6.-7.June 2024
Komplex457 Zürich

Welcome to Area41! Please keep your barcode ready. Once you got your badge, please help yourself to coffee and grab a seat for the opening ceremony!

Let the AREA41 team welcome you to the conference and give you some last-minute info about the event before handing the stage over to this year's keynote speaker!

In the DevOps era of frequent releases, CI tools such as Github actions are powerful platforms to enable secure and rapid software releases, but what additional attack surface do these often privileged components come with? This talk covers a recent research project from Snyk Security Labs to understand Github actions in depth and how they can be attacked to leak cloud environment access tokens, arbitrary secrets and result in a full compromise of the repository. Security engineers, pentesters and bug hunters alike will come away knowing the threat landscape for Githubs CI platform, and through case studies of high impact vulnerabilities we have uncovered, be equipped to exploit and secure Github actions.


Bio:
Elliot is a senior security researcher at software security company Snyk. He has a background in software engineering and application security.

Since we were children we wanted to go to the arcade and play for hours and hours for free. How about we do it now? In this talk I’m Since we were children we wanted to go to the arcade and play for hours and hours for free. How about we do it now? In this talk I’m gonna show you some vulnerabilities that I discovered in the cashless system of one of the biggest companies in the world, with over 2,300 installations across 70 countries, from arcades in Brazil, amusement parks in the United Arab Emirates to a famous roller coaster in Las Vegas. We will talk about API security, access control and NFC among other things.


Bio:
Ignacio Navarro, an Ethical Hacker and Security Researcher from Cordoba, Argentina. With around 6 years in the cybersecurity game, he's currently working as an Application Security. Their interests include code analysis, web application security, and cloud security. Speaker at Hackers2Hackers, Security Fest, BSides, Diana Initiative, Hacktivity Budapest, 8.8, Ekoparty.

Shufflecake is a novel, free, open-source data encryption tool that allows the creation of hidden volumes on a storage device in such a way that it is very difficult, even under forensic inspection, to prove the existence of such volumes. This is useful for people whose freedom of expression is threatened by repressive authorities or dangerous criminal organizations, in particular: whistleblowers, investigative journalists, and activists for human rights in oppressive regimes. You can consider Shufflecake a "spiritual successor" of tools such as TrueCrypt and VeraCrypt, but vastly improved: it is fast, supports any filesystem of choice, and can manage multiple layers of nested decoy volumes, so to improve user experience and make deniability of the existence of these partitions really plausible. Shufflecake is the result of a multi-year research aimed at solving fundamental limitations of plausible deniability tools. It has been peer-reviewed and presented at top IT conferences such as DEF CON Demo Labs and ACM CCS. It is under active development, and the open source community is welcome to contribute. In this talk we will present the history and limitations of other existing solutions, we will show how Shufflecake works and solves such limitations, and we will see why Shufflecake is an indispensable tool in the arsenal of users facing violent or coercive investigation.


Bio:
Tommaso "tomgag" Gagliardoni is a mathematician, cryptographer, and privacy advocate. He published influential peer-reviewed papers in the areas of cryptography, quantum computing, security, and privacy, and spoke at many international conferences in these fields. Additionally, he has a background in privacy hacktivism, investigative journalism, and ethical hacking, and being a strong advocate of the FOSS philosophy and digital freedoms. Tommaso obtained a PhD in cryptography at the Technical University of Darmstadt, Germany. He worked at IBM Research before joining Kudelski Security in 2019, where he is currently technical lead for the initiatives in quantum security and advanced cryptography.

Cookie tossing is a web attack that consists of injecting cookies from a vulnerable or malicious subdomain in order to poison other websites under the same parent domain. As part of a coordinated vulnerability disclosure with the Swisscom Bug Bounty program and Project Jupyter, this talk will describe how such a technique can systematically turn Self-XSS into a high-impact bug and then explore how it also results in novel web attacks. Ultimately, the aim is to draw attention to the strong capabilities of cookie tossing and the many creative attack vectors it enables.


Bio:
Bug Bounty Hunter and Cyber Security MSc student at ETH Zürich.

