPCVE/", "attachments": []}, {"guid": "2d538ca4-75c1-5ef5-a236-d65b2ee4303e", "code": "PUXBQ8", "id": 36252, "logo": null, "date": "2023-10-16T11:50:00+02:00", "start": "11:50", "duration": "00:30", "room": "Salle Europe", "slug": "hack-lu-2023-36252-sboms-are-they-a-threat-or-a-menace", "url": "https://pretalx.com/hack-lu-2023/talk/PUXBQ8/", "title": "SBOMs: are they a threat or a menace?", "subtitle": "", "track": "cti-summit", "type": "Talk", "language": "en", "abstract": "If you have not noticed the hype about SBOMs (Software Bill of Materials) you must have been living in a cave. They have been touted as the next best thing after sliced bread and the cure-it-all to all our security problems of the past many years. Join me to break through the hype and review the good, the bad and the ugly and determine if, how and when they may be useful and when not.", "description": "SBOMs are discussed everywhere. What are they? How do you create one (using open source tools of course)? What do you do with one if you have it? How to break through the hype and ensure that they contain useful data? How can you use these for red team and blue team ops support? \n\nI am a co-founder of SPDX, an active contributor to CycloneDX and the creator of Package URL (PURL) which is a standard to identify packages in these SBOMs as well as VEX (Vulnerability Exploitability Exchange) specs such as CSAF and OpenVex. PURLs are also used by many SCA tools and vulnerability databases as the key id to search for package vulnerabilities.\n\nI am unwillingly part of the hype around SBOM, yet I am also uniquely positioned to deliver a constructive critique and help you cut through this hype so you get the essential inside information to decide what to do with SBOMs (or do nothing!)", "recording_license": "", "do_not_record": false, "persons": [{"code": "JLACEF", "name": "Philippe Ombredanne", "avatar": "https://pretalx.com/media/avatars/JLACEF_BXUgb9X.webp", "biography": "I am a passionate FOSS hacker, lead maintainer of ScanCode, purlDB and VulnerableCode and on a mission to enable easier and safer reuse of FOSS code with best-in-class open source Software Composition Analysis (SCA) tools for open source discovery, license & security compliance at https://aboutcode.org\n\nI am also a co-founder of SPDX and the creator of Package URL (purl), a de-facto standard to identify packages in SBOMs, SCA tools and vulnerability databases used throughout the industry.", "public_name": "Philippe Ombredanne", "guid": "895d664f-7b0d-5f0d-8aa7-9089acbdc41c", "url": "https://pretalx.com/hack-lu-2023/speaker/JLACEF/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/PUXBQ8/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/PUXBQ8/", "attachments": [{"title": "Slide presentation", "url": "/media/hack-lu-2023/submissions/PUXBQ8/resources/hack.lu-CTI-SBOM-threat-or-menace-2023-10-16-s_E5IB58L.pdf", "type": "related"}]}, {"guid": "a7a672fe-48b3-5936-a154-77fb48f30d9a", "code": "RMTECU", "id": 37928, "logo": null, "date": "2023-10-16T14:00:00+02:00", "start": "14:00", "duration": "00:05", "room": "Salle Europe", "slug": "hack-lu-2023-37928-token-smart-contract-analyzer", "url": "https://pretalx.com/hack-lu-2023/talk/RMTECU/", "title": "Token Smart Contract Analyzer", "subtitle": "", "track": "cti-summit lightning talk", "type": "Lightning talk", "language": "en", 
"abstract": "A Tool to Detect Fraudulent Token Contracts on Ethereum Blockchain", "description": "Smart contracts have demonstrated new ways to manage and trade digital assets, conduct financial transactions, and transform business processes. Several concepts have emerged to enable investors to own or trade digital assets. Trading platforms relying entirely on decentralization, known as decentralized exchanges, allow unrestricted financial transactions to exchange digital assets. Beyond the opportunities offered, using the decentralized environment remains complex to understand by most of its users, consequently giving adversaries opportunities to benefit from investors based on scamming schemes. The cryptocurrency market is damaged by malicious actors that aim to drain investor funds via scamming token smart contracts. This research paper initially highlights related problems with fraudulent token contracts. Further, it proposes a solution for identifying several fraudulent schemes in the crypto ecosystem via a dynamic algorithmic solution supported by the SC Analyzer tool based on real-time data.", "recording_license": "", "do_not_record": false, "persons": [{"code": "7LSVCM", "name": "TGrandjean", "avatar": null, "biography": "https://www.linkedin.com/in/thierrygrandjean/", "public_name": "TGrandjean", "guid": "81f32b9e-2aa7-57dc-9ccf-8f35ff373d7f", "url": "https://pretalx.com/hack-lu-2023/speaker/7LSVCM/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/RMTECU/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/RMTECU/", "attachments": []}, {"guid": "d588d684-fe68-5dc3-850b-1acb91c3e7fb", "code": "7WUYKM", "id": 38140, "logo": null, "date": "2023-10-16T14:05:00+02:00", "start": "14:05", "duration": "00:05", "room": "Salle Europe", "slug": "hack-lu-2023-38140-cloaking-malicious-web-content-delivery", "url": "https://pretalx.com/hack-lu-2023/talk/7WUYKM/", "title": "Cloaking malicious web content delivery", "subtitle": "", "track": "cti-summit lightning talk", "type": "Lightning talk", "language": "en", "abstract": "Website cloaking is a technique that enables websites to deliver different content to different clients, with the goal of hiding particular content from certain clients. Website cloaking is based on client detection, which is achieved via browser fingerprinting. In an attempt to hide their malicious web pages from detection, cyber criminals (can) use cloaking. They use vulnerability detection to only target clients that seem vulnerable. On top of that, they (can) also provide benign content in case they suspect someone or something is trying to detect them. 
In this talk I quickly go over what cloaking is, how it works, and why I think it deserves some more attention from the cyber community.", "description": "Very short introduction into browser fingerprinting, cloaking and CTI related to it.", "recording_license": "", "do_not_record": false, "persons": [{"code": "EZTTJY", "name": "Jeroen Pinoy", "avatar": null, "biography": "I am a computer scientist with a background in software testing (automation), incident handling and threat intelligence sharing.", "public_name": "Jeroen Pinoy", "guid": "6d0e382e-8f94-50ac-a0f3-5f576fc4c2fa", "url": "https://pretalx.com/hack-lu-2023/speaker/EZTTJY/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/7WUYKM/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/7WUYKM/", "attachments": []}, {"guid": "cc3ee821-171e-51ef-a672-fc5fd832b285", "code": "MNCC3H", "id": 38158, "logo": null, "date": "2023-10-16T14:10:00+02:00", "start": "14:10", "duration": "00:05", "room": "Salle Europe", "slug": "hack-lu-2023-38158-the-composition-analysis-of-binary-java-elf-go-and-javascript-apps", "url": "https://pretalx.com/hack-lu-2023/talk/MNCC3H/", "title": "The composition analysis of binary Java, ELF, Go, and JavaScript apps", "subtitle": "", "track": "cti-summit lightning talk", "type": "Lightning talk", "language": "en", "abstract": "The composition binary analysis of apps and libraries can be a complex thing mixing multiple techniques. 
Let's review the techniques and FOSS tools to automate this analysis for binary formats such as bytecode, native Go and C/C++ ELFs and minified JavaScript.", "description": "I routinely analyze large app and system binaries to find out what they are made of and if they contain unknown software or vulnerable code.\n\nI will highlight some useful FOSS tools such as Lief, BANG, ScanCode.io and ELF inspector tools to support this short talk.\n\nJoin me to discover how you can determine what software goes into a binary to get back to its corresponding source (in a white box context).", "recording_license": "", "do_not_record": false, "persons": [{"code": "JLACEF", "name": "Philippe Ombredanne", "avatar": "https://pretalx.com/media/avatars/JLACEF_BXUgb9X.webp", "biography": "I am a passionate FOSS hacker, lead maintainer of ScanCode, purlDB and VulnerableCode and on a mission to enable easier and safer reuse of FOSS code with best-in-class open source Software Composition Analysis (SCA) tools for open source discovery, license & security compliance at https://aboutcode.org\n\nI am also a co-founder of SPDX and the creator of Package URL (purl), a de-facto standard to identify packages in SBOMs, SCA tools and vulnerability databases used throughout the industry.", "public_name": "Philippe Ombredanne", "guid": "895d664f-7b0d-5f0d-8aa7-9089acbdc41c", "url": "https://pretalx.com/hack-lu-2023/speaker/JLACEF/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/MNCC3H/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/MNCC3H/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2023/submissions/MNCC3H/resources/hack.lu-CTI-SCA-Binaries-2023-10-16-slides-v1_WqoC0MD.pdf", "type": "related"}]}, {"guid": "ad4c5eed-01e5-52f1-bbd8-a80d0d54d32c", "code": "XREWCZ", "id": 38173, "logo": null, "date": "2023-10-16T14:15:00+02:00", "start": "14:15", "duration": "00:05", "room": "Salle Europe", "slug": "hack-lu-2023-38173-case-management", "url": 
"https://pretalx.com/hack-lu-2023/talk/XREWCZ/", "title": "Case Management", "subtitle": "", "track": "cti-summit lightning talk", "type": "Lightning talk", "language": "en", "abstract": "A flexible case management tool", "description": "A flexible case management tool that can be used for forensics, threat intel... Work with different organizations, follow the tasks of your team, make reports...", "recording_license": "", "do_not_record": false, "persons": [{"code": "QLCDR9", "name": "Cruciani David", "avatar": "https://pretalx.com/media/avatars/QLCDR9_UaQCNdl.webp", "biography": "Security researcher at CIRCL", "public_name": "Cruciani David", "guid": "25b1542d-8290-5cd0-9ad9-65b94f810b26", "url": "https://pretalx.com/hack-lu-2023/speaker/QLCDR9/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/XREWCZ/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/XREWCZ/", "attachments": []}, {"guid": "650bef3f-9c41-5f9b-9363-eb794dcbd319", "code": "JBPW3R", "id": 38177, "logo": null, "date": "2023-10-16T14:20:00+02:00", "start": "14:20", "duration": "00:05", "room": "Salle Europe", "slug": "hack-lu-2023-38177-geoopen-and-mmdb-server-a-comprehensive-open-source-solution-for-ip-address-geolocation", "url": "https://pretalx.com/hack-lu-2023/talk/JBPW3R/", "title": "GeoOpen and mmdb-server: A Comprehensive Open Source Solution for IP Address Geolocation", "subtitle": "", "track": "cti-summit lightning talk", "type": "Lightning talk", "language": "en", "abstract": "GeoOpen and mmdb-server: A Comprehensive Open Source Solution for IP Address Geolocation", "description": "https://hdoc.csirt-tooling.org/OgdCNqHYQpukzRKN0T2hmg?both", "recording_license": "", "do_not_record": false, "persons": [{"code": "NR9TLH", "name": "Alexandre Dulaunoy", "avatar": "https://pretalx.com/media/avatars/NR9TLH_JWTVpkQ.webp", "biography": "Enjoy when humans are using machines in unexpected ways. 
\nI break stuff and I do stuff.", "public_name": "Alexandre Dulaunoy", "guid": "0e062b2b-c5e2-51e4-8ddc-ce449d0fc12d", "url": "https://pretalx.com/hack-lu-2023/speaker/NR9TLH/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/JBPW3R/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/JBPW3R/", "attachments": []}, {"guid": "f6dd7abe-e6a1-5f76-95dd-535ed5b18939", "code": "YL9AAY", "id": 34025, "logo": null, "date": "2023-10-16T14:30:00+02:00", "start": "14:30", "duration": "00:30", "room": "Salle Europe", "slug": "hack-lu-2023-34025-cti-is-dead-long-live-cti", "url": "https://pretalx.com/hack-lu-2023/talk/YL9AAY/", "title": "CTI is dead, long live CTI!", "subtitle": "", "track": "cti-summit", "type": "Talk", "language": "en", "abstract": "Recently a CSIRT colleague said: \"CTI is dead\" which made us wonder and ponder.", "description": "The Cyber Threat Intelligence (CTI) remains a bit of a buzzword. What a CTI team does, for whom it does it and how, are still covered in mystery or a maintained artistic blur.\n\nOften CTI is regarded as retrieving threat reports, digesting them or researching malware or infrastructure to make a report. Other teams then retrieve, digest, extract IOCs and/or TTPs and then implement mitigations or write another internal presentation. While this may help protect from certain attacks, many reports do not directly concern our constituencies. And more to the point, the reports may not be timely when an incident is being handled by a CSIRT.\n\nA complementary approach could be to identify, collect and analyze the data that we already \"have\" but sometimes tend to forget. We will present a more constituency-centric approach and some of the challenges we face as an MSSP. 
\n\nBy combining these complementary approaches, an outward looking and inward knowing, we could revive CTI in a more long term, less buzzword way, and more importantly better protect our constituency.", "recording_license": "", "do_not_record": false, "persons": [{"code": "NMMMHT", "name": "David", "avatar": "https://pretalx.com/media/avatars/NMMMHT_Ty5KpKo.webp", "biography": "David Rufenacht is senior threat intelligence analyst at InfoGuard. Previously, David worked for the Swiss National Cyber Security Center providing threat assessments to critical infrastructure. He holds a master degree in international relations as well as in social anthropology.", "public_name": "David", "guid": "4ec0f9a3-5e50-547d-b6d0-c28e52f62bcf", "url": "https://pretalx.com/hack-lu-2023/speaker/NMMMHT/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/YL9AAY/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/YL9AAY/", "attachments": []}, {"guid": "a2f791d9-732c-5c89-a8da-880067fd7332", "code": "WVZVZH", "id": 33832, "logo": null, "date": "2023-10-16T15:00:00+02:00", "start": "15:00", "duration": "00:30", "room": "Salle Europe", "slug": "hack-lu-2023-33832-fosstering-an-isac-enabling-a-community-with-open-source-tools", "url": "https://pretalx.com/hack-lu-2023/talk/WVZVZH/", "title": "FOSStering an ISAC: Enabling a Community with Open-Source Tools", "subtitle": "", "track": "cti-summit", "type": "Talk", "language": "en", "abstract": "Defending against the latest threats requires timely, actionable intelligence. In an active sharing community that has members of varying maturity, resources, and team staffing, you need a way to collect, normalize, enrich, and vet the shared intelligence at scale. Most will have different intelligence requirements, so flexibility is demanded to tailor to the disparate use-cases and existing workflows they may have. 
This presentation shows how the Retail & Hospitality ISAC leverages MISP as a community instance for their members and incorporates other free and open-source software to address these topics and more!", "description": "\u2022 Brief overview of MISP architecture\n\u2022 RH-ISAC custom taxonomy\n    o Categorizing intelligence:\n        \u25aa Source where intelligence was shared\n        \u25aa Sector of member who shared intelligence\n        \u25aa Threat type (e.g., ATO, info stealer, credential harvester, etc.)\n\u2022 RH-ISAC custom galaxy \n    o Threat actor profiles/clusters\n        \u25aa Prioritizing threat actors\n        \u25aa Data sources\n        \u25aa Custom cluster elements\n\u2022 Intel Sharing and Normalization\n    o mail2misp\n    o Sharing templates\n    o MISP objects\n    o PDF/video documentation resources\n\u2022 Enriching and vetting attributes\n    o Automating enrichment with PyOTI\n    o Enrichment services\n    o Enrichment tags\n    o Vetted attributes \u201cfeed\u201d\n\u2022 Intel Interoperability\n    o RH-ISAC developed integrations\n    o Existing 3rd party integrations\n    o MISP Sync\n\u2022 What\u2019s next!", "recording_license": "", "do_not_record": false, "persons": [{"code": "V7QHL8", "name": "JJ Josing", "avatar": "https://pretalx.com/media/avatars/V7QHL8_0hvAg1i.webp", "biography": "JJ Josing is the Principal Threat Researcher at the Retail & Hospitality ISAC. Over the last 5 years in the retail space he has had a strong focus on automation and tool development with Python and using free and open source software to assist in his research. He likes to design networks, automate the tools and break all the things. 
Author of PyOTI - the python open threat intelligence library.", "public_name": "JJ Josing", "guid": "aa43f10b-5534-5f0e-a5bc-711d81983f22", "url": "https://pretalx.com/hack-lu-2023/speaker/V7QHL8/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/WVZVZH/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/WVZVZH/", "attachments": []}, {"guid": "aadbb375-b815-5967-bee3-2cb28c9abc88", "code": "MGMYZA", "id": 33919, "logo": null, "date": "2023-10-16T15:30:00+02:00", "start": "15:30", "duration": "00:30", "room": "Salle Europe", "slug": "hack-lu-2023-33919-0-kunai-your-new-threat-hunting-tool-for-linux", "url": "https://pretalx.com/hack-lu-2023/talk/MGMYZA/", "title": "Kunai: your new Threat Hunting tool for Linux", "subtitle": "", "track": "cti-summit", "type": "Talk", "language": "en", "abstract": "Linux is an open-source OS; however, performing Threat Hunting on Linux using open-source software (OSS) is not easy, as only a few tools are available and maintained. A port of the well-known Sysmon tool, originally developed for MS Windows, has been made for Linux, but it suffers from several issues. In this presentation, I will introduce a brand-new open-source tool I have been working on for several months. This tool aims to be a Sysmon alternative for Linux and provides several features that Sysmon does not offer.", "description": "This presentation aims to introduce the community to Kunai, a new Threat Hunting tool designed specifically for Linux Systems.\n\nI'll start by discussing the project's origin and my motivations for initiating it, followed by an exploration of the tool's inner workings and implementation details. This section will conclude with an overview of the challenges encountered during the tool's development.\n\nNext, I will highlight its key features, emphasizing how it differs from existing tools. 
The latter part of this section will explore practical Threat Hunting scenarios that can be realized with the tool.\n\nIn conclusion, I will summarize the key takeaways from this tool and share our future plans for its development.", "recording_license": "", "do_not_record": false, "persons": [{"code": "3JVRZM", "name": "Quentin JEROME", "avatar": "https://pretalx.com/media/avatars/3JVRZM_2Q2w1d8.webp", "biography": "Quentin has been working as an incident responder for several years before focusing on endpoint threat detection. He recently dedicated all his time to developing several open-source projects. His main topics of interest range from threat detection to bug hunting, but what he likes most is to develop tools and open-source them when he judges it is relevant enough to do so.", "public_name": "Quentin JEROME", "guid": "76a359a8-f57d-5e2c-b37b-4a2747e28a87", "url": "https://pretalx.com/hack-lu-2023/speaker/3JVRZM/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/MGMYZA/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/MGMYZA/", "attachments": []}, {"guid": "b7ac769a-6d0c-56db-a996-71f9f8ee6ac4", "code": "L7UC9M", "id": 33556, "logo": null, "date": "2023-10-16T16:00:00+02:00", "start": "16:00", "duration": "00:20", "room": "Salle Europe", "slug": "hack-lu-2023-33556-why-does-the-cti-industry-struggle-with-communicating-uncertainties", "url": "https://pretalx.com/hack-lu-2023/talk/L7UC9M/", "title": "Why does the CTI industry struggle with communicating uncertainties?", "subtitle": "", "track": "cti-summit", "type": "Talk", "language": "en", "abstract": "Even reputable vendors sometimes have a hard time consistently communicating uncertainties in a single report. This talk will highlight the challenge at the individual analyst level of working with uncertainties and communicating them. 
Words of Estimative Probability (WEP) and confidence levels, which address intelligence gaps, assumptions, and conclusions, may appear abstract and difficult to grasp for individuals with technical backgrounds who have transitioned to CTI from working with concrete facts. The presentation will explore various approaches to communicating uncertainties, showcasing their respective advantages and disadvantages for different types of threat report consumers.", "description": "This talk will present a comparative study of how security vendors utilize Words of Estimative Probability (WEP) and confidence levels, which are tools used in intelligence analysis to convey uncertainties. It aims to shed light on the varying approaches used in the industry.\n\nWhile the talk will not exhaustively explain why some vendors struggle in this area at an industry level, it will emphasize that working with uncertainties and effectively communicating them can also be challenging for individual analysts. \n\nWEP and confidence levels might appear difficult to grasp. To bridge this gap, the talk will translate these abstract concepts into language that resonates with the technical audience. It will provide practical guidelines for utilizing WEP and offer specific steps to differentiate terms such as \"likely\" and \"highly likely.\" Additionally, the presentation will explore various approaches to communicating uncertainties, highlighting their respective advantages and disadvantages for different types of threat report consumers.\n\nSome logical approaches that effectively combine WEP and confidence levels may be complex for untrained readers to comprehend. However, alternative methods that deviate from standard intelligence analysis tradecraft could be viable in certain cases. 
Regardless of the chosen approach, transparency and consistency are essential considerations for any CTI team, including security vendors.", "recording_license": "", "do_not_record": false, "persons": [{"code": "CJE38L", "name": "Ondra Rojcik", "avatar": "https://pretalx.com/media/avatars/CJE38L_rFViW7Z.webp", "biography": "Ondra Rojcik is a Senior Cyber Threat Intelligence Analyst at Red Hat CTI team. He is providing intelligence analysis and strategic perspective to the Red Hat\u2019s CTI program and its analytical production. Previously he worked for the Czech National Cyber and Information Security Agency (NUKIB) as a Deputy-Director of Department and Head of Strategic Analysis Unit which he co-founded.", "public_name": "Ondra Rojcik", "guid": "4fcbf709-682c-5165-9ba8-e2720bdbe658", "url": "https://pretalx.com/hack-lu-2023/speaker/CJE38L/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/L7UC9M/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/L7UC9M/", "attachments": []}, {"guid": "05bde156-0c00-54d0-923a-e24302937ecc", "code": "YV8H3B", "id": 33942, "logo": null, "date": "2023-10-16T16:30:00+02:00", "start": "16:30", "duration": "00:30", "room": "Salle Europe", "slug": "hack-lu-2023-33942-ensuring-ioc-quality-at-cert-fr", "url": "https://pretalx.com/hack-lu-2023/talk/YV8H3B/", "title": "Ensuring IoC quality at CERT-FR", "subtitle": "", "track": "cti-summit", "type": "Talk", "language": "en", "abstract": "Keeping IoCs usable and the base where they are stored clean over time is an important challenge. ANSSI/CERT-FR will present the tooling developed internally and used by CTI analysts in order to verify their quality and normalization before they are pushed into MISP.", "description": "Thanks to its central position in the French cybersecurity ecosystem, CERT-FR has access to a lot of information and thus, a lot of IoCs. 
For internal usage and further sharing, these IoCs must reach a certain level of quality and remain usable over time. In order to manage this, CERT-FR provides its analysts with a library and a set of Python scripts. Analysts have to use these scripts in order to push data into the production MISP instance.\n\nThe tools are based on an internal library, itself based on pymisp. It provides a set of functions, superseding pymisp\u2019s ones, to create, update and delete attributes and tags in MISP. It does so both to apply more verification in order to guarantee their quality and to ensure that the input of the different types of IoCs will be consistent over time. This consistency is also essential for further automated exploitation by other internal tools. Thus, the scripts used by the analysts ensure that the data in IoCs is normalized, following CERT-FR standards, and that the tools consuming it will have access to the necessary data. It also ensures that the IoC lifecycle is correctly followed, limiting analyst errors.\n\nThe presentation will first cover what we call a quality IoC at CERT-FR. Then we will detail the normalization we apply to the data and the rules that need to be applied on IoCs before they can be pushed into MISP and why we need to apply these rules.\n\nFinally, the internal library will be presented, to show some of the provided functions. Analysts can rely on these functions in their own tools or they can use the set of tools provided with the library to push their IoCs into MISP. This set of tools will also be presented, in order to show how the normalization and rules are applied at CERT-FR. We will also give brief feedback on how we want to improve the tools, following (constructive) criticism we have from analysts and other work we are currently carrying out regarding normalization and storing of technical IoCs.\n\nIn a nutshell, this presentation will provide feedback on the challenges encountered by CERT-FR on its IoC usage and the solutions developed to keep the base as clean as possible over time.", "recording_license": "", "do_not_record": false, "persons": [{"code": "HMQCSB", "name": "Barrault Victor", "avatar": "https://pretalx.com/media/avatars/HMQCSB_hM9H1EE.webp", "biography": "Working at the French Cybersecurity Agency (ANSSI) in the IOC management unit.", "public_name": "Barrault Victor", "guid": "b1c965ea-9558-5285-a8a9-2ed657846ade", "url": "https://pretalx.com/hack-lu-2023/speaker/HMQCSB/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/YV8H3B/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/YV8H3B/", "attachments": []}, {"guid": "62c78f8e-816a-5f08-ad3b-0cce483ba4d1", "code": "KTDHFU", "id": 38169, "logo": null, "date": "2023-10-16T17:00:00+02:00", "start": "17:00", "duration": "00:30", "room": "Salle Europe", "slug": "hack-lu-2023-38169-misp-updates", "url": "https://pretalx.com/hack-lu-2023/talk/KTDHFU/", "title": "MISP updates", "subtitle": "", "track": "cti-summit", "type": "Talk", "language": "en", "abstract": "Another year has passed since the last CTI Summit, with MISP having gone through a long list of changes and extensions - this talk aims to summarise what has happened since October 2022 as well as giving a glimpse into what the core team has in store for the community in the near future.", "description": "Another year has passed since the last CTI Summit, with MISP having gone through a long list of changes and extensions - this talk aims to summarise what has happened since October 2022 as well as giving a glimpse into what the core team has in store for the community in the near future.", "recording_license": "", "do_not_record": false, "persons": [{"code": "HTRJN8", "name": "Andras Iklody", "avatar": null, "biography": null, "public_name": "Andras Iklody", "guid": 
"79bf620f-a22a-5a48-b9a9-d00f73b63d2a", "url": "https://pretalx.com/hack-lu-2023/speaker/HTRJN8/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/KTDHFU/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/KTDHFU/", "attachments": []}, {"guid": "d87e0a9c-6490-518d-a7c9-4eb3ca8db5bb", "code": "RGZCBL", "id": 35433, "logo": "https://pretalx.com/media/hack-lu-2023/submissions/RGZCBL/2023-06-09_23-58_AcZH20e.png", "date": "2023-10-16T17:30:00+02:00", "start": "17:30", "duration": "00:20", "room": "Salle Europe", "slug": "hack-lu-2023-35433-malware-av-evasion-tricks-cryptography-in-malware", "url": "https://pretalx.com/hack-lu-2023/talk/RGZCBL/", "title": "Malware AV evasion tricks. Cryptography in malware", "subtitle": "", "track": "cti-summit", "type": "Talk", "language": "en", "abstract": "Research in the field of bypassing AV solutions and the role of cryptography in malware development. Application of classical\ncryptographic algorithms for payload and C2 communication encryption. Practical research has been carried out: the results of\nusing Skipjack, TEA, Madryga, RC5, A5/1, Z85, DES, mmb, Kuznechik, etc. encryption algorithms have been analysed. The\napplication of cryptography based on elliptic curves is also being researched. How does all this affect the VirusTotal detection\nscore and how applicable is it for bypassing AV solutions (AV bypass)? In some researched practical cases, we get FUD malware.\nBypass AV Kaspersky, Windows Defender. ESET NOD32 in some practical cases.\nReverse engineering and code reconstruction with malware development tricks from ransomware and malware like Conti, Snowyamber, Paradise Ransomware, CopyKittens, etc. Discover new tricks from Russian APT29 related malware.", "description": "Practical implementation and simulation of an APT attack using non-popular cryptographic algorithms. 
Using Hamming and\nReed-Solomon codes to check integrity of the payload and C2 connections", "recording_license": "", "do_not_record": false, "persons": [{"code": "EFXL9W", "name": "cocomelonc", "avatar": "https://pretalx.com/media/avatars/EFXL9W_lXdpDO4.webp", "biography": "Software developer, ethical hacker and cyber security enthusiast, mathematician. Contributor to the malpedia\nproject. Love my wife and kids.\nAuthor of popular malware development MD MZ book: https://cocomelonc.github.io/book/2022/07/16/mybook.html\nFounder of MSSP LAB - https://mssplab.github.io/\nAuthor of Websec B.V. blog - https://websec.nl/blog\nHVCK magazine contributor - https://hvck-magazine.github.io/\nMosse Cyber Security Institute lib contributor - https://library.mosse-institute.com", "public_name": "cocomelonc", "guid": "fefa8427-b192-5347-8254-d8100a0b4e6a", "url": "https://pretalx.com/hack-lu-2023/speaker/EFXL9W/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/RGZCBL/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/RGZCBL/", "attachments": []}]}}, {"index": 2, "date": "2023-10-17", "day_start": "2023-10-17T04:00:00+02:00", "day_end": "2023-10-18T03:59:00+02:00", "rooms": {"Salle Europe": [{"guid": "e6ccc7f8-216c-585f-ab2c-3fc837f06b86", "code": "CHCVTP", "id": 34476, "logo": null, "date": "2023-10-17T09:00:00+02:00", "start": "09:00", "duration": "00:25", "room": "Salle Europe", "slug": "hack-lu-2023-34476-cratos-use-your-bloody-indicators", "url": "https://pretalx.com/hack-lu-2023/talk/CHCVTP/", "title": "Cratos - Use your bloody indicators", "subtitle": "", "track": "cti-summit", "type": "Talk", "language": "en", "abstract": "MISP is an amazing platform for collecting and maintaining your CTI data and context, but it can also be useful in daily hunting engagements, incident response cases, standard SecOps and other scenarios; without giving your infrastructure or outsourcing partners access to context from MISP.", "description": "In 
this talk we will walk through some use cases and release an open-source project, Cratos, a FastAPI application that allows integrating your MISP data into your security infrastructure, minimizing the risk of leaking your contextual data while still automating the tasks, and also allowing data to be cached.", "recording_license": "", "do_not_record": false, "persons": [{"code": "YXBWJY", "name": "Dennis Rand", "avatar": null, "biography": null, "public_name": "Dennis Rand", "guid": "815f4ea7-4e1b-5177-9de4-e0f1064d64f4", "url": "https://pretalx.com/hack-lu-2023/speaker/YXBWJY/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/CHCVTP/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/CHCVTP/", "attachments": []}, {"guid": "9f9f49ac-5f75-534e-a638-fa6038d687ef", "code": "UDEXYV", "id": 35277, "logo": null, "date": "2023-10-17T09:30:00+02:00", "start": "09:30", "duration": "00:30", "room": "Salle Europe", "slug": "hack-lu-2023-35277-ipfs-unveiled-exploring-data-collection-analysis-and-security", "url": "https://pretalx.com/hack-lu-2023/talk/UDEXYV/", "title": "IPFS Unveiled: Exploring Data Collection, Analysis, and Security", "subtitle": "", "track": "cti-summit", "type": "Talk", "language": "en", "abstract": "In this talk, we will dive into exclusive data collection and analysis techniques specific to this decentralized network. We'll also take a quick tour of IPFS's wide range of applications and provide practical tips and tricks to help you secure your organization.", "description": "Join us for an in-depth exploration of IPFS, where we'll uncover its inner workings and dive into exclusive data collection and analysis techniques specific to this decentralized network. 
