• Conference Hall – First Part
    07:45 - 08:30
    08:30 - 08:35
    Attila Marosi-Bauer - Opening Ceremony
    08:35 - 09:15
    Rakhim Davletkaliyev - How Will Cryptography Survive the Rise of Quantum Computing?
    The most widely used cryptography today is based upon a handful of ideas from number theory. The key to the security of most communications in the world lies in the sheer scale of the computation required to break codes. But some quantum algorithms will definitely reduce the computation time from billions of years to a few hours, rendering modern cryptography useless. How will cryptography survive the rise of quantum computing? Or is there nothing to worry about?
    09:20 - 09:40
    Barnabás Sztán-Kovács - FRIDA, the "Hooker"
    FRIDA is a bad girl who can do nasty things - not only is she a hooker but also an expert at manipulating and eavesdropping. In other words, FRIDA is a superb customizable dynamic instrumentation toolkit which can attach to processes and inject code, even detach without crashing them. It can be used for reverse engineering, hooking, monitoring function calls and can also be used as a special malware analysis tool. This talk will tap into these cases a bit further and give a glance at the capabilities of FRIDA and the possibilities it offers.
    09:45 - 10:25
    Tobias Schrödel - Social Networks are Social Weapons
    Tobias will talk about social networks from two aspects: a) how they know so much about us, even though we don't give them all this information. There will be an example of what happens when you upload a picture to a social network: what information can be extracted and where this leads us. b) fake news - some examples and how to identify them.
    10:25 - 10:45
    Coffee break (20 mins)
    10:45 - 11:25
    Philipp Krenn - Scale Your Auditing Events
    The Linux Audit daemon is responsible for writing audit records to the disk, which you can then access with ausearch and aureport. However, it turned out that parsing and centralizing these records is not as easy as you would hope. Elastic's new Auditbeat fixes this by keeping the original configuration, but ships them to a centralized location where you can easily visualize all events. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. This talk shows you what you can do to discover changes, events, and potential security breaches as soon as possible on interactive dashboards. Additionally, we are combining Auditd events with logs that are security relevant.
    11:30 - 12:10
    Zsombor Kovács - How to be a Pentester?
    The word Hacker is one of the most widely misunderstood and misused ones within the IT community, and as in most cases with overloaded words of multiple meanings, this makes it really hard to understand its underlying philosophy. I have been asked a multitude of times many related questions, e.g. how to become a hacker? Which school should I choose if I want to make a career in IT security? What should be the next first step for me? What to do and what not to do? Alas, as with most things in real life, there is hardly one definite answer for them... This quick talk will make an attempt to clear things up from multiple perspectives and hopefully, by the end of the talk, everyone in the audience from rookies to seasoned vets will have something new in their eyesight.
    12:15 - 12:55
    Guillaume Lopes - Abusing Google Play Billing for Fun and Unlimited Credits!
    In 2017, the estimated global in-app purchase revenue was projected to exceed $37 billion. Just in the Google Play Store, for 2018, more than 200 000 apps are offering in-app purchases. However, the Google Play Billing API is vulnerable by design and allows an attacker to bypass the payment process. I analyzed several Android games and found that it is possible to bypass the payment process. This presentation will show real vulnerable applications (Fruit Ninja, Doodle Jump, etc.). The agenda of the presentation will be divided as follows:
    1. Google Play Billing Presentation: Presentation of the workflow and how it works. In addition, a focus will be done on the local validation of the process.
    2. Known vulnerabilities: Review of the vulnerabilities found by Dominik Schürmann. Demonstration of why the fixes performed by Google are not enough and how it is still possible to bypass the payment process.
    3. Vulnerable applications: Example of vulnerable applications trying to protect the billing process (Doodle Jump, Snoopy Pop, Fruit Ninja, etc.) with different techniques (obfuscation, shared libraries, etc.). The presentation will focus on how the billing process is performed and how by reverse engineering the application, it is still possible to bypass the payment process.
