Security BSides Athens 2018


Having a Career in Cyber Security; going down the rabbit hole...

by Dimitris Dorizas, @DimitrisDorizas

Abstract: As the Cyber Security world becomes more and more popular, the professional orientation around this area is becoming more complex and vast. Although the job market is in desperate need of more, and more talented, security engineers, it has become equally difficult to build a solid career based only on ethical incentives. After 15 years of hands-on experience in the field, Dimitris will try to take you through the “dark” and challenging paths using his own experiences. Welcome to the rabbit hole of the Cyber Security Engineer...

Bio: Dimitris Dorizas has more than 15 years of experience in the Information Security and Cyber Security arena, and he is well established in the security industry. He currently works for Encode Group in Greece as MSS & Integration Services Manager. Dimitris’ expertise includes security architecture design, systems & network security management, MSS infrastructure design & operational management, and incident response orchestration.

Talk #1

What hacking has taught me about security in depth, detective and preventive measures

by Jos van der Peet, @Voske1985

Abstract: This talk will revolve around my learnings and insights regarding defence in depth, preventive measures and detective measures in corporate networks, which I gained during my 4 years of red-teaming. It will cover how attackers work and how they defeat security controls on various levels, ranging from the systems your end-users work on, all the way through to 2FA and 4-eye principles on critical business assets. Defence in depth matters, but if not done right it can be quite trivial for attackers to sidestep certain controls to get to the data they want. Just securing your ‘crown jewels’ is insufficient, and ‘trusting your users’ may just be the biggest mistake you make. The talk will also go into the differences in and dependencies between preventive and detective measures, and whether or not it is possible to fix a lack of the former by doing more of the latter. The talk is based on and supported by real-life examples.

Bio: I’m an ‘ethical hacker’ with over 12 years of experience in IT and Information Security: analysing systems, building systems, performing code reviews, architecture reviews, application and infrastructure testing. In recent years, I've been using my experience in all these fields to perform Red- and Purple-teaming exercises (including physical intrusion, phishing exercises and network exploitation) for small and large companies all around the world, helping them identify weaknesses and improve their overall security posture. I am especially concerned with helping companies embrace ‘security’ as an enabler to confidently bring new offerings to market, rather than trying to work around ‘the security department-of-no’.

Talk #2

This is a serious laptop. No games and chatting possible. OK?

by Yiannis Koukouras, @twelvesec

Abstract: Secure workstation and laptop setups are not always so secure. In this presentation, we will demonstrate a series of vulnerabilities we identified during penetration testing of a "Secure" laptop that utilises an IPSec VPN client, a desktop firewall, Network Access Control, Full Disk Encryption and many other controls to prevent data extrusion and corporate network intrusion. We will try to showcase the attacker's mindset in exploiting highly secure setups for high-profile organisations where security is not only built in but plays a substantial role in their mission. In such scenarios, inconspicuous misconfigurations, software bugs and race conditions, if properly exploited, can lead to vulnerabilities with devastating impact on these critical systems.

Bio: Yiannis Koukouras, OSCP, CISSP, CISSP-ISSAP, CISM, CISA, has over 15 years of experience in the ICT domain, specialising in the Information Security sector. He started his career as a network security administrator and then went on to offer information security consulting services to various companies across the globe, gaining valuable, hands-on experience. Yiannis has partnered with some of the leading Information Security companies in the EMEA region and has accrued experience in working across different regions and industries, both in the field of security management and in information security assurance. Yiannis specialises in web application and infrastructure penetration testing, while he is an active community supporter through various engagements. He is a board member of the Hellenic (ISC)2 Chapter and a member of the Greek ISACA and OWASP chapters.

Talk #3

Full Packet Capture for the Masses

by Xavier Mertens, @xme

Abstract: When you are facing a security incident, your investigations will depend on the data that you can analyze. While logs are often the first source of evidence, it can sometimes be useful to have access to a full packet capture to "dive deeper" into the traffic generated from/to the compromised network or host. Full packet capture (FPC) is like your insurance: you implement it and you never know if you'll have to use it... until something weird happens! In my presentation, I'll present a simple way to implement FPC for small organizations, based on open source solutions (Moloch, Docker), and how to interconnect them. This talk is an extension of my SANS ISC diary (The easy way to analyze huge amounts of PCAP data) with more practical details.