We'll also take a quick tour of IPFS's wide range of applications, including both everyday uses and those that may involve questionable or risky activities, giving you a comprehensive understanding of its capabilities.\nIn addition, we will try to help you fortify your organization against any potential misuse or harm facilitated through IPFS. We will provide practical tips and tricks during our talk, empowering you to strengthen your security measures.", "recording_license": "", "do_not_record": false, "persons": [{"code": "DCZQNF", "name": "Patrick Ventuzelo", "avatar": "https://pretalx.com/media/avatars/DCZQNF_q1eYA29.webp", "biography": "Patrick Ventuzelo is a senior security researcher, CEO & founder of Fuzzinglabs. After working for the French Ministry of Defense, he specialized in fuzzing, vulnerability research, and reverse engineering. Over the years, Patrick has created multiple fuzzers, found hundreds of bugs, and published various blog posts/videos/tools on topics like Rust, Go, Blockchain, WebAssembly, and Browser security. Patrick is a regular speaker and trainer at various security conferences around the globe, including BlackHat USA, OffensiveCon, REcon, RingZer0, PoC, ToorCon, hack.lu, NorthSec, SSTIC, and others.", "public_name": "Patrick Ventuzelo", "guid": "268befcc-acd6-5351-9f70-64e8f12ac2fb", "url": "https://pretalx.com/hack-lu-2023/speaker/DCZQNF/"}, {"code": "DE9JWZ", "name": "Tanguy Laucournet", "avatar": "https://pretalx.com/media/avatars/DE9JWZ_Px4NuZ2.webp", "biography": "Tanguy is a security engineer currently working as a Blockchain/OSINT expert at FuzzingLabs. He has four years of hands-on experience in blockchain technology, gained through multiple projects at leading tech companies and French research institutions. In addition to his expertise in blockchain, Tanguy possesses a deep knowledge of OSINT. At FuzzingLabs, he focuses on developing tools to facilitate investigations, profiling, and de-anonymization related to blockchains. 
Tanguy is also exploring the use of new Web3 protocols such as IPFS, with the aim of deepening our understanding of these emerging technologies.", "public_name": "Tanguy Laucournet", "guid": "e0a1753c-27f1-5eb8-ad70-c2b34e8f7902", "url": "https://pretalx.com/hack-lu-2023/speaker/DE9JWZ/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/UDEXYV/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/UDEXYV/", "attachments": []}, {"guid": "558ae0cc-f448-5c58-92ab-b018834ff35b", "code": "QWNF3T", "id": 33969, "logo": null, "date": "2023-10-17T10:15:00+02:00", "start": "10:15", "duration": "00:30", "room": "Salle Europe", "slug": "hack-lu-2023-33969-he-is-everywhere-a-tale-of-lazarus-and-his-family", "url": "https://pretalx.com/hack-lu-2023/talk/QWNF3T/", "title": "He is everywhere: A tale of Lazarus and his family", "subtitle": "", "track": "cti-summit", "type": "Talk", "language": "en", "abstract": "The threat groups from North Korea, known as Lazarus, are highly active and pose a significant danger to various industries worldwide. With over 20 years of experience in cybersecurity, I have focused on investigating incidents and providing detailed reports to my clients. Through my extensive research, I have accumulated a vast knowledge base concerning their TTPs and aliases.\n\nSince the early 2000s, they have been primarily targeting South Korea and gained global recognition in 2014 during Operation Blockbuster. From 2015 onwards, they expanded their scope to focus on the financial and cryptocurrency sectors, carrying out large-scale ransomware attacks and extortion campaigns. Additionally, they have pursued sensitive information by targeting industries such as nuclear, defense, and aerospace. They exhibit exceptional skills in compromising supply chains, executing drive-by download attacks, exploiting remote services, and conducting phishing campaigns. 
They possess a remarkable ability to quickly adapt and optimize their attacks for specific targets.\n\nThe cybersecurity community, including myself, maintains a vigilant watch over their activities. As a supplementary initiative, I maintain a website (https://lazarus.day) that catalogs their various aliases and posts related to them. Since 2009, there have been over 1500 posts authored by almost 300. He is everywhere.", "description": "Discuss the threat groups behind North Korea and summarize their relationships, which cluster as Lazarus, Kimsuky, ScarCruft, BlueNoroff, Andariel, and Konni. We'll also look at the incidents they've been responsible for since 2009 and identify their favorite techniques.", "recording_license": "", "do_not_record": false, "persons": [{"code": "F7NSFZ", "name": "JeongGak Lyu, @lazarusholic", "avatar": null, "biography": "He works at the Financial Security Institute in South Korea. FSI serves as an ISAC and CERT in the financial sector, offering a range of services to financial institutions. 
With over 20 years of experience, he has been involved in various tasks such as security operations, vulnerability assessments, and incident response.", "public_name": "JeongGak Lyu, @lazarusholic", "guid": "53328d3e-53e4-59d8-bf71-de0bcd1d26e6", "url": "https://pretalx.com/hack-lu-2023/speaker/F7NSFZ/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/QWNF3T/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/QWNF3T/", "attachments": []}, {"guid": "0b080ff6-61e9-5bfc-9a3f-938e20f6fe5c", "code": "8R8JUA", "id": 38182, "logo": null, "date": "2023-10-17T10:45:00+02:00", "start": "10:45", "duration": "00:15", "room": "Salle Europe", "slug": "hack-lu-2023-38182-cerebrate-learning-to-run", "url": "https://pretalx.com/hack-lu-2023/talk/8R8JUA/", "title": "Cerebrate - learning to run", "subtitle": "", "track": "cti-summit", "type": "Talk", "language": "en", "abstract": "Cerebrate is just about to turn 2, since its 1.0 release in October 2021. Like most two-year-olds, it is finally free to roam around the living room and have a lasting impact on its surroundings.\n\nHaving undertaken a journey of transformation and becoming operational in most aspects it was originally intended for, this talk aims to walk participants through the changes as well as giving some insights into how Cerebrate is changing how we manage our communities.", "description": "Having undertaken a journey of transformation and becoming operational in most aspects it was originally intended for, this talk aims to walk participants through the changes as well as giving some insights into how Cerebrate is changing how we manage our communities.", "recording_license": "", "do_not_record": false, "persons": [{"code": "HTRJN8", "name": "Andras Iklody", "avatar": null, "biography": null, "public_name": "Andras Iklody", "guid": "79bf620f-a22a-5a48-b9a9-d00f73b63d2a", "url": "https://pretalx.com/hack-lu-2023/speaker/HTRJN8/"}], "links": [], "feedback_url": 
"https://pretalx.com/hack-lu-2023/talk/8R8JUA/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/8R8JUA/", "attachments": []}, {"guid": "2ac8ba28-c9ab-516c-9ca7-bf4dc3c90e9b", "code": "SMDFBC", "id": 33981, "logo": null, "date": "2023-10-17T11:00:00+02:00", "start": "11:00", "duration": "00:30", "room": "Salle Europe", "slug": "hack-lu-2023-33981-digital-tug-of-war-unraveling-the-cyber-battle-between-ukraine-and-russia", "url": "https://pretalx.com/hack-lu-2023/talk/SMDFBC/", "title": "Digital Tug of War: Unraveling the Cyber Battle Between Ukraine and Russia", "subtitle": "", "track": "cti-summit", "type": "Talk", "language": "en", "abstract": "In this presentation, we will delve into the interesting Ukraine-Russia conflict over the past year and uncover the emerging challenges in cyber threat intelligence and its critical importance to detection engineering, validation, and organizational resilience. Explore the impact of cyber warfare on global security dynamics and gain valuable insights into the intersection of geopolitics and cybersecurity. Join us for a brief but enlightening journey through this evolving landscape.", "description": "Embark on a fascinating journey to uncover the multifaceted narrative of the protracted conflict between Ukraine and Russia that has captivated the world for over a year. This presentation aims to provide a comprehensive summary of the significant events, key moments and complex dynamics that have shaped this ongoing geopolitical saga.\n\nAmidst this turbulent backdrop, the realm of cyber threat intelligence has become a critical battleground, adding an unprecedented layer of complexity to an already volatile situation. 
We will delve into the myriad challenges that have emerged in the context of cyber threat intelligence and explore how they have shaped the course of the conflict and influenced the dynamics of global security.\n\nOne of the main objectives of our discussion will be the intrinsic value and indispensability of threat intelligence in current conflict scenarios. Threat Intelligence serves as a beacon of foresight, equipping organizations and nations with the knowledge and tools necessary to proactively defend against cyber threats. By analyzing evolving tactics, techniques, and procedures used by adversaries, threat intelligence enables the identification of potential vulnerabilities, allowing stakeholders to strengthen their defenses and increase overall resilience.\n\nIn addition, we will explore the complex interplay between threat intelligence and critical organizational processes. Detection engineering, the art of developing robust systems and mechanisms to identify and neutralize cyber threats, increasingly relies on timely and accurate threat intelligence. The synergy between detection engineering and threat intelligence supports the creation of sophisticated and proactive defense strategies that provide a more secure digital environment for organizations of all sizes.\n\nValidation, another key aspect in cyber threat intelligence, is becoming increasingly important in the context of the Ukraine-Russia conflict. Validating the authenticity and reliability of threat data is essential to distinguish real threats from false alarms. By implementing robust verification procedures, organizations can distinguish between genuine cyber threats and misleading or deceptive information, thereby optimizing resource allocation and response efforts.\n\nFinally, our presentation will underscore the importance of organizational resilience in the face of persistent cyber threats. Threat intelligence acts as a critical foundation upon which resilience strategies are built. 
By leveraging threat intelligence, organizations can develop comprehensive response plans, identify potential attack vectors, and implement proactive measures to mitigate risks and minimize the impact of cyber incidents.\n\nJoin us as we embark on this thought-provoking exploration of the Ukraine-Russia conflict, where the convergence of geopolitical tensions and cyber threat intelligence makes for a compelling narrative. Prepare to gain invaluable insights into the complex interplay between these domains and emerge equipped with a deeper understanding of the evolving landscape of contemporary warfare.", "recording_license": "", "do_not_record": false, "persons": [{"code": "YJBQR9", "name": "Ondrej Nekovar", "avatar": "https://pretalx.com/media/avatars/YJBQR9_6lbyEj5.webp", "biography": "Ondrej Nekovar (Th30ne) currently works as a CISO at some state company, where he and his team provide cyber security for the national data centre and eGovernment cloud (critical information infrastructure). His other role is Chief Deception Officer, where he is responsible for the strategic development of active measures elements and adversary engagement and its use. He also specializes in cybersecurity legislation and Active Cyber Defense (ACD) issues like its use by private organizations. \n\nWith his esteemed colleague and co-speaker Jan, they created a modernized Active Cyber Defense Gray Zone and its taxonomy, a few MISP addons for ACD, ACD loop, custom Alerting and Detection Strategy with ACD use and Adversary emulation Lab. They set up a DEF CON GROUP for the Czech Republic (DCG420) which organizes meetups of cyber and ACD enthusiasts, custom R&D (open methodologies, addons, tools) and trips with kids. 
They are frequent speakers at conferences such as BlackHat, Qubit and others.", "public_name": "Ondrej Nekovar", "guid": "d61f50f2-b715-5275-b2a4-f747559645f3", "url": "https://pretalx.com/hack-lu-2023/speaker/YJBQR9/"}, {"code": "RXAMF3", "name": "Jan", "avatar": null, "biography": null, "public_name": "Jan", "guid": "4d725307-4873-5c29-af5c-cd9fce16c0dc", "url": "https://pretalx.com/hack-lu-2023/speaker/RXAMF3/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/SMDFBC/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/SMDFBC/", "attachments": []}, {"guid": "143c506e-a7c5-517b-ada4-f7a3d5286cd3", "code": "UXXCXQ", "id": 33993, "logo": null, "date": "2023-10-17T11:30:00+02:00", "start": "11:30", "duration": "00:30", "room": "Salle Europe", "slug": "hack-lu-2023-33993-how-to-operationalize-cti-a-real-world-example", "url": "https://pretalx.com/hack-lu-2023/talk/UXXCXQ/", "title": "How to operationalize CTI - A real world example", "subtitle": "", "track": "cti-summit", "type": "Talk", "language": "en", "abstract": "In this talk we invite you to follow our journey from a small virtual team of CTI enthusiasts with other responsibilities to an established CTI function in a cyber defense organization of a large company.", "description": "While the journey is still ongoing, we want to highlight what worked so far and what not so much. \nFrom building and maintaining collections to the daily business of a CTI analyst of providing relevant information to our stakeholders without becoming a news clipping service.", "recording_license": "", "do_not_record": true, "persons": [{"code": "PTWXE8", "name": "Melanie Niethammer", "avatar": "https://pretalx.com/media/avatars/PTWXE8_ozx9dhb.webp", "biography": "Melanie is a cyber threat intelligence (CTI) analyst and responsible for the development of the CTI function at Bosch. Due to previous roles at the Bosch Group she has experience in Incident Response and Industrial Security Research. 
She holds a Master of Science degree in Computer and Information Science from the University of Konstanz.", "public_name": "Melanie Niethammer", "guid": "7666179d-20ee-5409-ab4e-6eac2ab33007", "url": "https://pretalx.com/hack-lu-2023/speaker/PTWXE8/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/UXXCXQ/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/UXXCXQ/", "attachments": []}, {"guid": "6e3221d4-b123-5c65-8d0d-9639c96b2abb", "code": "KML7KQ", "id": 38181, "logo": null, "date": "2023-10-17T13:30:00+02:00", "start": "13:30", "duration": "00:05", "room": "Salle Europe", "slug": "hack-lu-2023-38181-liberate-the-csam-hashsets", "url": "https://pretalx.com/hack-lu-2023/talk/KML7KQ/", "title": "Liberate the CSAM hashsets!", "subtitle": "", "track": "cti-summit lightning talk", "type": "Lightning talk", "language": "en", "abstract": "Where are the CSAM hashsets?", "description": "Where are the CSAM hashsets?", "recording_license": "", "do_not_record": false, "persons": [{"code": "HTRJN8", "name": "Andras Iklody", "avatar": null, "biography": null, "public_name": "Andras Iklody", "guid": "79bf620f-a22a-5a48-b9a9-d00f73b63d2a", "url": "https://pretalx.com/hack-lu-2023/speaker/HTRJN8/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/KML7KQ/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/KML7KQ/", "attachments": []}, {"guid": "e63b472d-4944-55a3-ac1c-d931aaaecaf9", "code": "MESUKB", "id": 38150, "logo": null, "date": "2023-10-17T13:35:00+02:00", "start": "13:35", "duration": "00:05", "room": "Salle Europe", "slug": "hack-lu-2023-38150-cobalt-striked", "url": "https://pretalx.com/hack-lu-2023/talk/MESUKB/", "title": "Cobalt Striked?", "subtitle": "", "track": "cti-summit lightning talk", "type": "Lightning talk", "language": "en", "abstract": "Cobalt Strike v 4.9 was released mid September, but leaked less than a month later. 
Let's dive into this presumed blow to the vendor.", "description": "I'll detail the timeline of this event, what is and is not in the leak, and what message the leaker left to us, analysts.", "recording_license": "", "do_not_record": false, "persons": [{"code": "XD3YES", "name": "Vincent Hinderer", "avatar": null, "biography": "CTI team manager at CERT Orange Cyberdefense\nPreviously at CERT Lexsi, acquired by Orange", "public_name": "Vincent Hinderer", "guid": "11e79e71-ba5c-5c48-8148-e664b13f9852", "url": "https://pretalx.com/hack-lu-2023/speaker/XD3YES/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/MESUKB/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/MESUKB/", "attachments": []}, {"guid": "f982c4fe-06c1-5da0-9a3f-a1c6d622ae41", "code": "NGU8KF", "id": 38188, "logo": null, "date": "2023-10-17T13:40:00+02:00", "start": "13:40", "duration": "00:05", "room": "Salle Europe", "slug": "hack-lu-2023-38188-are-leaked-credentials-dumps-used-by-attackers", "url": "https://pretalx.com/hack-lu-2023/talk/NGU8KF/", "title": "Are Leaked Credentials Dumps Used by Attackers?", "subtitle": "", "track": "cti-summit lightning talk", "type": "Lightning talk", "language": "en", "abstract": "With all the leaked credentials found in the wild, most of them are outdated or just a compilation of smaller dumps. Are they really used against you?", "description": "I searched for some old credentials with my domain \u00ab\u00a0root shell.be\u00a0\u00bb and checked if they were used in brute-force attacks\u2026.", "recording_license": "", "do_not_record": true, "persons": [{"code": "REMFJE", "name": "Xavier Mertens", "avatar": "https://pretalx.com/media/avatars/REMFJE_ny40ywh.webp", "biography": "Xavier Mertens is a freelance security consultant. His day job focuses on protecting his customers' assets by providing services like incident handling, malware analysis, forensic investigations, log management, security visualisation, and OSINT. 
Besides his day job, Xavier is also a Senior Handler at the SANS Internet Storm Center, Certified SANS Instructor (FOR610/FOR710), security blogger and co-organiser of the BruCON security conference.", "public_name": "Xavier Mertens", "guid": "7f64e4e5-038c-5a63-bfbc-21bf66c4a2df", "url": "https://pretalx.com/hack-lu-2023/speaker/REMFJE/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/NGU8KF/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/NGU8KF/", "attachments": []}, {"guid": "d3885f7c-7ced-5039-ab83-6df62237fa78", "code": "MNNLZP", "id": 38202, "logo": null, "date": "2023-10-17T13:45:00+02:00", "start": "13:45", "duration": "00:05", "room": "Salle Europe", "slug": "hack-lu-2023-38202-lessons-learned-from-sharing-intel-about-potential-fraud-compromise", "url": "https://pretalx.com/hack-lu-2023/talk/MNNLZP/", "title": "Lessons learned from sharing intel about potential fraud / compromise", "subtitle": "", "track": "cti-summit lightning talk", "type": "Lightning talk", "language": "en", "abstract": "Some lessons learned and anecdotes from spending several years sharing threat intelligence related to potential fraud / compromise.", "description": "Some lessons learned and anecdotes from spending several years sharing threat intelligence related to potential fraud / compromise.\n\nBased on experiences with both 'real' and 'simulated' scenarios.", "recording_license": "", "do_not_record": false, "persons": [{"code": "EZTTJY", "name": "Jeroen Pinoy", "avatar": null, "biography": "I am a computer scientist with a background in software testing (automation), incident handling and threat intelligence sharing.", "public_name": "Jeroen Pinoy", "guid": "6d0e382e-8f94-50ac-a0f3-5f576fc4c2fa", "url": "https://pretalx.com/hack-lu-2023/speaker/EZTTJY/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/MNNLZP/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/MNNLZP/", "attachments": []}, {"guid": 
"f7a04a4a-c2df-5fe0-afc7-8e58bc89ea9a", "code": "9X7V8Y", "id": 38199, "logo": null, "date": "2023-10-17T13:50:00+02:00", "start": "13:50", "duration": "00:05", "room": "Salle Europe", "slug": "hack-lu-2023-38199-sigma-project-news", "url": "https://pretalx.com/hack-lu-2023/talk/9X7V8Y/", "title": "Sigma Project News", "subtitle": "", "track": "cti-summit lightning talk", "type": "Lightning talk", "language": "en", "abstract": "Recently Sigma got a bunch of updates, time to keep you updated!", "description": "Sigma recently got some updates:\n\n* the new [SigmaHQ website](https://sigmahq.io).\n* Sigma blog\n* Rule packages\n* Query post-processing\n* ...\n\nThis talk gives a short overview of this news.", "recording_license": "", "do_not_record": false, "persons": [{"code": "TD3QYA", "name": "Thomas Patzke", "avatar": "https://pretalx.com/media/avatars/TD3QYA_d7RyBv6.webp", "biography": "Thomas has more than 15 years' experience in various areas of information security. He started as a consultant, then developed into offensive security and switched to defensive topics. Now he's an incident responder, threat hunter and does some threat intelligence at the Evonik Cyber Defense Team.\n\nThomas doesn't hold a single infosec certification, so no list of three-to-four-upper-cased-letter-combinations here. 
Instead he focuses on building [open source security tools](https://github.com/thomaspatzke) and is one of the co-founders and a core maintainer of the [Sigma project](https://github.com/SigmaHQ).", "public_name": "Thomas Patzke", "guid": "664f8989-2826-59a3-ae2a-67949ae6fd8f", "url": "https://pretalx.com/hack-lu-2023/speaker/TD3QYA/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/9X7V8Y/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/9X7V8Y/", "attachments": []}, {"guid": "2e68498f-a2f8-5f89-8b6b-19aff7de969f", "code": "AHNLUP", "id": 38210, "logo": null, "date": "2023-10-17T13:55:00+02:00", "start": "13:55", "duration": "00:05", "room": "Salle Europe", "slug": "hack-lu-2023-38210-do-we-consider-this-as-a-risks-already", "url": "https://pretalx.com/hack-lu-2023/talk/AHNLUP/", "title": "Do we consider this as a risks already", "subtitle": "", "track": "cti-summit lightning talk", "type": "Lightning talk", "language": "en", "abstract": "Risks of some new precious connected devices", "description": "What else people should consider in the threat models", "recording_license": "", "do_not_record": true, "persons": [{"code": "QMTPZP", "name": "Vladimir Kropotov", "avatar": "https://pretalx.com/media/avatars/QMTPZP_XOtgW7d.webp", "biography": "Vladimir Kropotov is a researcher with the Trend Micro Forward-Looking Threat Research team. Active for over 20 years in information security projects and research, he previously built and led incident response teams at Fortune 500 companies and was head of the Incident Response Team at Positive Technologies. He holds a master's degree in applied mathematics and information security. He also participates in various projects for leading financial, industrial, and telecom companies. 
His main interests lie in network traffic analysis, incident response, and botnet and cybercrime investigations.", "public_name": "Vladimir Kropotov", "guid": "7c1dd671-a013-5608-be22-01ea4e6a75db", "url": "https://pretalx.com/hack-lu-2023/speaker/QMTPZP/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/AHNLUP/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/AHNLUP/", "attachments": []}, {"guid": "37be246b-7dab-59c3-a40b-c8e782d1877a", "code": "LHDBVE", "id": 35091, "logo": null, "date": "2023-10-17T14:00:00+02:00", "start": "14:00", "duration": "00:30", "room": "Salle Europe", "slug": "hack-lu-2023-35091-jtan-data-sharing-network", "url": "https://pretalx.com/hack-lu-2023/talk/LHDBVE/", "title": "JTAN - data sharing network", "subtitle": "", "track": "cti-summit", "type": "Talk", "language": "en", "abstract": "CIRCL, CERT.PL and other JTAN project partners will present a data sharing network built in the JTAN project. The talk will showcase open source tools used as a backbone of the network and the operational value of the data exchanged.", "description": "Details TBC.", "recording_license": "", "do_not_record": false, "persons": [{"code": "NR9TLH", "name": "Alexandre Dulaunoy", "avatar": "https://pretalx.com/media/avatars/NR9TLH_JWTVpkQ.webp", "biography": "Enjoy when humans are using machines in unexpected ways. 
\nI break stuff and I do stuff.", "public_name": "Alexandre Dulaunoy", "guid": "0e062b2b-c5e2-51e4-8ddc-ce449d0fc12d", "url": "https://pretalx.com/hack-lu-2023/speaker/NR9TLH/"}, {"code": "WTMZ7G", "name": "Pawe\u0142 Pawli\u0144ski", "avatar": "https://pretalx.com/media/avatars/WTMZ7G_sAm6WK2.webp", "biography": "Building things at [CERT.PL](https://www.cert.pl/).", "public_name": "Pawe\u0142 Pawli\u0144ski", "guid": "2614601b-df64-5dd9-91bd-d5fac1cf63c2", "url": "https://pretalx.com/hack-lu-2023/speaker/WTMZ7G/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/LHDBVE/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/LHDBVE/", "attachments": []}, {"guid": "53051537-70c2-5944-a1ec-d504fc325469", "code": "NMLPHG", "id": 34622, "logo": null, "date": "2023-10-17T14:30:00+02:00", "start": "14:30", "duration": "00:30", "room": "Salle Europe", "slug": "hack-lu-2023-34622-turbocharging-ioc-validation-become-a-more-efficient-cti-analyst", "url": "https://pretalx.com/hack-lu-2023/talk/NMLPHG/", "title": "Turbocharging IOC validation: Become a more efficient CTI analyst", "subtitle": "", "track": "cti-summit", "type": "Talk", "language": "en", "abstract": "Cyber threat intelligence (CTI) analysts are inundated daily with new Indicators of Compromise \n(IOCs) to analyze. Due to the ephemeral nature of IOCs, analysts must analyze IOCs promptly to \nunderstand if an IOC is usable.\nIOC validation is one of the most time-consuming and frustrating aspects of analyzing an IOC. \nBy optimizing IOC validation, an analyst can produce much more timely intelligence.\nIn this session, you will learn first-hand how to turbocharge the validation of IOCs, thus saving \nyou precious time and helping you prioritize your time to focus on high-value IOCs and creating \nboth timely and actionable intelligence.", "description": "The session is based on real-world experience and will cover:\n- Intro to the Low-Regret Model. 
\n- Scenarios which will take you down a rabbit hole and how to avoid them\n- When you, as a CTI analyst, should stop enriching an IOC\n- How to conduct IOC associations and linkage \n- A live demonstration of a highly efficient and automated method to gain optimal results \nand improve the IOC validation process using the Low-Regret Model.\n\nThe session will also provide participants with valuable sources to aid them in effectively \nvalidating IOCs in their role as a CTI analyst.", "recording_license": "", "do_not_record": false, "persons": [{"code": "ZCKVRH", "name": "Arwa Alomari", "avatar": "https://pretalx.com/media/avatars/ZCKVRH_uQofJTc.webp", "biography": "Arwa Alomari is an experienced cyber threat intelligence leader working for a leading\ncybersecurity provider in Saudi Arabia. She leads the threat intelligence unit for her employer.\n\nArwa started her cybersecurity journey as a penetration tester before turning blue, working in a\nSOC, and then moving on to performing IR. She now focuses on CTI and leads the delivery of\nservices for clients.", "public_name": "Arwa Alomari", "guid": "04768397-176c-575e-82d4-8fb34e3ea9fa", "url": "https://pretalx.com/hack-lu-2023/speaker/ZCKVRH/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/NMLPHG/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/NMLPHG/", "attachments": []}, {"guid": "fb6009c1-9f30-547e-a0de-a024635f5cda", "code": "GVL7FM", "id": 36025, "logo": null, "date": "2023-10-17T15:00:00+02:00", "start": "15:00", "duration": "00:30", "room": "Salle Europe", "slug": "hack-lu-2023-36025-modern-iocs-matching-with-suricata", "url": "https://pretalx.com/hack-lu-2023/talk/GVL7FM/", "title": "Modern IOCs matching with Suricata", "subtitle": "", "track": "cti-summit", "type": "Talk", "language": "en", "abstract": "This talk will present how Suricata, an open source IDS and NSM engine, can provide high performance matching of IOCs on live traffic using a feature named dataset. 
It will also cover how the produced NSM events can be used to do IOC matching on past traffic data and will present the IOCMite tool that links Suricata and MISP.", "description": "Suricata is a high-performance open source IDS and NSM engine that has existed since 2009. The IDS function has evolved over the years and, among other features, the dataset one has been developed to be able to match on a list of elements.\n\nWe will present how the feature is designed and how it is really convenient to do matching of IOCs on the live network traffic as well as building a network-wide patient zero database for metadata. We will also cover how the NSM produced data can be used to do matching on past traffic when new IOCs are added.\n\nAnd finally we will present IOCMite, an open source tool linking MISP and Suricata in both directions using the dynamic nature of dataset.", "recording_license": "", "do_not_record": false, "persons": [{"code": "UREGS8", "name": "Eric Leblond", "avatar": "https://pretalx.com/media/avatars/UREGS8_lAVeWOo.webp", "biography": "\u00c9ric Leblond is the co-founder and chief technology officer (CTO) at Stamus Networks. He sits on the board of directors at Open Network Security Foundation (OISF).  \u00c9ric has more than 15 years of experience as co-founder and technologist of cybersecurity software companies and is an active member of the security and open-source communities. He has worked on the development of Suricata \u2013 the open-source network threat detection engine \u2013 since 2009 and is part of the Netfilter Core team, responsible for the Linux kernel's firewall layer. 
Eric is a respected expert and speaker on all things network security.", "public_name": "Eric Leblond", "guid": "5fe02908-a326-51fe-b668-cb092dbf45a3", "url": "https://pretalx.com/hack-lu-2023/speaker/UREGS8/"}, {"code": "8CQHJC", "name": "Peter Manev", "avatar": "https://pretalx.com/media/avatars/8CQHJC_MLZwSGE.webp", "biography": "Peter Manev is the co-founder and chief strategy officer (CSO) of Stamus Networks and a member of the executive team at Open Information Security Foundation (OISF). Peter has over 15 years of experience in the IT industry, including enterprise-level IT security practice. He is a passionate user, developer, and explorer of innovative open-source security software. He is responsible for training as well as quality assurance and testing on the development team of Suricata \u2013 the open-source threat detection engine. Peter is also the lead developer of SELKS, the popular turnkey open-source implementation of Suricata. Peter is a regular speaker and educator on open-source security, threat hunting, and network security.\n\nPeter has been involved with Suricata IDS/IPS/NSM from its very early days in 2009 as QA and training lead. He is currently a Suricata executive council member. Peter has 15 years of experience in the IT industry, including as an enterprise-level IT security practitioner.\n\n[SELKS](https://github.com/StamusNetworks/SELKS) maintainer - turn-key Suricata-based IDS/IPS/NSM. 