In this talk, we dive into the vulnerabilities discovered in various Unify desktop phones during a research project. Insecure default settings and improper permission configurations expose these devices to remote compromise. We will explore the step-by-step process of identifying and exploiting these vulnerabilities. Additionally, the session will demonstrate how a seemingly benign screenshot tool was leveraged to escalate privileges. Due to the vendor's insecure by default approach, we believe there are many vulnerable installations outside. We will also discuss considerations for securing these devices within your network infrastructure to prevent similar threats.


Bio:
Michael studied business informatics at the Humboldt University, Berlin. He worked as a game developer and subsequently as a teacher for maths and computer science before starting his career in IT security. He currently focuses on web application security at Pentagrid.

This session dives deep into the evolution of cyber defense tactics, laying bare the necessity of a holistic approach where offensive and defensive techniques are harmoniously amalgamated. By juxtaposing IT and OT, we unravel their innate intricacies and spotlight the compelling need for a harmonized security blueprint, especially during those critical junctures of incident analysis and swift breach detection. As we journey further, attendees will be introduced to the groundbreaking utility of adversary emulation, spotlighting CALDERA's prowess for OT-specific plugins and submodules. This enlightening segment not only showcases the tactics, techniques, and procedures (TTPs) of potential adversaries but also delineates how defenders can counteract, adapt, and prepare. Our exploration doesn’t stop there. The crux of defense, as we advocate, hinges on a potent blend of technology and architecture. Learn how a meticulously crafted architectural model can become the lighthouse, illuminating dark spots and enhancing visibility within sprawling OT terrains. Moreover, we dissect state-of-the-art detection technologies, detailing the operational capabilities and unique advantages of Microsoft Defender for IoT. The climax of our discourse is an immersive emulation exercise set within the confines of a virtualized electric plant. This ambitious endeavor is a precursor to our groundbreaking project—a tangible, physical firing range tailored for OT security testing. Experience firsthand the strategies deployed, challenges faced, and the riveting results of this emulation.


Bio:
Jeroen Vandeleur is a highly skilled and experienced senior security expert at NVISO, specializing in security architecture, cloud security, and automation within cloud and virtual environments. With more than 15 years of experience in the cybersecurity field, Jeroen has tackled complex challenges and provided concrete advice on avoiding, detecting, and responding to cybersecurity incidents. In addition to his work at NVISO, Jeroen is also a respected SANS author and training instructor for their "SEC598: Security Automation for Offense, Defense and Cloud" course. He is a certified Cisco CCNP Security expert and a GIAC-certified penetration tester, as well as holding a MS-500 Security Administrator Associate certification and an AZ-500 certification in Microsoft Azure Security Technologies. Jeroen's expertise in security engineering, cloud security, and incident management has enabled him to build a significant body of knowledge in these areas. He is passionate about improving security through innovation and automation and is always looking for ways to stay ahead of the curve. Whether he's advising clients on best practices for cybersecurity or teaching others about the latest trends and techniques, Jeroen is a highly respected figure in the industry. He brings a wealth of experience and knowledge to every project he works on, and is a valued member of the NVISO team


Bio:
Nick Foulon
I like to play around with electronics & cyber stuff!

We often say in the cyber security world, you can’t detect what you can’t see. In the SOC, visibility is everything, and the days of relying solely on the network perimeter and server-side monitoring is no longer enough. Today, breaches are plenty and with it comes reputational damage and hefty fines. So as defenders, what can we do? Dive deep into the cyber battlefield where attackers, armed with cunning and creativity, launch indirect web skimming attacks through your digital supply chain. This high-stakes game often involves the exploitation of third-party javascript — the unsung heroes that power everything from your slick payment gateways to those addictive social media widgets and chic web fonts. Whilst your users are loving these new features, you’ve opened up yet another gap in visibility and posed a formidable challenge to SOC teams tasked with the herculean task of monitoring and neutralizing code modifications that could lead to disastrous data exfiltration. But we defenders can also get creative…walk with us in to the client side as we sift through a data set which likely already exists in your environment but you just don’t know it…yet. This is not your monitoring 101 class, and we’re not going to sit here and tell you about HTTP response codes. We're talking about the offensive side and defense; we're talking about strategies to spot exfiltration attempts through third-party code, turning your blindness into visibility and assurance. What's on the Agenda? Decrypting the code behind web skimming breaches via third-party integrations. Unveiling the tactics of attackers and their modus operandi in exploiting third-party code. Effective methods for collecting telemetry of third parties, including where and how to source it Analytical approaches to detect anomalies and correlate data Join the cyber guardians and elevate your security game to legendary status.