Bio: Xavier Mertens is a freelance security consultant based in Belgium. His daily job focuses on protecting his customers’ assets by applying “offensive” (pentesting) as well as “defensive” security (incident handling, forensics, log management, SIEM, security visualisation, OSINT). Besides his daily job, Xavier is also a security blogger (https://blog.rootshell.be), a SANS ISC handler (https://isc.sans.org) and co-organizer of the BruCON (http://www.brucon.org) security conference.

Talk #4

Making a state-backed implant invisible (introducing a new blind spot of modern A/V & HIDS solutions)

by Dimitrios Bougioukas

Abstract: This talk is about a cutting-edge A/V and HIDS evasion technique. Essentially, we will present a newly discovered blind spot of modern endpoint security solutions, residing entirely in memory. More specifically, during the talk we will showcase how a RAM disk, in conjunction with a PE loader that loads PE files from disk (in this case a RAM disk), can be used to drop and execute any malicious executable (regardless of its A/V detection score), evading almost all endpoint security solutions. It should be noted that during the talk we will touch kernel land, since a kernel-level driver is involved in the process. Such a technique can also prove handy during the post-exploitation phase when dealing with closed-source malware whose A/V detection score is high. To prove the effectiveness of our technique, we will perform a live demonstration, dropping and executing the recently leaked PeddleCheap implant, designed by the NSA itself, on a machine featuring an enterprise-grade A/V and HIDS solution, without being detected.

Bio: Dimitrios Bougioukas is the Director of IT security training services and IT security research lead of eLearnSecurity. Dimitrios also authors advanced IT security courses, taken by individuals, Fortune 100 companies and government agencies alike. In the past, he has worked as an information security engineer and analyst for a major financial institution and as a penetration tester within EY's practice. Dimitrios specializes in advanced cyber threat simulation, threat intelligence and purple team tactics. He has been engaged on numerous penetration testing activities and he has presented at information security conferences, such as BSides. Dimitrios has also received acknowledgements from security, telecom and other major companies for reporting vulnerabilities in their applications (IBM Trusteer, LG etc.). In the context of his professional career, his work led to international and regional information security awards in highly competitive contests such as Retail Banker International Awards.

Talk #5

Red + Blue = Purple: How to execute purple team exercises even if you think you can’t

by Isidoros Monogioudis, @isidor_mon

Abstract: The benefits of Red and Blue Teams working together have become more widely accepted in recent years, popularizing the concept of Purple Teaming. But how can a small organization or enterprise implement a Purple Team? What human and technical resources are needed? Where do you start from? What preparation is required? And how long does it take to execute? These questions often lead to the assumption that a specially trained team with highly sophisticated technical skills and resources is needed. While most security teams would ideally have these resources at their disposal, we know this is not the reality for most organizations. This presentation will demonstrate how even small IT security teams can benefit from executing Purple Team exercises at a smaller scale by splitting tasks and following well-known and documented techniques to evaluate their defence toolset. It will highlight how Purple Team exercises can be carried out in practice without a sophisticated and dedicated Red Team, and show how these exercises can be part of the internal Information Security Management System (ISMS) program to improve an organization’s security posture and evaluate current security measures and gaps. In particular, the presentation will focus on how different reference models such as MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) can be used to define metrics and threat models tailored for each individual organization, improving the value of the exercise’s findings. In this context, security methods are continuously evaluated and improved by being tested against a framework that takes into account both the most basic and the most sophisticated attack methods available to adversaries.

Isidoros will also provide examples (including privilege escalation attempts and command and control communication) of how predefined and well-prepared attacks with open source tools can be tested, and what security metrics and controls should be included for mitigation. For example, by using the ATT&CK matrix, IT security teams can map the associated defensive techniques, controls, tools and commands used, to clearly demonstrate the feasibility and efficiency of each attack. Finally, Isidoros will explain how the results of Purple Teaming exercises can be most effectively communicated.

Bio: Isidoros Monogioudis is a Senior Cyber Security Analyst with more than 20 years’ experience in the cyber security and defense domains. As a Senior Cyber Defense Officer in the Greek Ministry of Defense, Isidoros was involved in several cyber security operations and defense exercises at both national and international levels (Panoptis, NATO Cyber Coalition, Locked Shields, Cyber Europe). Following his retirement, he joined Digital Shadows where he works on adversary tools, tactics and techniques (TTP) research, threat intelligence operations and internal security activities, including local Purple Team exercises.