A frequent contributor to and user of innovative open source security software, Peter maintains several online repositories for Suricata-related information: https://github.com/pevma , https://github.com/orgs/StamusNetworks/repositories and https://twitter.com/pevma.\n\nPeter Manev is a co-author of the [The Security Analyst\u2019s Guide to Suricata book](https://www.stamus-networks.com/suricata-4-analysts) written with Eric Leblond.\n\nAdditionally, Peter is one of the founders of Stamus Networks, a company providing commercial and open-source network detection and response solutions based on Suricata. Peter often engages in private or public training events in the area of advanced deployment and threat hunting at conferences, workshops or live-fire cyber exercises such as Crossed Swords, DeepSec, Troopers, DefCon, Suricon, SharkFest, RSA, Flocon, MIT Lincoln Lab and others", "public_name": "Peter Manev", "guid": "9d6ab25f-b70a-5d66-83e0-af8e03e3e0dd", "url": "https://pretalx.com/hack-lu-2023/speaker/8CQHJC/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/GVL7FM/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/GVL7FM/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2023/submissions/GVL7FM/resources/Modern_IOCs_matching_with_Suricata_4_9g4IcRF.pdf", "type": "related"}]}, {"guid": "dc5eaae6-7708-5ff3-97d0-23edbd13e865", "code": "HNAUGB", "id": 32667, "logo": null, "date": "2023-10-17T15:30:00+02:00", "start": "15:30", "duration": "00:30", "room": "Salle Europe", "slug": "hack-lu-2023-32667-pxf-x-a-modular-python-framework-to-hunt-extract-and-enrich-post-exploitation-framework-artifacts", "url": "https://pretalx.com/hack-lu-2023/talk/HNAUGB/", "title": "PXF-X - A modular python framework to hunt, extract and enrich Post-Exploitation Framework artifacts", "subtitle": "", "track": "cti-summit", "type": "Talk", "language": "en", "abstract": "Post Exploitation Frameworks are not only the swiss army knife for Red 
Teamers, but also in heavy use by cybercriminals and even state actors. Many artifacts, like Beacons/Badgers or Stage Loaders, end up on platforms like VirusTotal.\nTired of the many manual process steps needed to get decent insights about these hunted artifacts, the PXF-X framework was born.", "description": "PXF-X should fully automate all the required analysis steps. In essence, this means: 1) artifacts are hunted with VirusTotal Livehunting YARA rules, 2) the samples are then obtained and analyzed in several ways, 3) the extracted information is then enriched by different intelligence sources and reconnaissance methods.\nPXF-X is designed in a modular way. The intention is that various modules can be integrated successively. Currently three different frameworks are supported: Meterpreter, Cobalt Strike and Brute Ratel C4. A bunch of others are in the making.", "recording_license": "", "do_not_record": true, "persons": [{"code": "KCYHTX", "name": "Joel Doenne", "avatar": "https://pretalx.com/media/avatars/KCYHTX_WXaM6z7.webp", "biography": "Joel Doenne is a Cyber Security Analyst at ATRUVIA AG with preferences for CTI, Reverse Engineering and Digital Forensics.", "public_name": "Joel Doenne", "guid": "c2090ea4-ab62-5f5c-ace3-bbe97d6a8beb", "url": "https://pretalx.com/hack-lu-2023/speaker/KCYHTX/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/HNAUGB/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/HNAUGB/", "attachments": []}, {"guid": "9f77826e-2c9c-5b0d-9177-c5406a469185", "code": "WVFPNK", "id": 35391, "logo": null, "date": "2023-10-17T16:15:00+02:00", "start": "16:15", "duration": "00:30", "room": "Salle Europe", "slug": "hack-lu-2023-35391-pyrrha-navigate-easily-into-your-system-binaries", "url": "https://pretalx.com/hack-lu-2023/talk/WVFPNK/", "title": "Pyrrha: navigate easily into your system binaries", "subtitle": "", "track": "cti-summit", "type": "Talk", "language": "en", "abstract": "Nowadays structured firmware 
can be a complete OS with thousands of files. It usually requires several hours to find the links between some components, and it is easy to get lost in this mass of information.\nThis talk will introduce how we have combined and extended already existing open-source solutions to solve this issue and help reversers in their daily tasks. The resulting tool, Pyrrha, allows users to visualize the different binaries and libraries of the firmware and their interactions in the form of several dependency graphs.", "description": "Pyrrha is an extension of Sourcetrail [1], an open-source source code explorer (for C/C++, Python, and Java). This extension uses LIEF [2] to analyze the imports and exports of each library and binary of the firmware and create links between them. The result is exported as a Sourcetrail database. Thanks to the Sourcetrail UI, the user will be able to navigate and search in the resulting firmware mapping.\n\nPyrrha has been open-sourced and is available on GitHub: https://github.com/quarkslab/pyrrha\n\n[1] https://github.com/CoatiSoftware/Sourcetrail\n[2] https://lief-project.github.io/", "recording_license": "", "do_not_record": false, "persons": [{"code": "KWKKNB", "name": "Elo\u00efse Brocas", "avatar": "https://pretalx.com/media/avatars/KWKKNB_bNwPcnF.webp", "biography": "Elo\u00efse Brocas is a security researcher and reverse engineer at Quarkslab. 
She is also organizing Pass the Salt, a conference about open-source and security.", "public_name": "Elo\u00efse Brocas", "guid": "944d47b7-46a4-55b1-a44f-d6eebdf2775c", "url": "https://pretalx.com/hack-lu-2023/speaker/KWKKNB/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/WVFPNK/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/WVFPNK/", "attachments": []}, {"guid": "6c327778-859a-5e24-a557-d1a0f741fee7", "code": "P8KXTK", "id": 33889, "logo": null, "date": "2023-10-17T16:45:00+02:00", "start": "16:45", "duration": "00:30", "room": "Salle Europe", "slug": "hack-lu-2023-33889-threat-actors-surveillance-companies-targeting-telecom-operators", "url": "https://pretalx.com/hack-lu-2023/talk/P8KXTK/", "title": "Threat actors & surveillance companies targeting telecom operators", "subtitle": "", "track": "cti-summit", "type": "Talk", "language": "en", "abstract": "Telecom operators are at the heart of our societies, and all the citizens have a mobile phone today, which makes the operators an ideal target. This presentation will get more in depth into specific threat actors which are supporting the work of global surveillance companies.", "description": "Telecom operators are at the heart of our societies, and all the citizens have a mobile phone today, which makes the operators an ideal target. This presentation will get more in depth into specific threat actors which are supporting the work of global surveillance companies and attacking all operators around the world. 
We will go over the investigations we have conducted on attacks targeting the operators of many countries across the globe and the impact for the populations and national security of these countries.", "recording_license": "", "do_not_record": true, "persons": [{"code": "RFCMEH", "name": "Alexandre de Oliveira", "avatar": null, "biography": "Passionate about Telecom Networks and their security, I have been exploring critical infrastructures around the world for more than 10 years. I work today at POST Luxembourg in the Cyberforce Labs & Innovation, aiming to improve the global telecom threat intelligence community and to create security solutions for mobile operators. \nI had the chance to talk and give trainings at Hack.lu, HITB, Troopers, CCC, GSMA FASG, ENISA Telecom Security Forum, BSIDES Luxembourg & ETIS, sharing core network and protocol vulnerabilities among the community.", "public_name": "Alexandre de Oliveira", "guid": "03c32305-08ee-588d-9666-6382e7181a2e", "url": "https://pretalx.com/hack-lu-2023/speaker/RFCMEH/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/P8KXTK/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/P8KXTK/", "attachments": []}, {"guid": "8fcb2300-68d8-5325-942a-cf1856b6e592", "code": "XHLVWG", "id": 36575, "logo": "https://pretalx.com/media/hack-lu-2023/submissions/XHLVWG/CrowdSecx280_fRMMTFn.png", "date": "2023-10-17T17:15:00+02:00", "start": "17:15", "duration": "00:20", "room": "Salle Europe", "slug": "hack-lu-2023-36575-how-crowdsec-is-building-a-collaborative-trustable-and-crowdsourced-cti-to-change-the-cybersecurity-landscape", "url": "https://pretalx.com/hack-lu-2023/talk/XHLVWG/", "title": "How Crowdsec is building a collaborative, trustable, and crowdsourced CTI to change the cybersecurity landscape", "subtitle": "", "track": "cti-summit", "type": "Talk", "language": "en", "abstract": "Crowdsec is building the largest CTI, crowdsourced by an open source security engine solution. 
With the help of machine learning algorithms, we analyze this data to detect and classify cyber threats in near real time.", "description": "Over the past years CTI has evolved from a simple blocklist to a more end-to-end approach.\nLearn about the crowdsourced approach to achieving this CTI thanks to using an open-source security engine that detects & blocks more than 150 behaviors across a network of 60k nodes spread all over the globe, ensuring that the CTI system is continually updated with the latest information & can respond quickly to new threats. You will also get insights on the data that builds this next-generation CTI & see examples of DDoS events, CVEs blocked, & a description of malicious actors reported on the Internet. \nTo conclude, you will get insights into machine learning applications to classify IP addresses based on their behavior.", "recording_license": "", "do_not_record": false, "persons": [{"code": "UVSPQU", "name": "Matthieu Mazzolini", "avatar": "https://pretalx.com/media/avatars/UVSPQU_5cgzcbj.webp", "biography": "I am passionate about analyzing large datasets to solve complex problems. If data are unique, it\u2019s an even higher source of motivation. I joined CrowdSec in September 2021 to make sense of the datalake and add machine learning to the solution.\n\nMy background is mostly applied mathematics and machine learning, which I gained studying at Paris-Dauphine University and Ecole Normale Sup\u00e9rieure de Cachan.\nPrior to CrowdSec, I spent 4 years working in a satellite imagery company as a Data Scientist, where I contributed to major research projects related to methane emissions mitigation. 
\nOutside working hours you will most likely see me bouldering or hiking outdoors.", "public_name": "Matthieu Mazzolini", "guid": "4bd9bd6f-c700-500a-8536-c35b4bfeb246", "url": "https://pretalx.com/hack-lu-2023/speaker/UVSPQU/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/XHLVWG/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/XHLVWG/", "attachments": []}, {"guid": "23dfe06e-f66c-5f62-832e-e4365ee04299", "code": "99YBB9", "id": 35046, "logo": null, "date": "2023-10-17T17:35:00+02:00", "start": "17:35", "duration": "00:20", "room": "Salle Europe", "slug": "hack-lu-2023-35046-misp42-connecting-cti-and-soc-teams", "url": "https://pretalx.com/hack-lu-2023/talk/99YBB9/", "title": "MISP42: connecting CTI and SOC teams", "subtitle": "", "track": "cti-summit", "type": "Talk", "language": "en", "abstract": "In cybersecurity, CTI and SOC teams often sit next to each other. The CTI team accumulates an impressive amount of threat intelligence including technical IOCs. On the SOC side an even more impressive amount of data is collected in data lakes, or even data oceans now (logs, telemetry, network flow or traffic, etc.).\nMISP has been available for years as a Threat Intelligence platform and has greatly facilitated sharing across the security community, mainly between CTI teams. 
In particular, MISP allows an organisation to have an IOC data set ready to be used.\nStill, SOC teams rather often struggle to consume those IOCs in their monitoring and detection platforms, and even more to feed new findings or sightings from the alerts or retro searches run on the SOC platforms back into MISP.\nMISP42 is an open-source app developed to help SOC teams using the Splunk platform make the use of IOCs in MISP an easy workflow that can be automated.", "description": "The presentation will present the challenges CTI and SOC teams may have in using IOCs in an actionable way on the monitoring and detection platforms, to introduce why MISP42 was developed for Splunk (it was the main platform of the SOC at the time).\n\nThen the 2 main use cases will be detailed with practical examples:\n- use MISP IOCs in Splunk for hunting, retrosearch, threat activity or detection enrichment.\n- use findings/matches on Splunk to create new events or increment sightings factors\nand finally illustrate the swiss-knife concept of MISP42 (one command designed to be a wrapper of the MISP REST API)", "recording_license": "", "do_not_record": false, "persons": [{"code": "KFACCC", "name": "Remi Seguy", "avatar": "https://pretalx.com/media/avatars/KFACCC_prpEQpg.webp", "biography": "I have worked in cybersecurity for more than 15 years, mainly in Blue teams, but I am interested in fostering purple teaming. 
I fully support Libre software and try to contribute to the open source community.", "public_name": "Remi Seguy", "guid": "577a933a-d242-5152-816d-883b40b543f5", "url": "https://pretalx.com/hack-lu-2023/speaker/KFACCC/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/99YBB9/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/99YBB9/", "attachments": []}, {"guid": "f90bf6a1-e27f-5089-a38c-02e40d185829", "code": "JAKAKS", "id": 33639, "logo": null, "date": "2023-10-17T17:55:00+02:00", "start": "17:55", "duration": "00:30", "room": "Salle Europe", "slug": "hack-lu-2023-33639-yeti-old-dog-new-tricks", "url": "https://pretalx.com/hack-lu-2023/talk/JAKAKS/", "title": "Yeti - old dog, new tricks", "subtitle": "", "track": "cti-summit", "type": "Talk", "language": "en", "abstract": "[Yeti](https://github.com/yeti-platform/yeti) is an opensource platform dedicated to the curation and management of operational threat intelligence,\ngeared towards incident responders and forensic practitioners. It's written in Python and maintained since ~2017.\n\nIt consists of several modules:\n\n- a graph database & search engine\n- a threat feed ingestion engine\n- a data enrichment module (e.g. 
sandbox information, domain resolution, IOC extraction...)\n- Signature management (YARA, Sigma, etc.)\n- High-level entity management (Threat actors, TTPs, Campaigns) to tie everything together in a neat graph database.\n\nYeti has existed since 2017, and is used both in industry and academia, and has\nrecently been undergoing several big changes, which we would like to present at\nCTI-Summit 2023:", "description": "We are going to tell the story of Yeti, why it was created, where it's now, and about all the friends we made along the way.\n\nBesides the new DFIR twist we want to give Yeti, we'll highlight some of the major changes in the codebase:\n  - Total revamp of the Web UI using VueJS.\n  - Backend migration to ArangoDB (graph database)\n  - Code health: Python typing, e2e tests, making development faster and more\n    reliable, and making community contributions much easier.\n  - Production and development Docker images\n  - Integration with third-party OSS tools such as Timesketch and Turbinia.", "recording_license": "", "do_not_record": false, "persons": [{"code": "MMJXP7", "name": "Thomas Chopitea", "avatar": "https://pretalx.com/media/avatars/MMJXP7_6atuyJn.webp", "biography": "Thomas has been a DFIR practitioner for 10+ years. He's currently a Security Engineer in the DFIR team at Google who loves running towards the proverbial cyber fires. 
He enjoys detective work and poking malware with a long stick, and has given talks about DFIR, malware analysis, and threat intelligence at many conferences throughout Europe and the US", "public_name": "Thomas Chopitea", "guid": "8506ec53-3b08-55eb-b774-6f5d14b6bfb4", "url": "https://pretalx.com/hack-lu-2023/speaker/MMJXP7/"}, {"code": "7S7N3Z", "name": "S\u00e9bastien Larinier", "avatar": "https://pretalx.com/media/avatars/7S7N3Z_o2UR7Jx.webp", "biography": "A lecturer and researcher at ESIEA and an independent consultant in Threat Intelligence, he contributes to numerous open source projects such as MISP and Yeti. He is also the author of numerous articles, an international speaker and lecturer on malware analysis, digital forensics and Cyber Threat Intelligence at ESIEA, and co-author of the book \"Cybers\u00e9curit\u00e9 et Malwares\nD\u00e9tection, analyse et Threat Intelligence (4e \u00e9dition)\".", "public_name": "S\u00e9bastien Larinier", "guid": "562334ce-ad75-5991-9c69-2bc9aa64b5e1", "url": "https://pretalx.com/hack-lu-2023/speaker/7S7N3Z/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/JAKAKS/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/JAKAKS/", "attachments": [{"title": "paper", "url": "/media/hack-lu-2023/submissions/JAKAKS/resources/CTI_Summit_2023_vPjjGyQ.pdf", "type": "related"}]}], "Schengen 1 and 2": [{"guid": "aff3f96f-4e5d-56a2-894c-26fae2f0dd03", "code": "UCRUZT", "id": 35420, "logo": null, "date": "2023-10-17T14:00:00+02:00", "start": "14:00", "duration": "02:00", "room": "Schengen 1 and 2", "slug": "hack-lu-2023-35420-0-managing-spam-phishing-and-other-boring-tasks-with-your-users-and-constituents", "url": "https://pretalx.com/hack-lu-2023/talk/UCRUZT/", "title": "Managing spam, phishing and other boring tasks with your users and constituents", "subtitle": "", "track": "cti-summit", "type": "Training", "language": "en", "abstract": "It is time consuming and frankly moderately interesting to 
handle the submission and treatment of spam and phishing things people would like to report to you, either because it is your job or because you're that person who knows computers in your family or friends group.\n\nIn this workshop, we will show how to integrate open-source tools that will make your life easier, empower the people reporting things to you, and hopefully reduce your workload.", "description": "Please make sure before attending this workshop that you can install Python 3 software on your device, and your device should preferably be running Ubuntu 22.04 or more recent. As the workshop is relatively short and depending on how many people will attend, we may not have time to do a lot of sysadmin work during the workshop.\n\nThe tools we will use are the following:\n\n* Lookyloo (to analyze URLs)\n* Pandora (to analyze files)\n* Lacus (optionally, to capture the URLs when you have a lot of them)\n* A URL monitoring interface (to compare a specific URL over time)\n* Phishtank Lookup (to check if a URL is known or not)\n\nWe will also see how to integrate Lookyloo and Pandora to handle the cases where the URL points to a file, and where the file is a web document, or it contains URLs.\n\nIntegration with 3rd party services:\n\n* MISP (to share the indicators)\n* Ticketing system (to manage interactions with other entities, typically take down requests)\n* Validate if a URL is known with VirusTotal, PhishtankLookup, URLScan, URLHaus\n* Validate if a file is known with VirusTotal, MalwareBazaar, HybridAnalysis, MwDB, JoeSandbox\n* Add contextual information with SaneJS, uWhoisd, Hashlookup", "recording_license": "", "do_not_record": false, "persons": [{"code": "GLQ9T3", "name": "Rapha\u00ebl Vinot", "avatar": "https://pretalx.com/media/avatars/GLQ9T3_gQscSBO.webp", "biography": "Formerly a member of CIRCL, I moved to France but didn't go that far in spirit as I'm still part of the developers and maintainers for a whole bunch of tools there. 
Some say it is too many, we disagree.", "public_name": "Rapha\u00ebl Vinot", "guid": "3564062f-5330-54a0-b816-fc31003c64af", "url": "https://pretalx.com/hack-lu-2023/speaker/GLQ9T3/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/UCRUZT/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/UCRUZT/", "attachments": []}, {"guid": "bb1a0040-d351-52f6-83d5-3614f69935a1", "code": "7KYDJW", "id": 35259, "logo": null, "date": "2023-10-17T16:30:00+02:00", "start": "16:30", "duration": "02:00", "room": "Schengen 1 and 2", "slug": "hack-lu-2023-35259-cryptocurrency-web3-osint-workshop", "url": "https://pretalx.com/hack-lu-2023/talk/7KYDJW/", "title": "Cryptocurrency & Web3 OSINT Workshop", "subtitle": "", "track": "cti-summit", "type": "Training", "language": "en", "abstract": "This workshop offers an introduction to Blockchain/Web3 OSINT, including extracting and analyzing on-chain and off-chain data.", "description": "This workshop offers a practical understanding of Blockchain, Smart Contracts, DApps, and NFTs. Participants will learn the basics of Web3 OSINT, including extracting and analyzing on-chain and off-chain data. The workshop also provides a guide to important websites and tools, with a focus on the process of linking and verifying information. It's an opportunity to enhance your skills within the realm of cryptocurrency and Web3.", "recording_license": "", "do_not_record": false, "persons": [{"code": "DCZQNF", "name": "Patrick Ventuzelo", "avatar": "https://pretalx.com/media/avatars/DCZQNF_q1eYA29.webp", "biography": "Patrick Ventuzelo is a senior security researcher, CEO & founder of Fuzzinglabs. After working for the French Ministry of Defense, he specialized in fuzzing, vulnerability research, and reverse engineering. Over the years, Patrick has created multiple fuzzers, found hundreds of bugs, and published various blog posts/videos/tools on topics like Rust, Go, Blockchain, WebAssembly, and Browser security. 
Patrick is a regular speaker and trainer at various security conferences around the globe, including BlackHat USA, OffensiveCon, REcon, RingZer0, PoC, ToorCon, hack.lu, NorthSec, SSTIC, and others.", "public_name": "Patrick Ventuzelo", "guid": "268befcc-acd6-5351-9f70-64e8f12ac2fb", "url": "https://pretalx.com/hack-lu-2023/speaker/DCZQNF/"}, {"code": "DE9JWZ", "name": "Tanguy Laucournet", "avatar": "https://pretalx.com/media/avatars/DE9JWZ_Px4NuZ2.webp", "biography": "Tanguy is a security engineer currently working as a Blockchain/OSINT expert at FuzzingLabs. He has four years of hands-on experience in blockchain technology, gained through multiple projects at leading tech companies and French research institutions. In addition to his expertise in blockchain, Tanguy possesses a deep knowledge of OSINT. At FuzzingLabs, he focuses on developing tools to facilitate investigations, profiling, and de-anonymization related to blockchains. Tanguy is also exploring the use of new Web3 protocols such as IPFS, with the aim of deepening our understanding of these emerging technologies.", "public_name": "Tanguy Laucournet", "guid": "e0a1753c-27f1-5eb8-ad70-c2b34e8f7902", "url": "https://pretalx.com/hack-lu-2023/speaker/DE9JWZ/"}, {"code": "UDHBEK", "name": "Mohammed Benhelli", "avatar": "https://pretalx.com/media/avatars/UDHBEK_uI0q0X4.webp", "biography": "Intern at FuzzingLabs and student at 2600.", "public_name": "Mohammed Benhelli", "guid": "d75917b2-70e8-54ba-9dc9-6c9bbd194b0c", "url": "https://pretalx.com/hack-lu-2023/speaker/UDHBEK/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/7KYDJW/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/7KYDJW/", "attachments": []}], "Echternach&Diekirch": [{"guid": "373038a0-8a3c-5ab2-bf75-3ffb9bb76b9a", "code": "UDFFNS", "id": 32590, "logo": null, "date": "2023-10-17T10:30:00+02:00", "start": "10:30", "duration": "01:30", "room": "Echternach&Diekirch", "slug": 
"hack-lu-2023-32590-0-dismantle-the-bomb", "url": "https://pretalx.com/hack-lu-2023/talk/UDFFNS/", "title": "Dismantle the bomb", "subtitle": "", "track": "hack.lu", "type": "Workshop", "language": "en", "abstract": "Stop the countdown timer and dismantle the bomb by cutting the correct cable.", "description": "In a 90-minute workshop a team of max. 5 persons can enter the room. During the first 15 minutes they will receive a briefing on the mission. The countdown timer starts the mission (75 minutes)\nThe goal is to stop the countdown timer connected to a bomb fixed on a 10l white paint bucket", "recording_license": "", "do_not_record": false, "persons": [{"code": "ZTMXFW", "name": "Stijn Tomme", "avatar": "https://pretalx.com/media/avatars/ZTMXFW_uIVfOdZ.webp", "biography": "Trying to combine fun and security", "public_name": "Stijn Tomme", "guid": "72d4eecd-fd65-583c-ac6c-539924adfa0d", "url": "https://pretalx.com/hack-lu-2023/speaker/ZTMXFW/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/UDFFNS/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/UDFFNS/", "attachments": []}, {"guid": "93c48ccc-b582-589f-82d7-506f8ff5e684", "code": "UDFFNS", "id": 32590, "logo": null, "date": "2023-10-17T14:00:00+02:00", "start": "14:00", "duration": "01:30", "room": "Echternach&Diekirch", "slug": "hack-lu-2023-32590-1-dismantle-the-bomb", "url": "https://pretalx.com/hack-lu-2023/talk/UDFFNS/", "title": "Dismantle the bomb", "subtitle": "", "track": "hack.lu", "type": "Workshop", "language": "en", "abstract": "Stop the countdown timer and dismantle the bomb by cutting the correct cable.", "description": "In a 90-minute workshop a team of max. 5 persons can enter the room. During the first 15 minutes they will receive a briefing on the mission. 
The countdown timer starts the mission (75 minutes).\nThe goal is to stop the countdown timer connected to a bomb fixed on a 10l white paint bucket", "recording_license": "", "do_not_record": false, "persons": [{"code": "ZTMXFW", "name": "Stijn Tomme", "avatar": "https://pretalx.com/media/avatars/ZTMXFW_uIVfOdZ.webp", "biography": "Trying to combine fun and security", "public_name": "Stijn Tomme", "guid": "72d4eecd-fd65-583c-ac6c-539924adfa0d", "url": "https://pretalx.com/hack-lu-2023/speaker/ZTMXFW/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/UDFFNS/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/UDFFNS/", "attachments": []}, {"guid": "ecc9f035-3006-557d-acd6-f030d3ff1c03", "code": "UDFFNS", "id": 32590, "logo": null, "date": "2023-10-17T16:30:00+02:00", "start": "16:30", "duration": "01:30", "room": "Echternach&Diekirch", "slug": "hack-lu-2023-32590-2-dismantle-the-bomb", "url": "https://pretalx.com/hack-lu-2023/talk/UDFFNS/", "title": "Dismantle the bomb", "subtitle": "", "track": "hack.lu", "type": "Workshop", "language": "en", "abstract": "Stop the countdown timer and dismantle the bomb by cutting the correct cable.", "description": "In a 90-minute workshop, a team of max. 5 persons can enter the room. During the first 15 minutes they will receive a briefing on the mission. 
The countdown timer starts the mission (75 minutes).\nThe goal is to stop the countdown timer connected to a bomb fixed on a 10l white paint bucket", "recording_license": "", "do_not_record": false, "persons": [{"code": "ZTMXFW", "name": "Stijn Tomme", "avatar": "https://pretalx.com/media/avatars/ZTMXFW_uIVfOdZ.webp", "biography": "Trying to combine fun and security", "public_name": "Stijn Tomme", "guid": "72d4eecd-fd65-583c-ac6c-539924adfa0d", "url": "https://pretalx.com/hack-lu-2023/speaker/ZTMXFW/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/UDFFNS/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/UDFFNS/", "attachments": []}], "Hollenfels": [{"guid": "efb44180-16bc-53ae-8057-15a6466f4cc1", "code": "UUS37B", "id": 33988, "logo": null, "date": "2023-10-17T09:00:00+02:00", "start": "09:00", "duration": "03:00", "room": "Hollenfels", "slug": "hack-lu-2023-33988-three-ways-to-reverse-engineering-cryptographic-functions", "url": "https://pretalx.com/hack-lu-2023/talk/UUS37B/", "title": "Three Ways to Reverse-Engineering Cryptographic Functions", "subtitle": "", "track": "cti-summit", "type": "Training", "language": "en", "abstract": "On the basis of a proprietary crypto library that was used for \"securely\" storing medical history, I would like to give an introduction to reverse engineering cryptographic functions using three different approaches: black box, dynamic instrumentation with Frida, and static analysis with Ghidra.", "description": "Outline:\n\n  0. Environment: We have an encryption tool, some libraries and an already encrypted secret file.\n\n  1. Black box: Just by using the encryption tool, what can we infer about the used primitives, keys, IVs etc.? Misusing the issues and stream cipher properties, we can even get parts of the keystream and start decrypting content.\n  \n  2. 
Dynamic analysis with Frida: By hooking the right OLE functions, we understand what library calls are used and what the obfuscated static passphrase is, that the application uses.\n  \n  3. Static analysis with Ghidra: To confirm our assumptions about the primitives and to understand the key derivation, we dive into the libraries with Ghidra, detect indicators for common crypto and reconstruct what they do.\n  \n  4. In the end, we can implement a version of the cryptographic function including the key derivation in python, and reverse it to decrypt the secret file.\n\n\nTarget audience: People interested in reverse engineering with some prior understanding but no required experience in the field. Some programming experience assumed (C++ or similar for understanding objects in ghidra, python for the script at the end, JavaScript for Frida).\n\n\nSoftware requirements: Windows (VM) with admin rights, python, Frida and Ghidra installed\n -- or --\nVirtualBox and about 50 GB of free space to use a provided VM", "recording_license": "", "do_not_record": true, "persons": [{"code": "B3VXYE", "name": "Finn Steglich", "avatar": "https://pretalx.com/media/avatars/B3VXYE_Jkj5dwT.webp", "biography": "Finn Steglich works as penetration tester for 12 years now, currently with ETAS (Bosch Group) in Stuttgart, Germany for Bosch in-house projects. He is usually working on mobile apps, Windows privilege escalation, strange binary protocols and very old client applications in an attempt to decrypt company secrets. He did live hacking presentations on several not-so-technical events, held some corporate workshops about AD and Windows security and likes to do actual live demos a lot. 
When he started with reverse engineering, he really would have preferred to have attended a workshop like this but couldn't find any.", "public_name": "Finn Steglich", "guid": "fd66173e-4529-59da-b4d1-1d9c31ac7bfc", "url": "https://pretalx.com/hack-lu-2023/speaker/B3VXYE/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/UUS37B/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/UUS37B/", "attachments": []}, {"guid": "f7c4657d-6fa4-52b6-9883-c57d0c9ffe80", "code": "GAKCQP", "id": 37541, "logo": null, "date": "2023-10-17T14:00:00+02:00", "start": "14:00", "duration": "04:00", "room": "Hollenfels", "slug": "hack-lu-2023-37541-customize-your-own-command-control-design-and-code-your-own-implant-in-a-real-infrastructure", "url": "https://pretalx.com/hack-lu-2023/talk/GAKCQP/", "title": "Customize Your Own Command & Control: Design and Code Your Own Implant in a Real Infrastructure", "subtitle": "", "track": "cti-summit", "type": "Training", "language": "en", "abstract": "Command & Control is a cornerstone of any attacker's infrastructure, whether they are affiliated with state actors (APTs), cybercriminals, or legitimate Red Team operators.\n\n\"Customize Your Own C&C\" is a 4-hour workshop designed for those interested in quickly diving into the world of Command & Control design and architecture, and learning how to develop their own implant using a well-known open-source framework.\n\nIn this bring-your-own-laptop workshop, participants will have the opportunity to learn about the architecture and design of a well-known open-source framework as an example. They will also receive a comprehensive, hands-on introduction to designing a simple custom implant. 
