{"$schema": "https://c3voc.de/schedule/schema.json", "generator": {"name": "pretalx", "version": "2026.1.1"}, "schedule": {"url": "https://pretalx.com/hack-lu-2024/schedule/", "version": "0.56", "base_url": "https://pretalx.com", "conference": {"acronym": "hack-lu-2024", "title": "hack.lu 2024", "start": "2024-10-22", "end": "2024-10-25", "daysCount": 4, "timeslot_duration": "00:05", "time_zone_name": "Europe/Luxembourg", "colors": {"primary": "#353535"}, "rooms": [{"name": "Europe - Main Room", "slug": "3492-europe-main-room", "guid": "9d6e8719-8307-5181-b294-e12282cd00e4", "description": null, "capacity": 440}, {"name": "Schengen 1 & 2", "slug": "3493-schengen-1-2", "guid": "ae872792-8282-567a-9ed0-ff004a9d9fa7", "description": null, "capacity": 100}, {"name": "Echternach & Diekirch", "slug": "3494-echternach-diekirch", "guid": "ee6ea1f0-9de9-5741-868e-7f864838a948", "description": null, "capacity": 30}, {"name": "Hollenfels", "slug": "3495-hollenfels", "guid": "88d44223-e88d-506d-a438-20dba5a9f3da", "description": null, "capacity": 100}, {"name": "Vianden & Wiltz", "slug": "3496-vianden-wiltz", "guid": "c099a96a-62b8-51f6-939c-530656416574", "description": null, "capacity": 60}], "tracks": [{"name": "hack.lu lightning talk", "slug": "4863-hacklu-lightning-talk", "color": "#8F8A1D"}, {"name": "cti-summit lightning talk", "slug": "4864-cti-summit-lightning-talk", "color": "#9F7E7E"}, {"name": "topic: CTI", "slug": "4861-topic-cti", "color": "#2071D0"}, {"name": "topic: hack.lu", "slug": "4862-topic-hacklu", "color": "#D52E2E"}], "days": [{"index": 1, "date": "2024-10-22", "day_start": "2024-10-22T04:00:00+02:00", "day_end": "2024-10-23T03:59:00+02:00", "rooms": {"Europe - Main Room": [{"guid": "c3030571-383c-5f76-89e8-fcda7865e482", "code": "LGQTXM", "id": 51710, "logo": null, "date": "2024-10-22T09:00:00+02:00", "start": "09:00", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-51710-insights-from-modern-botnets", "url": 
"https://pretalx.com/hack-lu-2024/talk/LGQTXM/", "title": "Insights from Modern Botnets", "subtitle": "", "track": "topic: hack.lu", "type": "Talk", "language": "en", "abstract": "Botnets have managed to stay relevant in a number of ways, from the incorporation of phishing in their attack chains to a subscription service model. Their adaptability has proved that botnets indeed still represent an effective way to launch devastating attacks. In this talk, we will present a comprehensive overview of our latest research on new groups, delving into their organizational structures, codebases, and tactics. We will explore how these malicious actors share information, select their targets, and offer their services. By sharing our findings, we hope to raise awareness and facilitate a better understanding of these threats, ultimately contributing to the development of more effective countermeasures.", "description": "Botnets represent a significant and evolving threat in the cybersecurity landscape. This presentation aims to shed light on the inner workings of these networks based on extensive research and real-world examples. Attendees will gain insights into:\r\n\r\n* Organization and Structure: Understanding how modern botnets are set up and managed.\r\n* Code Analysis: A deep dive into the types of code used by botnet operators.\r\n* Information Sharing: Exploring whether and how these networks share data amongst themselves.\r\n* Victim Selection: Analyzing the criteria and methods used to choose targets.\r\n\r\nOur aim is to provide a global view of the current state of botnets, offering valuable knowledge that can aid in the detection, analysis, and mitigation of these threats. 
This talk is designed for security professionals, researchers, and anyone interested in understanding the complexities and dangers posed by botnets in today's digital world.", "recording_license": "", "do_not_record": true, "persons": [{"code": "YAWMUQ", "name": "Miguel", "avatar": "https://pretalx.com/media/avatars/YAWMUQ_1tUO4Kl.webp", "biography": "Miguel Hern\u00e1ndez, Sr. Threat Research Engineer at Sysdig, is a lifelong learner with a passion for innovation. Over the past decade, Miguel has honed his expertise in security research, leaving his mark at prominent tech companies and fostering a spirit of collaboration through personal open-source initiatives. Miguel has been a featured speaker at cybersecurity conferences such as HITB, HIP, CCN-CERT, RootedCon, TheStandoff, Bsides Barcelona, and Codemotion, among others.", "public_name": "Miguel", "guid": "61d0b823-cf78-524d-8c9b-0fd18873aeb3", "url": "https://pretalx.com/hack-lu-2024/speaker/YAWMUQ/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/LGQTXM/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/LGQTXM/", "attachments": [{"title": "SLIDES HACKLU 2024 - Insights from Modern Botnets", "url": "/media/hack-lu-2024/submissions/LGQTXM/resources/Shared_Exter_qJ7xnN6.pdf", "type": "related"}]}, {"guid": "b815eb75-1cef-5c4b-a22e-de67c3a45159", "code": "JJVXKP", "id": 56366, "logo": null, "date": "2024-10-22T09:30:00+02:00", "start": "09:30", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-56366-neurocti-a-custom-llm-for-cti-benchmarking-successes-failures-and-lessons-learned-updates", "url": "https://pretalx.com/hack-lu-2024/talk/JJVXKP/", "title": "NeuroCTI - a custom LLM for CTI - benchmarking, successes, failures and lessons learned (updates)", "subtitle": "", "track": "topic: CTI", "type": "Talk", "language": "en", "abstract": "LLMs turn out to be highly practical for summarising and extracting information from unstructured Cyber Threat 
Intelligence (CTI) reports. However, most models were not trained specifically for understanding CTI. We will present a custom LLM, fine-tuned for CTI purposes. But of course, that only makes sense with a CTI text benchmark dataset. Creating these two systems is a challenging journey. Set-backs guaranteed. We will share our findings.", "description": "(This is an update from the FIRSTCON24 talk)\r\n\r\nMany CTI practitioners and companies experimented with LLMs for extracting information from unstructured CTI reports in the last year. Often, the dream is to automate the analyst's job to correctly identify, copy & paste TTPs, threat actors and relationships from the report and to convert it into STIX. \r\n\r\nAlas, off-the-shelf LLMs often fail at this task (GPT-4-turbo being already pretty good at the submission time). But there is another caveat: the requirements for IT security often demand that data remains on-premise or at least in a virtual server which is fully and only under the control of the organisation's IT team. For that we need local LLMs (as opposed to cloud bases SaaS/FaaS solutions such as openai.com's API). But how to achieve good results with local LLMs ? Can we beat openai?\r\n\r\n\r\nTo address the CTI text summarisation and information extraction problem, we \r\n\r\n1. propose an open source CTI LLM benchmark dataset which can be used to compare different LLMs and prompts \r\n2. a fine-tuned custom CTI LLM model (\"neuroCTI\") and\r\n3. evaluate it (as well as other LLMs) against the benchmark dataset and\r\n4. 
finally, integrate serving the model via ollama and MISP integration.\r\n\r\nThe model is freely available for local deployments.", "recording_license": "", "do_not_record": false, "persons": [{"code": "CE8DBB", "name": "Aaron Kaplan", "avatar": "https://pretalx.com/media/avatars/CE8DBB_1LIHnzd.webp", "biography": "Aaron likes to be at the forefront of tech developments because he feels it's important to understand trends and tech on a deep level in order to anticipate changes and form and guide them into a positive direction which serves humanity. Less dystopia, more positive utopia, please.\r\nIn a past life, he was working at the national CERT of Austria, CERT.at. He was doing mesh networks, and medical AI.", "public_name": "Aaron Kaplan", "guid": "d68e6a94-e2c3-597b-a6e3-5d2081b8a77a", "url": "https://pretalx.com/hack-lu-2024/speaker/CE8DBB/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/JJVXKP/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/JJVXKP/", "attachments": [{"title": "slides", "url": "/media/hack-lu-2024/submissions/JJVXKP/resources/2024-hacklu-_4qIRZe0.pptx", "type": "related"}]}, {"guid": "4185479e-4e32-51ce-b475-ef6ae5ab166a", "code": "W9G3B8", "id": 55699, "logo": null, "date": "2024-10-22T10:15:00+02:00", "start": "10:15", "duration": "00:45", "room": "Europe - Main Room", "slug": "hack-lu-2024-55699-tales-of-the-future-past", "url": "https://pretalx.com/hack-lu-2024/talk/W9G3B8/", "title": "Tales of the Future Past", "subtitle": "", "track": "topic: hack.lu", "type": "Talk", "language": "en", "abstract": "In \u2018Tales of the Future Past\u2019, Sa\u00e2d Kadhi, the Director of CERT-EU, invites you to embark on a time-travelling odyssey.\r\n \r\nThe journey commences with a retrospective dive into the past, where attendees will glean insights from CERT-EU\u2019s unique vantage point on the threat landscape, hovering over noteworthy developments the Cybersecurity Service for the Union entities had been 
observing.\r\n \r\nAs the time machine propels us into the future, the presentation demystifies the complexities of Artificial Intelligence, shedding light on AI\u2019s burgeoning role in cyber threats. It offers foresight and thoughtful projections on potential AI-powered dangers, equipping the audience with the knowledge to anticipate and navigate future challenges.\r\n \r\nThe expedition culminates with a return to the present where Sa\u00e2d will share his ideas on how to fortify our defences against the cyber threats of today and tomorrow.\r\n \r\nDesigned for a diverse audience, \u2018Tales of the Future Past\u2019 promises to be an enlightening journey, offering a unique blend of historical wisdom, futuristic insights, and practical, present-day solutions.", "description": "In \u2018Tales of the Future Past\u2019, Sa\u00e2d Kadhi, the Director of CERT-EU, invites you to embark on a time-travelling odyssey.\r\n\r\nThe journey commences with a retrospective dive into the past, where attendees will glean insights from CERT-EU\u2019s unique vantage point on the threat landscape, hovering over noteworthy developments the Cybersecurity Service for the Union entities had been observing.\r\n\r\nAs the time machine propels us into the future, the presentation demystifies the complexities of Artificial Intelligence, shedding light on AI\u2019s burgeoning role in cyber threats. 
It offers foresight and thoughtful projections on potential AI-powered dangers, equipping the audience with the knowledge to anticipate and navigate future challenges.\r\n\r\nThe expedition culminates with a return to the present where Sa\u00e2d will share his ideas on how to fortify our defences against the cyber threats of today and tomorrow.\r\n\r\nDesigned for a diverse audience, \u2018Tales of the Future Past\u2019 promises to be an enlightening journey, offering a unique blend of historical wisdom, futuristic insights, and practical, present-day solutions.", "recording_license": "", "do_not_record": true, "persons": [{"code": "YYXKHZ", "name": "Sa\u00e2d Kadhi", "avatar": "https://pretalx.com/media/avatars/YYXKHZ_dprgryQ.webp", "biography": "An engineer by training, Sa\u00e2d has more than 25 years of cybersecurity experience. Thriving in action, Sa\u00e2d successfully dealt with several major incidents and large-scale cyber crises during his long-standing career.\r\n\r\nLeading CERT-EU since 2019, he reshaped the Cybersecurity Service for the European Union institutions, bodies, offices and agencies into a highly regarded and equally trusted inter-institutional provider of cybersecurity services to all the European Union entities.\r\n \r\nBefore that, Sa\u00e2d built and managed the CSIRT of a French multinational food products corporation covering more than 120.000 employees worldwide and worked at the CERT of one of the major banking groups to fight against cybercrime and respond to cyberattacks. 
He also created CERT-BDF, the CSIRT of Banque de France, making it one of the most advanced central bank CSIRTs.\r\n \r\nSa\u00e2d is regularly invited to share his insights and present in various forums and events.", "public_name": "Sa\u00e2d Kadhi", "guid": "0e08a986-7ac4-5450-978e-1869e31ba0b4", "url": "https://pretalx.com/hack-lu-2024/speaker/YYXKHZ/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/W9G3B8/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/W9G3B8/", "attachments": []}, {"guid": "68e52a6c-08be-5225-9db5-cae62111bdde", "code": "KGFZHF", "id": 57126, "logo": null, "date": "2024-10-22T11:00:00+02:00", "start": "11:00", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-57126-integrating-new-tools-in-your-workflows-within-minutes-in-misp", "url": "https://pretalx.com/hack-lu-2024/talk/KGFZHF/", "title": "Integrating New Tools in Your Workflows Within Minutes in MISP", "subtitle": "", "track": "topic: CTI", "type": "Talk", "language": "en", "abstract": "This session will walk you through how easy and powerful it can be to integrate new tools into your existing cybersecurity workflows in MISP. You'll learn the practical steps of plugging in external tools using misp-modules and misp-workflows, see a live demo of the process, discuss common integration challenges, and understand how automation with MISP can significantly reduce time to respond to threats and improve efficiency.", "description": "This session will walk you through how easy and powerful it can be to integrate new tools into your existing cybersecurity workflows in MISP. 
You'll learn the practical steps of plugging in external tools using misp-modules and misp-workflows, see a live demo of the process, discuss common integration challenges, and understand how automation with MISP can significantly reduce time to respond to threats and improve efficiency.", "recording_license": "", "do_not_record": false, "persons": [{"code": "97JCN3", "name": "Sami Mokaddem", "avatar": "https://pretalx.com/media/avatars/97JCN3_QhVvyTt.webp", "biography": "Sami Mokaddem is a software developer who has been contributing to the open-source community since 2016 in the fields of information sharing and leak detection. He is working for CIRCL and is part of the MISP core team where he develops and maintains the software as well as its related tools.", "public_name": "Sami Mokaddem", "guid": "e8a5efd6-252b-5c4f-8c87-e7d6da882ab1", "url": "https://pretalx.com/hack-lu-2024/speaker/97JCN3/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/KGFZHF/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/KGFZHF/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2024/submissions/KGFZHF/resources/Integrating_New_Tools_in_Your_Workflows_Within_FehuEX0.pdf", "type": "related"}]}, {"guid": "79abbd48-e0c7-5db6-80fa-b3d808204a44", "code": "MMNTPT", "id": 53784, "logo": null, "date": "2024-10-22T11:30:00+02:00", "start": "11:30", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-53784-lessons-learned-from-almost-8-years-of-sigma-development", "url": "https://pretalx.com/hack-lu-2024/talk/MMNTPT/", "title": "Lessons Learned from (almost) 8 Years of Sigma Development", "subtitle": "", "track": "topic: hack.lu", "type": "Talk", "language": "en", "abstract": "Maintaining an open source security project for almost 8 years gives lots of opportunity for collecting experiences...good and bad ones. 
Time for sharing the experience from maintaining [Sigma](https://sigmahq.io/)!", "description": "Development of Sigma started in the end of 2016 as proof-of-concept of an idea to create a language for detections and developed into an open standard widely used by lots of organizations. In between it took a journey from PoC-grade code that people started to use in production, a complete rewrite of the toolchain and growing from a project maintained by few individuals to multiple projects maintained by a community.\r\n\r\nIn this talk I will share the experience from my perspective as a core maintainer of the [Sigma project](https://sigmahq.io/). Some of the topics are:\r\n\r\n* Organizing and structuring a growing open source security project.\r\n* Ensuring quality.\r\n* Keeping to maintain existing code *vs* full rewrite.\r\n* Contributions, trust and handing over control.\r\n* Staying motivated and handling stress and exhaustion.", "recording_license": "", "do_not_record": false, "persons": [{"code": "TD3QYA", "name": "Thomas Patzke", "avatar": "https://pretalx.com/media/avatars/TD3QYA_d7RyBv6.webp", "biography": "Thomas has 18 years experience in information security and has done lots of stuff in this area, from offensive to defensive security topics. Now he is doing incident response, threat hunting and threat intelligence at the Evonik Cyber Defense Team. 
Furthermore, he is co-founder of the Sigma project and maintains the open source toolchain (pySigma/Sigma CLI).", "public_name": "Thomas Patzke", "guid": "b1b9c18e-616b-525e-b72c-dca645a5188d", "url": "https://pretalx.com/hack-lu-2024/speaker/TD3QYA/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/MMNTPT/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/MMNTPT/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2024/submissions/MMNTPT/resources/Lessons_Learn_NzXKIVE.pdf", "type": "related"}]}, {"guid": "ef7395b4-57de-5d57-90d7-922f0797db0a", "code": "PELM7F", "id": 57056, "logo": null, "date": "2024-10-22T13:30:00+02:00", "start": "13:30", "duration": "00:05", "room": "Europe - Main Room", "slug": "hack-lu-2024-57056-catching-phish-using-publicly-accessible-information", "url": "https://pretalx.com/hack-lu-2024/talk/PELM7F/", "title": "Catching Phish Using Publicly Accessible Information", "subtitle": "", "track": "hack.lu lightning talk", "type": "Lightning talk", "language": "en", "abstract": "Phishing attacks continue to be among the most effective and pervasive cyber threats. This session will provide actionable insights into how publicly available data can help bolster defences against phishing schemes.", "description": "The talk will explore how open-source intelligence (OSINT) can be used to identify phishing infrastructure. Whether you're a cybersecurity professional or just looking to protect yourself better, this session offers practical strategies for leveraging public data to catch phishing threats.", "recording_license": "", "do_not_record": false, "persons": [{"code": "YVSSCG", "name": "Aurimas Rudinskis", "avatar": "https://pretalx.com/media/avatars/YVSSCG_hjzPwgH.webp", "biography": "Aurimas Rudinskis is an Engineering Manager who leads the Vinted Cyber Defence team. He focuses on Threat Intelligence, security operations, and detection engineering that can automate and scale detection capabilities. 
Aurimas specializes in advanced threat-hunting techniques and human-driven cyber operations.\r\n\r\nHe firmly believes that cyber security is a community, and we can only succeed by helping and learning from one another.", "public_name": "Aurimas Rudinskis", "guid": "36be4db3-2a0f-5c97-8a4e-c668075c3f48", "url": "https://pretalx.com/hack-lu-2024/speaker/YVSSCG/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/PELM7F/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/PELM7F/", "attachments": [{"title": "Slidedeck", "url": "/media/hack-lu-2024/submissions/PELM7F/resources/Catching_Phish_Using_Publicly_Accessible_Infor_CslHJ19.pdf", "type": "related"}]}, {"guid": "9246ab91-04ef-5334-a65a-9018993aed53", "code": "7TBNCY", "id": 57109, "logo": "https://pretalx.com/media/hack-lu-2024/submissions/7TBNCY/logo_4UeGWEO.jpg", "date": "2024-10-22T13:35:00+02:00", "start": "13:35", "duration": "00:05", "room": "Europe - Main Room", "slug": "hack-lu-2024-57109-cyrus-the-story-of-no-cloud", "url": "https://pretalx.com/hack-lu-2024/talk/7TBNCY/", "title": "Cyrus - The story of no cloud", "subtitle": "", "track": "hack.lu lightning talk", "type": "Lightning talk", "language": "en", "abstract": "It\u2019s the story of a research project that is now becoming something more.\r\nIt has nothing to do with cloud computing but everything to do with helping penetration testers doing their job in specific contexts.", "description": "We are 2 researchers in cybersecurity from a belgian research center and we will present to you what Cyrus is. And because we only have 5 minutes let\u2019s explain it to you the quick and fun way.", "recording_license": "", "do_not_record": false, "persons": [{"code": "YCQWWL", "name": "Guillaume Ginis", "avatar": "https://pretalx.com/media/avatars/YCQWWL_o8eaeKP.webp", "biography": "I'm an engineer in electronics. \r\nI worked for multiple years in the railway domain, mainly ensuring safety. 
\r\nI then changed to the defense domain where I switched from safety to cybersecurity and as I wanted to develop my skills and go further on that topic, I finally joined a research center in Belgium as senior researcher.\r\nI'm now working on multiple project with a focus on red teaming and how to make it easier.", "public_name": "Guillaume Ginis", "guid": "8b7a48fa-d7fb-51af-a15a-14e6f9143d5b", "url": "https://pretalx.com/hack-lu-2024/speaker/YCQWWL/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/7TBNCY/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/7TBNCY/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2024/submissions/7TBNCY/resources/Hack.lu_lightning_talk_4Fz9hII.pdf", "type": "related"}]}, {"guid": "49f7dceb-2015-5b31-a988-5d9b85677ec9", "code": "KW9S7Z", "id": 57266, "logo": null, "date": "2024-10-22T13:40:00+02:00", "start": "13:40", "duration": "00:05", "room": "Europe - Main Room", "slug": "hack-lu-2024-57266-latest-updates-on-kunai", "url": "https://pretalx.com/hack-lu-2024/talk/KW9S7Z/", "title": "Latest Updates on Kunai", "subtitle": "", "track": "hack.lu lightning talk", "type": "Lightning talk", "language": "en", "abstract": "Kunai is a security monitoring tool for Linux. In this talk, I'll cover the most important updates since last year\u2019s presentation at hack.lu, including the detection and filtering rule engine, IoC-based detections, file scanning with YARA rules, log storage with rotation, and more.", "description": "Kunai is a security monitoring tool for Linux. 
In this talk, I'll cover the most important updates since last year\u2019s presentation at hack.lu, including the detection and filtering rule engine, IoC-based detections, file scanning with YARA rules, log storage with rotation, and more.", "recording_license": "", "do_not_record": false, "persons": [{"code": "3JVRZM", "name": "Quentin JEROME", "avatar": "https://pretalx.com/media/avatars/3JVRZM_2Q2w1d8.webp", "biography": "Writing Open-Source software at CIRCL", "public_name": "Quentin JEROME", "guid": "775f7c83-b07b-598c-8857-80bb24aebcb1", "url": "https://pretalx.com/hack-lu-2024/speaker/3JVRZM/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/KW9S7Z/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/KW9S7Z/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2024/submissions/KW9S7Z/resources/slides_juryNcS.pdf", "type": "related"}]}, {"guid": "90479754-012f-541e-8bb9-588465b4a13a", "code": "SLW7CQ", "id": 57320, "logo": null, "date": "2024-10-22T13:45:00+02:00", "start": "13:45", "duration": "00:05", "room": "Europe - Main Room", "slug": "hack-lu-2024-57320-hacking-ev-charging-points-for-fun-and-fixing-the-firmware", "url": "https://pretalx.com/hack-lu-2024/talk/SLW7CQ/", "title": "Hacking EV Charging Points, for fun... and fixing the firmware", "subtitle": "", "track": "hack.lu lightning talk", "type": "Lightning talk", "language": "en", "abstract": "This lightning talk will develop the context and reasons that led to the discovery and disclosure of vulnerabilities in an Electric Vehicle Smart Charging Point (CVE-2024-5313 and CVE-2024-8070).\r\nWe will discover a specific product, how it works, how it is supposed to be provisioned and some mistakes that were made that enabled the speaker to elevate his privileges.", "description": "Sunday, October 29th 2023, like every Winter, Europe switched to daylight saving time... 
but my EV Smart Charing Point did not.\r\nIn this lightning talk, I will explain how I moved from the willingness have a correct a timezone on my charging point, to a full compromise of the appliance.\r\nI'll develop the whole process that brought me from a regular user with no access, to root of the charging point, including full disclosure to the company that (partially) developed the product.", "recording_license": "", "do_not_record": true, "persons": [{"code": "7A7UXT", "name": "Simon Petitjean", "avatar": "https://pretalx.com/media/avatars/7A7UXT_6PUeMWh.webp", "biography": "Cybersecurity Director at PwC Luxembourg\r\nOffensive Security & Red Team Leader\r\nTrainer | Speaker | Sworn Judicial Expert", "public_name": "Simon Petitjean", "guid": "9aec8422-cecb-52e6-9130-b763a1c5b2e9", "url": "https://pretalx.com/hack-lu-2024/speaker/7A7UXT/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/SLW7CQ/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/SLW7CQ/", "attachments": []}, {"guid": "1ba100fe-7fff-595b-8d52-f2e4370510cf", "code": "STA7SL", "id": 57169, "logo": "https://pretalx.com/media/hack-lu-2024/submissions/STA7SL/skillaegis-logo_9mTZIHD.png", "date": "2024-10-22T13:50:00+02:00", "start": "13:50", "duration": "00:05", "room": "Europe - Main Room", "slug": "hack-lu-2024-57169-running-exercises-with-skillaegis", "url": "https://pretalx.com/hack-lu-2024/talk/STA7SL/", "title": "Running Exercises with SkillAegis", "subtitle": "", "track": "hack.lu lightning talk", "type": "Lightning talk", "language": "en", "abstract": "SkillAegis is a platform to design, run, and monitor exercise scenarios, enhancing skills in applications like MISP and training users in best practices for information management and protective tools. 
This short session will show you the tool and what it can do.", "description": "SkillAegis is a platform to design, run, and monitor exercise scenarios, enhancing skills in applications like MISP and training users in best practices for information management and protective tools. This short session will show you the tool and what it can do.", "recording_license": "", "do_not_record": false, "persons": [{"code": "97JCN3", "name": "Sami Mokaddem", "avatar": "https://pretalx.com/media/avatars/97JCN3_QhVvyTt.webp", "biography": "Sami Mokaddem is a software developer who has been contributing to the open-source community since 2016 in the fields of information sharing and leak detection. He is working for CIRCL and is part of the MISP core team where he develops and maintains the software as well as its related tools.", "public_name": "Sami Mokaddem", "guid": "e8a5efd6-252b-5c4f-8c87-e7d6da882ab1", "url": "https://pretalx.com/hack-lu-2024/speaker/97JCN3/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/STA7SL/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/STA7SL/", "attachments": []}, {"guid": "e41331e9-37d5-57d7-9a46-93682c7032e3", "code": "EMPW3K", "id": 57143, "logo": "https://pretalx.com/media/hack-lu-2024/submissions/EMPW3K/ronaqci_logo_ivcsU9O.png", "date": "2024-10-22T13:55:00+02:00", "start": "13:55", "duration": "00:05", "room": "Europe - Main Room", "slug": "hack-lu-2024-57143-qkd-is-it-worth-it", "url": "https://pretalx.com/hack-lu-2024/talk/EMPW3K/", "title": "QKD - is it worth it?", "subtitle": "", "track": "hack.lu lightning talk", "type": "Lightning talk", "language": "en", "abstract": "QKD networks are a tabu subject between different states of the world. Is QKD technology safe? Is it worth the money? How hard is to integrate classical communication networks with QKD?", "description": "QKD networks have a special interest specifically in Europe since the EuroQCI initiative was signed. 
Currently across Europe there are more than 20 national QKD projects under development, where in the US NIST is looking at the quantum resistant algorithms. Which is the way to go?", "recording_license": "", "do_not_record": true, "persons": [{"code": "7BXDXN", "name": "Mihai Carabas", "avatar": null, "biography": "Mihai Carabas is a profesor at University POLITEHNICA  Bucharest in the area of systems, networking, grid and cloud computing. He is leading the national QKD project RoNaQCI part or EuroQCI which is architecting and building the national QKD network together with advanced use-cases and trainings.", "public_name": "Mihai Carabas", "guid": "186d9c7e-577a-5803-8ff4-27e991ad3d29", "url": "https://pretalx.com/hack-lu-2024/speaker/7BXDXN/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/EMPW3K/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/EMPW3K/", "attachments": [{"title": "QKD - is it worth it? (slides)", "url": "/media/hack-lu-2024/submissions/EMPW3K/resources/QKD-is-it-worth-Hack-Lu-2024_AMQU8wN.pdf", "type": "related"}]}, {"guid": "44d53825-2092-5e07-aeca-a2ca4842e666", "code": "VKE3K8", "id": 54378, "logo": null, "date": "2024-10-22T14:00:00+02:00", "start": "14:00", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-54378-nothing-to-see-here-on-the-awareness-of-and-preparedness-and-defenses-against-cloaking-malicious-web-content-delivery", "url": "https://pretalx.com/hack-lu-2024/talk/VKE3K8/", "title": "Nothing to see here! On the awareness of and preparedness and defenses against cloaking malicious web content delivery", "subtitle": "", "track": "topic: CTI", "type": "Talk", "language": "en", "abstract": "Website cloaking is a technique that enables websites to deliver different content to\r\ndifferent clients, with the goal of hiding particular content from certain clients. Website cloaking is based on client detection, which is achieved via browser fingerprinting. 
In an\r\nattempt to hide their malicious web pages from detection, cyber criminals (can) use cloaking.\r\nThey use vulnerability detection to only target clients that seem vulnerable. On top\r\nof that, they (can) also provide benign content in case they suspect someone or something is\r\ntrying to detect them.\r\n\r\nIn this work, we investigated to what extent security web crawlers can be detected\r\nby browser fingerprinting techniques, and provided some suggestions for how to improve them\r\nto be able to bypass those techniques. We surveyed security analysts and analyzed a set of\r\nthreat intelligence sharing communities, to gauge awareness of cloaking as an available\r\ndetection evasion method for cybercriminals. Finally, we investigated one final technique,\r\nthe use of Cache-Control: no-store, which an attacker can use to thwart\r\nforensic analysis.", "description": "In this talk I present part of my master thesis research in this space, explaining how browser fingerprinting works, and why I think it deserves some more attention from the cyber community and CTI community in particular.", "recording_license": "", "do_not_record": false, "persons": [{"code": "EZTTJY", "name": "Jeroen Pinoy", "avatar": null, "biography": "I am a computer scientist with a background in software testing (automation), incident handling and threat intelligence sharing.", "public_name": "Jeroen Pinoy", "guid": "56ab13f8-d200-5c7d-a869-e2f51d767e97", "url": "https://pretalx.com/hack-lu-2024/speaker/EZTTJY/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/VKE3K8/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/VKE3K8/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2024/submissions/VKE3K8/resources/Nothing_to_se_tl7ZW0Y.pdf", "type": "related"}]}, {"guid": "85eb0e8d-691e-5ee8-a512-51c94e7f6583", "code": "AEV77X", "id": 52738, "logo": "https://pretalx.com/media/hack-lu-2024/submissions/AEV77X/breachforums_SpFcROt.png", "date": 
"2024-10-22T14:30:00+02:00", "start": "14:30", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-52738-automating-dark-web-cti-reports-with-rag-insight-for-misp-sharing", "url": "https://pretalx.com/hack-lu-2024/talk/AEV77X/", "title": "Automating Dark Web CTI Reports \u200b with RAG Insight for MISP Sharing", "subtitle": "", "track": "topic: CTI", "type": "Talk", "language": "en", "abstract": "In the current digital landscape, organizations often do not become aware immediately when their data is compromised and sold online. Our objective is to minimize the duration between the exposure of data on the internet and its detection by the public. The dark web serves as a primary marketplace for the trade of personal information, accessible safely only through the use of the Tor browser. This paper focuses on monitoring significant trading forums on the dark web and demonstrates the method of web scraping specifically designed for dark web sites. Utilizing data harvested from these sites, we have trained a BERT classification model to categorize transaction posts into five distinct types of data leaks, enabling rapid identification of the leak type associated with each post.\r\n\r\nFurther, we employ the Retrieval-Augmented Generation (RAG) technique to vectorize dark web data, maintaining privacy while leveraging mainstream large language models to address concerns pertinent to cybersecurity analysts. This approach allows researchers to analyze dark web data effectively. Ultimately, the data collected from the dark web is formatted into STIX (Structured Threat Information Expression) and integrated into the MISP (Malware Information Sharing Platform) system to automate the generation of Cyber Threat Intelligence (CTI) reports. 
This methodology not only enhances the timeliness and accuracy of threat detection but also contributes to more efficient and proactive cybersecurity management.", "description": "This talk will cover the following topics:\r\nIntroduce dark web forums\r\nDark web crawler\r\nBERT classification\r\nretrieval augmented generation introduction and application\r\nDark web CTI case study\r\nSTIX format CTI\r\nMISP for sharing CTI", "recording_license": "", "do_not_record": false, "persons": [{"code": "XTTKN8", "name": "Shing-Li Hung", "avatar": "https://pretalx.com/media/avatars/XTTKN8_yQHbNEq.webp", "biography": "Shing-Li (Yuki) Hung is currently a cybersecurity researcher at CyCraft and graduated from National Tsing Hua University, Taiwan. His research primarily focuses on the analysis of dark web intelligence, applying deep learning models within the cybersecurity field. He has also conducted visiting research at the National Institute of Information and Communications Technology (NICT) in Japan. Yuki's research findings have been presented at prestigious platforms such as HITCON and PyCon TW. 
Additionally, he is a co-author for the cybersecurity resource website [https://sectools.tw](https://sectools.tw).", "public_name": "Shing-Li Hung", "guid": "d5d3a7d5-73ed-586d-a58e-6632ef181e43", "url": "https://pretalx.com/hack-lu-2024/speaker/XTTKN8/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/AEV77X/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/AEV77X/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2024/submissions/AEV77X/resources/slides_Y3NsF5v.zip", "type": "related"}]}, {"guid": "c004ff18-f180-53bc-9324-4a09145e8819", "code": "QFMBPR", "id": 52096, "logo": "https://pretalx.com/media/hack-lu-2024/submissions/QFMBPR/santi_y44i60C.jpg", "date": "2024-10-22T15:00:00+02:00", "start": "15:00", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-52096-dredge-an-open-source-framework-for-cloud-incident-response", "url": "https://pretalx.com/hack-lu-2024/talk/QFMBPR/", "title": "Dredge: An Open Source Framework for Cloud Incident Response", "subtitle": "", "track": "topic: CTI", "type": "Talk", "language": "en", "abstract": "Cloud incident response can be daunting, requiring a plethora of tools and skills, while most Cloud Based Startups can\u2019t allocate budget for preventive controls, there is less space for them to understand what to do if they are hacked. That\u2019s why we created Dredge, an Open Source framework designed to streamline cloud incident investigations, allowing engineers to execute non-trivial cloud incident response tasks easily.", "description": "Working in the SolidarityLabs CSIRT, we help small organizations in Latin America to overcome cybersecurity incidents. 
Doing so, we found that Cloud incident response can be daunting, requiring a plethora of (expensive) tools and skills, while most Cloud Based companies can\u2019t allocate budget for preventive controls, there is less space for them to understand what to do if they are hacked, especially given how hard it is to find (and retain) a security engineer with cloud based skills and an incident response mindset.\r\n\r\nThat\u2019s why we created Dredge, an Open Source framework designed to streamline cloud incident investigations, by allowing Cloud Engineers and Incident Responders to execute non-trivial response tasks effortlessly, irrespective of your familiarity with specific cloud platforms or incident response tactics.\r\n\r\nThe main idea is to empower Engineers to respond to attacks no matter what preparation they had before, taking advantage of most of the out-of-the-box security features cloud providers offer but that not everybody is aware of, like being able to retrieve a forensic image from a running server or getting logs that they didn\u2019t know they had.\r\n\r\nSome Key Features that differentiate Dredge from existing tooling:\r\n- Python-based CLI\r\n- Retrieve logs seamlessly from Github, Kubernetes, AWS, GCP or Azure.\r\n- Take action: whether it's blocking an IP in an AWS account, disabling an AccessKey, isolating an EC2 instance, or strategically extracting crucial post-compromise user data.\r\n- Identify tactical misconfigurations that can be exploited by an attacker.\r\n- Execute Threat Hunting Techniques\r\n- Create an attack timeline based on IOCs.\r\n- Analyze retrieved data effortlessly within your terminal, utilizing built-in capabilities from VirusTotal and Shodan.\r\n- Cloud Incident Response Guidelines for companies to embrace and build their playbooks.\r\n\r\nRepo: https://github.com/solidarity-labs/dredge-mvp", "recording_license": "", "do_not_record": false, "persons": [{"code": "WJWN3S", "name": "Santi Abastante", "avatar": 
"https://pretalx.com/media/avatars/WJWN3S_6vTFBNt.webp", "biography": "Ex-Police Officer and Cloud Incident Responder with 10+ years of IT experience. During the course of my career, I\u2019ve worn many different hats, being able to intervene in incidents of multiple magnitudes in both the private and public sector, from bank robberies to cybersecurity breaches to confidential information leaks.", "public_name": "Santi Abastante", "guid": "fc3538ca-826f-541c-89db-c6dd78b0e04b", "url": "https://pretalx.com/hack-lu-2024/speaker/WJWN3S/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/QFMBPR/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/QFMBPR/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2024/submissions/QFMBPR/resources/SolidarityLab_HafWGwZ.pdf", "type": "related"}]}, {"guid": "38b3aa71-16df-5331-8389-cf40e7cfbb1b", "code": "ZTXHFU", "id": 54437, "logo": null, "date": "2024-10-22T15:30:00+02:00", "start": "15:30", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-54437-you-just-got-a-cti-program-funded-now-what", "url": "https://pretalx.com/hack-lu-2024/talk/ZTXHFU/", "title": "You just got a CTI program funded - now what?", "subtitle": "", "track": "topic: CTI", "type": "Talk", "language": "en", "abstract": "An MSSP SOC presents how after a complete change of team and processes - a CTI program was restarted from (nearly) scratch, thanks to an EU-supported project. The SOC Technical Product Manager/CTI project manager will share how plans don't always come to fruition, issues faced with starting a CTI process. By sharing lessons learnt and plans for improvement - we propose some basic but wholistic steps to start a CTI program.", "description": "After COVID, and with an almost completely new SOC team \u2013 some processes got left behind, some tools forgotten. What happens when your SOC completely falls outside of the CTI process? 
Where should you start when your CTI process doesn\u2019t even exist? While CTI is understood to be expensive even for internal SOCs - as an MSSP SOC - we need to fund something that we cannot sell to customers. NRD CS was awarded a grant to build out their cyber threat intelligence maturity, but how does that actually work?\r\n\r\nAfter a few months with a fancy new title, but still performing your old duties - you're finally handing off all your clients to your replacement, and are getting ready to jump into your new role. And then, here comes your CEO and SOC manager with news that they've just secured a public grant for a CTI program, and they want you to lead it. Part-time.\r\n\r\nThis talk explores managing every aspect of starting a CTI program from (nearly) scratch, where a completely new SOC team takes over old processes and tools. Where do you start when your CTI program doesn't even exist? \r\n\r\nOur CTI development has already gone from being a CTI consumer with no practical application for the CTI, to a CTI consumer AND producer with standardized production, in addition to being a sharing community administrator. We will also present plans on increasing automation, quality of output, and more.\r\n\r\nWe'll present various challenges faced in kick-starting a CTI program, from what to do when your MISP is full of false-positives, how to motivate analysts to contribute to the program, how to build a 'team' when you don't have dedicated staff. 
