HackCon#12 - 2017

Program HackCon#12

Wednesday - day 1, 15. | 2 | 2017

08.15                 Doors open
08.15 – 11.00    Registration HackCon#11
09.00 – 09.15    Administrative information

09.15 - 10.00 State of the Union 
"Technological development is making society ever more vulnerable. Competent actors have the opportunity to gain access to vital parts of Norwegian society's digital infrastructure. Technological development means that the methods are evolving rapidly, and contributes to it becoming ever more difficult to uncover and identify states, groups and individuals operating in the digital space.


Developing malware and delivery methods on the one side, and mechanisms for detection and protection on the other, has begun to take the form of a race. The spread of technology makes it possible for ever more states, groups and individuals to develop new methods and techniques. This development will contribute to more organizations and new types of targets being attacked. Advanced malware and complex operations are therefore being made public to a considerable extent (Fokus 2016 – E-tjenesten threat report)".


Cyberattacks against Norwegian infrastructure now happen daily and at a very high pace. KraftCERT, TelenorCERT and FinansCERT all work to defend Norwegian critical infrastructure. For the first time they will stand together on stage to give a "State of the Union" and talk about:


 - What a CERT is, and that a CERT is not a CERT
 - What are the threat landscapes?
 - How do they meet the threats in order to safeguard Norwegian critical infrastructure?
 - Who do they get help from?
 - Which threats and challenges are expected in the future.


The talk will be given by Margrete Raaum, Frode Hommedal and Morten Tandle.


Frode Hommedal is head of "Incident Response and Security Analytics" at Telenor Cert. Frode has long experience with CERT work and information security, as well as with how critical infrastructure can be protected effectively.


Morten Tandle is managing director of FinansCERT. Morten has broad experience with security in the defence, telecom and banking/finance sectors, including handling attacks on online banks and payment services.


Margrete Raaum is managing director of KraftCERT and chair of the board of FIRST (Forum of Incident Response and Security Teams). Margrete has worked with information security since 1998 and has, among other things, built up Norway's first CERT – UiOCert.


Frode, Morten and Margrete are regarded as leading experts in Norway in information security and protection of critical infrastructure. Come and learn from some of the foremost in Norway in protecting critical infrastructure how you can prepare for tomorrow's security challenges.

10.15 - 11.00 These unknown attacks will own your top secure systems - even if they are not connected to the Internet - Rogan Dawes - South Africa
At HackCon#12 we will cover some novel USB-level attacks, which can provide remote command and control of even air-gapped machines with no Internet access, with a minimal forensic footprint, using an open-source toolset on freely available hardware.


This session is an eye opener on how your most secure systems, even if they are air-gapped and without Internet access, can be attacked and controlled, and how you should secure them!


USB-keyboard attacks are not new, but there is still room for improvement. Our toolkit provides three significant improvements over existing work. The first is the ability to communicate with the device remotely via WiFi, allowing for updates to the payloads, exfiltration of data, real-time interaction with the host and an ability to debug problems.


The second is the ability to gain a stealthy bi-directional channel with the host via the device. No traffic is generated on the target's existing network interfaces (i.e. it would work against air-gapped hosts). Finally, the stub running on the host will leave a minimal forensic trail, making detection of the attack, or analysis of it later, difficult.


Rogan Dawes is a senior researcher at SensePost and has been working with security since 1998, which, coincidentally, is also the time he settled on a final wardrobe. He used the time he saved on choosing outfits to live up to his colleagues' frequent joke that he has an offline copy of the Internet in his head.


Rogan spent many years building web application assessment tools, and is credited as having built one of the first and most widely used intercepting proxies, WebScarab. In recent years, Rogan has turned his attentions towards hardware hacking; and these days many suspect him to be at least part cyborg. A good conversation starter is to ask him where he keeps his JTAG header.

11.15 - 12.00 Doing hopscotch, double-dutch, and gymnastics in your network - Joe McCray - US
This presentation will cover the newer advanced methods of lateral movement, pivoting and tunneling used by hackers today. Techniques like pass-the-hash, pass-the-ticket, pivoting, port-forwarding, and ICMP/DNS/HTTP/HTTPS tunneling will all be demonstrated.


Joe McCray is a US Air Force Veteran and has been in the IT Security field for over 12 years. He has worked extensively with the medical community, the financial industry, retail, the federal sector, the Department of Defense, 3-letter agencies, and several foreign governments. His technical background is very broad with over 20 industry certifications and experience covering networks, web applications, binary applications, mobile applications and his expertise is in bypassing IT Security Systems.