This will involve working with two already prepared virtual machines and culminating in the creation of their own integrated x64 implant (utilizing a C++/Python wrapper)", "description": "Command & Control is a cornerstone of any attacker's infrastructure, whether they are affiliated with state actors (APTs), cybercriminals, or legitimate Red Team operators.\n\n\"Customize Your Own C&C\" is a 4-hour workshop designed for those interested in quickly diving into the world of Command & Control design and architecture, and learning how to develop their own implant using a well-known open-source framework.\n\nIn this bring-your-own-laptop workshop, participants will have the opportunity to learn about the architecture and design of a well-known open-source framework as an example. They will also receive a comprehensive, hands-on introduction to designing a simple custom implant. This will involve working with two already prepared virtual machines and culminating in the creation of their own integrated x64 implant (utilizing a C++/Python wrapper)", "recording_license": "", "do_not_record": true, "persons": [{"code": "VUVGSV", "name": "Guillaume Prigent", "avatar": "https://pretalx.com/media/avatars/VUVGSV_B0P0d7s.webp", "biography": "Guillaume is a digital freethinker and an expert in cyber security. Co-founder of DIATEAM, Guillaume started out as an engineer in information systems security, and has been working in the digital security for 25 years now. He has developed many \"proofs of concept\" and some tools like netglub, ipmorph, hynesim and also gives talks and classes in many engineering schools (ENIB, ENSIETA, ESM Saint-Cyr, ...). 
Guillaume is the author of several papers on security, and is a frequent speaker and/or attendee at security and testing conferences such as SSTIC, HITB, HACK.LU, FRHACK, ...", "public_name": "Guillaume Prigent", "guid": "ea162996-2913-5948-8035-c6c3e78b8cc8", "url": "https://pretalx.com/hack-lu-2023/speaker/VUVGSV/"}, {"code": "ZBCGZM", "name": "Adrien Barchapt-Perrot", "avatar": "https://pretalx.com/media/avatars/ZBCGZM_Eysjrn6.webp", "biography": "Adrien BARCHAPT-PERROT is the RedTeam leader at DIATEAM.  Working in the field of offensive cybersecurity for 10 years, he is particularly interested and involved in the development of customized implants and the bypassing of defense systems.", "public_name": "Adrien Barchapt-Perrot", "guid": "0625e87f-1283-5e40-ade6-6c3ddd9cf17c", "url": "https://pretalx.com/hack-lu-2023/speaker/ZBCGZM/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/GAKCQP/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/GAKCQP/", "attachments": []}], "Vianden&Wiltz": [{"guid": "c572768d-a6b4-53e3-86eb-560e87c0f6bf", "code": "XTDTNH", "id": 31688, "logo": null, "date": "2023-10-17T14:00:00+02:00", "start": "14:00", "duration": "02:00", "room": "Vianden&Wiltz", "slug": "hack-lu-2023-31688-an-introduction-to-arm64-assembly-and-shellcode", "url": "https://pretalx.com/hack-lu-2023/talk/XTDTNH/", "title": "An Introduction to ARM64 Assembly and Shellcode", "subtitle": "", "track": "cti-summit", "type": "Training", "language": "en", "abstract": "An Introduction to ARM64 Assembly and Shellcode is a workshop for those interested in getting a quick start into the world of 64-bit ARM binary exploitation. 
ARM64 is in several ways vastly different than ARM32.\n\nIn this bring-your-own-laptop workshop, participants will get to learn the key differences between ARM32 and ARM64 from an assembly language perspective, get some hands-on introduction to writing simple ARM64 assembly code, working with a debugging environment and concluding with writing their own ARM64 shellcode.", "description": "AN INTRODUCTION TO ARM64 ASSEMBLY AND SHELLCODE\n\nWORKSHOP AGENDA\n- An introduction to ARM64 architecture and assembly\n- Working with an emulated ARM64 instance\n- Fundamental differences between ARM32 and ARM64 assembly\n- The 64-bit process memory layout and addressing\n- The ARM64 debugging environment\n- Exploring memory corruption bugs on ARM64\n- Practical ARM64 shellcode\n\nTo participate interactively in this hands-on workshop, please bring with you:\n- A Linux/macOS system with Docker installed and running\n\nTo make the most out of the workshop, it would be awesome if you have:\n- Familiarity with Intel x86 or ARM32 Assembly Language\n- Basic experience with disassembly and reverse engineering\n- A working knowledge of GDB\n- The ability to write simple Python scripts", "recording_license": "", "do_not_record": false, "persons": [{"code": "EFQREF", "name": "Saumil Shah", "avatar": "https://pretalx.com/media/avatars/EFQREF_kGZtCvF.webp", "biography": "Saumil is an internationally recognised speaker and instructor, having regularly presented at conferences like Blackhat, RSA, CanSecWest, PacSec, EUSecWest, Hack.lu, Hack-in-the-Box, Deepsec, No Hat and others. He has authored two books titled \u201cWeb Hacking: Attacks and Defense\u201d and \u201cThe Anti-Virus Book\u201d.\n\nSaumil graduated with an M.S. in Computer Science from Purdue University, USA and a B.E. in Computer Engineering from Gujarat University. 
He spends his leisure time breaking software, flying kites, traveling around the world, and taking pictures", "public_name": "Saumil Shah", "guid": "761298a0-ecc5-5218-9993-befa88300221", "url": "https://pretalx.com/hack-lu-2023/speaker/EFQREF/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/XTDTNH/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/XTDTNH/", "attachments": []}, {"guid": "3e028446-70e6-5510-beda-384fba47cb12", "code": "GL99GV", "id": 33995, "logo": null, "date": "2023-10-17T16:30:00+02:00", "start": "16:30", "duration": "02:00", "room": "Vianden&Wiltz", "slug": "hack-lu-2023-33995-using-systematic-code-reuse-analysis-to-create-robust-yara-rules", "url": "https://pretalx.com/hack-lu-2023/talk/GL99GV/", "title": "Using systematic code reuse analysis to create robust YARA rules", "subtitle": "", "track": "cti-summit", "type": "Training", "language": "en", "abstract": "YARA is a commonly used tool to detect and identify malware. There are roughly two types of YARA rules used on binary files: 1) based on metadata and strings and 2) based on code.\nThere are certain benefits by basing YARA rules on code. Since code reuse is frequent amongst binaries of a malware family, it offers plenty of options to base a YARA rule on. If the chosen code is heavily reused amongst the binaries, then it can result in very robust rules.\nThis approach comes with certain challenges. A key aspect is being able to find heavily reused code amongst many binaries of a malware family. Unless some sort of automation is at play, this quickly becomes difficult and time-consuming. 
Once suitable reused code is identified, it needs to be turned into a YARA rule, so that it works even when compiler differences, optimizations or instruction set changes are involved.\nIn this workshop we will create robust YARA rules for a handful of malware families based on automatically identifying shared code between many binaries of a family.", "description": "**Required prior knowledge**\n\nThis workshop is tailored to cybersecurity practitioners that either actively create\nmalware detection and identification rules with YARA or intend to start doing so.\nParticipants must be familiar with:\n\n- Basic understanding of YARA rules\n- Basic knowledge of static binary analysis with disassemblers\n- Basic knowledge of the x86/x64 instruction set\n\n**Required system setup**\n- Recommended OS: Ubuntu\n- CPU Arch: Intel 32/64-bit (ARM not supported)\n- Minimum of 8GB RAM, 16GB recommended\n- Minimum of 100GB free disk space, 150GB recommended\n\n**Background**\n\nYARA is a commonly used tool to detect and identify malware. There are roughly two\ntypes of YARA rules used on binary files: 1) based on metadata and strings and 2)\nbased on code / instruction sequences.\nThere are benefits to basing YARA rules on code. Since code reuse is frequent\namongst binaries of a malware family, it offers plenty of options to base a YARA rule\non. If the chosen code is stable across multiple variants of a malware, then it can\nresult in very robust rules.\nThis approach comes with certain challenges. A key aspect is being able to find\nstable / heavily reused code amongst many binaries of a malware family. Unless some sort of automation is at play, this quickly becomes difficult and time-consuming. 
Once suitable reused code is identified, it needs to be turned into a YARA rule, so that it works even when compiler differences, optimizations or instruction set changes are involved.\nAddressing these challenges and adding some automation along the way enables\nthe creation of robust YARA rules with less manual effort.\n\n**Workshop content**\n\nThe goal of this workshop is to create robust YARA rules for a handful of malware\nfamilies based on automatically identifying shared code between many binaries of a\nfamily.\n\nThe approach includes the following parts:\n\n- Study a set of good and bad examples of existing YARA rules to provide\nsome background.\n- Pre-process a set of malware binaries, as well as goodware binaries to make\ntheir code searchable on the granularity of a function.\n- We automatically identify which functions are reused frequently for a malware\nfamily.\n- We need to exclude functions that are part of compilers, libraries or other\nmalware families to avoid creating false positives.\n- From the set of reused functions, we will extract instruction sequences to\ncreate YARA rules with.\n- We will vet our new rules against the corpus of binaries to check for false\npositives and adjust the rule creation accordingly.\n\nWe will look at the following real-world challenges:\n\n- All binaries share library code from the compiler or 3rd party libraries. This\ncode is not useful for malware identification and will need to be filtered out\nduring the process.\n- How to reliably generate a YARA rule from a set of instruction sequences.\n- We need to make choices on how many and which instructions of a function\nand how many functions in total we want to consider building a YARA rule. A\ngood balance has to be found.\n- The quality of the function similarity algorithm is crucial in finding the right\nmatches. 
Especially since compiler versions, compiler optimization flags and\ninstruction set differences have to be considered.\n- The quality of the disassembler in detecting functions and their content\nstrongly influences the quality of results.\n\nDuring the workshop, we will be exclusively using open source tools and a set of\npublicly available binaries in unpacked form.\n\nThe takeaways for the participants of this workshop are:\n\n- Understanding the differences between good and bad YARA rules, be it\nbased on code or based on strings/metadata.\n- Understanding the code reuse approach to YARA rules writing, with its\nbenefits and challenges.\n- Understanding of the tooling required to identify code reuse over many\nbinaries.\n- Understanding how to apply this process to real-world malware.", "recording_license": "", "do_not_record": true, "persons": [{"code": "D7HLMR", "name": "Jonas Wagner", "avatar": "https://pretalx.com/media/avatars/D7HLMR_xfG6bqw.webp", "biography": "Jonas Wagner is the founder and CTO of Threatray and has built the technological foundation of its code search engine based on years of research and development. He holds a Masters Degree in Cybersecurity from the Bern University of Applied Sciences. He has previously spoken at botconf, FIRST CTI, BSides Z\u00fcrich, DFRWS and many private events.", "public_name": "Jonas Wagner", "guid": "3b92a526-b899-51e0-ad4f-f1497294ad2a", "url": "https://pretalx.com/hack-lu-2023/speaker/D7HLMR/"}, {"code": "D9KRG8", "name": "Carlos Rubio Ricote", "avatar": null, "biography": "Carlos Rubio Ricote is a malware researcher at Threatray, where he is mainly responsible for reverse engineering malware to automate the detection process of new threats. In addition to researching new applications for code reuse technology that can help in different areas such as threat hunting, incident response, tracking the evolution of malware families, among others. 
He previously worked on reverse-engineering malware at Blueliv, S21sec Counter Threat Intelligence Unit and in the Panda Security Adaptive Defense team. He has previously spoken at Botconf (2022, 2019), BSides Z\u00fcrich 2022, Virus Bulletin localhost 2020, as well as many closed-door private conferences.", "public_name": "Carlos Rubio Ricote", "guid": "883d1b97-d5f5-59c1-8877-63a69f19d38a", "url": "https://pretalx.com/hack-lu-2023/speaker/D9KRG8/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/GL99GV/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/GL99GV/", "attachments": []}]}}, {"index": 3, "date": "2023-10-18", "day_start": "2023-10-18T04:00:00+02:00", "day_end": "2023-10-19T03:59:00+02:00", "rooms": {"Salle Europe": [{"guid": "84d0172b-cd6b-5c1c-a89c-cb7ae923dffe", "code": "TEUHBF", "id": 37540, "logo": null, "date": "2023-10-18T09:00:00+02:00", "start": "09:00", "duration": "00:30", "room": "Salle Europe", "slug": "hack-lu-2023-37540-how-digital-technologies-are-redefining-warfare-and-why-it-matters", "url": "https://pretalx.com/hack-lu-2023/talk/TEUHBF/", "title": "How Digital Technologies are Redefining Warfare and Why It Matters", "subtitle": "", "track": "hack.lu", "type": "Talk", "language": "en", "abstract": "Cyber capabilities have been used for military purposes for more than two decades. But the digital operational area of States is no longer limited to cyber operations. In line with the global trend toward digitalization of our societies, armed forces around the world are developing innovative strategies to exploit the digital sphere in more complex ways than ever before. As a result of these developments, the line between civilians and combatants as well as between civilian objects and military targets, is in danger of becoming blurred. In particular, it is now easier than ever to involve civilians in military cyber operations and to harm them using these means. 
And the more the military is relying on cables, satellites or clouds that are originally designed for civilian use, the more likely it becomes that this infrastructure will be exposed to harm during armed conflicts, with significant adverse consequences on civilians.", "description": "Cyber capabilities have been used for military purposes for more than two decades. But the digital operational area of States is no longer limited to cyber operations. In line with the global trend toward digitalization of our societies, armed forces around the world are developing innovative strategies to exploit the digital sphere in more complex ways than ever before. As a result of these developments, the line between civilians and combatants as well as between civilian objects and military targets, is in danger of becoming blurred. In particular, it is now easier than ever to involve civilians in military cyber operations and to harm them using these means. And the more the military is relying on cables, satellites or clouds that are originally designed for civilian use, the more likely it becomes that this infrastructure will be exposed to harm during armed conflicts, with significant adverse consequences on civilians.", "recording_license": "", "do_not_record": false, "persons": [{"code": "JJXZEU", "name": "Mauro Vignati", "avatar": "https://pretalx.com/media/avatars/JJXZEU_7HxoD2o.webp", "biography": "In 2003 Mauro Vignati started working at the first unit of the Swiss Federal Police fighting cybercrime. Later on, he collaborated to the establishment of MELANI, Switzerland's first centre for public-private partnership on cybersecurity for critical infrastructure. Back in 2013, he set up and led the Cyber Threat Intelligence Division within the Department of Defence in Bern. 
In 2021, he was tasked to create the Vulnerability Management unit within the National Cyber Security Centre NCSC.ch, established to manage vulnerabilities, and lead several projects testing the security of the government infrastructure. He then joined the International Committee of the Red Cross one year later, as advisor on new digital technologies of warfare.", "public_name": "Mauro Vignati", "guid": "03503d2a-c05b-52da-95b8-746b55b7ede8", "url": "https://pretalx.com/hack-lu-2023/speaker/JJXZEU/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/TEUHBF/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/TEUHBF/", "attachments": []}, {"guid": "ee658f98-3fe1-5c5d-ac20-310d2b6df9c7", "code": "ZBRV3J", "id": 33828, "logo": null, "date": "2023-10-18T09:30:00+02:00", "start": "09:30", "duration": "00:30", "room": "Salle Europe", "slug": "hack-lu-2023-33828-ongoing-evileye-campaigns-targeting-ccp-adversaries", "url": "https://pretalx.com/hack-lu-2023/talk/ZBRV3J/", "title": "Ongoing EvilEye Campaigns Targeting CCP Adversaries", "subtitle": "", "track": "hack.lu", "type": "Talk", "language": "en", "abstract": "Volexity has recently uncovered ongoing campaigns by EvilEye, a Chinese state-backed threat actor, targeting three of the five groups the Chinese Communist Party (CCP) refers to as the \u201cFive Poisons\u201d. The targeted groups are members of the Tibetan community, the Uyghur ethnic group, and Taiwanese nationals. Volexity's research has identified both currently active and historic activity for these campaigns. Volexity also identified related campaigns from this threat actor specifically targeting the Uyghur ethnic group back in 2019 and 2020. \nThe ongoing campaigns consist of two elements, malicious mobile applications and fake websites, which are created by the attacker to facilitate exploitation of end users by way of zero or n-day exploits. 
The three Android malware families being deployed include new versions of BADBAZAAR, as well as two previously undocumented families. In addition to these Android malware families, there is compelling evidence that EvilEye has developed an iOS implant and tried to distribute it via the Apple App Store.\nThis presentation outlines the current, ongoing campaigns; delves into the technical details of the Android malware families involved; discusses the threat actor's command-and-control (C2) infrastructure and configuration; and reveals how the threat actor builds communities to distribute their malware through trusted platforms. The presentation also explores overlaps between the campaigns and explains links to historic activity.", "description": "Everything is in the abstract.", "recording_license": "", "do_not_record": false, "persons": [{"code": "9D8VMP", "name": "Rascagneres Paul", "avatar": "https://pretalx.com/media/avatars/9D8VMP_w8IconQ.webp", "biography": "Paul Rascagneres is a principal threat researcher at Volexity. He performs investigations to identify new threats. He has presented his findings in several publications and at international security conferences. 
He has been involved in security research for 10 years, mainly focusing on malware analysis, malware hunting, and more specifically on advanced persistent threat (APT) campaigns and rootkit capabilities.", "public_name": "Rascagneres Paul", "guid": "8ee457e1-e607-5ac3-a374-136f21c91897", "url": "https://pretalx.com/hack-lu-2023/speaker/9D8VMP/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/ZBRV3J/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/ZBRV3J/", "attachments": []}, {"guid": "814585c4-50dd-5368-af81-34e0f8fcfcaa", "code": "JXGQJJ", "id": 31837, "logo": null, "date": "2023-10-18T10:00:00+02:00", "start": "10:00", "duration": "00:30", "room": "Salle Europe", "slug": "hack-lu-2023-31837-defeating-vpn-always-on", "url": "https://pretalx.com/hack-lu-2023/talk/JXGQJJ/", "title": "Defeating VPN Always-On", "subtitle": "", "track": "hack.lu", "type": "Talk", "language": "en", "abstract": "VPN Always-On is a security control that can be deployed to mobile endpoints that remotely access corporate resources through VPN. It is designed to prevent data leaks and narrow the attack surface of enrolled end-user equipment connected to untrusted networks. When it is enforced, the mobile device can only reach the VPN gateway and all connections are tunnelled.\n\nWe will review the relevant Windows API, the practicalities of this feature, look at popular VPN software; we will then consider ridiculously complex exfil methods and... finally bypass it with unexpectedly trivial tricks. We will exploit design, implementation and configuration issues to circumvent this control in offensive scenarios. We will then learn how to fix or harden VPN Always-On deployment to further limit the risks posed by untrusted networks.", "description": "This talk is more than just the outcome of my technical research against one particular network security feature. 
It is an attempt to fully embrace the hacker spirit through the revolt against Control, the unreasonable time trying to understand the technological subtleties and finally the sharing of beautifully simple techniques to break free.", "recording_license": "", "do_not_record": false, "persons": [{"code": "7RVWWZ", "name": "Maxime Clementz", "avatar": "https://pretalx.com/media/avatars/7RVWWZ_Qyxeh1w.webp", "biography": "Maxime Clementz is a Senior Manager within the Cybersecurity Advisory team of PwC Luxembourg. He develops his ethical hacker skills by committing himself to various assignments for big companies, banks and European institutions. As a technical specialist, he leads penetration tests, red-teaming, digital forensics and incident response missions.\nHe contributes to the development of the team\u2019s hacking capabilities by sharing the results of his technology watch and R&D and is now leading the CSIRT and Threat Intelligence initiatives of PwC Luxembourg. He especially enjoys sharing knowledge by presenting the results of each mission or by giving talks (Hack.lu 2012, 2015, 2017) and training courses. 
Maxime teaches IT security at a French engineering school and organizes a Capture the Flag event for the students.", "public_name": "Maxime Clementz", "guid": "87203f2c-fc50-5441-912b-1720a1ddcc02", "url": "https://pretalx.com/hack-lu-2023/speaker/7RVWWZ/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/JXGQJJ/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/JXGQJJ/", "attachments": []}, {"guid": "4fdf3ed0-4bfe-5973-ab02-bb9f05b4580f", "code": "JTAB9A", "id": 33819, "logo": null, "date": "2023-10-18T10:30:00+02:00", "start": "10:30", "duration": "00:30", "room": "Salle Europe", "slug": "hack-lu-2023-33819-the-renaissance-of-cyber-physical-offensive-capabilities", "url": "https://pretalx.com/hack-lu-2023/talk/JTAB9A/", "title": "The Renaissance of Cyber Physical Offensive Capabilities", "subtitle": "", "track": "hack.lu", "type": "Talk", "language": "en", "abstract": "Since the beginning of the Ukrainian invasion, we have seen a renaissance of innovation making threats to operational technology (OT) systems more streamlined than ever before. Such activity is reflected in a quick turnaround in the development of malware and capabilities to target OT systems. In this talk, I will provide an overview of the evolution of OT threats since the eve of Ukraine\u2019s invasion and discuss its implications for defenders. Among other topics, I will share recent findings about documentation hinting on Russia\u2019s development of OT cyber capabilities, and newly disclosed OT malware families such as INCONTROLLER, INDUSTROYER.V2 and COSMICENERGY.", "description": "For the last ten years we have seen a fast evolving operational technology (OT) security community learning about cyber physical attacks and how to defend against them. However, since the beginning of the conflict in Ukraine, we have seen a twist in the OT threat landscape. 
A renaissance or breakthrough period of innovation is making threats to cyber physical systems more streamlined and common than ever before.\n\nDuring the conflict, we have observed the intensification of threat activity coming from different fronts, including criminals, hacktivists, and nation-states. Such activity has resulted in a quick turnaround in the development of malware and capabilities to target OT systems. In this talk, I will provide an overview of the evolution of OT threats focusing primarily on new capabilities we have observed since the eve of Ukraine\u2019s invasion. \n\nAmong other things, I will discuss recent leaked documents hinting on Russia\u2019s development of OT cyber capabilities, and the recent disclosure of highly specialized malware including INDUSTROYER2, INCONTROLLER, and most recently COSMICENERGY. Using our findings, I will also discuss the implications for defenders in the light of this new era of discovery of cyber physical offensive capabilities.", "recording_license": "", "do_not_record": false, "persons": [{"code": "UBEEEP", "name": "Daniel Kapellmann Zafra", "avatar": "https://pretalx.com/media/avatars/UBEEEP_xHOmMco.webp", "biography": "Analysis Manager for Google Mandiant where he oversees the strategic coverage of cyber physical threat intelligence and information operations. He also coordinates the development of solutions to collect and analyze data. He is a frequent speaker on ICS/OT topics at international conferences and collaborates as international liaison for the ICS Joint Working Group Steering Team from CISA. As a former Fulbright scholar from Mexico, he holds a master\u2019s degree from the University of Washington specialized in Information Security and Risk Management. 
In 2017, he was awarded first place at Kaspersky Academy Talent Lab's competition for designing an application to address security beyond anti-virus.", "public_name": "Daniel Kapellmann Zafra", "guid": "6150c829-e7e9-58e6-8277-1d195184de91", "url": "https://pretalx.com/hack-lu-2023/speaker/UBEEEP/"}], "links": [{"title": "COSMICENERGY: New OT Malware Possibly Related To Russian Emergency Response Exercises", "url": "https://www.mandiant.com/resources/blog/cosmicenergy-ot-malware-russian-response", "type": "related"}, {"title": "Contracts Identify Cyber Operations Projects from Russian Company NTC Vulkan", "url": "https://www.mandiant.com/resources/blog/cyber-operations-russian-vulkan", "type": "related"}], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/JTAB9A/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/JTAB9A/", "attachments": []}, {"guid": "f6fb5ecb-794f-575f-bb6e-d1d5d847c334", "code": "QYPDSN", "id": 31211, "logo": null, "date": "2023-10-18T11:00:00+02:00", "start": "11:00", "duration": "00:45", "room": "Salle Europe", "slug": "hack-lu-2023-31211-introduction-to-cyberwarfare-theory-and-practice", "url": "https://pretalx.com/hack-lu-2023/talk/QYPDSN/", "title": "Introduction to cyberwarfare: theory and practice", "subtitle": "", "track": "hack.lu", "type": "Talk", "language": "en", "abstract": "This talk presents a strict analysis of technology, policy, international law, and cyberwarfare, focusing on the realities of armed conflict in cyberspace. Ukraine and other events in Central Eastern Europe will provide food for thought and a case study. The main premise is grounded in sound analysis of rules, strategies, and the mechanics of conflicts. \n\nSome relevant points to consider follow. What\u2019s the relevance to the armed conflict areas? What\u2019s the relevance to the countries non-neutral in a conflict? Should companies prepare in any way, and if so, how? 
Are there particular risks to IT companies, IT administrators, developers, software engineers, security engineers?", "description": "This talk presents a strict analysis of technology, policy, international law, and cyberwarfare, focusing on the realities of armed conflict in cyberspace. Ukraine and other events in Central Eastern Europe will provide food for thought and a case study. The main premise is grounded in sound analysis of rules, strategies, and the mechanics of conflicts. \n\nSome relevant points to consider follow. What\u2019s the relevance to the armed conflict areas? What\u2019s the relevance to the countries non-neutral in a conflict? Should companies prepare in any way, and if so, how? Are there particular risks to IT companies, IT administrators, developers, software engineers, security engineers?\n\nThe Ukraine war highlights the importance of cyberwarfare. Yet, the reality may appear different from prior conceptions or expectations.", "recording_license": "", "do_not_record": true, "persons": [{"code": "MCMFZQ", "name": "Lukasz Olejnik", "avatar": "https://pretalx.com/media/avatars/MCMFZQ_VRhtyhg.webp", "biography": "Dr Lukasz\u00a0Olejnik\u00a0is an independent cybersecurity and privacy researcher and consultant, and a fellow of Geneva Academy of\u00a0International\u00a0Humanitarian Law and Human Rights.\n\nHe holds a Computer Science PhD from INRIA (France). He worked at CERN (European Organisation for Nuclear Research), and was a research associate at University College London. He was associated with Princeton's Center for Information Technology\u00a0Policy, with Oxford's Centre for Technology and Global\u00a0Affairs. Former cyberwarfare advisor at the\u00a0International\u00a0Committee of the Red Cross in Geneva, where he worked on the humanitarian consequences of cyber attacks. He authored scientific articles, op-eds, and a book. 
Former member of the W3C Technical Architecture Group.\n\nHis comments appeared in places such as Financial Times,\u00a0Washington\u00a0Post, New York Times, Wall Street Journal, Sueddeutsche Zeitung, El Pais, or Le Monde. He authored scientific publications, and opinion articles in venues like Wired or\u00a0Foreign\u00a0Policy.", "public_name": "Lukasz Olejnik", "guid": "3d7d5b96-5b6a-542f-8ff8-d685d0066cf6", "url": "https://pretalx.com/hack-lu-2023/speaker/MCMFZQ/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/QYPDSN/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/QYPDSN/", "attachments": []}, {"guid": "a9a1bcd9-0161-56ef-8f3e-eaf90efea3d1", "code": "GRKRS9", "id": 38142, "logo": null, "date": "2023-10-18T13:30:00+02:00", "start": "13:30", "duration": "00:05", "room": "Salle Europe", "slug": "hack-lu-2023-38142-you-can-learn-anything", "url": "https://pretalx.com/hack-lu-2023/talk/GRKRS9/", "title": "You can learn anything.", "subtitle": "", "track": "hack.lu lightning talk", "type": "Lightning talk", "language": "en", "abstract": "It's made possible by today's open-source community, and a vast number of people are now rethinking the way we learn. Let's engage with this!", "description": "Lightning", "recording_license": "", "do_not_record": false, "persons": [{"code": "3LW9XQ", "name": "Pauline Bourmeau (Cookie)", "avatar": "https://pretalx.com/media/avatars/3LW9XQ_fRZxzk4.webp", "biography": "Cookie has spent a long time fixing languages and bikes with very little money and great ingenuity, squatting university benches and corrupting teachers for beer. Working for the past four years as a Threat Analyst, she is also a trained linguist and former teacher who brings a unique perspective to her work by exploring and exploiting threats through criminology, social anthropology, philosophy, and psychology. 
She actively participates in the open-source community and promotes defensive security practices by training industry practitioners.", "public_name": "Pauline Bourmeau (Cookie)", "guid": "10de69af-653f-5e8e-bb87-6e0959bc187e", "url": "https://pretalx.com/hack-lu-2023/speaker/3LW9XQ/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/GRKRS9/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/GRKRS9/", "attachments": []}, {"guid": "7a243f26-2c9d-5eb1-9f08-90a4f836cca0", "code": "DZKRNU", "id": 38148, "logo": null, "date": "2023-10-18T13:35:00+02:00", "start": "13:35", "duration": "00:05", "room": "Salle Europe", "slug": "hack-lu-2023-38148-velocity-raptor-accelerating-velociraptor-hunting-with-tenzir-pipelines", "url": "https://pretalx.com/hack-lu-2023/talk/DZKRNU/", "title": "Velocity Raptor: Accelerating Velociraptor Hunting with Tenzir Pipelines", "subtitle": "", "track": "hack.lu lightning talk", "type": "Lightning talk", "language": "en", "abstract": "In this talk we showcase how to interact with a Velociraptor server from Tenzir pipelines, speeding up DFIR work by flexibly processing the output of hunts.", "description": "In this talk we showcase how to interact with a Velociraptor server from Tenzir pipelines, speeding up DFIR work by flexibly processing the output of hunts", "recording_license": "", "do_not_record": false, "persons": [{"code": "JE8PYG", "name": "Matthias Vallentin", "avatar": "https://pretalx.com/media/avatars/JE8PYG_V4399kY.webp", "biography": "Founder of Tenzir, building open source security data pipelines empowering threat hunters, detection engineers, and SOC analysts.", "public_name": "Matthias Vallentin", "guid": "5d66306d-7883-508b-9441-6d4483118504", "url": "https://pretalx.com/hack-lu-2023/speaker/JE8PYG/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/DZKRNU/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/DZKRNU/", "attachments": []}, {"guid": 
"4e17b74a-d54b-5985-b184-57e91d206540", "code": "XNQD37", "id": 38147, "logo": "https://pretalx.com/media/hack-lu-2023/submissions/XNQD37/Screenshot_2023-10-15_151051_yv8fpwf.png", "date": "2023-10-18T13:40:00+02:00", "start": "13:40", "duration": "00:05", "room": "Salle Europe", "slug": "hack-lu-2023-38147-tidemec-a-detection-engineering-platform-homegrown-at-the-european-commission", "url": "https://pretalx.com/hack-lu-2023/talk/XNQD37/", "title": "TIDeMEC : A Detection Engineering platform homegrown at the European Commission", "subtitle": "", "track": "hack.lu lightning talk", "type": "Lightning talk", "language": "en", "abstract": "Introducing \ud83c\udf0a**TIDeMEC** : _Threat Informed Detection Modelling and Engineering as Code_ , the platform powering DIGIT S2 CATCH Detection Engineering operations planned to go open source for the benefit of the European and beyond SOC community.", "description": "TIDeMEC is a platform that has been built for the better part of the past 2 years at the EC, and builds on top of years of astute observations of what goes **wrong** in the detection engineering field. It is an opinionated end-to-end platform, data model, framework and solution built on top of DevOps and as-code principles, with an emphasis on traceability, consistency, safety and automation. The data model of TIDeMEC scales from the input of a threat intelligence signal to the deployment of a detection rule whilst maintaining programmatic relations between actors, threat, detection objectives, and rules. 