We also explore technical issues faced, from connecting separate SIEMs into a central location, impact of infrastructure changes to development work, just how hard hiring dedicated CTI specialists can be, JIRA automation pricing changes completely ruining our initial plans, and more.\r\n\r\nIn the end, we propose a basic plan comprised of a few simple steps and procedures that nearly anyone can implement to get a basic CTI program going.", "recording_license": "", "do_not_record": false, "persons": [{"code": "CKJ9FP", "name": "Lukas Vytautas Dagilis", "avatar": "https://pretalx.com/media/avatars/CKJ9FP_AC5jhJr.webp", "biography": "Lukas V. Dagilis is a professionally trained artist, turned Cyber Security expert. At NRD Cyber Security, he works as a Technical Product Manager at the CyberSOC department - the largest MSSP in Lithuania. His job functions include continuous process improvement, data engineering and analysis, JIRA owner, EU-funded CTI project manager, CTI program lead, and more.", "public_name": "Lukas Vytautas Dagilis", "guid": "5770bc58-0804-5c1e-a273-732ebd3af815", "url": "https://pretalx.com/hack-lu-2024/speaker/CKJ9FP/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/ZTXHFU/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/ZTXHFU/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2024/submissions/ZTXHFU/resources/You_Just_Got_a_CTI_program_Funded_-_Now_What_-_qn1KY9r.pdf", "type": "related"}]}, {"guid": "11f043e5-d06a-555b-a5d8-2daa95943294", "code": "XAYHMK", "id": 54199, "logo": "https://pretalx.com/media/hack-lu-2024/submissions/XAYHMK/2024-05-06_22-26_vCAV2A0.png", "date": "2024-10-22T16:15:00+02:00", "start": "16:15", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-54199-malware-and-hunting-for-persistence-how-adversaries-exploit-your-windows", "url": "https://pretalx.com/hack-lu-2024/talk/XAYHMK/", "title": "Malware and Hunting for Persistence: How Adversaries Exploit 
Your Windows?", "subtitle": "", "track": "topic: CTI", "type": "Talk", "language": "en", "abstract": "This presentation explores my discovery of unconventional malware persistence techniques through registry modifications and DLL hijacking vulnerabilities. We'll delve into cases involving Windows Internet Explorer, Win32API cryptographic features, Windows Troubleshooting, Microsoft Teams (patched), and Process Hacker 2 (patched in v3). The research highlights the exploitation of legitimate Windows resources for persistence and compares these methods with traditional techniques employed by APT groups and ransomware authors.", "description": "This presentation explores my discovery of unconventional malware persistence techniques through registry modifications and DLL hijacking vulnerabilities. We'll delve into cases involving Windows Internet Explorer, Win32API cryptographic features, Windows Troubleshooting, Microsoft Teams (patched), and Process Hacker 2 (patched in v3). The research highlights the exploitation of legitimate Windows resources for persistence and compares these methods with traditional techniques employed by APT groups and ransomware authors.\r\nDetailed Proposal:\r\n\r\nWhat is Malware Persistence?\r\nAn introduction to malware persistence, explaining how it allows malicious software to maintain a foothold on a compromised system.\r\n\r\nUser Privileged Techniques:\r\nExploring persistence methods that require only user-level privileges, such as registry modifications and leveraging user-specific settings.\r\n\r\nAdmin Privileged Techniques:\r\nInvestigating persistence techniques that need administrative privileges, including advanced registry modifications and system-level changes.\r\n\r\nWinAPI Cryptography Features for Persistence:\r\nAnalyzing how Windows cryptographic APIs can be misused for maintaining persistence.\r\n\r\nVulnerability in Process Hacker 2:\r\nA case study on exploiting a vulnerability in Process Hacker 2 for persistence, 
and the subsequent fix in Process Hacker 3.\r\n\r\nUsing Legitimate URLs for Bypassing and Persistence:\r\nExamining the use of legitimate URLs and online services to bypass detection and maintain persistence.\r\n\r\nHunting for Persistence: From Zero to Hero:\r\nA practical guide on hunting for and identifying new persistence techniques, with step-by-step methodologies and real-world examples.\r\n\r\nComparison with Classical Techniques:\r\nComparing these new methods with classical persistence techniques used by APT groups and ransomware authors, highlighting their effectiveness and stealthiness.\r\n\r\nExplore the integration of machine learning models to predict and identify new persistence techniques. Investigate the potential for automated malware persistence using AI to adapt to and evade AV/EDR solutions dynamically.", "recording_license": "", "do_not_record": false, "persons": [{"code": "EFXL9W", "name": "cocomelonc", "avatar": "https://pretalx.com/media/avatars/EFXL9W_lXdpDO4.webp", "biography": "Cybersecurity enthusiast, author, speaker and mathematician. 
Author of popular books:\r\nMD MZ Malware Development book (2022)\r\nMALWILD: Malware in the Wild book (2023)\r\nAuthor and tech reviewer at Packt\r\nAuthor of Malware Development for Ethical Hackers book by Packt (2024)\r\nCo-founder of MSSP Research LAB, author of many cybersecurity blogs, HVCK magazine\r\nMalpedia contributor\r\nSpeaker at BlackHat, DEFCON, Security BSides, Arab Security Conference, Hack.lu, Standoff and other conferences", "public_name": "cocomelonc", "guid": "f30e2acf-1aad-5428-b435-083886fb9b86", "url": "https://pretalx.com/hack-lu-2024/speaker/EFXL9W/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/XAYHMK/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/XAYHMK/", "attachments": [{"title": "Malware and Hunting for Persistence", "url": "/media/hack-lu-2024/submissions/XAYHMK/resources/hackLU-2024-cocomelonc_6Xr8XXf.pptx", "type": "related"}]}, {"guid": "9ca7383a-9340-5b70-a67a-e9efae72eca6", "code": "ZCBUU9", "id": 52926, "logo": null, "date": "2024-10-22T16:45:00+02:00", "start": "16:45", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-52926-trying-gateway-bugs-breaking-industrial-protocol-translation-devices-before-the-research-begins", "url": "https://pretalx.com/hack-lu-2024/talk/ZCBUU9/", "title": "Trying Gateway Bugs: Breaking industrial protocol translation devices before the research begins", "subtitle": "", "track": "topic: hack.lu", "type": "Talk", "language": "en", "abstract": "Inside operational technology (OT) environments, industrial devices communicating over IP may use a wide range of field-specific, manufacturer-dependent or association-promoted industrial network protocols. To understand each other, they sometimes require an additional component, a gateway, to translate between protocols. These nearly invisible devices play a crucial role in the industrial process: if the translation stops, the communication stops and possibly operations as well. 
From an attacker's perspective, this means that targeting them may have significant consequences. With this in mind, I assessed the security of a gateway model I often encounter during penetration tests on OT and I discovered several vulnerabilities that have been reported to the manufacturer. Months later, I would like to discuss the many concerns raised by the vulnerabilities themselves and the disclosure process. This tells us a lot about the current situation, issues and threats faced by such gateways, how they are and can be addressed, and what it means for OT cybersecurity.", "description": "After introducing the very particular world of industrial network protocols and what they are used for, I will go through a vulnerability research process on a protocol gateway, from discovery to disclosure. The first three vulnerabilities discovered on the tested device will be explained and discussed considering common industrial operations, the manufacturer's response, customers' remediation and global OT cybersecurity research.", "recording_license": "", "do_not_record": false, "persons": [{"code": "PNPXCL", "name": "Claire Vacherot", "avatar": "https://pretalx.com/media/avatars/PNPXCL_L1IvZng.webp", "biography": "Claire Vacherot is a pentester and researcher at Orange Cyberdefense France. She likes to test systems and devices that interact with the real world and her activity consists in switching between penetration testing industrial systems and playing with industrial network protocols. Sometimes, she also speaks about all of this at conferences such as GreHack, Defcon or Pass the Salt. 
As a former software developer, she never misses a chance to write scripts and tools.", "public_name": "Claire Vacherot", "guid": "854755ce-4c13-5d30-8af6-7193bb2479fc", "url": "https://pretalx.com/hack-lu-2024/speaker/PNPXCL/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/ZCBUU9/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/ZCBUU9/", "attachments": [{"title": "Claire Vacherot - Trying Gateway Bugs - Presentation", "url": "/media/hack-lu-2024/submissions/ZCBUU9/resources/Claire_Vacherot_-_Trying_Gateway_Bugs_TMqqq1N.pdf", "type": "related"}]}, {"guid": "f8b73aa5-5cf2-51fd-a9e5-815d900756c1", "code": "UWJCEE", "id": 53358, "logo": null, "date": "2024-10-22T17:15:00+02:00", "start": "17:15", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-53358-in-depth-study-of-linux-rootkits-evolution-detection-and-defense", "url": "https://pretalx.com/hack-lu-2024/talk/UWJCEE/", "title": "In-Depth Study of Linux Rootkits: Evolution, Detection, and Defense", "subtitle": "", "track": "topic: hack.lu", "type": "Talk", "language": "en", "abstract": "This talk, \"In-Depth Study of Linux Rootkits,\" will provide a comprehensive examination of the evolution of Linux rootkits, from their inception to the sophisticated variants seen today. Participants will gain insights into advanced rootkit techniques, effective detection strategies, and the future landscape for defenders. By exploring the historical context, current methodologies, and emerging threats, attendees will be equipped with the knowledge and tools necessary to safeguard Linux systems against rootkit attacks.", "description": "1. Introduction to Linux Rootkits\r\n\r\n- Overview of Linux rootkit capabilities\r\n\r\n2. A History of Linux Rootkits\r\n\r\n- Early rootkits: origins and initial capabilities\r\n- Evolution of rootkit techniques over time\r\n\r\n3. 
Advanced Rootkits: Techniques and Analysis\r\n\r\n- Kernel-level rootkits:\r\n    - Techniques for hooking and modifying kernel functions\r\n- User-mode rootkits:\r\n    - Methods for intercepting and manipulating user-space processes\r\n- Hybrid rootkits:\r\n    - Combining kernel and user-space techniques\r\n- Rootkit persistence mechanisms and stealth techniques\r\n\r\n4. Detection Strategies for Linux Rootkits\r\n\r\n- Signature-based detection:\r\n    - Tools and techniques for identifying known rootkits\r\n    - Limitations of signature-based methods\r\n- Behavioral analysis:\r\n    - Monitoring system behavior for anomalies\r\n    - Case studies of successful behavioral detection\r\n- Integrity checking:\r\n    - Verifying the integrity of system files and binaries\r\n    - Challenges in maintaining accurate baselines\r\n- Advanced detection tools and frameworks:\r\n    - Overview of popular rootkit detection tools\r\n    - Demonstration of practical detection techniques", "recording_license": "", "do_not_record": false, "persons": [{"code": "C7AHN8", "name": "Stephan Berger", "avatar": "https://pretalx.com/media/avatars/C7AHN8_XZLjJO1.webp", "biography": "Stephan Berger has over a decade of experience in cybersecurity. Currently working with the Swiss-based company InfoGuard, Stephan investigates breaches and hacked networks as Head of Investigation of the Incident Response team. An avid Twitter user under the handle @malmoeb, he actively shares insights on cybersecurity trends and developments. Stephan also authors the blog DFIR.ch, where he provides in-depth analysis and commentary on digital forensics and incident response. 
Stephan has spoken at numerous conferences, sharing his expertise with audiences worldwide.", "public_name": "Stephan Berger", "guid": "698cb298-5b68-5675-9e3e-3de45ac23fff", "url": "https://pretalx.com/hack-lu-2024/speaker/C7AHN8/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/UWJCEE/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/UWJCEE/", "attachments": []}, {"guid": "86c2970c-c461-5417-8d30-98d1d4450f5b", "code": "LGTEXR", "id": 51506, "logo": null, "date": "2024-10-22T17:45:00+02:00", "start": "17:45", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-51506-decoding-galah-an-llm-powered-web-honeypot", "url": "https://pretalx.com/hack-lu-2024/talk/LGTEXR/", "title": "Decoding Galah: an LLM powered web honeypot", "subtitle": "", "track": "topic: hack.lu", "type": "Talk", "language": "en", "abstract": "Honeypots are invaluable tools for monitoring internet-wide scans and understanding attackers' techniques. Traditional low-interaction web honeypots use manual methods to emulate various applications or vulnerabilities. Introducing Galah, an LLM-powered web honeypot that mimics diverse applications with a single prompt. This honeypot dynamically crafts relevant HTTP responses, including headers and body content, to various HTTP requests, effectively simulating multiple web applications. In this talk, I will share lessons learned from building and deploying Galah and address two key questions: How do different large language models perform in generating HTTP messages? Does delivering authentic-looking HTTP responses increase attackers\u2019 engagement with the honeypot?", "description": "In this talk, I will explore the limitations of traditional web honeypots and introduce Galah, an innovative LLM-powered solution designed to dynamically generate realistic HTTP responses. 
By evaluating the performance of different LLMs, we aim to determine their effectiveness in mimicking web applications and enhancing honeypot authenticity. I will share insights into the development process, including how to structure prompts, generate JSON outputs, and overcome common challenges. Additionally, I will present evaluation results, comparing various large language models to highlight their strengths and weaknesses. The talk will also feature interesting examples of LLM-generated HTTP responses. Finally, I will discuss practical insights and broader applications of LLMs beyond honeypots, offering valuable takeaways for attendees interested in leveraging LLMs for diverse use cases.", "recording_license": "", "do_not_record": false, "persons": [{"code": "W3APHA", "name": "Adel Karimi", "avatar": "https://pretalx.com/media/avatars/W3APHA_wzdVmOF.webp", "biography": "Adel Karimi is a senior security engineer with a keen interest in threat detection, honeypots, and network traffic fingerprinting. He recently joined a \u201cchatbot startup\u201d after a decade of working on detection and response at companies such as Google, Salesforce, and Niantic. 
Adel is passionate about developing open-source projects like Galah and Venator, and in his free time, he enjoys capturing stunning images of the night sky.", "public_name": "Adel Karimi", "guid": "d0c54c5b-a97b-5de7-9317-26efe3273114", "url": "https://pretalx.com/hack-lu-2024/speaker/W3APHA/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/LGTEXR/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/LGTEXR/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2024/submissions/LGTEXR/resources/decoding_gala_BuuKhyO.pdf", "type": "related"}]}], "Schengen 1 & 2": [{"guid": "3c4cc372-2f89-51a6-8bdb-62ba67ccf3f8", "code": "YJYZFT", "id": 51940, "logo": null, "date": "2024-10-22T14:00:00+02:00", "start": "14:00", "duration": "02:00", "room": "Schengen 1 & 2", "slug": "hack-lu-2024-51940-rop-on-arm64-a-hands-on-tutorial", "url": "https://pretalx.com/hack-lu-2024/talk/YJYZFT/", "title": "ROP on ARM64 - a hands-on tutorial", "subtitle": "", "track": "topic: hack.lu", "type": "Training", "language": "en", "abstract": "Return Oriented Programming (ROP) has been an essential part of exploit development for over a decade. The ROP landscape on ARM64 is bleak, thanks to severe restrictions laid down in the ARM64 ISA: instructions are fixed-width and 4-byte aligned, so there are no unintended gadgets from decoding mid-instruction, and RET branches to the link register (x30) rather than popping a return address off the stack, so a usable gadget must also reload x30 from memory. This workshop provides a hands-on tutorial for starting out with ARM64 ROP gadgets and practical ROP chains. 
No prior knowledge of ARM64 assembly is required.", "description": "### Part 1 - Introduction to essential ARM64 assembly\r\n- Introducing ARM64\r\n- Registers and their behaviour on ARM64\r\n- ARM64 vs ARM32 architecture and assembly language\r\n- A few ARM64 assembly instructions\r\n- Restrictions on operand usage\r\n\r\n### Part 2 - ROP Gadgets on ARM64\r\n- Commonly found ROP gadgets on ARM64\r\n- Where to look for ARM64 ROP gadgets\r\n- Practical Ret2System ROP chain on ARM64\r\n\r\n### Hands-On Workshop Requirements\r\n- Working Laptop running Docker\r\n- Linux or macOS preferred as the base OS.\r\n\r\nParticipants will be provided with an ARM64 emulator docker container for use during and after the workshop.", "recording_license": "", "do_not_record": false, "persons": [{"code": "EFQREF", "name": "Saumil Shah", "avatar": "https://pretalx.com/media/avatars/EFQREF_kGZtCvF.webp", "biography": "Saumil is an internationally recognised speaker and instructor, having regularly presented at conferences like Blackhat, RSA, CanSecWest, PacSec, EUSecWest, Hack.lu, Hack-in-the-Box, Deepsec and others. He has authored two books titled \"Web Hacking: Attacks and Defense\" and \"The Anti-Virus Book\".\r\n\r\nSaumil graduated with an M.S. in Computer Science from Purdue University, USA and a B.E. in Computer Engineering from Gujarat University. 
He spends his leisure time breaking software, flying kites, traveling around the world, and taking pictures.", "public_name": "Saumil Shah", "guid": "a8191e78-9c84-5fde-9e1f-fa174f0e509e", "url": "https://pretalx.com/hack-lu-2024/speaker/EFQREF/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/YJYZFT/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/YJYZFT/", "attachments": []}], "Echternach & Diekirch": [{"guid": "4b720838-0009-597e-9a7a-9ac3d74854b0", "code": "XEUUFC", "id": 55202, "logo": null, "date": "2024-10-22T10:15:00+02:00", "start": "10:15", "duration": "01:30", "room": "Echternach & Diekirch", "slug": "hack-lu-2024-55202-dissecting-the-threat-a-practical-approach-to-reverse-engineering-malicious-code-for-beginners", "url": "https://pretalx.com/hack-lu-2024/talk/XEUUFC/", "title": "Dissecting the Threat: A Practical Approach to Reverse Engineering Malicious Code for Beginners", "subtitle": "", "track": "topic: hack.lu", "type": "Workshop", "language": "en", "abstract": "In the evolving cyber threat landscape, reverse engineering is crucial for understanding and mitigating malicious attacks. This session covers the essentials of reverse engineering, including assembly language, binary code, and key tools like disassemblers and debuggers. Participants will explore practical techniques for analyzing malware, learning to identify and dissect various types through real-world examples. The session includes a hands-on demonstration using tools like x32dbg and Ghidra, focusing on unpacking, disassembly, and extracting Indicators of Compromise (IOCs). 
Additionally, best practices and strategies to overcome common challenges in reverse engineering will be discussed, equipping security professionals with the skills to effectively defend against cyber threats.", "description": "My session is focused on a deep analysis of malicious threats and what could be an imaginable practical approach to reverse engineer these threats (malware) in a controlled environment.\r\n\r\nHere is a small breakdown of my session:\r\nIntroduction:\r\nReverse engineering plays a critical role in understanding and mitigating these threats by providing insights into the inner workings of malicious code. In this session, we will delve into the fundamentals of reverse engineering and explore practical approaches to dissecting malicious code effectively.\r\n\r\nFundamentals of Reverse Engineering:\r\nReverse engineering is the process of analyzing software or hardware to understand its design, functionality, and operation. Before diving into the analysis of malicious code, it's essential to grasp the foundational concepts and terminology of reverse engineering. This includes understanding assembly language, binary code, and the role of tools such as disassemblers, debuggers, and decompilers. Participants will gain insights into how these tools are used to examine executable files and extract valuable information from them.\r\n\r\nUnderstanding Malicious Code:\r\nMalicious code comes in various forms, each with its own set of functionalities and objectives. From viruses and worms to Trojans and ransomware, the threat landscape is diverse and constantly evolving. Through real-world examples, participants will learn to identify different types of malware and understand their behaviors. 
By gaining insight into the tactics employed by threat actors, security professionals can better prepare for and defend against cyber attacks.\r\n\r\nPractical Approach to Reverse Engineering:\r\nA practical approach to reverse engineering involves a systematic and methodical analysis of malicious code. During this segment, participants will be guided through a step-by-step demonstration of how to dissect a sample of malicious code. This will include techniques such as unpacking, disassembly, and code analysis. By leveraging tools like Ghidra and a debugger such as x32dbg or OllyDbg, attendees will learn to navigate through the intricate layers of obfuscation employed by malware authors.\r\n\r\nTechniques for Extracting Indicators of Compromise (IOCs):\r\nIn addition to understanding the inner workings of malicious code, reverse engineering can also help extract valuable indicators of compromise (IOCs). These IOCs include file hashes, IP addresses, domain names, and patterns of behavior that can be used to detect and mitigate threats. Participants will learn techniques for identifying and extracting IOCs from malware samples, thereby enhancing their ability to detect and respond to cyber attacks.\r\n\r\nBest Practices and Pitfalls:\r\nWhile reverse engineering is a powerful tool for analyzing malicious code, it is not without its challenges. Participants will gain insights into common pitfalls encountered during the analysis process and learn best practices for overcoming them. This includes strategies for handling obfuscated code, managing complex malware samples, and ensuring the isolation and integrity of analysis environments (so that a live sample cannot escape the lab or reach the network). By adhering to these best practices, security professionals can maximize the effectiveness of their reverse engineering efforts.\r\n\r\nConclusion:\r\nIn conclusion, reverse engineering is a vital skill for security professionals seeking to understand and mitigate cyber threats. 
By mastering the practical approaches and techniques discussed in this session, participants will be better equipped to dissect malicious code, extract valuable insights, and defend against cyber attacks. As the threat landscape continues to evolve, the ability to reverse engineer malware effectively will remain a critical component of any cybersecurity strategy.", "recording_license": "", "do_not_record": true, "persons": [{"code": "FNVHS8", "name": "Ankshita Maunthrooa", "avatar": "https://pretalx.com/media/avatars/FNVHS8_BHR4h9o.webp", "biography": "Ankshita is currently working as a security engineer and has previously worked as a cybersecurity consultant in the paradise island of Mauritius, helping the biggest firms around the world implement strategic cybersecurity best practices and comply with the required standards. Before joining consultancy, she has worked in cybersecurity for approximately two years as a SOC analyst.\r\n\r\nAnkshita has presented her cyber blue teaming skills at Apres Trainings in Park City, Utah and at Developer and Google Devfest Mauritius. 
She recently also spoke about redefining DevSecOps at the Apres Cyber Trainings and at the Devcon24 Mauritius.\r\n\r\nComing from a diverse background in Information Technology, Ankshita is familiar with development and programming in Java, Python, Javascript and Solidity.\r\n\r\nDuring university years, Ankshita has also represented the Google Developers Student Clubs on her campus at the University of Mauritius and was Huawei Campus Ambassador.", "public_name": "Ankshita Maunthrooa", "guid": "e0ad8d3d-2b02-5c20-9640-3f09b5eab561", "url": "https://pretalx.com/hack-lu-2024/speaker/FNVHS8/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/XEUUFC/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/XEUUFC/", "attachments": [{"title": "Presentation Slides", "url": "/media/hack-lu-2024/submissions/XEUUFC/resources/Reverse_Engin_sYd9WWi.pdf", "type": "related"}]}, {"guid": "434d4874-7292-5b1f-9e8f-32340defdb2c", "code": "DSHQJ7", "id": 54285, "logo": null, "date": "2024-10-22T14:00:00+02:00", "start": "14:00", "duration": "02:00", "room": "Echternach & Diekirch", "slug": "hack-lu-2024-54285-lookyloo-pandora-and-all-the-bells-and-whistles-to-go-with-them", "url": "https://pretalx.com/hack-lu-2024/talk/DSHQJ7/", "title": "Lookyloo, Pandora, and all the bells and whistles to go with them.", "subtitle": "", "track": "topic: hack.lu", "type": "Training", "language": "en", "abstract": "The goal of the tool suite is to make it easier to handle suspicious contents reported by your users, friends or constituents. It empowers them to check URLs, emails, or files they receive and take educated decisions without relying on you all the time.\r\n\r\nThis workshop will go in depth on how you can configure Lookyloo and Pandora, and all the other tools that make it a complete tool suite usable in your organization with minimal manual work. 
We will also look at the correlation features to pivot across captures to find phishing campaigns in the 4+ million captures gathered across the years on the CIRCL Lookyloo instance.", "description": "[Lookyloo](https://github.com/Lookyloo/lookyloo) is an analysis tool to investigate URLs, [Pandora](https://github.com/pandora-analysis/pandora) is a static file analyzer. They both have public demo interfaces ([1](https://lookyloo.circl.lu/), [2](https://pandora.circl.lu/submit)) and I presented them at [last year's Pass the Salt](https://passthesalt.ubicast.tv/videos/2023-analyse-your-weird-urls-the-easy-way/) (and the demo effect is still [a thing](https://passthesalt.ubicast.tv/videos/2023-rump-lookyloo-the-missing-demo-from-the-morning/)).\r\n\r\nI invite you to watch the videos before attending the workshop so we're all on the same page: this workshop will be very dense as we will cover many tools, so we will start with a quick introduction but we will also assume you have a rough idea of what the tools are.\r\n\r\nThis workshop will be similar to the one we gave at [Pass the Salt 2024](https://cfp.pass-the-salt.org/pts2024/talk/9HQ9VQ/), but with new features and improvements.\r\n\r\nThe main tools we will use are the following:\r\n\r\n* Lookyloo (to analyze URLs)\r\n* Pandora (to analyze files)\r\n* Lacus (optionally, to capture the URLs when you have a lot of them)\r\n* A URL monitoring interface (to compare a specific URL over time)\r\n* Phishtank Lookup (to check if a URL is known or not)\r\n\r\nWe will also have a look at what a capture means for Lookyloo, and a deep dive into the settings you can pass when you're triggering one.\r\n\r\nDue to time constraints, we won't have much time to troubleshoot sysadmin issues on your own machines. Do not worry though, there are pre-configured instances of all the tools you'll be able to play with during the session, and use their APIs. 
If you want to install the tools on your machine, you'll need admin rights on a recent Linux box, preferably Ubuntu 24.04.", "recording_license": "", "do_not_record": false, "persons": [{"code": "GLQ9T3", "name": "Rapha\u00ebl Vinot", "avatar": "https://pretalx.com/media/avatars/GLQ9T3_gQscSBO.webp", "biography": "Formerly a member of CIRCL, I moved to France but didn't go that far in spirit as I'm still part of the developers and maintainers for a whole bunch of tools there. Some say it is too many, we disagree.", "public_name": "Rapha\u00ebl Vinot", "guid": "54abe03e-5ba8-58e2-8893-be6c3c6a406d", "url": "https://pretalx.com/hack-lu-2024/speaker/GLQ9T3/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/DSHQJ7/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/DSHQJ7/", "attachments": []}], "Hollenfels": [{"guid": "dd89a6bb-8383-5a0f-92ee-40feb1258b8e", "code": "3UBBJQ", "id": 50649, "logo": null, "date": "2024-10-22T10:15:00+02:00", "start": "10:15", "duration": "01:30", "room": "Hollenfels", "slug": "hack-lu-2024-50649-exploring-openssh-hands-on-workshop-for-beginners", "url": "https://pretalx.com/hack-lu-2024/talk/3UBBJQ/", "title": "Exploring OpenSSH: Hands-On Workshop for Beginners", "subtitle": "", "track": "topic: hack.lu", "type": "Workshop", "language": "en", "abstract": "During this workshop, you will learn how to use the various tools from the\r\nOpenSSH suite. We will start with a presentation of the problems that are solved\r\nby OpenSSH, then we will dive into the details of its most important and useful\r\nfeatures.\r\nAmong the topics covered, we will discuss remote host authentication,\r\npassword and public key client authentication, key generation, local and remote\r\nport forwarding, forward and reverse SOCKS proxying, X11 forwarding, jumphosts, connection to legacy systems, and more.\r\n\r\nHands-on exercises will be proposed throughout the exploration of the tool suite\r\nusing real-life scenarios. 
There will be space for questions and discussion.\r\n\r\nThis workshop is intended for beginners who want to improve their practical\r\nknowledge and experience with OpenSSH.\r\n\r\nBasic networking and Linux shell knowledge are required in order to follow this\r\nworkshop. Each participant will need a Linux machine (on which they have root access) with Docker pre-installed and Internet access.", "description": "Most beginners only use the *ssh* command from OpenSSH to reach a shell on\r\nremote machines, and that's it. They don't really know how to deal with\r\nfeatures like port forwarding in order to ease their work.\r\nThis workshop is designed to help them level up their skills with OpenSSH.\r\n\r\nThis workshop is intended for beginners who want to improve their practical\r\nknowledge of the OpenSSH tool suite.\r\n\r\nKnowledge prerequisites:\r\n- Basic networking: IP, TCP/UDP, DNS, tcpdump/Wireshark\r\n- Classical Linux shell usage: command execution, redirections, pipes, sudo, basic package management, etc.\r\n- Basic usage knowledge of OpenSSH", "recording_license": "", "do_not_record": true, "persons": [{"code": "WHXH3Q", "name": "William Robinet", "avatar": "https://pretalx.com/media/avatars/WHXH3Q_Q8FkSnu.webp", "biography": "William manages the technical team behind AS197692 at Conostix S.A. in Luxembourg. He\u2019s been working in cybersecurity using free and open source software on a daily basis for more than 25 years. Recently, he presented his ASN.1 templating tool at Pass the SALT 2023 in Lille. He contributed to the cleanup and enhancement efforts done on ssldump lately. He particularly enjoys tinkering with open (and not so open) hardware. Currently he likes playing around with new tools in the current ML scene, building, hopefully, useful systems for fun and, maybe, profit. 
When not behind an intelligent wannabe machine, he's doing analog music with his band of humans.", "public_name": "William Robinet", "guid": "3b84b965-4ff5-5894-a6a3-2d779304a6d1", "url": "https://pretalx.com/hack-lu-2024/speaker/WHXH3Q/"}], "links": [{"title": "Support repository", "url": "https://github.com/wllm-rbnt/hacklu-2024-openssh-workshop", "type": "related"}], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/3UBBJQ/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/3UBBJQ/", "attachments": [{"title": "Slide deck", "url": "/media/hack-lu-2024/submissions/3UBBJQ/resources/hacklu-2024-o_bxYov0q.pdf", "type": "related"}]}], "Vianden & Wiltz": [{"guid": "bbf34709-1266-5c9d-befc-493b60a52df6", "code": "UJAWVW", "id": 53779, "logo": null, "date": "2024-10-22T14:00:00+02:00", "start": "14:00", "duration": "02:00", "room": "Vianden & Wiltz", "slug": "hack-lu-2024-53779-operationalization-of-sigma-rules-with-processing-pipelines", "url": "https://pretalx.com/hack-lu-2024/talk/UJAWVW/", "title": "Operationalization of Sigma Rules with Processing Pipelines", "subtitle": "", "track": "topic: hack.lu", "type": "Training", "language": "en", "abstract": "Log events appear differently in SIEMs. There are plenty of different taxonomies, possibilities for customization or just migration scenarios that make it challenging to generate queries from Sigma rules that match on events in given log repositories. Processing pipelines are a feature of the open source Sigma toolchain that offer a solution for these challenges and this session is about some real-world use cases for them.", "description": "The [Sigma project](https://sigmahq.io/) offers thousands of open source detection rules that can be used to conduct threat hunting and detection. But before this can be done the conversion tool has to be configured properly to generate queries that match on the given data model in the used SIEM or EDR. 
[pySigma processing pipelines](https://blog.sigmahq.io/connecting-sigma-rule-sets-to-your-environment-with-processing-pipelines-4ee1bd577070) offer a feature-rich YAML-based language for this purpose that allows a wide range of transformations like:\r\n\r\n* simple field mappings\r\n* value transformation with regular expressions\r\n* addition of conditions\r\n* handling of placeholders\r\n* conditional Jinja2-based templating\r\n\r\nTransformations can be applied conditionally to rules with specific attributes or detection items that match a given pattern.\r\n\r\nIn this hands-on session you will learn some common use cases for processing pipelines and have the opportunity to discuss real-world challenges you encountered while operationalizing Sigma rules in your environment.", "recording_license": "", "do_not_record": false, "persons": [{"code": "TD3QYA", "name": "Thomas Patzke", "avatar": "https://pretalx.com/media/avatars/TD3QYA_d7RyBv6.webp", "biography": "Thomas has 18 years of experience in information security and has done lots of stuff in this area, from offensive to defensive security topics. Now he is doing incident response, threat hunting and threat intelligence at the Evonik Cyber Defense Team. 
Furthermore, he is co-founder of the Sigma project and maintains the open source toolchain (pySigma/Sigma CLI).", "public_name": "Thomas Patzke", "guid": "b1b9c18e-616b-525e-b72c-dca645a5188d", "url": "https://pretalx.com/hack-lu-2024/speaker/TD3QYA/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/UJAWVW/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/UJAWVW/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2024/submissions/UJAWVW/resources/Operationali_oU8e0Cl.pptx", "type": "related"}]}, {"guid": "e3b2fdf7-fe73-5d4d-8892-2b50b55dfad0", "code": "JDM9V7", "id": 54476, "logo": null, "date": "2024-10-22T16:15:00+02:00", "start": "16:15", "duration": "02:00", "room": "Vianden & Wiltz", "slug": "hack-lu-2024-54476-0-hands-on-kubernetes-security-with-kubehound-purple-teaming", "url": "https://pretalx.com/hack-lu-2024/talk/JDM9V7/", "title": "Hands-on Kubernetes security with KubeHound (purple teaming)", "subtitle": "", "track": "topic: hack.lu", "type": "Training", "language": "en", "abstract": "Join us for an immersive hands-on workshop where we'll dive into KubeHound, a tool for building Kubernetes attack paths. Participants will play the role of an attacker, but we think the best defense is a good offense. With concrete scenarios and a live environment, attendees will learn to leverage KubeHound to identify attack paths in Kubernetes clusters at scale with no hustle.", "description": "There\u2019s no two ways about it: Kubernetes is a confusing and complex collection of intertwined systems. Finding attack paths in Kubernetes by hand is a frustrating, slow, and tedious process. Defending Kubernetes against those same attack paths is almost impossible without any third party tooling.\r\n\r\nIn this workshop we will present KubeHound - an opinionated, scalable, offensive-minded Kubernetes attack graph tool used by security teams across Datadog. 
We will cover the custom KubeHound DSL to demonstrate its power to identify some of the most interesting and common attack primitives living in your Kubernetes cluster. If the DSL is not enough, we will cover the basics of Gremlin, the language used by our graph technology, so you can find the relevant attack paths that matter to you.\r\n\r\nAs attackers (or defenders), there's nothing better for understanding an attack than exploiting it oneself. So in this workshop we will cover some of the usual attack paths and exploit them. This way you will see for yourself the difficulty (or not) of fully compromising a Kubernetes cluster (#DontDoThisAtHome).\r\n\r\nLastly, in this workshop we will also demonstrate two ways of using KubeHound:\r\n* As a standalone tool that can be run from a laptop\r\n* Or deployed as a service in your own Kubernetes clusters (KubeHound as a Service)\r\n\r\nThe main goal of this workshop is to show how defenders can find and eliminate the most dangerous attack paths and how attackers can have a treasure map to fully compromise a Kubernetes cluster by using the free and open source version of KubeHound.", "recording_license": "", "do_not_record": false, "persons": [{"code": "HEDAYL", "name": "Julien", "avatar": "https://pretalx.com/media/avatars/HEDAYL_hjx2x7z.webp", "biography": "Julien Terriac is a French senior security researcher with a strong background in pentesting with a special taste for Windows authentication, Active Directory inner workings and reverse engineering. 
He developed several offensive tools to automate such as ProtonPack (custom mimikatz), Lycos (share hunter), ExploitPack (privilege escalation framework), IAMBuster (AD auditing framework).\r\n\r\nHe led the R&D department at XMCO for 5 years before joining Datadog as the Team Lead for Adversary Simulation Engineering (ASE) where his team aims at building offensive tools and frameworks that will automate the simulation of real life attacks against Datadog.", "public_name": "Julien", "guid": "2d574067-579d-5819-9e1e-738b8db3b1f8", "url": "https://pretalx.com/hack-lu-2024/speaker/HEDAYL/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/JDM9V7/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/JDM9V7/", "attachments": []}]}}, {"index": 2, "date": "2024-10-23", "day_start": "2024-10-23T04:00:00+02:00", "day_end": "2024-10-24T03:59:00+02:00", "rooms": {"Europe - Main Room": [{"guid": "7bcd8e6a-9636-52f1-a121-4cf1c8ed709c", "code": "8FR7FH", "id": 54209, "logo": null, "date": "2024-10-23T09:00:00+02:00", "start": "09:00", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-54209-csirt-and-the-chocolate-factory", "url": "https://pretalx.com/hack-lu-2024/talk/8FR7FH/", "title": "CSIRT and the Chocolate Factory", "subtitle": "", "track": "topic: hack.lu", "type": "Talk", "language": "en", "abstract": "Discussing a ransomware sample that contains inherent flaws in its cryptographic design. Although well-established cryptographic primitives are used (like AES), they are used in a flawed way and introduce vulnerabilities that when exploited, lead to the decryption of ransomed files without knowing the encryption password and/or key.", "description": "Our CSIRT team responded to a ransomware attack at a small company specialized in the production of chocolate machines. 
All their documentation (technical, commercial, administration, \u2026) was ransomed, and they would go out of business if they could not recover their documentation soon. To prevent this, they paid the ransom and obtained a decryption tool and a key, but it malfunctioned. The files were still ransomed. At this point, our CSIRT was called in and successfully decrypted the ransomed documentation. It turned out that, due to some malfunction, the original ransomware did not encrypt the original files (just changed their extension and added ransomware metadata), while the decryptor then actually encrypted the files (and restored the original extension and removed the ransomware metadata).\r\n\r\nAfter this success, research into the algorithms implemented in this ransomware strain started. It became clear that this sample contains inherent flaws in its cryptographic design. Although well-established cryptographic primitives are used (like AES), they are used in a flawed way and introduce vulnerabilities that when exploited, lead to the decryption of ransomed files without knowing the encryption password and/or key.\r\n\r\nThe vulnerabilities are caused by the combination of 1) the use of AES CTR (counter) mode, 2) partial encryption of ransomed files, and 3) reuse of encryption keys across same and different ransomed files.\r\n\r\nThese vulnerabilities enabled our CSIRT to develop decryptor scripts that can decrypt ransomed files in most cases. For example, the redundancy in ransomed ZIP files (like .docx, .xlsx, \u2026) can be used to decrypt a collection of these files. The more ransomed ZIP files available, the better for this decryption method. 
We will cover different decryption methods during the presentation.\r\n\r\nFinally, during this presentation, we will demo and share YARA rules to detect this ransomware and new variants (associated with Scarab/Spacecolon), together with our decryption scripts.", "recording_license": "", "do_not_record": true, "persons": [{"code": "UY3X3H", "name": "Didier Stevens", "avatar": "https://pretalx.com/media/avatars/UY3X3H_9zuIVU6.webp", "biography": "Didier Stevens (SANS ISC Handler, ...) is a Senior Analyst working at NVISO. Didier has developed and published more than 100 tools, several of them popular in the security community.You can find his open source security tools on his IT security related blog http://blog.DidierStevens.com", "public_name": "Didier Stevens", "guid": "d2d02961-a2a7-514e-9edd-6402e97ffde4", "url": "https://pretalx.com/hack-lu-2024/speaker/UY3X3H/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/8FR7FH/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/8FR7FH/", "attachments": []}, {"guid": "0c18fa6e-b184-596f-bb93-e47a8c6e3c6c", "code": "GMEUXG", "id": 54298, "logo": null, "date": "2024-10-23T09:30:00+02:00", "start": "09:30", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-54298-the-gist-of-hundreds-of-incident-response-cases", "url": "https://pretalx.com/hack-lu-2024/talk/GMEUXG/", "title": "The Gist of Hundreds of Incident Response Cases", "subtitle": "", "track": "topic: hack.lu", "type": "Talk", "language": "en", "abstract": "How to become an Incident Response Rockstar?\r\n\r\nAfter conducting hundreds of Incident Response cases, more data is not always better. Focusing on the most relevant forensic data can speed up the investigation process rapidly. 