Talk #6

NATO and Cybersecurity: Driving Progress Across the Alliance

by Niko Pissanidis, @nikopissanidis

Abstract: In the past, aggressive activity by other states meant soldiers crossing the border; today things aren't as straightforward.
Nowhere is the fog thicker than in cyberspace, given the nature of cyber attacks and the range of actors operating in it. How do NATO member states stay ahead of the curve, and how can a Cyber Defense Centre of Excellence help? How do we coherently build synergies between the different (strategic, legal, technical) perspectives on cyber? What does NATO consider a cyber attack, and when should Article 5 of the treaty be activated? Where does Greece stand in all that?

I will try to answer these questions in a simple, understandable way and develop the discussion through my presentation, titled "NATO and Cybersecurity: Driving Progress Across the Alliance".

Bio: Started as a developer, coding the middleware and front end of a C2 project with EJB, JSP, ICEfaces and web services, for 10 years. The last 5 years dealing with cybersecurity, conference organising, secure coding and web penetration testing, but never stopping learning.
Had the privilege for three years (2014-17) to serve as the first Greek Officer in the NATO Cooperative Cyber Defence Centre of Excellence (NATO CCD COE), Tallinn (Estonia), at the Technical Branch. On 03 Nov 2015, the Hellenic Republic joined NATO CCD COE as a sponsoring nation and the Greek flag waves in Tallinn.

Through my key participation as a Green and Red team member in major Cyber Defence exercises such as Locked Shields and Crossed Swords 2015-17, I have developed and exploited web targets according to each year's scenario.

Besides that, as technical track manager of the IEEE Cyber Conflict (CyCon) conference 2015-17, I organised and moderated several combined (technical, strategy, law and policy) sessions at IEEE CyCon 2015-17 on a variety of topics (Network Centric Warfare, New Cyber Threats in Aviation, Protection of Weapon Systems, Anonymity-Privacy-Encryption, Internet of Things as an Attack Vector, and Blockchain’s approach to Cybersecurity problems), but mostly on future critical defence technologies that are needed to support military capabilities.

Talk #7

Using Apklab.io Mobile Threat Intel platform to fight banking threats

by Nikolaos Chrysaidos, @virqdroid

Abstract: To do his job well, an analyst requires detailed data analyses, breakdowns and correlations of applications with similar samples and behaviors, all at once. Apklab.io’s main goal is to provide structured intelligence for mobile threats, including collection of static and dynamic features, an indexable and queryable database of features, detection information, family tracking, custom and automatic labeling, and prevention of the threat from spreading further. Threat features are collected for our machine learning model by two main boxes: the dynamic and the static analysis box. The presentation will highlight some of the advantages of using a unified platform to hunt for new threats and explore how apklab.io has revolutionized the way we track them (and in some cases also the actors behind them) in near real time. In addition, it will be shown how we use the platform to investigate prevalent campaigns in the wild. All of this will be demonstrated on the recent case of the BankBot malware, which repeatedly and successfully made its way onto the Google Play Store. In October and November of 2017, for instance, the malicious actors behind BankBot were constantly uploading droppers to Google Play that mainly downloaded banking Trojans. Using apklab.io and the family tracking feature, we were able to identify and detect every sample that was being uploaded to Google Play within minutes of it appearing. Currently, we're working on making the platform available, at least to some extent, to the general public and, if all goes well, we'd like to conclude the presentation by announcing the availability of this platform to any interested parties.

Bio: Nikolaos is head of mobile threat intelligence and security at Avast, leading mobile security projects, mobile threat intelligence, and threat prevention. He loves mobile forensics, malware analysis, reverse engineering and promoting innovation in the security field.

Talk #8

Paravirtualized Honeypot Deployment for the Analysis of Malicious Activity

by Andronikos Kyriakou

Abstract: In today’s world, cyber security is a fast-paced, changing environment. New threats are continuously emerging and the ability to capture and effectively analyze them is more crucial than ever. A popular and widespread tool utilized in the quest for new and unknown threats is the honeypot. Based on [1], a honeypot is “a security resource whose value lies in being probed, attacked or compromised”. In our work, we examine a multi-honeypot system that aims to gather and analyze in real time the actions of an attacker. The implementation of the system uses Docker to deploy a Cowrie, a Dionaea and a Glastopf container. Cowrie is a medium-interaction SSH and Telnet honeypot, Dionaea is a malware collector designed to expose network services, and Glastopf is a web application honeypot. By using Docker, isolation of the resources needed for each system to run, as well as a low system load, are achieved. The open source Elastic stack is selected for the purpose of analyzing and visualizing the data gathered. The Elastic stack consists of Logstash, the streaming Extract, Transform and Load (ETL) engine; Elasticsearch, a real-time, full-text search engine; and Kibana, an administration and visualization platform. Using this modular and expandable stack, an examination of the data is made possible and an abundance of information, such as the origin country of the attack and the most popular port targeted, can be identified. In closing, by monitoring the incoming connections many useful conclusions can be drawn about the behavior and the nature of the malicious users. This information can be exploited in order to create more powerful intrusion detection systems, as well as to identify and mitigate zero-day attacks.