We will also lay the plans for TIDeX , a potential exchange built on top of the TIDeMEC data objects with the vision to connect SOCs with precise and actionable knowledge objects.", "recording_license": "", "do_not_record": true, "persons": [{"code": "889AFY", "name": "Amine Besson", "avatar": "https://pretalx.com/media/avatars/889AFY_FIVaODL.webp", "biography": "Amine is a private contractor focused on designing and engineering large scalable detection systems for his clients, with a track record of innovative solutions deployed in critical sectors and challenging environments.", "public_name": "Amine Besson", "guid": "b0a27001-c8cf-5bab-b169-396d279c787a", "url": "https://pretalx.com/hack-lu-2023/speaker/889AFY/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/XNQD37/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/XNQD37/", "attachments": []}, {"guid": "99dd660b-8cad-5ba4-9f12-b25a9613817c", "code": "39NCZQ", "id": 38143, "logo": "https://pretalx.com/media/hack-lu-2023/submissions/39NCZQ/oie_transparent_8e3prkk.png", "date": "2023-10-18T13:45:00+02:00", "start": "13:45", "duration": "00:05", "room": "Salle Europe", "slug": "hack-lu-2023-38143-deming-isms-open-source", "url": "https://pretalx.com/hack-lu-2023/talk/39NCZQ/", "title": "Deming - ISMS Open Source", "subtitle": "", "track": "hack.lu lightning talk", "type": "Lightning talk", "language": "en", "abstract": "Deming is a tool for managing, planning, tracking and reporting the effectiveness of security controls.", "description": "Deming is an Open Source tool designed to help CISOs set up and maintain their information security management system. Using this application, CISOs can easily plan and track the implementation of security controls and the continuous improvement cycle required by ISO 27001. 
The application is designed to be easy to use and customize, with an intuitive user interface.", "recording_license": "", "do_not_record": false, "persons": [{"code": "F7ZBE7", "name": "Didier Barzin", "avatar": "https://pretalx.com/media/avatars/F7ZBE7_Bc65boE.webp", "biography": "Hi there, I'm Didier, a technology and information security enthusiast. I started my career as an information security Ninja, defending information systems against cyber threats using my Jedi skills. However, I also have another side to me that comes out at night, that of a benevolent hacker. I love using my skills to support the values of open source and firmly believe in them.", "public_name": "Didier Barzin", "guid": "d3a118b3-643b-5ff4-af7b-60610d893983", "url": "https://pretalx.com/hack-lu-2023/speaker/F7ZBE7/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/39NCZQ/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/39NCZQ/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2023/submissions/39NCZQ/resources/Hack.lu_Deming_2023_hxymp1k.pdf", "type": "related"}]}, {"guid": "59e84d55-bf32-5f79-a612-72e7e8f750df", "code": "BNJJVZ", "id": 38139, "logo": null, "date": "2023-10-18T13:50:00+02:00", "start": "13:50", "duration": "00:05", "room": "Salle Europe", "slug": "hack-lu-2023-38139-belgian-cyber-reserve-forces", "url": "https://pretalx.com/hack-lu-2023/talk/BNJJVZ/", "title": "Belgian Cyber Reserve Forces", "subtitle": "", "track": "hack.lu lightning talk", "type": "Lightning talk", "language": "en", "abstract": "Lightning Talk - A quick intro of the Belgian Military Cyber Reserve.", "description": "A quick intro of the Belgian Military Cyber Reserve.", "recording_license": "", "do_not_record": false, "persons": [{"code": "UCQ7F7", "name": "Christophe Vandeplas", "avatar": "https://pretalx.com/media/avatars/UCQ7F7_3WPCR8y.webp", "biography": "Christophe Vandeplas has multiple hats: a day job as incident responder at the NATO Cyber Security 
Centre, a side activity as Belgian Cyber Reservist and contributor to open source projects such as the MISP Threat Sharing Platform. His main contributions to the community were the creation of MISP, MISP-maltego, pystemon and the organisation of the FOSDEM conference for many years.\nHe also loves hiking, climbing on rocks and mountains, sailing the sea and enjoying the beauty of our nature.", "public_name": "Christophe Vandeplas", "guid": "4b7f0405-0e6f-508e-a9e8-f31db22506f2", "url": "https://pretalx.com/hack-lu-2023/speaker/UCQ7F7/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/BNJJVZ/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/BNJJVZ/", "attachments": []}, {"guid": "e7e0eb74-7519-5d4e-a589-10066133a464", "code": "Z7UP7B", "id": 38156, "logo": null, "date": "2023-10-18T13:55:00+02:00", "start": "13:55", "duration": "00:05", "room": "Salle Europe", "slug": "hack-lu-2023-38156-non-vulnerable-package-dependency-resolution", "url": "https://pretalx.com/hack-lu-2023/talk/Z7UP7B/", "title": "Non vulnerable package dependency resolution", "subtitle": "", "track": "hack.lu lightning talk", "type": "Lightning talk", "language": "en", "abstract": "Until now, two worlds have mostly ignored each other: the resolution of a software package dependency tree or graph to meet functional constraints, and the search for package versions that are not subject to known, published vulnerabilities (aka CVEs). What if we could combine the functional version range constraints from software developers with the known vulnerable version ranges from security specialists?", "description": "Software package ecosystems such as Maven, npm and PyPI as well as Linux distros define rich conventions to document package metadata and dependency relationships and constraints.\n\nVulnerability databases define which ranges of a package's versions are subject to a known vulnerability.\n\nUntil now, these contexts have been considered separately. 
\n- package management tools resolve the version expressions of a package's dependencies to concrete versions in order to install the selected versions. \n- security tools check if resolved package versions are affected by known vulnerabilities (even when integrated in a package management tool)\n\nThis leads to duplicated efforts and either to the resolution of a vulnerable dependency graph, or to vulnerability remediation that ignores functional constraints and may demand significant code refactoring.\n\nWe propose a new approach to resolve software package vulnerable version ranges and dependency version constraints together.\n\nThe obvious benefit is that you get both at once: non-vulnerable code and up-to-date code, and this is something that is not currently done by software package managers nor by security check tools. \n\nThis is made possible because of a universal syntax to identify packages called Package URL, a universal notation for version ranges that supports equally the functional constraints and the vulnerable ranges, and an on-demand dependency resolver that can use these as inputs. 
And also a vulnerability database that is keyed by Package URLs.", "recording_license": "", "do_not_record": false, "persons": [{"code": "JLACEF", "name": "Philippe Ombredanne", "avatar": "https://pretalx.com/media/avatars/JLACEF_BXUgb9X.webp", "biography": "I am a passionate FOSS hacker, lead maintainer of ScanCode, purlDB and VulnerableCode and on a mission to enable easier and safer reuse of FOSS code with best-in-class open source Software Composition Analysis (SCA) tools for open source discovery, license & security compliance at https://aboutcode.org\n\nI am also a co-founder of SPDX and the creator of Package URL (purl), a de-facto standard to identify packages in SBOMs, SCA tools and vulnerability databases used throughout the industry.", "public_name": "Philippe Ombredanne", "guid": "895d664f-7b0d-5f0d-8aa7-9089acbdc41c", "url": "https://pretalx.com/hack-lu-2023/speaker/JLACEF/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/Z7UP7B/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/Z7UP7B/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2023/submissions/Z7UP7B/resources/hack.lu-CTI-NVDR-2023-10-18-slides-v1_rglWLvZ.pdf", "type": "related"}]}, {"guid": "84b0c522-f23c-5936-a38d-97b4512afc43", "code": "JGQCU3", "id": 35678, "logo": null, "date": "2023-10-18T14:00:00+02:00", "start": "14:00", "duration": "00:30", "room": "Salle Europe", "slug": "hack-lu-2023-35678-embedded-threats-a-deep-dive-into-the-esim-world", "url": "https://pretalx.com/hack-lu-2023/talk/JGQCU3/", "title": "Embedded Threats: A Deep Dive into the eSIM World", "subtitle": "", "track": "hack.lu", "type": "Talk", "language": "en", "abstract": "With the increasing adoption of the embedded SIM (eSIM) or embedded Universal Integrated Circuit Card (eUICC), new connectivity opportunities and conveniences are emerging for users. However, with these advances emerge new potential vulnerabilities and security implications. 
This presentation will shed light on the yet unexplored attack surface of eSIM technology and highlight the potential risks and challenges of this now widely deployed technology. Support for eSIM is now available in modern mobile phones and also in popular desktop devices such as Lenovo Thinkpads running Microsoft Windows 10 and 11. By exploring the intricacies of eSIM security, we aim to raise awareness of the potential for offensive operations serving as technology but also in terms of post-compromise situations.", "description": "This talk is poised to be the 2023 continuation of a talk called \"Mobile Authentication Subspace Travel\"[^1] given in 2015 at different security conferences. The main point of this talk was to implement what is nowadays\ncalled an eSIM by patching the baseband of popular MediaTek phones and to explore the relation of mobile\nnetwork security, SIM card modules, and the baseband attack surface they pose.\nFast-forward to 2023, eSIMs are now a featured standard by the GSMA and present in all modern devices.\nOn top of this, they are now present on Desktop systems such as Microsoft Windows as well. \n\nThe talk will highlight the security aspects of eSIMs by covering the following topics:\n\n1. Overview of the eSIM attack surface in desktop systems and a comparison with mobile operating systems:\n\nWe will begin the talk with a comprehensive overview of the attack surface of eSIM technology in desktop systems, addressing the differences and similarities with mobile operating systems. This analysis will address the unique challenges and vulnerabilities that arise from the rather complex architecture and implementation of eSIMs on desktop and mobile platforms, and highlight the need for a comprehensive understanding of the potential risks in both environments. Especially the risks in a multi-user Enterprise environment will be covered.\n\n2. 
Secure deployment of eSIM profiles (from SM-DP+ to hardware eSIM):\n\nSecure deployment of eSIM profiles is a critical component of maintaining the overall security of the mobile networks, but also of the actual hardware devices as well as operating systems. We will discuss the process from the Subscription Manager - Data Preparation Plus (SM-DP+) server and how the profiles are deployed to the hardware eSIM. By examining key security measures and best practices to ensure the confidentiality, integrity, and availability of eSIM profiles throughout the deployment lifecycle, we will show potential risks arising from profiles originally intended for debugging purposes only and also test if the security mitigations intended by the GSMA to keep control over the eSIM ecosystem are actually effective.\n\n3. Attack surface on Windows and the Local Profile Assistant (LPA) service in the light of privilege escalation attacks:\n\nTo investigate security implications on Windows Desktop systems, we will examine the local attack surface, focusing on the Local Profile Assistant (LPA) service and its potential role in privilege escalation attacks both in an organization and on the local system. We will outline the potential vulnerabilities and attack vectors that can be exploited by attackers to gain unauthorized access and elevated privileges within the system, emphasizing the importance of securing the LPA service and its associated components.\n\n4. Use of eSIMs in offensive red-teaming operations:\n\nFinally, we will explore the innovative ways in which eSIM technology can be used in offensive red-teaming operations to simulate sophisticated cyber threats and assess an organization's overall security posture. 
This section will present real-world examples and scenarios that demonstrate how eSIMs can be used to circumvent traditional security measures, exfiltrate sensitive data, and compromise network infrastructures.\n\n\nIn summary, the rapid adoption of eSIM technology offers a host of new opportunities and conveniences, but also introduces a number of potential vulnerabilities and security issues. By comprehensively examining the attack surface associated with eSIMs and discussing secure deployment practices, local attack vectors, and red-teaming applications, this presentation aims to inspire a proactive approach to securing eSIM technology. It is critical that the cybersecurity community come together and develop robust strategies to mitigate risks and ensure the continued security and reliability of this breakthrough innovation to ultimately promote a more secure and connected world.\n\n[1] https://conference.hitb.org/hitbsecconf2015ams/materials/D1T1%20-%20Markus%20Vervier%20-%20Mobile%20Authentication%", "recording_license": "", "do_not_record": false, "persons": [{"code": "CTWDWV", "name": "Markus Vervier", "avatar": null, "biography": "During the last 18 years Markus collected professional experience in offensive IT security working as a security researcher, code auditor, and penetration tester. He likes to review code, reverse engineer the unknown, and discover vulnerabilities in applications on various platforms and architectures. 
\nSome of his notable accomplishments include conducting security analysis and reverse engineering of embedded firmware for mobile devices, discovering vulnerabilities in the Signal Private Messenger in collaboration with JP Aumasson, and finding a remote vulnerability in libOTR.", "public_name": "Markus Vervier", "guid": "26484fa3-4b4f-5b49-ba82-b221854efe03", "url": "https://pretalx.com/hack-lu-2023/speaker/CTWDWV/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/JGQCU3/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/JGQCU3/", "attachments": []}, {"guid": "bdb46785-7849-5828-8edd-0791d922f03a", "code": "CUKBTG", "id": 36175, "logo": "https://pretalx.com/media/hack-lu-2023/submissions/CUKBTG/IMG_0132_VYzVw2Y.jpg", "date": "2023-10-18T14:30:00+02:00", "start": "14:30", "duration": "00:30", "room": "Salle Europe", "slug": "hack-lu-2023-36175-building-an-evil-phone-charging-station", "url": "https://pretalx.com/hack-lu-2023/talk/CUKBTG/", "title": "Building an evil phone charging station.", "subtitle": "", "track": "hack.lu", "type": "Talk", "language": "en", "abstract": "An investigation of the risks of public charging stations, including a POC that charges a phone, mirrors HDMI, and extracts passwords being typed on the mobile device.", "description": "In April 2023, multiple news articles got published stating, quote, \"the FBI warns consumers not to use public phone charging stations\". This led to quite some interesting discussion online. 
With experts divided on the risks involved.\n\nWe will briefly go over older attacks (HID devices, usb-ethernet dongles) and how feasible these are, however the main focus of this presentation is investigating the risks of HDMI (and displayport) mirroring, and building a POC to automatically extract data from the video output.\n\nWe will also release the code for this research project; we hope you can build on top of it!", "recording_license": "", "do_not_record": false, "persons": [{"code": "ADZH8L", "name": "Stef van Dop", "avatar": "https://pretalx.com/media/avatars/ADZH8L_wEeChhy.webp", "biography": "\"Ooh what does this button do?\"\n\nSenior Ethical Hacker at the internal REDteam of KPN. One of the founders of Techinc (Amsterdam Hackerspace). I used to organise the hacker villages at HITB, and generally enjoy helping as orga or volunteering at hacker cons.", "public_name": "Stef van Dop", "guid": "c881c0d7-f71b-507a-a841-d2e87d106163", "url": "https://pretalx.com/hack-lu-2023/speaker/ADZH8L/"}, {"code": "F7UJVX", "name": "Tom\u00e1s Philippart", "avatar": "https://pretalx.com/media/avatars/F7UJVX_i9M1AJB.webp", "biography": "MSc Security and Network Engineering, University of Amsterdam", "public_name": "Tom\u00e1s Philippart", "guid": "23ee9af3-8613-5d2f-b750-fbf05f3dff01", "url": "https://pretalx.com/hack-lu-2023/speaker/F7UJVX/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/CUKBTG/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/CUKBTG/", "attachments": []}, {"guid": "078d0419-7551-59f6-9955-265f60ad8c79", "code": "SVEQQ3", "id": 31194, "logo": "https://pretalx.com/media/hack-lu-2023/submissions/SVEQQ3/File_formats__Dos_and_donts_x0zi7Br.png", "date": "2023-10-18T15:00:00+02:00", "start": "15:00", "duration": "00:30", "room": "Salle Europe", "slug": "hack-lu-2023-31194-do-s-and-don-ts-in-file-formats", "url": "https://pretalx.com/hack-lu-2023/talk/SVEQQ3/", "title": "Do's and don'ts in file formats", "subtitle": "", 
"track": "hack.lu", "type": "Talk", "language": "en", "abstract": "Many file formats (like MP3) were designed around a great idea but a very bad format, leading to many hurdles, headaches and mistakes.\nThis talk will introduce the typical mistakes made when conceiving a file format, and during its evolution.", "description": "Having dissected [hundreds](https://github.com/corkami/pics/blob/master/binary/README.md) of file formats and come up with many different kinds of abuses, whether they are design-based (polyglots, hash collision...) or parser-based (insert your typical fuzzing crash here), the author is familiar with looking at the typical mistakes when exploring specifications, designing a format, or assessing the security of a parser.", "recording_license": "", "do_not_record": false, "persons": [{"code": "QAMB7A", "name": "Ange Albertini", "avatar": "https://pretalx.com/media/avatars/QAMB7A_jxJSOM4.webp", "biography": "Ange is mostly known for his weird files: extreme, ambiguous, polyglots, hash collisions...\nReverse engineer since the 80s, malware analyst professionally since 2005, \nhe is currently an infosec engineer in the Mandiant Flare team at Google.", "public_name": "Ange Albertini", "guid": "edf8835c-23bc-5e29-a8cf-23a7b45bdd53", "url": "https://pretalx.com/hack-lu-2023/speaker/QAMB7A/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/SVEQQ3/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/SVEQQ3/", "attachments": []}, {"guid": "7798fd43-84bd-5ae1-b800-a42bcfe76391", "code": "Q9JHXM", "id": 36013, "logo": null, "date": "2023-10-18T15:30:00+02:00", "start": "15:30", "duration": "00:30", "room": "Salle Europe", "slug": "hack-lu-2023-36013-acme-benefits-of-deploying-an-internet-security-protocol-inside-your-corporate-network", "url": "https://pretalx.com/hack-lu-2023/talk/Q9JHXM/", "title": "ACME: benefits of deploying an Internet Security protocol inside your corporate network", "subtitle": "", "track": "hack.lu", 
"type": "Talk", "language": "en", "abstract": "This talk will give feedback on the deployment of an ACME proxy in front of a private Certificate Authority (CA). I will explain the caveats of our private CA setup and why we decided to add ACME to our corporate CA architecture. I will then expose the expected (and unexpected!) benefits of using this Internet Security protocol inside your corporate network. Finally, some new opportunities proposed by the industry and relying on ACME used inside corporate networks will be covered.", "description": "This talk will give feedback on the deployment of an ACME proxy in front of a private Certificate Authority (CA) in a corporate network. \n\nI will expose:\n- our analysis of the shortcomings of our current CA setup (slowness, heaviness, not so robust security controls),\n- our search to improve our architecture,\n- why we looked at the Internet CA landscape,\n- why we chose ACME.\n\nI will then detail to the audience:\n- the expected benefits of having an ACME service inside your corporate ecosystem like robustness or automation opportunities \n- but also the unexpected ones like non-anticipated use cases provided directly by our IT users or massive ACME appropriation by a wide variety of IT professionals in the company that were not regular users of our original CA setup.\n \nAnd, finally, I will end by speaking about new ACME use cases in private networks provided by the IT security industry like the new ACME challenge, device-attest-01, proposed by Google [1] and used by Apple in its Managed Device Attestation [2] solution used to enroll new corporate private iOS/MacOS/iPadOS devices.\n\n[1] https://www.ietf.org/id/draft-acme-device-attest-01.html\n[2] https://support.apple.com/guide/deployment/managed-device-attestation-dep28afbde6a/web", "recording_license": "", "do_not_record": false, "persons": [{"code": "ERWRGW", "name": "Christophe Brocas", "avatar": "https://pretalx.com/media/avatars/ERWRGW_M5ckut5.webp", 
"biography": "- **Security engineer @ Assurance Maladie** (French public HealthCare insurance) with a particular focus on R&D in the field of security and network protocols such as Certificate Transparency, ACME or DNS.\n- **Co-founder and organizer of Pass the SALT**, a conference dedicated to Security & Free Software: https://www.pass-the-salt.org/\n- Contact & more: https://www.brocas.org/", "public_name": "Christophe Brocas", "guid": "0f4d0299-3b68-59b9-a095-318ded87a6d7", "url": "https://pretalx.com/hack-lu-2023/speaker/ERWRGW/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/Q9JHXM/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/Q9JHXM/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2023/submissions/Q9JHXM/resources/Hack.lu_2023_ACME_benefits_of_deploying_an_Int_ptnhH6x.pdf", "type": "related"}]}, {"guid": "97b746f4-48d2-5406-b3e6-a8855f38c3ff", "code": "VKSLBY", "id": 33830, "logo": null, "date": "2023-10-18T16:15:00+02:00", "start": "16:15", "duration": "00:30", "room": "Salle Europe", "slug": "hack-lu-2023-33830-your-unknown-twins-identity-in-the-era-of-deepfakes-ai-and-mass-biometrics-exposure", "url": "https://pretalx.com/hack-lu-2023/talk/VKSLBY/", "title": "Your unknown Twins: Identity in the era of Deepfakes, AI and mass Biometrics exposure", "subtitle": "", "track": "hack.lu", "type": "Talk", "language": "en", "abstract": "With the growth of modern media and AI technologies, have you ever wondered what damage could be done if a picture of your eyes ends up in the hands of a malicious user?\n\nIn this presentation we dive into threats of exposed biometric data, show how the data can be obtained and abused by malicious users, and what damage can be done once their data is exposed. 
Such compromised identities are already used in financial crimes, to bypass modern security systems and procedures and also in public opinion manipulation campaigns - which can include critical events, street protests, and elections. But the impact of our exposed data is set to go beyond these in the coming years, and in this talk we discuss the difficulties and work-arounds for these emerging threats.", "description": "This presentation includes use cases of face, fingerprint and retina biometric exposure, including recordings of live experiments. Finally, we demonstrate how emerging AI technologies can drastically accelerate the ability for criminal users to build a complete identity theft enterprise - where robust digital twins of everyone unfortunate enough to have leaked details are available for all to buy.", "recording_license": "", "do_not_record": false, "persons": [{"code": "QMTPZP", "name": "Vladimir Kropotov", "avatar": "https://pretalx.com/media/avatars/QMTPZP_XOtgW7d.webp", "biography": "Vladimir Kropotov is a researcher with the Trend Micro Forward-Looking Threat Research team. Active for over 20 years in information security projects and research, he previously built and led incident response teams at Fortune 500 companies and was head of the Incident Response Team at Positive Technologies. He holds a master's degree in applied mathematics and information security. He also participates in various projects for leading financial, industrial, and telecom companies. 
His main interests lie in network traffic analysis, incident response, and botnet and cybercrime investigations.", "public_name": "Vladimir Kropotov", "guid": "7c1dd671-a013-5608-be22-01ea4e6a75db", "url": "https://pretalx.com/hack-lu-2023/speaker/QMTPZP/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/VKSLBY/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/VKSLBY/", "attachments": []}, {"guid": "4fdaf0b8-0d5a-5d7c-b3bc-30680d7fc558", "code": "PL3P7Y", "id": 33754, "logo": "https://pretalx.com/media/hack-lu-2023/submissions/PL3P7Y/prepend_character8_iboDRDB.png", "date": "2023-10-18T16:45:00+02:00", "start": "16:45", "duration": "00:30", "room": "Salle Europe", "slug": "hack-lu-2023-33754-php-filter-chains-how-to-use-it", "url": "https://pretalx.com/hack-lu-2023/talk/PL3P7Y/", "title": "PHP filter chains: How to use it", "subtitle": "", "track": "hack.lu", "type": "Talk", "language": "en", "abstract": "Local file inclusion methods in PHP evolved over time; there are 2 main objectives when exploiting them:\n - Getting remote code execution by including files containing PHP via the include() or require() functions.\n - Leaking local files such as PHP sources or configuration files via, for example, the file_get_contents() or file() functions.\n \nIn the past, the following requirements had to be met to exploit a local file inclusion.\n To get remote code execution, you could inject information into log files and include them, or control a variable in your PHP session to poison the session file. But in most cases, you needed to be able to upload a file to the system.\n \n To leak local files, it was required either to fully control the path pointing to the file to leak, or to have a path traversal to go up the file tree. 
Most importantly, it was mandatory for the server to send its content back to you in the response.\n \nIn both cases, the affected functions support several wrappers, the most iconic being file://, which is a prefix placed before a file path. Other wrappers such as php://filter can be passed to these functions, and it was well known, for example, that this one allows leaking PHP sources by base64-encoding them (e.g. php://filter/convert.base64-encode/resource=index.php).\n\n In a 2021 CTF write-up by loknop, this wrapper was actually proven to be much more useful. Indeed, it allows setting the encoding of the content passing through it, and most importantly chaining an unlimited number of encodings, leading to the generation of arbitrary data at the start of a file. In this presentation, the full process will be explained with examples allowing, for instance, the generation of interesting prefixes to a file's content, such as '<?php system(\"id\"); ?>', therefore removing the need for a file upload when exploiting the include() or require() functions to get remote code execution (if the full path is controlled).\n \nIn 2022, hash_kitten showed that it was also possible to use PHP filter chains as an error-based oracle when used in many built-in functions, such as file_get_contents(). This method chains encodings that make the content size of a file grow exponentially, triggering a PHP memory_limit exhaustion. By using other filters, the first character of the file content can also be determined. By using other encodings it is also possible to rotate the chain order to retrieve characters that are located further away in the content.\n\n Using this error-based oracle, it is therefore possible to leak the entire file content without having PHP serve it in a server response.", "description": "This technical talk aims to introduce local file inclusion vulnerabilities on PHP applications. 
It also shows why PHP filter chain exploitation can be useful to know during an audit.\n\nTo illustrate it, we will show vulnerable code samples and ways to patch them.\n\nTwo tools were developed to exploit it and will also be presented:\n - https://github.com/synacktiv/php_filter_chain_generator\n - https://github.com/synacktiv/php_filter_chains_oracle_exploit", "recording_license": "", "do_not_record": false, "persons": [{"code": "GDCJDQ", "name": "R\u00e9mi Matasse", "avatar": "https://pretalx.com/media/avatars/GDCJDQ_Hlut92s.webp", "biography": "Pentester @Synacktiv", "public_name": "R\u00e9mi Matasse", "guid": "6773789c-3d97-5190-8d3c-5f9631cd3784", "url": "https://pretalx.com/hack-lu-2023/speaker/GDCJDQ/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/PL3P7Y/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/PL3P7Y/", "attachments": []}], "Schengen 1 and 2": [{"guid": "b97f80cc-4ed3-50ba-8afc-760ba0191741", "code": "UCRUZT", "id": 35420, "logo": null, "date": "2023-10-18T10:00:00+02:00", "start": "10:00", "duration": "02:00", "room": "Schengen 1 and 2", "slug": "hack-lu-2023-35420-1-managing-spam-phishing-and-other-boring-tasks-with-your-users-and-constituents", "url": "https://pretalx.com/hack-lu-2023/talk/UCRUZT/", "title": "Managing spam, phishing and other boring tasks with your users and constituents", "subtitle": "", "track": "cti-summit", "type": "Training", "language": "en", "abstract": "It is time consuming and frankly only moderately interesting to handle the submission and treatment of the spam and phishing things people would like to report to you, either because it is your job or because you're that person who knows computers in your family or friend group.\n\nIn this workshop, we will show how to integrate open-source tools that will make your life easier, empower the people reporting things to you, and hopefully reduce your workload.", "description": "Please make sure before attending this workshop that you can 
install Python 3 software on your device, and your device should preferably be running Ubuntu 22.04 or more recent. As the workshop is relatively short and depending on how many people will attend, we may not have time to do a lot of sysadmin work during the workshop.\n\nThe tools we will use are the following:\n\n* Lookyloo (to analyze URLs)\n* Pandora (to analyze files)\n* Lacus (optionally, to capture the URLs when you have a lot of them)\n* A URL monitoring interface (to compare a specific URL over time)\n* Phishtank Lookup (to check if a URL is known or not)\n\nWe will also see how to integrate Lookyloo and Pandora to handle the cases where the URL points to a file, and where the file is a web document or contains URLs.\n\nIntegration with 3rd party services:\n\n* MISP (to share the indicators)\n* Ticketing system (to manage interactions with other entities, typically takedown requests)\n* Validate if a URL is known with VirusTotal, PhishtankLookup, URLScan, URLHaus\n* Validate if a file is known with VirusTotal, MalwareBazaar, HybridAnalysis, MwDB, JoeSandbox\n* Add contextual information with SaneJS, uWhoisd, Hashlookup", "recording_license": "", "do_not_record": false, "persons": [{"code": "GLQ9T3", "name": "Rapha\u00ebl Vinot", "avatar": "https://pretalx.com/media/avatars/GLQ9T3_gQscSBO.webp", "biography": "Formerly a member of CIRCL, I moved to France but didn't go that far in spirit, as I'm still one of the developers and maintainers for a whole bunch of tools there. 
Some say it is too many; we disagree.", "public_name": "Rapha\u00ebl Vinot", "guid": "3564062f-5330-54a0-b816-fc31003c64af", "url": "https://pretalx.com/hack-lu-2023/speaker/GLQ9T3/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/UCRUZT/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/UCRUZT/", "attachments": []}, {"guid": "01d5d84b-d98e-55b3-9c8b-4547fffe9b8f", "code": "GHS8XH", "id": 34026, "logo": null, "date": "2023-10-18T14:00:00+02:00", "start": "14:00", "duration": "01:30", "room": "Schengen 1 and 2", "slug": "hack-lu-2023-34026-non-state-actors-cyber-activity-in-armed-conflict-impact-implications-and-remediation", "url": "https://pretalx.com/hack-lu-2023/talk/GHS8XH/", "title": "Non-state actors\u2019 cyber activity in Armed Conflict: impact, implications and remediation", "subtitle": "", "track": "hack.lu", "type": "Training", "language": "en", "abstract": "A modern armed conflict has an increasingly elaborate cyber dimension substituting or complementing conventional military operations and originating from both state and non-state parties. Often non-state groups are engaging alongside (and including on behalf of) states in international conflicts without sufficient knowledge of the international law designed to avoid unnecessary harm to civilians, and often become victims themselves as de facto parties in a given conflict. They may also deliberately ignore the rules due to sufficiently plausible deniability. Yet, the results of their actions to support any of the officially combatant parties, especially targeting civilian objects (including hospitals, schools, community centres etc.), might lead to unnecessary casualties as well as otherwise undesirable escalation of the conflict. 