In this talk, we will discuss the importance of various event logs to track down lateral movement paths from the attackers, how to find planted (and seemingly legitimate) backdoors, and how you can work smarter, not harder \u2013 which also holds true in digital forensics.\r\n\r\nAs a bonus, we will discuss less-known artifacts like MPLogs and the bitmap cache.\r\nBy attending this talk, participants will be better and more efficient Incident Responders as they can focus on key aspects of an investigation.\r\n\r\nAfter this talk, the audience understands the top artifacts evaluated in every incident response case. For example, we will discuss a variety of event logs, starting from the classic Security event logs to the Remote Desktop event logs, to Amcache, Shimcache, Prefetch files, and more.\r\n\r\nThis discussion will lay the groundwork for how we approach large-scale incident response investigations, how we can track down remote access tools installed by attackers as legitimate backdoors, or how to spot new and unusual services within the environment in no time.\r\n\r\nAs one must work smarter, not harder, we extensively use the Velociraptor artifact DetectRaptor from Matt Green, which works for Rapid7 now. This Velociraptor hunts will find evil within minutes, allowing the Incident Responders responsible for the investigation to concentrate on other aspects of the case or to dig deeper into the hosts where the detections occurred.\r\n\r\nAt the end of the presentation, we will discuss lesser-known artifacts like the Defender MPLogs, which can be a goldmine, the bitmap cache, or the SRUM database.", "description": "After this talk, the audience understands the top artifacts evaluated in every incident response case. 
For example, we will discuss a variety of event logs, starting from the classic Security event logs to the Remote Desktop event logs, to Amcache, Shimcache, Prefetch files, and more.\r\n\r\nThis discussion will lay the groundwork for how we approach large-scale incident response investigations, how we can track down remote access tools installed by attackers as legitimate backdoors, or how to spot new and unusual services within the environment in no time.\r\n\r\nSpeaking of essential event logs, we will discuss the importance of PowerShell event logs and logging, as these are still up to date and frequently used by ransomware groups and APTs.\r\n\r\nWe will showcase how to find suspicious files, which might point out a staging directory from the attacker, as well as the importance of checking the antivirus logs carefully (which is always my first step into a new investigation).\r\n\r\nOn the other hand, we will discuss other important forensics concepts like Shellbags and how you can present them to the customer in which directories the threat actor(s) roamed around.\r\n\r\nAs one must work smarter, not harder, we extensively use the Velociraptor artifact DetectRaptor from Matt Green, which works for Rapid7 now. This Velociraptor hunts will find evil within minutes, allowing the Incident Responders responsible for the investigation to concentrate on other aspects of the case or to dig deeper into the hosts where the detections occurred.\r\n\r\nAt the end of the presentation, we will discuss lesser-known artifacts like the Defender MPLogs, which can be a goldmine, the bitmap cache, or the SRUM database.", "recording_license": "", "do_not_record": false, "persons": [{"code": "C7AHN8", "name": "Stephan Berger", "avatar": "https://pretalx.com/media/avatars/C7AHN8_XZLjJO1.webp", "biography": "Stephan Berger has over a decade of experience in cybersecurity. 
Currently working with the Swiss-based company InfoGuard, Stephan investigates breaches and hacked networks as Head of Investigation of the Incident Response team. An avid Twitter user under the handle @malmoeb, he actively shares insights on cybersecurity trends and developments. Stephan also authors the blog DFIR.ch, where he provides in-depth analysis and commentary on digital forensics and incident response. Stephan has spoken at numerous conferences, sharing his expertise with audiences worldwide.", "public_name": "Stephan Berger", "guid": "698cb298-5b68-5675-9e3e-3de45ac23fff", "url": "https://pretalx.com/hack-lu-2024/speaker/C7AHN8/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/GMEUXG/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/GMEUXG/", "attachments": []}, {"guid": "a2aed1c7-936a-5bc0-ac15-1e6345b889c8", "code": "QJAJJK", "id": 51802, "logo": null, "date": "2024-10-23T10:15:00+02:00", "start": "10:15", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-51802-iot-hacks-humans-unexpected-angles-of-human-process-compromise", "url": "https://pretalx.com/hack-lu-2024/talk/QJAJJK/", "title": "IoT hacks humans - unexpected angles of Human Process Compromise", "subtitle": "", "track": "topic: hack.lu", "type": "Talk", "language": "en", "abstract": "Hacking humans with IoT? It is happening now and will only scale. The rapid evolution of AI technologies, mass development and production of IoT equipment which is interconnected and can be orchestrated on backend by massive AI platforms which are sourcing, processing and cross-correlating personal and sensitive data completely changes human vs computer paradigm. No chip implant is needed to control a human, unlike it may be commonly believed. As long as enough biometric and behavioral information is collected on human beings, they and their social contacts can be completely manipulated in predictable manner. 
The environment of connected society is a perfect stage, where the humans are exposing their harvestable biometric and behavior profiles, by publishing content in social media or giving up the IoT devices around the things which they are reluctant to share with their closest friends. This is the new battle ground where our digital identities are appearing and exposing our strengths and weaknesses at the same time.  Those identities can be created, stolen, or replicated without our consent by criminals and state sponsored actors, appear in the places we are not aware, and leveraged to target our digital presence and physical life. \r\n\r\nBy connecting the dots between generative AI,  predatory advertisement companies, biometric data harvesting and Human - IoT interactions \u2013 we demonstrate the significant expansion of the attack surface against humans and social groups. Disinformation, public opinion manipulation, virtual kidnapping, exploitation of human digital identities are the fruits of the same tree. The data collected and processed in the IoT based smart environments is a gold mine for criminals and state sponsored actors to manipulate humans the way and at the scale which was impossible before.\r\n\r\nThe presentation is focusing on the attack scenarios and case studies of targeted individuals, social groups that we either have observed or to observe in the wild, including election campaigns in social media, assets take over, extortion. The consequences of attacks lead to behavior changes and actions in both, physical and digital world including changing the decisions, social engineering, exfiltration of sensitive information, choosing most vulnerable targets to attack high security environments, swaying opinions, affecting elections and other critical events, that may change the history. We will also cover both, defense options and choke points related to the expanded attack surface.", "description": "1. 
Introduction (4m)\r\n- Human Process Compromise is Business Process Compromise moved one step closer to the human.\r\n-- Why Human Process Compromise is a fragile chain under Business Process Compromise umbrella\r\n-- How HPCs completely bypass this entire classes of security measures.\r\n- IoT angle of HPC - What IoT knows about humans.\r\n- Technology enablers for attacks\r\n- Techniques to manipulate humans and public opinions.\r\n2. Tools and technologies used (6m)\r\n- Use of the connected world data to choose appropriate targets.\r\n-- Profiling humans for criminal monetization attacks\r\n-- Choosing a targets for espionage operations\r\n-- Affecting critical events, like elections\r\n- Weaponization - extracting human, social groups and society habits and weaknesses to target\r\n- Actions on target - empowering and boosting manipulation techniques with IoT and connected world data.\r\n-- Boosting Fake News and Opinion manipulation campaigns with IoT data\r\n-- Reshaping Identity linked attack surface like bank account MFA, voice authentication, SIM card based identities using HPC.\r\n-- Targeting physical events.\r\n- Required knowledge, technologies and cost of operations.\r\n3. 
Connecting the dots: Attack scenarios and case studies (15m)\r\n- Underground actors' approach and criminal monetization\r\n-- Services and Technologies: use and abuse of big data, generative AI, Biometrics, PII, voice, face, source phone number substitution, IoT and cloud IoT technologies and credentials market.\r\n-- Typical targets (victims) and attack scenarios\r\n-- Criminal business processes and monetization options\r\n- State sponsored attack scenarios\r\n-- Espionage with HPC\r\n-- Forced and disruptive physical actions against critical assets\r\n-- Manipulation of negotiation outcomes\r\n-- Manipulating the crowds and societies attack scenarios.\r\n- Privacy breach scenarios which leverage IoT connectivity (4m)\r\nHow to deal with it (3m)\r\nConclusion (2m)", "recording_license": "", "do_not_record": false, "persons": [{"code": "QMTPZP", "name": "Vladimir Kropotov", "avatar": "https://pretalx.com/media/avatars/QMTPZP_XOtgW7d.webp", "biography": "Vladimir Kropotov is an Advisor and Sr. Researcher with the Trend Micro Forward-Looking Threat Research team. Active for over 20 years in information security projects and research, he previously built and led incident response teams at Fortune 500 companies and was head of the Incident Response Team at Positive Technologies. He holds a master's degree in applied mathematics and information security. He also participates in various projects for leading financial, industrial, and telecom companies. 
His main interests lie in network traffic analysis, incident response, and botnet and cybercrime investigations.", "public_name": "Vladimir Kropotov", "guid": "af5db526-94d6-5d4a-9eea-49acfda85975", "url": "https://pretalx.com/hack-lu-2024/speaker/QMTPZP/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/QJAJJK/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/QJAJJK/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2024/submissions/QJAJJK/resources/IoT-hacks-humans-unexpected_angles_of_Human_Pr_mJ5FFiU.pdf", "type": "related"}]}, {"guid": "99e89f52-251a-52ce-bead-8f395ad82b76", "code": "HWDZGZ", "id": 54478, "logo": null, "date": "2024-10-23T10:45:00+02:00", "start": "10:45", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-54478-kubehound-identifying-attack-paths-in-kubernetes-clusters-at-scale-with-no-hustle", "url": "https://pretalx.com/hack-lu-2024/talk/HWDZGZ/", "title": "KubeHound: Identifying attack paths in Kubernetes clusters at scale with no hustle", "subtitle": "", "track": "topic: hack.lu", "type": "Talk", "language": "en", "abstract": "In this talk, we'll dive into KubeHound, a tool for building Kubernetes attack paths. We will present the genesis of the project and what answers regarding your Kubernetes cluster security it might bring to you. We will cover how KubeHound brings you an offensive mindset on a silver platter because we think the best defense is a good offense. Live demos of KubeHound from the defender\u2019s and attacker\u2019s point of view will be performed during the talk.", "description": "There\u2019s no two ways about it: Kubernetes is a confusing and complex collection of intertwined systems. Understanding interdependencies in a Kubernetes cluster, in particular gaps left open by seemingly innocent configuration changes, is beyond human capability. 
But not all misconfigurations are equal: some are not a big deal, but some can lead to the full takeover of an entire Kubernetes cluster. This illustrates the well-known adage: \"Defenders think in lists, attackers think in graphs; as long as this is true, attackers win\". \r\n\r\nIn this talk we will introduce how KubeHound, an opinionated, scalable, offensive-minded Kubernetes attack graph tool used by security teams across Datadog, can help you pinpoint the most critical attack paths within your Kubernetes cluster: \r\nFrom a defender\u2019s point of view, it means knowing how to prioritize which security initiative matters most, built on concrete security KPIs.\r\nFrom an attacker\u2019s point of view, it means finding the lowest-effort attack path that will lead to their goal, usually full takeover of the entire cluster. Having a treasure map saves a ton of time for the attacker.\r\n\r\nIn short, single-point security findings have little traction for either an attacker or a defender. So we will demonstrate how KubeHound, being a queryable graph database of attack paths, makes reasoning about security problems via data-driven testing of hypotheses extremely efficient.\r\n\r\nAt the end of the talk, we will leave you with an open-source version of KubeHound designed to be run from a laptop to evaluate the attack paths within a single cluster from an attacker's or defender's point of view. Finally, we will discuss the approach and challenges of implementing a distributed, large-scale version of the tool at Datadog and how you might implement a similar solution in your own environment.", "recording_license": "", "do_not_record": false, "persons": [{"code": "HEDAYL", "name": "Julien", "avatar": "https://pretalx.com/media/avatars/HEDAYL_hjx2x7z.webp", "biography": "Julien Terriac is a French senior security researcher with a strong background in pentesting and a special taste for Windows authentication, Active Directory inner workings and reverse engineering. 
He developed several offensive tools to automate such as ProtonPack (custom mimikatz), Lycos (share hunter), ExploitPack (privilege escalation framework), IAMBuster (AD auditing framework).\r\n\r\nHe led the R&D department at XMCO for 5 years before joining Datadog as the Team Lead for Adversary Simulation Engineering (ASE) where his team aims at building offensive tools and frameworks that will automate the simulation of real life attacks against Datadog.", "public_name": "Julien", "guid": "2d574067-579d-5819-9e1e-738b8db3b1f8", "url": "https://pretalx.com/hack-lu-2024/speaker/HEDAYL/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/HWDZGZ/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/HWDZGZ/", "attachments": []}, {"guid": "99852302-d0b0-5a6b-8de1-4b5a074ba0fe", "code": "9SSSTW", "id": 50655, "logo": "https://pretalx.com/media/hack-lu-2024/submissions/9SSSTW/Session-pic_oqtTuNK.png", "date": "2024-10-23T11:15:00+02:00", "start": "11:15", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-50655-the-web-of-cognitive-warfare", "url": "https://pretalx.com/hack-lu-2024/talk/9SSSTW/", "title": "The Web of cognitive warfare", "subtitle": "", "track": "topic: CTI", "type": "Talk", "language": "en", "abstract": "In an era where cognitive warfare has become a pivotal battleground, the strategic manipulation of information to influence public perception and decision-making processes poses significant threats to global security and stability. This multifaceted domain exploits digital interconnectedness, leveraging psychological vulnerabilities and technological platforms to achieve its objectives. The complexity of cognitive warfare necessitates advanced strategies that incorporate cyber threat hunting, open-source intelligence (OSINT), and ethical hacking. 
These methodologies are critical in identifying, understanding, and mitigating the sophisticated tactics employed by adversaries in the digital landscape.", "description": "In this talk, I use CTI methods to analyse influence operations and cognitive warfare, showcasing an ongoing operation run by a threat actor in their new modus operandi: paid-ads-based targeting, combined with financial scams and vast data collection on social networks.\r\nThe OPSEC of the actor allows for long-term campaigns with low levels of detection, even by AI-based detection.", "recording_license": "", "do_not_record": false, "persons": [{"code": "8AAUGQ", "name": "Jindrich Karasek", "avatar": "https://pretalx.com/media/avatars/8AAUGQ_ZwdCFNs.webp", "biography": "Jind\u0159ich is a Senior Cyber Threat Researcher. His research work focuses on the domains of cognitive warfare, cyber espionage, and cyber threat intelligence. You might also recognise him as the security data scientist known as 4n6strider.", "public_name": "Jindrich Karasek", "guid": "892bfc4a-da47-5860-875f-c2b33e0bb891", "url": "https://pretalx.com/hack-lu-2024/speaker/8AAUGQ/"}], "links": [{"title": "My other work:", "url": "https://linktr.ee/4n6strider", "type": "related"}, {"title": "My LinkedIn profile:", "url": "https://www.linkedin.com/in/jindrichkarasek/", "type": "related"}], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/9SSSTW/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/9SSSTW/", "attachments": [{"title": "Slides - The Web of Cognitive Warfare", "url": "/media/hack-lu-2024/submissions/9SSSTW/resources/2024-sharing-_9L0pDTB.pdf", "type": "related"}]}, {"guid": "bc943d1f-c9c4-50c8-b6f6-25ed8de86b13", "code": "DNBRHN", "id": 57506, "logo": null, "date": "2024-10-23T11:45:00+02:00", "start": "11:45", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-57506-it-has-been-0-days-since-the-last-edge-device-security-incident", "url": 
"https://pretalx.com/hack-lu-2024/talk/DNBRHN/", "title": "It Has Been [0] Days Since the Last Edge-Device Security Incident", "subtitle": "", "track": "topic: CTI", "type": "Talk", "language": "en", "abstract": "Over the past 12 months, Volexity has identified two security incidents in customer environments caused by zero-day exploits: CVE-2023-46805 & CVE-2024-21887 (Ivanti Connect Secure), and CVE-2024-3400 (Palo Alto Networks Global Protect). This talk will explore why security issues affecting edge devices remain a persistent problem, examine common detection approaches used by Volexity to identify such incidents, and outline methods organisations can employ to detect similar incidents within their own environments.", "description": "Over the past 12 months, Volexity has identified two security incidents in customer environments caused by zero-day exploits: CVE-2023-46805 & CVE-2024-21887 (Ivanti Connect Secure), and CVE-2024-3400 (Palo Alto Networks Global Protect). This talk will explore why security issues affecting edge devices remain a persistent problem, examine common detection approaches used by Volexity to identify such incidents, and outline methods organisations can employ to detect similar incidents within their own environments.", "recording_license": "", "do_not_record": true, "persons": [{"code": "TCLCCY", "name": "Rascagneres", "avatar": null, "biography": "Paul Rascagneres is a principal threat researcher at Volexity. 
He performs investigations to identify new threats, and he has presented his findings in several publications and at international security conferences.", "public_name": "Rascagneres", "guid": "f8574b02-ec4d-5585-8b7a-ca6c82152aa3", "url": "https://pretalx.com/hack-lu-2024/speaker/TCLCCY/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/DNBRHN/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/DNBRHN/", "attachments": []}, {"guid": "11b56fea-7816-5ee6-b8cf-00efb297216e", "code": "NXFR3H", "id": 57051, "logo": null, "date": "2024-10-23T13:30:00+02:00", "start": "13:30", "duration": "00:10", "room": "Europe - Main Room", "slug": "hack-lu-2024-57051-a-quick-monologue-on-global-inefficiency", "url": "https://pretalx.com/hack-lu-2024/talk/NXFR3H/", "title": "A quick monologue on global inefficiency", "subtitle": "", "track": "hack.lu lightning talk", "type": "Lightning talk", "language": "en", "abstract": "We need to reduce the inefficiency of each SOC analyzing and countering threats on their own with little to no efficient, actionable knowledge sharing, globally speaking", "description": "A new threat emerges. This could be new malware, new exploitation techniques, new types/classes of vulnerabilities, new cloud attack vectors, whatever it is - the new threats leave every SOC globally, and individually, struggling to understand the threat in order to detect and mitigate it.\r\n\r\nThis is horribly inefficient. We need something that scales better! I want to point out this global inefficiency in order to explain why we need to issue a call for action.\r\n\r\nWhat's being done today is that researchers are trying to document their work researching malware, or forensically following the traces of attackers in networks/clouds, or detection teams sharing detections they built to address MITRE ATT&CK techniques. 
But they're sharing without a standard methodology or framework or even approach, and it also does not scale very well and the shared knowledge is never incorporated into a global body of knowledge.", "recording_license": "", "do_not_record": false, "persons": [{"code": "VZUHEN", "name": "Claus", "avatar": "https://pretalx.com/media/avatars/VZUHEN_c8A4tum.webp", "biography": "Infosec Librarian.", "public_name": "Claus", "guid": "a36568c5-2e4a-5937-87a2-4412520e8044", "url": "https://pretalx.com/hack-lu-2024/speaker/VZUHEN/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/NXFR3H/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/NXFR3H/", "attachments": []}, {"guid": "4bd80069-36a4-51d0-8c4e-7c645c270534", "code": "ZBCZDB", "id": 57325, "logo": null, "date": "2024-10-23T13:40:00+02:00", "start": "13:40", "duration": "00:05", "room": "Europe - Main Room", "slug": "hack-lu-2024-57325-flowintel-flow-your-management", "url": "https://pretalx.com/hack-lu-2024/talk/ZBCZDB/", "title": "Flowintel - flow your management", "subtitle": "", "track": "hack.lu lightning talk", "type": "Lightning talk", "language": "en", "abstract": "An open source platform to support analysts to organise their case and tasks", "description": "Quick presentation of the tool and main features.", "recording_license": "", "do_not_record": false, "persons": [{"code": "QLCDR9", "name": "Cruciani David", "avatar": "https://pretalx.com/media/avatars/QLCDR9_UaQCNdl.webp", "biography": "Security researcher at CIRCL since 2021.\r\nThe one that make jokes on Alexandre age.", "public_name": "Cruciani David", "guid": "a411ab00-a883-521f-b866-aafbfced7592", "url": "https://pretalx.com/hack-lu-2024/speaker/QLCDR9/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/ZBCZDB/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/ZBCZDB/", "attachments": []}, {"guid": "4dcb4e74-24d1-5dd3-a6bf-5cc6001fc331", "code": "WDD9BU", "id": 57274, "logo": 
null, "date": "2024-10-23T13:45:00+02:00", "start": "13:45", "duration": "00:05", "room": "Europe - Main Room", "slug": "hack-lu-2024-57274-how-i-learned-to-stop-worrying-and-love-the-nlf", "url": "https://pretalx.com/hack-lu-2024/talk/WDD9BU/", "title": "How I Learned to Stop Worrying and Love the NLF", "subtitle": "", "track": "hack.lu lightning talk", "type": "Lightning talk", "language": "en", "abstract": "The CRA in 2 slides.", "description": "This lightning talk aims at summarising upcoming EU product and service regulations and how they relate.", "recording_license": "", "do_not_record": false, "persons": [{"code": "QAXK3M", "name": "fukami", "avatar": "https://pretalx.com/media/avatars/QAXK3M_2jx2lqb.webp", "biography": "fukami works for the OpenSSF in Brussels and supports public, private and community partners to make technology more secure.", "public_name": "fukami", "guid": "5ed9bcbf-3e22-585f-9d83-60402d3ca705", "url": "https://pretalx.com/hack-lu-2024/speaker/QAXK3M/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/WDD9BU/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/WDD9BU/", "attachments": [{"title": "Slides Lightning Talk \"How I Learned to Stop Worrying and Love the NLF\"", "url": "/media/hack-lu-2024/submissions/WDD9BU/resources/CRA_LT_hack.lu_2024_boZQWoj.pdf", "type": "related"}]}, {"guid": "360dd99a-6bad-5efb-8fe6-28f75577248e", "code": "TQZPPU", "id": 57497, "logo": "https://pretalx.com/media/hack-lu-2024/submissions/TQZPPU/97e1z2_nLSHCg8.jpg", "date": "2024-10-23T13:50:00+02:00", "start": "13:50", "duration": "00:05", "room": "Europe - Main Room", "slug": "hack-lu-2024-57497-any-sufficiently-advanced-technology-is-indistinguishable-from-01-january-1970", "url": "https://pretalx.com/hack-lu-2024/talk/TQZPPU/", "title": "Any sufficiently advanced technology is indistinguishable from 01 January 1970", "subtitle": "", "track": "hack.lu lightning talk", "type": "Lightning talk", "language": "en", 
"abstract": "The 2038 problem will soon start to get picked up by the popular press, which will lead to significant public pressure to do something before our technology stack crashes. However our technology stack is getting so complex with abstraction layers that by 2038 it might positively unmanageable. This presents us with an opportunity to refit our social tech stack with something not only \"secure-by-design\" but also maintainable-by-future-generations-by-design. Behind all this drama lurks the challenge that as 19 January 2038 draws closer, ever more hands from around the globe will be frantically reaching for increasingly scarce components from one hotly contested island off the coast of the PRC. This is the truly hard problem which lies before us today.", "description": "The 2038 problem will soon start to get picked up by the popular press, which will lead to significant public pressure to do something before our technology stack crashes. However our technology stack is getting so complex with abstraction layers that by 2038 it might positively unmanageable. This presents us with an opportunity to refit our social tech stack with something not only \"secure-by-design\" but also maintainable-by-future-generations-by-design. Behind all this drama lurks the challenge that as 19 January 2038 draws closer, ever more hands from around the globe will be frantically reaching for increasingly scarce components from one hotly contested island off the coast of the PRC. This is the truly hard problem which lies before us today.", "recording_license": "", "do_not_record": false, "persons": [{"code": "X9LU3W", "name": "Trey Darley", "avatar": "https://pretalx.com/media/avatars/X9LU3W_VRdATOr.webp", "biography": "Trey Darley works at Accenture Security in Brussels, where he is setting up a security testing lab of sorts, and trying to do some good for the world. 
Trey has been a long-standing member of the FIRST community, and has served a variety of volunteer roles, including a term on the FIRST board, during which he co-founded the FIRST standards committee. Trey is well known for his work on open cybersecurity standards like STIX/TAXII and others. He's also been aligned with the Langsec faction for many years. Trey's patron saints are Grace Hopper and Paul Erd\u00f6s.", "public_name": "Trey Darley", "guid": "a64a5b41-9e1d-5dc0-a247-5dd2be0db01a", "url": "https://pretalx.com/hack-lu-2024/speaker/X9LU3W/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/TQZPPU/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/TQZPPU/", "attachments": []}, {"guid": "8102b8e7-4286-574d-b999-52421a39e0c9", "code": "HGC9ZR", "id": 57446, "logo": null, "date": "2024-10-23T13:55:00+02:00", "start": "13:55", "duration": "00:05", "room": "Europe - Main Room", "slug": "hack-lu-2024-57446-how-much-time-we-had-for-ipv6-preparation", "url": "https://pretalx.com/hack-lu-2024/talk/HGC9ZR/", "title": "How much time we had for IPv6 preparation?", "subtitle": "", "track": "hack.lu lightning talk", "type": "Lightning talk", "language": "en", "abstract": "This lightning talk will bring us to the little overview of the IPv4 exhaustion and time, which we had for being IPv6 ready with our skillsets.", "description": "The movement to the IPv6 is not only something, what will happen in the future. It has already happened and we often see that crazy thing in logs. How come, that it has happened so fast? Why we have not been prepared? Well, in fact... 
:)", "recording_license": "", "do_not_record": false, "persons": [{"code": "KVTNEQ", "name": "Nicol Dankova", "avatar": "https://pretalx.com/media/avatars/KVTNEQ_SHHr3Se.webp", "biography": "CyberBattleground Warchief @ Henkel & Desperate Coffee Drinker @ Tomas Bata University in Zlin", "public_name": "Nicol Dankova", "guid": "3310fe1d-6c5d-5a9a-84e6-868e2816fff3", "url": "https://pretalx.com/hack-lu-2024/speaker/KVTNEQ/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/HGC9ZR/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/HGC9ZR/", "attachments": []}, {"guid": "1439d49a-08c9-5d7a-986e-a3934dc922a6", "code": "WM93CN", "id": 52472, "logo": null, "date": "2024-10-23T14:00:00+02:00", "start": "14:00", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-52472-i-need-access-exploit-password-management-software-to-obtain-credential-from-memory", "url": "https://pretalx.com/hack-lu-2024/talk/WM93CN/", "title": "I Need Access: Exploit Password Management Software To Obtain Credential From Memory", "subtitle": "", "track": "topic: hack.lu", "type": "Talk", "language": "en", "abstract": "Passwords have long been a foundational element of cybersecurity, but they remain vulnerable to various attacks aimed at acquiring user credentials. Password management software (PM) has emerged as a key defense, yet misconfigurations and user errors can still result in data leaks. This presentation introduces a new red teaming tool, Pandora, capable of extracting credentials from 18 popular PM implementations, including desktop applications, browsers, and browser plugins. Pandora requires the PM to be active to dump its processes and analyzing them for user credentials.  Although this vulnerability is not new, Pandora represents the first public tool to exploit it, emphasizing the need for the pentesting community to advocate for stronger protections from vendors to secure user credentials. 
Additionally, only two vendors have acknowledged the problem, with one CVE ID (CVE-2023-23349) reserved for Kaspersky.", "description": "Passwords have long been a fundamental aspect of cybersecurity, with numerous attacks targeting the covert acquisition of user passwords. Password management software (PM) has emerged as a crucial defense mechanism against such attacks. Despite the security measures embedded in these applications, misconfigurations and user errors can still result in sensitive data breaches.\r\n\r\nIn this context, the current presentation introduces a newly developed red teaming tool called Pandora (https://github.com/efchatz/pandora). Pandora is capable of extracting end-user credentials from 18 widely-used PM implementations, including MS Windows 10 desktop applications and browser plugins. The sole requirement for Pandora to function is for the PM to be active, enabling the tool to dump the PM\u2019s processes; note that this presupposes an attacker who already has code execution on the host with privileges sufficient to read the PM\u2019s process memory, i.e. it is a post-compromise technique. Through experimentation, it was found that only 1Password necessitates high integrity privileges for an attacker to dump the relevant processes. Once executed on a host machine, Pandora will dump the PM\u2019s processes, analyze them, and extract any user credentials it finds. The tool offers various modes to support penetration testers and can provide an additional attack vector in red team engagements, given the widespread use of PMs today.\r\n\r\nMethodologically, Pandora operates based on the specific implementation of each PM. Many PMs store their entries or master credentials in plaintext within the corresponding process memory. Consequently, Pandora consists of different autonomous scripts tailored to each PM implementation.\r\n\r\nFollowing a Coordinated Vulnerability Disclosure (CVD) process, most vendors responded that these issues fall outside their scope, as the attacker already requires local access to the host, or the antivirus/endpoint detection and response (AV/EDR) systems might prevent such attacks. 
To date, only two vendors have acknowledged the problem, with one already reserving a CVE ID: CVE-2023-23349 (Kaspersky).\r\n\r\nIt is important to note that this issue is not entirely new. It has long been recognized that there is no foolproof method for desktop applications to be protected against such attacks. However, to the best of our knowledge, this is the first time such a tool has been publicly discussed and made available. Since various PMs use different encryption and obfuscation methods, it is up to the pentesting community to encourage vendors to implement protections that will safeguard user credentials.", "recording_license": "", "do_not_record": false, "persons": [{"code": "R9TNBR", "name": "Efstratios Chatzoglou", "avatar": "https://pretalx.com/media/avatars/R9TNBR_xjDyHfq.webp", "biography": "Efstratios Chatzoglou received the M.Sc. degree in Security of Information and Communication Systems from the University of the Aegean, Samos, Greece. He has worked for more than 3 years in the field of cybersecurity. Currently, he is a Penetration Tester with Memorandum, and a PhD candidate at the University of the Aegean. He has identified more than 25 different CVE IDs from well-known vendors, like ASUS, MediaTek, Netgear, Huawei, LiteSpeed, etc. The most recent one is the CVE-2023-23349 from Kaspersky. 
He has published more than 15 research papers in well-known conferences and academic journals.", "public_name": "Efstratios Chatzoglou", "guid": "8002cf36-f097-5794-812a-5163517d89e9", "url": "https://pretalx.com/hack-lu-2024/speaker/R9TNBR/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/WM93CN/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/WM93CN/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2024/submissions/WM93CN/resources/hack_lu_2024_wabZQPv.pdf", "type": "related"}]}, {"guid": "38c7bdab-fb92-590f-8fc1-990f0feccce0", "code": "YYCNKP", "id": 52366, "logo": null, "date": "2024-10-23T14:30:00+02:00", "start": "14:30", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-52366-empowering-cybersecurity-outreach-and-learning-through-collaborative-challenge-building-sharing-and-execution", "url": "https://pretalx.com/hack-lu-2024/talk/YYCNKP/", "title": "Empowering Cybersecurity Outreach and Learning through Collaborative Challenge Building, Sharing, and Execution", "subtitle": "", "track": "topic: hack.lu", "type": "Talk", "language": "en", "abstract": "In the dynamic landscape of cybersecurity, continuous skill development is paramount. This presentation, titled \"Empowering Cybersecurity Outreach and Learning through Collaborative Challenge Building, Sharing, and Execution,\" delves into innovative approaches to enhance outreach and learning in the field.\r\n\r\nFocused on the creation, sharing, and execution of challenges, particularly through platforms like Capture The Flag (CTF), the session aims to illustrate the transformative impact of hands-on experiences with the FIRST.org challenges.\r\n\r\nThe discussion will also outline how it has grown, offering a wide variety of knowledge fields and strong collaboration between the volunteers and their supporting organisation.", "description": "## Outline\r\n\r\n1. Why a CTF at FIRST and Its Specificities?\r\n2. 
How Gamification Supports Spreading Knowledge?\r\n3. Are CTFs the Sole Approach?\r\n4. Pitfalls and Points of Attention\r\n5. Statistics and Figures\r\n6. Conclusion\r\n\r\n## Why Have a CTF at FIRST and Its Specificities?\r\n\r\nThe FIRST.org CTF is designed to reinforce the FIRST community, spread knowledge, and foster trust and collaboration. The focus is placed on defensive and constructive aspects rather than offensive ones. Players are strongly encouraged to participate in teams. Tools are provided to help find potential teammates, resulting in teams composed of players who have not previously worked together. An interesting example was observed at the latest FIRST annual conference, where the team holding the 1st position for most of the week was formed in this manner.\r\n\r\nThis section will, therefore, cover how a CTF, using the FIRST event as an example, is an effective way to contribute to establishing vibrant communities.\r\n\r\n## How Gamification Supports Spreading Knowledge?\r\n\r\nThrough challenges, players encounter intellectual hurdles designed for learning. Each challenge is built to ensure that the player learns by doing. Participation motivates players to strive and solve as many puzzles as possible. Working in teams encourages players to contribute to the collective effort and collaborate to maximize their results. A CTF combines rewards for collaborative efforts with a learn-by-doing approach. The CTF team itself demonstrates how organizations that might not typically collaborate can unite efforts toward a common goal.\r\n\r\n## Are Only CTFs Useful for Gamification of Training?\r\n\r\nWhile CTFs are perhaps the most obvious technique, we will discuss an alternative option that could be offered to communities: [hackathons](https://en.wikipedia.org/wiki/Hackathon).\r\n\r\nAs previously stated, the FIRST CTF is built with a constructive approach: players defend and are not rewarded for breaking things. Hackathons extend this concept further. 
A group of people collaborates on a dedicated task during a limited time, producing something that yields actual results. This might range from contributing to an existing tool to creating a proof of concept for a new tool.\r\n\r\n## Pitfalls and Points of Attention\r\n\r\nIn this section, we will discuss the challenges we encountered and the lessons learned. These encompass various aspects such as addressing cheating, providing on-site assistance, and aligning diverse expectations...\r\n\r\n## Statistics and Figures\r\n\r\nIn this section, we will revisit a decade of CTF at FIRST and compile notable statistics.\r\n\r\nIt is particularly significant to highlight the considerable effort required to construct a high-quality CTF and illustrate how this effort is rewarded by robust participation at the conference.", "recording_license": "", "do_not_record": false, "persons": [{"code": "NR9TLH", "name": "Alexandre Dulaunoy", "avatar": "https://pretalx.com/media/avatars/NR9TLH_JWTVpkQ.webp", "biography": "Enjoy when human are using machines in unexpected ways. I break stuff and I do stuff.", "public_name": "Alexandre Dulaunoy", "guid": "c9201d6b-2483-50e7-a2e7-e01c13c44465", "url": "https://pretalx.com/hack-lu-2024/speaker/NR9TLH/"}, {"code": "PKXHJG", "name": "David Durvaux", "avatar": "https://pretalx.com/media/avatars/PKXHJG_cbtcfW2.webp", "biography": "David Durvaux is active in the incident response field for more than a decade. He has work on many IT security incidents and especially on computer forensics aspects. Since 2015 he is actively preparing the FIRST CTF. 
David presented in numerous conferences including hack.lu.", "public_name": "David Durvaux", "guid": "989e5a58-e832-5827-b7f5-5b12aafe19d7", "url": "https://pretalx.com/hack-lu-2024/speaker/PKXHJG/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/YYCNKP/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/YYCNKP/", "attachments": []}, {"guid": "5a03c9a3-e5f7-5641-b2d8-5cb54e1579de", "code": "88DSDM", "id": 52106, "logo": null, "date": "2024-10-23T15:00:00+02:00", "start": "15:00", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-52106-artemis-how-cert-pl-improves-the-security-of-the-polish-internet", "url": "https://pretalx.com/hack-lu-2024/talk/88DSDM/", "title": "Artemis: how CERT PL improves the security of the Polish internet", "subtitle": "", "track": "topic: hack.lu", "type": "Talk", "language": "en", "abstract": "How to scan more than 500 thousand domains and subdomains and identify almost 300 thousand vulnerabilities and misconfigurations, ranging from minor (lack of proper SSL or DMARC configuration), to critical (SQL Injections or RCEs)?", "description": "Since the beginning of 2023, CERT PL has been periodically scanning more than 500 thousand domains and subdomains of universities, hospitals, government institutions, schools, banks and other organizations, and detecting hundreds of thousands of issues (including high-severity ones, such as SQL Injection, in important entities).\r\n\r\nFor that task we built a custom tool: Artemis (https://github.com/CERT-Polska/Artemis). It checks various aspects of website security and builds easy-to-read messages informing organizations about the scanning results.\r\n\r\nDuring the presentation, I will describe the way Artemis works, what we are looking for, and most significantly - lessons we've learned during our large-scale scanning project. 
As the tool is open-source, I will touch upon how to set up your own scanning pipeline.", "recording_license": "", "do_not_record": false, "persons": [{"code": "T9P3CK", "name": "Krzysztof Zaj\u0105c", "avatar": "https://pretalx.com/media/avatars/T9P3CK_lLRw6ch.webp", "biography": "Senior Threat Analysis Specialist at CERT PL, currently working on automated vulnerability discovery techniques. Before becoming a security specialist, he's been a software engineer for more than ten years. Teaches offensive security at the University of Warsaw. Formerly a CTF player, playing with the p4 CTF team. Likes cats and bad puns.", "public_name": "Krzysztof Zaj\u0105c", "guid": "e7b026cd-2e2d-549f-90b9-a55085ac1533", "url": "https://pretalx.com/hack-lu-2024/speaker/T9P3CK/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/88DSDM/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/88DSDM/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2024/submissions/88DSDM/resources/Artemis___hac_Q4Ib02l.pdf", "type": "related"}]}, {"guid": "87ca5067-3e99-560c-974b-13c8fe25c418", "code": "JU3CXK", "id": 54147, "logo": null, "date": "2024-10-23T15:30:00+02:00", "start": "15:30", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-54147-spicy-generating-robust-parsers-for-protocols-file-formats", "url": "https://pretalx.com/hack-lu-2024/talk/JU3CXK/", "title": "Spicy \u2014 Generating Robust Parsers for Protocols & File Formats", "subtitle": "", "track": "topic: hack.lu", "type": "Talk", "language": "en", "abstract": "This talk gives a practical overview and introduction of the [Spicy](https://docs.zeek.org/projects/spicy/en/latest/) parser generator for protocols and file formats.", "description": "[Spicy](https://docs.zeek.org/projects/spicy/en/latest/) is a parser generator that makes it easy to create robust parsers for network protocols, file formats and more. 
Spicy is a bit like a \"yacc for protocols\", but it is much more than that: It is an all-in-one system enabling developers to write attributed grammars that describe both syntax and semantics of an input format using a single, unified language. Think of Spicy as a domain-specific scripting language for all your parsing needs.\r\n\r\nIn the last couple of years we have evolved and used Spicy as a tool in the [Zeek network monitoring ecosystem](https://zeek.org/) to make it easier for researchers and domain experts to surface information transmitted live over the network. Spicy includes dedicated support to work with lossy captures or malformed traffic. By providing an API Spicy can be embedded into other projects (like Zeek embeds Spicy).\r\n\r\nThis talk gives a practical overview and introduction of Spicy.", "recording_license": "", "do_not_record": false, "persons": [{"code": "CKWUZD", "name": "Benjamin Bannier", "avatar": "https://pretalx.com/media/avatars/CKWUZD_W6vHD3j.webp", "biography": "Benjamin works as a Senior Open Source Developer at Corelight where he spends most of his time maintaining and evolving Spicy and its integration into the Zeek ecosystem. He previously worked on containerization and workload orchestration with Apache Mesos, and distributed columnar data stores. 
