# Schedule

18.9.2019 (Wednesday) at Park Boutique Hotel Varaždin.

Technical lectures, single track, relevant technical content with no sales talks.

Additional activities include: OWASP Croatia meeting.

Time	Speaker	Subject
08:30 - 09:00		Registration
09:00 - 09:05		Opening Ceremony
09:05 - 09:45	Ivan Fratric	Flash Click2play in Web Browsers and Other Horror Stories
10:00 - 10:45	Antonio Zekic	iOS exploitation
11:00 - 11:45	Bojan Zdrnja	Threats seen by SANS Internet Storm Center
12:00 - 13:30		Lunch Break (no organized lunch, make your own arrangements)
13:30 - 13:50	Dejan Strbad	(Ab)using eBPF as a security tool
14:00 - 14:45	Andrea Barisani	USB armory Mk II sneak peek
15:00 - 15:45	Vanja Svajcer	Legitimate tools or weapons of mass compromise?
16:00 - 16:45	penguin / Deso	That one time someone tried to blackmail KPN
16:45 - 17:00		Closing Ceremony

Adobe Flash used to be a crowd favorite when it comes to exploiting web browsers with over 20 0day attacks using Flash vulnerabilities caught in the wild during the last 5 years. As a consequence of this trend and Flash's eventual deprecation, major web browsers don't play Flash content by default any more and now require user interaction in order to play it, aka click2play. This means that an attacker sitting on a stockpile of unpatched Flash vulnerabilities now needs a click2play bypass for those vulnerabilities to become relevant again.

In this talk we will dive into the good, the bad and the ugly of click2play implementations in two major web browsers (Google Chrome and Microsoft Edge). I will show how I discovered several weaknesses in those implementations, including a full click2play bypass in Microsoft Edge.

Ivan Fratric is a security researcher at Google Project Zero. Before joining Project Zero he worked in the Google Security Team and before that at the University of Zagreb where he also received his Ph.D. He has been doing and publishing security research for over 10 years and is the author of several open-source security tools.

Presentation is a general introduction of a typical iOS attack model, iOS attack vectors as well as modern iOS mitigations and post-exploitation mitigations.

A passionate security specialist with a broad background in information security. In spare time he enjoys iOS/macOS reverse engineering and vulnerability research.

In last couple of years we have witnessed some sophisticated (and some less sophisticated) attacks that severely impacted businesses around the world, causing millions of EUR in damage. SANS Internet Storm Center has been following and analyzing various attacks for more than 2 decades.

In this presentation, Bojan Zdrnja, senior SANS Internet Storm Center handler will introduce the SANS Internet Storm Center and will talk about several new emerging threats that are slowly becoming prevalent. We will also discuss some incident that Bojan and other SANS ISC handlers worked on in last year.

Bojan is the CTO of INFIGO IS, a Croatian security company, where he leads the penetration testing team. Besides this, Bojan is also a senior SANS Internet Storm Center (https://isc.sans.edu) handler, where he regularly posts about new malware, incidents or penetration testing techniques. Finally, Bojan is also a SANS instructor - he teaches the SEC542 course (Web App Penetration Testing and Ethical Hacking) and holds numerous SANS certificates.

eBPF unlocks God mode on Linux. Why not (ab)use it as a security tool then?

In this talk I will present few real-world examples where eBPF fits perfectly as a security tool. Since we live in a containerized world my focus will be on such environments.

Dejan is the CTO in Kraken (KrakenSystems) and Ascalia, with over 10 years of professional experience in a wide range of software development, SRE, Ops and systems architect roles.

He is the main figure in supporting Nextuser’s distributed high-load system spreading over 4 continents and helping their other clients tackle their technical challenges. Lately his focus is on building Ascalia, ICS for 21st century...

He is constantly looking for new challenges, building new companies and likes to exchange knowledge through meetups, workshops and conferences. In his free time, he is involved in political activism through civil society initiatives.

We will delve into the engineering challenges (say Type-C one more time...) that the USB armory Mk II security goals entailed, exploring how this open hardware has been developed.

Andrea Barisani is an internationally recognized security researcher. Since owning his first Commodore-64 he has never stopped studying new technologies, developing unconventional attack vectors and exploring what makes things tick...and break.

His experiences focus on large-scale infrastructure defense, penetration testing and code auditing with particular focus on safety critical environments, with more than 15 years of professional experience in security consulting.

Being an active member of the international open source and security community he contributed to several projects, books and open standards. He is the founder of the oCERT effort, the Open Source Computer Security Incident Response Team.

He is a well known international speaker, having presented at BlackHat, CanSecWest, Chaos Communication Congress, DEFCON, Hack In The Box, among many other conferences, speaking about innovative research on automotive hacking, side-channel attacks, payment systems, embedded system security and many other topics.

Windows desktop and servers contain a large number of legitimate tools which can also be used by attackers, once they obtain initial access. This presentation describes those tools and their usage in real world attacks.

Centralised logging and telemetry provides a wealth of information for blue team members and their day to day operations. These sources usually contain enough data to detect when attackers were successful in compromising the defended network.

But how to recognise a successful attack when the tools the attackers are using are also legitimate system administration utilities? Most Windows administrators would agree that PowerShell is an essential system administration tool but it has also been frequently seen as an attack avenue for attackers and red team activities.

Powershell is typically used to load code from remote servers and make the attacks “fileless” using reflective dll loading, steal user credentials, pivot within the compromised network, maintain persistence and execute other offensive tasks.

Right from the initial compromise, we can expect attackers to use standard Windows tools for enumerating network resources, adding new users, pivoting to other servers, dumping databases, exfiltrating data etc.

This session will be a walk through attackers techniques using tools which can also be considered legitimate and are usually installed by default on Windows. We will talk about basic and advanced functionality of this legitimate attack arsenal and show its usage observed during recent attacks.

Vanja works for Cisco Talos. He is a security researcher with more than 20 years of experience in malware research and detection development. He enjoys tinkering with automated analysis systems, reversing binaries and other types of malware. He thinks time spent scraping telemetry data for signs of new attacks is well worth the effort.

In his free time, he is hopelessly trying to improve his acoustic guitar skills and sometimes plays basketball, which at his age is not a recommended activity.

KPN was the target of a blackmail attempt in October 2017 by an ex-employee of a KPN MSP. KPN-CERT conducted and coordinated an investigation, assisting Dutch Law Enforcement, into the situation. As a result, two suspects were raided and arrested, and eventually convicted in public court.

Miscreant Puncher at KPN-CERT