BruCON 0x0A has ended

Wednesday, October 3


BruCON Retro Opening
The original BruCON founders and the current crew will reminisce over the BruCON history!

Original founders:
Philippe Bogaerts, Pieter Danhieux, Seba Deleersnyder, Benny Ketelslegers and Filip Waeytens

Current crew:
Philippe Bogaerts, Koen Burms, Stephen Corbiaux, Matt Erasmus, Tom Gilis, Xavier Mertens, Jochen Raymaekers, Pieter Van Goethem, Larry Vandenaweele, Stephanie Vanroelen, Bertrand Varlet and Marijke Vinck.

Wednesday October 3, 2018 10:00 - 10:30
01. Westvleteren University


Advanced WiFi Attacks using Commodity Hardware
This talk explains how low-layer attacks against WiFi can be implemented by modifying the firmware of off-the-shelf WiFi dongles. Additionally, in this new version of the talk, we also discuss how mobile phones can be modified to carry out similar attacks.

First, we show how to give ourselves a higher throughput than normally allowed. Then we create a continuous jammer which makes the channel completely unusable for all devices. Based on this we also show how to implement a selective jammer, allowing one to jam only packets of specific clients. It’s surprising all this is possible using cheap hardware, in particular the selective jammer, since it must adhere to very strict timing constraints to timely jam the targeted frames.

Finally, we demonstrate how our low-layer attacks facilitate attacks against higher-layer protocols. In particular we use our modified firmware to implement a multi-channel man-in-the-middle attack. This can then be used to attack WPA-TKIP. In this new version of the talk we also discuss how this MitM position was used in the KRACK attacks against WPA2, and several other attacks against protected Wi-Fi networks.

Mathy Vanhoef

Mathy Vanhoef is a postdoctoral researcher at KU Leuven. He is most well known for his KRACK attack against WPA2, and the RC4 NOMORE attack against RC4. His research interest is in computer security with a focus on wireless security (e.g. Wi-Fi), network protocols, applied cryptography...

Wednesday October 3, 2018 10:30 - 11:30
01. Westvleteren University


Hacking Driverless Vehicles
Are driverless vehicles ripe for the hacking? Autonomous and unmanned
systems are already patrolling our skies and oceans and being tested on
our streets and highways. Pioneering tests of autonomous vehicles were
performed in Europe and all trends indicate these systems are at an
inflection point that will show them rapidly becoming commonplace. It is
therefore a salient time for a discussion of the capabilities and
potential vulnerabilities of these systems.

This session will be an informative and amusing look at the current
state of civil driverless vehicles and what hackers or other miscreants
might do to mess with them. Topics covered will include common sensors,
decision profiles and their potential failure modes that could be
exploited. With this talk Zoz aims to both inspire unmanned vehicle fans
to think about robustness to adversarial and malicious scenarios, and to
give the paranoid false hope of resisting the robot revolution. The talk
will also contain brand new information from conversations with the US
Department of Transportation including insights into the new Connected
Vehicle and Vehicle To Vehicle Communications programs that may be
hacking-relevant well before the adoption of fully autonomous cars and
other vehicles.

Zoz

Zoz is a robotics interface designer and rapid prototyping specialist. He is a co-founder of Cannytrophic Design in Boston and CTO of BlueSky in San Francisco. As co-host of the Discovery Channel show 'Prototype This!' he pioneered urban pizza delivery with robotic vehicles, including...

Wednesday October 3, 2018 11:30 - 12:30
01. Westvleteren University


(Re)Investigating PowerShell attacks
At BruCon 2014, we presented “Investigating PowerShell Attacks” at what ended up being the precipice of widespread adoption and abuse of PowerShell in the wild. A year later, we examined how PowerShell Desired State Configuration (DSC) provided further avenues for covert persistence and C2. In this presentation, we’ll look at how these offensive techniques - and the corresponding approaches to detection and response - have evolved.

Wednesday October 3, 2018 13:30 - 14:30
01. Westvleteren University


Levelling Up Security @ Riot Games
In this talk, Mark will discuss his 5+ years at Riot Games, where the InfoSec team has developed a security program (https://engineering.riotgames.com/news/evolution-security-riot) based on feedback and self-service, across a truly hybrid infrastructure.