\nWith a rich choice of examples of such activities in the current conflict in Europe, it seems an important moment to discuss the understanding of ethical limits to non-state actor behaviour in the use of ICTs, to ultimately reduce the activity targeting civilians and the chances of undesirable escalation.", "description": "This session will aim to:\n- Raise awareness and build knowledge in the community about the potential unwanted consequences of non-state cyber activities and the underlying legal context;\n- Discuss with the participants the observed specific TTPs typically used by non-state actors engaged in the cyber dimension of a conflict and the evolving underlying strategies;\n- Explore potential mitigation and (self-)restraint measures to avoid civilian targets, unnecessary injury or suffering. See, e.g., the 8 suggested rules for \"civilian hackers\" proposed by https://blogs.icrc.org/law-and-policy/2023/10/04/8-rules-civilian-hackers-war-4-obligations-states-restrain-them/\n- Consider the long-term effects of the \u2018banalisation\u2019 of non-state actor engagement, i.e. the potential post-conflict consequences of a laissez-faire attitude to the increasingly militarised broader cyber community", "recording_license": "", "do_not_record": true, "persons": [{"code": "YHTEUK", "name": "Deleted User", "avatar": null, "biography": "", "public_name": "Deleted User", "guid": "613561cf-95da-50c9-b3ec-31171f404f3a", "url": "https://pretalx.com/hack-lu-2023/speaker/YHTEUK/"}, {"code": "JJXZEU", "name": "Mauro Vignati", "avatar": "https://pretalx.com/media/avatars/JJXZEU_7HxoD2o.webp", "biography": "In 2003 Mauro Vignati started working at the first unit of the Swiss Federal Police fighting cybercrime. Later on, he collaborated in the establishment of MELANI, Switzerland's first centre for public-private partnership on cybersecurity for critical infrastructure. Back in 2013, he set up and led the Cyber Threat Intelligence Division within the Department of Defence in Bern. 
In 2021, he was tasked with creating the Vulnerability Management unit within the National Cyber Security Centre NCSC.ch, established to manage vulnerabilities, and led several projects testing the security of the government infrastructure. One year later he joined the International Committee of the Red Cross as an advisor on new digital technologies of warfare.", "public_name": "Mauro Vignati", "guid": "03503d2a-c05b-52da-95b8-746b55b7ede8", "url": "https://pretalx.com/hack-lu-2023/speaker/JJXZEU/"}, {"code": "RQZNYS", "name": "Elena R\u00fcckheim", "avatar": null, "biography": "Elena R\u00fcckheim comes from the Geneva-based Centre for Humanitarian Dialogue (HD). As part of HD's cyber programme team, her work focuses on establishing confidence-building measures between adversaries in cyberspace through dialogue and mediation. Before joining HD, Elena served as Deputy Head of Unit and Security Analyst at the National IT Situation Centre of the German Federal Office for Information Security (BSI). Prior to moving into operational IT security, she was mainly involved in the drafting of national cybersecurity policies and strategies. 
This was at the Federal Ministry of Defence, where she was also responsible for managing international bilateral partnerships in the field of cyber defense.", "public_name": "Elena R\u00fcckheim", "guid": "417004cb-63b1-5c35-930f-d950ca78ffb5", "url": "https://pretalx.com/hack-lu-2023/speaker/RQZNYS/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/GHS8XH/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/GHS8XH/", "attachments": []}], "Echternach&Diekirch": [{"guid": "b6146c1b-25f2-5f39-8587-0d8a9a73a109", "code": "UDFFNS", "id": 32590, "logo": null, "date": "2023-10-18T09:00:00+02:00", "start": "09:00", "duration": "01:30", "room": "Echternach&Diekirch", "slug": "hack-lu-2023-32590-3-dismantle-the-bomb", "url": "https://pretalx.com/hack-lu-2023/talk/UDFFNS/", "title": "Dismantle the bomb", "subtitle": "", "track": "hack.lu", "type": "Workshop", "language": "en", "abstract": "Stop the countdown timer and dismantle the bomb by cutting the correct cable.", "description": "In a 90 minute workshop a team of max. 5 persons can enter the room. During the first 15 minutes they will receive a briefing on the mission. 
The countdown timer starts the mission (75 minutes).\nThe goal is to stop the countdown timer connected to a bomb fixed on a 10 l white paint bucket.", "recording_license": "", "do_not_record": false, "persons": [{"code": "ZTMXFW", "name": "Stijn Tomme", "avatar": "https://pretalx.com/media/avatars/ZTMXFW_uIVfOdZ.webp", "biography": "Trying to combine fun and security", "public_name": "Stijn Tomme", "guid": "72d4eecd-fd65-583c-ac6c-539924adfa0d", "url": "https://pretalx.com/hack-lu-2023/speaker/ZTMXFW/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/UDFFNS/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/UDFFNS/", "attachments": []}, {"guid": "e3ebdfd0-8dbb-5608-b893-e2240a927dd4", "code": "UDFFNS", "id": 32590, "logo": null, "date": "2023-10-18T10:30:00+02:00", "start": "10:30", "duration": "01:30", "room": "Echternach&Diekirch", "slug": "hack-lu-2023-32590-4-dismantle-the-bomb", "url": "https://pretalx.com/hack-lu-2023/talk/UDFFNS/", "title": "Dismantle the bomb", "subtitle": "", "track": "hack.lu", "type": "Workshop", "language": "en", "abstract": "Stop the countdown timer and dismantle the bomb by cutting the correct cable.", "description": "In a 90-minute workshop a team of max. 5 persons can enter the room. During the first 15 minutes they will receive a briefing on the mission. 
The countdown timer starts the mission (75 minutes).\nThe goal is to stop the countdown timer connected to a bomb fixed on a 10 l white paint bucket.", "recording_license": "", "do_not_record": false, "persons": [{"code": "ZTMXFW", "name": "Stijn Tomme", "avatar": "https://pretalx.com/media/avatars/ZTMXFW_uIVfOdZ.webp", "biography": "Trying to combine fun and security", "public_name": "Stijn Tomme", "guid": "72d4eecd-fd65-583c-ac6c-539924adfa0d", "url": "https://pretalx.com/hack-lu-2023/speaker/ZTMXFW/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/UDFFNS/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/UDFFNS/", "attachments": []}, {"guid": "a5797f10-23e5-55f2-9212-138200570f77", "code": "UDFFNS", "id": 32590, "logo": null, "date": "2023-10-18T14:00:00+02:00", "start": "14:00", "duration": "01:30", "room": "Echternach&Diekirch", "slug": "hack-lu-2023-32590-5-dismantle-the-bomb", "url": "https://pretalx.com/hack-lu-2023/talk/UDFFNS/", "title": "Dismantle the bomb", "subtitle": "", "track": "hack.lu", "type": "Workshop", "language": "en", "abstract": "Stop the countdown timer and dismantle the bomb by cutting the correct cable.", "description": "In a 90-minute workshop a team of max. 5 persons can enter the room. During the first 15 minutes they will receive a briefing on the mission. 
The countdown timer starts the mission (75 minutes).\nThe goal is to stop the countdown timer connected to a bomb fixed on a 10 l white paint bucket.", "recording_license": "", "do_not_record": false, "persons": [{"code": "ZTMXFW", "name": "Stijn Tomme", "avatar": "https://pretalx.com/media/avatars/ZTMXFW_uIVfOdZ.webp", "biography": "Trying to combine fun and security", "public_name": "Stijn Tomme", "guid": "72d4eecd-fd65-583c-ac6c-539924adfa0d", "url": "https://pretalx.com/hack-lu-2023/speaker/ZTMXFW/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/UDFFNS/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/UDFFNS/", "attachments": []}, {"guid": "d1344bd6-c888-57bb-80bf-334837f362ee", "code": "UDFFNS", "id": 32590, "logo": null, "date": "2023-10-18T16:15:00+02:00", "start": "16:15", "duration": "01:30", "room": "Echternach&Diekirch", "slug": "hack-lu-2023-32590-6-dismantle-the-bomb", "url": "https://pretalx.com/hack-lu-2023/talk/UDFFNS/", "title": "Dismantle the bomb", "subtitle": "", "track": "hack.lu", "type": "Workshop", "language": "en", "abstract": "Stop the countdown timer and dismantle the bomb by cutting the correct cable.", "description": "In a 90-minute workshop a team of max. 5 persons can enter the room. During the first 15 minutes they will receive a briefing on the mission. 
The countdown timer starts the mission (75 minutes).\nThe goal is to stop the countdown timer connected to a bomb fixed on a 10 l white paint bucket.", "recording_license": "", "do_not_record": false, "persons": [{"code": "ZTMXFW", "name": "Stijn Tomme", "avatar": "https://pretalx.com/media/avatars/ZTMXFW_uIVfOdZ.webp", "biography": "Trying to combine fun and security", "public_name": "Stijn Tomme", "guid": "72d4eecd-fd65-583c-ac6c-539924adfa0d", "url": "https://pretalx.com/hack-lu-2023/speaker/ZTMXFW/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/UDFFNS/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/UDFFNS/", "attachments": []}], "Hollenfels": [{"guid": "61da50c3-56db-5a77-83e6-25b40c658054", "code": "KRG3WK", "id": 33431, "logo": null, "date": "2023-10-18T10:00:00+02:00", "start": "10:00", "duration": "02:00", "room": "Hollenfels", "slug": "hack-lu-2023-33431-analyzing-cobalt-strike-beacons-servers-and-traffic", "url": "https://pretalx.com/hack-lu-2023/talk/KRG3WK/", "title": "Analyzing Cobalt Strike Beacons, Servers and Traffic", "subtitle": "", "track": "hack.lu", "type": "Training", "language": "en", "abstract": "In this 2-hour workshop, we will use new tools developed by Didier Stevens to deal with malicious Cobalt Strike beacons.\n\nThere used to be a time when a blue teamer could say: \"this sample I just analyzed is a Cobalt Strike beacon: I'm sure this is a pen test\".\nThat is no longer the case: Cobalt Strike has become very popular with common criminals, and even some APT crews. 
Nowadays, if you encounter a Cobalt Strike sample, your organization is more likely to be under real attack than under simulated attack.", "description": "Didier has developed tools to extract the configuration of Cobalt Strike beacons, to detect Cobalt Strike beacons and to analyze/decrypt Cobalt Strike network traffic.\n\nThese tools allow you to deal with Cobalt Strike beacons without having to reverse engineer malicious code.", "recording_license": "", "do_not_record": false, "persons": [{"code": "UY3X3H", "name": "Didier Stevens", "avatar": "https://pretalx.com/media/avatars/UY3X3H_9zuIVU6.webp", "biography": "Didier is a Senior Analyst working for NVISO.\n\nBesides his professional activities, Didier is also a Microsoft MVP (2011-2016 awarded MVP Consumer Security, 2016-2023 awarded MVP Windows Insider) and a SANS Internet Storm Center Senior Handler.\n\nHe is an expert in malicious documents (PDF and Microsoft Office), pioneering research into maldocs and authoring free, open-source analysis tools and private red team tools.", "public_name": "Didier Stevens", "guid": "f86cddce-84b3-5a22-be80-fe7131be41f8", "url": "https://pretalx.com/hack-lu-2023/speaker/UY3X3H/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/KRG3WK/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/KRG3WK/", "attachments": []}, {"guid": "88010a93-56ac-5e14-8247-7babd93e9b8d", "code": "M9CWW9", "id": 31911, "logo": "https://pretalx.com/media/hack-lu-2023/submissions/M9CWW9/Sigma_0.3_u9XI4FY.png", "date": "2023-10-18T14:00:00+02:00", "start": "14:00", "duration": "02:00", "room": "Hollenfels", "slug": "hack-lu-2023-31911-the-new-sigma-toolchain", "url": "https://pretalx.com/hack-lu-2023/talk/M9CWW9/", "title": "The new Sigma Toolchain", "subtitle": "", "track": "hack.lu", "type": "Training", "language": "en", "abstract": "*pySigma* and *Sigma CLI* are complete rewrites of the legacy *sigmatools* and *sigmac* projects, 
which will be retired at the end of the year. In this workshop you will learn the new concepts introduced and how these new tools can be used and extended with new target query languages.", "description": "This workshop aims to give an introduction to the new Sigma Python toolchain, *pySigma* (the library) and *Sigma CLI* (converter, rule checker, ATT&CK heatmap generator, ...). I will give a brief introduction to some important concepts like plugins, backends and processing pipelines and continue with hands-on exercises:\n\n* Discover and install backends and pipelines required for conversion.\n* Basic conversion of queries.\n* Building your own processing pipelines (e.g. field name mappings).\n* Rule checking.\n* Creating a MITRE ATT&CK heatmap from a rule set.\n* Creating backends with the cookiecutter template.", "recording_license": "", "do_not_record": false, "persons": [{"code": "TD3QYA", "name": "Thomas Patzke", "avatar": "https://pretalx.com/media/avatars/TD3QYA_d7RyBv6.webp", "biography": "Thomas has more than 15 years' experience in various areas of information security. He started as a consultant, then moved into offensive security and switched to defensive topics. Now he's an incident responder and threat hunter and does some threat intelligence at the Evonik Cyber Defense Team.\n\nThomas doesn't hold a single infosec certification, so no list of three-to-four-upper-cased-letter-combinations here. 
Instead he focuses on building [open source security tools](https://github.com/thomaspatzke) and is one of the co-founders and a core maintainer of the [Sigma project](https://github.com/SigmaHQ).", "public_name": "Thomas Patzke", "guid": "664f8989-2826-59a3-ae2a-67949ae6fd8f", "url": "https://pretalx.com/hack-lu-2023/speaker/TD3QYA/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/M9CWW9/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/M9CWW9/", "attachments": []}, {"guid": "d11e54b9-285a-5ca5-a0de-7ddafe545f3b", "code": "GUNJJH", "id": 37976, "logo": null, "date": "2023-10-18T16:15:00+02:00", "start": "16:15", "duration": "01:30", "room": "Hollenfels", "slug": "hack-lu-2023-37976-kunai-workshop-your-new-threat-hunting-tool-for-linux", "url": "https://pretalx.com/hack-lu-2023/talk/GUNJJH/", "title": "Kunai workshop: your new Threat Hunting tool for Linux", "subtitle": "", "track": "hack.lu", "type": "Workshop", "language": "en", "abstract": "Linux is an open-source OS; however, performing Threat Hunting on Linux using open-source software (OSS) is not easy, as only a few tools are available and maintained. A port of the well-known Sysmon tool, originally developed for MS Windows, has been made for Linux, but it suffers from several issues. In this presentation, I will introduce a brand-new open-source tool I have been working on for several months. 
This tool aims to be a Sysmon alternative for Linux and provides several features that Sysmon does not offer.", "description": "This workshop aims to introduce the community to Kunai, a new Threat Hunting tool designed specifically for Linux systems, in addition to the hack.lu talk of the same name.", "recording_license": "", "do_not_record": false, "persons": [{"code": "3JVRZM", "name": "Quentin JEROME", "avatar": "https://pretalx.com/media/avatars/3JVRZM_2Q2w1d8.webp", "biography": "Quentin worked as an incident responder for several years before focusing on endpoint threat detection. He recently dedicated all his time to developing several open-source projects. His main topics of interest range from threat detection to bug hunting, but what he likes most is to develop tools and open-source them when he judges it relevant enough to do so.", "public_name": "Quentin JEROME", "guid": "76a359a8-f57d-5e2c-b37b-4a2747e28a87", "url": "https://pretalx.com/hack-lu-2023/speaker/3JVRZM/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/GUNJJH/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/GUNJJH/", "attachments": []}], "Vianden&Wiltz": [{"guid": "e98e7cfc-f2c7-55e3-bc43-bd1f61653f6b", "code": "3RBM3A", "id": 35089, "logo": null, "date": "2023-10-18T09:00:00+02:00", "start": "09:00", "duration": "03:00", "room": "Vianden&Wiltz", "slug": "hack-lu-2023-35089-build-your-own-malware-analysis-pipeline-using-open-source-tools", "url": "https://pretalx.com/hack-lu-2023/talk/3RBM3A/", "title": "Build your own malware analysis pipeline using open source tools", "subtitle": "", "track": "hack.lu", "type": "Training", "language": "en", "abstract": "During almost a decade of malware analysis experience at cert.pl, we have tried many different approaches. Most of them failed, but we have learned a lot about what works and what does not. 
Finally, after several years of development, we publicly released a bunch of projects that we are proud of: a complete open-source malware repository and analysis platform.\nThe workshop will provide a practical hands-on introduction to all aspects of the platform:\nmwdb: community-based online service for analysis and sharing of malware samples. The service is freely available to white-hat researchers and provides fully-automated malware extraction and botnet tracking.\nmwdb core: self-hosted repository of samples and all kinds of technical information related to malware configurations.\nkarton: microservice framework for highly scalable and fault-resistant malware analysis workflows. We will explain the installation and configuration quickly and spend the rest of the time on adapting workflows to the karton framework.\nmalduck: our library for malware extraction and analysis. We will explain how to use it effectively and how to create your own modules.\nAll components are already available on our GitHub page: https://github.com/CERT-Polska/training-mwdb.", "description": "Hands-on workshop showcasing MWDB, mwdblib, Karton and malduck.\n\nIMPORTANT: please remember to take your laptop with you. You will need to have a working Linux environment, with docker-compose and Python installed.", "recording_license": "", "do_not_record": false, "persons": [{"code": "VCXGJZ", "name": "Micha\u0142 Praszmo", "avatar": null, "biography": "Security researcher at cert.pl", "public_name": "Micha\u0142 Praszmo", "guid": "a470f7b7-ed28-5f08-aeb0-c23b13c8dcb1", "url": "https://pretalx.com/hack-lu-2023/speaker/VCXGJZ/"}, {"code": "KNMAYT", "name": "psrok1", "avatar": "https://pretalx.com/media/avatars/KNMAYT_OSHxX1T.webp", "biography": "Pawe\u0142 Srokosz is a security researcher and a malware analyst at CERT.PL, constantly digging for fire and doing reverse engineering of ransomware and botnet malware. 
Main developer of CERT.pl's open-source projects for malware analysis automation: MWDB Core and Karton. He spends his free time playing CTFs as a member of the p4 team.", "public_name": "psrok1", "guid": "34418d50-a05c-5080-89c1-d2447ed7a554", "url": "https://pretalx.com/hack-lu-2023/speaker/KNMAYT/"}, {"code": "THHJCB", "name": "Jaros\u0142aw Jedynak", "avatar": null, "biography": null, "public_name": "Jaros\u0142aw Jedynak", "guid": "ba4be383-ad09-5501-8635-b3887a74fbee", "url": "https://pretalx.com/hack-lu-2023/speaker/THHJCB/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/3RBM3A/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/3RBM3A/", "attachments": []}]}}, {"index": 4, "date": "2023-10-19", "day_start": "2023-10-19T04:00:00+02:00", "day_end": "2023-10-20T03:59:00+02:00", "rooms": {"Salle Europe": [{"guid": "f0eb5224-e5e2-5356-a670-31cf9f5119d4", "code": "WKYGQN", "id": 37648, "logo": null, "date": "2023-10-19T09:00:00+02:00", "start": "09:00", "duration": "00:30", "room": "Salle Europe", "slug": "hack-lu-2023-37648-internet-exposure-of-satellite-modems-and-their-vulnerabilities", "url": "https://pretalx.com/hack-lu-2023/talk/WKYGQN/", "title": "Internet exposure of satellite modems, and their vulnerabilities", "subtitle": "", "track": "hack.lu", "type": "Talk", "language": "en", "abstract": "ONYPHE & ESIEA partnered to create an assessment of satellite modems and their current state of vulnerabilities. We will speak about different brands, give a picture of how many of them are exposed on the Internet, and give some numbers on their vulnerabilities.", "description": "ONYPHE & ESIEA partnered to create an assessment of satellite modems and their current state of vulnerabilities. 
We will speak about different brands, give some pictures about how many of them are exposed on the Internet, and give some numbers on their vulnerabilities.", "recording_license": "", "do_not_record": false, "persons": [{"code": "EPXVCX", "name": "Patrice Auffret", "avatar": "https://pretalx.com/media/avatars/EPXVCX_qWJqxIj.webp", "biography": null, "public_name": "Patrice Auffret", "guid": "f58d0333-8859-5f75-acfa-ab0515711fcc", "url": "https://pretalx.com/hack-lu-2023/speaker/EPXVCX/"}, {"code": "Q7U7AR", "name": "Arnaud Girault", "avatar": null, "biography": null, "public_name": "Arnaud Girault", "guid": "c8ba10ee-cda4-5552-835d-5aa6362870ee", "url": "https://pretalx.com/hack-lu-2023/speaker/Q7U7AR/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/WKYGQN/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/WKYGQN/", "attachments": []}, {"guid": "e368300b-9b20-58cb-8ebe-ecab1655ad11", "code": "USNSEZ", "id": 33264, "logo": "https://pretalx.com/media/hack-lu-2023/submissions/USNSEZ/Thales_LOGO_WHITE_ON_BLUE_RGB_ZyfpUpl.png", "date": "2023-10-19T09:30:00+02:00", "start": "09:30", "duration": "00:25", "room": "Salle Europe", "slug": "hack-lu-2023-33264-almost-2-years-after-log4j-if-your-psirt-has-survived-are-the-lessons-learned-or-not-learned-on-security-incident-vulnerability-management", "url": "https://pretalx.com/hack-lu-2023/talk/USNSEZ/", "title": "Almost 2 years after log4j .. 
if your PSIRT has survived, Are the Lessons learned or not learned  on security incident & vulnerability management ?", "subtitle": "", "track": "hack.lu", "type": "Talk", "language": "en", "abstract": "In Dec 2021, the media and public discovered the \u201cfamous\u201d log4j vulnerability.\nThey realized that for every product or website using software or shared libraries and components, these products can become vulnerable to cyber attack.\n\nCompanies in the technology sector producing \u00absoftware\u00a0\u00bb had to face the same \u00ab\u00a0disease or scary movie\u00a0\u00bb. A small library used everywhere has damaged almost all software & websites.\n\nAt this time a part of the companies believed they were prepared with a PSIRT or a CSIRT or a CERT; the other part had to \u201cimprovise, resolve and learn\u201d.\n\nToday\u2019s main \u00ab\u00a0key\u00a0\u00bb questions which seem of interest:\n\n* Do we all remember (good and bad parts of the experience)?\n\n* Have we realized it\u2019s a miracle the PSIRT teams survived the experience?\n\n* Have we learned the lessons of what happened with log4j? 
\n\n* Are we now prepared when (\u2018and not if\u2019) a new \u00ab\u00a0vulnerability scary movie\u00a0\u00bb comes back?", "description": "In this talk we will try to:\n\n** Review the theory and framework for security operations (detect/respond/recover & lessons learned) in the real-case scenario of log4j\n\n** Highlight that in security incident management:\n\n- PSIRT (when it exists) is not a magic team or heroes\n\n- Full recovery takes time\n\n** Admit that there are no other choices than\n\n- Shift Left (SSDLC)\n- Involve the management and accountable players (CMDB, SBOM, BCP)\n- Collectively align our incident response and vulnerability management approaches and forces", "recording_license": "", "do_not_record": true, "persons": [{"code": "AJMN93", "name": "FrederiqueD, Thales", "avatar": "https://pretalx.com/media/avatars/AJMN93_f0FHtzR.webp", "biography": "Senior Security Engineer in SecOps and Incident Response (PSIRT) at Thales for several years with operational and practical knowledge in audit, vulnerability management, incident response, customer support, system integration. 
\nActive contributor to standardization security working groups and information sharing communities", "public_name": "FrederiqueD, Thales", "guid": "b358b4d0-bea0-5eb4-ac54-410262f4d7cd", "url": "https://pretalx.com/hack-lu-2023/speaker/AJMN93/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/USNSEZ/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/USNSEZ/", "attachments": [{"title": "Teaser", "url": "/media/hack-lu-2023/submissions/USNSEZ/resources/HackLU-slidedeck-v02_8ADhMH0.pdf", "type": "related"}, {"title": "SlideDeck", "url": "/media/hack-lu-2023/submissions/USNSEZ/resources/HackLU-slidedeck-v04-light3reduced-Final_c52EhVv.pdf", "type": "related"}]}, {"guid": "97eccfcc-b582-5b3d-a14f-09cddf73ee6f", "code": "J3GJY9", "id": 32705, "logo": null, "date": "2023-10-19T10:00:00+02:00", "start": "10:00", "duration": "00:40", "room": "Salle Europe", "slug": "hack-lu-2023-32705-avoiding-the-basilisk-s-fangs-state-of-the-art-in-ai-llm-detection", "url": "https://pretalx.com/hack-lu-2023/talk/J3GJY9/", "title": "Avoiding the basilisk's fangs: State-of-the-art in AI LLM detection", "subtitle": "", "track": "hack.lu", "type": "Talk", "language": "en", "abstract": "The world is awash in large-language model (LLM) AI (e.g., ChatGPT) news, predictions, and of course, content (all for good and ill). This talk takes a step back from the posturing and hype to look at how these models work, and how to detect the content they produce. We will look at the fundamentals of LLM-generated text detection, compare the best in breed: GPTZero, Roberta, and OpenAI's detector with a novel detector, ZipPy.\nZipPy is a new, open-source LLM text detector developed by Thinkst Labs that is 60-100x faster than the competition, over 1000x smaller (< 200KB), and for many types of content, more accurate. We will explain the intuition behind ZipPy, show how it works, and the types of content it struggles with. 
Finally we look at where LLMs can improve their stealth, and fundamental shortcomings in their designs that enable detection long-term.", "description": "Are LLMs going to upend, or just end the world? Will malevolent AIs spread disinformation and FUD to enslave humanity in a world of fear? Will Roko's Basilisk come to pass? In order to help stay these dramatic end-times, LLM detectors are here! We can build safe, AI-free zones to limit the digital \"noise\" that these models can blast out at scale, if only we can reliably detect and classify a content's origin.\nThis talk does a deep dive into the leading LLM text detectors, both open-source and commercial, and compares them against a number of different datasets. Next, we throw into the mix ZipPy, a novel open-source detector based on code written in the mid-1980s that outperforms the state-of-the-art in a number of dimensions. ZipPy is simple (less than 200 lines of Python), and it codifies the intuition about a core difference between LLMs and humans that no additional amount of data or training cores can overcome--being unique! Using ZipPy we can walk through the features used to differentiate a text's origins and how with a simple, embedded detector we can build a human-centric world where LLMs are used only to help us rather than subvert us.", "recording_license": "", "do_not_record": false, "persons": [{"code": "U9778S", "name": "Jacob Torrey", "avatar": "https://pretalx.com/media/avatars/U9778S_JoCcEEQ.webp", "biography": "Jacob is the Head of Labs at Thinkst Applied Research. Prior to that he managed the HW/FW/VMM security team at AWS, and was a Program Manager at DARPA's Information Innovation Office (I2O). At DARPA he managed a cyber security R&D portfolio including the Configuration Security, Transparent Computing, and Cyber Fault-tolerant Attack Recovery programs. 
Starting his career at Assured Information Security, he led the Computer Architectures group performing bespoke research into low-level systems security and programming languages. Jacob has been a speaker and keynote speaker at conferences around the world, from BlackHat USA, to SysCan, to TROOPERS and many more. When not in front of the computer, he enjoys trail running, volunteering as a firefighter/EMT, and hiking with his family.", "public_name": "Jacob Torrey", "guid": "b4dc04ee-1c7f-5523-b17a-d1fd8c23c2aa", "url": "https://pretalx.com/hack-lu-2023/speaker/U9778S/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/J3GJY9/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/J3GJY9/", "attachments": []}, {"guid": "5aaeb95c-f568-5850-bda6-3403a6715ed0", "code": "Q89X9U", "id": 31205, "logo": null, "date": "2023-10-19T10:40:00+02:00", "start": "10:40", "duration": "00:40", "room": "Salle Europe", "slug": "hack-lu-2023-31205-permissionless-universal-overlays", "url": "https://pretalx.com/hack-lu-2023/talk/Q89X9U/", "title": "Permissionless Universal Overlays", "subtitle": "", "track": "hack.lu", "type": "Talk", "language": "en", "abstract": "Both Android and iOS operating systems interact with the users using a constrained graphical interface, typically occupied at its majority by one application at a time while many of them can run in the background. That being said, a user must rely on the GUI provided by the application itself to verify its legitimacy. This type of behavior has raised concerns within the security research community that have been proved to be well founded, judging from the fact that multiple malware campaigns use GUI confusion as their main attack vector.  \n\nIn this paper we present a novel GUI attack that leverages the fact that an Android activity maintains its graphical state and can receive touches, while it's in the top of the back stack of the device home screen. 
Whilst most of the techniques that have been introduced so far require the SYSTEM_ALERT_WINDOW permission, the one we present is permissionless and makes use only of the FLAG_NOT_TOUCH_MODAL flag.  \n\nBy using this technique, we were able to create overlapping views over system dialogues, luring the user to unintentionally approve dangerous permissions and access to system services. Third party applications are also at risk, as it is possible to garble their UI by projecting fraudulent views that ostensibly belong to the targeted application's context. For the latter to be successful, the PACKAGE_USAGE_STATS permission must be obtained in order to identify the application that is currently in the foreground. \n\nGoogle addressed the issue (CVE-2021-39617) by not dispatching touches to critical decision windows which are fully or partially obscured, but 3rd party applications are still affected.", "description": "Brief Outline: \n- The Android User Interface  \n- GUI Confusion Attacks: The story so far \n- A behavior so far unnoticed \n- Attacking System Dialogs \n- Attacking 3rd party applications \n- Defense and Takeaways \n\nDetailed Outline: \n- The presentation starts with an overview of the Android User Interface, focusing on the components that are relative to the attack that I am going to describe.  \n- Then I am going to present a brief overview of the GUI Confusion techniques so far, and their mass scale usage as an attack vector from many modern malware campaigns. The objective is to give context to the audience about these attacks as well as to underline their impact and why they should not be underestimated. \n- The next (main) section describes the Android's back stack and focuses on the following behavior: \n -- When a new activity is pushed on the top of the stack, the overlapped one maintains its graphical state as well as the ability to receive touches from the user. 
