All Articles

Turbo Talks

How the Heartbleed bug was found?

Antti Karjalainen discoverer of Heartbleed

The Heartbleed bug was a catastrophic vulnerability in widely used OpenSSL TLS implementation. This talk will give background how the Heartbleed bug was found by Codenomicon. The mechanism that initially detected the vulnerability is presented. It is also discussed what made the Heartbleed bug so severe, and what kind of factors would have mitigated the consequences of the vulnerability.

Bitcoin Transaction Malleability - An Insight

Daniel Chechik

5 Real ways to destroy business by breaking SAP Applications

Alexander Polyakov 

Do you know where all the critical data of your company is stored? Is it possible for attacker to commit sabotage or espionage against your company by breaking into just one of your business critical systems? And if so - what kind of systems could be under attack? Is it easy to break them? Is it a myth that SAP systems could be accessed only internally? Time has come not only to answer all of these questions. This time the real examples of different attacks on Enterprise Business application systems will be shown, based on eight-year research experience in that field. First of all we will cover all possible business risks related to each end every type of systems such as ERP, SRM, HR, Business Intelligence, PLM’s and Industry solutions so that every high level executive will get the full understanding of what could happen. After that, we will show examples of how easy is it to do such critical actions in different systems by exploiting vulnerabilities and misconfigurations from more business-related - such as Abusing SRM systems - to win the bid, for example. From frauds in HR system and salary-increasing to more technical things, such as drilling into corporate network via SAP Portal or delivering backdoors, which look like official updates via SAP Router. Our presentation will be the first to show real threats for business during those attacks with demo of the most interesting ones, and a guide to avoid them from EAS-SEC.

A journey to protect POS

Nir Valtman Discoverer of Point-of-Sale Vulnerabilities

From Target to other retail chains were all about 'POS'. Point-Of-Sale vulnerability has been at its peak for a while. This talk illustrates the POS vulnerabilities from both retailer and software vendor's perspective. Get an insight into how the POS devices are compromised including difficult methods like memory scraping. This talk will demonstrate the working of POS vulnerability and how threats can be minimized. It will also explain the ways to mitigate the risk while you get the basic concepts and get to know which of these actually work.

Intrinsic Leadership

Deb Maes Neuro-Linguistic Master Practitioner & Trainer

This talk illustrates a new effectiveness model for modern leading, a new method of better HR management and how to harness great potential in your human resources. Learn to harmonize thoughts, emotions and intuition to create coherence between your thinking modalities and become grounded and confident in decision making — emerge a better, human-centric leader. The talk includes the cognitive and emotions aspect.

Cyber Safety in Cars and Medical Devices 

Beau Woods - Creator of IOT Security Framework

We are adopting connecting, computerized technology faster than we are able to secure it. When this technology is integrated into life and safety systems, bits and bytes meet flesh and bone. We must know, not just hope, that devices with the ability to impact human life and public safety are worthy of our trust. Learn how the safety impacts of merging cyber security with cars and automobiles impacts all of our safety. Learn the current state of research and what it tell us about these devices' resilience to accidents and adversaries. Understand why our current approaches to cyber security won't work and, in many cases, will be more dangerous than doing nothing.

The notorious 9 in Cloud Security

Moshe Ferber 

Cloud Computing presents major opportunities and benefits for the organization worldwide. It is scalable, flexible and efficient. But along with those major advantages, comes the threats. Most Cloud Computing threats and risks are well documented, but we are missing information regarding how those threats can be put into practice in the real world, what are the attack vector used and what is the risks and results for those events. In the presentation we will elaborate the notorious nine Cloud computing threats as described by the Cloud Security Alliance, and for each threat we will provide recent examples for known incidents, the attack vectors used and the damage resulted from the incident. By understanding the risks and case studies, we can better prepare our organization for cloud adoption. Among the recent events we will explore: Supply chain attacks, Attacks for Bitcoin mining, Attacks on the management GUI, API manipulation and more. We will talk about recent incidents for such as Code-spaces.com hack, Buffer and Mongo DB OAUTH credential theft, attacks on Twitter and Microsoft and many more.