12.00 - 13.00 Lunch

13.00 - 13.15 Empire – Your best friend to secure your systems – Will Schroeder / Jared Atkinson - US
PowerShell has changed the way Windows systems/networks are attacked. PowerShell is setting up a completely new ball game in security thinking on the Windows platform. PowerShell can interact with .NET, WMI, COM, the Windows API, the Registry and other computers on a Windows domain, and these can be attacked or secured with PowerShell.


We will show how attackers and criminals can use PowerShell to attack and compromise your whole system or some vital part of it, and how you can use PowerShell to secure and protect your system. You should not miss this session if you want to secure and protect your Windows system from the new attack vectors with your best friend - Empire.


The PowerShell Empire project, a pure PowerShell post-exploitation project that packages together a wealth of new and existing offensive PowerShell tech into a single weaponized framework, is one of the projects driving this newfound awareness. However, hope is not lost, as PowerShell itself can help to detect these offensive abuses.

This session will demonstrate Empire 2.0, the new Empire architecture, and demonstrate its full capabilities using nothing but Microsoft's built-in scripting language. We will then switch gears and show how PowerShell itself can help detect various Empire actions. Uproot IDS is a WMI based Intrusion Detection System, which together with PowerForensics (a PowerShell based disk forensics platform) can catch or triage nearly every Empire action, including unmanaged process injection, lateral movement techniques, privilege escalation, and much more.

This session will be held by two of the world's leading authorities in PowerShell and Windows security, Will Schroeder and Jared Atkinson.


Will (@harmj0y) is a security researcher and red teamer for Veris Group's Adaptive Threat Division. He is a co-founder of Empire/Empyre, BloodHound, and the Veil-Framework, developed PowerView and PowerUp, is an active developer on the PowerSploit project, and is a Microsoft PowerShell MVP. 


Jared (@jaredcatkinson) is the Defensive Services Technical Lead with Veris Group's Adaptive Threat Division. Before working for Veris Group, Jared spent four years leading incident response missions for the U.S. Air Force Hunt Team, detecting and removing Advanced Persistent Threats on Air Force and DoD networks. Passionate about PowerShell and the open source community, Jared is the lead developer of the PowerForensics project (an open source forensics framework for PowerShell) and maintains a DFIR focused blog.

14.00 - 14.45 Silent RIFLE: How to take control of all your systems - Kyoung-Ju Kwak – South Korea

Kyoung-Ju Kwak will hold this session. In 2016, an APT group tried to infiltrate Korean industry. Kyoung-Ju analyzed and profiled some malware samples in February 2016, which led him to the conclusion that the malware was suspiciously related to the APT group that had attacked Korean industry and interests for a long time.


The group has been dubbed "RIFLE" due to the project name identified in the samples. One of these malware samples used a legitimate code-signing certificate; that is, "RIFLE" hacked a well-known IT solution provider using a 0-day and stole code-signing certificates. Further analysis of big data collected from network monitoring devices installed at financial companies in Korea showed that "RIFLE" targeted many financial companies, including every major bank in Korea.


Kyoung-Ju and his team urgently shared this information with law enforcement agencies, and also cooperated with them in investigating C&C servers and infected computers. The investigation indicated that thousands of computers were compromised and that a huge amount of data was being leaked. It was also discovered that the 0-day vulnerabilities were used to penetrate the company network.


Kyoung-Ju will give a presentation about how they used big data collected by the SOC to detect the cyber-espionage attempt and how they mitigated the damage before the last step of the cyber terror. Finally, he will show you in depth the vulnerabilities and malware related to these issues, so that you can be aware of the techniques the APT group uses to penetrate your systems and take proper steps to secure your organization.


Kyoung-Ju Kwak is a Security Researcher at the South Korean Computer Emergency Analysis Team, FSI (Financial Security Institute). He currently works on threat analysis and dissects potential threats to the Korean financial industry. He audited the national SCADA system and the Ministry of Land with "the Board of Audit and Inspection of Korea" as an Auditor General in 2016. He currently acts as a member of the National Police Agency Cyber-crime Advisory Committee, and has also received the Minister of Interior's Excellence Award, National Cyber Security Awards 2016.

14.45 - 15.15 Break

15.15 - 16.00 How your virtual machines can be hacked in a cloud environment - Dr. Ronny Bull - US

If you are concerned about the security of your virtual machines in a cloud environment – attend this session. Cloud service providers offer their customers the ability to deploy virtual machines in a multi-tenant environment. These virtual machines are typically connected to the physical network via a virtualized network configuration. This could be as simple as a bridged interface to each virtual machine or as complicated as a virtual switch providing more robust networking features such as VLANs, QoS, and monitoring.