The same behavior applies to system dialogues and system menus that are used to enable or disable special permissions.  \n -- When a transparent activity is pushed on the top of the stack it literally integrates the GUI of the one that was pushed lower. This creates the illusion that the overlapped activity is the one in the foreground. \n\n- An Android application can create a transparent activity and apply to its window one or a combination of many flags that are defined in the android.view.WindowManager.LayoutParams class.  \n- These flags can be used to define how a view reacts to user taps and choose to consume or dispatch them to an underlying view.  \n- In the next section I am going to describe my GUI confusion technique which leverages the behavior described in the previous section.  \nI first classify my targets as \"Single-Step\" (SS) and \"Multi-Step\" (MS) decision makers, where in the first class belong the dialogs where a single tap suffices to determine a critical permission approval. For the second class the user must be guided to a particular component of a particular screen to approve or decline a special permission (e.g., draw on top of other apps).  \n\nSS dialogs (like the ones that belong to Contacts/Camera/Call-Logs etc. permission controllers) can be overlapped using a single specially crafted activity.  \nFor MS dialogs I use a trampoline Activity which reforms itself according to a step indexing. \nIn both cases a tap is dispatched to the underlying view as long as the overlapping window carries the FLAG_NOT_TOUCH_MODAL flag. The taps can be tracked without implementing any special technique, since a single tap moves the activity to the PAUSE state. 
This event can't be interpreted as a signal to: \n-- End the activity for SS dialogs  \n-- Respawn a reformed activity for MS dialogs \n-- Hijack the user interaction for 3rd party applications \n\n- Finally, I demonstrate how from zero permissions my application gets dangerous and/or special permissions approved.   \n- In the next section I demonstrate how to attack 3rd party applications using only the PACKAGE_USAGE_STATS permission in order to track the activity that is currently in the foreground. The difference with similar \"App Switch\" attacks is that the overlay integrates the GUI of the victim app regardless of the activity that is currently active. As a showcase I demonstrate an approval of a fraudulent bank transaction which without my attack would be rejected by the user.     \n- In the last core section, I describe how to defend Android applications from this attack since, even though Google provided a fix for system dialogs, 3rd party applications are still vulnerable.  \n- Wrapping up and key takeaways.", "recording_license": "", "do_not_record": false, "persons": [{"code": "C3TJEK", "name": "Dimitrios Valsamaras", "avatar": "https://pretalx.com/media/avatars/C3TJEK_miSqX9P.webp", "biography": "A cybersecurity professional with expertise in mobile, web, and network penetration testing. Dimitrios holds a degree in Computer Science, majoring in Cryptography and Security, and has worked with top companies like Microsoft and Google. He is a frequent speaker at prominent security conferences such as BlackHat, Nullcon, Insomni'hack, and Troopers. 
He is passionate about reverse engineering and was a member of one of Greece's first reverse engineering research groups.", "public_name": "Dimitrios Valsamaras", "guid": "2d825898-2f94-5871-838f-c78b9e4ff800", "url": "https://pretalx.com/hack-lu-2023/speaker/C3TJEK/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/Q89X9U/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/Q89X9U/", "attachments": []}, {"guid": "69729f6c-b6d7-5365-8641-5e79bda1d260", "code": "EMHDSZ", "id": 31407, "logo": null, "date": "2023-10-19T11:20:00+02:00", "start": "11:20", "duration": "00:30", "room": "Salle Europe", "slug": "hack-lu-2023-31407-raiders-of-the-lost-arts", "url": "https://pretalx.com/hack-lu-2023/talk/EMHDSZ/", "title": "Raiders of the Lost Arts", "subtitle": "", "track": "hack.lu", "type": "Talk", "language": "en", "abstract": "Using outdated technologies and old methods to sabotage and engage companies and what can be done about it", "description": "Vintage clothing, computers from the 80s, vinyl and retro-games are all the rage: everything that was once old and outdated is making a comeback. Surely we infosec folk are unaffected by such trends. Aren't we at the bleeding edge of the future, protecting our assets with expensive vendor solutions that declare their effectiveness with proper buzzwords: Real-Time, Cloud Based and Always On? \n\nUnfortunately, this does not seem to be the case. Sure, some modern problems have been addressed, but old and sometimes even ancient attacks persist. Some of them don't show up in your logs, and some are difficult to defend against, assuming you are even looking for them. \n\nCan you DDoS a company by sending letters? How much revenue will you lose if the neighboring building receives an unexpected package? Who really gets into trouble when you drop a few USB sticks in the parking lot? 
\n\nLean back and enjoy an overview of the dangers of unencrypted, unauthenticated protocols, exploitation of human expectations, sabotage and how to spot if someone on the inside is trying to ruin your day without even touching their computer.", "recording_license": "", "do_not_record": false, "persons": [{"code": "AFFLRU", "name": "Stefan Hager", "avatar": "https://pretalx.com/media/avatars/AFFLRU_eXoKRc5.webp", "biography": "Stefan works for the Internet Security Team at German company DATEV eG. He started messing with computers in the 80s and turned it into a job  as a programmer in the early 90s. Since 2000 he has been securing networks and computers for various enterprises in Germany and Scotland. His main focus nowadays is security research, raising security awareness, coming up with creative solutions to security problems and discussing new ideas concerning threat mitigation. When not trying to do any of the stuff mentioned above, he is either travelling, producing hacker music and other electronic beats or gardening.", "public_name": "Stefan Hager", "guid": "1b262b2b-2319-5533-b4fa-c736e3586187", "url": "https://pretalx.com/hack-lu-2023/speaker/AFFLRU/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/EMHDSZ/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/EMHDSZ/", "attachments": []}, {"guid": "c1997c26-6235-573e-b294-6b4402af30e7", "code": "NN9AHG", "id": 37927, "logo": null, "date": "2023-10-19T13:30:00+02:00", "start": "13:30", "duration": "00:05", "room": "Salle Europe", "slug": "hack-lu-2023-37927-token-smart-contract-analyzer", "url": "https://pretalx.com/hack-lu-2023/talk/NN9AHG/", "title": "Token Smart Contract Analyzer", "subtitle": "", "track": "hack.lu lightning talk", "type": "Lightning talk", "language": "en", "abstract": "A Tool to Detect Fraudulent Token Contracts on Ethereum Blockchain", "description": "Smart contracts have demonstrated new ways to manage and trade digital assets, conduct financial 
transactions, and transform business processes. Several concepts have emerged to enable investors to own or trade digital assets. Trading platforms relying entirely on decentralized, known as decentralized exchanges, allow unrestricted financial transactions to exchange digital assets. Beyond the opportunities offered, using the decentralized environment remains complex to understand for most of its users, consequently giving adversaries opportunities to benefit from investors based on scamming schemes. The cryptocurrency market is damaged by malicious actors that aim to drain investor funds via scamming token smart contracts. This research paper initially highlights related problems with fraudulent token contracts. Further, it proposes a solution for identifying several fraudulent schemes in the crypto ecosystem via a dynamic algorithmic solution supported by the SC Analyzer tool based on real-time data.", "recording_license": "", "do_not_record": false, "persons": [{"code": "7LSVCM", "name": "TGrandjean", "avatar": null, "biography": "https://www.linkedin.com/in/thierrygrandjean/", "public_name": "TGrandjean", "guid": "81f32b9e-2aa7-57dc-9ccf-8f35ff373d7f", "url": "https://pretalx.com/hack-lu-2023/speaker/7LSVCM/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/NN9AHG/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/NN9AHG/", "attachments": []}, {"guid": "5cac56c0-3eea-5871-8573-b748fb17f494", "code": "VXJJP7", "id": 38184, "logo": null, "date": "2023-10-19T13:35:00+02:00", "start": "13:35", "duration": "00:05", "room": "Salle Europe", "slug": "hack-lu-2023-38184-suricata-language-server", "url": "https://pretalx.com/hack-lu-2023/talk/VXJJP7/", "title": "Suricata Language Server", "subtitle": "", "track": "hack.lu lightning talk", "type": "Lightning talk", "language": "en", "abstract": "Writing Suricata signatures is seen by some as a form of art and by most as a nightmare. 
This talk will introduce Suricata Language Server that is an implementation of LSP to get syntax checking and performance hints from your IDE when writing Suricata signatures.", "description": "Suricata Language Server (SLS) is released under the GPLv3 license and is known to work on most editors including vim, neovim, emacs, kate and Visual code.", "recording_license": "", "do_not_record": false, "persons": [{"code": "UREGS8", "name": "Eric Leblond", "avatar": "https://pretalx.com/media/avatars/UREGS8_lAVeWOo.webp", "biography": "\u00c9ric Leblond is the co-founder and chief technology officer (CTO) at Stamus Networks. He sits on the board of directors at Open Network Security Foundation (OISF).  \u00c9ric has more than 15 years of experience as co-founder and technologist of cybersecurity software companies and is an active member of the security and open-source communities. He has worked on the development of Suricata \u2013 the open-source network threat detection engine \u2013 since 2009 and is part of the Netfilter Core team, responsible for the Linux kernel's firewall layer. 
Eric is a respected expert and speaker on all things network security.", "public_name": "Eric Leblond", "guid": "5fe02908-a326-51fe-b668-cb092dbf45a3", "url": "https://pretalx.com/hack-lu-2023/speaker/UREGS8/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/VXJJP7/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/VXJJP7/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2023/submissions/VXJJP7/resources/Suricata_Language_Server_4_N3hw8zn.pdf", "type": "related"}]}, {"guid": "48314b78-a02d-55d7-b692-6b6b7badc457", "code": "7UTMU8", "id": 38193, "logo": null, "date": "2023-10-19T13:40:00+02:00", "start": "13:40", "duration": "00:05", "room": "Salle Europe", "slug": "hack-lu-2023-38193-wintermute-an-llm-pen-testing-buddy", "url": "https://pretalx.com/hack-lu-2023/talk/7UTMU8/", "title": "Wintermute: an LLM pen-testing buddy", "subtitle": "", "track": "hack.lu lightning talk", "type": "Lightning talk", "language": "en", "abstract": "The lightning talk will introduce an LLM-guided privilege-escalation tool designed for evaluating different LLMs and prompt strategies against a novel pen-testing benchmark.\n\nTL;DR: you got a new pentesting buddy who can help you hack away.", "description": "We analyze the impact of different prompt designs, benefits\nof in-context learning, and the advantages of offering highlevel guidance to LLMs. We discuss challenging areas for\nLLMs, including maintaining focus during testing, coping\nwith errors, and finally compare them with both stochastic\nparrots as well as with human hackers.\n\nThe research will be published on arxiv.org the week of hack.lu.", "recording_license": "", "do_not_record": false, "persons": [{"code": "CE8DBB", "name": "Aaron Kaplan", "avatar": "https://pretalx.com/media/avatars/CE8DBB_1LIHnzd.webp", "biography": "Aaron has been working at the national CERT of Austria between 2008 and 2020, he has a background in maths and computer science. 
Since 2020 he freelances mostly for EC-DIGIT-CSIRC, the IT security team of the European Commission. He is the co-founder of funkfeuer.at (community wifi mesh network), intelmq.org, a tool for automating the typical tasks of IT security teams.  He believes in using automation, open source and machine learning for improving the lives of DFIR folks.", "public_name": "Aaron Kaplan", "guid": "5866648c-53eb-5765-a256-689ee4b41e9f", "url": "https://pretalx.com/hack-lu-2023/speaker/CE8DBB/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/7UTMU8/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/7UTMU8/", "attachments": []}, {"guid": "d6b66f75-d9d9-512f-b157-9d0818d6dc89", "code": "YGXGV7", "id": 38207, "logo": null, "date": "2023-10-19T13:45:00+02:00", "start": "13:45", "duration": "00:05", "room": "Salle Europe", "slug": "hack-lu-2023-38207-slp-dos-amplification-someone-is-having-fun", "url": "https://pretalx.com/hack-lu-2023/talk/YGXGV7/", "title": "SLP DoS Amplification - someone is having fun", "subtitle": "", "track": "cti-summit lightning talk", "type": "Lightning talk", "language": "en", "abstract": "CVE-2023-29552 is a recent high profile vulnerability that allows for one of the most powerful and still working denial of service reflective amplification attack. \nSomeone has been having fun and we can see it.", "description": "CVE-2023-29552 is a recent high profile vulnerability that allows for one of the most powerful and still working denial of service reflective amplification attack. \nSomeone has been having fun and we can see it. 
\nIn five minutes, I will explain what this type of attack is and in particular CVE-2023-29552, who is affected and one of the several creative uses that allows us to see what is going on at the moment.", "recording_license": "", "do_not_record": false, "persons": [{"code": "LT7WAH", "name": "Pedro Umbelino", "avatar": "https://pretalx.com/media/avatars/LT7WAH_Ci5LCR4.webp", "biography": "Pedro is a security researcher and enthusiast for as long as he can remember. He started messing with computers on a Spectrum, watched the bulletin board systems being dropped for the Internet, and still roams around in IRC. Known by the handle [kripthor], he likes all kinds of hacks, hardware and software. If it\u2019s security related even better. Currently, he works at Bitsight as a Principal Security Researcher where he has the liberty to work on a wide range of security research topics.", "public_name": "Pedro Umbelino", "guid": "1f3f63c3-7aee-5dbf-938c-eb1411f6cead", "url": "https://pretalx.com/hack-lu-2023/speaker/LT7WAH/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/YGXGV7/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/YGXGV7/", "attachments": []}, {"guid": "b769035f-892e-5d4f-bda1-7d9e3c817854", "code": "9KSPFC", "id": 38208, "logo": null, "date": "2023-10-19T13:50:00+02:00", "start": "13:50", "duration": "00:05", "room": "Salle Europe", "slug": "hack-lu-2023-38208-der-editing-easy-peasy-with-asn1template", "url": "https://pretalx.com/hack-lu-2023/talk/9KSPFC/", "title": "DER Editing, Easy-Peasy with asn1template", "subtitle": "", "track": "cti-summit lightning talk", "type": "Lightning talk", "language": "en", "abstract": "Editing DER-encoded ASN.1 structures is pretty tedious work when done manually.\nSolutions to this problem exist. 
For instance, der-ascii [0] is a tool written in Go that helps with back and forth conversions from/to DER structures to/from a textual representation using a custom defined language.\nI present a somewhat short Perl script [1] that leverages the OpenSSL configuration language along with the ASN1_generate_nconf(3) function in order to achieve the same goal with almost no dependencies apart from Perl and OpenSSL.\nThis tool can be used to ease the exploitation of CVE-2022-0778 [2] & [3].\n\n[0] https://github.com/google/der-ascii\n[1] https://github.com/wllm-rbnt/asn1template\n[2] https://www.openssl.org/news/secadv/20220315.txt\n[3] https://github.com/drago-96/CVE-2022-0778#using-asn1-templates", "description": "https://github.com/wllm-rbnt/asn1template/blob/main/README.md", "recording_license": "", "do_not_record": false, "persons": [{"code": "MDGUJJ", "name": "William Robinet", "avatar": null, "biography": "William manages the technical team behind AS197692 at Conostix S.A. in Luxembourg. He\u2019s been working with free and open-source software on a daily basis for more than 25 years. Recently, he presented his ASN.1 templating tool at Pass The SALT 2023 in Lille. He contributed to the cleanup and enhancement efforts done on ssldump lately. 
He particularly enjoys tinkering with open and not-so-open hardware.", "public_name": "William Robinet", "guid": "075af6f5-73a1-59fa-8e9b-aa7494d1e864", "url": "https://pretalx.com/hack-lu-2023/speaker/MDGUJJ/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/9KSPFC/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/9KSPFC/", "attachments": [{"title": "slides", "url": "/media/hack-lu-2023/submissions/9KSPFC/resources/Hack.lu_2023_William_Robinet_DER_Editing_Easy-P_j7AhcR2.md", "type": "related"}]}, {"guid": "7f402b0e-6fc9-5e81-83dd-d7ed333dbe09", "code": "MFUYZL", "id": 38218, "logo": null, "date": "2023-10-19T13:55:00+02:00", "start": "13:55", "duration": "00:05", "room": "Salle Europe", "slug": "hack-lu-2023-38218-supply-chain-resilience-challenges-solutions", "url": "https://pretalx.com/hack-lu-2023/talk/MFUYZL/", "title": "Supply chain resilience: challenges & solutions", "subtitle": "", "track": "cti-summit lightning talk", "type": "Lightning talk", "language": "en", "abstract": "In today\u2019s interconnected world, organisations rely on a complex network of suppliers, providers, and contractors to deliver software, hardware, and services. However, this very interconnectedness poses a significant cybersecurity risk \u2013 supply chain attacks. In this lightning talk, we will share some insights & thoughts on managing and securing an organisation\u2019s supply chain.", "description": "In today\u2019s interconnected world, organisations rely on a complex network of suppliers, providers, and contractors to deliver software, hardware, and services. However, this very interconnectedness poses a significant cybersecurity risk \u2013 supply chain attacks. 
In this lightning talk, we will share some insights & thoughts on managing and securing an organisation\u2019s supply chain.", "recording_license": "", "do_not_record": true, "persons": [{"code": "YYXKHZ", "name": "Sa\u00e2d Kadhi", "avatar": "https://pretalx.com/media/avatars/YYXKHZ_dprgryQ.webp", "biography": "Sa\u00e2d has over 25 years of cybersecurity experience. An engineer by training, he started working in the fields of cyber threat intelligence, incident response and digital forensics more than a decade ago and never looked back.\n\nStarting from 2008, he built and managed the Computer Security Incident Response Team (CSIRT) of a French multinational food products corporation covering more than 120.000 employees worldwide and worked at the CERT of one of the major banking groups to fight against cybercrime and respond to cyberattacks.\n\nIn 2013, Sa\u00e2d joined Banque de France to create and develop their CERT, making it one of the most advanced central bank CSIRTs. In 2019, he became the Head of CERT-EU, the CERT for all the EU institutions, bodies, and agencies, a key cog of the EU\u2019s cybersecurity landscape and one of the most mature CERTs in the EU.\n\nDuring his long-standing cybersecurity career, Sa\u00e2d dealt with several major incidents and large-scale cyber crises.", "public_name": "Sa\u00e2d Kadhi", "guid": "2c370e49-6bc3-5b76-b4a6-e4e279190422", "url": "https://pretalx.com/hack-lu-2023/speaker/YYXKHZ/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/MFUYZL/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/MFUYZL/", "attachments": []}, {"guid": "e45fea72-2e3c-56d7-ab81-424e5c9b72dc", "code": "M8VTSS", "id": 31573, "logo": null, "date": "2023-10-19T14:00:00+02:00", "start": "14:00", "duration": "00:30", "room": "Salle Europe", "slug": "hack-lu-2023-31573-open-wounds-the-last-5-years-have-left-bluetooth-to-bleed", "url": "https://pretalx.com/hack-lu-2023/talk/M8VTSS/", "title": "Open Wounds: The last 5 
years have left Bluetooth to bleed", "subtitle": "", "track": "hack.lu", "type": "Talk", "language": "en", "abstract": "Over the past 20 years there have been 3 waves of Bluetooth (BT) security research. The first wave peaked in 2004, and rather abruptly ended after 2005. Then for a long time there was very low interest and activity. That began to change around 2011 with the release of BT Low Energy (BLE) and the Ubertooth One. But that wave too petered out around 2015. But we are now living in the 3rd wave, and it's far larger than past ones.\n\nIn this talk I will be releasing a TiddlyWiki-based, semantically-tagged timeline of BT security research. Talks have been tagged according to authorship, conferences, and dates, but also according to talk type (attack? defense? reverse engineering? overview?), attack surfaces (L2CAP? BLE LL? ACL-C?), execution environments (Android? Windows? Texas Instruments firmware?), etc. This organized data affords us interesting insights into the most important authors, tools, orgs, and attacks.\n\nI will spend the majority of the time talking about some of the extremely critical vulnerabilities (especially protocol-level vulnerabilities) that have been released in the 3rd wave. These are vulnerabilities that, despite ostensibly being patched, in reality mean that anything with infrequent or non-existent firmware updates is going to remain hackable indefinitely.", "description": ".", "recording_license": "", "do_not_record": false, "persons": [{"code": "97VVUB", "name": "Xeno Kovah", "avatar": "https://pretalx.com/media/avatars/97VVUB_6TUmKY3.webp", "biography": "Prior to working full time on OpenSecurityTraining2 (ost2.fyi), Xeno worked at Apple designing architectural support for firmware security, and code auditing firmware security implementations. A lot of what he did revolved around adding secure boot support to the main and peripheral processors (e.g. the Broadcom Bluetooth chip). 
He led the efforts to bring secure boot to Macs, first with T2-based Macs, and then with the massive architectural change of Apple Silicon Macs. Once the M1 Macs shipped, he left Apple to pursue the project he felt would be most impactful: creating free deep-technical online training material and growing the newly created OpenSecurityTraining 501(c)(3) nonprofit.", "public_name": "Xeno Kovah", "guid": "571b5263-4852-5bf1-9f4b-64e0227b8d3a", "url": "https://pretalx.com/hack-lu-2023/speaker/97VVUB/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/M8VTSS/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/M8VTSS/", "attachments": []}, {"guid": "e83e661b-ce15-5a78-a9b8-4a41f5418842", "code": "WULFLD", "id": 33869, "logo": null, "date": "2023-10-19T14:30:00+02:00", "start": "14:30", "duration": "00:30", "room": "Salle Europe", "slug": "hack-lu-2023-33869-the-rise-of-malicious-msix-file", "url": "https://pretalx.com/hack-lu-2023/talk/WULFLD/", "title": "The rise of malicious MSIX file", "subtitle": "", "track": "hack.lu", "type": "Talk", "language": "en", "abstract": "Since February 2023, we have observed an attack campaign using MSIX files. MSIX file is the successor format to MSI file, but many people are unaware of its existence and, needless to say, do not know of any abuse cases.\n\nThis session will first introduce basic information on MSIX file, such as the file format, basic behavior, and the creation method, followed by attack cases of MSIX file abuse. Specifically, we will detail attacks conducted by a financially motivated threat group called SteelClover. In particular, we will delve into the Package Support Framework (PSF). Our session will contribute to your better understanding of the attack flow and the behavior through specific attack cases abusing MSIX files.\n\nFinally, we will discuss detection and defense techniques, including the detection logics available for EDR solutions, against attacks that exploit MSIX files. 
This session will enable SOC analysts, IR team members, CSIRT personnel, and others to gain a deep understanding of the specific attack cases and behavior abusing MSIX files and to take concrete countermeasures.", "description": "# Basics of MSIX file\nFirst, we will present the basics of MSIX files, including how it was devised, what features it provides, and its file format and the behavior. We will also cover how to create MSIX files and its third-party builders. In addition, this chapter will provide what the Package Support Framework is and how it can be exploited by threat actors.\n\n# Attack Cases\nIn this chapter, we will detail specific attack cases of MSIX file abuse. In particular, we will share attack cases by an attack group we call SteelClover. SteelClover, also known as DEV-0569 or Water Minyades, is a financially motivated threat group that has been active since around 2019. This attack group delivers malware through Exploit Kit or fake software distribution starting with malvertising. We have confirmed that they began abusing MSIX files in March 2023. This chapter will briefly offer basic information on SteelClover and victimology, and then share specific attack flows. Additionally, we will show a detailed process tree and our analysis result of how a malicious MSIX file is delivered to a potential victim user, and how it causes a compromise when executed. This gives the audience an in-depth understanding of actual attack cases that exploit MSIX files.\n\n# Defense\nThis chapter will focus on defenses against attacks that exploit MSIX files. For example, it will provide interesting characteristics of file creation, process creation, and other behaviors, along with specific detection logic to detect these behaviors. MSIX files have many characteristic behaviors, and without knowing them, it is extremely difficult to understand the nature of the breach. 
This chapter will enable the audience to know how to protect your own organization against MSIX file abuses and to take concrete actions.\n\n# Wrap-Up\nFinally, we will wrap up our presentation. Based on specific attack cases of compromise using MSIX files, we will consider defensive measures to protect one's own organization from such threats. This session will help the audience gain a basic overview of an MSIX file and a deeper understanding of attack cases that exploit MSIX files, and to take concrete countermeasures.\n\n# Appendix: IoCs\nWe will list the IoCs of the malicious MSIX files presented in this session.", "recording_license": "", "do_not_record": false, "persons": [{"code": "RFZGDX", "name": "Shogo Hayashi", "avatar": "https://pretalx.com/media/avatars/RFZGDX_abtbFd3.webp", "biography": "Shogo Hayashi is a security analyst at NTT Security Holdings. His main specialization is responding to EDR detections, creating IoCs, analyzing malware and researching cyber threats. He is a cofounder of SOCYETI, an organization for sharing threat information and analysis techniques with SOC analysts in Japan. He has spoken at JSAC, VB, SAS, CODE BLUE and has written several white papers and blogs.", "public_name": "Shogo Hayashi", "guid": "d258bbf9-6dcc-5d78-862e-8ef6bcbbce36", "url": "https://pretalx.com/hack-lu-2023/speaker/RFZGDX/"}, {"code": "LAFQQS", "name": "Rintaro Koike", "avatar": "https://pretalx.com/media/avatars/LAFQQS_J44qyyR.webp", "biography": "Rintaro Koike is a security analyst at NTT Security Holdings. He is engaged in threat research and malware analysis. In addition, he is a founder of \"nao_sec\" and is in charge of threat research. He focuses on APT attacks targeting East Asia and web-based attacks. 
He has been a speaker at VB, SAS, AVAR, Black Hat USA Arsenal and others.", "public_name": "Rintaro Koike", "guid": "462119b6-67b5-54d9-aef1-9a1c16e36d31", "url": "https://pretalx.com/hack-lu-2023/speaker/LAFQQS/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/WULFLD/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/WULFLD/", "attachments": []}, {"guid": "1efda451-1a14-5607-84af-0f1dc823640c", "code": "YAQLW9", "id": 36586, "logo": null, "date": "2023-10-19T15:00:00+02:00", "start": "15:00", "duration": "00:20", "room": "Salle Europe", "slug": "hack-lu-2023-36586-reviving-our-oldest-tool-using-bayesian-inference-to-detect-cyber-attacks", "url": "https://pretalx.com/hack-lu-2023/talk/YAQLW9/", "title": "Reviving our oldest Tool - Using Bayesian inference to detect cyber attacks", "subtitle": "", "track": "hack.lu", "type": "Talk", "language": "en", "abstract": "Crowdsec is an open-source IDS/IPS and we recently added a detection capability that is based on Bayesian inference, a technique which has long been used to detect email spam. We show that this old and simple tool is still incredibly powerful and present how other threat analysts can improve their threat detection using Bayesian inference.", "description": "Crowdsec is an open source IPS/IDS that is built on the leaky bucket algorithm. This algorithm can detect a lot of common cyber attack patterns such as bruteforce attacks or exploits with known payload delivery vectors such as log4shell. However it is suboptimal at detecting attacks at the application level. To amend this we created the Bayesian bucket, which uses Bayesian inference internally to determine whether a given user is behaving in fraudulent ways. Bayesian inference has long been used to fight email spam and we show that it is quite adept at fighting other cybercrime. 
\nIn particular we present:\n* How we implemented the Bayesian bucket\n* How you can train it using our open source toolkit\n* A demo on real world data", "recording_license": "", "do_not_record": false, "persons": [{"code": "9UABYJ", "name": "Emanuel Seemann", "avatar": "https://pretalx.com/media/avatars/9UABYJ_igzIbNt.webp", "biography": "My name is Emanuel Seemann and I have been working as a Data Scientist at Crowdsec since 2022.\nI have a degree in pure mathematics from ETH Z\u00fcrich and got into programming by writing minecraft mods as a kid. Since then I have been hacking away at various coding projects in a variety of different languages. When I'm not behind my computer you can sometimes find me on the lake in a sailing boat.", "public_name": "Emanuel Seemann", "guid": "92e46203-49d8-5ec9-aff9-c50671cfda0a", "url": "https://pretalx.com/hack-lu-2023/speaker/9UABYJ/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/YAQLW9/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/YAQLW9/", "attachments": []}, {"guid": "e5ef2b2e-1381-5060-94bf-ee351d4671c7", "code": "YXMSQV", "id": 33744, "logo": null, "date": "2023-10-19T15:30:00+02:00", "start": "15:30", "duration": "00:30", "room": "Salle Europe", "slug": "hack-lu-2023-33744-using-apple-sysdiagnose-for-mobile-forensics-and-integrity-checks", "url": "https://pretalx.com/hack-lu-2023/talk/YXMSQV/", "title": "Using Apple Sysdiagnose for mobile forensics and integrity checks", "subtitle": "", "track": "hack.lu", "type": "Talk", "language": "en", "abstract": "The talk will demonstrate how to use\nSysdiagnose for forensics purposes of Apple devices. 