Starting with a recap of his 2015 BruCON talk (Feedback Security), Mark will dive into where the team failed and succeeded in the years since the talk. He will dive into areas such as:

- internal RFCs
- developer education & collaboration on solutions
- receiving feedback when the team don't hit the bar and acting on it
- in-house tools designed and developed to provide visibility into the security posture of AWS
- open-sourcing tools and contributing to other open-source projects 

An attendee should:

- see some pretty cool art (not created by Mark, obviously)
- understand where the Riot InfoSec team failed and succeeded
- learn about a self-service, feedback-driven approach to security, where the InfoSec team is embraced, not hated

Disclaimer :: There will be no cool exploits, 0days or buffer overloads in this talk.

Mark Hillick

Mark leads Player Security at Riot Games, makers of League of Legends. Prior to moving to the US, Mark built and led Riot’s InfoSec team in Europe. At Riot, he has done everything from building teams, occasional engineering, levelling up the security program, dealing with DDoS attacks...

Wednesday October 3, 2018 14:30 - 15:30
01. Westvleteren University


Social engineering for penetration testers
2009 talk overview:
In recent years, people have become more familiar with the term "social engineering", the use of deception or impersonation to gain unauthorised access to resources from computer networks to buildings. Does this mean that there are fewer successful social engineering attacks? Probably not.
In fact, because computer security is becoming more sophisticated and more difficult to break (although this is still very possible), more and more people are resorting to social engineering techniques as a means of gaining access to an organisation's resources. Logical security is at a much greater risk of being compromised if physical security is weak and security awareness is low. Performing a social engineering test on an organisation gives a good indication of the effectiveness of current physical security controls and the staff's level of security awareness. But once you have decided to perform a social engineering test, where do you start? How do you actually conduct a social engineering test?

2018 talk overview:
It’s 2018 and we can’t get enough social engineering. People are still falling for social engineering scams and criminals are using more social engineering techniques than ever. On the plus side, social engineering testers are busier than ever too. So how do you actually conduct a social engineering test in 2018? Has much changed over the past decade? Thanks to recycling, dumpster diving is a lot less disgusting, that’s for sure. Come and hear what else has changed from someone who has been delivering social engineering tests since before BruCON existed.

Sharon Conheady

Sharon Conheady is the director of First Defence Information Security (www.firstdefenceis.com) and a founding member of The Risk Avengers (www.riskavengers.co.uk). She specialises in the human side of security and has social engineered her way into dozens of organisations across the UK and abroad, including company offices, sports stadiums, government facilities and more. Sharon is a regular speaker at security events and has appeared as...

Wednesday October 3, 2018 16:00 - 17:00
01. Westvleteren University


The 99c heart surgeon dilemma
Let's assume you need heart surgery. I hope you don't, but let's just stick with it for a minute. How much would you be willing to pay for someone to fix it, and who would you hire to do it? If you are a suicidal emo kid, please do not answer, you are ruining the point here. Here's the thing: people want someone suitable and knowledgeable to cut them open and sew them up again, and they are willing to pay good money for it. Here are two things you don't want to do:

1) You don't want to hire some old drunk with a pocket knife and a sewing kit from the dollar shop who claims to fix your heart for 100 bucks.

2) You don't want to hire the same guy for 100'000 bucks when he's wearing a white coat and got shiny high tech tools because the last guy paid in advance...

What does this have to do with penetration testing? More than we like, unfortunately. I have met companies that invested thousands of dollars, expecting a pentest and getting a spiced up Nessus report as a result. More subtle nuances of "crappy pentest" might overlook essential threats and leave customers at risk with a false sense of security.

This talk will explore the common mistakes made when performing pentests, covering the test itself as well as pre- and post-engagement matters. It applies to testers and customers alike. It might also help save the rainforests.

While revisiting this talk from 2011, we will look into the question: Have things changed for the better and do we still face the same issues?

Stefan Friedli

Stefan Friedli has been working in infosec since 2003 after wasting his teenage years on assembler and shareware nag screens. He is a well-known face in the European infosec community. As a speaker at various conferences, co-founder of the Penetration Testing Execution Standard as...