CTFs are a fantastic way to learn about and develop one’s skills into cybersecurity. They’re accessible, open-source most of the time, and consistently offer top-tier challenges to improve your hacking acumen. But are they realistic? When someone wants to make the jump into their cybersecurity career, they’ll often find themselves asking the same questions and wondering as to the answer. Jam (Vie) Polintan discusses her experiences and outlines some common techniques and methods that she learned from CTFs which prove to be effective in her starting and maintaining her career.


Bio:
Jam (Vie) Polintan is a security engineer at Google's Red Team and two-time DEF CON CTF winner.

The RFCs for email addresses are surprisingly flexible in regards to what is considered a valid address - a fact that is most often overlooked by developers. In this talk, we will show that attackers can abuse assumptions of what developers consider safe input and how this can be exploited. Using a real-world example, we will disclose multiple vulnerabilities which we identified in a mail spam filter appliance used by governments, universities and healthcare institutions.


Bio:
Michael's professional journey began in full stack development, leading him through roles in DevOps and system engineering before discovering his passion for cybersecurity. Currently Michael is working as a security analyst at modzero.

The injection of arbitrary code in a remote process is a well-know technique exploited by malwares. As defenders continue to intensify their efforts to uncover these actions, attackers must come up with new techniques and attack variations to evade detection. In this talk, I will present a novel approach to remote code injection that utilizes shared sections and handle inheritance between generations of processes to defeat behavior detection techniques. Additionally, I will be providing a detailed explanation and a proof of concept (PoC).


Bio:
Rafael Salema Marques (SWaNk) is an old-school VX who tends to define himself as a malware enthusiast. He has been coding malware since early 2000. Today is leading a small and cool Red Team. He also conducts lectures, campaigns, and training on malware development, analysis, and reverse engineering. His MSc research focused on employing an artificial immune system approach to detect rootkit activities, while his PhD research introduced a novel method for detecting pivot attacks. SWaNk's main skills are related to offensive security, creating new malwares techniques to bypass defense solutions and penetrate the audited networks. Always available for coffee, beer, and malware projects. Peace.

Microsoft Entra ID (formerly Azure AD) offers many options to harden your tenant against attackers. Most of these options are enforced using Conditional Access policies, which for example allow you to restrict users to authenticate with only phishing resistant MFA methods such as Yubikeys and Windows Hello for Business. These MFA methods are resistant against common attacks, such as attacker-in-the-middle attacks via fake login pages, because they will only authenticate against the real Microsoft websites. There is however a catch: the provisioning of such MFA methods is often done from scenarios where such strong authentication cannot be enforced, such as during the device setup. In this talk we will see that by phishing for regular refresh tokens, using some tricks that Microsoft uses during the Windows installation, we can actually obtain a Primary Refresh Token and even provision these Phishing Resistant authentication methods by ourselves. The talk will also cover new mitigations that Microsoft introduced to combat these attacks, and what you can do to protect your tenant.


Bio:
Dirk-jan Mollema is a hacker and researcher of Active Directory and Microsoft Entra (Azure AD) security. In 2022 he started his own company, Outsider Security, where he performs penetration tests and reviews of enterprise networks and cloud environments. He blogs at dirkjanm.io, where he publishes his research, and shares updates on the many open source security tools he has written over the years. He presented previously at TROOPERS, DEF CON, Black Hat and BlueHat and has been awarded as one of Microsoft’s Most Valuable Researchers multiple times.

In March 2024 a backdoor was discovered in xz-utils packages of Debian and Fedora, originating from the upstream XZ project. This talk will take a deeper look into the techniques used by the backdoor to infect its primary target sshd and the different evasion techniques employed in an attempt to hide itself and why these ultimately led to the backdoors discovery.