In this talk I will discuss the effects of VLAN hopping, ARP poisoning and Man-in-the-Middle attacks across every major hypervisor platform, including results of attacks originating from the physically connected network as well as within the virtual networks themselves.  Each attack category that is discussed will be accompanied by a detailed proof of concept demonstration of the attack.


Dr. Ronny Bull will hold this presentation. Dr. Bull is an Assistant Professor of Computer Science at Utica College with a focus in computer networking and information security. He earned his Ph.D. in Computer Science from Clarkson University in 2016, with a focus on Layer 2 network security in virtualized environments.


He also co-founded and is one of the primary organizers of the Central New York Intercollegiate Hackathon event which brings together students from regional colleges to compete against each other in offensive and defensive cybersecurity activities. Dr. Bull is also the owner and principal consultant of Adirondack IT Solutions, LLC which is a small engineering and consulting firm based in Upstate New York.

16.15 - 17.00 Catch Me If You Can
Norwegian society is considered one of the world's most high-tech societies. But the digital society has also made us vulnerable. Attacks against Norwegian infrastructure and organizations are increasing in both scope and complexity. Protecting our systems is critical to maintaining social order and the functions of organizations.

That is why this is an important talk. This talk does not cover how one gains access to a company's network, but focuses on what happens once access has been obtained. Among other things, the talk covers what an attacker sees once he has a foot inside the network, common mistakes Norwegian companies make over and over again in their internal networks, and which measures would have detected the attack.

This talk is based on the experience of a Red Team that over several years has carried out many attacks against Norwegian organizations to test their vulnerability. The talk is unique and gives unique insight into the operational security state of Norwegian infrastructure and Norwegian organizations. This talk will give you good insight into how you can protect your organization better and make your security work more effective.

The speakers are Eivind Utnes and Christian A.H. Hansen. Both Eivind and Christian are leading experts in information security and possess extensive knowledge of the field.

Eivind has worked as, among other things, a pentester, course instructor, red teamer and head of security. He focuses on finding solutions for companies that are appropriate and scalable. Eivind currently works at Watchcom Security Group.

Christian works as an adviser, pentester and red teamer. He helps organizations improve their security by finding vulnerabilities in systems and demonstrating their consequences, so that they can be fixed before they are exploited by malicious attackers. Christian currently works at Watchcom Security Group.


17.00 Social event

Here you have the opportunity to make contacts and get to know others. The network provides a light dinner, entertainment and more.

23.00    Doors are locked


Thursday - day 2, 16. | 2 | 2017

08.15 Doors open

09.00 - 09.45 Blockchain: Hype or Hope for next generation cyber security? - Radia Perlman - US

"Blockchain" is a technology that powers Bitcoin, and has gotten a lot of press. There are many articles about eagerness to apply it to all sorts of problems beyond Bitcoin, from supporting IoT, banking, to protecting the nuclear arsenal. In this talk, we will explain how Bitcoin's blockchain technology works, and its properties, including efficiency, security, and anonymity. 

There is a lot of misinformation about it, and to further the confusion, researchers are naming all sorts of things "blockchain" that bear little resemblance to the original blockchain. So is blockchain a revolutionary technology that will enable not only electronic money, but all sorts of other applications in the name of security? Or is it an unsalable fad that will fade away?

Radia Perlman will hold this session. Radia is often named the "mother of the Internet", and has made many contributions to the fields of network routing and security protocols including robust and scalable network routing, spanning tree bridging, storage systems with assured delete, and distributed computation resilient to malicious participants. She wrote the textbook Interconnections, and co-wrote the textbook Network Security.


She holds over 100 issued patents. She has received numerous awards including lifetime achievement awards from ACM's SIGCOMM and Usenix, election to the National Academy of Engineering, induction into the Internet Hall of Fame, and induction into the Inventor Hall of Fame. She has a PhD from MIT.

10.00 - 10.45 I, For One, Welcome Our New ________ Overlords  - Zach Lanier - US
What actually decides the winner of an election? The number of votes, or the number of electronic voting machines that were compromised? 


Short of a few exceptional cases, including some previous research, electronic voting machines have largely been black boxes. The 2016 elections echoed, very eerily, the same concerns of the security and reliability of these machines as elections from nearly a decade ago, if not beyond.


In order to help call attention to the seriously problematic state of voting machine security, we demonstrate new and updated methods of compromising voting machine hardware. We were able to compromise a Sequoia AVC Edge by several means, and were able to take complete control of the machine by means of removable media. We can alter vote counts, and more. We will present all our current findings specific to Sequoia and other vendors.


We will bring the voting machine to the presentation for demonstration.