Wednesday October 3, 2018 17:00 - 18:00
01. Westvleteren University


Nerdland podcast recording
For our tenth anniversary we have arranged a special event to supplement our standard conference track. On October 3rd, from 7:00 PM – 8:00 PM, one of Belgium’s most popular podcasts will be recorded in the main auditorium “Westvleteren” at the BruCON venue. From 6:30 PM, entrance is free so anybody can join!

Lieven Scheire’s Nerdland podcast brings together a bunch of nerdy science freaks to share the most important science news of the past month: interesting science facts put forward in a hilarious manner. With cyber security as a recurring topic on the show, we are sure you will like it just as much as the BruCON crew does.

After the usual conference track the bar will remain open, and a sandwich dinner will be provided at the venue for anyone who wishes to sit in the live audience.

Language spoken: English
More info: https://soundcloud.com/lieven-scheire
Twitter: @lievenscheire


Wednesday October 3, 2018 18:30 - 20:00
01. Westvleteren University
Thursday, October 4


BruCON Opening
Thursday October 4, 2018 09:45 - 10:00
01. Westvleteren University


Keynote - When Lemon Markets, Imposter Syndrome & Dunning–Kruger collide
A talk on why we struggle to secure organizations, or build useful security products (and how we can do better).

Haroon Meer

Haroon Meer is the founder of Thinkst, the company behind the well loved Thinkst Canary. Haroon has contributed to several books on information security and has published a number of papers and tools on various topics related to the field. Over the past decade (and a half) he has...

Thursday October 4, 2018 10:00 - 11:00
01. Westvleteren University


Reversing Industrial Protocols – Real World Use Cases (From zero to control in 10 minutes)
XiaK (http://security.xiak.be/en), the Center of Expertise for Industrial Automation in Kortrijk, Belgium, is a research group of Ghent University.
Recently (3 years ago), a new project was started concerning industrial security. Its main topic: create awareness for implementing in-depth network segmentation and security by demonstrating old and new vulnerabilities on commonly used industrial devices.

These include the known problems on Siemens PLCs or common switches, and demonstrating sniffing, MitM, etc.
But foremost, since the target audience is Belgium and the SMEs therein, the most used industrial hardware for this region is actually a trilogy of Siemens, Beckhoff and Phoenix Contact. All three are major and large OEMs that (should) have security as one of their concerns…

Tijl Deneut

Tijl Deneut has over 5 years of experience in the IT security sector and is, amongst others, an Ethical Hacker and an active EC-Council Certified Instructor. Tijl also teaches at the Howest University College and Ghent University, where he also leads several research projects. He has had the privilege...

Thursday October 4, 2018 11:00 - 11:30
02. Westmalle University


Finding 0days in embedded systems with code coverage guided fuzzing
Coverage guided fuzzing has become a trending technique to discover vulnerabilities in powerful systems such as PCs, and is a main contributor to countless 0days in the last few years.

Unfortunately, this breakthrough methodology is not yet applied to find bugs in embedded devices (like network routers, IP cameras, etc). We found some of the reasons as follows: 

- As closed ecosystems, embedded devices usually come without built-in shell access or development facilities such as compiler & debugger. This makes it impossible to introduce a fuzzer to directly run & find bugs inside them. 

- Even when available for download (rarely), most embedded firmware is not open source, which limits the usage of available guided fuzzers such as AFL & LibFuzzer, as these tools require source code to inject basic block instrumentation at compile time.

- Most existing work focuses on the Intel architecture, while all embedded devices run on other CPUs such as ARM, MIPS or PowerPC. Our study reveals that fuzzing tools on these architectures are sorely lacking.

This research aims to overcome the mentioned issues to build a new guided fuzzer for embedded systems. 

- We emulate the firmware so we can put in our fuzzing & debugging tools. We will first explain how we directly extract firmware from physical devices, then emulate them in a virtual machine with a lot of tricks involving static binary dependency duplication and patching firmware for NVRAM simulation, in order to feed actual responses for program configuration.