Bio:
Timo Schmid is a Security Engineer at Google, performing red team operations and research, always looking for novel ways of evading defenders and preventing malicious actors from doing the same. Before working as a red teamer, Timo worked as penetration tester and researcher and worked as a trainer for web application and infrastructure pentesting and secure coding. As such, Timo was a recurring speaker at the TROOPERS conference.

Malware continues to increase in prevalence and sophistication. VirusTotal reported a daily submission of 2M+ malware samples. Of those 2 million malware daily submissions, over 1 million were unique malware samples. Successfully exploiting networks and systems has become a highly profitable operation for malicious threat actors. Traditional detection mechanisms including antivirus software fail to adequately detect new and varied malware. Artificial Intelligence provides advanced capabilities that can enhance cybersecurity. The purpose of this talk is to deliver a new framework that uses Machine Learning models to analyze malware, produce uniform datasets for additional analysis, and classify malicious samples into malware families. Additionally, this research presents a new Ensemble Classification Facility we developed that leverages several Machine Learning models to enhance malware classification. To our knowledge, this is the first research that utilizes Machine Learning to provide enhanced classification of an entire 200+ gigabyte-malware family corpus consisting of 80K+ unique malware samples and 70+ unique malware families. New, labeled datasets are released to aid in future classification of malware. It is time we leverage the capabilities of Artificial Intelligence and Machine Learning to enhance detection and classification of malware. This talk provides a pathway to incorporate Artificial Intelligence into the automated malware analysis domain.


Bio:
Solomon Sonya (@0xSolomonSonya) is a Computer Science Graduate Student at Purdue University. He earned his undergraduate degree in Computer Science and Master’s Degrees in Computer Science, Information Systems Engineering, and Operational Art and Strategy. Solomon routinely develops new cybersecurity tools and presents his research, leads workshops, and delivers keynote addresses at cyber security conferences around the world. Prior to attending Purdue, Solomon was the Director of Cyber Operations Training . Prior to that position, Solomon was a Distinguished Computer Science Instructor at the United States Air Force Academy, Research Scholar at the University of Southern California, Los Angeles, and an Adjunct Faculty Instructor with the Advanced Course in Engineering Cyberspace Security (ACE) at the Air Force Research Lab in Rome, NY. Solomon's previous keynote and conference engagements include: DEFCON and BlackHat USA in Las Vegas, NV, SecTor Canada, Hack in Paris and LeHack, France, HackCon Norway, ICSIS – Toronto, ICORES Italy, BruCon Belgium, CyberCentral – Prague and Slovakia, Hack.Lu Luxembourg, Shmoocon DC, BotConf - France, CyberSecuritySummit Texas, SANS Digital Forensics Summit, DerbyCon Kentucky, SkyDogCon Tennessee, HackerHalted Georgia, Day-Con Ohio, TakeDownCon Connecticut, Maryland, and Alabama, and AFCEA – Colorado Springs and Indianapolis.

Everybody is talking about SBOM, attestation, MFA, signatures and other security measures - but who is actually implementing them? This session will provide you with a technical overview of current cloud-native software supply chain security best-practices. Plus it will give you an idea of the adoption of said best-practices in the industry.

As organizations shift to cloud environments, they increasingly rely on tools like Microsoft Intune for efficient endpoint management. This transition from traditional to cloud-based infrastructures introduces a complex array of risks, including possible misconfigurations and new vulnerabilities. This presentation encapsulates our comprehensive examination of transitioning to a modern cloud platform. Our research reveals that configurations aimed at enhancing efficiency can, paradoxically, turn into vulnerabilities, allowing adversaries to exploit and compromise the integrity of endpoints, despite being originally designed to streamline IT operations. We will discuss in detail methods for privilege escalation, addressing both the enrollment and device usage phases. Through real-world examples, we plan to demonstrate the process of creating a backdoor, exemplified by the creation of a user account with administrative privileges. The backdoors not only bypasses device security controls, but also allow you to bypass the “known device” checks in Entra ID conditional access policies. Such vulnerabilities are particularly concerning in scenarios where internal threats collaborate with external actors, significantly increasing risk. The technical findings are translated into business risks, highlighting the critical need for a balance between endpoint security and operational usability. Attendees will acquire important knowledge about the nuances of cloud security for endpoints, the importance of vigilant configuration management, and strategies for securing against both internal and external threats in a cloud-centric world.