    4. Conclusion: Sum up of the numbers of vulnerable applications. Comparison with other billing libraries (Amazon and Samsung).
    12:55 - 13:40
    Lunch break (45 mins)
    13:40 - 14:20
    Dávid Török - Sustainability of the x86 Insecurity Model
    In today's ever evolving cybersecurity landscape, some organizations are starting to get the grasp of their individual threat profiles and associated attack surfaces that they have to invest time and effort in. Vulnerable software is a problem that we as an industry have been trying to deal with for a long time. There are no perfect solutions but there are many smart people tackling the issues there; doing code audits or performing security assessments, dare I say penetration testing with an independent team or contractor is something that is definitely on the radar of competent organizations. With some of the industry's leading minds on the effort, we've come to develop mitigations against entire classes of vulnerabilities via solutions such as pointer authentication, shadow stacks, control flow integrity checks (CFI) and the like. In this talk, I will tackle what I perceive to be the largest and least well understood attack surface there is in today's organizations, x86 platform security and out of band management systems such as Intel's management engine and AMD's platform "security" processor.
  • Conference Hall – Second Part
    14:25 - 14:45
    Sándor Fehér - The Katz out of The Bag
    Mimikatz is a hacking tool that showed up in almost all significant IT incidents of the last few years. We all know it, although fewer of us know how it really works. In my presentation I would like to share the Mimikatz story, how Benjamin Delpy kept developing it year by year, and how the developers at Microsoft tried to harden the OS. I will show the working mechanisms of Windows' main protections and how Mimikatz bypasses them. I would also like to share my concept on how an enterprise defender can harden the environment in order to limit Mimikatz user efficiency in the network.
    14:50 - 15:30
    Julien Thomas - To Write or not Write, that is the Question - Abusing of Leaked Data and Vulnerable User Assets on Android
    Though data leakage through Android shared folders is not a new topic, it generally focused on Android stock apps and how to steal user credentials or abusing of flawed device reset mechanisms. In this talk, we will show how these studies can be extended to consider both active devices and any apps installed by the user. By "simply" abusing of publicly shared assets, we will illustrate how it is possible to:
    - infer app internal behavior and data format
    - retrieve user PII assets from leaked session tokens or simply directly from caches
    - retrieve / alter / delete user data
    - alter user data before sharing with partners and inject malicious payloads
    - perform replay session due to leaked session header or internal protocols
    Our work relies on research made on hundred of major Android apps, with around one third of them being at best partially flawed. Due to the associated disclosure policies, we will not reveal the name of the audited apps. However, we will also talk about vendor responses in order to illustrate how Android users should (attempt to) protect their privacy and data.
    15:30 - 15:40
    Break (10 mins)
    15:40 - 16:20
    Dávid Schütz - OWASP Top 10 Like I’m Five - From a Bug Bounty Hunter's Perspective
    OWASP Top 10 is a list of the 10 most common types of web vulnerabilities found in web applications today, made by OWASP. Since it is such a widely used and referred list by developers and hackers, people without web security experience could feel overwhelmed while trying to understand it, and may end up finding it complicated and confusing. My goal with this talk is to make ‘OWASP Top 10’ easily understandable for everyone including developers and people getting started in web security by using simple, real-world examples of the vulnerabilities, showing real disclosed bugs from bug bounty programs that paid and explaining the impact of them on the company, and by using my experience from the bug bounty space and the way I managed to understand these vulnerabilities in the first place. The talk will not only focus on how to find these bugs, but it will also try to help developers with understanding how to defend against these common vulnerabilities and write more secure code by understanding the way attackers think and try to exploit web applications.