- We will introduce a new lightweight dynamic binary instrumentation (DBI) framework that supports all platforms & embedded architectures in use today, including Arm, Arm64, Mips, PowerPC & Sparc (plus, we also support Intel X86). The design & implementation of this framework will be presented in details, so the audience can also see many other applications of our DBI beyond this project. 

- We will discuss how we built a powerful guided fuzzer to run inside emulated firmware. Using our own DBI at the heart for basic block instrumentation, this requires no firmware source code, and can find vulnerabilities in binary-only applications on all kinds of embedded CPUs available.

In a limited time of just a few months, our fuzzer discovered many 0days in some widely popular embedded network devices. Among them, several vulnerabilities allow pre-authenticated remote code execution, affect millions of users, and can potentially be turned into a new botnet-worm with massive-scale infection. These bugs will be released to the public in our talk if the vendors fix them in time.

The audience can expect a deeply technical, but still entertaining presentation, with many exciting demos.

Quynh Nguyen Anh

Dr. Nguyen Anh Quynh is a regular speaker at industrial information security conferences such as Blackhat USA/Europe/Asia, DEFCON, RECON, Syscan, HackInTheBox, Shakacon, Opcde, ZeroNights, Hack.lu, Deepsec, XCon, Confidence, Hitcon, Eusecwest, etc. He has also presented his research...
Lau Kai Jern

KaiJern, Lau (xwings) is the IoT/Blockchain researcher at JD Security (JD.COM), Advisor for UnicornTeam/HACKNOWN Team and also Hack In The Box Security Conference core crew. His research focuses mainly on the hardware and software of embedded devices, blockchain security, reverse engineering...

Thursday October 4, 2018 11:00 - 12:00
01. Westvleteren University


$SignaturesAreDead = “Long Live RESILIENT Signatures” wide ascii nocase
Signatures are dead, or so we're told. It's true that many items that are shared as Indicators of Compromise (file names/paths/sizes/hashes and network IPs/domains) are no longer effective. These rigid indicators break at the first attempt at evasion. Creating resilient detections that stand up to evasion attempts by dedicated attackers and researchers is challenging, but is possible with the right tools, visibility and a methodical (read: iterative) approach.

As part of FireEye's Advanced Practices Team, we are tasked with creating resilient, high-fidelity detections that run across hundreds of environments and millions of endpoints. In this talk we will share insights on our processes and approaches to detection development, including practical examples derived from real-world attacks.

Daniel Bohannon

Matthew Dunwoody (@matthewdunwoody) and Daniel Bohannon (@danielhbohannon) are Applied Security Researchers with FireEye’s Advanced Practices Team, where they research attacker activity and develop effective detection signatures and processes (among other things). Matthew previously...
Matthew Dunwoody

Matthew Dunwoody (@matthewdunwoody) and Daniel Bohannon (@danielhbohannon) are Applied Security Researchers with FireEye’s Advanced Practices Team, where they research attacker activity and develop effective detection signatures and processes (among other things). Matthew previously...

Thursday October 4, 2018 12:00 - 13:00
01. Westvleteren University


All Your Cloud Are Belong To Us – Hunting Compromise in Azure
MongoDB, Redis, Elastic, Hadoop, SMBv1, IIS6.0, Samba. What do they all have in common? Thousands of them were pwned. In Azure. In 2017. 

Attackers have shifted tactics, incorporated nation-state leaked tools and are leveraging ransomware to monetize their attacks. Cloud networks are prime targets; the DMZ is gone, the firewall doesn't exist and customers may not realize they've exposed insecure services to the Internet until it's too late. 

In this talk I'll discuss hunting, finding and remediating compromised customer systems in Azure - a non-trivial task with 1.59 million exposed hosts and counting. Remediating system compromise is only the first stage, so we'll also cover how we applied the lessons learned to proactively secure the Azure Marketplace.

Finally, I will present research I've done into the default security configuration of Azure & AWS Marketplace images and present a call to action for teams working on Azure security offerings.

Nate Warfield

Nate Warfield is a Senior Security Program Manager for the Microsoft Security Response Center. He spent nearly 20 years designing, building and troubleshooting enterprise & carrier-grade networks for Fortune 500 companies while simultaneously moonlighting as a Grey Hat. He learned...