He holds a PhD in Physics from Stony Brook University.", "public_name": "Benjamin Bannier", "guid": "60fb6e06-a8a2-5554-a643-61cbd6ff431a", "url": "https://pretalx.com/hack-lu-2024/speaker/CKWUZD/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/JU3CXK/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/JU3CXK/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2024/submissions/JU3CXK/resources/slides_VoIV0Vw.pdf", "type": "related"}]}, {"guid": "e3dcd424-2cf4-5de5-b9d8-20b5b24c0fef", "code": "NUZYZK", "id": 54387, "logo": null, "date": "2024-10-23T16:15:00+02:00", "start": "16:15", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-54387-securing-the-stars-comprehensive-analysis-of-modern-satellite-vulnerabilities-and-emerging-attack-surfaces", "url": "https://pretalx.com/hack-lu-2024/talk/NUZYZK/", "title": "Securing the Stars: Comprehensive Analysis of Modern Satellite Vulnerabilities and Emerging Attack Surfaces", "subtitle": "", "track": "topic: hack.lu", "type": "Talk", "language": "en", "abstract": "This talk provides an extensive overview of security challenges in satellite systems. It covers vulnerabilities across space, ground, link, and user segments, using real-world examples in the past security research and the Viasat incident. 
By analyzing various attack methods, from software vulnerabilities to radio frequency interference, this talk offers crucial insights for protecting current satellite infrastructures and anticipating future security challenges in the rapidly evolving field of satellite technology. In addition, open community cubesat projects are growing, and vulnerabilities in these projects could also become a new threat. This talk will include one case study with newly found vulnerabilities in an open project, as well as a special case study of a ground-station system.", "description": "In the past, due to the high costs of satellite manufacturing, design, and launch, as well as regulatory restrictions, satellite research and production were closely linked to government agencies, research institutions, and military defense. In recent years, with the small size and light weight of small satellites, the widespread use of commercial components, and the significant reduction in satellite launch costs, the development and extensive use of small satellites have emerged. As a result, there has been a substantial increase in projects involving self-developed open-source satellite protocols and DIY small satellites. This article will share classic vulnerabilities from past satellite-related attacks and discuss new security vulnerabilities in open-source satellite protocols.\r\nThe case studies include three vulnerabilities related to CAN bus transmission in the open-source library SPACECAN, which is used for internal satellite communication in the LibreCube project, an open-source satellite project. It also covers issues with libcsp, an open-source satellite communication protocol with a 10-year history that has been used by several satellites, including those of the European Space Agency (ESA). 
Additionally, the article includes a special case study of a ground station-like system, analyzing the process and implications of achieving remote code execution (RCE) and affecting satellites.", "recording_license": "", "do_not_record": false, "persons": [{"code": "HWKECN", "name": "Vic Huang", "avatar": null, "biography": "Vic Huang\r\nIndependent researcher / Security engineer\r\nMember @ UCCU Hacker \r\nWorking on Web/Mobile/ICS/Privacy domain\r\nHe shared his research on several cybersecurity conference such as HITB,CODE BLUE,Ekoparty,ROOTCON,REDxBLUE pill,HITCON, CYBERSEC,DEFCON.", "public_name": "Vic Huang", "guid": "a4d73132-737a-507c-b1f1-23993914417a", "url": "https://pretalx.com/hack-lu-2024/speaker/HWKECN/"}], "links": [{"title": "slides", "url": "https://drive.google.com/file/d/1uWFQn-Rrqmhly3O8pwAfE26z0xQOjYto/view?usp=sharing", "type": "related"}], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/NUZYZK/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/NUZYZK/", "attachments": []}, {"guid": "c80cecab-194f-51f0-b004-6573a292a20a", "code": "MLBVAR", "id": 54464, "logo": null, "date": "2024-10-23T16:45:00+02:00", "start": "16:45", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-54464-dfiq-codifying-digital-forensic-intelligence", "url": "https://pretalx.com/hack-lu-2024/talk/MLBVAR/", "title": "DFIQ - Codifying digital forensic intelligence", "subtitle": "", "track": "topic: CTI", "type": "Talk", "language": "en", "abstract": "CTI practitioners have threat intelligence databases; what about digital forensics practitioners? How can they organize knowledge and ensure that investigations are carried out in a repeatable manner? In the same way that threat intelligence describes attackers, capabilities, and infrastructure, Digital Forensics Intelligence describes the relationship between systems, questions, and investigation techniques. 
\r\n\r\nEnter DFIQ (Digital Forensics Investigative Questions; https://dfiq.org/): a framework used to model scenarios, questions and approaches in digital forensics investigations. This talk will take a deeper dive into the DFIQ model, and more importantly the different ways it is practically used to facilitate forensic investigators' day-to-day activities, ensure repeatable conclusions of investigations, and knowledge sharing among analysts. We'll discuss how DFIQ is stored in Yeti, used in Timesketch, and can be used to leverage end-to-end collection and analysis workflows to accelerate and structure investigations in large enterprise environments.", "description": "High level talk overview:\r\n\r\n* DFIQ - in theory\r\n  * DFIQ objects: Scenarios, Facets, Questions, and Approaches\r\n    * Codifying a common scenario with DFIQ objects\r\n\r\n* DFIQ - in practice\r\n  * open source challengesDFIQ Schema evolution, \r\n  * Implementation\r\n    * Storing, editing, building a DFIQ graph in Yeti\r\n    * Using DFIQ to structure an investigation in Timesketch\r\n    * Examples of full end-to-end evidence collection and analysis workflows with dfTimewolf, GRR / Velociraptor, Plaso, Timesketch", "recording_license": "", "do_not_record": false, "persons": [{"code": "MMJXP7", "name": "Thomas Chopitea", "avatar": "https://pretalx.com/media/avatars/MMJXP7_6atuyJn.webp", "biography": "Thomas has been a DFIR practitioner for 10+ years. He's currently a Security Engineer in the DFIR team at Google who loves running towards the proverbial cyber fires. 
He enjoys detective work and poking malware with a long stick, and has given talks about DFIR, malware analysis, and threat intelligence at many conferences throughout Europe and the US.", "public_name": "Thomas Chopitea", "guid": "3f23a2f2-6fd7-5a98-b7c5-fb0323b0b24d", "url": "https://pretalx.com/hack-lu-2024/speaker/MMJXP7/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/MLBVAR/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/MLBVAR/", "attachments": [{"title": "DFIQ - Codifying digital forensics intelligence", "url": "/media/hack-lu-2024/submissions/MLBVAR/resources/DFIQ_-_Codify_apAhdXb.pdf", "type": "related"}]}, {"guid": "6b8bce0d-b0b3-53da-944f-68cd53924d4f", "code": "FZ3WJ9", "id": 54237, "logo": null, "date": "2024-10-23T17:15:00+02:00", "start": "17:15", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-54237-cyber-threats-to-advanced-intelligent-connected-vehicle-systems", "url": "https://pretalx.com/hack-lu-2024/talk/FZ3WJ9/", "title": "Cyber Threats to Advanced Intelligent Connected Vehicle Systems", "subtitle": "", "track": "topic: hack.lu", "type": "Talk", "language": "en", "abstract": "This paper examines Intelligent Connected Vehicles (ICVs) by focusing on their architecture, capabilities, and security vulnerabilities.", "description": "To begin with, we analyze vehicle systems and assess hardware such as the T-Box and IVI for shell access. Furthermore, we detail methods for gaining elevated permissions within ICV systems, which include collecting network configurations and accessing critical components like the Driver Monitoring System (DMS) and Main Camera System (MCS). Our file analysis of nine ICV systems reveals significant information leaks, including certificates and private keys, while also identifying vulnerabilities in communication logic and memory management. 
Notably, key threats arise from remote operation risks via compromised T-Boxes and the potential exploitation of the Controller Area Network (CAN) interface, which could allow manipulation of vehicle control systems. Overall, this research underscores the urgent need for enhanced security measures in the design and implementation of ICVs.", "recording_license": "", "do_not_record": true, "persons": [{"code": "FQFKPL", "name": "Shihao Xue", "avatar": "https://pretalx.com/media/avatars/FQFKPL_1yGATA9.svg", "biography": "SHIHAO XUE is an Engineer of CATARC Automotive Data of China Co., Ltd. He mainly engages in research on communication protocols for automotive components, focusing on vehicle protocol technologies such as Ethernet and CAN networks.\r\nIn recent years, he has supported key industry enterprises in conducting research related to communication software testing.", "public_name": "Shihao Xue", "guid": "f728539d-9628-50f7-b64c-1e41522c1f49", "url": "https://pretalx.com/hack-lu-2024/speaker/FQFKPL/"}, {"code": "AGNV8T", "name": "Yuqiao Ning", "avatar": null, "biography": "YUQIAO NING is the Technical Director of CATARC Automotive Data of China Co., Ltd. He has extensive experience in computer systems and software security research. In his current role, he is primarily responsible for pioneering research in automotive penetration technology and the development of automated detection tools. His work focuses on analyzing security risks within automotive open-source software, with a particular emphasis on understanding the critical intersection of automotive security vulnerabilities and functional safety. 
He has played a pivotal role in organizing numerous automotive information security attack and defense challenges, contributing significantly to the advancement of safer and more secure automotive technologies. Furthermore, he has played an instrumental role in shaping national automotive information security standards, contributing to the drafting of several key national standards.", "public_name": "Yuqiao Ning", "guid": "492d4664-07d5-545f-ba74-79e1a487f079", "url": "https://pretalx.com/hack-lu-2024/speaker/AGNV8T/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/FZ3WJ9/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/FZ3WJ9/", "attachments": []}, {"guid": "91804a75-1a0c-5905-bf1d-8b286eb8368a", "code": "HFN9BP", "id": 52991, "logo": null, "date": "2024-10-23T17:45:00+02:00", "start": "17:45", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-52991-apt28-following-bear-tracks-back-to-the-cave", "url": "https://pretalx.com/hack-lu-2024/talk/HFN9BP/", "title": "APT28: Following bear tracks back to the cave", "subtitle": "", "track": "topic: CTI", "type": "Talk", "language": "en", "abstract": "In May 2024, NATO publicly condemned cyber espionage operations carried out by a Russian state-sponsored group against targets in Germany and Czechia. We track this group as ITG05, which shares overlaps with APT28, UAC-0028, Forest Blizzard and Fancy Bear. In addition to Germany and Czechia, a large number of NATO member states as well as Ukraine have been subject to long-term intelligence gathering missions executed by ITG05. ITG05 is also linked to the hack of the German Bundestag in 2015 as well as the attacks targeting the 2016 US presidential elections.", "description": "In this talk we will cover all aspects of ITG05's most recent campaigns, carefully following the timeline of evolving TTPs resulting from shifts in priorities and resources. 
The most recent lures are indicative of high-profile targets across the globe, and the continuous improvement of malware deployment and capabilities are evidence of the significant threat posed by ITG05. The audience will experience an in-depth analysis tracing malware such as Headlace, Masepie and Oceanmap back to its origins. Finally, we will take a quick peek into the crystal ball and discuss what the future might hold.", "recording_license": "", "do_not_record": true, "persons": [{"code": "CKCQP8", "name": "Golo M\u00fchr", "avatar": "https://pretalx.com/media/avatars/CKCQP8_HAA3yTG.webp", "biography": "Golo is a malware reverse engineer and threat researcher with IBM X-Force, where he spends his time digging into the dark arts of cybercrime. With a passion for tracking threats he's developed expertise in analyzing and reporting on a wide variety of maliciousness, ranging from banking trojans and botnets to high-profile ransomware and nation state actors. He is dedicated to sharing his research to help others stay ahead of emerging threats.", "public_name": "Golo M\u00fchr", "guid": "027f3b67-ff27-5ee6-be86-2fa70e5c03b2", "url": "https://pretalx.com/hack-lu-2024/speaker/CKCQP8/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/HFN9BP/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/HFN9BP/", "attachments": []}], "Schengen 1 & 2": [{"guid": "7c391f79-8f83-5451-b4d8-ea3d29e4f71f", "code": "L7UTNJ", "id": 50949, "logo": null, "date": "2024-10-23T14:00:00+02:00", "start": "14:00", "duration": "02:00", "room": "Schengen 1 & 2", "slug": "hack-lu-2024-50949-misp-kickstart", "url": "https://pretalx.com/hack-lu-2024/talk/L7UTNJ/", "title": "MISP Kickstart", "subtitle": "", "track": "topic: CTI", "type": "Training", "language": "en", "abstract": "MISP Kickstart provides a comprehensive introduction to the popular Open Source Threat Intelligence and Sharing Platform, \"MISP.\"\r\nThe course will establish a foundational understanding 
of the practical applications of MISP in cyber threat intelligence.\r\nThis course follows a real-world scenario where participants will set up a local MISP instance, configure an organisation and users, and create events and information based on the threat profile of an organisation and its industry vertical. Participants will develop an understanding of the common use cases for MISP, learn how to set up and manage sharing communities, select relevant threat feeds (and also what not to turn on) and see how MISP automation workflows can be utilised.", "description": "In this training session we'll cover setting up your own test or development instance of MISP, working through configuration, understanding the security and diagnostics. After that we'll cover everything you'll need to know about events, communities, and feeds. We'll also look at some practical use cases for MISP, whether you're a SOC analyst, intel analyst, or IR consultant.", "recording_license": "", "do_not_record": false, "persons": [{"code": "KV3XGK", "name": "Shanna Daly", "avatar": "https://pretalx.com/media/avatars/KV3XGK_cLDW7ae.webp", "biography": "Shanna Daly has over 20 years of experience across the information security industry. Shanna\u2019s expertise has been called upon during countless data breach investigations, giving her an in-depth understanding of the security implementations that work, and the ones that don\u2019t. 
Shanna continues to share her knowledge with the industry and has built and managed consulting teams of industry experts responding to all types of intrusions and breaches.", "public_name": "Shanna Daly", "guid": "5ef33888-ef52-5648-8d45-38139ba25129", "url": "https://pretalx.com/hack-lu-2024/speaker/KV3XGK/"}, {"code": "PYAEYN", "name": "James Garratt", "avatar": "https://pretalx.com/media/avatars/PYAEYN_g3GrRN5.webp", "biography": "James Garratt is a Senior Security Consultant at Cosive, with over 20 years of experience spanning IT operations, software engineering, and security. Based in Melbourne, Australia, he specializes in cloud engineering and security, providing expert consulting to enhance organizations' infrastructure. Prior to joining Cosive, James held technical leadership roles at Connexity, Inc. and Experian, where he led engineering teams in deploying scalable, cloud-native solutions. His broad expertise across IT operations, systems administration, software development, and security makes him a versatile professional in the evolving field of cybersecurity.", "public_name": "James Garratt", "guid": "72a45bb5-ef1b-5d20-959c-585d084c1740", "url": "https://pretalx.com/hack-lu-2024/speaker/PYAEYN/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/L7UTNJ/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/L7UTNJ/", "attachments": []}, {"guid": "de34fb6c-d7d9-5478-af5c-09e99e88ce0c", "code": "PTAEB8", "id": 53959, "logo": null, "date": "2024-10-23T16:15:00+02:00", "start": "16:15", "duration": "02:00", "room": "Schengen 1 & 2", "slug": "hack-lu-2024-53959-malware-development-and-persistence", "url": "https://pretalx.com/hack-lu-2024/talk/PTAEB8/", "title": "Malware Development and Persistence", "subtitle": "", "track": "topic: CTI", "type": "Training", "language": "en", "abstract": "Malware Development and Persistence Techniques.\r\nThe course will teach you how to develop malware, including classic tricks and tricks of 
modern ransomware found in the wild. Everything is supported by real examples.\r\nThe course is intended for Red Team specialists to learn in more detail the tricks of malware development (also persistence and AV bypass) and will also be useful to Blue Team specialists when conducting investigations and analyzing malware.\r\n\r\nThe course is divided into four logical sections:\r\n- Malware development tricks and techniques (classic injection tricks, DLL injection tricks, shellcode running)\r\n- AV evasion tricks (Anti-VM, Anti-Sandbox, Anti-disassembling)\r\n- Persistence techniques\r\n- Cryptographic functions in malware development (exclusive)", "description": "Whether you are a Red Team or Blue Team specialist, learning the techniques and tricks of malware development gives you the most complete picture of advanced attacks. Also, due to the fact that most (classic) malwares are written under Windows, as a rule, this gives you tangible knowledge of developing under Windows. \r\n\r\nThe course will teach you how to develop malware, including classic tricks and tricks of modern ransomware found in the wild. 
Everything is supported by real examples.\r\nThe course is intended for Red Team specialists to learn in more detail the tricks of malware development (also persistence and AV bypass) and will also be useful to Blue Team specialists when conducting investigations and analyzing malware.\r\n\r\nThe course is divided into four logical sections:\r\n- Malware development tricks and techniques (classic injection tricks, DLL injection tricks, shellcode running)\r\n- AV evasion tricks (Anti-VM, Anti-Sandbox, Anti-disassembling)\r\n- Persistence techniques\r\n- Cryptographic functions in malware development (exclusive)\r\n\r\nMost of the examples in this course require an entry-level understanding of the Python\r\nand C/C++ programming languages.\r\n\r\nKnowledge of assembly language basics is not required but will be an advantage.", "recording_license": "", "do_not_record": false, "persons": [{"code": "EFXL9W", "name": "cocomelonc", "avatar": "https://pretalx.com/media/avatars/EFXL9W_lXdpDO4.webp", "biography": "Cybersecurity enthusiast, author, speaker and mathematician. 
Author of popular books:\r\nMD MZ Malware Development book (2022)\r\nMALWILD: Malware in the Wild book (2023)\r\nAuthor and tech reviewer at Packt\r\nAuthor of Malware Development for Ethical Hackers book by Packt (2024)\r\nCo-founder of MSSP Research LAB, author of many cybersecurity blogs, HVCK magazine\r\nMalpedia contributor\r\nSpeaker at BlackHat, DEFCON, Security BSides, Arab Security Conference, Hack.lu, Standoff, and other conferences", "public_name": "cocomelonc", "guid": "f30e2acf-1aad-5428-b435-083886fb9b86", "url": "https://pretalx.com/hack-lu-2024/speaker/EFXL9W/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/PTAEB8/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/PTAEB8/", "attachments": []}, {"guid": "dbf71213-a96b-5f97-bb43-7f8b57e7c823", "code": "3X7WPD", "id": 57475, "logo": null, "date": "2024-10-23T19:00:00+02:00", "start": "19:00", "duration": "00:05", "room": "Schengen 1 & 2", "slug": "hack-lu-2024-57475-a-new-free-internet-listener-in-town", "url": "https://pretalx.com/hack-lu-2024/talk/3X7WPD/", "title": "A New (free) Internet Listener in Town", "subtitle": "", "track": "hack.lu lightning talk", "type": "Lightning talk", "language": "en", "abstract": "Seika.io is an Internet listener service which provides threat intelligence context. This 5-minute talk will briefly expose the use cases and the roadmap.\r\n\r\nDisclaimer: this presentation isn't powered by AI", "description": "The mission of Seika.io is to provide context for IP addresses we have observed in various contexts. In addition, we aim at detecting and tracking exploitation of the most well-known exposed devices. 
It can be useful combined with a SIEM or a case management (like DFIR IRIS) system for instance.", "recording_license": "", "do_not_record": true, "persons": [{"code": "HC8UYQ", "name": "Mathieu LE CLEACH", "avatar": "https://pretalx.com/media/avatars/HC8UYQ_05PGc6r.webp", "biography": "Mathieu is a member of CERT-EU's Digital Forensics and Incident Response team. He has two hats: respond to security incidents, including significant ones, and engineer CERT-EU's detection strategy. He was a speaker at the 36th Annual FIRST Conference.", "public_name": "Mathieu LE CLEACH", "guid": "468ba8fb-4a99-5970-be8d-e2bc1d6a3bab", "url": "https://pretalx.com/hack-lu-2024/speaker/HC8UYQ/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/3X7WPD/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/3X7WPD/", "attachments": []}, {"guid": "862eda16-ab1f-5b96-b9b1-05012bb9b565", "code": "JNVUN9", "id": 57461, "logo": null, "date": "2024-10-23T19:05:00+02:00", "start": "19:05", "duration": "00:05", "room": "Schengen 1 & 2", "slug": "hack-lu-2024-57461-unlocking-beam-s-pandora-s-box-security-pitfalls-in-distributed-erlang-and-elixir-systems", "url": "https://pretalx.com/hack-lu-2024/talk/JNVUN9/", "title": "Unlocking BEAM's Pandora's Box: Security Pitfalls in Distributed Erlang and Elixir Systems", "subtitle": "", "track": "hack.lu lightning talk", "type": "Lightning talk", "language": "en", "abstract": "In this lightning talk, we show inherent security risks of running BEAM virtual machines that power Erlang and Elixir applications. We'll demonstrate how easily nodes can be interconnected and exploited to execute arbitrary code, create reverse shells, and compromise entire clusters. Through live terminal sessions, attendees will witness how attackers can run code on host machines, replace running code, and even infect other nodes\u2014all leveraging BEAM's distributed capabilities. 
This talk aims to raise awareness about these critical security issues and provide insights on mitigating risks in production environments.", "description": "Key Demonstrations depending on time and preparation -_-:\r\n\r\n- Show how easily nodes can be connected, and how one can execute code on remote nodes (it's a feature, not a bug)\r\n- Show how to use :erlang.term_to_binary and Base.url_encode64 to serialize and transmit malicious functions.\r\n- Show basics Reverse Shells running on the BEAM\r\n- Show how one can replace Modules using Code.compile_string/1 and hot code swapping.\r\n- Show what the BEAM can do with SSH (an attacker can start an SSH server inside the BEAM VM, and also initiate SSH connections to further exploit remote systems.)\r\n- Illustrate how to spread malicious code to connected nodes using spawn and rpc:cast.\r\n- Discuss the risk of connecting to a unknown remote node", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/JNVUN9/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/JNVUN9/", "attachments": [{"title": "Slides for BEAM Virtual Machine shenanigans ligthning talk", "url": "/media/hack-lu-2024/submissions/JNVUN9/resources/BEAM_Virtual_Machine_shenanigans_fGLyq8l.pdf", "type": "related"}]}, {"guid": "adfb47ce-421b-5b90-a35c-f2dce880eea0", "code": "LYXZQN", "id": 57503, "logo": null, "date": "2024-10-23T19:10:00+02:00", "start": "19:10", "duration": "00:05", "room": "Schengen 1 & 2", "slug": "hack-lu-2024-57503-sharing-ioc-wrong-answers-only", "url": "https://pretalx.com/hack-lu-2024/talk/LYXZQN/", "title": "Sharing IoC - Wrong Answers Only", "subtitle": "", "track": "hack.lu lightning talk", "type": "Lightning talk", "language": "en", "abstract": "The best way to share IoC with people (Definitely not) - Based on true events", "description": "Quick presentation of the worst sharing methods I came across while looking at OSINT reports.", 
"recording_license": "", "do_not_record": false, "persons": [{"code": "87LHMZ", "name": "Deborah Servili", "avatar": null, "biography": "The female quota of the CIRCL team, and part-time Human IoC Parser", "public_name": "Deborah Servili", "guid": "783751c2-d4c2-56da-a31e-d0bafa927e55", "url": "https://pretalx.com/hack-lu-2024/speaker/87LHMZ/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/LYXZQN/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/LYXZQN/", "attachments": []}], "Echternach & Diekirch": [{"guid": "4dd73bbe-f9e1-5193-ad59-1abdfb6da3bc", "code": "ACPFRF", "id": 52793, "logo": null, "date": "2024-10-23T10:15:00+02:00", "start": "10:15", "duration": "01:30", "room": "Echternach & Diekirch", "slug": "hack-lu-2024-52793-0-the-heist-get-your-hands-on-the-goods", "url": "https://pretalx.com/hack-lu-2024/talk/ACPFRF/", "title": "The Heist: get your hands on the goods!", "subtitle": "", "track": "topic: hack.lu", "type": "Workshop", "language": "en", "abstract": "The Heist: get your hands on the goods!", "description": "In a 90 minute workshop a team of max. 5 persons can enter the room. During the first 15 minutes they will receive a briefing on the mission. The countdown timer starts the mission (60 minutes)\r\nGoal is to get your hands on the goods that are protected by an alarm system. 
Triggering the alarm makes the mission fail.", "recording_license": "", "do_not_record": false, "persons": [{"code": "ZTMXFW", "name": "Stijn Tomme", "avatar": "https://pretalx.com/media/avatars/ZTMXFW_uIVfOdZ.webp", "biography": "Trying to combine fun with some security related stuff", "public_name": "Stijn Tomme", "guid": "ead70de2-5a9e-5747-942b-781b37612c50", "url": "https://pretalx.com/hack-lu-2024/speaker/ZTMXFW/"}, {"code": "XSQKRS", "name": "Dominiek Madou", "avatar": null, "biography": null, "public_name": "Dominiek Madou", "guid": "de6560ce-2a70-5fdc-9b86-d17eb5d6e945", "url": "https://pretalx.com/hack-lu-2024/speaker/XSQKRS/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/ACPFRF/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/ACPFRF/", "attachments": []}, {"guid": "35037633-54c8-52f2-aecc-7ff65c3b4986", "code": "ACPFRF", "id": 52793, "logo": null, "date": "2024-10-23T14:00:00+02:00", "start": "14:00", "duration": "01:30", "room": "Echternach & Diekirch", "slug": "hack-lu-2024-52793-1-the-heist-get-your-hands-on-the-goods", "url": "https://pretalx.com/hack-lu-2024/talk/ACPFRF/", "title": "The Heist: get your hands on the goods!", "subtitle": "", "track": "topic: hack.lu", "type": "Workshop", "language": "en", "abstract": "The Heist: get your hands on the goods!", "description": "In a 90 minute workshop a team of max. 5 persons can enter the room. During the first 15 minutes they will receive a briefing on the mission. The countdown timer starts the mission (60 minutes)\r\nGoal is to get your hands on the goods that are protected by an alarm system. 
Triggering the alarm makes the mission fail.", "recording_license": "", "do_not_record": false, "persons": [{"code": "ZTMXFW", "name": "Stijn Tomme", "avatar": "https://pretalx.com/media/avatars/ZTMXFW_uIVfOdZ.webp", "biography": "Trying to combine fun with some security related stuff", "public_name": "Stijn Tomme", "guid": "ead70de2-5a9e-5747-942b-781b37612c50", "url": "https://pretalx.com/hack-lu-2024/speaker/ZTMXFW/"}, {"code": "XSQKRS", "name": "Dominiek Madou", "avatar": null, "biography": null, "public_name": "Dominiek Madou", "guid": "de6560ce-2a70-5fdc-9b86-d17eb5d6e945", "url": "https://pretalx.com/hack-lu-2024/speaker/XSQKRS/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/ACPFRF/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/ACPFRF/", "attachments": []}, {"guid": "b3493a56-6072-5a79-83e5-966e242375c8", "code": "ACPFRF", "id": 52793, "logo": null, "date": "2024-10-23T16:15:00+02:00", "start": "16:15", "duration": "01:30", "room": "Echternach & Diekirch", "slug": "hack-lu-2024-52793-2-the-heist-get-your-hands-on-the-goods", "url": "https://pretalx.com/hack-lu-2024/talk/ACPFRF/", "title": "The Heist: get your hands on the goods!", "subtitle": "", "track": "topic: hack.lu", "type": "Workshop", "language": "en", "abstract": "The Heist: get your hands on the goods!", "description": "In a 90 minute workshop a team of max. 5 persons can enter the room. During the first 15 minutes they will receive a briefing on the mission. The countdown timer starts the mission (60 minutes)\r\nGoal is to get your hands on the goods that are protected by an alarm system. 
Triggering the alarm makes the mission fail.", "recording_license": "", "do_not_record": false, "persons": [{"code": "ZTMXFW", "name": "Stijn Tomme", "avatar": "https://pretalx.com/media/avatars/ZTMXFW_uIVfOdZ.webp", "biography": "Trying to combine fun with some security related stuff", "public_name": "Stijn Tomme", "guid": "ead70de2-5a9e-5747-942b-781b37612c50", "url": "https://pretalx.com/hack-lu-2024/speaker/ZTMXFW/"}, {"code": "XSQKRS", "name": "Dominiek Madou", "avatar": null, "biography": null, "public_name": "Dominiek Madou", "guid": "de6560ce-2a70-5fdc-9b86-d17eb5d6e945", "url": "https://pretalx.com/hack-lu-2024/speaker/XSQKRS/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/ACPFRF/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/ACPFRF/", "attachments": []}], "Hollenfels": [{"guid": "f3995bdc-1433-5efa-9f4c-a48eb5963314", "code": "HXTFKM", "id": 52125, "logo": null, "date": "2024-10-23T14:00:00+02:00", "start": "14:00", "duration": "02:00", "room": "Hollenfels", "slug": "hack-lu-2024-52125-defeating-encryption-by-using-unicorn-engine", "url": "https://pretalx.com/hack-lu-2024/talk/HXTFKM/", "title": "Defeating Encryption By Using Unicorn Engine", "subtitle": "", "track": "topic: hack.lu", "type": "Training", "language": "en", "abstract": "Software Reverse-Engineering (SRE) is often considered black magic, but with the right tools and knowledge, its processes can be significantly accelerated. Unicorn Engine is a powerful framework that allows you to execute code platform-independently, which can greatly enhance your SRE skills. Why not learn it?", "description": "Applications, binaries, and frameworks often contain complex functionalities like encryption and decryption methods that are hidden from the user. Reverse-engineering these can be difficult and time-consuming, especially when they involve non-standard, proprietary or non-documented cryptographic functions. This is where Unicorn Engine comes in. 
It enables us to execute code dynamically without the need for the proper environment or hardware. By emulating the execution, we can analyse and understand the underlying operations, making the reverse-engineering process more effective.\r\n\r\nWith Unicorn Engine, you can dissect and manipulate code in a controlled environment. Whether you are dealing with malware analysis, software debugging, or vulnerability research, Unicorn Engine is an awesome tool in your reverse-engineering toolkit.\r\n\r\nThis training will focus on reverse-engineering one or more binaries with Ghidra. Participants will identify various encryption or obfuscation functions and write code for Unicorn Engine in Python to utilise these functions without ever executing the binary.\r\n\r\nNo special knowledge is required, but familiarity with Python, Ghidra, and assembly would be beneficial. The training will introduce Unicorn Engine to the audience and explain it in depth.", "recording_license": "", "do_not_record": false, "persons": [{"code": "FUY9TP", "name": "Balazs Bucsay", "avatar": "https://pretalx.com/media/avatars/FUY9TP_dujDP7Z.webp", "biography": "Balazs Bucsay is the founder & CEO of Mantra Information Security that offers a variety of consultancy services in the field of IT Security. With decades of offensive security experience, he is focusing his time mainly on research in various fields including red teaming, reverse engineering, embedded devices, firmware emulation and cloud. He gave multiple talks around the globe (Singapore, London, Melbourne, Honolulu) on different advanced topics and released several tools and papers about the latest techniques. He has multiple certifications (OSCE, OSCP, OSWP) related to penetration testing, exploit writing and other low-level topics and degrees in Mathematics and Computer Science. Balazs thinks that sharing knowledge is one of the most important things, so he always shares it with his peers. 
Because of his passion for technology, he starts the second shift right after work to do some research to find new vulnerabilities.", "public_name": "Balazs Bucsay", "guid": "331b660d-8799-5e9d-8155-543ebcf14ed5", "url": "https://pretalx.com/hack-lu-2024/speaker/FUY9TP/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/HXTFKM/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/HXTFKM/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2024/submissions/HXTFKM/resources/Mantra-Unicor_wpLPDc5.pdf", "type": "related"}]}, {"guid": "9fa21fa1-0f3c-593a-8020-849d4ea224ce", "code": "UXQXUT", "id": 53082, "logo": null, "date": "2024-10-23T16:15:00+02:00", "start": "16:15", "duration": "01:30", "room": "Hollenfels", "slug": "hack-lu-2024-53082-unleashing-the-power-of-purple-teaming-with-opentide", "url": "https://pretalx.com/hack-lu-2024/talk/UXQXUT/", "title": "Unleashing the power of purple teaming with OpenTIDE", "subtitle": "", "track": "topic: CTI", "type": "Workshop", "language": "en", "abstract": "With OpenTIDE the Threat-Informed Detection Engineering framework, Cyber Threat Intelligence and Detection Engineering teams can work together to model the threat vectors (aka attack scenarios) in a structured, actionable and automation-ready object which become at the centre of a knowledge graph. 
With that framework, Cyber Threat Intelligence teams can prioritise to expand the threat detection coverage while the Detection Engineering teams can measure and report on the current threat coverage", "description": "### Workshop objectives\r\n\r\nThis workshop will introduce the opensource Threat-Informed Detection Engineering framework [OpenTIDE](https://code.europa.eu/ec-digit-s2/opentide) and how it can support collaborative work between the Cyber Threat Intelligence and Detection Engineering teams.\r\nThe workshop will use a repository on gitlab.com and participants will have the opportunity to develop some models using Visual Studio code.\r\n\r\nFrom some examples of CTI reports and research, we will showcase how to develop the chained Threat Vector Models (TVMs) that capture the key points of the procedure followed by an attacker to conduct the attack with the granularity required below the kill chain stage and the ATTACK (sub-)techniques to steer the work of the Detection Engineering team in defining the detection objectives resulting from that knowledge gain on the attacker.\r\n\r\nThe workshop should allow participants to see in practice the benefit of having structured and machine-ready models to automatically build the knowledge graph to maintain over time the detection coverage (and also the threat coverage).\r\nIn particular, we will demonstrate how to deduplicate the information received from TI reports, often in PDF, or blog posts\r\n\r\n### Agenda\r\n- Introduction to DetectionOps with OpenTIDE with Q&A\r\n- Setup \u2013 see below\r\n- From Intelligence to OpenTIDE \u2013 Drafting & Reviewing Threat Vector Models\r\n- From TVMs to detection - Building and Deploying detections\r\n- Wrap-Up\r\n\r\n### Preparation if you plan to attend the workshop\r\nYou are more than welcome to join this workshop. 
For a good experience, please read below:\r\n\r\n* We provide a **private project** on Gitlab.com [Hack.lu OpenTIDE Workshop](https://gitlab.com/moloch_project/hack.lu-opentide-workshop)\r\n* Create/Prepare a free **account on [gitlab.com](https://gitlab.com/users/sign_up)** that we will add to the project. Please mention the handle on this [pad](https://hebdo.framapad.org/p/l0z8x0iwps-aaq8?lang=en) it is public.\r\n* [Visual Studio Code](https://code.visualstudio.com/) is the main editor we will refer to and use during the workshop; any other IDE you are familiar with should work provided you can easily git clone, commit and push to the gitlab project. \r\n\r\n* Interest in making CTI actionable / in Detection Engineering\r\n   - We will propose some CTI reports to turn into Threat Vector Models\r\n   - You are more than welcome to come with some reports you would like to integrate into OpenTIDE framework.\r\n\r\n### Resources\r\n* [Main OpenTIDE repository](https://code.europa.eu/ec-digit-s2/opentide) including presentations and other supporting documentation\r\n* [Github repository for active development on CoreTIDE](https://github.com/EC-DIGIT-CSIRC/CoreTIDE) including raising issues and proposing pull requests.", "recording_license": "", "do_not_record": false, "persons": [{"code": "KFACCC", "name": "Remi Seguy", "avatar": "https://pretalx.com/media/avatars/KFACCC_prpEQpg.webp", "biography": "I work in Cyber Security for 25 years . At the European Commission I lead the Threat Hunting and Detection Engineering team. Anytime I apply \"Sharing is caring\" principle and I support and participate to several open source projects. 
OpenTIDE is the framework developed by the team to support our work and has been opensourced in March 2024", "public_name": "Remi Seguy", "guid": "098a0446-dced-5c06-9883-253dfc1cbe3d", "url": "https://pretalx.com/hack-lu-2024/speaker/KFACCC/"}, {"code": "ZCCTKN", "name": "Amine Besson", "avatar": "https://pretalx.com/media/avatars/ZCCTKN_BD1WFWq.webp", "biography": "I am a contractor dedicated to developing advanced Detection and Response Systems, Detection Engineering, Threat Intelligence and Hunting, SIEM/SOAR/EDR/CDR/XDR Systems Engineering and generally everything SOC Automation related. Currently maintaining the OpenTIDE project which condenses years of lessons learned on the floor of SOCs (Internal and Managed) into a streamlined Detection Engineering ecosystem for technical teams. My latest interest lie in the junction between Detection and Response Engineering, especially developing large scale signal and entity aggregation systems.", "public_name": "Amine Besson", "guid": "3aedecec-01ab-54bc-8c21-0c635fbbae70", "url": "https://pretalx.com/hack-lu-2024/speaker/ZCCTKN/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/UXQXUT/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/UXQXUT/", "attachments": []}], "Vianden & Wiltz": [{"guid": "a3f36979-2804-55d3-882e-58b73af369d6", "code": "MGZEXX", "id": 54373, "logo": null, "date": "2024-10-23T14:00:00+02:00", "start": "14:00", "duration": "02:00", "room": "Vianden & Wiltz", "slug": "hack-lu-2024-54373-chrome-v8-exploitation-training-for-beginners", "url": "https://pretalx.com/hack-lu-2024/talk/MGZEXX/", "title": "Chrome V8 exploitation training for beginners", "subtitle": "", "track": "topic: hack.lu", "type": "Training", "language": "en", "abstract": "Many Chrome exploits can lead to execution of remote code and most of these exploits started out with a vulnerability in V8. So, many Experts dive into bug bounty to find potentially exploitable vulnerabilities. 
But, there is a significant lack of publicly available analysis guides for beginners to start, and it is challenging to analyze the technical meanings using only documents.\r\n\r\nWe will share the detailed steps needed for beginners who have yet to experience about V8 exploits. First, we describe the detailed structure (memory, object, etc.) and mechanism. Furthermore, we explore bugs via d8 debugger and explain step-by-step how to write exploit code.\r\n\r\nThe audience will have the opportunity to learn and experience V8 exploit techniques by not only studying the theory but also analyzing the V8 engine through hands-on training. The hands-on training will be conducted through our VDI environment, therefore the audience can access and enjoy it freely with their personal laptops without setting up a practice environment.\r\n\u203b The audience will be able to enjoy interesting and valuable training in a comfortable practice environment.\r\n\r\nWe hope that this workshop will encourage many beginners to dive into V8 vulnerability research.", "description": "<b>Section 1. About V8 Engine</b>\r\nThe first section focuses on the basic theories necessary to analyze vulnerabilities in V8 and perform exploits. V8 is one of the JavaScript engines and uses a JIT compiler. We talk about the JIT compiler and then explain the V8 compiler mechanism including the newest compiler, Maglev.\r\n\r\n<b>Section 2. Let\u2019s Debug</b>\r\nThe second section details how to debug V8 Engine using d8 in the provided VDI environment. We explain the memory structure of V8, the role and operation of the GC (Garbage Collection), and analyze V8 objects via d8. Through this section, the audience will be able to understand the object structure and learn basic V8 debugging techniques.\r\n\r\n<b>Section 3. Exploiting in V8</b>\r\nIn the third section, we exploit V8 after analyzing a bug that was found in V8. \r\n\r\nFirst, we analyze a bug that was found in V8 and perform PoC (Proof of Concept). 