More Shadow Walker- The Progression Of TLB-Splitting On X86

Jacob Torrey - Discoverer of TLB-Splitting on x86

This talk will cover the concept of mis-using the hardware (x86 translation lookaside buffer) to provide code hiding and how the evolution of the Intel x86 architecture has rendered previous techniques obsolete and new techniques to perform TLB-splitting on modern hardware. After requisite background is provided, the talk will then move to the new research, the author's method for splitting a TLB on Core i-series and newer processors and how it can again be used for defensive (MoRE code-injection detection) and offensive purposes (EPT Shadow Walker root-kit). This talk will be very high-level but aims to convey the complexities of the hardware and possible attack vectors that can happen at the lowest-levels of an organization's IT infrastructure.

Ants and Elephants in the CISO's Office

Paul Raines - CISO, UNDP

I will show how ISO 9001 and ISO 27001 can be used together to deliver business value and demonstrate to executive management and key stakeholders that you are exercising due diligence in protecting your organisation's information assets. The talk will briefly discuss the requirements of the two standards and show how ISO 27001 and ISO 9001 can be used to address both the tactical challenges of information security (the ants) as well as the strategic challenges of delivering business value (the elephants).

Embedding risk assessment into your project workstream

Michael Calderin - Security Officer, Bupa Global Latin America

Position information security more strategically within your organization by managing information risks early in the project lifecycle. A concise Impact Assessment can help you address serious risks at a time when they can be best addressed. Encourage your audience to participate by creating an unobtrusive process that engages the project team and security team and promotes dialog. This has been key in integrating information security into business and IT workstreams and demonstrating that information security personnel can and should be consulted whenever questions arise. With minimal effort, this type of thinking can create major impact for you and your organization.

Application Security Best Practices

Yuval Idan

Cybercrime is rising exponentially and millions of are at risk. Yuval Idan, APAC Technical Director at Checkmarx, will be speaking about today's prominent vulnerabilities and how Source Code Analysis (SCA) can help tackle these issues.The main topics of this talk include: Integrating Security as part of the Software Development Life Cycle (SDLC),  learning how to engage developers in the Security Process and turn them into Champions with the help of a Source Code Analysis Solution (SCA) along with how to identify and fix security vulnerabilities early to significantly reduce costs Yuval will demonstrate live how these goals can be achieved.

Actionable Security Intelligence

Derek Manky

Heartbleed, Shellshock are just two of many critical vulnerabilities that are present in hundreds of thousands of embedded devices that are connected to the 'Internet of Things'. This talk will overview embedded vulnerabilities including ones discovered by FortiGuard Labs to shed light on a much larger issue at stake. This review will highlight the state of IoT security moving forward in 2015. Security strategy will be discussed including vendor response (PSIRT) and practical protection measures. Heartbleed has subsided, Shellshock is on stage - but many similar vulnerabilities need to be addressed with priority.

th

Workshops & Trainings (20-21 Nov)

Fuzz Testing Techniques for Discovering Zero Days

Antti Karjalainen ( discoverer of Heartbleed ) 

The workshop gives an introduction to fuzz testing. Common fuzzing techniques are presented, and it is discussed, what makes a good fuzzer. Different kind of failure modes that can be triggered by fuzz testing are demonstrated with real-world examples. It is also demonstrated, how the triggered failures can be detected automatically by using sophisticated oracles.

Implementing SAP security

Alexander Polyakov ( The father of ERPScan )

An SAP system is the heart of any large company; it enables all critical business processes, from procurement and payment to human resources and financial planning. All of the data stored in ERP systems is of great importance, and any illegal access can mean enormous losses, probably even termination of business processes. Within the last 7 years, SAP security experts have spoken a great deal about various attacks on SAP. Interest in the topic has been growing exponentially. This session will provide practical steps of implementing SAP Security in company from the beginning based on a real case-study in one of the world-lagest airlines.

Defending Online Attacks on Cloud Instances

Nir Valtman ( Discoverer of Point-of-Sale Vulnerabilities ) & Moshe Ferber ( Cloud Security Entreprenuer )

"Cloud instances lifecycles is changing. Instances can launch up, process hug amounts of data and terminate, and al within range of minutes."