Thursday October 4, 2018 14:00 - 15:00
01. Westvleteren University


Forging Trusts for Deception in Active Directory
Using deception for defence in Active Directory is very fruitful. It makes it possible to target multiple phases of an adversary’s attack methodology. While attacking an enterprise network, adversaries generally enumerate the AD trusts. It is important for them to map the relationships and trusts between domains and forests, as it helps in lateral movement and post exploitation.

This talk discusses forging and implanting computers, domain and forest objects in an AD environment. Such objects target the attacker mind-set and methodology by providing easy yet high value targets. We will see how this deception technique traps an adversary across an enterprise attack cycle. 

Open source scripts for deployment of discussed techniques will also be discussed during the talk. The talk will be full of live demonstrations. 

Nikhil Mittal

Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His areas of interest include red teaming, Active Directory, attack research, defense strategies and post exploitation research. He has 9+ years of experience in red teaming. He specializes in assessing security...

Thursday October 4, 2018 15:00 - 16:00
01. Westvleteren University


Disrupting the Kill Chain
Disrupting the Kill Chain is a defender’s approach to minimizing cyber-adversary access and success in a Windows environment. It builds upon my previous work on ‘Defending a Microsoft Environment at scale’ which spoke to the innovations made in Windows 10 and the capabilities of a native Microsoft stack to launch a capable defense against most vulnerability classes. This talk is a bluebook of the most effective and efficient controls in Windows 10 and an associated Microsoft environment to disrupt the kill chain. 

This talk focuses on leveraging capabilities of a Microsoft stack to launch a capable defense against most vulnerability classes. It starts out by describing the Lockheed Martin kill chain in conjunction with the MITRE ATT&CK framework and explains how we have used it to build a defense model. We then delve into specific capabilities of the Windows subsystem to detect and respond to the various stages of an attack lifecycle, including: Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration and Command and Control (C2).

As we continue, we describe a working defense model that delves into some of the more effective and efficient controls in a Windows 10 ecosystem that address several categories of attacks. These higher efficiency controls are detailed in a few sample deployment guides that are made available on Github and based upon a “single platform approach” I’ve previously described in my other talks. We then talk about the different ways in which logging and monitoring data can be collected and analyzed at scale. We talk about implementations that extrapolate the telemetry from these indicators across Microsoft Windows to an enterprise view that reduces noise and improves signal. In order to do this, we explain how WEF works, a sample Sysmon deployment guide, how to collect rich event metadata from all Windows Event Log sources to build correlation, and finally the more recent technique of log collection and hunting using Windows Defender telemetry data. We don’t address traditional SIEM implementations but talk about specific use cases that address the MITRE ATT&CK framework. (Samples of such an approach are visible in my previous talks detailed here between Pages 16-25).

During the second half of the talk, we delve into some of the automated remediation and incident response capabilities built into the Windows Defender ATP product and how it can be used for hands-free triage and remediation through the use of automation playbooks (Hexadite). We cover scenarios from basic malware / hunting techniques such as frequency analysis, process trees and other indicators that may indicate suspicious behaviors.

In closing, we round up the topics covered, provide some disclaimers that this is not a silver bullet to all attacks, and simply reinforce the message that basic hygiene and a handful of properly implemented controls are indeed effective in disrupting the kill chain.


Vineet Bhatia

Vineet Bhatia (@ThreatHunting) runs cybersecurity operations. His work focuses on digital forensics, threat hunting and aviation cybersecurity.

Thursday October 4, 2018 16:30 - 17:30
01. Westvleteren University


Hunting Android Malware: A novel runtime technique for identifying malicious applications
In this research, we propose a novel technique to identify malicious Android applications by analyzing the heap of Android applications at runtime.

Android malware is a continuing problem in the Android ecosystem, even after 8 major Android releases. Android currently relies on implicit and explicit user participation to identify malicious applications, both on the Play Store and on devices. Currently multiple techniques exist to identify malware, such as code signatures, hashes, permission analysis and manual static analysis. These techniques rely on the premise that whoever or whatever performs the analysis has access to the Android application (APK). However, performing these analysis techniques on devices is resource intensive, time consuming and also dependent on access to the APK.