Then we examine the optimization process via Turbolizer and analyze in detail the point where the bug occurs.\r\n\r\nWe provide a detailed step-by-step explanation of the exploitation process. Then we create an OOB array using a bug and bypass the V8 sandbox to read/write to arbitrary memory. \r\n\r\nEventually, this leads to modifying the RIP to jump to an arbitrary address and executing shellcode.\r\n\r\n<b>[Requirements]</b>\r\n- We provide virtual environments for practice (only need a personal laptop)\r\n- Experience using GDB for debugging\r\n- Basic JavaScript knowledge\r\n- Interest in Browser Exploits", "recording_license": "", "do_not_record": true, "persons": [{"code": "J39MTU", "name": "hoseok Lee", "avatar": "https://pretalx.com/media/avatars/J39MTU_z2P3cKp.webp", "biography": "The team leader of EQST Lab in SK Shieldus,\r\nExecutive Manager of the Ransomware Response Center (KARA-Korean Anti Ransomware Alliance)\r\n\r\n- Researching on new vulnerabilities and Identifying of Cybersecurity Trends\r\n- Managing Cybersecurity Consulting Projects\r\n- Delivered Various presentations on attack threats and ransomware trends\r\n- https://x.com/EQSTLab\r\n- https://www.skshieldus.com/eng/business/insight.do", "public_name": "hoseok Lee", "guid": "2bc46507-c9d1-5f90-8e80-97f5238f2d0d", "url": "https://pretalx.com/hack-lu-2024/speaker/J39MTU/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/MGZEXX/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/MGZEXX/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2024/submissions/MGZEXX/resources/Hack.lu_2024__bRuAasl.pdf", "type": "related"}]}, {"guid": "c090fa8e-e862-5348-a2b1-f3403a08d81d", "code": "JDM9V7", "id": 54476, "logo": null, "date": "2024-10-23T16:15:00+02:00", "start": "16:15", "duration": "02:00", "room": "Vianden & Wiltz", "slug": "hack-lu-2024-54476-1-hands-on-kubernetes-security-with-kubehound-purple-teaming", "url": 
"https://pretalx.com/hack-lu-2024/talk/JDM9V7/", "title": "Hands-on Kubernetes security with KubeHound (purple teaming)", "subtitle": "", "track": "topic: hack.lu", "type": "Training", "language": "en", "abstract": "Join us for an immersive hands-on workshop where we'll dive into KubeHound, a Tool for building Kubernetes attack paths. Participants will play the role of an attacker, but we think the best defense is a good offense. With concrete scenarios and a live environment,  attendees will learn to leverage KubHound to identify attack paths in Kubernetes clusters at scale with no hustle.", "description": "There\u2019s no two ways about it: Kubernetes is a confusing and complex collection of intertwined systems. Finding attack paths in Kubernetes by hand is a frustrating, slow, and tedious process. Defending Kubernetes against those same attack paths is almost impossible without any third party tooling.\r\n\r\nIn this workshop we will present KubeHound - an opinionated, scalable, offensive-minded Kubernetes attack graph tool used by security teams across Datadog. We will cover the custom KubeHound DSL to demonstrate its power to identify some of the most interesting and common attack primitives living in your Kubernetes cluster. If the DSL is not enough, we will cover the basics of Gremlin, the language used by our graph technology so you can find relevant attack paths that matter to you.\r\n\r\nAs attackers (or defenders), there's nothing better to understand an attack than to exploit it oneself. So in this workshop we will cover some of the usual attack paths and exploit them. 
This way you will see for yourself the difficulty (or not) of fully compromising a Kubernetes cluster (#DontDoThisAtHome).\r\n\r\nAt last, in this workshop we will also demonstrate two ways of using KubeHound:\r\n* As a standalone tool that can be run from a laptop\r\n* Or deployed as a service in your own Kubernetes clusters (KubeHound as a Service)\r\n\r\nThe main goal of this workshop is to show how defenders can find and eliminate the most dangerous attack paths and how attackers can have a treasure map to fully compromise a Kubernetes cluster by using the free and open source version of KubeHound.", "recording_license": "", "do_not_record": false, "persons": [{"code": "HEDAYL", "name": "Julien", "avatar": "https://pretalx.com/media/avatars/HEDAYL_hjx2x7z.webp", "biography": "Julien Terriac is a French senior security researcher with a strong background of pentesting with a special taste for Windows authentication, Active Directory inner workings and reverse engineering. He developed several offensive automation tools such as ProtonPack (custom mimikatz), Lycos (share hunter), ExploitPack (privilege escalation framework), IAMBuster (AD auditing framework).\r\n\r\nHe led the R&D department at XMCO for 5 years before joining Datadog as the Team Lead for Adversary Simulation Engineering (ASE) where his team aims at building offensive tools and frameworks that will automate the simulation of real life attacks against Datadog.", "public_name": "Julien", "guid": "2d574067-579d-5819-9e1e-738b8db3b1f8", "url": "https://pretalx.com/hack-lu-2024/speaker/HEDAYL/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/JDM9V7/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/JDM9V7/", "attachments": []}]}}, {"index": 3, "date": "2024-10-24", "day_start": "2024-10-24T04:00:00+02:00", "day_end": "2024-10-25T03:59:00+02:00", "rooms": {"Europe - Main Room": [{"guid": "0310a9b8-0ea9-5d6e-84d7-d7fcd2aab82f", "code": "SVGPXT", "id": 51818, "logo": null, 
"date": "2024-10-24T09:00:00+02:00", "start": "09:00", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-51818-back-to-the-failure-did-your-physical-security-really-evolve-in-the-last-40-years", "url": "https://pretalx.com/hack-lu-2024/talk/SVGPXT/", "title": "Back to the failure - Did your physical security really evolve in the last 40 years?", "subtitle": "", "track": "topic: hack.lu", "type": "Talk", "language": "en", "abstract": "There was time when computer security was not a thing. A time blessed by wannabe hackers when sensitive facilities were just wide open because, seriously, who would really attempt to hack into a research or a leading industry system ? This was a long time ago... or was it ? What if I tell you there is a whole branch of information security which still happily lives in this stone-age ?", "description": "In this presentation we will see how this mindset still survives nowadays in the physical security realm. We will see how the very same mindset leads to the very same errors, false beliefs, and often very expensive false sense of security. A realm which should be blessed by nowadays hackers as doing tourism in so-called \"highly secured\" data centers and industrial sites is just so fun, and a mindset which should be avoided by the responsible of such sites who actually care about their security.\r\n\r\nA part of our job is to do physical pentest assessments on those \u201csecure\u201d facilities which usually spend huge amounts of money in various security bell and whistles, from the concrete wall surrounded by shiny barb wire up to highly technological access control, intrusion or theft detection systems such as biometric sensors and some mantraps, all this surrounded by hundreds of surveillance cameras and 24/7 on-site security teams. 
Too often I encounter the same dated mindset, where all these features are actually thought by vendors to impress honest people (starting with the facility owners themselves) without effectively taking offensive mindset into account. The consequences are usually multiple, but usually end up as our teams getting uninvited free access to the targeted most critical area, with just $30 worth of tools, without feeling concerned by all this costly stuff and without being actually noticed by anyone.\r\n\r\nThe real issue here is not money, it is the mindset, the same security mindset that has been built during the last decades in the cyber world and is, more often than not, totally lacking in the physical realm. The goal of this presentation is therefore to raise awareness about this situation, and by comparing obsolete IT habits from the early 2000s with current physical security practices we will see which kind of vulnerabilities can often be encountered, how they could be exploited, and how they should be prevented.", "recording_license": "", "do_not_record": false, "persons": [{"code": "LUPHHA", "name": "Simon Geusebroek", "avatar": "https://pretalx.com/media/avatars/LUPHHA_k4T5HUu.webp", "biography": "Pentester @Synacktiv, I like as much trying to enter into your computers than into your facilities.\r\n\r\nI'm a physical intrusion specialist, and more specifically like the technical aspect of it, as opposed to the social engineering side which I use as a second resort. I'm particularly happy when I manage to demonstrate how the creative use of low cost items may allow to easily circumvent seemingly secure systems: this usually lead people to look at their locks differently, which I consider as one of the goals of my pentester job.\r\n\r\nWhile also doing physical intrusion into offices, industrial sites are often more challenging and have a neat \"urbex\" feeling where you never know what awaits you behind that closed door. 
A huge difference however is that this activity is not only legal, but also helps to improve the security ecosystem.", "public_name": "Simon Geusebroek", "guid": "17cad447-df7b-5e73-a599-4be710665472", "url": "https://pretalx.com/hack-lu-2024/speaker/LUPHHA/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/SVGPXT/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/SVGPXT/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2024/submissions/SVGPXT/resources/Back_to_the_f_o8DSRYs.pdf", "type": "related"}]}, {"guid": "4bd0a97e-7ab4-5955-ac2c-2d1cf05e9faf", "code": "V3JMCZ", "id": 55396, "logo": null, "date": "2024-10-24T09:30:00+02:00", "start": "09:30", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-55396-blowing-up-gas-stations-for-fun-and-profit", "url": "https://pretalx.com/hack-lu-2024/talk/V3JMCZ/", "title": "Blowing up Gas Stations for fun and profit", "subtitle": "", "track": "topic: hack.lu", "type": "Talk", "language": "en", "abstract": "Since the war(s) broke loose last years, a lot has been said about cyberwarfare, attacks on critical infrastructure, ICS/OT vulnerabilities, you name it. In this talk, we are going to talk about a specific set of ICS: Automated Tank Gauging (ATG) systems. These systems control the safe storage and management of fuel in critical infrastructures like gas stations, military bases, airports and hospitals. \r\nWe will discuss multiple (10) zero-day vulnerabilities that expose these systems to catastrophic risks, from environmental hazards to significant economic losses. Despite past warnings, thousands of ATG systems remain online, unprotected, and vulnerable to exploitation. \r\nThis track will talk about past ATG research, the new vulnerabilities found and their technical details, demonstrating how they can be exploited to gain unauthorized control over ATG systems. 
In the end, we will dive into our quest to cause physical damage remotely, in hopes of blowing up (our) gas station.", "description": "In the recent years, an increasing number of cyber attacks have been targeting critical infrastructure, especially since the war in Ukraine has started. Automated Tank Gauging (ATG) systems are critical components in the infrastructure of fuel storage and distribution across various sectors, including commercial gas stations, military facilities, and emergency services. These systems monitor fuel levels, detect leaks, and ensure regulatory compliance, but they also present an alarming attack surface when exposed to the Internet and, by their very nature, an interesting target for malicious actors.\r\nThis presentation will cover the findings of both past and recent investigations, which identified multiple critical vulnerabilities in ATG systems from various vendors, as well as our quest to physically damage such systems remotely.\r\nWe will explore how these vulnerabilities can be exploited to alter system behaviors, disrupt fuel supply chains, potentially cause significant physical and environmental damage, as well as other out of the box scenarios. \r\nWe will show global prevalence data from our latest scans, and talk about both our coordination with CISA in order to responsible disclose all these vulnerabilities and our efforts to try to mitigate these risks at a wider scale, in several fronts - one of which is raising awareness within the infosec community.\r\n\r\nThis session is for cybersecurity professionals, industrial system operators, and anyone interested in the security of critical infrastructure. 
Attendees will leave with a deeper understanding of the risks posed by ATG systems and how to secure them against potential attacks.", "recording_license": "", "do_not_record": false, "persons": [{"code": "LT7WAH", "name": "Pedro Umbelino", "avatar": "https://pretalx.com/media/avatars/LT7WAH_Ci5LCR4.webp", "biography": "Pedro Umbelino currently holds the position of Principal Research Scientist at Bitsight Technologies and brings over a decade of experience in dedicated security research.\r\n\u2064His eclectic curiosity has led to the uncovering of vulnerabilities spanning a gamut of technologies, highlighting critical issues in multiple devices and software, ranging from your everyday smartphone to household smart vacuums, from the intricacies of HTTP servers to the nuances of NFC radio frequencies, from vehicle GPS trackers to protocol-level denial of service attacks.\r\nPedro is committed to advancing cybersecurity knowledge and has shared his findings at prominent conferences, including Bsides Lisbon, DEF CON, Hack.lu and RSA.", "public_name": "Pedro Umbelino", "guid": "5dda896d-c69a-5167-98dd-2008fea1126c", "url": "https://pretalx.com/hack-lu-2024/speaker/LT7WAH/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/V3JMCZ/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/V3JMCZ/", "attachments": []}, {"guid": "f52070b1-165e-54f4-9bac-1d669828e81f", "code": "NNFQ3G", "id": 52886, "logo": null, "date": "2024-10-24T10:15:00+02:00", "start": "10:15", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-52886-the-good-the-bad-and-the-ugly-microsoft-copilot", "url": "https://pretalx.com/hack-lu-2024/talk/NNFQ3G/", "title": "The good, the bad, and the ugly: Microsoft Copilot", "subtitle": "", "track": "topic: hack.lu", "type": "Talk", "language": "en", "abstract": "The good: There's an insider working at your competition, helping you.\r\nThe bad: There's also an insider working at your business, helping the 
competition.\r\nThe ugly: It's Microsoft Copilot.\r\n\r\nThe race to capture the benefits of GenAI is already at full speed, and everybody is diving head-first into putting corporate data and operations in the hands of AI. The concept of a Copilot has emerged as a way to keep AI tamed and under control. However, while employees rarely cross the lines and become rogue, it turns out that Microsoft Copilot is rogue by design. \r\n\r\nIn this talk, we will show how your Copilot Studio bots can easily be used to exfiltrate sensitive enterprise data circumventing existing controls like DLP. We will show how a combination of insecure defaults, over permissive plugins and wishful design thinking makes data leakage probable, not just possible. We will analyze how Copilot Studio puts enterprise data and operations in the hands of GenAI, and expose how this exacerbates the prompt injection attack surface, leading to material impact on integrity and confidentiality.\r\n\r\nNext, we will drop CopilotHunter, a recon and exploitation tool that scans for publicly accessible Copilots and uses fuzzing and GenAI to abuse them to extract sensitive enterprise data. We will share our findings targeting thousands of accessible bots, revealing sensitive data and corporate credentials.\r\n\r\nFinally, we will offer a path forward by sharing concrete configurations and mistakes to avoid on Microsoft\u2019s platform, and generalized insights on how to build secure and reliable Copilots.", "description": "Outline:\r\n1. Where we are\r\n1.1. Everybody racing to build GenAI applications and not thinking about implications - Microsoft Copilots, Github Copilot, every major security vendor releasing a security Copilot\r\n1.2. Common concerns that are being ignored - prompt injection, circumventing data classification, inherent uncertainty of what applications will choose to do in production\r\n1.3. GenAI is a No Code movement - drag a few boxes and have your GenAI application ready to use\r\n1.4. 
Distinction between Copilots and Agents - how Copilots aim to address concerns by tying AI actions to user interaction and therefore intentions\r\n2. Intro to Microsoft Copilot Studio\r\n2.1. Explain focus on Microsoft - tied to OpenAI and already built into every enterprise and their enterprise data\r\n2.2. Brief intro to Copilot Studio - the platform that runs Microsoft Copilots and their extendability, and a platform to build your own Copilots on top of enterprise data\r\n2.3. Capabilities - how GenAI gets plugged into enterprise data, with over 1500 data connectors and user impersonation by design\r\n3. Breaking Copilots\r\n3.1. A methodological breakdown of how Copilot Studio works and a threat analysis for Copilots built with that technology\r\n3.2. User access to Copilot - showing how default configuration leads to publicly accessible bots and sharing with your entire organization. These defaults include: bot is Internet facing with no auth (yes, really), bot is shared with the entire organization (why not?), bot can require authentication but not enforce it (indeed), bot shares maker identity with bot users (identity is best when shared).\r\n3.3. Copilot access to data - Microsoft claims that Copilots are secure because they inherit user permissions and controls. In practice this means user impersonation by design, no way to distinguish between Copilot and user activity, and embedded credentials (including OAuth refresh tokens) leveraged implicitly without user knowledge\r\n3.4. User-isolation breakdown - how one user can get Copilot to act on behalf of another\r\n3.5. Data classification becomes obsolete - how Copilot can read a document classified sensitive and spew it out without the classification label. So long DLP and thanks for all the fish.\r\n4. Exploitation\r\n4.1. Copilot predictable misconfigurations lead to easy enumeration of publicly accessible copilots\r\n4.2. 
Once you identify a publicly accessible Copilot you need to extract data from it. Show how you can fight fire with fire, using GenAI to fuzz the Copilot into spewing sensitive enterprise data\r\n4.3. Dropping CopilotHunter, a red teaming tool that automates all of the above\r\n5. Where do we go now?\r\n5.1. Bad default configuration in Microsoft Copilot Studio and how to avoid it - clear actionable changes to do today\r\n5.2. Generalizing - how do we build secure and reliable Copilots? Separation of control plane and data plane, not putting too much power in the hands of AI, isolation of user-context", "recording_license": "", "do_not_record": false, "persons": [{"code": "MB3QFR", "name": "Inbar Raz", "avatar": "https://pretalx.com/media/avatars/MB3QFR_jHSNyOj.webp", "biography": "Inbar has been teaching and lecturing about Internet Security and Reverse Engineering for nearly as long as he has been doing that himself. He started programming at the age of 9 and Reverse Engineering at the age of 14. He spent most of his career in the Internet and Data Security field, and the only reason he's not in jail right now is because he chose the right side of the law at an early age.\r\n\r\nInbar specializes in an outside-the-box approach to analyzing security and finding vulnerabilities, using his extensive experience of close to 30 years. 
Nowadays, Inbar is the VP of Research at Zenity, the leading platform for securing and monitoring Low-Code/No-Code development.", "public_name": "Inbar Raz", "guid": "34d918c0-db91-5826-8f5f-49b915dbe68b", "url": "https://pretalx.com/hack-lu-2024/speaker/MB3QFR/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/NNFQ3G/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/NNFQ3G/", "attachments": []}, {"guid": "fd70e1a5-eeed-588b-b68d-d7b3d6f77659", "code": "PPTEWY", "id": 51946, "logo": null, "date": "2024-10-24T10:45:00+02:00", "start": "10:45", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-51946-scam-as-a-service-powered-by-telegram", "url": "https://pretalx.com/hack-lu-2024/talk/PPTEWY/", "title": "Scam as a Service powered by Telegram", "subtitle": "", "track": "topic: CTI", "type": "Talk", "language": "en", "abstract": "In 2022, an insider from one of the scammers' groups switched sides and shared details about the ongoing attacks. This kicked off a multi-year analysis of the underground economy that provides a range of illicit Telegram-based services to facilitate shady activities, offering everything from data breaches and identity theft to financial fraud. The talk will explore how fraudsters leverage platforms' features to launch \"Scam as a Service\" operations.", "description": "The case study explores real-world scenarios where groups of cybercriminals operate as service providers, offering fake invoices, financial fraud, crypto and NFT investment advisement, data breach, escort and blackmailing services. Furthermore, the study investigates the consequences of this \"Scam as a Service\" model on individuals, businesses, and society, emphasizing the financial losses, reputational damage, and regulatory challenges resulting from these activities.\r\n\r\nDuring the talk, I will cover:\r\n- Tactics, techniques and procedures the scammers utilize. 
Including the recruitment process, what types of services are available, and how the infrastructure is set up.\r\n- Insights backed by findings. I got operating manuals, tools and access to the infrastructure. \r\n- My experience from several years of analyzing these services and lessons learned.", "recording_license": "", "do_not_record": false, "persons": [{"code": "YVSSCG", "name": "Aurimas Rudinskis", "avatar": "https://pretalx.com/media/avatars/YVSSCG_hjzPwgH.webp", "biography": "Aurimas Rudinskis is an Engineering Manager who leads the Vinted Cyber Defence team. He focuses on Threat Intelligence, security operations, and detection engineering that can automate and scale detection capabilities. Aurimas specializes in advanced threat-hunting techniques and human-driven cyber operations.\r\n\r\nHe firmly believes that cyber security is a community, and we can only succeed by helping and learning from one another.", "public_name": "Aurimas Rudinskis", "guid": "36be4db3-2a0f-5c97-8a4e-c668075c3f48", "url": "https://pretalx.com/hack-lu-2024/speaker/YVSSCG/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/PPTEWY/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/PPTEWY/", "attachments": []}, {"guid": "d75cb77b-613c-53d1-b2de-73180661a39a", "code": "MAVVT3", "id": 54356, "logo": null, "date": "2024-10-24T11:15:00+02:00", "start": "11:15", "duration": "00:45", "room": "Europe - Main Room", "slug": "hack-lu-2024-54356-from-0-to-millions-protecting-against-aitm-phishing-at-scale", "url": "https://pretalx.com/hack-lu-2024/talk/MAVVT3/", "title": "From 0 to millions: Protecting against AitM phishing at scale", "subtitle": "", "track": "topic: CTI", "type": "Talk", "language": "en", "abstract": "Phishing has evolved both in the TTPs of attackers, and their targets. From simple clones of a website trying to get a username/password to reverse-proxying systems that steal sessions even with MFA, the target landscape has changed. 
Many of the defenses against phishing have started to show their age, between block-lists for domains that appear to be illegitimate, SMS/push MFA, and broken functionality cues that may alert someone to the site not being correct. Modern phishing tools, like EvilGinx, Modlishka, and more handle all of these by hiding the phishing content behind a unique \"lure\" to avoid domain blocking, supporting SMS/push MFA, and seamlessly allowing for login and hand-over once the session has been stolen.\r\n\r\nThis talk is focused on a Canarytoken type that lets you protect shared-responsibility platforms that are difficult to gain insight into. These include Azure Entra ID, LogTo, and custom sites. The Cloned Site Canarytoken lets you quickly get alerted if someone is mirroring or reverse-proxying a sensitive login page that has any of your users trying to login--you can get alerted about the phishing site's URL before the user has even entered their password!\r\n\r\nAfter a view of the landscape of modern phishing techniques and defenses, we'll dive into our novel defenses, and look at the data of token alerts from millions of logins every day to build a view of real-world phishing attacks and their TTPs. We'll finish off with how to respond to alerts, and some attacks against our Canarytoken. Finally we'll discuss our mental model for sharing this information via networks like MISP.", "description": "After a quick technical overview of the capability, and how it was designed to scale, we'll dive into the data from millions of weekly logins to sites across the web. 
The token has been deployed to some of the largest Azure tenants out there, large financial sites, and healthcare providers--we'll get to explore phishing data at scale.\r\n\r\nWe'll dive into:\r\n- The scale of AitM phishing\r\n- TTPs of AitM attackers:\r\n    - Time from infrastructure start-up to first alert\r\n    - Domain seasoning\r\n    - Cross-tenant drag-net attacks\r\n\r\nFinally, we'll talk about response to these types of alerts, what attackers can do to disrupt our alerts, and how we can flow some of this data into networks like MISP.", "recording_license": "", "do_not_record": false, "persons": [{"code": "U9778S", "name": "Jacob Torrey", "avatar": "https://pretalx.com/media/avatars/U9778S_JoCcEEQ.webp", "biography": "Jacob is the Head of Labs at Thinkst Applied Research. Prior to that he managed the HW/FW/VMM security team at AWS, and was a Program Manager at DARPA's Information Innovation Office (I2O). At DARPA he managed a cyber security R&D portfolio including the Configuration Security, Transparent Computing, and Cyber Fault-tolerant Attack Recovery programs. Starting his career at Assured Information Security, he led the Computer Architectures group performing bespoke research into low-level systems security and programming languages. 
Jacob has been a speaker and keynote at conferences around the world, from BlackHat USA, to SysCan, to TROOPERS and many more.", "public_name": "Jacob Torrey", "guid": "bd7c0709-4320-592b-acd7-62e83fb6de45", "url": "https://pretalx.com/hack-lu-2024/speaker/U9778S/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/MAVVT3/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/MAVVT3/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2024/submissions/MAVVT3/resources/HackLU_2024_Slides_ShAEOfh.pdf", "type": "related"}]}, {"guid": "2522ab85-7ab2-59c7-b2f3-c7f8d60e6d38", "code": "PVQXTF", "id": 57173, "logo": "https://pretalx.com/media/hack-lu-2024/submissions/PVQXTF/ta_tool_data_vis_xrcv68A.png", "date": "2024-10-24T13:30:00+02:00", "start": "13:30", "duration": "00:05", "room": "Europe - Main Room", "slug": "hack-lu-2024-57173-running-circles-around-threat-actor-tooling-using-javascript-data-visualisation", "url": "https://pretalx.com/hack-lu-2024/talk/PVQXTF/", "title": "Running circles around threat actor tooling using Javascript data visualisation", "subtitle": "", "track": "hack.lu lightning talk", "type": "Lightning talk", "language": "en", "abstract": "Let's talk about some design principles for CTI data visualisation around threat actor tooling.", "description": "There's a wealth of data visualisations that are easy to produce using generic frameworks, but often they're an answer in search of a question. In this session, I'll briefly talk about some questions I had around a dataset concerning tools used by Russian threat actors, the data visualisation principles used, how it was built, and the insights gained.", "recording_license": "", "do_not_record": false, "persons": [{"code": "CTZBDZ", "name": "Chris Horsley", "avatar": null, "biography": "Chris Horsley is the CTO and co-founder at Cosive, a consultancy specialising in cyber threat intelligence and security operations. 
At Cosive, Chris leads the company's threat intelligence sharing and MISP initiatives and is a frequent speaker and trainer at industry conferences and meetups on these topics. Prior to co-founding Cosive, Chris spent many years in the international CSIRT community including working as an incident responder for both AusCERT and JPCERT/CC, the Japanese national CSIRT.", "public_name": "Chris Horsley", "guid": "afbbf9dd-ec5d-5d42-880d-6218c75fe8fa", "url": "https://pretalx.com/hack-lu-2024/speaker/CTZBDZ/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/PVQXTF/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/PVQXTF/", "attachments": []}, {"guid": "234c621e-1a9a-53aa-bde7-406b215cad46", "code": "YVZXTW", "id": 57125, "logo": null, "date": "2024-10-24T13:35:00+02:00", "start": "13:35", "duration": "00:05", "room": "Europe - Main Room", "slug": "hack-lu-2024-57125-using-llm-locally", "url": "https://pretalx.com/hack-lu-2024/talk/YVZXTW/", "title": "Using LLM locally", "subtitle": "", "track": "hack.lu lightning talk", "type": "Lightning talk", "language": "en", "abstract": "Using LLM isn't limited only to online services (and often paid services); you can run LLM for free by utilizing open-source models and applications.", "description": "It has become easy and convenient to use LLM locally on your machine, even for a couple of gigabytes of RAM. Usage includes: text generation, summarization, question-answering, even local design RAGs. All this is available for free and open-source, with minimal setup.\r\n\r\nThis talk will show a quick demo of some tools and provide references to help you set up your own LLM app.", "recording_license": "", "do_not_record": false, "persons": [{"code": "3LW9XQ", "name": "Pauline Bourmeau (Cookie)", "avatar": "https://pretalx.com/media/avatars/3LW9XQ_fRZxzk4.webp", "biography": "Pauline's focus gravitates towards offensive cybersecurity, artificial intelligence, and programming culture. 
She has a background with experience in various fields including linguistics, criminology, cybersecurity, computer engineering, and education. By blending together approaches from humanities and deep technical insight, she provides a unique lens on cyber threats and their evolution. She provides these days AI developments and trainings, to make AI accessible to all. She is the founder of the Defcon group Paris and a French vice-champion para-climber.", "public_name": "Pauline Bourmeau (Cookie)", "guid": "c9728882-b3f8-50d5-b946-fb3cf82d1c4f", "url": "https://pretalx.com/hack-lu-2024/speaker/3LW9XQ/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/YVZXTW/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/YVZXTW/", "attachments": []}, {"guid": "25be0496-f5ee-51a8-acc6-22ec5b2ac876", "code": "ZFPPKY", "id": 57107, "logo": "https://pretalx.com/media/hack-lu-2024/submissions/ZFPPKY/WEDOS_Global_Protection_G3TDWbM.png", "date": "2024-10-24T13:40:00+02:00", "start": "13:40", "duration": "00:05", "room": "Europe - Main Room", "slug": "hack-lu-2024-57107-future-of-websites-without-ddos", "url": "https://pretalx.com/hack-lu-2024/talk/ZFPPKY/", "title": "Future of websites without DDoS", "subtitle": "", "track": "hack.lu lightning talk", "type": "Lightning talk", "language": "en", "abstract": "This presentation provides an overview of WEDOS Global, a decentralized network of servers, running AnyCast DNS, reverse proxy and CDN, with a focus on high-performance, security, and environmental sustainability. The presentation covers the company\u2019s cutting-edge infrastructure, including its geographically distributed data centers and advanced DDoS protection systems, which ensure the reliability and safety of its clients' online assets. 
Through real-world case studies, the presentation demonstrates how WEDOS Global helps businesses of all sizes optimize their digital presence with scalable, cost-effective solutions, reducing their carbon footprint.", "description": "The topic of website safety and ways to manage it on both personal and application levels. Basics about encryption, certificates, DNS, WAF and other various confusing abbreviations. We will be taking you on a trip through the most interesting technologies used nowadays to ensure a comfortable and safe experience browsing the internet.\r\n\r\nIn this presentation, we will delve into ways to safeguard websites from cyber threats. How to get multi-layered protection against DDoS attacks, ensuring your website remains accessible even during severe cyber onslaughts. By leveraging BGP Anycast technology and a reverse proxy to efficiently distribute and filter traffic, blocking malicious requests and allowing only legitimate users to access your site.\r\n\r\nWe will also explore the role of CDN caching in speeding up website content delivery across the globe. By caching data and connecting users to the nearest server, reducing response times, enhancing user experience and improving SEO. Additionally, the Web Application Firewall (WAF) provides robust security by monitoring and blocking suspicious activities.", "recording_license": "", "do_not_record": false, "persons": [{"code": "CTJQQP", "name": "Luk\u00e1\u0161 Kr\u0161ek", "avatar": "https://pretalx.com/media/avatars/CTJQQP_EbCktvv.webp", "biography": "Luk\u00e1\u0161 Kr\u0161ek is the country manager for the AMER region, focusing on business development and sales in that area. 
He uses both his economics background as well as love for travelling and studying cultures to seek and connect people around the world.", "public_name": "Luk\u00e1\u0161 Kr\u0161ek", "guid": "7ad527ee-4577-5586-b2b6-8b38849dd559", "url": "https://pretalx.com/hack-lu-2024/speaker/CTJQQP/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/ZFPPKY/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/ZFPPKY/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2024/submissions/ZFPPKY/resources/Future_of_int_CAhfBGW.pdf", "type": "related"}]}, {"guid": "91917399-2d6f-5a09-aa80-0f780c564601", "code": "7YHE8M", "id": 57127, "logo": "https://pretalx.com/media/hack-lu-2024/submissions/7YHE8M/hack.lu-rg_ymTbpbh.png", "date": "2024-10-24T13:45:00+02:00", "start": "13:45", "duration": "00:05", "room": "Europe - Main Room", "slug": "hack-lu-2024-57127-analysis-and-forecasting-of-exploits-with-ai", "url": "https://pretalx.com/hack-lu-2024/talk/7YHE8M/", "title": "Analysis and Forecasting of Exploits with AI", "subtitle": "", "track": "hack.lu lightning talk", "type": "Lightning talk", "language": "en", "abstract": "In this talk, we evaluate classical AI prediction and recommendation approaches as a system for threat modelling facilitation. 
This approach should reduce the number of manual research activities and increase organization\u2019s security.", "description": "We propose a simple, explainable, effective and fast threat analysis method, which is based on artificial intelligence and can support security experts in threat modelling, organization\u2019s protection strategy planning, and allow them to quickly adopt suitable protection measures for current and future periods.", "recording_license": "", "do_not_record": false, "persons": [{"code": "QNGCEP", "name": "Roman Graf", "avatar": "https://pretalx.com/media/avatars/QNGCEP_MDFegeC.webp", "biography": "Roman is a Manager in Deloitte\u2019s Consulting group in Austria and a Teamlead of the Pentesting- and Red-Teaming group. He joined Deloitte\u2019s Cyber service line in Vienna in 2021 with a focus on Cyber Security. He has more than 15 years of experience in the IT Security industry. Roman has a strong penetration testing and cyber security background and experience with artificial intelligence.\r\n\r\nFrom 2020 till 2021, prior to joining Deloitte, Roman worked as a consultant, pentester and DevSecOps engineer for a big consulting company. From 2009 till 2020 he was working as a pentester and researcher for one of the leading European Research Institutes, where he was responsible for penetration testing, threat modelling and AI application for security domain. 
He was also tasked with the planning, preparation and presentation of individual workshops for different target groups.", "public_name": "Roman Graf", "guid": "7de40c2a-8fa9-5edc-9ec0-e1190b4dff6e", "url": "https://pretalx.com/hack-lu-2024/speaker/QNGCEP/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/7YHE8M/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/7YHE8M/", "attachments": []}, {"guid": "08525a0e-ac0f-532e-8aea-38d8adb232a1", "code": "TGV7MK", "id": 57129, "logo": null, "date": "2024-10-24T13:50:00+02:00", "start": "13:50", "duration": "00:05", "room": "Europe - Main Room", "slug": "hack-lu-2024-57129-improving-the-cvd-process", "url": "https://pretalx.com/hack-lu-2024/talk/TGV7MK/", "title": "Improving the CVD Process", "subtitle": "", "track": "hack.lu lightning talk", "type": "Lightning talk", "language": "en", "abstract": "Vulnerability Lookup (https://github.com/vulnerability-lookup/vulnerability-lookup) facilitates quick correlation of vulnerabilities from various sources, independent of vulnerability IDs, and streamlines the management of Coordinated Vulnerability Disclosure (CVD).\r\n\r\nIt is a rewritten and enhanced version of cve-search, an open-source tool originally designed to maintain a local CVE database.", "description": "Vulnerability Lookup (https://github.com/vulnerability-lookup/vulnerability-lookup) facilitates quick correlation of vulnerabilities from various sources, independent of vulnerability IDs, and streamlines the management of Coordinated Vulnerability Disclosure (CVD).\r\n\r\nIt is a rewritten and enhanced version of cve-search, an open-source tool originally designed to maintain a local CVE database.", "recording_license": "", "do_not_record": false, "persons": [{"code": "XNLTSW", "name": "C\u00e9dric Bonhomme", "avatar": "https://pretalx.com/media/avatars/XNLTSW_Nt5qlHd.webp", "biography": "Computer security expert, pianist, runner, photographer, thinker, and intellectual 
(non-practicing).\r\nC\u00e9dric Bonhomme is a computer scientist, intensely interested in computer security and privacy.\r\nFrom 2010 to 2017, he served as an R&D Engineer at a public research center, focusing on Multi-Agent Systems and Cybersecurity.\r\nSince 2017, he has been part of CIRCL, where he contributes to CSIRT activities and open-source software projects.", "public_name": "C\u00e9dric Bonhomme", "guid": "98b341be-035d-5264-bfd0-a707241febc2", "url": "https://pretalx.com/hack-lu-2024/speaker/XNLTSW/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/TGV7MK/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/TGV7MK/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2024/submissions/TGV7MK/resources/Vulnerability-Lookup_Hacklu-2024_hhRh16w.pdf", "type": "related"}]}, {"guid": "0a00eed3-4ba2-507f-baa2-4e92b44487a4", "code": "VVF3AU", "id": 57184, "logo": "https://pretalx.com/media/hack-lu-2024/submissions/VVF3AU/manga_fwdLUS4.jpg", "date": "2024-10-24T13:55:00+02:00", "start": "13:55", "duration": "00:05", "room": "Europe - Main Room", "slug": "hack-lu-2024-57184-misp-playbooks-proving-the-value-of-cyber-threat-intelligence-and-ics-csirt-io", "url": "https://pretalx.com/hack-lu-2024/talk/VVF3AU/", "title": "MISP playbooks, Proving the Value of Cyber Threat Intelligence and ICS-CSIRT.io", "subtitle": "", "track": "hack.lu lightning talk", "type": "Lightning talk", "language": "en", "abstract": "Overview of the latest developments of the MISP playbooks. 
A sneak peek into a new project for \"Proving the Value of Cyber Threat Intelligence\" and a MISP community for the ICS world.", "description": "- https://github.com/misp/misp-playbooks\r\n- https://github.com/cudeso/proof-value-cti\r\n- https://www.ics-csirt.io/", "recording_license": "", "do_not_record": false, "persons": [{"code": "DPLK9P", "name": "Koen Van Impe", "avatar": "https://pretalx.com/media/avatars/DPLK9P_m2RnCn9.webp", "biography": "Threat intelligence. Incident response. Security operations.", "public_name": "Koen Van Impe", "guid": "5763bc45-7773-528c-87d2-4edfdcd30895", "url": "https://pretalx.com/hack-lu-2024/speaker/DPLK9P/"}], "links": [{"title": "Slides", "url": "https://github.com/cudeso/tools/blob/master/hacklu2024/hacklu2024-lightningtalk.pdf", "type": "related"}], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/VVF3AU/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/VVF3AU/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2024/submissions/VVF3AU/resources/hacklu2024-li_9uP8CF8.pdf", "type": "related"}]}, {"guid": "527b59e9-f109-5549-b25a-743123ff6a27", "code": "VQGFDL", "id": 54250, "logo": null, "date": "2024-10-24T14:00:00+02:00", "start": "14:00", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-54250-quantum-cybersecurity-pioneering-a-secure-future", "url": "https://pretalx.com/hack-lu-2024/talk/VQGFDL/", "title": "Quantum Cybersecurity - Pioneering a Secure Future", "subtitle": "", "track": "topic: hack.lu", "type": "Talk", "language": "en", "abstract": "As quantum computing advances, it presents unique cybersecurity challenges that existing digital security systems are inadequately equipped to handle. This talk explores the realm of quantum cybersecurity, focusing on quantum key distribution (QKD) and post-quantum cryptography (PQC) as essential tools to secure communications against the formidable computational power of quantum computers. 