Bio: Andronikos Kyriakou is an undergraduate student at the Computer Engineering & Informatics Department (CEID), University of Patras. He is a computer security enthusiast and joined the SCYTALE Research Group in January 2018, where he is working on his Diploma Thesis under the supervision of Associate Professor Dr. Nicolas Sklavos. His research interests include digital forensics, network security, privacy issues and machine learning. In recent years, he has attended many conferences and has taken an active part in the organising committee of ECESCON 8.

Talk #9

Convincing my SmartLock that it’s really me!

by Gema Fernandez, @baskugnana and Christina Skouloudi, @miss_narbi

Abstract: This talk presents a generic and customizable tool which allows us to evaluate the implementation of authentication measures within IoT mobile applications. Given the wide penetration of IoT and its cyber-physical nature, both safety and security risks emerge and need to be addressed. An important element in this direction is the use of strong authentication and authorisation processes in IoT environments, since they remain key to protecting communications, privacy and access to resources. Smartphones being the means by which users interact with the IoT environment (e.g. smart devices, cloud), the need for secure implementation of IoT mobile applications becomes crucial. Two examples of using this tool will be presented, namely OAuth 2.0 in combination with OpenID Connect, a very popular framework for delegated authentication, and Bluetooth Low Energy pairing mechanisms, as BLE is one of the most widely used protocols for smartphone-to-smart-thing communication. The use case of authentication is indicative and has been chosen for this talk due to its significance; nevertheless, the tool can be applied to the evaluation of any other security measure in mobile applications. Providing as input the API calls, in bytecode form, that implement authentication measures, the tool identifies instances among a given set of applications, and provides as output how many and which ones have implemented such measures, as well as the classes where they reside. This tool is adaptable and configurable, depending on the specific security measure to be investigated. It automates the process of evaluating and checking for the implementation of security-by-design principles, providing in addition meaningful statistics and insights. These results allow us to draw the big picture of the state of authentication in IoT mobile applications, and help us to identify the main gaps to tackle.

By means of IoT mobile apps, users can not only access information, but also command and control smart devices that can influence the physical world. Consequently, authentication implementation is a must for app developers and designers. This tool will help them not only to evaluate the security of their existing applications, but also to apply security-by-design principles in the future.

Bio: Gema Fernandez is a passionate and enthusiastic trainee at ENISA in Athens. Even though she looks Greek, she comes from the centre of Spain; precisely from the city Doménikos Theotokópoulos / El Greco chose to spend half of his life in, Toledo (coincidence?). Given her restless character, she first went to Madrid to become an engineer in telecommunications, and quickly jumped further north to study for an MSc in cybersecurity in Tallinn, where she discovered the fun of forensics and specialised in file manipulation detection. Realising the ice-cold climate was not for her, she ran away back south to find new experiences, sunrays and the top cybersecurity experts to be surrounded with (and hopefully start looking like them). Always out and about, playing basketball and beach volley, and now diving head-first into IoT security, she keeps looking for new challenges to grow professionally and as a person; in other words, to never stop moving.

Bio: Christina Skouloudi has a background in computer science and holds a master’s degree in Digital Systems Security. At the early stage of her career, she worked for several years as a full-stack developer and then moved to the Information Security area, working as a Network and Information Security Officer at ENISA. Combining the two things she is passionate about, namely software development and information security, she likes to offer smart and innovative solutions through her work. A maker and breaker, who loves to contribute to both the development and the security community. Her main research interests focus on the Internet of Things, Wireless Sensor Networks, Cloud Security, Incident Reporting and the technical development of Cyber Security Exercises. She has published various papers on these topics and has also presented pieces of her work and developments at conferences like BSides.

