This is the schedule from the first BSides København held in 2019. The schedule includes links to presentations and videos on our Vimeo channel.
Conference Schedule
Registration opens (9:00)
09:00 - 10:00
Coffee and networking
Please note that no breakfast is served at the venue. Hot drinks and water will be available.
10:00 - 10:15
Welcome to BSides København
A brief presentation of the day, practical information, our code of conduct etc.
- The BSides København Organizers
- @bsideskbh
10:15 - 10:35
Keynote: Introducing BSides
Jack Daniel, Co-founder of Security BSides, will tell us a bit about what BSides is all about.
- Jack Daniel
- @jack_daniel
10:35 - 11:25
Trying to compromise an enterprise for fun and profit
Red team testing is now considered a best practice for most enterprises. We will share some insights and experiences we have with red team testing from a major Danish bank.
- Martin Clausen
- @martclau
Break (11:25 - 11:30)
11:30 - 12:00
Binary Exploit Mitigation and Bypass History
"This talk will describe and walk through the major user-mode binary exploit techniques, mitigations and associated bypasses starting from Windows XP to newest releases of Windows 10.
Exploitation techniques have evolved majorly over the last 15 years partly driven by the continuously added security mitigations by Microsoft and Intel but a complete application compromise achieving arbitrary code execution is still possible even on the most secure web browsers running on Windows 10.
The history of mitigations starts with the known basic mitigations such as Stack Canary and Safe Structured Exception Handler, to so-called modern mitigations such as Data Execution Prevention and Address Space Layout Randomization to the newest Windows 10 mitigations like Control Flow Guard, Code Integrity Guard and Arbitrary Code Guard.
In this presentation all mitigations and associated bypass techniques along with a layout of different memory corruption vulnerability types will be discussed and illustrated."
- Morten Schenk
- @blomster81
Lunch break and networking (12:00 - 12:30)
12:30 - 13:00
I would click anything for you, but won’t execute that
Showing the steps from getting started with whitelisting to having a fully locked down Windows client/server that will be resistant when antivirus fails, and going through all the excuses one at a time. It's time to move to active defense instead of hoping users won't make an error; it's time for donaldduck.exe to stop running.
- Flemming Riis
- @flemmingriis
13:00 - 13:45
Tales from a professional stalker
Have you ever had a client who constantly clicks on the links, a CEO who opens all the attachments, or receptionists who reuse every single USB they've found? Do you blame them for the lack of security mindfulness?
If you do, stop. Blaming the users is so 2018. Reviewing the last 10 years of my professional career, I will walk through the hardest lessons I have learned regarding human behaviour. At the end of the day, being a cyber security expert is not bullying users into submission, it's understanding who they are as beings, and creating a safe, inclusive environment for them to learn.
Key points:
Demystifying hackers
Highlighting and understanding the value of data
Realising the 'hacker risk assessment' and how the fabulous foundations can help
Brief introduction to OSINT and where to learn more
- Zoë Rose
- @rosesecops
Break (13:45 - 14:00)
14:00 - 15:00
LOGITacker: How the idea of "An Awareness Training on risks of wireless input devices" ended up with breaking Logitech Unifying link encryption and remote shellz on air-gap machines
Logitech is a world leading manufacturer of wireless input devices. The wireless input core technology is called "Unifying" and consists of multiple Unifying devices which connect to a single Unifying receiver via a proprietary RF protocol in the 2.4GHz ISM band. The receiver/dongle uses USB to connect to the host, effectively building a bridge between those media.
A Unifying dongle basically relays vendor proprietary RF traffic from remote devices to USB, in order to present common input devices to the host.
In 2016, Bastille presented multiple security issues, which affected Unifying devices (and wireless devices of other vendors). The underlying vulnerabilities were called "MouseJack" and have been patched for today's Unifying dongles and devices.
This talk reflects a journey, which started with the idea to turn a Unifying dongle into a relay for a remote shell – controlled by a third party, sitting at the RF end. The regular Unifying functionality should not be disrupted (actually the initial idea was to bring up an Awareness talk on known vulnerabilities, but that is part of the story).
As all known vulnerabilities were patched, the research started out with investigation of the RF protocol, the USB protocol and with firmware analysis. Why is this worth sharing? Because, being private research, everything was done with Open Source Software and low cost hardware.
While walking you through the research approaches, several new vulnerabilities will be uncovered. This includes RF injection of keystrokes into encrypted links between Unifying devices and dongles, which are patched against MouseJack vulnerabilities AND this includes eavesdropping and live decryption of Unifying RF keyboard traffic, utilizing issues in the implementation of Unifying encryption.
Breaking Unifying link encryption wasn't the exact objective of this research, so in the end we will refocus on remote shells. No new security issues, instead we will learn: arbitrary data could be injected and exfiltrated by-design!