We will explore the advantages of these technologies, their necessity in the modern cybersecurity landscape, current interoperability issues between different quantum cryptographic systems, and propose potential solutions to these challenges. The session aims to highlight the future directions of quantum cybersecurity and the ongoing efforts to standardise and enhance the security protocols to address these emerging threats effectively.", "description": "Introduction\r\nQuantum computing is set to revolutionize various industries like AI by providing powerful computational capabilities that far exceed those of classical computers. However, this technological leap also introduces significant security risks, particularly to existing cryptographic systems that protect the world's digital information. Quantum cybersecurity emerges as a crucial field, promising enhanced security mechanisms through QKD and PQC to withstand quantum computing threats.\r\n\r\nAdvantages of Quantum Cybersecurity\r\nQuantum cybersecurity technologies, such as QKD, offer the promise of unbreakable encryption by utilizing the principles of quantum mechanics. Unlike traditional methods, where security is based on the computational difficulty of certain mathematical problems, QKD uses the quantum properties of particles to ensure secure communication that can immediately detect any interception attempts. PQC provides algorithms that are resistant to quantum attacks, aiming to secure our digital infrastructure both now and in the future.\r\n\r\nNecessity for Quantum-Resistant Solutions\r\nThe development of quantum computers poses a significant threat to the cryptographic standards currently protecting global communications, financial transactions, and government data. 
Quantum-resistant cryptographic methods are essential to prevent the quantum threat and safeguard information integrity in the forthcoming quantum era.\r\n\r\nCurrent Problems and Future of Quantum Cybersecurity\r\nWhile quantum cryptography offers robust security, it currently faces significant challenges such as high costs, limited range of operation, and complex integration with existing technologies. The future of quantum cybersecurity lies in overcoming these barriers and facilitating widespread adoption. Innovations in satellite quantum communications and the development of quantum repeaters are among the advances that could extend the range and feasibility of QKD systems.\r\n\r\nInteroperability Challenges\r\nA significant obstacle in the deployment of quantum cryptographic solutions is the lack of interoperability between different systems, which often use incompatible protocols and technologies. This challenge hinders the creation of a unified quantum-safe network necessary for global security.\r\n\r\nSolutions and Challenges of Current Solutions\r\nAddressing interoperability involves developing universal standards and protocols that can seamlessly integrate various quantum and classical cryptographic systems. The solution proposed includes creating adaptable interfaces and middleware capable of translating between different quantum cryptographic protocols. However, these solutions must navigate the sophisticated balance between maintaining high security and offering the flexibility to support a diverse ecosystem of technologies.\r\n\r\nConclusion\r\nQuantum cybersecurity stands at the forefront of the next revolution in digital security. By addressing the challenges of interoperability and advancing the development of user-friendly, cost-effective quantum cryptographic systems, we can pave the way for a secure transition into the quantum computing age. 
This talk will explore these aspects, offering insights into both the current landscape and the future directions of quantum cybersecurity.", "recording_license": "", "do_not_record": true, "persons": [{"code": "G7TRJW", "name": "Samira Chaychi", "avatar": "https://pretalx.com/media/avatars/G7TRJW_U18nlGn.webp", "biography": "Samira CHAYCHI holds a PhD from the University of Luxembourg, specializing in computer science. Additionally, she possesses a master's degree in Information and Computer Science, specializing in Reliable Software & Intelligent Systems, with expertise in RDF streaming data processing using asynchronous iterative routing frameworks. Furthermore, she pursued studies in Computer Simulation in Science, specializing in Financial Mathematics. She is also the co-founder of LuxQuantum, contributing her expertise to the advancement of quantum technologies.", "public_name": "Samira Chaychi", "guid": "c1a04780-aae7-5add-8af8-b8fa19c744b3", "url": "https://pretalx.com/hack-lu-2024/speaker/G7TRJW/"}, {"code": "KETXE3", "name": "Sharif Shahini", "avatar": null, "biography": "Sharif Shahani is a physicist and materials scientist with a robust foundation in academic research and entrepreneurial ventures. Holding a PhD in Physics from the University of Luxembourg and two MSc degrees in Physics and Materials Science & Engineering from Sorbonne University and Sharif University of Technology, Sharif has a diverse and rich educational background. His extensive academic journey has equipped him with expertise in graphene-based 2D materials, optics, quantum materials, and nanotechnology. As the co-founder of LuxQuantum, Sharif leads efforts to advance quantum cryptography technologies. 
His work focuses on bridging the gap in quantum technologies, aiming to enhance their interoperability.", "public_name": "Sharif Shahini", "guid": "00be49d9-ea58-5f2b-ab09-f6d0a37f1d41", "url": "https://pretalx.com/hack-lu-2024/speaker/KETXE3/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/VQGFDL/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/VQGFDL/", "attachments": []}, {"guid": "649c708a-cec8-5087-9e90-17d1d758e5a6", "code": "TFYNSZ", "id": 53329, "logo": null, "date": "2024-10-24T14:30:00+02:00", "start": "14:30", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-53329-making-iot-great-again", "url": "https://pretalx.com/hack-lu-2024/talk/TFYNSZ/", "title": "Making IOT great again", "subtitle": "", "track": "topic: hack.lu", "type": "Talk", "language": "en", "abstract": "We are surrounded, in our daily life, with devices that have a strong link with cloud infrastructure.  Those devices, while still completely operational, can become a useless piece of hardware if the vendor stops the infrastructure for any reason.\r\n\r\nThis aims at discussing how to give a second life to such devices using the practical use case of the EV chargers of the Belgian company PowerDale which went bankrupt in July 2023.\r\n\r\nWe will discuss the successes and failures of our journey, how a community of enthusiasts manages to build workarounds and what could be our community contribution.", "description": "## Agenda\r\n\r\n1. The story of Powerdale EV charger from success to bankruptcy\r\n2. How to regain control over the devices: success and failures\r\n3. What all this says to IOT and their (software) lifetime?\r\n4. 
Thoughts and conclusions\r\n\r\n\r\n## Powerdale EV charger from success to bankrupt\r\n\r\n- Relatively popular brand of EV chargers in Belgium\r\n- About 50 000 devices installed in the Belgium\r\n- Went out of business in July 2023\r\n- Cloud platform taken over by MyDiego\r\n    - private customers abandoned with no access to their EV charger\r\n    - WIFI connected appliances configuration change to slowest charge speed\r\n    - some installers under heavy pressure to fix unsupported devices\r\n    - ...\r\n\r\n\r\n## Gaining access to device\r\n\r\n- The naive approach (and the failures)\r\n    - open the box search for available ports\r\n    - try to reverse the protocol without a functioning app ;)\r\n    - BLE implementation on PicoW not so easy...\r\n    - ...\r\n- The success: Google\r\n    - an open-source based on ESPHome was launched by Geert Meersman\r\n    - extend the solution to address needs on a standalone solution\r\n    - build scripts to deploy at scale\r\n\r\n\r\n## What all of this says to IOT?\r\n\r\n- Why the bankrupt was an issue?\r\n    - Authentification on cloud (no cloud, no app, no configuration)\r\n    - No way to configure appliances without mobile application\r\n    - WIFI connected devices could be reconfigured without user consent\r\n\r\n- Is this unique?\r\n    - No... 
Siemens abandoned its IOT line without notice.\r\n    - Issues with bike in the Netherlands\r\n\r\n- Could we act?\r\n    - Partially...\r\n    - But this shows that a community can bring back to life our devices\r\n\r\n\r\n## Thoughts and conclusions\r\n\r\n- Some ideas to avoid such issues\r\n    - Making code to be stored in source code escrow a legal obligation?\r\n    - Forcing vendor to allow local configuration of devices (without cloud authentication)\r\n    - Open APIs\r\n    - ...", "recording_license": "", "do_not_record": false, "persons": [{"code": "PKXHJG", "name": "David Durvaux", "avatar": "https://pretalx.com/media/avatars/PKXHJG_cbtcfW2.webp", "biography": "David Durvaux has been active in the incident response field for more than a decade. He has worked on many IT security incidents and especially on computer forensics aspects. Since 2015 he is actively preparing the FIRST CTF. David presented in numerous conferences including hack.lu.", "public_name": "David Durvaux", "guid": "989e5a58-e832-5827-b7f5-5b12aafe19d7", "url": "https://pretalx.com/hack-lu-2024/speaker/PKXHJG/"}, {"code": "GJLKDL", "name": "Marc Durvaux", "avatar": null, "biography": "Marc spent his career in the R&D for telecommunication and space systems (mobile networks, optical communications, xDSL...) while working for major companies such as Alcatel and Philips. He held different R&D management positions and retired as CTO of Thales-Alenia Space Belgium.  Since then, he is very busy as a volunteer but keeps some free time to tinker with sensors, signal processing and IoT. He is also an expert for EU's European Innovation Council. Marc graduated in physics from UCLouvain and holds a PhD in electronics and telecommunication from INP Grenoble. 
He is author or co-author of several patents.", "public_name": "Marc Durvaux", "guid": "de08f4d5-ad76-5500-a88e-2fe21a849faf", "url": "https://pretalx.com/hack-lu-2024/speaker/GJLKDL/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/TFYNSZ/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/TFYNSZ/", "attachments": [{"title": "Talk slides", "url": "/media/hack-lu-2024/submissions/TFYNSZ/resources/nexxtlook_Seoux45.pdf", "type": "related"}]}, {"guid": "fe11e04d-34a6-53f3-a1ed-3946a654b7fa", "code": "D7FGK9", "id": 54386, "logo": null, "date": "2024-10-24T15:00:00+02:00", "start": "15:00", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-54386-ghosts-n-gadgets-common-buffer-overflows-that-still-haunt-our-networks", "url": "https://pretalx.com/hack-lu-2024/talk/D7FGK9/", "title": "Ghosts'n'gadgets: common buffer overflows that still haunt our networks", "subtitle": "", "track": "topic: hack.lu", "type": "Talk", "language": "en", "abstract": "Stack smashing has become very different in the 21st century. Binary hardening\r\nmechanisms used by default by all modern OSes make it nearly impossible to\r\nexploit trivial buffer overflows. Since 1996, machines have evolved\r\nsignificantly and you cannot even follow the original \"Smashing the stack\r\n[...]\" tutorial by Aleph One on a modern computer.\r\n\r\nYet, there are other kinds of machines that are lacking all the binary\r\nhardening we now take for granted. Because of that, they are ideal \"target\r\npractice\" material for those who wish to learn about exploiting stack-based\r\nbuffer overflows or use them for causing real damage. 
Too bad these\r\nmachines \"sit\" on the edge of home and enterprise networks, often being the\r\nonly barrier that the attackers need to overcome for a complete PWN.\r\n\r\nIn this talk I will demonstrate how we could smash the stack of two networking\r\ndevices from two different vendors (a wireless gateway, and a high-throughput\r\nVPN concentrator), allowing for unauthenticated root access. I will also\r\npresent the vulnerability root-cause analysis and offer insights on why such\r\nattacks are still viable in 2024.", "description": "I will start the talk with an introduction of the two vulnerable devices,\r\nfollowed by a quick overview of the vulnerability research activities we have\r\nperformed against them. \r\n\r\nNext, we will go over the root-cause analysis of these vulnerabilities,\r\nfocusing on two stack buffer overflow vulnerabilities that allow for Remote\r\nCode Execution.\r\n\r\nI will then demonstrate how we used these vulnerabilities to pop a root shell\r\non both devices (interestingly, they are designed not to allow any kind of\r\nroot access to the users). I will discuss the binary hardening mechanisms we\r\nhad to bypass (or lack thereof), and demonstrate the exploits in action.", "recording_license": "", "do_not_record": false, "persons": [{"code": "NL397J", "name": "Stanislav Dashevskyi", "avatar": "https://pretalx.com/media/avatars/NL397J_sPS98yQ.webp", "biography": "Stanislav Dashevskyi is a Security Researcher at Forescout. He received his PhD from the International Doctorate School in Information and Communication Technologies (ICT) at the University of Trento (Italy) in 2017. 
His main research interests are open source software, software security, and vulnerability analysis.", "public_name": "Stanislav Dashevskyi", "guid": "5479ca70-3046-5c19-93f0-21d20b952f4b", "url": "https://pretalx.com/hack-lu-2024/speaker/NL397J/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/D7FGK9/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/D7FGK9/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2024/submissions/D7FGK9/resources/dashevskyi_ha_uuBzYDN.pdf", "type": "related"}]}, {"guid": "dc9ffbf1-63f0-5ac3-9358-5ea478957b01", "code": "GFM8HN", "id": 54431, "logo": null, "date": "2024-10-24T15:30:00+02:00", "start": "15:30", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-54431-sql-injection-isn-t-dead-smuggling-queries-at-the-protocol-level", "url": "https://pretalx.com/hack-lu-2024/talk/GFM8HN/", "title": "SQL Injection Isn't Dead: Smuggling Queries at the Protocol Level", "subtitle": "", "track": "topic: hack.lu", "type": "Talk", "language": "en", "abstract": "SQL injections seem to be a solved problem; databases have built-in support for prepared statements, leaving no room for injections. In this session, we will go a level deeper: instead of attacking the query syntax, we will explore smuggling attacks against database wire protocols, through which remote, unauthenticated attackers can inject entire (No)SQL statements into an application's database connection.", "description": "Using vulnerable database driver libraries as case studies, we will bring the concept of HTTP request smuggling to binary protocols. 
By corrupting the boundaries between protocol messages, we desynchronize an application and its database, allowing the insertion of malicious messages that lead to authentication bypasses, data leakage, and remote code execution.\r\n\r\nTo put our findings into context, we will explore the real-world applicability of this new concept by comparing how robust various languages and frameworks are against these attacks. We will also discuss how smuggling attacks are not specific to database wire protocols but affect all kinds of binary protocols, from databases over message queues to caching. We will end the session with inspirations for future research to explore the topic further.", "recording_license": "", "do_not_record": false, "persons": [{"code": "BSQMXA", "name": "Paul Gerste", "avatar": "https://pretalx.com/media/avatars/BSQMXA_DMpmPBB.webp", "biography": "Paul Gerste ([@pspaul95](https://x.com/pspaul95), [@pspaul@infosec.exchange](https://infosec.exchange/@pspaul)) is a vulnerability researcher on Sonar's R&D team. He has a proven talent for finding security issues, demonstrated by his two successful Pwn2Own participations and discoveries in popular applications like Proton Mail, Visual Studio Code, and Rocket.Chat. 
When Paul is not at work, he enjoys playing CTFs with team FluxFingers and organizing Hack.lu CTF.", "public_name": "Paul Gerste", "guid": "70e1af11-dcfa-50e6-be72-433b7125d179", "url": "https://pretalx.com/hack-lu-2024/speaker/BSQMXA/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/GFM8HN/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/GFM8HN/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2024/submissions/GFM8HN/resources/Slides_4ppDlEq.pdf", "type": "related"}]}, {"guid": "cbc42662-043a-5725-8f47-68bdf3b05e74", "code": "XDFR83", "id": 51230, "logo": null, "date": "2024-10-24T16:15:00+02:00", "start": "16:15", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-51230-keys-to-the-city-the-dark-trade-off-between-revenue-and-privacy-in-monetizing-sdks", "url": "https://pretalx.com/hack-lu-2024/talk/XDFR83/", "title": "Keys to the City: The Dark Trade-Off Between Revenue and Privacy in Monetizing SDKs", "subtitle": "", "track": "topic: hack.lu", "type": "Talk", "language": "en", "abstract": "Software Development Kits (SDKs) allow developers to significantly enhance the functionality and performance of their apps, among other benefits, without writing complex code. By importing SDKs, developers can save time and money, access various services and APIs, and achieve compatibility and integration across different platforms, devices and operating systems. When it comes to app monetization, advertisement SDKs are a common way of generating revenue from apps, especially freeware that rely on in-app purchase or subscription.\r\n\r\nHowever, there are also downsides associated with using code from external sources, such as security breaches, data leaks, or malicious attacks and perhaps one of the most effective ways to safeguard an app from such a threat is to perform some type of security audit. 
Mobile apps though pose a challenge for code review, as they can use webviews to dynamically change their behavior and execute arbitrary code from remote sources, bypassing the security audit of the app.", "description": "This presentation provides an in-depth examination of Advertisement SDKs, particularly focusing on their widespread use of webviews and the potential security risks these may introduce for end users. It explores how these SDKs integrate webviews into their functionality and offers technical insights into the mechanisms behind their implementation. Additionally, the presentation considers the broader security implications that may arise from this usage, aiming to raise awareness about potential areas of concern for developers and users alike.", "recording_license": "", "do_not_record": false, "persons": [{"code": "C3TJEK", "name": "Dimitrios Valsamaras", "avatar": "https://pretalx.com/media/avatars/C3TJEK_miSqX9P.webp", "biography": "Dimitrios is a cybersecurity professional specializing in mobile, web, and network penetration testing. He holds a degree in Computer Science with a focus on Cryptography and Security and has collaborated with top companies such as Microsoft and Google. 
A frequent speaker at prominent security conferences, he is passionate about reverse engineering and was a member of one of Greece's pioneering reverse engineering research groups.", "public_name": "Dimitrios Valsamaras", "guid": "52b29aab-9373-52ea-9bfc-8cbeb2463c42", "url": "https://pretalx.com/hack-lu-2024/speaker/C3TJEK/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/XDFR83/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/XDFR83/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2024/submissions/XDFR83/resources/monetizing_sd_2228pT9.pdf", "type": "related"}]}, {"guid": "22dbf153-f0e6-5a66-9826-4bc3dbe11979", "code": "EZ7Z7M", "id": 54289, "logo": null, "date": "2024-10-24T16:45:00+02:00", "start": "16:45", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-54289-understanding-file-type-identifiers", "url": "https://pretalx.com/hack-lu-2024/talk/EZ7Z7M/", "title": "Understanding file type identifiers", "subtitle": "", "track": "topic: hack.lu", "type": "Talk", "language": "en", "abstract": "Yara, LibMagic (file, binwalk, polyfile), TrID, Yara, Magika, PeID, Pronom, FDD, ShareMime, DiE...\r\nHow do they work? 
What are their pros and cons, their limitations, their risks?", "description": "There's a lot of misconception around file type identifications and scanning:\r\nthe existing tools have different needs and use cases, requirements and limitations (that could be abused).\r\n\r\nWarning: contains raw bytes.", "recording_license": "", "do_not_record": false, "persons": [{"code": "QAMB7A", "name": "Ange Albertini", "avatar": "https://pretalx.com/media/avatars/QAMB7A_jxJSOM4.webp", "biography": "A reverse engineer since the 80s who started his Infosec career as a malware analyst decades ago.\r\n\r\nHis wide knowledge of file formats is available in his hundreds of Corkami posters and visualisations, and is essential for projects like Magika, the AI-powered file type detection at Google.\r\nHis passion for retrocomputing and funky files makes him explore the darkest corners of the files' landscape:\r\nbypassing security with ancient techniques, analyzing parsers and breaking them with extreme files, writing tools to evade detections via mock files or polyglots such as PoC||GTFO, exploiting AES-GCM via crypto-polyglots or colliding SHA1 via Shattered.", "public_name": "Ange Albertini", "guid": "819d6c8e-5ad8-55f1-ab9a-b16e7ba3ec4e", "url": "https://pretalx.com/hack-lu-2024/speaker/QAMB7A/"}], "links": [{"title": "Recording", "url": "https://www.youtube.com/watch?v=PBbld8xB2Bo", "type": "related"}], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/EZ7Z7M/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/EZ7Z7M/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2024/submissions/EZ7Z7M/resources/Overview_of_f_yMGlT2P.pdf", "type": "related"}]}], "Schengen 1 & 2": [{"guid": "47bfb3f0-1352-54e9-bb1d-d42224bcb153", "code": "DFES8D", "id": 53701, "logo": null, "date": "2024-10-24T10:15:00+02:00", "start": "10:15", "duration": "01:30", "room": "Schengen 1 & 2", "slug": "hack-lu-2024-53701-reversing-flutter-with-blutter-and-radare2", "url": 
"https://pretalx.com/hack-lu-2024/talk/DFES8D/", "title": "Reversing Flutter with Blutter and Radare2", "subtitle": "", "track": "topic: hack.lu", "type": "Workshop", "language": "en", "abstract": "Flutter is an open-source UI software development kit with the ability to create applications for Android, iOS, and non-mobile platforms using a single codebase. The performance aspect is handled by using ahead-of-time (AOT) native compilation in release builds.\r\n\r\nIn terms of reverse engineering, Flutter is particularly difficult to tackle because disassemblers do not support its custom binary format, registers and representation of integers.\r\n\r\nIn this workshop, we will:\r\n\r\n- Learn how to reverse Flutter applications\r\n- Learn how to use Blutter and understand its output\r\n- Load symbols in Radare2 to parse the binary more easily\r\n- Patch a game with a native Frida hook to reveal an Easter Egg", "description": "Pre-requisites: \r\n\r\n- It is preferable to have basic experience in reading Assembly (but it is not necessary to be fluent).\r\n- Pre-Install Radare2 (https://rada.re/n/radare2.html) and Docker (https://docs.docker.com/engine/install/) on your laptop, before the workshop.\r\n- If possible, come with an ARM64 Android smartphone. If not, I'll lend one (we only need it shortly). On ARM-based MacOS, instead, you can use an ARM64 Android emulator from Android Studio: download and install Android 14, Google APIs (but not Google Play), ARM64.\r\n- Access to Internet.\r\n\r\nNot necessary:\r\n\r\n- You do *not* need to install Blutter: we'll learn how to install and use a patched version during the workshop. 
That patched version runs in a Docker container.\r\n- You do *not* need to know how to use Radare2: we'll cover all basic commands you need to use during the workshop.", "recording_license": "", "do_not_record": false, "persons": [{"code": "ACG8SL", "name": "Axelle Apvrille", "avatar": "https://pretalx.com/media/avatars/ACG8SL_VghJUBV.webp", "biography": null, "public_name": "Axelle Apvrille", "guid": "65c000b2-29bd-599c-b9f3-f58de246c14b", "url": "https://pretalx.com/hack-lu-2024/speaker/ACG8SL/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/DFES8D/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/DFES8D/", "attachments": []}, {"guid": "446a1dff-7235-5367-b128-c1172d2d8101", "code": "E93DZB", "id": 52384, "logo": null, "date": "2024-10-24T14:00:00+02:00", "start": "14:00", "duration": "02:00", "room": "Schengen 1 & 2", "slug": "hack-lu-2024-52384-cryptography-from-zero-to-dont-shoot-yourself-in-the-foot", "url": "https://pretalx.com/hack-lu-2024/talk/E93DZB/", "title": "Cryptography: from zero to dont-shoot-yourself-in-the-foot", "subtitle": "", "track": "topic: hack.lu", "type": "Training", "language": "en", "abstract": "Let's be honest: cryptography is hard. Luckily, plenty of great cryptographers in the past 70 years did the heavy lifting for us. 
So our goal here will be to understand how we can use the most common cryptographic algorithms properly, which one to use depending on the context, the common pitfalls and how to avoid them.", "description": "The training will start from the very basics to allow anyone interested to join, so there is no particular prerequisite, just really basic math and the willingness to learn without being scared (or to learn regardless of being scared or not :-) ).\r\n\r\nWe will roughly follow the following syllabus:\r\n- Encryption 101\r\n- Randomness & entropy\r\n- Block ciphers\r\n- Stream ciphers\r\n- Hash functions\r\n- Key generation and key derivation functions / algorithms\r\n- RSA\r\n- Elliptic curves\r\n\r\nWe only have a couple of hours, so we will not dig deep into algorithms' math and internals, also because this is not the goal of the training.\r\n\r\nIf you are a cryptography expert and you want to join to add details, insights or correct the trainer if needed (we all make mistakes sometimes and we should all keep learning and improving), you are absolutely welcome!\r\n\r\nPS: the course is partially based on the content of the \"Serious Cryptography: A Practical Introduction to Modern Encryption\" by Jean-Philippe Aumasson book (ISBN-13: 9781593278267 - No Starch Press).", "recording_license": "", "do_not_record": false, "persons": [{"code": "GURR3Y", "name": "Lorenzo Nicolodi", "avatar": "https://pretalx.com/media/avatars/GURR3Y_iFehcAG.webp", "biography": "I am a passionate cybersecurity researcher who has spent the last 18 years learning and sharing as much as possible about this fascinating field.\r\n\r\nDuring these years, I have been fortunate enough to work on multiple aspects of the cybersecurity world, including digital forensics, incident response, cryptography, penetration testing, reverse engineering, research and development, and threat intelligence.", "public_name": "Lorenzo Nicolodi", "guid": "36b4a49b-6f52-5b88-b1d9-60990b6ac989", "url": 
"https://pretalx.com/hack-lu-2024/speaker/GURR3Y/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/E93DZB/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/E93DZB/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2024/submissions/E93DZB/resources/2024-10-hackl_qoUdfrD.pdf", "type": "related"}]}, {"guid": "8ebf8262-da08-52db-be23-1808181c0645", "code": "TJUNCH", "id": 54377, "logo": null, "date": "2024-10-24T16:15:00+02:00", "start": "16:15", "duration": "02:00", "room": "Schengen 1 & 2", "slug": "hack-lu-2024-54377-open-source-intelligence-and-command-line-based-bgp-hijacking-detection", "url": "https://pretalx.com/hack-lu-2024/talk/TJUNCH/", "title": "Open source Intelligence and Command line based BGP Hijacking Detection", "subtitle": "", "track": "topic: hack.lu", "type": "Training", "language": "en", "abstract": "In this training, trainees deal with BGP hijacking, which involves redirecting internet traffic by manipulating the Border Gateway Protocol. It covers the impact, training details, data sources, and notable BGP hijacking incidents. These incidents include the involvement of the Italian Hacking Team, Amazon DNS, China Telecom, and a recent incident at KlaySwap in South Korea.\r\nThis hands-on training session will use fully open-source-based intelligence and command-line analysis tools to identify and visualize BGP hijacking incidents in any network. After this training, trainees will be equipped with new skills to detect BGP hijacking when suspicious phenomena occur.", "description": "# Introduction\r\n\r\nBGP hijacking involves illegally redirecting internet traffic from its intended path by manipulating the Border Gateway Protocol (BGP), which exchanges routing information between different networks. In a BGP hijacking attack, an attacker advertises false routing information to routers on the internet, causing traffic to be routed through their network. 
This can be done for malicious purposes, such as intercepting sensitive data or launching a denial-of-service attack. BGP hijacking can have serious consequences, as it can disrupt internet connectivity and compromise the security and privacy of user data.\r\n\r\nBGP hijacking is an attack that undermines IP-based defense systems. When an attack occurs, all traffic directed to the hijacked destination IP is routed to an arbitrary location specified by the attacker, incapacitating all existing defense mechanisms.\r\n\r\nThis hands-on training session will use fully open-source-based intelligence and command-line analysis tools to identify and visualize BGP hijacking incidents in any network. After taking this training, trainees are supposed to carry out the BGP hijacking detection process when suspicious activity occurs. \r\n\r\nTo reduce the time wasted in environment settings, trainees are supposed to prepare notebooks with WSL/LINUX/OSX terminals and network connections.\r\n\r\n# Training Details\r\n\r\nThis training program uses real-world data that has not been artificially modified or generated. The skills acquired in this training can be immediately applied to all networks. The training provides expertise in threat modeling, visualization, and detection methods through case studies of significant historical BGP hijacking incidents.\r\n\r\n## Data Source\r\n\r\nThe data used in this course is broadly divided into two categories. To analyze BGP communications, we use archived data provided by the University of Oregon RouteViews Archive Project from 2001 to the present. 
We utilize data from regional Internet address registries to verify IP address allocations (which registry delegated a given address block, and to whom).\r\n\r\n### Regional Internet Address Registries Data\r\n\r\n- https://ftp.apnic.net/stats/apnic/delegated-apnic-extended-latest\r\n- https://ftp.afrinic.net/stats/afrinic/delegated-afrinic-extended-latest\r\n- https://ftp.lacnic.net/pub/stats/lacnic/delegated-lacnic-extended-latest\r\n- https://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-extended-latest\r\n\r\n### BGP Archive Data\r\n\r\n- http://archive.routeviews.org/bgpdata/\r\n\r\n### Tools used\r\n- awk, bgpdump, graphviz, feedgnuplot, and other basic bash commands and shell scripts\r\n\r\n## BGP Hijacking Incidents\r\n\r\nFollowing is the list of possible analysis candidates for well-known BGP hijacking incidents, which can be analyzed in this training session\r\n\r\n### Italian Hacking Team BGP Hijacking\r\n\r\nThe Italian group \"Hacking Team\" was implicated in a state-sponsored BGP hijacking incident. They worked with the Italian Special Operations Group to manipulate the Border Gateway Protocol (BGP) and reroute internet traffic. The release of confidential data unveiled their involvement, and the hacker \"Phineas Fisher\" admitted to the breach. BGP hijacking poses substantial risks to internet connectivity and the security of user data.\r\n\r\n### Amazon DNS BGP Hijacking\r\n\r\nIn April 2018, Amazon DNS servers in Route53 experienced a BGP hijacking incident. Attackers manipulated the Border Gateway Protocol (BGP) to redirect traffic intended for Amazon's DNS servers. \r\n\r\nThis misdirection allowed the attackers to intercept and manipulate DNS queries, potentially redirecting users to malicious websites or intercepting sensitive information. 
The incident underscored the vulnerabilities in BGP and the critical need for enhanced security measures to protect internet infrastructure.\r\n\r\n### BGP Man In the Middle Attack\r\n\r\nChina Telecom has been accused of engaging in extensive BGP hijacking activities, redirecting internet traffic through its infrastructure to spy on data and disrupt global communications. This practice, \"Leave No Access Point Unexploited,\" involves manipulating the Border Gateway Protocol (BGP) to reroute traffic from its intended path. These activities have raised significant concerns about the security and integrity of global internet traffic, highlighting vulnerabilities in the BGP system and the potential for state-sponsored cyber espionage.\r\n\r\n### Klayswap BGP Hijacking\r\n\r\nOn January 3, 2022, at 11:31 AM, there was a BGP hijacking incident at KlaySwap, a decentralized finance (DeFi) platform in South Korea that operates on the Klaytn blockchain network. The incident led to BGP hijacking attacks on two service-provider networks, resulting in approximately 2.2 billion KRW worth of virtual asset damage and nationwide service disruptions for around one hour.\r\n\r\nAffected services included QR check-in, Kakao Map Service, and Daum portal services. This incident raised concerns about South Korea's vulnerability to BGP hijacking attacks, highlighting that South Korea is no longer a safe zone from BGP hijacking attacks.", "recording_license": "", "do_not_record": false, "persons": [{"code": "RFR8DQ", "name": "Joon Kim", "avatar": "https://pretalx.com/media/avatars/RFR8DQ_1LEE04Y.webp", "biography": "# About Author\r\n\r\nJoon Kim is the founder and CEO of Naru Security Inc. He is also an adjunct professor at SungKyunKwan University, teaching network security. He graduated from the University of Alberta in Canada, majoring in Computer Engineering. Joon Kim started his career at the Korea Internet and Security Agency as a Security Incident Responder at the national CERT/CC. 
Additionally, he has been a national joint incident response team member and has served as a cyber security advisor for the Korea Cyber Command and the National Police Agency. Joon Kim's contributions to the cyber security industry and governments have been recognized with several awards,  including the 2008 FIRST Best Practice award, the 2018 Cyber Safety Award from the National Police Agency, the 2019 Ministry of Commerce Industry and Energy Minister's Commendation, and the 2019 and 2022 Army Chief of Staff Award.", "public_name": "Joon Kim", "guid": "29e37782-d91e-54b0-9a45-446b7b405d19", "url": "https://pretalx.com/hack-lu-2024/speaker/RFR8DQ/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/TJUNCH/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/TJUNCH/", "attachments": [{"title": "Training slides", "url": "/media/hack-lu-2024/submissions/TJUNCH/resources/24.10.BGP_Hijacking_Detection_Public_lXavMGy.pdf", "type": "related"}]}], "Echternach & Diekirch": [{"guid": "26751585-98f5-57ac-bf2e-758e94c825c9", "code": "ACPFRF", "id": 52793, "logo": null, "date": "2024-10-24T10:15:00+02:00", "start": "10:15", "duration": "01:30", "room": "Echternach & Diekirch", "slug": "hack-lu-2024-52793-3-the-heist-get-your-hands-on-the-goods", "url": "https://pretalx.com/hack-lu-2024/talk/ACPFRF/", "title": "The Heist: get your hands on the goods!", "subtitle": "", "track": "topic: hack.lu", "type": "Workshop", "language": "en", "abstract": "The Heist: get your hands on the goods!", "description": "In a 90 minute workshop a team of max. 5 persons can enter the room. During the first 15 minutes they will receive a briefing on the mission. The countdown timer starts the mission (60 minutes)\r\nGoal is to get your hands on the goods that are protected by an alarm system. 
Triggering the alarm makes the mission fail.", "recording_license": "", "do_not_record": false, "persons": [{"code": "ZTMXFW", "name": "Stijn Tomme", "avatar": "https://pretalx.com/media/avatars/ZTMXFW_uIVfOdZ.webp", "biography": "Trying to combine fun with some security related stuff", "public_name": "Stijn Tomme", "guid": "ead70de2-5a9e-5747-942b-781b37612c50", "url": "https://pretalx.com/hack-lu-2024/speaker/ZTMXFW/"}, {"code": "XSQKRS", "name": "Dominiek Madou", "avatar": null, "biography": null, "public_name": "Dominiek Madou", "guid": "de6560ce-2a70-5fdc-9b86-d17eb5d6e945", "url": "https://pretalx.com/hack-lu-2024/speaker/XSQKRS/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/ACPFRF/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/ACPFRF/", "attachments": []}, {"guid": "cc47e79f-ba7b-5ece-ac98-fef4d8bd3495", "code": "ACPFRF", "id": 52793, "logo": null, "date": "2024-10-24T14:00:00+02:00", "start": "14:00", "duration": "01:30", "room": "Echternach & Diekirch", "slug": "hack-lu-2024-52793-4-the-heist-get-your-hands-on-the-goods", "url": "https://pretalx.com/hack-lu-2024/talk/ACPFRF/", "title": "The Heist: get your hands on the goods!", "subtitle": "", "track": "topic: hack.lu", "type": "Workshop", "language": "en", "abstract": "The Heist: get your hands on the goods!", "description": "In a 90 minute workshop a team of max. 5 persons can enter the room. During the first 15 minutes they will receive a briefing on the mission. The countdown timer starts the mission (60 minutes)\r\nGoal is to get your hands on the goods that are protected by an alarm system. 
Triggering the alarm makes the mission fail.", "recording_license": "", "do_not_record": false, "persons": [{"code": "ZTMXFW", "name": "Stijn Tomme", "avatar": "https://pretalx.com/media/avatars/ZTMXFW_uIVfOdZ.webp", "biography": "Trying to combine fun with some security related stuff", "public_name": "Stijn Tomme", "guid": "ead70de2-5a9e-5747-942b-781b37612c50", "url": "https://pretalx.com/hack-lu-2024/speaker/ZTMXFW/"}, {"code": "XSQKRS", "name": "Dominiek Madou", "avatar": null, "biography": null, "public_name": "Dominiek Madou", "guid": "de6560ce-2a70-5fdc-9b86-d17eb5d6e945", "url": "https://pretalx.com/hack-lu-2024/speaker/XSQKRS/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/ACPFRF/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/ACPFRF/", "attachments": []}, {"guid": "bef03636-a682-55b7-8f9c-c0212e182424", "code": "ACPFRF", "id": 52793, "logo": null, "date": "2024-10-24T16:15:00+02:00", "start": "16:15", "duration": "01:30", "room": "Echternach & Diekirch", "slug": "hack-lu-2024-52793-5-the-heist-get-your-hands-on-the-goods", "url": "https://pretalx.com/hack-lu-2024/talk/ACPFRF/", "title": "The Heist: get your hands on the goods!", "subtitle": "", "track": "topic: hack.lu", "type": "Workshop", "language": "en", "abstract": "The Heist: get your hands on the goods!", "description": "In a 90 minute workshop a team of max. 5 persons can enter the room. During the first 15 minutes they will receive a briefing on the mission. The countdown timer starts the mission (60 minutes)\r\nGoal is to get your hands on the goods that are protected by an alarm system. 
Triggering the alarm makes the mission fail.", "recording_license": "", "do_not_record": false, "persons": [{"code": "ZTMXFW", "name": "Stijn Tomme", "avatar": "https://pretalx.com/media/avatars/ZTMXFW_uIVfOdZ.webp", "biography": "Trying to combine fun with some security related stuff", "public_name": "Stijn Tomme", "guid": "ead70de2-5a9e-5747-942b-781b37612c50", "url": "https://pretalx.com/hack-lu-2024/speaker/ZTMXFW/"}, {"code": "XSQKRS", "name": "Dominiek Madou", "avatar": null, "biography": null, "public_name": "Dominiek Madou", "guid": "de6560ce-2a70-5fdc-9b86-d17eb5d6e945", "url": "https://pretalx.com/hack-lu-2024/speaker/XSQKRS/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/ACPFRF/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/ACPFRF/", "attachments": []}], "Hollenfels": [{"guid": "9f5449ed-40ad-5025-be40-0d7cb90d0c29", "code": "SQUPHL", "id": 54352, "logo": null, "date": "2024-10-24T10:15:00+02:00", "start": "10:15", "duration": "01:30", "room": "Hollenfels", "slug": "hack-lu-2024-54352-nlp-deep-dive-transformers-for-text-mining-and-text-generation-in-cybersecurity", "url": "https://pretalx.com/hack-lu-2024/talk/SQUPHL/", "title": "NLP deep-dive: Transformers for Text Mining and Text Generation in Cybersecurity", "subtitle": "", "track": "topic: hack.lu", "type": "Workshop", "language": "en", "abstract": "The application of Natural Language Processing (NLP) has become increasingly vital for cybersecurity threat intelligence and response strategies today. NLP plays a crucial role by enabling more accurate and nuanced analyses of potential threats through linguistic techniques. Among other applications, NLP allows quicker categorization of threats based on their nature \u2013 such as phishing schemes or anomalous behaviors \u2013 and enables prioritizing responses accordingly. NLP can also facilitate the development of content prediction schemes for analysts or provide powerful information extraction tools. 
We will cover two text-mining techniques that we believe are a good starting point with NLP for analysts and incident responders: sentiment analysis and Named Entity Recognition (NER). While sentiment analysis reveals underlying emotions or biases in social media content potentially linked to malicious activities, NER identifies critical information such as IP addresses, domains, and user details essential for correlating incidents across different data sources.", "description": "The workshop provides a hands-on, iterative deep dive into transformer-based NLP techniques and their applications in text mining and generation for cybersecurity threat intelligence and response strategies. It is dedicated to people who already have experience using natural language processing and LLMs (or LLMs only), to deepen their understanding and skills.\r\n\r\nProgram:\r\n\r\n- Quick Introduction to Transformers, best current models\r\n- Hands-on: Text Preprocessing and Tokenization\r\n    - Text-preprocessing \r\n- Transformer-Based Sentiment Analysis\r\n    - Choose and load a pre-trained transformer model \r\n    - Step-by-step building of an NLP pipeline using transformers library\r\n    - Run the sentiment analysis task on an imported dataset\r\n- The same pipeline adapted to Named Entity Recognition (NER)\r\n    - Results interpretation\r\n- The same pipeline adapted to text generation\r\n    - Compare basic and light models (e.g., BART, T5, Llama)\r\n- Discussion: Applications in Cybersecurity\r\n    - Apply transformer-based NLP techniques to cybersecurity problems\r\n    - Limitations and future directions of transformer-based NLP in cybersecurity\r\n\r\nBy the end of this workshop, you will have a deep understanding of transformer-based NLP techniques and their applications in text mining and generation for cybersecurity. You will be able to apply your new skills to real-world problems and develop practical solutions for threat intelligence and incident response. 