This presentation will be held by Zach Lanier. Zach is currently Director of Research with Cylance, where he helps run the Vulnerability Research/Intelligence team. He specializes in various bits of network, application, mobile, and embedded security. Zach has served as a Senior Research Scientist with several major companies. He is well known within the international cyber security community as a person and for his knowledge.

11.00 - 11.45 What do I need to think about to be sure that data is stored safely in the cloud - Marius Sandbu - Norway
There is an explosion in the use of public cloud platforms. How can one arrange to use the same security model one is used to – and what can one expect the providers to do to maintain the security of the solutions running in the cloud?


This talk covers the technical aspects of migrating safely and securely to a cloud platform and adopting the cloud service in a safe way.


The talk will be given by Marius Sandbu. Marius is a Cloud Architect at EVRY and has long helped the largest customers adopt cloud services. Marius is among the most skilled in Norway in cloud services and is regarded in the security community as a living reference work on adopting cloud services safely. Marius is also one of two Microsoft MVPs for Azure in Norway, is a certified instructor in several areas, and has written a handful of IT-related books.


Come and learn how you can truly migrate to and adopt cloud services safely. This is a must-see talk if you are going to adopt cloud services safely!


11.45 – 12.30    Lunch
12.35 – 12.45    Award of Master of Cyber Security 2017
12.35 – 12.45    Prize draw

12.50 - 13.35 How to take control of your systems thru wireless Mouse or keyboard! - Marc Newlin - US

Is it possible to take control of your system thru your wireless mouse or keyboard? Yes, definitely! Research reveals this to be the case for non-Bluetooth wireless mice and keyboards from 16 vendors including Logitech, Microsoft, Dell and Lenovo. The vulnerabilities are primarily unencrypted keystroke injection, encrypted keystroke injection, and keystroke sniffing, and most of the affected devices cannot be patched due to hardware limitations.


Despite vendors' claims that the attacks only work in close proximity, the keystroke injection attacks have been range tested out to 225 meters using less than $100 in commodity hardware. This talk will detail the research process used to identify each vulnerability, including vendor timelines and responses. Open source tools developed during this project will then be used to demonstrate keystroke sniffing and injection attacks against multiple vendors' products.


If you want to protect your systems from hidden hardware vulnerabilities, do not miss this session!

Marc Newlin will hold this session. Marc is a security researcher and software engineer at Bastille, where he focuses on RF/IoT threats present in enterprise environments. A glutton for challenging side projects, he has competed solo in two DARPA challenges, although he never went to college. In 2013-14, Marc got into software defined radio through the DARPA Spectrum Challenge, placing second in the preliminary tournament. In 2011, he competed in the DARPA Shredder Challenge, writing software to reassemble shredded documents and finishing in third place out of 9000 teams.

13.50 - 14.35 Protecting your critical systems from new and unknown malware, 0-days, and APT - Olav Tvedt - Norway
Every day we are subjected to attacks against our computer systems. These cyberattacks are becoming more and more complicated, and the actors behind them range from "boyish pranks" at the bottom of the scale to organized criminals and states at the other end of the scale. Every day the media write about cyberattacks against businesses and organizations intended to influence the business, the population or the state, whether to steal assets, influence decisions, or manipulate information for their own gain.


We are completely dependent on technology for our organization, and society as such, to function. The question is whether we can protect ourselves well against digital attacks such as "Pass the hash", unknown malware, 0-days and APT in a Windows environment with high security requirements?


Many of us use the Windows platform as the technical operations platform in our organization. Microsoft itself says that Windows 10 and Windows Server 2016 are the most secure ever. But is reality so simple that upgrading to "the most secure Windows" will increase security?


This session takes a very practical approach and covers how the changes in Windows security mechanisms can help both during the "post-breach" and, not least, the "pre-breach" phase. Both Windows 10 and Windows Server 2016 come with new tools to increase security. Device Guard, Credential Guard, Windows Defender ATP and "Identity driven security" are key technologies that can be adopted quickly if one wants to increase security in a fast and effective way.


The session will be held by Olav Tvedt. Olav currently works as Principal Solutions Architect at Lumagate, with a main focus on MUE, "Mobility and User Experience", which deals with using data in a safe and secure way for the company while making the solution attractive to users, so that "ShadowIT" and other security challenges are avoided.


Olav is regarded as among the most skilled and foremost in Norway on this topic. He is one of very few MVPs who have been awarded 2 different MVP titles, MVP - Cloud and Datacenter Management and MVP - Windows and Devices for IT. In addition to having held an MVP title for 9 years, Olav has given talks at large and small conferences such as NIC, TechED North America/Europe and Microsoft Ignite for many years.