What if no access to the APK is required to identify whether an application is malicious? Currently no capability exists to scan for malicious applications at runtime on Android devices; at best there is static analysis of the application and its permissions. Additionally there is the Android Attestation framework, which attempts to provide information on the state of the device but does not provide information on the state of running applications.

In this research, we propose a novel technique to identify malicious Android applications by analyzing the heap of Android applications at runtime. The proposed technique does not require access to the contents of the APK, nor does it require write access to the application sandbox or memory, only read access to the process heap. The analysis of the heap allows the proposed technique to identify the instantiated objects for a particular application. The identification and analysis of instantiated objects for Android applications can be used to effectively identify applications that are making use of, and implementing, dangerous functionality such as DexClass loaders and other well known objects that exhibit malicious behaviour.

The results of this research are showcased as a PoC, which shows how the technique can be bundled into the Android ecosystem as part of the Android Attestation Framework. The inclusion of this research as a system service via the Attestation Framework can enable the Android operating system or user to identify malicious applications at runtime via any Android application.

Christopher Le Roy

Chris is a security researcher based in London. He has not had an unusual entrance to infosec, coming from a Computer Science background which led him to dabble in software development for some time. This resulted in Chris realising he is a terrible dev and prefers breaking things, which...

Thursday October 4, 2018 17:30 - 18:30
01. Westvleteren University
Friday, October 5


Keynote - 5.256e+6 minutes in a decade
There are 5.256e+6 minutes in a decade, and in all of those minutes, a lot has changed since BruCON first started. This keynote puts on the rose-tinted glasses and delves into some of the more pressing issues we've faced over the past decade and tries to understand if we are getting better, or if things are still the same.

Daniel Cuthbert

Daniel Cuthbert is the Global Head of Cyber Security Research for Grupo Santander. With a career spanning 20+ years on both the offensive and defensive side, he’s seen the evolution of hacking from small groups of curious minds to organised criminal networks and nation state...

Friday October 5, 2018 10:00 - 11:00
01. Westvleteren University


Exploits in Wetware
Robert discusses his third place experience at the DEF CON 2017 SE CTF and how his efforts clearly show how easy it is to get sensitive information from any organization. The 2017 Verizon report clearly shows the dramatic growth rate of social engineering attacks, and Robert demonstrates how he collected hundreds of data points from the target organization using OSINT techniques. He then goes into the vishing strategy he implemented to maximize the points he collected in the 20 minute live contest. Without much effort Robert was able to learn their VPN, OS, patch level, executive personal cell phone numbers and places of residence.
Robert lifts the curtain of the social engineering world by showing tricks of the trade such as the “incorrect confirmation”, which is one of many methods to loosen the tongues of his marks. Robert then shows the pretexts he designed to attack companies and the emotional response each pretext is designed to trigger. By knowing these patterns we can better educate our staff.
With that much information at his fingertips, how long would it take him to convince your executive to make a bank transfer? If your organization lost a few million dollars due to social engineering, who would be to blame? Are you insured for that? Who is getting fired? 
Robert wraps up his talk with a series of strategies companies can take to reduce exposure and risk. He goes over current exposure, building defenses, getting on the offense and finally… a culture shift. 

Robert Sell

Robert is a Senior IT Manager in the aerospace industry where he spends most of his time managing InfoSec teams. While his teams focus on the traditional blue/red team exercises, lately he has spent an increasing amount of time building defenses against social engineering. Robert...

Friday October 5, 2018 11:00 - 12:00
01. Westvleteren University


Operator Jail Breakout
Operator stations are today one of the first systems/stations to interact with a distributed control system (DCS) or other industrial control systems. These operator stations often have some protection built in to restrict what the operator can do within the SCADA software and/or on the operating system itself.

Within this presentation, some of the most (easily) discovered ways are shown and explained, along with how these can be (ab)used to gain a further foothold within the environment.

The audience will learn more about the shortcomings of most operator jail solutions and what could be done to step up this game and secure this properly. The key takeaway for the audience is that you cannot trust operator jails to properly prevent attackers from gaining access to the operating system itself and thus potentially exploiting the whole DCS environment.

