Schedule

  • Conference hall – Morning
    08:30 - 08:35
    Attila Marosi - Opening ceremony
    08:35 - 09:20
    Zoltán Balázs - Hacking IP cameras through the cloud
    Hardly a day goes by without an article about a new IoT (Internet of Things) device being hacked. IP cameras, routers, baby monitors, smart homes, NAS devices, light bulbs, cars, rifles, you name it. We have seen in the past 5-10 years how horrible the security of these devices is. Some people play VNC roulette, others hijack cars driven by a journalist. Junk hacking has become part of the ITSEC industry. Journalists are happy because of improved click-through rates through scary headlines, security researchers feel they are the celebrities of the day. But this is just part of the full story.
    09:20 - 09:50
    M4xk & Sıx - Legend of Windows – A Link to the Hash
    During one of our IT security investigations we observed an undocumented Windows feature which leaks much-valued hashes from the system. No complicated exploitation is needed to play the trick we will present, and it can drastically speed up owning all the users in the system and reaching domain administrator privileges.
    09:50 - 10:35
    Tobias Schrödel (GER) - Hacking toys, lamps and other stuff
    In this presentation, it will be demonstrated live how to hack at least three IoT devices. First, a children's toy, which is a radio-controlled car with a built-in video camera. Second, an “adult toy” that is accessible via Bluetooth by any person in reach. Here, a second “adult toy” will be demonstrated that has security built in, so this cannot happen. Finally, it will be shown how to hack into the Philips HUE light system from within the same network. As a wrap-up there will be a talk about what vendors need to do in the future to make the IoT safe.
    10:35 - 11:05
    Coffee break (30 mins)
    11:05 - 11:35
    Péter Höltzl - Getting the most out of security logs using syslog-ng
    Event logging is a central source of information for IT security. The syslog-ng application collects logs from many different sources, performs real-time log analysis by processing and filtering them, and finally it stores the logs or routes them for further analysis. This session focuses on how syslog-ng parses important information from incoming messages, enriches them with additional contextual information, and concludes with demonstrating how all of this can be used for alerting or for dashboards.
    11:35 - 11:50
    Csaba Fitzl - IOC sharing – we are doing it wrong
    Threat Intel and IOC (indicators of compromise) sharing are very hot topics these days, and have been around for a few years. People tend to rely on this kind of information more and more. In my talk I will talk about why we are sharing IOCs in the wrong way, why those won’t be useful at all in large enterprises, and what we should change to make it valuable. I will also talk about what IOC types we share and don’t share, and which of those could add the most value to an organisation.
    11:50 - 12:35
    Paul Coggin (USA) - Hallowed be thy packets
    Blue and Red teams are missing the low-hanging vulnerabilities that exist in many enterprise networks today. This session will show in detail how the red team can quickly identify and exploit numerous network protocol vulnerabilities that the previous security test team probably missed. Methods for securing routing and switching protocols will be covered. Detailed PCAP examples will be covered. Recommendations for adding visualization and instrumentation to the network to detect network exploits will be covered.
    12:35 - 13:05
    Tamás Hetesi - Security issues about backup
    Do you have a backup strategy? I’m glad. But what about security? In my presentation I will introduce the problems that may arise when saving backups, and also talk about how our own backup can be harmful to us. The participants will also get to know some solutions that can help protect them against these threats.
  • Conference hall – Afternoon
    13:05 - 14:05
    Lunch break (60 mins)
    14:05 - 14:20
    Tamás Boczán - Cheating - The malware for video games
    In the last decades video games have grown into a multi-billion dollar industry, creating new opportunities for attackers. Connected features of the games and their lack of security solutions provide an ideal platform for malware developers, who managed to exploit it for financial gains. In time, attacks and defenses have become more and more sophisticated. This escalated into an ongoing war of cheaters and anti-cheat developers, which is very similar to the one between malware authors and security companies. In this talk I focus on the parallels of regular malware and cheating exploits, also showing the struggle of mitigating attacks in an extremely performance-sensitive environment. I present methods attackers have used to gain money by cheating and talk about the current state of cheat and anti-cheat software.
