Archive for the talks Category

Level: Low Tech

Abstract:
Everybody’s focus is on the security of PaaS services (such as AWS), but are we paying enough attention to the security of data in our SaaS applications?

We believe that the security of third-party integrations is an underestimated point of risk, given the general belief that vendors will take care of their applications’ security. However, the new world of interconnected SaaS applications creates new risks which have not yet been examined in sufficient detail. Even though your primary vendor may be secure, what if your data is leaked to vendors which are insecure or malicious? With the use of custom interconnectivity methods and limited protocols such as OAuth2, the permissions of integrations are often questionable and hard to understand.

Do you use Jira? Slack? Have you looked at webhooks? Do you have unknown Google Integrations? Do you understand the permissions these apps can use?

These are just a few ways how apps may be unknowingly leaking your data to third parties. This talk will be focused on highlighting some of the lesser known ways to check if your SaaS application is leaking your data and also provide mitigation strategies to reduce these risks.

Want to know more? Then this talk is for you!

Bio:
Boris Sieklik is a Senior Director of Information Security at MongoDB and a strong believer in cybersecurity being a business enabler. He has more than 10 years of experience in cybersecurity leadership roles across different industries and companies, including finance, anti-malware and tech. Previously, he published a new DDoS amplification attack which was covered in international media. He holds a number of certifications including OSCP, CEH and others. Additionally, Boris holds an MSc with Distinction in Advanced Security and Digital Forensics from Edinburgh Napier University and a First Class BSc in Computer Networks from Middlesex University London.

Video/recordings:

[Slides (PDF)] [Recording (MP4)]

Level: Technical

Abstract:

It is safe to assume that when buying an iOS device, it is a device made by Apple, running software which was either written or vetted by Apple. Their model is very clearly that of proprietary software that runs exclusively on their hardware, and therefore every person that buys a new iPhone will have the same out-of-the-box experience: what’s installed, what security features are in place, and so on.

This assumption is not true with Android. While all Android devices will have the same core taken from the Android Open Source Project, each manufacturer and vendor can customise this as much as they like to present a different UI or implement different core features. Additionally, the vendor has full control over which applications come pre-installed with their devices, and which of them have system-level (think something akin to root) privileges. These can be minor changes that are very close to what you might call “stock Android” or they can have significant changes.

From a security point of view, this makes reviewing entire Android devices an interesting prospect. Mobile testing of specific applications obviously only affects those users that have installed them, and these assessments are closer to a traditional web application or thick client test. However, assessing the complete device opens up the investigation to the inner workings of Android, how applications talk to each other, and depending on what default applications are included out-the-box what vulnerabilities might exist before the user has installed their first app.

In this beginner-friendly talk, we will explore the findings of a recent pentest engagement targeting several production Android devices, with a focus on issues that could affect the user’s privacy. Through improper use of the Android permission model, the vendor unwittingly allowed any application to capture a photograph of the user, start a voice recording, and even modify authentication factors without proper authorisation. We will cover the basics surrounding the Android app components’ permission model, demonstrate how a malicious app could abuse overly lax permissions, and talk about how the vendor could have implemented their functionality without exposing the user to every application on the device.

Bio:
Milosz Gaczkowski is a mobile security specialist at WithSecure, having previously spent entirely too much time working in academia. His current work revolves around Mobile Device Management solutions, Android device security audits, advisory consultancy, and complaining about password managers. Outside of technical work, his primary interests are in education and the culture of education.

Video/recordings:

[Slides (PDF)] [Recording (MP4)]

Level: Low-tech

Abstract:
In this talk, I will present a unique behind-the-scenes perspective on running oss-security since 2008 and its private counterpart (linux-)distros since 2011, as well as a historical perspective on their predecessor mailing lists, some of which I’ve been on since the 1990s. Rationale for their existence, different approaches, tough decisions and challenges, opinions and food for thought, community participation, timeline, statistics. Present time and the future. Whether, when, and how to use the lists.