Frank Lycops

Frank is a freelance security consultant and researcher. He has 8 years of experience in both IT and OT environments. During his work, he has performed numerous penetration tests on OT environments, helped improve the overall security of various environments and discovered several...

Dieter Sarrazyn

Dieter is a freelance OT security expert who has worked extensively on industrial control system security, including more than 10 years in a large electricity generation company. He performs SCADA security assessments, provides assistance in securing SCADA environments and helps customers...

Friday October 5, 2018 11:00 - 12:00
02. Westmalle University


Outside the Box: Breakouts and Privilege Escalation in Container Environments
Containers have quickly become a standard feature of most application and infrastructure stacks. The benefits of containers are numerous, with ease of use being a primary motivator. This has seen adoption by numerous cloud service providers. Application containers are expected to be a $2.7bn market by 2020[1]. The most popular container solution, Docker, has had 14 million hosts accessing their public Docker Hub, pulling down 12 billion container images[2]. At least 40% of organizations using Docker are also using a container orchestration service such as Kubernetes, Mesos, Amazon ECS, or Google Container Engine[3]. 

Escaping these container solutions is seen as a hard problem, requiring kernel vulnerabilities, bespoke ROP chains, or framework flaws. This is not the case! In this talk we will explore, from an attacker's perspective, real-world exploitable setups we've encountered. We will demonstrate numerous container escapes, including exposed Docker daemons and Kubernetes API access in multi-tenant environments, weak Linux capability blacklists and seccomp bypasses. These are not theoretical vulnerabilities or contrived lab examples, but actual misconfigurations we've seen in large cloud service providers. 

Many container operators and developers don't understand the implications of certain configurations, or the attack surface created where the container technology meets the Linux kernel and other subsystems. Secure design and configuration of a container environment requires a deep understanding of Unix sockets, networking and namespaces, and an equally deep understanding of container RPC and orchestration endpoints. Small, easy-to-overlook missteps such as using the wrong network namespace, exporting the wrong port, or overlooking one of the hundreds of Linux syscalls can have disastrous results.

The talk will provide a methodology that security professionals can use when assessing containerized environments and we will demonstrate attacks against common deployments. We will also cover configuration recommendations for engineers to avoid these mistakes and tools you can use to check for a safe configuration. 


Craig Ingram

Craig is a Principal Platform Security Engineer at Salesforce with over 12 years' experience in the security industry. At Salesforce, Craig is hands-on with secure SDL/DevOps implementation and automation, penetration testing, and security research including reverse engineering...

Etienne Stalmans

Etienne is a member of the Public Cloud Security Group at Salesforce, and a security researcher with a keen interest in protocol reversing and finding ways to abuse functionality in everyday products. He completed an MSc in Network Security, focusing on botnets and DNS. He has spoken...

Friday October 5, 2018 12:00 - 13:00
01. Westvleteren University


Dissecting Of Non-Malicious Artifacts: One IP At A Time
For years, anti-malware solutions at many levels of the network have been assisted by online anti-virus aggregation services and online sandboxes to extend their detection capability and identify unknown threats. But this power booster comes with a price tag. Even today, enterprises all over the world are using security solutions that, instead of protecting the data, flag it as suspicious and share it with online multi-scanners. The result is drastic. All that separates a hacker from extracting that data on a daily basis is a couple of hundred euros a month, a price that is easily covered if the hacker finds a man of interest. In just a couple of days, one skilled hacker can build an intelligence platform that could be sold for 10 times the money they invested.
The data is being leaked daily and the variety is endless. In our research, we dived into these malware-scanning giants and built sophisticated Yara rules to capture non-malicious artifacts and dissect them for secrets you never thought could be extracted from their chamber. But that's not all.
We will show the audience how we built an intelligence tool that, upon insertion of an API key, will auto-dissect a full dataset. In our talk we reveal the awful truth about allowing internally installed security products to be romantically involved with online scanners.


Dani Goland

Dani Goland is a 23-year-old coding machine. At the age of 20 he founded his own boutique company for innovative software and hardware solutions. While gaining experience in the business field, Dani did not neglect his hands-on capabilities. In just a short while he won two coding...