- Marcus Mengs
- @mame82
Break (15:00 - 15:15)
15:15 - 15:45
How managers should think, or: Optimizing for long term success through skilled, creative and engaged security teams.
What makes your work life interesting and satisfying, and how can we create work environments in information security that foster and retain passion and motivation?
To help investigate this we will try and understand the principles behind extrinsic and intrinsic motivation, as well as look at a model for how to operationalize this in an information security context.
Our operational starting point will be a paper based on research in a SOC that proposes a model for what to optimize for in your work.
You can use this to reflect on how your work is structured today, get some ideas for what to look for in a job, or as ammunition to be applied to a manager to nudge her in the right direction.
This talk is heavily inspired by a talk by John Hubbard about creating virtuous cycles in SOCs to avoid burnout, and happened to coincide with many of the principles I try to apply in my work. I am very interested to discuss how these principles resonate with the community and how broadly they can be applied and would like to incorporate participation during the talk through dialogue and services like Wooclap.
- Peter Aarhus
- @peteraarhus
15:45 - 16:15
JEA on the edge - access controls for remote management of Windows 10
PowerShell JEA - a Just-Enough Administration model implementation built on top of the PowerShell Remoting Protocol - has been available for years, but severely underutilized due to Microsoft's initial focus on privileged administration of server infrastructure.
This talk will explain the purpose and capabilities of PSRP and JEA, and then show how JEA can be a powerful enabler in securely moving granular access control models to the endpoint in order to reduce and compartmentalize admin privileges needed for remote management of Windows 10 fleets.
- Mathias Jessen and David Wall
- @iisresetme
Break and networking (16:15 - 16:45)
16:45 - 17:15
Fuzzing – How to throw smart (dumb?) CPU cycles at hard problems
How do you find vulnerabilities in complex, hard-to-read code, such as web browsers and operating systems?
What do you do when your runtime testing, source-code review or reversing efforts come up short?
Security Advisor Magnus Klaaborg Stubman takes us through a pragmatic deep dive into the world of fuzzing, with easy to understand approaches and concrete demos of fuzzing setups used by Magnus to find 0day vulnerabilities in critical infrastructure.
- Magnus Klaaborg Stubman
- @magnusstubman
17:15 - 17:30
Presentation of the OSINT CTF winners and Introduction to Dinner Time Demos
Presentation of the OSINT CTF concepts and competition winners.
A brief introduction to the practical demos taking place during dinner and the networking event.
- Niel Nielsen, Keld Norman and Frederik Raabye
- @nieldk
- @keld_norman
- @fraabye
17:30 - 17:50
Keynote: Great Power Competition and Cyber Strategy
Computer networks were born during the Cold War - an era defined by the decades long global struggle between two super powers who represented vastly different visions of society, politics and economics. But computer networks came of age during the era after the Cold War, which was defined by globalization: a vision of ever increasing economic integration at a global level, where political convergence around democracy, human rights and the values behind the open society in the West, was assumed to follow.
That period really ended about five years ago – marked by the Russian annexation of Crimea and instigation of the war in eastern Ukraine, but also by the increasingly assertive Chinese posture in the South China Sea and in global affairs more generally.
Authoritarian states use their economic wealth and technological to resist the pressure for democratization. They create powerful big brother systems at home to control and subdue dissidence and civil society. Abroad, they seek to split and undermine unity among democratic societies, to affect democratic deliberation and elections and to divide and control elites in fragile states in both Europe, Africa, the Middle East and Asia.
Information technology plays a crucial part in this global power struggle, because it is uniquely suited to the grey zone between war and peace as it is more effective and cheaper than the alternatives.
- Henrik Breitenbauch
- @breitenbauch
17:50 - 18:00
Closing Speech
Closing remarks and practical information from the organizers.
- The BSides København Organizers
- @bsideskbh
Dinner time demos, pizza and networking (18:00 - 21:00)
18:00 - 21:00
LOGITacker demo
A short introduction to how you can use LOGITacker together with the Logitech modified C-U0007 dongle to obtain an airgapped reverse shell.
- Niel Nielsen
- @nieldk
18:00 - 21:00
Custom made hacker hardware
To better do my job, showing "people" how hacking works, I have built a suitcase containing a little fitlet2 PC, a HackRF, Pineapple Tetra, a big battery and many other things. I would like to share the information of what is in the box and also show both other custom made hacking projects and commercially available ones.
I hope to be able to inspire others to build stuff and not be that afraid of playing with hardware, lots of glue! and a soldering iron.
- Keld Norman
- @keld_norman
18:00 - 21:00
C2 in 15 minutes - getting started with Covenant
A brief hands-on demo of setting up the open source .NET based C2 server Covenant and using it for lateral movement in a Windows Active Directory domain.
- Frederik Raabye
- @fraabye