    14:20 - 15:05
    Jeff Hamm (USA) - What the Shell? Powering through PowerShell Forensics
    PowerShell is a remote administration tool built into modern Windows operating systems. The shell is a command-line driven tool that can be very powerful for network administration, scripting, and even gathering artifact evidence across an enterprise network. In this session, the attendee will see basic uses of PowerShell to gather data, what traces the use of PowerShell leaves behind, and how to analyze the data. Finally, the presentation will walk through a case study of an attack that leveraged only PowerShell and Metasploit PowerShell scripts to compromise a bank’s network, move laterally through multiple domains, and ultimately transfer funds out of the bank using SWIFT transactions.
    15:05 - 15:25
    Break (20 mins)
    15:25 - 16:10
    Dr. László Erdődi - Analysis of the exploitation of heap usage based memory corruption
    In the past few years several heap-based software error exploitations have come to light, and so several solutions have been created for detecting and preventing them. The presentation will discuss the different allocation methods of the up-to-date main heap solutions (e.g. low fragmentation heap) and the different exploitation techniques (e.g. use after free). These will be demonstrated through the analysis of existing software vulnerabilities.
    16:10 - 16:55
    Pedram Hayati (AUS) - A cost effective way to setup a Deceptive Defence environment
    The concept of deception security has been around since the early 1990s. However, its rate of adoption has been very slow. Deception security has been primarily used for research (ad-hoc hobbyists using honeypot systems or commercial rebranding of the same systems) and rarely as a protection mechanism. The security industry has a very limited understanding of deception security and is not using it to its full capacity.
    16:55 - 17:10
    Attila Marosi - Closing notes
  • Workshop room
    08:35 - 10:35
    Milán Gábor - Visualization BIG DATA
    These days we very often find ourselves in a position where we are facing a large amount of data and need to analyze it. A lot of people think it is hard to visualize that data, but we will show that this is not always true. Using the ELK stack (Elasticsearch, Logstash, Kibana) a good environment can be built which serves as a good base for additional analysis. The ELK stack is a modern solution that can handle large amounts of data and makes it easy to search and visualize.
    10:35 - 11:05
    Coffee break (30 mins)
    11:05 - 13:05
    Gábor Katus - Developing Cuckoo modules (in Hungarian)
    We will get to know the Cuckoo automated malware analysis sandbox. I will show you how easy it is to put together such a sandbox, and then, using the capabilities of the Cuckoo framework, we will build a few new modules and new functions for our Cuckoo sandbox.
    13:05 - 14:05
    Lunch break (60 mins)
    14:05 - 16:05
    Dávid Szili - Getting the most out of Windows Event Logs
    A typical mistake repeatedly seen in many SOCs is that they collect such a large amount of events that in the end they suffocate their SIEM solution. "Collect all the events!!!" sounds nice in theory, but in practice less is often more, and security teams must select and focus on events that have an actual use case and provide real value from a security perspective. But what if we do not even have a SIEM and cannot afford one? Luckily, in a Microsoft Windows environment we have built-in and free tools at our disposal to get started quickly with security monitoring and hunting using Windows Event Logs.
    16:05 - 16:15
    Break (10 mins)
    16:15 - 18:15
    Miklós Desbordes-Korcsev - Hands-on with JavaScript analysis in WinDBG
    JavaScript analysis automation. JavaScript code deobfuscation always presents a challenge for malware analysts, as the analysis is time consuming and sometimes even anti-debugging techniques make it more difficult. What if we had a mechanism to see into the very core of the JavaScript engine and the DOM and be able to track down what the malware was up to without having to make any changes to the code and without giving the malware a chance to sense a debugger being present?