This life cycle makes traditional security processes such patches, vulnerability scanning, hardening and forensics impossible due to lack of maintenance time. New methods must be adapted in order to cope with those challenges.Our idea is a technical live demo. For each part of the cloud instance lifecycle (instaling, launching, procesing, terminating) we show the atacking surface and how we implement the new automated security procedures (automatic patches, encryption of volume storage, automate configuration, log alerting, provisioning encryption keys) in order to reduce the atack surface and eliminate risk." 

Overview of Harwdware Level Security

Jacob Torrey ( Discoverer of TLB-Splitting on x86 )

In this workshop, a brief summary will be provided on the current state-of-the-art in kernel and hypervisor-level attacks and defenses and how the cat-and-mouse game that is on-going in this field can impact your organization. After reviewing the threat landscape, the discussion will move to mitigation strategies and how to fold defending against these types of attacks into existing business models. A holistic view of the adversary model targeting OS and hypervisors will be provided and ranked against other common threats. The audience should leave this workshop with a better understanding of what is possible, what is common and what they can or should do to protect their organizations.

Building an Incident Management Program

Paul Raines ( CISO @UNDP,ex-OPCW )

The workshop will cover the ABCs of putting together an information security incident response team (ISIRT). It will cover the basics of being able to protect, detect, respond and learn from incidents. Based on industry best practices and the lessons learned from experience, the workshop will provide practical advice on how to develop an effective ISIRT with even limited resources.

Protecting SCADA environments

Daniel Lakier, CTO & President at SeeGee Technologies

This talk will take you through the fundamentals followed by the advanced levels of SCADA. What is SCADA, Why do we need to care, What are the Risks & Challenges,Operational Practical ( IT challenges), Why the traditional answer isn't enough. According to Daniel, The best answer today is Stealth Networking and next generation two factor authentication.

Network Machine Learning and the Security Industry: Past, Present, And Future

Bob (Robert H) Klein, Black Hat 2015 Speaker

Lessons learnt from recent Cyber-attacks on SAP systems

Alexander Polyakov 

This talk will take you through the past attacks on SAP systems in history and 10 lessons learnt from it. 

Since for a long time, almost no real attacks on SAP and Oracle ERP systems were known to the public, it gave CISOs a false sense of security. While the number of breaches in less critical applications was increasing rapidly, and so was the awareness, only a small group of professionals were aware of attacks on business applications. The most popular example of such fraud was to create a fake vendor and a payment order for this vendor and then to approve it. According to the Association of Certified Fraud Examiners, losses from internal fraud constitute 7% of profit on average. To prevent those types of attacks, the segregation of duties concept was created. ERP security isn’t limited to SoD. The issue of unauthorized access to system and user accounts via vulnerabilities now matters. Moreover, the increasing number of SAP vulnerabilities in ERP systems (from 100 in 2007 to 3500 in 2015 only in SAP) makes these issues more critical than ever. But what’s more important, in 2012 we saw a first sight of cyber-attack via SAP Vulnerabilities. Our predictions proved accurate and by now we have witnessed a number of examples from Anonymous attacks on Greek Ministry of Finance via SAP to the attest breach of US Investigation Services (a largest subcontractor of OPM) that led to company’s bankruptcy. In this talk, take a look at the history of ERP attacks and learn 10 lessons how to avoid them.

Building Immune Systems For Our Enterprises: Detecting Emerging Threats in real Time

Dave Palmer, Director of Technology, Darktrace

This talk will take you through a new perspective to realize how the math evolves to detect and emerge from the threats. Learn the algorithms behind, statistics, probability, the techniques, its evolution and how it can create the immune system for your organization.

United Nation's program to help developing nations in IT Security

Paul Raines - CISO, United Nations Development Programme

Cybersecurity assistance for developing nations. This talk will highlight a new initiative within the United Nations Development Programme (UNDP) to provide cybersecurity assistance to the governments of developing nations to help protect their critical national infrastructure and digital economies. UNDP uses its own experienced, award winning cybersecurity team instead of hiring expensive, outside consultants. Thus, UNDP can deliver services to its clients at less cost, less overhead and with the hands-on experience of a team of world recognised experts. The services to be provided include cybersecurity training, risk assessment, incident response training and exercises, training in business continuity/disaster recovery and preparation for ISO 27001 certification.

wh

Top Technical Tracks