Sysdiagnose is a tool which was originally intended for other purposes.\n\nThe presenters will share with the audience hands-on experiences and share what works and what does not work with this approach.\n\nIncident responders will leave the talk with a deeper understanding of Sysdiagnose and a novel tool in their IR arsenal.", "description": "Intended audience: Incident handlers and forensic investigators.\n\nIntroduction:\n---------------\nFor a long time, the incident response analysis of iOS devices has been\u2026 essentially challenging.\n\nWhile the analyst is usually interested in understanding what the system was doing (system logs), typical acquisition tools only focus on collecting users\u2019 data. Thus they often do not provide what the incident responder was looking for. Furthermore, the usual way to get access to the full device is by jailbreaking the device or using specialised (expensive) tools reserved for law enforcement. Jailbreaking has the downside of breaking the chain of custody and therefore the trust in the final state of the device as well as the immutability of the analysis is put into question.\n\nEnter Sysdiagnose\u2026\n-----------------------\n\nThis talk will focus on repurposing an Apple feature which was originally intended for diagnostic and debugging purposes for developers as well as for repair shops.\nThe Sysdiagnose process on Apple devices collects data on how the system behaves and is typically what an analyst wants to look at.\n\nCollecting Sysdiagnose artefacts\n-----------------------------------\nSysdiagnose is triggered by a user action and creates archives containing system information in various formats, such as:\n- plist configuration files\n- logs and output of commands\n- sqlite databases with application histories etc.\n\nThe result can be extended by pushing extra profiles to the device that turn on extra debugging and enhance the content of the archive.\n\nCollecting Sysdiagnose archives on 
iOS\n-------------------------------------------\nWhile the process is well described on Apple\u2019s website, we will quickly show how to start the acquisition process on an iPhone and how to retrieve the data via a few different techniques ranging from AirDrop to typical forensic tools.\n\nCollecting Sysdiagnose archives on other Apple devices\n------------------------------------------------------------\nWhile the research motivating this talk is coming from the need to analyse iOS devices, in practice the features which we are looking at will be available throughout all of Apple OSes:\n- Mac OS (MacBook Air, MacBook Pro, Mac Pro, iMac\u2026)\n- Watch OS (Apple Watch)\n- iPad OS (for tablets)\n- TV OS (Apple TV)\n- \u2026\n\nExtracting information from Sysdiagnose archives and building a timeline\n------------------------------------------------------------------------------\nIn this part we will present some Python scripts to extract all timestamped information from the Sysdiagnose archive in order to build a timeline in your favorite timeline analysis tool.\n\nSplunk & Timesketch\nIn order to perform investigations on the gathered data, an easy solution is to import it into a dedicated SIEM. In this part, we will present how we standardise the outputs from our scripts to easily import them into tools like Splunk for further forensics analysis. We also developed a re-usable TimeSketch module to import the generated timeline in TimeSketch.\n\nChallenges\n--------------------\nSysdiagnose is calling different tools and commands to generate its output. Unfortunately, all those tools have their own output format, especially regarding timestamps. 
We will present some specificities of Sysdiagnose\u2019s output and how we handled them.\n\nIdentifying iOS system tampering using Sysdiagnose artefacts\n-------------------------------------------------------------------\nIn this section we show practically how an iOS device can be analysed by using the Sysdiagnose artefacts and their value: application update history, running processes, memory mapping\u2026\n\nExamples of investigation\n----------------------------\nIn this section we show practical examples of analysis with Sysdiagnose. We did a few Sysdiagnose acquisitions on test devices to simulate scenarios and prove the effectiveness of this analysis technique.\n\nIssues and limits of Sysdiagnose\n-----------------------------------\nThe Sysdiagnose process raises a few issues and concerns:\n\nThe data is collected by a process which runs on the investigated device. The output can only be trusted as long as it runs normally. Rootkits and binary alterations could affect the results and lead to wrong conclusions.\n\nThe format of the files included into the archive depends on the version of iOS and running applications. The SQLite DB schema, for instance, can radically change with an application update. Keeping a working toolset therefore requires continuous research, testing and validation.\n\nThe Sysdiagnose output is mostly undocumented. Every single file needs to be manually analysed and understood to correctly interpret the results and avoid wrong conclusions.\n\nAlternative ways to check integrity\n--------------------------------------\nIn this last section we will discuss how integrity can be checked by using more intrusive methods that could be combined with a jailbreak. 
While those techniques give full access, they will also question the value of the results from a forensic perspective due to their intrusiveness.\n\nReferences\n------------\nhttps://www.jessesquires.com/blog/how-to-sysdiagnose-ios/\nhttps://www.manpagez.com/man/1/sysdiagnose/\nhttps://github.com/cheeky4n6monkey/iOS_sysdiagnose_forensic_scripts\nhttps://www.apple.com/business/docs/site/iOS_Security_Guide.pdf\nhttps://developer.apple.com/bug-reporting/profiles-and-logs/\nhttps://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/", "recording_license": "", "do_not_record": false, "persons": [{"code": "HNXUYH", "name": "David Durvaux", "avatar": "https://pretalx.com/media/avatars/HNXUYH_8cwZKgA.webp", "biography": "Incident responder for more than a decade, I've been working for the European Commission since 2015. I'm currently in charge of the \"Situational Awareness, Threat Intelligence and Malware Analysis\" in the European Commission Internal CERT (EC Cybersecurity Operation Centre).", "public_name": "David Durvaux", "guid": "cf7f337c-71ab-546a-9a90-d45508b6ee44", "url": "https://pretalx.com/hack-lu-2023/speaker/HNXUYH/"}, {"code": "CE8DBB", "name": "Aaron Kaplan", "avatar": "https://pretalx.com/media/avatars/CE8DBB_1LIHnzd.webp", "biography": "Aaron worked at the national CERT of Austria between 2008 and 2020; he has a background in maths and computer science. Since 2020 he freelances mostly for EC-DIGIT-CSIRC, the IT security team of the European Commission. He is the co-founder of funkfeuer.at (community wifi mesh network) and intelmq.org, a tool for automating the typical tasks of IT security teams. 
He believes in using automation, open source and machine learning for improving the lives of DFIR folks.", "public_name": "Aaron Kaplan", "guid": "5866648c-53eb-5765-a256-689ee4b41e9f", "url": "https://pretalx.com/hack-lu-2023/speaker/CE8DBB/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/YXMSQV/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/YXMSQV/", "attachments": []}, {"guid": "f083481c-9ccb-51c2-975a-e23587d1264e", "code": "FXZEVC", "id": 36566, "logo": null, "date": "2023-10-19T16:15:00+02:00", "start": "16:15", "duration": "00:30", "room": "Salle Europe", "slug": "hack-lu-2023-36566-a-deep-dive-into-maritime-cybersecurity", "url": "https://pretalx.com/hack-lu-2023/talk/FXZEVC/", "title": "A deep dive into Maritime Cybersecurity.", "subtitle": "", "track": "hack.lu", "type": "Talk", "language": "en", "abstract": "We propose to provide an overview of the maritime sector's cybersecurity, its strengths and weaknesses, the attacks that are taking place and the initiatives being taken to deal with them.", "description": "Although it is still too little known, the maritime and port sector is essential to our modern economies. Ships and ports should now be seen as complex information systems. \nThis increased digitalisation brings with it new risks that must be taken into account by international organisations, administrations, public and private operators, shipowners and shipbuilders.\nWhat are the vulnerabilities? 
Which incidents happened over the last years?\nAfter a description of the sector for the non-mariners, we will take a deep dive into the maritime systems, and detail the unique incident statistics we compile at the Maritime Computer Emergency Response Team.", "recording_license": "", "do_not_record": true, "persons": [{"code": "GZSUMJ", "name": "JACQ", "avatar": "https://pretalx.com/media/avatars/GZSUMJ_I5zO4d9.webp", "biography": "Olivier JACQ is the Chief Technology Officer of the French non-profit organization France Cyber Maritime.\nFormer senior officer from the French Navy, he now contributes to helping the civilian maritime sector to deal with cybersecurity issues on technical and organizational aspects.\nHe holds a PhD from IMT Atlantique, a cybersecurity expert title from the French national cybersecurity agency (ANSSI) and a post-master's degree in cybersecurity from Centrale/Sup\u00e9lec.", "public_name": "JACQ", "guid": "d18a2896-3b0d-547a-88d0-b2d3292589a4", "url": "https://pretalx.com/hack-lu-2023/speaker/GZSUMJ/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/FXZEVC/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/FXZEVC/", "attachments": []}, {"guid": "b746cb67-c0c1-5396-bfd8-97012c99d13e", "code": "DCQYBF", "id": 33964, "logo": null, "date": "2023-10-19T16:45:00+02:00", "start": "16:45", "duration": "00:30", "room": "Salle Europe", "slug": "hack-lu-2023-33964-operation-duck-hunt-a-peak-behind-the-curtain-of-ducktail", "url": "https://pretalx.com/hack-lu-2023/talk/DCQYBF/", "title": "Operation Duck Hunt - A peak behind the curtain of DuckTail", "subtitle": "", "track": "hack.lu", "type": "Talk", "language": "en", "abstract": "This talk delves into the captivating story of DuckTail, a notorious infostealer operation that emerged as one of the prominent threats in 2022 and 2023. 
With a global reach, DuckTail effectively targeted both individuals and organizations, leveraging customized malware and innovative delivery techniques. Thriving in the remote work landscape driven by the COVID pandemic, DuckTail's success did not shield them from committing critical operational security (OPSEC) mistakes. These lapses ultimately led to the complete exposure of their operation and the individuals responsible for it. Join me as we explore the gripping pursuit of these cybercriminals, unraveling their intricate methods and providing an exceptional glimpse into the workings of a criminal enterprise.", "description": "Through an extensive investigation into DuckTail's infrastructure, a critical vulnerability in their exfiltration methodology was uncovered. The exploitation of this flaw resulted in the acquisition of numerous screenshots extracted from the personal machines of the threat actors, exposing glaring deficiencies in operational security (OPSEC) practices.\n\nThese screenshots provide a revealing glimpse into various aspects of DuckTail's operations. Notably, they divulge fragments of the infostealer's source code, reveal the techniques employed by the threat actors to disseminate the malware, and unveil confidential dialogues exchanged among the perpetrators, ultimately leading to their identification.\n\nThis talk will delve into the intricacies of DuckTail's exfiltration infrastructure and its inherent weakness. I will demonstrate the threat actors' methods of infection and delivery. 
Furthermore, attendees will gain invaluable insights into the clandestine activities that unfolded behind the scenes, providing a comprehensive understanding of the broader context.\n\nIt will shed light on the concealed elements of DuckTail's operations, offering a unique opportunity to deepen your knowledge of the evolving cyber threat landscape, highlighting how modern criminal enterprises operate and infect their targets.", "recording_license": "", "do_not_record": false, "persons": [{"code": "HGKMZE", "name": "Pol Thill", "avatar": "https://pretalx.com/media/avatars/HGKMZE_Arth9I2.webp", "biography": "Pol Thill lives for the hunt! Be it nation-state adversary or eCrime actor, he will explore any means to expose their operations and unmask the individuals hiding behind the digital veil. Drawing upon this expertise, Pol has held different Threat Intelligence positions as well as led the Luxembourgish cybersecurity team. Cybercriminal investigations are what he thrives for.", "public_name": "Pol Thill", "guid": "5222ecd7-9e31-55f2-8894-b76ed56b5237", "url": "https://pretalx.com/hack-lu-2023/speaker/HGKMZE/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/DCQYBF/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/DCQYBF/", "attachments": []}, {"guid": "7c555cff-7e27-5022-a414-13d8800c8d0a", "code": "MGMYZA", "id": 33919, "logo": null, "date": "2023-10-19T17:15:00+02:00", "start": "17:15", "duration": "00:30", "room": "Salle Europe", "slug": "hack-lu-2023-33919-1-kunai-your-new-threat-hunting-tool-for-linux", "url": "https://pretalx.com/hack-lu-2023/talk/MGMYZA/", "title": "Kunai: your new Threat Hunting tool for Linux", "subtitle": "", "track": "cti-summit", "type": "Talk", "language": "en", "abstract": "Linux is an open-source OS; however, performing Threat Hunting on Linux using open-source software (OSS) is not easy, as only a few tools are available and maintained. 
A port of the well-known Sysmon tool, originally developed for MS Windows, has been made for Linux, but it suffers from several issues. In this presentation, I will introduce a brand-new open-source tool I have been working on for several months. This tool aims to be a Sysmon alternative for Linux and provides several features that Sysmon does not offer.", "description": "This presentation aims to introduce the community to Kunai, a new Threat Hunting tool designed specifically for Linux Systems.\n\nI'll start by discussing the project's origin and my motivations for initiating it, followed by an exploration of the tool's inner workings and implementation details. This section will conclude with an overview of the challenges encountered during the tool's development.\n\nNext, I will highlight its key features, emphasizing how it differs from existing tools. The latter part of this section will explore practical Threat Hunting scenarios that can be realized with the tool.\n\nIn conclusion, I will summarize the key takeaways from this tool and share our future plans for its development.", "recording_license": "", "do_not_record": false, "persons": [{"code": "3JVRZM", "name": "Quentin JEROME", "avatar": "https://pretalx.com/media/avatars/3JVRZM_2Q2w1d8.webp", "biography": "Quentin worked as an incident responder for several years before focusing on endpoint threat detection. He recently dedicated all his time to developing several open-source projects. 
His main topics of interest range from threat detection to bug hunting, but what he likes the most is to develop tools and open-source them when he judges it is relevant enough to do so.", "public_name": "Quentin JEROME", "guid": "76a359a8-f57d-5e2c-b37b-4a2747e28a87", "url": "https://pretalx.com/hack-lu-2023/speaker/3JVRZM/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/MGMYZA/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/MGMYZA/", "attachments": []}], "Schengen 1 and 2": [{"guid": "59acb14b-d5e7-5391-913b-a5ec8e2d2b82", "code": "7G8EKN", "id": 33976, "logo": null, "date": "2023-10-19T14:00:00+02:00", "start": "14:00", "duration": "02:00", "room": "Schengen 1 and 2", "slug": "hack-lu-2023-33976-full-stack-forensics-with-foss", "url": "https://pretalx.com/hack-lu-2023/talk/7G8EKN/", "title": "Full Stack Forensics with FOSS", "subtitle": "", "track": "hack.lu", "type": "Training", "language": "en", "abstract": "This workshop will showcase a suite of free and open source tools to leverage\nthreat intelligence in DFIR investigations. Participants will be setting up a\nfull forensics pipeline, including collection ([GRR](https://github.com/google/grr)), processing\n([Plaso](https://github.com/log2timeline/plaso)) and analysis ([Timesketch](https://github.com/google/timesketch/)), and orchestration\n([dfTimewolf](https://github.com/log2timeline/dftimewolf)). In addition to that, they'll be using [Yeti](https://github.com/yeti-platform/yeti) to augment\ntheir processing and analysis with threat intelligence.\n\nThe workshop will last two hours and is open for anyone to attend. Experience\ninstalling packages on Linux and using the Linux CLI in general is required.\nExperience running and managing Docker containers would be a nice addition.\n\nParticipants will be given an initial list of Docker containers to pull and set\nup before the workshop.\n\n[UPDATE] Here's the list! 
https://docs.google.com/document/d/1TKqOleH2rdtPjybUt3PYybJ7RrH59kqaHnmywJhRPGk/preview\n\n[UPDATE2] Here are the slides with the links to everything: https://docs.google.com/presentation/d/1_IIhazlZF4Nxa_fn4YJ0SieFPJGzP91OwuAO4LIUWOg/edit#slide=id.g24fcb0d3240_0_70", "description": "- Introduction\n  - What to expect of the workshop\n- Quick tour / install / configuration\n  - Timesketch\n  - Yeti\n- Adding some forensics intelligence to Yeti\n- Your first forensic analysis with Timesketch!\n- Adding threat intelligence to the mix\n\nOptional (if time permits)\n  - dfTimewolf\n  - Configuring all these tools to work together, triggering a first analysis\n    using dfTimewolf.\n  - Tweaking Timesketch analyzers", "recording_license": "", "do_not_record": false, "persons": [{"code": "MMJXP7", "name": "Thomas Chopitea", "avatar": "https://pretalx.com/media/avatars/MMJXP7_6atuyJn.webp", "biography": "Thomas has been a DFIR practitioner for 10+ years. He's currently a Security Engineer in the DFIR team at Google who loves running towards the proverbial cyber fires. He enjoys detective work and poking malware with a long stick, and has given talks about DFIR, malware analysis, and threat intelligence at many conferences throughout Europe and the US.", "public_name": "Thomas Chopitea", "guid": "8506ec53-3b08-55eb-b774-6f5d14b6bfb4", "url": "https://pretalx.com/hack-lu-2023/speaker/MMJXP7/"}, {"code": "7S7N3Z", "name": "S\u00e9bastien Larinier", "avatar": "https://pretalx.com/media/avatars/7S7N3Z_o2UR7Jx.webp", "biography": "A lecturer and researcher at ESIEA and an independent consultant in Threat Intelligence, he contributes to numerous open source projects such as MISP and Yeti. 
He is also the author of numerous articles, an international speaker and lecturer on malware analysis, digital forensics and Cyber Threat Intelligence at ESIEA, and co-author of the book \"Cybers\u00e9curit\u00e9 et Malwares\nD\u00e9tection, analyse et Threat Intelligence (4e \u00e9dition)\".", "public_name": "S\u00e9bastien Larinier", "guid": "562334ce-ad75-5991-9c69-2bc9aa64b5e1", "url": "https://pretalx.com/hack-lu-2023/speaker/7S7N3Z/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/7G8EKN/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/7G8EKN/", "attachments": []}, {"guid": "ed4ef4bd-3bbe-50a8-803e-cb853f84d59d", "code": "TLTFKF", "id": 37977, "logo": null, "date": "2023-10-19T16:15:00+02:00", "start": "16:15", "duration": "01:30", "room": "Schengen 1 and 2", "slug": "hack-lu-2023-37977-building-your-own-workflows-in-misp-tutorial-and-hands-on", "url": "https://pretalx.com/hack-lu-2023/talk/TLTFKF/", "title": "Building Your Own Workflows in MISP: Tutorial and Hands-on", "subtitle": "", "track": "hack.lu", "type": "Workshop", "language": "en", "abstract": "MISP has been a widely used open source CTI platform for the past decade, with a long list of tools that allow users to customise the data models and contextualisation of the platform, yet true customisation of the actual workflows and processes had to be done externally using custom scripts.\nWith the introduction of MISP workflows, this has changed and the workshop aims to walk the audience through some of the potential ideas of how one could adapt the tool to their own CSIRT\u2019s or SOC\u2019s workflows by using some hands-on examples during the session.", "description": "MISP has been a widely used open source CTI platform for the past decade, with a long list of tools that allow users to customise the data models and contextualisation of the platform, yet true customisation of the actual workflows and processes had to be done externally using custom 
scripts.\nWith the introduction of MISP workflows, this has changed and the workshop aims to walk the audience through some of the potential ideas of how one could adapt the tool to their own CSIRT\u2019s or SOC\u2019s workflows by using some hands-on examples during the session.", "recording_license": "", "do_not_record": false, "persons": [{"code": "97JCN3", "name": "Sami Mokaddem", "avatar": "https://pretalx.com/media/avatars/97JCN3_QhVvyTt.webp", "biography": "Sami Mokaddem is a software developer who has been contributing to the open-source community since 2016 in the fields of information sharing and leak detection. He is working for CIRCL and is part of the MISP core team where he develops and maintains the software as well as its related tools.", "public_name": "Sami Mokaddem", "guid": "cd021274-5dce-5ab6-9d82-a8c0ec5653e4", "url": "https://pretalx.com/hack-lu-2023/speaker/97JCN3/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/TLTFKF/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/TLTFKF/", "attachments": []}], "Echternach&Diekirch": [{"guid": "67f198df-b17a-5318-9f0d-341c686a4fbb", "code": "UDFFNS", "id": 32590, "logo": null, "date": "2023-10-19T09:00:00+02:00", "start": "09:00", "duration": "01:30", "room": "Echternach&Diekirch", "slug": "hack-lu-2023-32590-7-dismantle-the-bomb", "url": "https://pretalx.com/hack-lu-2023/talk/UDFFNS/", "title": "Dismantle the bomb", "subtitle": "", "track": "hack.lu", "type": "Workshop", "language": "en", "abstract": "Stop the countdown timer and dismantle the bomb by cutting the correct cable.", "description": "In a 90 minute workshop a team of max. 5 persons can enter the room. During the first 15 minutes they will receive a briefing on the mission. 
The countdown timer starts the mission (75 minutes).\nThe goal is to stop the countdown timer connected to a bomb fixed on a 10l white paint bucket.", "recording_license": "", "do_not_record": false, "persons": [{"code": "ZTMXFW", "name": "Stijn Tomme", "avatar": "https://pretalx.com/media/avatars/ZTMXFW_uIVfOdZ.webp", "biography": "Trying to combine fun and security", "public_name": "Stijn Tomme", "guid": "72d4eecd-fd65-583c-ac6c-539924adfa0d", "url": "https://pretalx.com/hack-lu-2023/speaker/ZTMXFW/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/UDFFNS/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/UDFFNS/", "attachments": []}, {"guid": "f2af325c-0450-5273-b5e3-c64540b3959f", "code": "UDFFNS", "id": 32590, "logo": null, "date": "2023-10-19T10:30:00+02:00", "start": "10:30", "duration": "01:30", "room": "Echternach&Diekirch", "slug": "hack-lu-2023-32590-8-dismantle-the-bomb", "url": "https://pretalx.com/hack-lu-2023/talk/UDFFNS/", "title": "Dismantle the bomb", "subtitle": "", "track": "hack.lu", "type": "Workshop", "language": "en", "abstract": "Stop the countdown timer and dismantle the bomb by cutting the correct cable.", "description": "In a 90 minute workshop a team of max. 5 persons can enter the room. During the first 15 minutes they will receive a briefing on the mission. 
The countdown timers starts the mission (75 minutes)\nGoal is to stop the countdown timer connected to a bomb fixed on a 10l white paint bucket", "recording_license": "", "do_not_record": false, "persons": [{"code": "ZTMXFW", "name": "Stijn Tomme", "avatar": "https://pretalx.com/media/avatars/ZTMXFW_uIVfOdZ.webp", "biography": "Trying to combine fun and security", "public_name": "Stijn Tomme", "guid": "72d4eecd-fd65-583c-ac6c-539924adfa0d", "url": "https://pretalx.com/hack-lu-2023/speaker/ZTMXFW/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/UDFFNS/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/UDFFNS/", "attachments": []}, {"guid": "6b831958-79f8-5502-886c-a01f36de52e2", "code": "UDFFNS", "id": 32590, "logo": null, "date": "2023-10-19T14:00:00+02:00", "start": "14:00", "duration": "01:30", "room": "Echternach&Diekirch", "slug": "hack-lu-2023-32590-9-dismantle-the-bomb", "url": "https://pretalx.com/hack-lu-2023/talk/UDFFNS/", "title": "Dismantle the bomb", "subtitle": "", "track": "hack.lu", "type": "Workshop", "language": "en", "abstract": "Stop the countdown timer and dismantle the bomb by cutting the correct cable.", "description": "In a 90 minute workshop a team of max. 5 persons can enter the room. During the first 15 minutes they will receive a briefing on the mission. 
The countdown timers starts the mission (75 minutes)\nGoal is to stop the countdown timer connected to a bomb fixed on a 10l white paint bucket", "recording_license": "", "do_not_record": false, "persons": [{"code": "ZTMXFW", "name": "Stijn Tomme", "avatar": "https://pretalx.com/media/avatars/ZTMXFW_uIVfOdZ.webp", "biography": "Trying to combine fun and security", "public_name": "Stijn Tomme", "guid": "72d4eecd-fd65-583c-ac6c-539924adfa0d", "url": "https://pretalx.com/hack-lu-2023/speaker/ZTMXFW/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/UDFFNS/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/UDFFNS/", "attachments": []}], "Hollenfels": [{"guid": "d3bd9421-519e-5644-9e78-5ff75d00816e", "code": "PFNABT", "id": 33430, "logo": null, "date": "2023-10-19T14:00:00+02:00", "start": "14:00", "duration": "02:00", "room": "Hollenfels", "slug": "hack-lu-2023-33430-cyberchef-enhancing-existing-operations-and-adding-new-operations", "url": "https://pretalx.com/hack-lu-2023/talk/PFNABT/", "title": "CyberChef: Enhancing Existing Operations and Adding New Operations", "subtitle": "", "track": "hack.lu", "type": "Training", "language": "en", "abstract": "In this 2 hour workshop, Didier will start with a quick intro to CyberChef, with some simple exercises, and then we will setup a development environment for CyberChef.\nIn this environment, we will start with simple exercises (enhancing existing operations) and then move on to creating your own operations from scratch.\nThe operations will focus on blue team activities, like assisting with the analysis of malware.", "description": "Like usual with workshops from Didier Stevens, this will be very hands-on with many exercises.\nThis workshop requires a Linux laptop or a Windows/Linux/Mac laptop with a Linux virtual machine.", "recording_license": "", "do_not_record": false, "persons": [{"code": "UY3X3H", "name": "Didier Stevens", "avatar": 
"https://pretalx.com/media/avatars/UY3X3H_9zuIVU6.webp", "biography": "Didier is Senior Analyst, working for NVISO.\n\nNext to his professional activities, Didier is also a\u00a0Microsoft MVP (2011-2016 awarded MVP Consumer Security,\u00a02016-2023 awarded MVP Windows Insider) and a SANS Internet\u00a0Storm Center Senior Handler.\u00a0\n\nHe is an expert in malicious documents (PDF and Microsoft\u00a0Office), pioneering research into\u00a0maldocs and authoring free,\u00a0open-source analysis tools and private red team tools.", "public_name": "Didier Stevens", "guid": "f86cddce-84b3-5a22-be80-fe7131be41f8", "url": "https://pretalx.com/hack-lu-2023/speaker/UY3X3H/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/PFNABT/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/PFNABT/", "attachments": []}], "Vianden&Wiltz": [{"guid": "836f8f53-24ef-52b2-909b-2cfc58eea32b", "code": "MSZDZD", "id": 33924, "logo": "https://pretalx.com/media/hack-lu-2023/submissions/MSZDZD/dfirtrack_logo_ig5vAHA.png", "date": "2023-10-19T10:00:00+02:00", "start": "10:00", "duration": "02:00", "room": "Vianden&Wiltz", "slug": "hack-lu-2023-33924-dfirtrack-the-incident-response-tracking-application", "url": "https://pretalx.com/hack-lu-2023/talk/MSZDZD/", "title": "DFIRTrack - The Incident Response Tracking Application", "subtitle": "", "track": "hack.lu", "type": "Training", "language": "en", "abstract": "DFIRTrack (Digital Forensics and Incident Response Tracking application) is an open source web application focused on handling major incidents with many affected systems. This workshop will show you how to use DFIRTrack in an efficient way using the various features.", "description": "Are you an Incident Responder working on large (customer) security incidents? Are you tired of maintaining huge spreadsheets (aka _Spreadsheet of DOOM_)? Do you have to manually create customer system or artifact reports? 
Then DFIRTrack may be just what you are looking for...\n\nIn this workshop we will show you how to install, configure and use DFIRTrack. We will cover the following features in detail:\n- Installation (manually and using docker or ansible)\n- Configuration and customization\n- Overview of the main entities (systems, artifacts, tasks, ...)\n- Import, export and manipulation capabilities\n- Automation through scheduled tasks and workflows\n- Roadmap, feedback and feature discussion\n\nMost things will be done through hands-on examples. A notebook is required, ideally with a working Docker setup.", "recording_license": "", "do_not_record": false, "persons": [{"code": "MPKQBJ", "name": "Mathias Stuhlmacher", "avatar": "https://pretalx.com/media/avatars/MPKQBJ_o72huSi.webp", "biography": "Digital Forensics analyst for more than 9 years, Incident Response consultant for more than 7 years, Remediation avoider since forever, initial creator of _DFIRTrack_ and _Awesome Event IDs_.", "public_name": "Mathias Stuhlmacher", "guid": "6584c1e4-beb2-563b-9a5d-335772134027", "url": "https://pretalx.com/hack-lu-2023/speaker/MPKQBJ/"}, {"code": "ACWKJR", "name": "Lionne Stangier", "avatar": null, "biography": "Lionne has 7+ years of experience in the IT security sector. 
He has been working as an Incident Response Analyst for about 3 years and is a DFIRtrack contributor.", "public_name": "Lionne Stangier", "guid": "1d5e24df-55a0-5b87-b8f7-f7f1bb740841", "url": "https://pretalx.com/hack-lu-2023/speaker/ACWKJR/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/MSZDZD/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/MSZDZD/", "attachments": []}, {"guid": "65b5970a-196a-5533-97b1-9ca5c2818d71", "code": "9ZY9VJ", "id": 32704, "logo": "https://pretalx.com/media/hack-lu-2023/submissions/9ZY9VJ/screen4twitter_AFiwZ7a.png", "date": "2023-10-19T14:00:00+02:00", "start": "14:00", "duration": "03:00", "room": "Vianden&Wiltz", "slug": "hack-lu-2023-32704-as-we-are-many", "url": "https://pretalx.com/hack-lu-2023/talk/9ZY9VJ/", "title": "As We Are Many", "subtitle": "", "track": "hack.lu", "type": "Training", "language": "en", "abstract": "On a Linux system we will prepare a USB stick with 3 little test files like 'test1.txt', 'test2.txt' and 'test3.txt' with some little test content inside. If connecting the spooky USB stick to a Windows based PC (VM guest) the USB stick is mounted and we see three '.txt' files. But the content is different and doesn't match the content we created on the Linux PC.\n\nAnalyzing the stick with different tools leads to confusing results. It does not help to understand what is going wrong here. The idea of this workshop is to provide the students with the knowledge to build their own *spooky* USB stick.", "description": "On a Linux system we will prepare a USB stick with 3 little test files like 'test1.txt', 'test2.txt' and 'test3.txt' with some little test content inside. If connecting the spooky USB stick to a Windows based PC (VM guest) the USB stick is mounted and we see three '.txt' files. But the content is different and doesn't match the content we created on the Linux PC.\n\nAnalyzing the stick with different tools leads to confusing results. 
It does not help to understand what is going wrong here. The idea of this workshop is to provide the students with the knowledge to build their own *spooky* USB stick.\n\nStudents should bring a Linux-like workstation and an empty USB stick, to build their own *spooky* USB stick. A VM with a Windows OS guest system would help to test the results.\n\nAttendees should be familiar with the command line interface.", "recording_license": "", "do_not_record": false, "persons": [{"code": "89MNER", "name": "Michael Hamm", "avatar": "https://pretalx.com/media/avatars/89MNER_YoJRQ4I.webp", "biography": "Michael Hamm, Operator and analyst at Computer Incident Response Center Luxembourg (CIRCL), c/o \"Luxembourg House of Cybersecurity\"\n\nMichael Hamm has worked for more than 10 years as Ingenieur-S\u00e9curit\u00e9 in the field of classical Computer and Network Security (Firewall, VPN, AntiVirus) at the research center \u201cCRP Henri Tudor\u201d in Luxembourg. Since 2010, he has been working as an operator and analyst at CIRCL \u2013 Computer Incident Response Center Luxembourg where he is working on forensic examinations and incident response.", "public_name": "Michael Hamm", "guid": "070278ee-5681-547b-ab87-e58dc2c93998", "url": "https://pretalx.com/hack-lu-2023/speaker/89MNER/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2023/talk/9ZY9VJ/feedback/", "origin_url": "https://pretalx.com/hack-lu-2023/talk/9ZY9VJ/", "attachments": []}]}}]}}}