Bio:
Alexander Peslyak, better known as Solar Designer, is the founder of Openwall, a community project and professional services company focused on the security of Open Source software. He achieved a number of “firsts” in (anti-)exploitation of memory corruption vulnerabilities, co-authored much of Openwall’s software including John the Ripper and other password security tools, and runs the oss-security and (linux-)distros mailing lists, among many other past and current activities. Alexander has spoken at numerous international conferences.

Alexander’s other hat is Chief Architect at Binarly, where he is contributing to the mission to build the world’s most advanced firmware supply chain security platform.

Video/recordings:

[Slides (PDF)] [Recording (MP4)]

Level: Technical

Abstract:

This talk is my personal journey to the future. The future is a metaphor for the IPv6 internet. During the talk, it will be explained what motivated me to even start this adventure. IPv6 adoption by country will be mentioned.

It will start with an intro and talk about some fundamentals every one of us is encountering while accessing the internet. We will cover IPv4 and IPv6, along with the current states of both address spaces (availability, prices).

Methods of acquiring IPv6 address space will be covered. Two methods of starting with IPv6 and dual stack will be covered. I will call them “free” and “non-free”, but we could also call them the “easy” and “little harder” methods. IPv6 tunnel brokers will be mentioned, along with the pros and cons of using this method. BGP as a protocol will be mentioned, along with BGP VMs, and common tunnel types when there is no ability to do BGP with the local ISP. I will explain why I switched from the “free” to the “non-free” method.

Possible router hardware will be mentioned, along with some personal recommendations. RIPE will be mentioned, we will touch on the topic of IP transit and upstream providers, and the bgp.services URL will be mentioned. It is a list of providers offering IP transit (if permitted, not affiliated with any of them).

Drawings of my current dual stack network setups will be shown. I have everything MikroTik based at the moment (I grew up with MikroTik, but now I have outgrown it, so I will mention that I am in the process of switching to x86 hardware running router OS).

Lessons learned and things to watch out for will be mentioned.

I hope I will manage to share knowledge with attendees by presenting and explaining how relatively easy it is to get to a dual stack network and enjoy the IPv6 internet. The idea behind the talk is to motivate people to start using IPv6, because they are missing out :)

Bio:
Nikola Garafolić – Born and raised in Varaždin, Croatia. 15 years of Linux experience, I’ve seen stuff. 3D print enthusiast. Drone pilot. DevOps guy by day, geek by night.

Video/recordings:

[Slides (PDF)] [Recording (MP4)]

Level: Technical

Abstract:
During our internal network scan we discovered conference room TVs that have the ADB (Android Debug Bridge) and HTTP ports open. The ADB port required “authentication” to access (a confirmation on the TV screen to allow the connection), but the HTTP port allows requests that emulate TV remote control key presses, which we’ve used to emulate a sequence of keys to confirm the ADB debug prompt showing on the TV at the moment when the ADB connection is happening. After connecting to the ADB port and obtaining a shell we have investigated different scenarios:
– ways to control the TV (HTTP and ADB)
– capturing TV screen and audio (natively and external tooling)
– installing own APKs to perform an action (i.e. move laterally)
– accessing attached mic to record audio
– accessing attached cam to record video

The analysis shows that all of these are possible but depend on different circumstances of the TV (Android version, integrated microphone/camera, attached external microphone/camera, …). Most of the focus was spent on capturing audio and video with an attached mic and cam, for which we have created our own small Android application that samples 5 seconds and stores it to a file in order to demonstrate the capabilities. We will demonstrate parts of a complete chain where we can automatically:
– request access to the ADB port
– emulate TV remote via HTTP and confirm the ADB auth prompt
– push our Android listener application via ADB
– start the Android listener application
– confirm the recording permissions on its first run (HTTP or ADB, whichever preferred)
– pull the recording file from the filesystem when done

Bio:
Tomislav Turek is an application security lead at Infobip, working with a team that analyzes and performs security reviews of application systems, integrations and code. While mostly focused on application security and software engineering, he likes to tinker with all things related to security. He invests a lot of his free time in computers and loves to participate in Capture the Flag competitions.

Video/recordings:

[Slides (PDF)] [Recording (MP4)]