Ido Naor

Ido Naor is a Senior Security Researcher at GReAT, a team of researchers tasked by Kaspersky Lab with investigating the most prolific APT incidents, ransomware distribution, banking heists and other types of internet hacking monsters. Ido focuses on threats in the middle...

Friday October 5, 2018 14:00 - 15:00
01. Westvleteren University


IoT RCE, a Study With Disney
As desktop and server security keeps raising the baseline for successful exploitation, IoT devices are still stuck in the 1990s, despite their ubiquity in every home network. This, coupled with the ability to access them from anywhere, is creating a time-bomb situation in which millions of households are left vulnerable, regardless of any network security posture.

These topics will be examined using the "Circle with Disney" and Foscam devices as case studies. During the course of the vulnerability testing of these devices, over 50 CVEs were discovered, of which discussion will focus on the more novel attack techniques seen within the Disney Circle, including:
- SSL certificate attribute validation bypasses
- SSID broadcasting injection
- Use-Between-Realloc memory corruption
- Cloud routing abuse

Finally, there will be discussion of IoT devices' use of traditionally offensive tools (ARP poisoning, backdoors, and beaconing) for central functionality.


Lilith Wyatt

Lilith is a Research Engineer with the Talos Security Intelligence and Research Group at Cisco. She has done open source and closed source research on a variety of products, resulting in CVEs on products from vendors including VMware and Zabbix, and has also done internal research on...

Friday October 5, 2018 15:00 - 16:00
01. Westvleteren University


Mirror on the wall: using blue team techniques in red team ops
When performing multi-month, multi-C2-teamserver and multi-scenario red team operations, you are working with an infrastructure that becomes very large quickly. This makes it harder to keep track of what is happening on it. Coupled with the ever-increasing maturity of blue teams, this makes it more likely that the blue team is somewhere analysing parts of your infra and/or artefacts. In this presentation we'll show you how you can use that to your advantage. We'll present different ways to keep track of the blue team's analyses and detections, and to dynamically adjust your infra to fool the blue team.

We will first set the scene by explaining common and lesser-known components of red teaming infrastructures, e.g. dynamic redirectors, domain fronting revisited, decoy websites, HTML smuggling, etc. Secondly, we'll show how to centralize all your infrastructure's and ops' information in an ELK stack, leaving it open for intelligent querying across the entire infrastructure and operation. This will also help with better feedback to the blue team at the end of the engagement. Lastly, we'll dive into novel ways of detecting a blue team's investigation and we'll give examples of how to react to these actions, for example by creating honeypots for the blue team.


Mark Bergman

Starting coding COBOL85 on the ING mainframes at the age of 16, I swiftly learned several programming languages and querying formats. After aiding in compiling the first TCP/IP stack on the ING test mainframe I decided to dive into WinNT development and before I knew it I was digging...

Marc Smeets

Marc is a senior IT security expert, red teamer and ethical hacker. With 12 years' experience in IT security and 3 years in IT operations he knows how to ‘make’ and ‘break’. In early 2016, he co-founded Outflank, a new company solely focussed on red teaming, complex penetration...

Friday October 5, 2018 16:30 - 17:30
01. Westvleteren University


Process Control through Counterfeit Comms: using and abusing built-in functionality to own a PLC
Programmable Logic Controllers (PLCs) are devices that factories, office buildings, and utilities, among other facilities, use to control the processes running in their environment. These devices were designed to do their job and do it well; however, they were not built to protect against malicious actors. This talk walks through some of the vulnerabilities discovered while investigating a well-known PLC, discussing some of the methodologies used in discovery and showing how stringing together a few seemingly minor vulnerabilities can result in device takeover.


Jared Rittle

Jared Rittle is a security researcher with Cisco Talos who spends his time focusing on the discovery, exploitation, and coverage of vulnerabilities in the embedded systems found in Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA), and Internet of...

Friday October 5, 2018 17:30 - 18:30
01. Westvleteren University


BruCON Closing
Friday October 5, 2018 18:30 - 18:45
01. Westvleteren University