You'll be able to work directly on the code and scale your analysis. \r\n\r\nFamiliarity with Python programming is expected. Prior experience with deep learning libraries such as PyTorch is a plus, along with practice of LLMs (with frontend).", "recording_license": "", "do_not_record": true, "persons": [{"code": "3LW9XQ", "name": "Pauline Bourmeau (Cookie)", "avatar": "https://pretalx.com/media/avatars/3LW9XQ_fRZxzk4.webp", "biography": "Pauline's focus gravitates towards offensive cybersecurity, artificial intelligence, and programming culture. She has a background with experience in various fields including linguistics, criminology, cybersecurity, computer engineering, and education. By blending together approaches from humanities and deep technical insight, she provides a unique lens on cyber threats and their evolution. She provides these days AI developments and trainings, to make AI accessible to all. She is the founder of the Defcon group Paris and a French vice-champion para-climber.", "public_name": "Pauline Bourmeau (Cookie)", "guid": "c9728882-b3f8-50d5-b946-fb3cf82d1c4f", "url": "https://pretalx.com/hack-lu-2024/speaker/3LW9XQ/"}, {"code": "WHXH3Q", "name": "William Robinet", "avatar": "https://pretalx.com/media/avatars/WHXH3Q_Q8FkSnu.webp", "biography": "William manages the technical team behind AS197692 at Conostix S.A. in Luxembourg.  He\u2019s been working in cybersecurity using free and opensource software on a daily basis for more than 25 years. Recently, he presented his ASN.1 templating tool at Pass the SALT 2023 in Lille.  He contributed to the cleanup and enhancement efforts done on ssldump lately.  He particularly enjoys tinkering with open (and not so open) hardware. Currently he likes playing around with new tools in the current ML scene, building, hopefully, useful systems for fun and, maybe, profit.  
When not behind an intelligent wannabe machine, he's doing analog music with his band of humans.", "public_name": "William Robinet", "guid": "3b84b965-4ff5-5894-a6a3-2d779304a6d1", "url": "https://pretalx.com/hack-lu-2024/speaker/WHXH3Q/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/SQUPHL/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/SQUPHL/", "attachments": []}, {"guid": "fbe3c0da-a0f6-50d9-8986-12b7e1c00088", "code": "JMKWXX", "id": 52110, "logo": null, "date": "2024-10-24T14:00:00+02:00", "start": "14:00", "duration": "02:00", "room": "Hollenfels", "slug": "hack-lu-2024-52110-scanning-with-the-artemis-security-scanner", "url": "https://pretalx.com/hack-lu-2024/talk/JMKWXX/", "title": "Scanning with the Artemis security scanner", "subtitle": "", "track": "topic: hack.lu", "type": "Training", "language": "en", "abstract": "At CERT PL we periodically scan 500 thousand domains and subdomains and automatically report found vulnerabilities and misconfigurations using the Artemis scanner ([https://github.com/CERT-Polska/Artemis](https://github.com/CERT-Polska/Artemis)). Are you e.g. a CSIRT, hosting provider, or a university network administrator and want to set up a similar project?", "description": "During the training, you will learn how to set up and use Artemis. For best results you are encouraged to have a Linux virtual machine with Docker and Docker Compose and a list of domains you are authorized to scan. During the training, you\u2019ll configure Artemis and initiate a scan that will end with a package of e-mails ready to be sent to the affected entities. We recommend starting with a list of 100 domains.  \r\n\r\nNote that having a list of domains is not required. If you don't bring one, you will still learn how Artemis works and how to use it in practice. 
You will configure Artemis (or use a demo instance I will set up) and scan exemplary domains.", "recording_license": "", "do_not_record": false, "persons": [{"code": "T9P3CK", "name": "Krzysztof Zaj\u0105c", "avatar": "https://pretalx.com/media/avatars/T9P3CK_lLRw6ch.webp", "biography": "Senior Threat Analysis Specialist at CERT PL, currently working on automated vulnerability discovery techniques. Before becoming a security specialist, he's been a software engineer for more than ten years. Teaches offensive security at the University of Warsaw. Formerly a CTF player, playing with the p4 CTF team. Likes cats and bad puns.", "public_name": "Krzysztof Zaj\u0105c", "guid": "e7b026cd-2e2d-549f-90b9-a55085ac1533", "url": "https://pretalx.com/hack-lu-2024/speaker/T9P3CK/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/JMKWXX/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/JMKWXX/", "attachments": [{"title": "slides", "url": "/media/hack-lu-2024/submissions/JMKWXX/resources/Artemis_Secur_uvPHNq4.pdf", "type": "related"}]}], "Vianden & Wiltz": [{"guid": "b475225c-b750-5227-9cf9-d31438176f82", "code": "GCYGYP", "id": 54454, "logo": null, "date": "2024-10-24T14:00:00+02:00", "start": "14:00", "duration": "02:00", "room": "Vianden & Wiltz", "slug": "hack-lu-2024-54454-from-protocol-analysis-to-actionable-algorithmic-and-signature-detection-with-suricata", "url": "https://pretalx.com/hack-lu-2024/talk/GCYGYP/", "title": "From protocol analysis to actionable algorithmic and signature detection with Suricata", "subtitle": "", "track": "topic: hack.lu", "type": "Training", "language": "en", "abstract": "Suricata is a widely-used high performance, open source network analysis and threat detection software. 
This training will provide hands-on learning for different techniques using Suricata protocol analysis data for generating useful and actionable algorithmic and signature detection.", "description": "Suricata is a versatile open source engine that has been evolving beginning in 2009 to currently being able to provide\u00a0 network protocol, flow, alert, anomaly logs, file extraction and PCAP at very high speeds. It is being used currently across the world as Network Security Monitoring, Intrusion Detection System, Intrusion Prevention System and even firewall.\u00a0\r\n\r\n\r\nThe training will employ actual hands-on review of malware network pcap traces. Starting from protocol analysis and generic signature events, the attendee will discover\u00a0 the different queries and techniques that could be applied to detect the malware activity on the network. All of that keeping noise reduction in mind. The training aims to review a few cases of recent samples of malware families to give attendees practical experiences defending against modern threats. Attendees can expect to leave prepared to\u00a0 use algorithmic detection formulas, methods and signatures that can be implemented at home or at work. In addition, they will gain experience finding relevant malware data.", "recording_license": "", "do_not_record": false, "persons": [{"code": "UREGS8", "name": "Eric Leblond", "avatar": "https://pretalx.com/media/avatars/UREGS8_lAVeWOo.webp", "biography": "\u00c9ric Leblond is the co-founder and chief technology officer (CTO) of Stamus Networks and a member of the board of directors at Open Network Security Foundation (OISF). \u00c9ric has more than 15 years of experience as co-founder and technologist of cybersecurity software companies and is an active member of the security and open-source communities. 
He has worked on the development of Suricata \u2013 the open-source network threat detection engine \u2013 since 2009 and is part of the Netfilter Core team, responsible for the Linux kernel's firewall layer. Eric is also the lead developer of the Suricata Language Server, a real-time syntax checking and autocomplete app for Suricata rule writers. Eric is a well-respected expert and speaker on network security.", "public_name": "Eric Leblond", "guid": "b6d86565-a490-50b1-9a64-cf00a7a9849b", "url": "https://pretalx.com/hack-lu-2024/speaker/UREGS8/"}, {"code": "VRPXVT", "name": "Peter Manev", "avatar": "https://pretalx.com/media/avatars/VRPXVT_aqRwasS.webp", "biography": "Peter Manev is the co-founder and chief strategy officer (CSO) of Stamus Networks and a member of the executive team at Open Information Security Foundation (OISF). Peter has over 15 years of experience in the IT industry, including enterprise-level IT security practice. He is a passionate user, developer, and explorer of innovative open-source security software. He is responsible for training as well as quality assurance and testing on the development team of Suricata \u2013 the open-source threat detection engine. Peter is also the lead developer of SELKS, the popular turnkey open-source implementation of Suricata. Peter is a regular speaker and educator on open-source security, threat hunting, and network security.\r\n\r\nPeter has been involved with Suricata IDS/IPS/NSM from its very early days in 2009 as QA and training lead. He is currently a Suricata executive council member. Peter has 15 years of experience in the IT industry, including as an enterprise-level IT security practitioner.\r\n\r\nSELKS maintainer - turn-key Suricata-based IDS/IPS/NSM. 
A frequent contributor to and user of innovative open source security software, Peter maintains several online repositories for Suricata-related information: https://github.com/pevma , https://github.com/orgs/StamusNetworks/repositories and https://twitter.com/pevma.\r\n\r\nPeter Manev is a co-author of the The Security Analyst\u2019s Guide to Suricata book written with Eric Leblond.\r\n\r\nAdditionally, Peter is one of the founders of Stamus Networks, a company providing commercial and open-source network detection and response solutions based on Suricata. Peter often engages in private or public training events in the area of advanced deployment and threat hunting at conferences, workshops or live-fire cyber exercises such as Crossed Swords, Locked Shields, DeepSec, Troopers, DefCon, Suricon, SharkFest, RSA, Flocon, MIT Lincoln Lab and others", "public_name": "Peter Manev", "guid": "2692af65-1a0b-542f-987a-e36828ef85d2", "url": "https://pretalx.com/hack-lu-2024/speaker/VRPXVT/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/GCYGYP/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/GCYGYP/", "attachments": []}, {"guid": "a7f9e043-5f5e-5330-ba78-15db5508d58f", "code": "YYNBVZ", "id": 52411, "logo": null, "date": "2024-10-24T16:15:00+02:00", "start": "16:15", "duration": "02:00", "room": "Vianden & Wiltz", "slug": "hack-lu-2024-52411-ios-compromise-detection-using-open-source-tools", "url": "https://pretalx.com/hack-lu-2024/talk/YYNBVZ/", "title": "iOS Compromise Detection using open source tools", "subtitle": "", "track": "topic: hack.lu", "type": "Training", "language": "en", "abstract": "Are you, or your organisation, concerned about potential compromise on your iPhone, iPad, or Apple Watch? This workshop equips you with the knowledge and tools to identify red flags on your iOS device. 
We delve into the world of sysdiagnose and explore methods to verify potential breaches.", "description": "Are you, or your organisation, concerned about potential compromise on your iPhone, iPad, or Apple Watch? This workshop equips you with the knowledge and tools to identify red flags on your iOS device. We delve into the world of sysdiagnose and explore methods to verify potential breaches.\r\n\r\nDuring this workshop we will be:\r\n- discussing some ways to know if an iOS device may be compromised\r\n- explore which opensource tools exist to perform analysis\r\n- generating a sysdiagnose file on an iPhone, iPad iWatch, ... (bring your own device)\r\n- use multiple methods to collect the sysdiagnose (sharing, custom app, PyMobileDevice3, ...)\r\n- use the open source sysdiagnose parser to convert the diagnostics data to something usable \r\n- explore what data it contains\r\n- generate a timeline and load it in timesketch\r\n- ...", "recording_license": "", "do_not_record": false, "persons": [{"code": "PKXHJG", "name": "David Durvaux", "avatar": "https://pretalx.com/media/avatars/PKXHJG_cbtcfW2.webp", "biography": "David Durvaux has been active in the incident response field for more than a decade. He has worked on many IT security incidents and especially on computer forensics aspects. Since 2015 he is actively preparing the FIRST CTF. David has presented at numerous conferences including hack.lu.", "public_name": "David Durvaux", "guid": "989e5a58-e832-5827-b7f5-5b12aafe19d7", "url": "https://pretalx.com/hack-lu-2024/speaker/PKXHJG/"}, {"code": "UCQ7F7", "name": "Christophe Vandeplas", "avatar": "https://pretalx.com/media/avatars/UCQ7F7_3WPCR8y.webp", "biography": "Beyond his role as a cybersecurity consultant, Christophe actively serves as a Belgian Cyber Reservist and contributes significantly to open-source projects. He is the founder of the MISP Threat Sharing Platform. 
His contributions to the community also include the creation of MISP-maltego and pystemon, the development of the sysdiagnose framework, as well as his previous involvement in organizing the FOSDEM conference. \r\nWhen not immersed in the world of cybersecurity, Christophe enjoys outdoor pursuits such as hiking, climbing, mountaineering, and sailing, finding solace in the beauty of nature.", "public_name": "Christophe Vandeplas", "guid": "5a0c4bb1-449f-5471-abc1-0146844ffd97", "url": "https://pretalx.com/hack-lu-2024/speaker/UCQ7F7/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/YYNBVZ/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/YYNBVZ/", "attachments": [{"title": "Intro slides", "url": "/media/hack-lu-2024/submissions/YYNBVZ/resources/hacklu-worksh_MaJelF1.pdf", "type": "related"}, {"title": "Exercise workbook", "url": "/media/hack-lu-2024/submissions/YYNBVZ/resources/Hack.lu_2024_GkOZK6A.html", "type": "related"}]}]}}, {"index": 4, "date": "2024-10-25", "day_start": "2024-10-25T04:00:00+02:00", "day_end": "2024-10-26T03:59:00+02:00", "rooms": {"Europe - Main Room": [{"guid": "d35f63be-3dfe-56e3-a768-b132b24842e0", "code": "YLWAQJ", "id": 54376, "logo": "https://pretalx.com/media/hack-lu-2024/submissions/YLWAQJ/hacklu_presentation_kA57Bl7.jpg", "date": "2024-10-25T09:00:00+02:00", "start": "09:00", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-54376-the-ouroboros-of-cybercrime-witnessing-threat-actors-go-from-pwn-to-pwn-d", "url": "https://pretalx.com/hack-lu-2024/talk/YLWAQJ/", "title": "The Ouroboros of Cybercrime: Witnessing Threat Actors go from Pwn to Pwn'd", "subtitle": "", "track": "topic: hack.lu", "type": "Talk", "language": "en", "abstract": "Infostealers are a type of malware designed to secretly collect sensitive information from infected devices. They create stealer logs with valuable data such as login credentials. 
These malware communicate with Command-and-Control (C2) servers, which direct their actions and receive the stolen data. These stolen logs are highly valuable, forming the basis of a profitable underground market where cybercriminals sell and trade this information.\r\nBut what if C2 operators also fell victim to their own skim : the biter bit. In this presentation, we will dive into stealer logs of C2 operators, who have infected themselves accidentally with infostealer malware, to uncover hidden C2 infrastructure and their backstage. Join us as we expose the unexpected vulnerabilities within the cyber underworld.", "description": "Through a meticulous investigation of stealer logs, an ironic twist in the cyber threat landscape has been unveiled: C2 operators falling prey to their own skim. In this presentation, we will explore stealer logs of (C2) operators, offering an unparalleled opportunity to delve into the backstage of cybercriminal networks.\r\n\r\nBy analyzing these compromised logs, we have uncovered detailed information about the hidden criminal infrastructure operated by C2 operators. The captured data includes sensitive details such as computer information, browser autofill content, usernames and passwords, and active browser cookies. Notably, we have identified numerous logs containing cybercrime credentials, revealing the administrative access to various C2 platforms and databases.\r\n\r\nThe investigation highlighted five specific C2 operators, exploring their use of different malware families, locations, and operational tendencies. One operator stood out: \"The Dutch Man,\" also known as the Malware Maestro, who demonstrated sophisticated management of multiple malware types, including Private Loader, Mystic, Asuka, and Raccoon Stealer, forming a versatile malicious ecosystem. \r\n\r\nJoin us as we dive into the trail of the cybercrime ecosystem provided by the threat actors\u2019 own compromise. 
This talk will provide invaluable insights into the operation of a versatile malicious ecosystem, highlighting the complexity of C2 networks. Discover how analyzing stealer logs from operators associated with known C2 IPs can uncover and allow the study of hidden criminal infrastructure, identify new, previously unknown, C2 endpoints, and create indicators of compromise (IOCs).", "recording_license": "", "do_not_record": false, "persons": [{"code": "YMPB7L", "name": "Estelle", "avatar": "https://pretalx.com/media/avatars/YMPB7L_FEA9GS1.webp", "biography": "Estelle is a Threat Intelligence Researcher at Flare. Having recently completed a master at University of Montreal, she is a criminology student who lost her way into cybercrime. Now she is playing with lines of codes to help computers make sense of the cyber threat landscape.", "public_name": "Estelle", "guid": "2731cf8a-a896-5a00-aae6-40e1e188b033", "url": "https://pretalx.com/hack-lu-2024/speaker/YMPB7L/"}, {"code": "LLP9EA", "name": "Stuart Beck", "avatar": null, "biography": null, "public_name": "Stuart Beck", "guid": "59323787-352b-53ae-b9ab-4474aae1710f", "url": "https://pretalx.com/hack-lu-2024/speaker/LLP9EA/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/YLWAQJ/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/YLWAQJ/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2024/submissions/YLWAQJ/resources/HACK_LU_nNkGnex.pdf", "type": "related"}]}, {"guid": "e49b85c2-40c9-5517-870a-00502f5817a0", "code": "UURWBY", "id": 52360, "logo": "https://pretalx.com/media/hack-lu-2024/submissions/UURWBY/we-files-title_jhMsMmv.jpg", "date": "2024-10-25T09:30:00+02:00", "start": "09:30", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-52360-the-xe-files-trust-no-router", "url": "https://pretalx.com/hack-lu-2024/talk/UURWBY/", "title": "The XE Files - Trust No Router", "subtitle": "", "track": "topic: CTI", "type": "Talk", "language": "en", 
"abstract": "On the 16th October 2023 Cisco Talos shared intelligence about a handful of compromised routers discovered while resolving customer support requests. As the full story unfolded, a handful of backdoored devices turned into tens of thousands, and the massive mobilisation of incident response teams as patches were applied and workarounds implemented. Many months later, the incident may be largely forgotten by Cisco customers and the cyber-security community, but working on these routers remains an objective for somebody.", "description": "On the 16th October 2023 Cisco Talos shared intelligence about a handful of compromised routers discovered while resolving customer support requests. As the full story unfolded, a handful of backdoored devices turned into tens of thousands, and the massive mobilisation of incident response teams as patches were applied and workarounds implemented. Many months later, the incident may be largely forgotten by Cisco customers and the cyber-security community, but working on these routers remains an objective for somebody.\r\n\r\nIn this talk we explore the world of compromised IOS XE devices using data from weekly scans of all the potentially affected systems. The number of infected routers has changed over time showing a persistent motivation to maintain the backdoor\u2019s installed base and giving insights into the life of the adversary. At the time of writing, two-thirds of all exposed devices show signs of compromise.\r\n\r\nWe investigate who was quick to apply the vendor\u2019s advice, and what kind of organizations the compromised devices belong to. We observe that some mature organizations with competent cyberdefence teams seem to be maintaining affected routers. 
\r\n\r\nFinally we look at the potential utility of a network of compromised routers, making the link to Operational Relay Box (ORB) networks as recently defined by Mandiant (Google Cloud), and the challenge this poses for Threat Intelligence analysts and cyber-defence teams more broadly.", "recording_license": "", "do_not_record": false, "persons": [{"code": "DRMKFR", "name": "James Atack", "avatar": "https://pretalx.com/media/avatars/DRMKFR_zj41YMw.webp", "biography": "James worked in systems and networks for a decade before finally succumbing to the destiny of nominative determinism. After briefly flirting with pentesting he got a job as a security architect in the financial sector. He then became Head of the CERT team for a number of years but his hair had already fallen out at that point. He joined ONYPHE in 2023 as Deputy CTO and now dreams in Perl.", "public_name": "James Atack", "guid": "0075accf-997f-55f3-a179-a44be5db0e56", "url": "https://pretalx.com/hack-lu-2024/speaker/DRMKFR/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/UURWBY/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/UURWBY/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2024/submissions/UURWBY/resources/ios-xe-presentation-5_XOMpjuR.pdf", "type": "related"}]}, {"guid": "4edaf626-4ff4-564e-b86b-ddaadc0e9082", "code": "QLCNGS", "id": 54150, "logo": "https://pretalx.com/media/hack-lu-2024/submissions/QLCNGS/zeek-favicon-white_sWs8LIF.png", "date": "2024-10-25T10:15:00+02:00", "start": "10:15", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-54150-new-features-in-the-zeek-network-monitor", "url": "https://pretalx.com/hack-lu-2024/talk/QLCNGS/", "title": "New features in the Zeek Network Monitor", "subtitle": "", "track": "topic: hack.lu", "type": "Talk", "language": "en", "abstract": "This talk provides a tour of new features in the open-source Zeek network monitor that have landed in the past year: scriptability 
via JavaScript, performance improvements to its scripting language via a new abstract language machine, analyzer development via the Spicy parser generator, a revamped telemetry framework for scraping via Prometheus, and more!", "description": "Network monitoring is key for understanding your infrastructure, whether that's your home network or a thousand-seat corporate environment. Zeek is the world's de-facto open-source standard for longitudinal network monitoring \u2014 a permissively licensed, mature, battle-hardened platform and ecosystem that runs on anything from Raspberry Pi's to industrial-scale deployments like Microsoft Defender.\r\n\r\nOver the past year Zeek has made important strides into new areas, which I'll present in this talk. Top among those are support for scripting Zeek's network events in JavaScript, opening up the Node ecosystem to network analysis; ZAM, the Zeek Abstract Machine, bringing substantial improvements to Zeek's script interpretation performance; expanded use of the Spicy parser generator, and an expansion of Zeek's telemetry framework for easy scraping via Prometheus.\r\n\r\nI'll also cover how to get started with Zeek via our Docker images, binary packages, or building it yourself, and will give a sneak preview of our upcoming roadmap.", "recording_license": "", "do_not_record": false, "persons": [{"code": "WAEDB3", "name": "Christian Kreibich", "avatar": "https://pretalx.com/media/avatars/WAEDB3_FcgOFLM.webp", "biography": "Christian is the technical lead of the Zeek project, and an engineer at Corelight. He previously spent 5 years heading the networking group at Lastline, and prior to that spent 5 years as a research scientist at the International Computer Science Institute in Berkeley. He has served on the advisory board of the Open Information Security Foundation, and holds a PhD from the University of Cambridge's Systems Research Group. 
He still rides skateboards, which recently earned him a busted rotator cuff.", "public_name": "Christian Kreibich", "guid": "a0b04b39-784d-5427-8caa-17e438107b65", "url": "https://pretalx.com/hack-lu-2024/speaker/WAEDB3/"}], "links": [{"title": "Slides", "url": "https://docs.google.com/presentation/d/1_IrRuib84Y76-aTx_Cnaejy2QXk4M9nrKtDjRa1IVBY/edit?usp=sharing", "type": "related"}], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/QLCNGS/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/QLCNGS/", "attachments": []}, {"guid": "562377b0-c1e6-5ceb-b034-245330af8d5e", "code": "TLGDKX", "id": 54451, "logo": null, "date": "2024-10-25T10:45:00+02:00", "start": "10:45", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-54451-sigma-unleashed-a-realistic-implementation", "url": "https://pretalx.com/hack-lu-2024/talk/TLGDKX/", "title": "Sigma Unleashed: A Realistic Implementation", "subtitle": "", "track": "topic: hack.lu", "type": "Talk", "language": "en", "abstract": "Sigma is a well-known generic detection rule format in the cybersecurity landscape. While this free, open-source project is very active and offers a wide range of features, its implementation is challenging, and especially for MSSPs. At CERT-EU, we serve the 90 European Union institutions, bodies, offices and agencies (Union entities) and we strive to deliver the best possible services to them. This is why we relentlessly try to enhance the detection capabilities of our Security Log Monitoring Service. \r\n\r\nTo this endeavour, we created [droid](https://github.com/certeu/droid), a tool that we specifically built to introduce Detection-as-Code in our environment. 
In the spirit of fostering a culture of collective progress, we released [droid](https://github.com/certeu/droid) as our take to facilitate the ingestion of Sigma rules for any organisation.", "description": "In this talk, we will mainly talk about how we implemented Sigma in a practical way and about [droid](https://github.com/certeu/droid) that unlocks the following use cases:\r\n\r\n- Detection content versioning\r\n- Vendor agnostic approach\r\n- Cross-tool detection content\r\n- Testing and validating detection rules, by taking advantage of Atomic Red Team\r\n- Automation of exporting the rules to multiple SIEMs and EDRs.\r\n\r\nThe tool is under development and we aim at adding more platforms and testing features.", "recording_license": "", "do_not_record": false, "persons": [{"code": "HC8UYQ", "name": "Mathieu LE CLEACH", "avatar": "https://pretalx.com/media/avatars/HC8UYQ_05PGc6r.webp", "biography": "Mathieu is a member of CERT-EU's Digital Forensics and Incident Response team. He has two hats: respond to security incidents, including significant ones, and engineer CERT-EU's detection strategy. 
He was a speaker at the 36th Annual FIRST Conference.", "public_name": "Mathieu LE CLEACH", "guid": "468ba8fb-4a99-5970-be8d-e2bc1d6a3bab", "url": "https://pretalx.com/hack-lu-2024/speaker/HC8UYQ/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/TLGDKX/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/TLGDKX/", "attachments": []}, {"guid": "045c26a6-586e-51fb-9f67-c5857d927095", "code": "KTE9WR", "id": 52976, "logo": null, "date": "2024-10-25T11:15:00+02:00", "start": "11:15", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-52976-predictive-analytics-for-adversary-techniques-in-the-mitre-att-ck-framework-using-rule-mining", "url": "https://pretalx.com/hack-lu-2024/talk/KTE9WR/", "title": "Predictive Analytics for Adversary Techniques in the MITRE ATT&CK Framework using Rule Mining", "subtitle": "", "track": "topic: hack.lu", "type": "Talk", "language": "en", "abstract": "In this presentation, Tristan Madani will delve into \"Predictive Analytics for Adversary Techniques in the MITRE ATT&CK Framework using Rule Mining.\" This talk introduces a novel approach to predicting potential adversary techniques by leveraging historical attack data and applying association rule mining. Attendees will gain insights into how the MITRE ATT&CK framework can be utilized to enhance threat hunting and incident response capabilities. Key takeaways include understanding the methodology behind rule mining, the practical application of the Apriori and FP-Growth algorithms, and the implications of the findings for proactive cybersecurity measures. This presentation is essential for cybersecurity professionals looking to stay ahead of evolving threats by anticipating adversary actions.", "description": "### Detailed Outline\r\n\r\n1. Introduction (3 minutes)\r\n- Greeting and Introduction\r\n  - Brief introduction of Tristan Madani and his credentials.\r\n  - Overview of the presentation\u2019s objectives.\r\n\r\n2. 
Overview of MITRE ATT&CK Framework (5 minutes)\r\n- Introduction to MITRE ATT&CK\r\n  - Explanation of the framework's purpose and structure.\r\n  - Importance in the cybersecurity community.\r\n- Challenges Addressed\r\n  - Discuss the vast number of TTPs and their evolution.\r\n  - Need for prioritizing and predicting critical techniques.\r\n\r\n3. Methodology (7 minutes)\r\n- Data and Tools Used\r\n  - Description of the dataset (version 13.1, May 2023) and STIX 2.1 format.\r\n  - Tools used for data manipulation (Python).\r\n- Rule Mining Techniques\r\n  - Explanation of Apriori and FP-Growth algorithms.\r\n  - Definition of key parameters: min_support (0.2) and min_threshold (0.7).\r\n- Process\r\n  - Conversion of TTP data into transactional data.\r\n  - Generation of frequent itemsets and association rules using the Mlxtend library.\r\n  - Filtering and sorting rules based on support, confidence, lift, and Zhang's metric.\r\n\r\n4. Key Findings (10 minutes)\r\n- Top Association Rules\r\n  - Presentation of the top 5 rules using different metrics (confidence, lift, conviction, Zhang's metric).\r\n- Significant Associations\r\n  - Brief discussion of notable associations:\r\n    - T1204.001 (Malicious Link) with T1566.002 (Spearphishing Link).\r\n    - T1059.005 (Visual Basic) with T1204.002 (Malicious File) and T1566.001 (Spearphishing Attachment).\r\n    - T1203 (Exploitation for Client Execution) with T1566.001 and T1204.002.\r\n- Insights on Tactics\r\n  - Key findings related to specific tactics like Initial Access, Execution, Command and Control.\r\n  - Importance of associations involving PowerShell, Windows Command Shell, etc.\r\n\r\n5. Visual Representations (3 minutes)\r\n- Heat Maps and Parallel Coordinates\r\n  - Explanation of these visual tools.\r\n  - Brief examples to illustrate strong relationships and patterns.\r\n\r\n6. 
Conclusion (2 minutes)\r\n- Implications for Cybersecurity\r\n  - Practical benefits of the predictive approach for threat hunting and proactive defense.\r\n  - How organizations can prioritize security resources based on predictions.\r\n- Future Enhancements\r\n  - Potential for enhancing the dataset with more comprehensive data.\r\n  - Importance of ongoing research to keep up with evolving threats.\r\n\r\n7. Q&A (5 minutes)\r\n- Open the Floor for Questions\r\n  - Encourage audience questions and discussion.\r\n\r\n### Total Time: 30 minutes", "recording_license": "", "do_not_record": true, "persons": [{"code": "JYPHAH", "name": "Tristan MADANI", "avatar": null, "biography": "Tristan is a dedicated and motivated professional committed to delivering positive results and fostering continuous improvement in his work. Over the years, he has accumulated extensive experience in both Offensive (Red Teaming, Penetration Testing, Vulnerability Research) and Defensive Security (Threat Hunting, Incident Response, Digital Forensics, Malware Reverse Engineering), as well as systems and networks. 
Additionally, Tristan finds fulfillment in sharing his knowledge through Cyber Security Training, recognizing the value of collaboration and ongoing learning in this dynamic field.", "public_name": "Tristan MADANI", "guid": "a272fb46-1602-5662-b68b-3878f554d297", "url": "https://pretalx.com/hack-lu-2024/speaker/JYPHAH/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/KTE9WR/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/KTE9WR/", "attachments": []}, {"guid": "c0c17b22-8a11-5765-9d2d-0df85a04874d", "code": "DJ7SZA", "id": 57118, "logo": null, "date": "2024-10-25T13:30:00+02:00", "start": "13:30", "duration": "00:05", "room": "Europe - Main Room", "slug": "hack-lu-2024-57118-introducing-the-actor-model-adversary-simulation-is-dead-long-live-adversary-simulation", "url": "https://pretalx.com/hack-lu-2024/talk/DJ7SZA/", "title": "Introducing the ACTOR Model: Adversary Simulation is dead, long live Adversary Simulation!", "subtitle": "", "track": "hack.lu lightning talk", "type": "Lightning talk", "language": "en", "abstract": "As cyber threats continue to evolve, traditional adversary simulation methods are struggling to keep pace with the sophisticated tactics, techniques, and procedures (TTPs) used by attackers today. In this talk, we explore the shortcomings of current simulation frameworks and introduce the ACTOR Model, a comprehensive and forward-thinking approach designed to overcome these challenges.\r\n\r\nLeveraging real-world insights and integrating the MITRE ATT&CK framework and Structured Threat Information Expression (STIX) data, the ACTOR Model enhances realism, scalability, and customization in adversary simulation. Through the lens of humor and deep technical analysis, we declare the end of outdated methods and present the future of simulation: a strategic, adaptable, and highly effective framework that equips organizations to stay ahead of adversaries. 
Join us as we dive into the next generation of adversary simulation \u2014 it\u2019s far from dead, it\u2019s just evolving.", "description": "The landscape of cyber threats has outgrown many of the traditional methods used in adversary simulation. Enter the ACTOR Model: a fresh and comprehensive framework that addresses the limitations of current simulation tools. In this talk, titled \"Adversary Simulation is dead, long live Adversary Simulation!\", Tristan Madani takes you through a humorous yet deeply technical journey of how adversary simulation has evolved. The session will explore the five key components of the ACTOR Model\u2014Adversary, Capabilities, Target, Operations, and Results\u2014while showing how they interconnect to create realistic, customizable simulations that reflect modern-day cyber threats.\r\n\r\nWhether you're a security practitioner looking to refine your approach to adversary simulation or simply intrigued by the future of cybersecurity, this talk will offer valuable insights into how the ACTOR Model bridges the gap between theory and practical defense strategies. It\u2019s not just about surviving the cyber battlefield; it's about simulating it with precision, foresight, and strategy.", "recording_license": "", "do_not_record": true, "persons": [{"code": "JYPHAH", "name": "Tristan MADANI", "avatar": null, "biography": "Tristan is a dedicated and motivated professional committed to delivering positive results and fostering continuous improvement in his work. Over the years, he has accumulated extensive experience in both Offensive (Red Teaming, Penetration Testing, Vulnerability Research) and Defensive Security (Threat Hunting, Incident Response, Digital Forensics, Malware Reverse Engineering), as well as systems and networks. 
Additionally, Tristan finds fulfillment in sharing his knowledge through Cyber Security Training, recognizing the value of collaboration and ongoing learning in this dynamic field.", "public_name": "Tristan MADANI", "guid": "a272fb46-1602-5662-b68b-3878f554d297", "url": "https://pretalx.com/hack-lu-2024/speaker/JYPHAH/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/DJ7SZA/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/DJ7SZA/", "attachments": []}, {"guid": "eb26a648-7e34-5524-a941-f91149a5d65b", "code": "GUYCCV", "id": 57205, "logo": "https://pretalx.com/media/hack-lu-2024/submissions/GUYCCV/ail-project-medium_yyJmKFy.png", "date": "2024-10-25T13:35:00+02:00", "start": "13:35", "duration": "00:05", "room": "Europe - Main Room", "slug": "hack-lu-2024-57205-ail-project-secrets-in-squares-qr-codes", "url": "https://pretalx.com/hack-lu-2024/talk/GUYCCV/", "title": "AIL Project: Secrets in Squares - QR Codes", "subtitle": "", "track": "hack.lu lightning talk", "type": "Lightning talk", "language": "en", "abstract": "Extracting Hidden gems in QR codes from Telegram and Tor with the AIL Project - https://ail-project.org/", "description": "AIL Project is an open source framework to collect, crawl, dig and analyse unstructured data. The framework can be used to find information leaks, intelligence, insights and much more.\r\n\r\nAIL includes an extensible Python-based framework for analysis of unstructure information collected via an advanced Crawler manager or from different feeders (such as Twitter, Discord, Telegram Stream providers) or custom feeders.", "recording_license": "", "do_not_record": false, "persons": [{"code": "7ULPM7", "name": "Aurelien Thirion", "avatar": null, "biography": "As a seasoned dark web connoisseur and lead developer of the AIL project, \r\nAur\u00e9lien enjoys exploring the complexities of the internet and analyzing it. 
\r\nHe is also a software engineer and analyst at CIRCL.", "public_name": "Aurelien Thirion", "guid": "d2c6ac51-1fbe-5d72-9d96-43a130fbcaa2", "url": "https://pretalx.com/hack-lu-2024/speaker/7ULPM7/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/GUYCCV/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/GUYCCV/", "attachments": []}, {"guid": "eb45806b-fe72-5a06-b192-d2d099002a6f", "code": "Y8AAE9", "id": 54441, "logo": null, "date": "2024-10-25T13:40:00+02:00", "start": "13:40", "duration": "00:05", "room": "Europe - Main Room", "slug": "hack-lu-2024-54441-pentests-using-llms", "url": "https://pretalx.com/hack-lu-2024/talk/Y8AAE9/", "title": "Pentests using LLMs", "subtitle": "", "track": "hack.lu lightning talk", "type": "Lightning talk", "language": "en", "abstract": "Using LLMs and other ML tools for attack surface discovery and pentesting.", "description": "Conjunction of LLMs and GANs in cybersecurity: network, OSINT, social engineering. Active probing techniques. Relation to LLM-based coding, TDD, test oracles, fuzzing. 
Next steps: adversarial SUT replication, humans as weakness, arms race dilemma.", "recording_license": "", "do_not_record": false, "persons": [{"code": "SGH9LU", "name": "Al Mochkin", "avatar": null, "biography": "Entrepreneur and Philanthropist Pioneering Global Computer Literacy and Privacy Advocacy", "public_name": "Al Mochkin", "guid": "0b9e93f3-bf41-516c-ad90-e79ab6394388", "url": "https://pretalx.com/hack-lu-2024/speaker/SGH9LU/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/Y8AAE9/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/Y8AAE9/", "attachments": [{"title": "Talk slides", "url": "/media/hack-lu-2024/submissions/Y8AAE9/resources/Pentests_using_LLMs_RGJtZaZ.pdf", "type": "related"}]}, {"guid": "783ea4ad-5f50-5462-9477-aeb52c6545cd", "code": "AK3C7H", "id": 57123, "logo": null, "date": "2024-10-25T13:45:00+02:00", "start": "13:45", "duration": "00:05", "room": "Europe - Main Room", "slug": "hack-lu-2024-57123-learn-anything-reload", "url": "https://pretalx.com/hack-lu-2024/talk/AK3C7H/", "title": "Learn anything - reload", "subtitle": "", "track": "hack.lu lightning talk", "type": "Lightning talk", "language": "en", "abstract": "Do you sometimes tell yourself that something is too difficult to learn? Well, it all depends on how you approach this new thing at first.", "description": "There's no secret: you can actually learn anything.", "recording_license": "", "do_not_record": false, "persons": [{"code": "3LW9XQ", "name": "Pauline Bourmeau (Cookie)", "avatar": "https://pretalx.com/media/avatars/3LW9XQ_fRZxzk4.webp", "biography": "Pauline's focus gravitates towards offensive cybersecurity, artificial intelligence, and programming culture. She has a background with experience in various fields including linguistics, criminology, cybersecurity, computer engineering, and education. 
By blending together approaches from humanities and deep technical insight, she provides a unique lens on cyber threats and their evolution. She provides these days AI developments and trainings, to make AI accessible to all. She is the founder of the Defcon group Paris and a French vice-champion para-climber.", "public_name": "Pauline Bourmeau (Cookie)", "guid": "c9728882-b3f8-50d5-b946-fb3cf82d1c4f", "url": "https://pretalx.com/hack-lu-2024/speaker/3LW9XQ/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/AK3C7H/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/AK3C7H/", "attachments": []}, {"guid": "ff76e582-2339-5656-a32b-665bda06aae5", "code": "WYPGG7", "id": 57132, "logo": null, "date": "2024-10-25T13:50:00+02:00", "start": "13:50", "duration": "00:05", "room": "Europe - Main Room", "slug": "hack-lu-2024-57132-luks-full-disk-encryption-upside-down", "url": "https://pretalx.com/hack-lu-2024/talk/WYPGG7/", "title": "Luks Full Disk Encryption Upside-Down", "subtitle": "", "track": "hack.lu lightning talk", "type": "Lightning talk", "language": "en", "abstract": "A use case where full disk encryption do not do what you expected, and you should be aware of it.", "description": "A live demo where I show, what happen with plaintext data, that was stored on the disk before full disk encryption got activated.", "recording_license": "", "do_not_record": false, "persons": [{"code": "89MNER", "name": "Michael Hamm", "avatar": "https://pretalx.com/media/avatars/89MNER_YoJRQ4I.webp", "biography": "Michael Hamm has worked for more than 10 years as Ing\u00e9nieur-S\u00e9curit\u00e9 in the field of classical Computer and Network Security (Firewall, VPN, AntiVirus) at the research center \u201cCRP Henri Tudor\u201d in Luxembourg. 