    16:25 - 16:45
    Martin Vrachev - Precaution - Your Source… for Vulnerabilities
    Precaution is an open source GitHub app designed to increase the security of open source projects by automatically scanning new pull requests for security vulnerabilities. The analysis reports issues such as weak cryptography, potential issues in certificate handling or possible publication of secrets and passwords and many others. Right now, we support scanning code in Python (using Bandit) and Go (using Gosec) but additional languages may be added in the future. In the talk I will present Precaution’s workflow - how it interacts with GitHub, the analysis of the code for security vulnerabilities, the way Precaution merges the output from multiple security linters and how the results from the analysis are shown in the pull request itself on GitHub. I plan to record a short video of how to use Precaution.
    16:50 - 17:30
    Tamás Tokics - Return-Oriented-Exploitation on ARM
    The focus of my talk is to introduce Return-Oriented-Programming (ROP) exploit techniques. The talk will also cover the basics of ARM exploit development for those who are unfamiliar with it. The presentation will cover the fundamentals of ARMv7 and ARMv8 registers and also some differences between the two architectures. I will talk about stack based attacks and heap based techniques such as Heap Feng Shui and Heap Spray. In the end I will show a demo with a pre-made vulnerable app.
    17:30 - 17:40
    Break (10 mins)
    17:40 - 18:00
    Dr. Ferenc Leitold - Measuring the Unmeasurable - How to Estimate the Vulnerability of the Users?
    User behaviors endanger the operation of an organization much more than any technical vulnerability does. A lot of technical solutions exist against attacks using technical security holes. The technical part of the IT security is well-grown, however dealing with the human factor is still in its infancy. In this presentation the possible methods for the user behavior assessments are discussed. The presentation focuses on some useful observation possibilities for user behavior measurement. The input sources that we can use can be from the workstation used by the particular user, from the network traffic and from the application logs, especially from protection logs. Using these input sources, a couple of very useful metrics can be defined for the user classification as well. Once we can measure the level of the user behavior, we can use it for improving the IT security at the given organization.
    18:05 - 18:10
    Attila Marosi-Bauer - Closing Notes
  • Workshop Room
    08:35 - 10:35
    Guillaume Lopes & Davy Douhine - Mobile Hacking Workshop
    Guillaume Lopes and Davy Douhine, senior pentesters, will share many techniques, tips and tricks to deliver to pentesters, bug bounty researchers or just curious a 100% “hands-on” training. Goal is to introduce tools (Adb, Apktool, Jadx, Androguard, Cycript, Drozer, Frida, Hopper, Needle, MobSF, etc...) and techniques to help you to work faster and in a more efficient way in the mobile ecosystem. This is the exact workshop that you would have liked to have before wasting your precious time trying and failing while trying to assess the security of mobile applications. You’ll need:
    - a laptop (running any OS: Windows / MacOS / Linux)
    - with 8Gb RAM at least (ideally 16Gb)
    - 40Gb of free space (to install an attacking VM based on Kali - we’ll provide it)
    - Administrative rights on your laptop + a way to deactivate anti-virus, HIPS and firewall
    - VMWare Player (ideally VMWare Workstation)
    - A PDF reader
    - A jailbroken iDevice (iPhone/iPad/iPod) running at least iOS9 if you want to follow the iOS part
    10:35 - 10:45
    Break (10 mins)
    10:45 - 12:45
    Éva Szilagyi & Dávid Szili - Elastic Stack for Security Monitoring in a Nutshell
    Elastic Stack is one of the most commonly used open source data analysis and management platforms today. It quickly became popular among security professionals too and it is also the building block of many open source and commercial SIEMs. Elastic Stack is designed for speed and ease of use; it indexes data as it is ingested (write once read many or "WORM" storage) and it is extremely scalable and powerful, making ad-hoc queries and real-time visualization very easy. The components in the Elastic Stack are designed to be used together and releases are synchronized to simplify the installation and upgrade process. The stack consists of:
    - Beats, which is the platform for single-purpose data shippers;
    - Logstash, which is a server-side data processing pipeline that ingests data from multiple sources, transforms it, and then sends it to one or more outputs ("stash");
    - Elasticsearch, which is a distributed, RESTful search and analytics engine;
    - Kibana, which lets users visualize data with charts, graphs, and dashboards.