Talk #10

Let's automate some security tasks in the pipeline!

by Abdo Shajadi, @n3tg33k

Abstract: How can we integrate security tests into a DevOps and Continuous Integration pipeline? In this talk we go through the challenges of security automation in an enterprise and introduce tools and procedures to build up fully automated security testing in the pipeline. The talk goes through the concepts first, then introduces the problem and why we need security automation, and after that I introduce the tools and scripts I have developed. It can be challenging to implement automation solutions, but addressing those challenges and trying to introduce the needed culture and tools can help us get closer to SecDevOps nirvana.

Bio: Working as a Security Engineer for Liana Technologies, one of the pioneering Finnish cloud-based enterprises, looking at everything from a security point of view. I like to play around with malware and break stuff! I also do rock climbing and play guitar. I’m currently focused on Web Application security.

Talk #11

Maritime Cyber Security

by Fotis Sofronis, @fotissofronis

Abstract: With multiple points of entry, maritime vessels and ports are at an acute risk of a cyber attack. The presentation will cover:

Vulnerable on-board systems:
  • Propulsion and engine controls (ICS, SCADA, remote management)
  • Cargo management (RFID, tracking systems)
  • Navigation and positioning systems (AIS, GPS, ECDIS)
  • Communication systems (NavTex, VSAT, WII, Email, VoIP)
  • Crew and passenger management and welfare systems
  • Alarm and access control systems

A number of recent high-profile attacks in the maritime industry. These include:
  • Ships have been fooled in GPS spoofing attacks.
  • Hackers have recently shut down a floating oil rig by tilting it.
  • An oil rig was so riddled with malware that it took 19 days to make it seaworthy again.
  • Somali pirates employed hackers to infiltrate a shipping company’s computer system to identify vessels passing through the Gulf of Aden with valuable cargoes.
  • A group of drug smugglers hacked computers connected to a major port to delete the shipping records of the containers used to smuggle contraband. They then made off with their smuggled drugs.

Case study:
Researchers have demonstrated that it is possible to change a ship's direction by faking a GPS signal.

Maritime technical security modules:
This section will go through the general structure (network architecture / firewall, physical security, etc.) of the shipboard. We will take a close look at the implementation and verify coherence.

Bio: Fotis currently serves as a Supervising Senior member of KPMG’s Cyber Security practice in Greece. His experience is focused on the areas of Security Transformation and Cyber Attack and Defence, specialising in Penetration Testing of network infrastructures and web applications. His educational background includes a B.Sc. in Informatics & Telecommunication (Un. of Macedonia) and an M.Sc. in Innovation and Technology (Un. of Sheffield).


Embedded Firmware Exploitation

by Aaron Guzman, @scriptingxss

Abstract: IoT firmware is the crux of what controls the many embedded devices within the world's critical infrastructure. As technology evolves, firmware frameworks and the underlying technology change at a much slower pace, leaving a considerable amount of research for the security community to perform. Join me as I share insider techniques gained from an IoT manufacturer to discover and protect against software security bugs in firmware. Hands-on demonstrations and labs will be given throughout the workshop. Upon completion of the workshop, trainees will have learned the following:

  • How to identify vulnerabilities in embedded devices
  • Understand the embedded security testing methodology, techniques, and tools
  • Firmware reverse engineering, emulation, and binary exploitation
  • How to backdoor firmware for MIPS and ARM architectures
  • Understand IoT botnet exploitation techniques that impact critical infrastructures
With this knowledge, you might even earn your first CVE.
Course prerequisites:
  • Familiarity with a Linux operating system
  • Admin rights
  • Hardware:
      • At least 25 GB of free space
      • Laptop with a minimum of 4 GB RAM
      • USB access allowed
  • Software:
      • Virtualization software installed (VMWare and/or VirtualBox)

At the start of the workshop, a preconfigured virtual machine with tools and labs will be distributed.

Bio: Aaron Guzman is a Security Consultant from the Los Angeles area with expertise in web app security, mobile app security, and embedded security. Mr. Guzman has spoken at several worldwide conferences, which include DEF CON, AppSec EU, AppSec USA, HackFest, Security Fest, HackMiami, 44Con, AusCERT as well as several regional BSides events. Furthermore, Aaron is a Chapter leader for the Open Web Application Security Project (OWASP) Los Angeles and Cloud Security Alliance SoCal (CSA SoCal), a Technical Editor, and co-author of "IoT Penetration Testing Cookbook" with Packt Publishing. He has contributed to many IoT security guidance publications from CSA, OWASP, Prpl, and several others. Aaron leads the OWASP Embedded Application Security project, providing practical guidance to address the most common firmware security bugs to the embedded and IoT community. Follow Aaron’s latest research on Twitter at @scriptingxss.