Bio:
Oleksandr is a seasoned cybersecurity professional driven by a fervor for offensive security. With a track record of leading impactful engagements spanning diverse industries, he excels in assisting clients in pinpointing and remedying critical security vulnerabilities within their systems and infrastructure. As the Offensive Security Manager at Storebrand, Oleksandr has played a pivotal role in cultivating and overseeing a robust red team program. This initiative has significantly contributed to enhancing Storebrand's security posture and providing a comprehensive understanding of its risks and vulnerabilities. Combining his background in software engineering with a profound knowledge of offensive tactics, Oleksandr is uniquely positioned to guide organizations in adopting contemporary and efficient defensive/offensive security practices.

In an era where cloud computing is ubiquitous, the security of cloud environments has never been more critical. Our presentation delves into the intricate landscape of cloud security through an exhaustive analysis of data from CloudIntel, a comprehensive dataset of cloud-based attacks. This dataset, accessible at https://github.com/unknownhad/CloudIntel, offers a unique window into the types of attacks targeting public cloud platforms, the malware employed, and the tactics, techniques, and procedures (TTPs) used by adversaries. By dissecting incidents across various public clouds, we reveal the nuanced differences in attack methodologies, initial foothold, and exploitation tactics. Our research not only sheds light on the current threats but also paves the way for enhanced defense mechanisms against cloud-based vulnerabilities.


Bio:
Over 12 years of Cybersecurity research experience. Talk to me about CTF, product and exploits. Play CTF with WaterPaddlers.

This presentation will be a bold attempt to highlight the primordial importance of actionable incident response documentation for the overall response readiness of an organization. The audience will be challenged to think critically about their attitudes towards the creation of procedures and documentation, which are often associated with compliance audit checkboxes, and gain a new perspective on the value generated by documents such as an incident response plan and a ransomware playbook. During this talk Gergana Karadzhova-Dangela, a Senior Incident Response Consultant with Cisco Talos IR, will share commonly observed mistakes when writing IR documentation and ways to avoid them. She will draw on her experiences as a responder who works with customers both during the proactive activities but also during actual cybersecurity breaches.


Bio:
I'm an Incident Response Consultant at Cisco Talos, based in Switzerland, with a focus on helping customers during a cybersecurity incident. I am part of a global, 24x7 team of responders and threat intelligence analysts who provide technical analysis and coordination support to retainer customers during an active security breach. Additionally, I work with Talos customers to improve their security posture through planned services, such as tabletop exercises, compromise assessments and the development of IR process documentation. My background is in digital forensics and data analytics.

In today's digital age, investigative journalists face unprecedented threats to their work and their sources. As an IT Security Engineer working for the public Swiss radio and television (SRF) I’m working on privacy solutions and secure communication methods with potential sources. I'll share practical strategies for journalists to navigate the digital realm securely. Topics include digital surveillance in Switzerland, threat modeling, secure communication tools, data protection, source anonymity, digital footprint management, and legal/ethical considerations. Join me to empower journalists to safeguard their work and uphold freedom of press.


Bio:
Rico Walde is a young Cyber Security Engineer based in Zurich, Switzerland who worked for media companies like Bertelsmann and Cyber Security Consulting firms like Orange Cyberdefense. He finished his Master in 2021 in IT-Security and Forensics and is consulting different companies in the area of Threat Intelligence and blue teaming in general. He is currently working for the public Swiss radio and television (SRF) and creating solutions for (investigative) journalists. He is author of the in 2018 published book "WLAN Hacking".

Many organisations make use of offensive security exercises to test their security posture - including Google. As part of testing of Google's Detection and Response capability, engineers undertake a variation of this testing, mimicking the behavior and techniques of real-world, highly sophisticated adversaries. This talk discusses Google’s approach to these exercises, why they’re important, and how other organisations can benefit from this approach.


Bio:
Thomas has been a DFIR practitioner for 10+ years. He's currently a Security Engineer in the DFIR team at Google who loves running towards the proverbial cyber fires. He enjoys detective work and poking malware with a long stick, and has given talks about DFIR, malware analysis, and threat intelligence at many conferences throughout Europe and the US.