    During this two-hour workshop, we will see how to use Elastic Stack for security monitoring and cover the following topics:
    - Beats (filebeat, winlogbeat, auditbeat, etc.)
    - Logstash (input, filter, and output plugins)
    - Elasticsearch (cluster, node, index, shard, mapping, search, aggregation, etc.)
    - Kibana (index patterns, searches, visualizations, dashboards, etc.)
    - Elastic Stack Alerting and Security (X-Pack, ElastAlert, Search Guard, ReadonlyREST, etc.)
    Technical requirements for the workshop:
    - A laptop with at least 8 GB of RAM and 30-50 GB of free disk space;
    - VMware Workstation, VMware Fusion or VMware Player installed.
    12:45 - 12:55
    Break (10 mins)
    12:55 - 14:55
    Péter Balogh & Nándor Krácser - Detecting and Blocking Vulnerable Containers in Kubernetes
    We'd like to go into detail about how container image vulnerability scans work - with a focus on catching vulnerabilities at the point in time at which deployments are submitted into the cluster.
    Detecting and Blocking Vulnerable Containers in K8s
    Technical requirements:
    - Notebook with minimum 8GB memory
    - Installed app:
      - GNU/Linux and Windows: installed Virtualbox
      - Mac: macOS newer than Sierra or installed Virtualbox
    14:55 - 15:05
    Break (10 mins)
    15:05 - 17:05
    Dávid Szili - Introduction to Osquery
    Maintaining real-time insight into the current state of your endpoint infrastructure is crucial. It is very important from operational, continuous security monitoring, and incident response perspectives. Created by Facebook in 2014, osquery is an open-source instrumentation framework for Windows, OS X (macOS), Linux, and FreeBSD operating systems. Osquery exposes the operating system as a relational database and allows you to write SQL queries to explore system data. The generic SQL tables represent running processes, loaded kernel modules, open network connections, browser plugins, hardware events, file hashes, etc. These SQL tables are implemented via an easy to extend API and several tables already exist and more are being written. The main advantage of osquery is that it allows you to use one platform for monitoring complex operating system state across an entire infrastructure. It has a high-performance and low-footprint distributed host monitoring daemon, osqueryd, and also an interactive query console, called osqueryi. During this two-hour workshop, we will learn about osquery's capabilities and cover the following topics:
    - Osquery basics (installation, osqueryi, osqueryd, osquery schema);
    - SQL refresher (SELECT, FROM, WHERE, LIKE, JOIN, etc.);
    - Osquery configuration (flagfile, packs, schedule, logging, file integrity monitoring, etc.);
    - Fleet management (Kolide Fleet, Doorman, SGT, etc.);
    - Osquery extensions.
    Technical requirements for the workshop:
    - A laptop with at least 8 GB of RAM and 40-50 GB of free disk space;
    - VMware Workstation, VMware Fusion or VMware Player installed.
    17:05 - 17:15
    Break (10 mins)
    17:15 - 19:15
    Mohammed B. M. Kamel - Introduction To Buffer Overflow Exploit
    This workshop introduces how buffer overflow vulnerabilities arise in programs and how they get exploited. Exploiting the behavior of a buffer overflow is a well-known security exploit. On many systems, the memory layout of a program, or the system as a whole, is well defined. By sending in data designed to cause a buffer overflow, it is possible to selectively overwrite data pertaining to the program's state, therefore causing behavior that was not intended by the original programmer. Although all programmers know the potential threat of buffer overflow in their programs, there are still a lot of buffer overflow-related threats in both new and old software, regardless of the number of fixes that have already been performed. The workshop will contain a basic principle of understanding the buffer overflows, the program loading and execution within memory, how to spot buffer overflow conditions and how exploits get constructed for these overflow conditions.