Come and learn from one of the best how you can protect yourself against, among other things, "Pass the hash", unknown malware, 0-days and APT in a Windows environment with high security requirements!

14.55 - 15.35 Real stories from the cyber battlefront! - reenz0h - Poland
Nowadays threat actors use more and more sophisticated techniques to breach into organizations and steal money, data or spread damage. In addition, network defenders and security specialists who guard their castles set the bar much higher by employing better detection capabilities and responding to intrusions much faster.


In this session, we go through and share a few case studies from the cyber battlefront and red team assessment engagements where the security posture was quite demanding and required novel ways to make a breach. The session will also cover purple teaming – a possible way to cooperate with various blue teams in companies to improve the detection and response process.


The session will be held by reenz0h. He is an IT security expert, currently employed as a Senior Red Teamer for a global corporation. He has been interested in IT security for many years, focusing on network attacks, UNIX-like and zOS operating systems and communication protocol security. He knows both sides of the cyber battlefront: defensive as well as offensive techniques. His research is always practice-centric. For example, he improved the HSRP MitM attack and backdooring Linux with POSIX file capabilities.


This session will give you some insight from the cyber battlefront and the ongoing war, which can affect your security and can have a great impact on your organization! Don't miss this session!
15.35 – 15.40    HackCon#12 ends

Program preHackCon#12

Monday 13. – Tuesday 14. | 2 | 2017
PreHackCon course#1 - Securing/hacking your systems with PowerShell

PowerShell has changed the way Windows systems/networks are attacked. PowerShell is setting up a completely new ball game in security thinking on the Windows platform. PowerShell can interact with .NET, WMI, COM, the Windows API, the Registry and other computers on a Windows domain, and these can be attacked or secured with PowerShell.


PowerShell is an integral development language in today's IT and IT security landscape. A basic understanding of PowerShell is now a must for securing and testing the strength of your system. It is extremely difficult to be an advanced and highly skilled InfoSec professional without a firm understanding of PowerShell. We have therefore created this unique 2-day workshop focused on using PowerShell for information security tasks.


Here are some of the highlights of our PowerShell for Security Professionals training course:


- PowerShell attack frameworks
- System Attacks/pentest with PowerShell
- PowerShell and Metasploit
- PCAP Parsing and Sniffing
- Log/Malware Analysis
- Parsing with Nessus, Nmap, PowerSploit and more


This class is designed specifically for people with little to no programming experience. The class uses the common technical tasks performed by security professionals to teach the language instead of the way that programming is traditionally taught. The technical level of the training is medium (Intermediate). Students should have some years of InfoSec experience.


The instructor will be Joe McCray. Joe is an Air Force Veteran and has been in security for over 10 years. Joe has been involved in over 150 very high level pentesting assessments and has some major hacking accomplishments that he can share with his classes. His extensive experience and deep knowledge, mixed with his comedic style, has led Joe to be one of the most highly sought after speaking experts in the industry. Joe is the recipient of the 2009 EC-Council Instructor Circle of Excellence Award and the 2010 EC-Council Instructor of the Year Award.

PreHackCon course#2 - Advanced securing/hacking your web systems

Most of our e-commerce and interaction with our customers, clients and users is through web applications and web interfaces. Protecting our web systems is therefore essential to protecting our business and organization.


This training will teach you about common and not-so-common (such as XXE, MIME sniffing, etc.) web application vulnerabilities, and will focus on a specific methodology which is proven to work and gives optimum results during web application securing/testing. Additionally, we shall also cover interesting findings reported by researchers in popular bug bounty programs (this in addition to our experience), which will give attendees the real world scenario. Technologies such as WCF, WPF, WebRTC, etc. will be covered so you are aware of various challenges while securing/pen testing such applications.


We will also cover how you should secure your web systems and the challenge that endpoint devices pose for your web application security. This training will give you a good foundation to secure and test your web systems and protect your business and organization. The technical level is medium (Intermediate). Students should have some years of InfoSec experience.


This training will be held by Aditya Modha and S. Sonya. Aditya Modha will be the main trainer; Sonya may assist if necessary. Aditya is a Senior Security Analyst focused on web and mobile application security assessment. He is a computer science graduate and a Microsoft Certified Technology Specialist. He has carried out security assessments of more than 250 web and mobile applications including core banking solutions and middleware applications. He blogs at oldmanlab@blogspot.com.


Sonya is a passionate reverse engineer and software developer focusing on the analysis of malware, covert channels, steganography, and computer network exploitation. Sonya has devoted many hours in academia mentoring students and teaching Computer Science techniques. Sonya has also developed several tools to help security communities secure their systems better. He will show some of them at HackCon so you can improve your security.