Since 2010, he has been working as an operator and analyst at CIRCL \u2013 Computer Incident Response Center Luxembourg where he is working on forensic examinations and incident response", "public_name": "Michael Hamm", "guid": "5ab493be-cb6e-5385-bd63-0de0cb8bd0d8", "url": "https://pretalx.com/hack-lu-2024/speaker/89MNER/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/WYPGG7/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/WYPGG7/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2024/submissions/WYPGG7/resources/HackLuks_t9cEjBX.pdf", "type": "related"}]}, {"guid": "2acd81c9-964d-5ed5-96da-c859e93e64c5", "code": "RMMUL7", "id": 57196, "logo": null, "date": "2024-10-25T13:55:00+02:00", "start": "13:55", "duration": "00:05", "room": "Europe - Main Room", "slug": "hack-lu-2024-57196-phantom-dll-hijacking-in-powershell-exe-aka-backdooring-powershell-for-fun-and-profit", "url": "https://pretalx.com/hack-lu-2024/talk/RMMUL7/", "title": "Phantom DLL Hijacking in Powershell.exe (aka Backdooring Powershell for Fun and Profit)", "subtitle": "", "track": "hack.lu lightning talk", "type": "Lightning talk", "language": "en", "abstract": "We will demonstrate how to Backdooring Powershell using Phantom DLL Hijacking.", "description": "This technique requires local administrator or system privileges to exploit, but it could be enticing for threat actors or red teams as it allows the loading of malicious code from a trusted process and a signed binary.", "recording_license": "", "do_not_record": true, "persons": [{"code": "JYPHAH", "name": "Tristan MADANI", "avatar": null, "biography": "Tristan is a dedicated and motivated professional committed to delivering positive results and fostering continuous improvement in his work. 
Over the years, he has accumulated extensive experience in both Offensive (Red Teaming, Penetration Testing, Vulnerability Research) and Defensive Security (Threat Hunting, Incident Response, Digital Forensics, Malware Reverse Engineering), as well as systems and networks. Additionally, Tristan finds fulfillment in sharing his knowledge through Cyber Security Training, recognizing the value of collaboration and ongoing learning in this dynamic field.", "public_name": "Tristan MADANI", "guid": "a272fb46-1602-5662-b68b-3878f554d297", "url": "https://pretalx.com/hack-lu-2024/speaker/JYPHAH/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/RMMUL7/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/RMMUL7/", "attachments": []}, {"guid": "f6ba678c-5c38-5071-841e-8105d17d9e0a", "code": "VLZFAQ", "id": 55301, "logo": null, "date": "2024-10-25T14:00:00+02:00", "start": "14:00", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-55301-internal-domain-name-collision-2-0", "url": "https://pretalx.com/hack-lu-2024/talk/VLZFAQ/", "title": "Internal Domain Name Collision 2.0", "subtitle": "", "track": "topic: hack.lu", "type": "Talk", "language": "en", "abstract": "The proliferation of new Top-Level Domains (TLDs) has sparked security concerns primarily around phishing and social engineering attacks. However, the emergence of these new TLDs has broadened the attack surface, making it easier for threat actors to exploit other domain-related vulnerabilities. Our research explored another critical but often overlooked vulnerability: Internal Domain Name Collision.", "description": "During our research, we examined how legacy systems configured before the TLD boom can become susceptible to these collisions, potentially allowing threat actors to redirect or intercept sensitive internal traffic. 
This vulnerability can have a ripple effect, impacting even newly installed systems that rely on configurations from those legacy systems (e.g. DHCP, DNS Suffix, etc.). This presentation will showcase our methodology for identifying vulnerable domains and present real-world examples of high-value targets at risk, including a major European city, a US Police Department, and critical infrastructure companies. These examples underscore the scale and the urgency of addressing this know but often overlooked aspect of internal domain name collisions.", "recording_license": "", "do_not_record": false, "persons": [{"code": "C978KS", "name": "Philippe Caturegli", "avatar": "https://pretalx.com/media/avatars/C978KS_Jm9DSY0.webp", "biography": "Philippe has over 20 years of experience in Information Security. Prior to founding Seralys, Philippe was a Senior Manager within the Information & Technology Risk practice at Deloitte Luxembourg where he led a team in charge of Security & Privacy engagements. In his previous work experience, Philippe held several roles within the information system security department of a global pharmaceutical company in London. 
While working with a heterogeneous network of over 100,000 users across the world and strict regulatory requirements, Philippe gained hands-on experience with various security technologies (VPN, Network and Application Firewalls, IDS, IPS, Host Intrusion Prevention, etc.).", "public_name": "Philippe Caturegli", "guid": "8e4ff8bb-59b6-5f25-835c-f11fb5ec92c3", "url": "https://pretalx.com/hack-lu-2024/speaker/C978KS/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/VLZFAQ/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/VLZFAQ/", "attachments": []}, {"guid": "07ce1444-90ef-5553-95e0-ae782db6cc6c", "code": "99DP7K", "id": 57601, "logo": null, "date": "2024-10-25T14:30:00+02:00", "start": "14:30", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-57601-lucky-leaks-400-mln-files-are-worth-a-thousand-words", "url": "https://pretalx.com/hack-lu-2024/talk/99DP7K/", "title": "Lucky leaks: 400+ mln files are worth a thousand words", "subtitle": "", "track": "topic: hack.lu", "type": "Talk", "language": "en", "abstract": "Do you hate ransomware? Good, so do we.\r\n\r\nAre you curious about gangs TTPs, leak value and effective strategies to limit the impact of a breach?\r\n\r\nWe will do our best to share our ongoing research and to provide you with all of this. 
And possibly some more.", "description": "Me and my good friend Eireann spent the last two years collecting and studying the activity of 50+ ransomware groups through their DLS (Data Leak Site), more often than not hidden by the Tor network.\r\n\r\nWe discovered that the list of the files inside the leaks can provide plenty of information about the gang's TTP, the impact for the victim and the most effective countermeasures.\r\n\r\nWe also started in August 2024 to automatically analyse leaks at scale, to better understand the real impact for the compromised entity.\r\n\r\nWe want to present the current results of this ongoing research effort, together with some methodologies we used and some mistakes criminals did that we were able to exploit.\r\n\r\nThe talk will not be recorded and is tagged TLP:RED.", "recording_license": "", "do_not_record": true, "persons": [{"code": "GURR3Y", "name": "Lorenzo Nicolodi", "avatar": "https://pretalx.com/media/avatars/GURR3Y_iFehcAG.webp", "biography": "I am a passionate cybersecurity researcher who has spent the last 18 years learning and sharing as much as possible about this fascinating field.\r\n\r\nDuring these years, I have been fortunate enough to work on multiple aspects of the cybersecurity world, including digital forensics, incident response, cryptography, penetration testing, reverse engineering, research and development, and threat intelligence.", "public_name": "Lorenzo Nicolodi", "guid": "36b4a49b-6f52-5b88-b1d9-60990b6ac989", "url": "https://pretalx.com/hack-lu-2024/speaker/GURR3Y/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/99DP7K/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/99DP7K/", "attachments": []}, {"guid": "fd4e9be1-07b7-56d6-b95e-670a8073b838", "code": "JKUEDF", "id": 53554, "logo": null, "date": "2024-10-25T15:00:00+02:00", "start": "15:00", "duration": "00:30", "room": "Europe - Main Room", "slug": 
"hack-lu-2024-53554-reverse-engineering-android-apps-with-acvtool", "url": "https://pretalx.com/hack-lu-2024/talk/JKUEDF/", "title": "Reverse engineering Android apps with ACVTool", "subtitle": "", "track": "topic: hack.lu", "type": "Talk", "language": "en", "abstract": "ACVTool is a sophisticated bytecode instrumentation tool designed for highlighting instruction coverage in Android apps. In 2024, ACVTool received a major update unlocking smali coverage analysis for modern complex Android apps. Now, ACVTool supports Multidex and Multi-APK applications of any size. Secondly, ACVTool can highlight a particular feature, e.g. to see the code actually executed when tapping a button. To further depict selected app behavior, ACVTool may partially shrink not executed code. ACVTool works on 3rd-party Android without source code, and it does not require a rooted device.", "description": "ACVTool was initially developed within University of Luxembourg with an idea of driving the coverage guided fuzzing and other automated testing frameworks for closed-source Android apps. Turned out, Android bytecode has many interesting peculiarities, which made ACVTool a highly challenging project. Over the past year, ACVTool project underwent a major revision. ACVTool has evolved into a well defined tool capable of effectively depicting executed code when reverse engineering Android apps.\r\n\r\nThe 2024 ACVTool release solved the major Multidex instrumentation challenge making it possible to handle modern Android apps. ACVTool also has learnt to deal with multiple APKs as Google Play nowadays delivers bundles apps in several APKs. This requires maintaining same signature over all APKs when repackaging only one of them. When it comes to repackaging, we learnt that Apktool, the most widely used repackaging tool, fails too often on complex applications. Therefore, ACVTool now implements more effective solution moving away from Apktool to the baksmali project. 
ACVTool runs baksmali to rewrite instrumented DEX files, and then we patch and rewrite AndroidManifest right inside the APK, which was apparently another challenge.\r\n\r\nAdditionally, ACVTool now allows for highlighting a particular feature execution. This may help reverse engineers significantly narrow the scope of analysed code and also better depict a feature execution. We demonstrate how it works on a preselected app.\r\n\r\nFinally, ACVTool includes an experimental shrinking functionality to further limit the analysis surface. From our experience, an average app may run less than 20% of its code when tested exhaustively. Usually, this still results in a huge pile of smali code to examine. Thus, instruction coverage of a single feature combined with shrinking gives a perfect slice of just executed code. Convenient to analyse!\r\n\r\nACVTool is freely available on GitHub under Apache 2.0 License. The Multidex instrumentation technique was patented, however, its implementation is free and fully available under ACVTool repository https://github.com/pilgun/acvtool.", "recording_license": "", "do_not_record": false, "persons": [{"code": "LAU9KN", "name": "Aleksandr Pilgun", "avatar": "https://pretalx.com/media/avatars/LAU9KN_OCqTL9Q.webp", "biography": "Aleksandr Pilgun is an independent Computer Scientist specialising on Android apps reverse engineering. \r\n\r\nInitially, Aleksandr has got Cyber Security education. He had an intense Software Engineering experience building enterprise level web solutions before moving to Luxembourg for PhD studies.\r\n\r\nIn 2020, Aleksandr defended his doctoral thesis at the University of Luxembourg. During this research, he developed ACVTool, - an efficient instruction coverage measurement tool, and the coverage-backed shrinking technique for Android apps. He repackaged and run tons of Android apps and performed an extensive analysis for the instrumentation technique from size, performance and automated testing perspective. 
Aleksandr continues development of ACVTool searching to emerge his academic project closer to industry needs. \r\n\r\nIn recent years, Aleksandr was focusing on examining Android apps including technical analysis of fraudulent applications and reverse engineering. He assisted a few FinTech startups to improve their service interoperability through reverse engineering. Last year, Aleksandr moved to Portugal to enjoy sunny days and ocean views around Lisbon.", "public_name": "Aleksandr Pilgun", "guid": "aa37f065-29ab-5e21-bb71-4e6a73855b5c", "url": "https://pretalx.com/hack-lu-2024/speaker/LAU9KN/"}], "links": [{"title": "GitHub: ACVTool", "url": "https://github.com/pilgun/acvtool", "type": "related"}], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/JKUEDF/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/JKUEDF/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2024/submissions/JKUEDF/resources/acvtool-2.3.2_UdI0a9f.pdf", "type": "related"}]}, {"guid": "2effa4d6-d5e0-5493-8899-f265ab467483", "code": "VAZ8JH", "id": 54342, "logo": null, "date": "2024-10-25T15:30:00+02:00", "start": "15:30", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-54342-detection-and-response-for-linux-without-edr", "url": "https://pretalx.com/hack-lu-2024/talk/VAZ8JH/", "title": "Detection And Response for Linux without EDR", "subtitle": "", "track": "topic: hack.lu", "type": "Talk", "language": "en", "abstract": "For defending Windows, EDR software is the simple, easy path. On Linux \u2013 not so much. Since products are designed and developed for Windows, they lack important capabilities on other platforms. We chose a different path.", "description": "In modern, networked, enterprise IT environments, the focus of defense teams has shifted from monitoring network infrastructure towards endpoints. 
Installing endpoint detection and response (EDR) software on user workstations and servers \u2013 and actually monitoring their activities and findings \u2013 has become an easy default choice. However, it appears that in development of most EDR products, with their heritage in antivirus software, a very Windows-centric worldview is retained. Support for other operating systems, especially Linux, seems to come as an afterthought, leaving visibility gaps that may be easily exploited by skilled attackers. \r\n\r\nAfter evaluating several EDR vendors' products specifically for use in a large, heterogeneous Linux server landscape, we found that the capabilities were no match to our existing near-real-time detection mechanisms. We couldn't even replicate our previous work using the products. Deciding against any EDR product meant that we need to find an alternative approach to building out response capabilities. This talk illustrates mostly home-grown approaches to detection and response engineering that provide analysts with tools for generating context and for large-scale threat hunting while making it as pleasant as possible for operations teams to integrate the required components into their systems.", "recording_license": "", "do_not_record": false, "persons": [{"code": "KLZ3CR", "name": "Hilko Bengen", "avatar": null, "biography": "Hilko works in the CSIRT for a transportation and logistics company. He feels most comfortable when thinking about problems that touch systems programming, operations and IT security. 
For more than 25 years, he has learned to take free and open source software for granted, and he is still amazed when he hears how others have found his contributions useful.", "public_name": "Hilko Bengen", "guid": "cd276f23-aea1-5b25-be01-f7dde6afa06b", "url": "https://pretalx.com/hack-lu-2024/speaker/KLZ3CR/"}], "links": [{"title": "Slide deck", "url": "https://hillu.github.io/conference-materials/hack.lu-2024/slides.reveal.html", "type": "related"}], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/VAZ8JH/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/VAZ8JH/", "attachments": []}, {"guid": "ed272a11-c993-5a5b-bc63-d232552d5a35", "code": "TNXGJL", "id": 51792, "logo": "https://pretalx.com/media/hack-lu-2024/submissions/TNXGJL/logo3_RkFkOq7.png", "date": "2024-10-25T16:15:00+02:00", "start": "16:15", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-51792-mercator-mapping-the-information-system", "url": "https://pretalx.com/hack-lu-2024/talk/TNXGJL/", "title": "Mercator - Mapping the information system", "subtitle": "", "track": "topic: hack.lu", "type": "Talk", "language": "en", "abstract": "Computer attacks are becoming increasingly sophisticated and occur in a rapidly evolving environment. To effectively address these challenges, organizations need a comprehensive understanding of their information systems. Achieving this requires implementing a detailed map of the Information System.", "description": "Creating a detailed map of the Information System provides a holistic view of all its components, enhancing readability and control. This cartography is crucial for the protection, defense, and resilience of the information system. 
It serves as an essential tool for managing information systems effectively and is mandatory for essential entities (NIS2) as part of a broader risk management framework.\r\n\r\nGitHub of the project : https://github.com/dbarzin/mercator", "recording_license": "", "do_not_record": false, "persons": [{"code": "F7ZBE7", "name": "Didier Barzin", "avatar": "https://pretalx.com/media/avatars/F7ZBE7_Bc65boE.webp", "biography": "Hi there, I'm Didier, a technology and information security enthusiast. I started my career as an information security Ninja, defending information systems against cyber threats using my Jedi skills. However, I also have another side to me that comes out at night, that of a benevolent hacker. I love using my skills to support the values of open source and firmly believe in them.\r\n\r\nI believe that technology can be used to improve people's lives, but this can only be done if we work together and share our knowledge. That's why I'm also a strong advocate of collaboration and openness in the tech industry.\r\n\r\nMay the source code be with you!", "public_name": "Didier Barzin", "guid": "f3d30423-f31f-58d2-a7b1-5130e94b7e0a", "url": "https://pretalx.com/hack-lu-2024/speaker/F7ZBE7/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/TNXGJL/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/TNXGJL/", "attachments": [{"title": "Powerpoint presentation", "url": "/media/hack-lu-2024/submissions/TNXGJL/resources/20241025_Merc_8kHmyX4.pdf", "type": "related"}]}, {"guid": "8694e2fe-4192-5cf8-b01b-e6afaee777a9", "code": "8GX8MS", "id": 54435, "logo": null, "date": "2024-10-25T16:45:00+02:00", "start": "16:45", "duration": "00:30", "room": "Europe - Main Room", "slug": "hack-lu-2024-54435-disconnecting-games-with-a-single-packet-an-unreal-untold-story", "url": "https://pretalx.com/hack-lu-2024/talk/8GX8MS/", "title": "Disconnecting games with a single packet: an Unreal untold story", "subtitle": "", "track": "topic: 
hack.lu", "type": "Talk", "language": "en", "abstract": "In 2023, the gaming industry reached a worldwide revenue of US$384.9 billion. Yet, this industry is facing a growing number of cheating actors and techniques. \r\n\r\nWe introduce new attacks targeting multiplayer games based on Unreal Engine such as Fortnite, PUBG, Valorant... These attacks disconnect a player from an ongoing game session against his will. Cheaters can launch it as a Denial-of-Service against opponents with very few packets (sometimes only one). In most cases, the attacker can steal the victory from the target without exposing himself as a cheater.\r\n\r\nIt is important to understand that these attacks do not exist because of a vulnerability or an implementation error. They are conscious design choices, dictated by the constraints inherent to a widely distributed multiplayer game. Mitigating these attacks is thus not trivial. \r\n\r\nThis talk shows how such issues present in a single game engine can spread widely, across several games produced by different editors. It is quite probable that other game engines, such as Unity, are not immune to these issues. However, this presentation solely focuses on the Unreal Engine whose source code is available. We present our analysis of the design and implementation choices made within the Unreal Engine. We explain how to exploit the protocols used. We cover and discuss how to defeat some common countermeasures used on the Internet against IP spoofing, such as Source Address Validation. We mention some mitigation strategies for video game developers. We show videos of these attacks against real popular games.", "description": "## Introduction\r\nCheating is a major threat to the Multiplayer Online Game industry, undermining the fairness among players and impacting their user experience.  
\r\n\r\n## Unreal Engine: crucial common pieces of many games\r\nGame engine are software framework designed for the creation of video games, providing core functionalities to developers. Vulnerabilities within the engine, shared by multiple games can spread widely. This talk focuses on Unreal Engine (UE), powering some of the most famous games in the industry. \r\n\r\nWe introduce UE's network architecture, highlighting the UDP-based application-layer protocols used for communication, as well as the encryption components available.\r\n\r\n## A new attack exploiting Unreal Engine security features\r\nWe introduce new attacks that we have reported to all affected games through a responsible disclosure process. The general idea is to disconnect opponents within the same match by sending a single, specific packet. The attack exists under several flavors, with different packets, for different reasons. \r\n\r\nWe present concrete examples of the attack in practice with three video demonstrations on the following games: Fortnite, The Finals, and Valorant.\r\n\r\nWe present the methods we applied to investigate the root causes behind these vulnerabilities, combining static code analysis and dynamic profiling using an experimental game, developed with Unreal Engine.\r\n\r\nWe present and explain our findings: When parsing a received packet, the engine checks the data's validity to detect corrupted values that could propagate to errors in the game logic. In some specific cases, this can lead to the client being disconnected from the ongoing game. This feature is likely to have been designed for security purposes to disconnect suspicious clients trying to tamper with the game packets. However, a malicious player A can exploit this by spoofing player B's IP address and sending a single faulty packet to disconnect B from the game, performing a Denial-of-Service attack against B. 
\r\n\r\nWe explain the limitations of Unreal Engine\u2019s encryption components in preventing those attacks.\r\n\r\n## Practical exploitability of the attack\r\nWe present two detailed procedures to carry out this attack in different contexts. \r\n1. By broadcasting the specific packet within a LAN. \r\n2. In an online Game context over the Internet. We outline the steps required: finding the target's IP address (using the ICE protocols to establish a P2P communication traversing firewalls), spoofing an IP address over the Internet (bypassing Source Address Validation), and launching the attack.\r\n\r\nWe discuss potential mitigations that Unreal developers could implement.\r\n\r\n## Conclusion\r\nWhile making the task easier for game developers, game engines inadvertently broaden the scope of vulnerabilities. Consequently, achieving security at the engine level is primordial to strengthen the overall game industry. New powerful attacks targeting big names in the video games industry are disclosed and explained, with a focus on the limitations of the network devices used for security: firewall traversal, and IP address spoofing. It is an eye-opener for that community. \r\n\r\nBeyond video games, Unreal Engine is also used in VR, digital twins, automotive HMI, and more. While we haven't identified other exploitations of this vulnerability yet, it could lead to more critical issues in the future. Therefore, it's crucial to raise awareness and fix it.", "recording_license": "", "do_not_record": false, "persons": [{"code": "CHBXXM", "name": "Hugo Bertin", "avatar": "https://pretalx.com/media/avatars/CHBXXM_9nnELsd.webp", "biography": "Hugo Bertin is a Visiting Student in the SeRBER research group at KAUST, Saudi Arabia. He got his master degree in CS from the University of Rennes, France. During this degree he realised different internships at the IRISA research lab, in France, where he could work on isolation units in the cloud under the supervision of Prof. 
David Bromberg and Ass. Prof. Djob Mvondo. He also studied software engineering and cyber-security as an exchange student at Newcastle University, UK.\r\n\r\nHe is interested in the network and system aspects inherent to distributed systems, which often involve a trade-off between security and performance. He is currently working on EGaming Security under the supervision of Prof. Marc Dacier and Prof. David Bromberg. The research project aims to investigate the security aspects leveraged by the gaming industry, which has experienced unprecedented growth and is expected to continue to shape tomorrow's virtual worlds. This comes with new challenges to enhance security, mainly to prevent cheating. From a technical point of view, Hugo is investigating synchronization and security mechanisms in game engines such as Unreal Engine.", "public_name": "Hugo Bertin", "guid": "5b64f243-2cf2-5148-93d6-abca9ed54eac", "url": "https://pretalx.com/hack-lu-2024/speaker/CHBXXM/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/8GX8MS/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/8GX8MS/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2024/submissions/8GX8MS/resources/disconnecting_R6Ghxmm.pdf", "type": "related"}]}], "Schengen 1 & 2": [{"guid": "77914417-02ca-5942-aa35-31c241c6dd2c", "code": "3FRCUT", "id": 54208, "logo": null, "date": "2024-10-25T10:15:00+02:00", "start": "10:15", "duration": "01:30", "room": "Schengen 1 & 2", "slug": "hack-lu-2024-54208-xor-cryptanalysis", "url": "https://pretalx.com/hack-lu-2024/talk/3FRCUT/", "title": "XOR Cryptanalysis", "subtitle": "", "track": "topic: hack.lu", "type": "Workshop", "language": "en", "abstract": "In this 2 hour workshop, Didier will guide you through XOR Cryptanalysis exercises using several open source tools (several of these tools are created and maintained by Didier).", "description": "In this 2 hour workshop, Didier will guide you through XOR Cryptanalysis exercises using 
several open source tools (several of these tools are created and maintained by Didier). \r\n\r\nAfter an introduction to the XOR operator and its use in cryptography, we will work through several exercises that will familiarize you with tools like: \r\n\r\nCyberChef \r\n\r\ntranslate.py \r\n\r\nXOR 010 Editor script \r\n\r\nXORSearch \r\n\r\nxor-kpa.py \r\n\r\nAnd we will end with exercises using custom ransomware decryption tools that Didier developed for a particular ransomware strain with flawed crypto.", "recording_license": "", "do_not_record": false, "persons": [{"code": "UY3X3H", "name": "Didier Stevens", "avatar": "https://pretalx.com/media/avatars/UY3X3H_9zuIVU6.webp", "biography": "Didier Stevens (SANS ISC Handler, ...) is a Senior Analyst working at NVISO. Didier has developed and published more than 100 tools, several of them popular in the security community.You can find his open source security tools on his IT security related blog http://blog.DidierStevens.com", "public_name": "Didier Stevens", "guid": "d2d02961-a2a7-514e-9edd-6402e97ffde4", "url": "https://pretalx.com/hack-lu-2024/speaker/UY3X3H/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/3FRCUT/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/3FRCUT/", "attachments": []}, {"guid": "dae014e8-7a4a-5c58-b659-d76fa8932b73", "code": "VZN7KU", "id": 53820, "logo": null, "date": "2024-10-25T14:00:00+02:00", "start": "14:00", "duration": "02:00", "room": "Schengen 1 & 2", "slug": "hack-lu-2024-53820-exploring-firmwares-tools-and-techniques-for-new-cartographers", "url": "https://pretalx.com/hack-lu-2024/talk/VZN7KU/", "title": "Exploring Firmwares: Tools and Techniques for (New) Cartographers", "subtitle": "", "track": "topic: hack.lu", "type": "Training", "language": "en", "abstract": "This workshop will introduce attendees to the world of firmware analysis. It will discuss only structured firmwares---i.e. 
firmware containing a file system---as opposed to monolithic firmwares, also known as bare-metal firmwares. Students will discover two major steps of this analysis workflow, which are also the most firmware-specific ones: extraction of the filesystem and its cartography. Various open-source tools will be introduced, including two developed by Quarkslab: Pyrrha, a mapper collection for firmware analysis, and its underlying API Numbat. Based on the latter, attendees will be able to develop their own cartography tools with a nice UI. Throughout this workshop, a strong focus will be placed on the tasks that could be automated by existing or future tools, but also on the limits of this automation.
In this case, the format must be reverse-engineered to create the\r\nappropriate unpacker.\r\n\r\nLabs:\r\nUsing Binwalk[3]/Unblob[4] to extract a firmware.\r\n- Extraction of a router firmware using binwalk or unblob, discussion of the limits of these tools.\r\n- Create your own extractor using Kaitai Struct[5].\r\n\r\n**Cartography** consists of gathering any information about the firmware and identifying points of interest\r\nwhich will require deeper analysis, either to find a vulnerability or to assess that the firmware is correctly secured.\r\nFirst, we will introduce what we are usually looking for in a firmware:\r\n- boot process and initialization system;\r\n- attack surface;\r\n- classic weaknesses like disabled TLS peer-certificate verification (e.g. an SSL NO_VERIFY_PEER option);\r\n- deprecated OpenSSL options;\r\n- unbounded string copies such as strcpy calls;\r\n- etc.
url: https://github.com/onekey-sec/unblob.\r\n[5] Kaitai Struct. 2015. url: https://github.com/kaitai-io/kaitai_struct.
Triggering the alarm makes the mission fail.", "recording_license": "", "do_not_record": false, "persons": [{"code": "ZTMXFW", "name": "Stijn Tomme", "avatar": "https://pretalx.com/media/avatars/ZTMXFW_uIVfOdZ.webp", "biography": "Trying to combine fun with some security related stuff", "public_name": "Stijn Tomme", "guid": "ead70de2-5a9e-5747-942b-781b37612c50", "url": "https://pretalx.com/hack-lu-2024/speaker/ZTMXFW/"}, {"code": "XSQKRS", "name": "Dominiek Madou", "avatar": null, "biography": null, "public_name": "Dominiek Madou", "guid": "de6560ce-2a70-5fdc-9b86-d17eb5d6e945", "url": "https://pretalx.com/hack-lu-2024/speaker/XSQKRS/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/ACPFRF/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/ACPFRF/", "attachments": []}, {"guid": "b876df62-b7fb-5c94-ab50-96f340d7d61f", "code": "ACPFRF", "id": 52793, "logo": null, "date": "2024-10-25T14:00:00+02:00", "start": "14:00", "duration": "01:30", "room": "Echternach & Diekirch", "slug": "hack-lu-2024-52793-7-the-heist-get-your-hands-on-the-goods", "url": "https://pretalx.com/hack-lu-2024/talk/ACPFRF/", "title": "The Heist: get your hands on the goods!", "subtitle": "", "track": "topic: hack.lu", "type": "Workshop", "language": "en", "abstract": "The Heist: get your hands on the goods!", "description": "In a 90 minute workshop a team of max. 5 persons can enter the room. During the first 15 minutes they will receive a briefing on the mission. The countdown timer starts the mission (60 minutes)\r\nGoal is to get your hands on the goods that are protected by an alarm system. 
Triggering the alarm makes the mission fail.", "recording_license": "", "do_not_record": false, "persons": [{"code": "ZTMXFW", "name": "Stijn Tomme", "avatar": "https://pretalx.com/media/avatars/ZTMXFW_uIVfOdZ.webp", "biography": "Trying to combine fun with some security related stuff", "public_name": "Stijn Tomme", "guid": "ead70de2-5a9e-5747-942b-781b37612c50", "url": "https://pretalx.com/hack-lu-2024/speaker/ZTMXFW/"}, {"code": "XSQKRS", "name": "Dominiek Madou", "avatar": null, "biography": null, "public_name": "Dominiek Madou", "guid": "de6560ce-2a70-5fdc-9b86-d17eb5d6e945", "url": "https://pretalx.com/hack-lu-2024/speaker/XSQKRS/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/ACPFRF/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/ACPFRF/", "attachments": []}], "Vianden & Wiltz": [{"guid": "f6e670c8-10b9-5116-a81a-ad479e7f5ccc", "code": "SM9XM3", "id": 56650, "logo": null, "date": "2024-10-25T10:15:00+02:00", "start": "10:15", "duration": "01:45", "room": "Vianden & Wiltz", "slug": "hack-lu-2024-56650-zeek-and-destroy-with-python-and-machine-learning-workshop-part-1-2", "url": "https://pretalx.com/hack-lu-2024/talk/SM9XM3/", "title": "Zeek and Destroy with Python and Machine Learning Workshop (Part 1/2)", "subtitle": "", "track": "topic: hack.lu", "type": "Workshop", "language": "en", "abstract": "Zeek is an open-source network security monitor (NSM) and analytics platform that has been around for quite some time (since the mid-90s). It is used at large university campuses and research labs, but in the past few years, more and more security professionals in the industry have turned their attention to this fantastic tool.", "description": "The Zeek open-source NSM platform is so much more than just the vanilla Zeek log files. With a bit of Zeek scripting and Python bindings, you can connect it via Zeek Broker to your Python programs and libraries like Numpy, Pandas, and Tensorflow. 
Join us and use Python with machine learning to supercharge your Zeek environment!", "recording_license": "", "do_not_record": false, "persons": [{"code": "AVT3LK", "name": "Eva Szilagyi", "avatar": "https://pretalx.com/media/avatars/AVT3LK_jFvrTJF.webp", "biography": "Eva Szilagyi is a principal consultant at Alzette Information Security, an information security consulting company based in Europe. She has more than ten years of professional experience in various areas like penetration testing, security source code review, vulnerability management, digital forensics, IT auditing, telecommunication networks, and security research. Eva has two master's degrees in electrical engineering and in networks and telecommunication. She holds several IT security certifications, such as GSEC, GICSP, GCFE, GCIH, GCFA, GMON, GRID, GSSP-JAVA, GWAPT, GDSA, GCDA, GMOB, GMLE, CDP, CCSK, eCIR, eWPT, and eJPT.\r\nEva regularly speaks at international conferences like BruCON, Hack.lu, Nuit du Hack, Hacktivity, Black Alps, BlackHoodie, BSides London, BSides Munich, BSidesBUD, BSides Stuttgart, Pass the SALT, Security Session, SANS @Night Talks, and she is a former member of the organizer team of the Security BSides Luxembourg conference.", "public_name": "Eva Szilagyi", "guid": "c419d958-07c3-5209-bd85-a4fcd3dc65db", "url": "https://pretalx.com/hack-lu-2024/speaker/AVT3LK/"}, {"code": "PTRYM8", "name": "David Szili", "avatar": "https://pretalx.com/media/avatars/PTRYM8_mE2THbT.webp", "biography": "David Szili is a principal consultant at Alzette Information Security, an information security consulting company based in Europe. He has more than ten years of professional experience in various areas like penetration testing, red teaming, security monitoring, security architecture design, incident response, digital forensics, and software development. 
David has two master's degrees, one in computer engineering and one in networks and telecommunication, and he has a bachelor's degree in electrical engineering. He holds several IT security certifications, such as GSE, GSEC, GCFE, GCED, GCIA, GCIH, GCFR, GMON, GCTD, GCDA, GPEN, GNFA, GPYC, GMOB, GMLE, GAWN, CCSK, OSCP, OSWP, CAWASP, CRTP, BTL1, and CEH.\r\nHe is also a certified instructor at SANS Institute, teaching FOR572: Advanced Network Forensics and FOR509: Enterprise Cloud Forensics and Incident Response, and he is the lead author of SANS DFIR NetWars. David regularly speaks at international conferences like BruCON, Hack.lu, Hacktivity, x33fcon, Nuit du Hack, BSides London, BSides Munich, BSides Stuttgart, BSidesLjubljana, BSidesBUD, BSides Luxembourg, Pass the SALT, Black Alps, Security Session, Future Soldier, SANS @Night Talks, Meetups, and he is a former member of the organizer team of the Security BSides Luxembourg conference.", "public_name": "David Szili", "guid": "82511a64-c4b0-5f52-8c53-3de7208e6f12", "url": "https://pretalx.com/hack-lu-2024/speaker/PTRYM8/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/SM9XM3/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/SM9XM3/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2024/submissions/SM9XM3/resources/2024_Zeek_and_JUniyOq.pdf", "type": "related"}]}, {"guid": "41a816aa-483b-5aa6-9f79-89b46c00ce61", "code": "KRJMJB", "id": 54225, "logo": null, "date": "2024-10-25T14:00:00+02:00", "start": "14:00", "duration": "01:45", "room": "Vianden & Wiltz", "slug": "hack-lu-2024-54225-zeek-and-destroy-with-python-and-machine-learning-workshop-part-2-2", "url": "https://pretalx.com/hack-lu-2024/talk/KRJMJB/", "title": "Zeek and Destroy with Python and Machine Learning Workshop (Part 2/2)", "subtitle": "", "track": "topic: hack.lu", "type": "Training", "language": "en", "abstract": "Zeek is an open-source network security monitor (NSM) and analytics platform that has 
been around for quite some time (since the mid-90s). It is used at large university campuses and research labs, but in the past few years, more and more security professionals in the industry have turned their attention to this fantastic tool.\r\n\r\nBut Zeek is so much more than just a NIDS generating alerts (notices) and log files! Zeek's scripting language allows security analysts to perform arbitrary analysis tasks such as extracting files from sessions, detecting brute-force attacks, or, most importantly, interfacing with external sources, such as Python! The Zeek Python bindings allow us, the analysts, to use powerful Python libraries such as Numpy, Pandas, and Tensorflow and apply machine learning-based detection on network traffic.\r\n\r\nDuring this two-hour workshop, we will learn about the following topics:\r\n- Super fast introduction to Zeek (architecture, events, logs, signatures, etc.)\r\n- Using machine learning and data science tools on Zeek logs (as an example, we will use Fourier Analysis to detect C2 beaconing)\r\n- Super fast crash course in Zeek scripting (just enough to understand how to create new logs)\r\n- Connecting Zeek and Python via the Zeek Broker Communication Framework\r\n- Using machine learning tools in Python on the data we receive from Zeek for detection (as an example, we will use convolutional neural network and random forest models to compare them, and then use them to find unknown malware in live network traffic)\r\n\r\nRequirements for the workshop:\r\n- A laptop with at least 16 GB of RAM and more than 50 GB of free disk space (VT-x support must be enabled on the host system).\r\n- Application to run Virtual Images (type-2 hypervisor): VMWare Workstation Pro (recommended), VMWare Workstation Player, VMWare Fusion, or VirtualBox.\r\n- Only 64-bit Intel-compatible (Intel or AMD) processors are supported. 
WARNING: ARM-based devices (like Apple Silicon, Qualcomm Snapdragon, some Microsoft Surface laptops) cannot natively virtualize the x86-64 virtual machine images used in this workshop and therefore cannot be used for the workshop.
She holds several IT security certifications, such as GSEC, GICSP, GCFE, GCIH, GCFA, GMON, GRID, GSSP-JAVA, GWAPT, GDSA, GCDA, GMOB, GMLE, CDP, CCSK, eCIR, eWPT, and eJPT.\r\nEva regularly speaks at international conferences like BruCON, Hack.lu, Nuit du Hack, Hacktivity, Black Alps, BlackHoodie, BSides London, BSides Munich, BSidesBUD, BSides Stuttgart, Pass the SALT, Security Session, SANS @Night Talks, and she is a former member of the organizer team of the Security BSides Luxembourg conference.", "public_name": "Eva Szilagyi", "guid": "c419d958-07c3-5209-bd85-a4fcd3dc65db", "url": "https://pretalx.com/hack-lu-2024/speaker/AVT3LK/"}, {"code": "PTRYM8", "name": "David Szili", "avatar": "https://pretalx.com/media/avatars/PTRYM8_mE2THbT.webp", "biography": "David Szili is a principal consultant at Alzette Information Security, an information security consulting company based in Europe. He has more than ten years of professional experience in various areas like penetration testing, red teaming, security monitoring, security architecture design, incident response, digital forensics, and software development. David has two master's degrees, one in computer engineering and one in networks and telecommunication, and he has a bachelor's degree in electrical engineering. He holds several IT security certifications, such as GSE, GSEC, GCFE, GCED, GCIA, GCIH, GCFR, GMON, GCTD, GCDA, GPEN, GNFA, GPYC, GMOB, GMLE, GAWN, CCSK, OSCP, OSWP, CAWASP, CRTP, BTL1, and CEH.\r\nHe is also a certified instructor at SANS Institute, teaching FOR572: Advanced Network Forensics and FOR509: Enterprise Cloud Forensics and Incident Response, and he is the lead author of SANS DFIR NetWars. 
David regularly speaks at international conferences like BruCON, Hack.lu, Hacktivity, x33fcon, Nuit du Hack, BSides London, BSides Munich, BSides Stuttgart, BSidesLjubljana, BSidesBUD, BSides Luxembourg, Pass the SALT, Black Alps, Security Session, Future Soldier, SANS @Night Talks, Meetups, and he is a former member of the organizer team of the Security BSides Luxembourg conference.", "public_name": "David Szili", "guid": "82511a64-c4b0-5f52-8c53-3de7208e6f12", "url": "https://pretalx.com/hack-lu-2024/speaker/PTRYM8/"}], "links": [], "feedback_url": "https://pretalx.com/hack-lu-2024/talk/KRJMJB/feedback/", "origin_url": "https://pretalx.com/hack-lu-2024/talk/KRJMJB/", "attachments": [{"title": "Slides", "url": "/media/hack-lu-2024/submissions/KRJMJB/resources/2024_Zeek_and_2Tw4m9G.pdf", "type": "related"}]}]}}]}}}