Loading…
This event has ended. View the official site or create your own event → Check it out
This event has ended. Create your own
View analytic

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Thursday, October 27
 

08:30

Registration & Breakfast
Thursday October 27, 2016 08:30 - 10:00
00. Lounge University

09:15

BruCON Opening
Thursday October 27, 2016 09:15 - 09:30
01. Westvleteren University

09:30

Keynote - Allison Miller (@selenakyle) - Inventing Defense
Speakers
avatar for Allison Miller

Allison Miller

Allison Miller works in product management at Google, mitigating security risks to the Google platform and end-users. Prior to her current role, Allison held technical and leadership roles in security, risk analytics, and payments/commerce at Electronic Arts, Tagged.com, PayPal/eBay, and Visa International. She is known for her expertise in designing and implementing real-time risk prevention and detection systems running at internet-scale... Read More →


Thursday October 27, 2016 09:30 - 10:30
01. Westvleteren University

09:30

ICS and IoT Village
Thursday October 27, 2016 09:30 - 19:00
02. Westmalle University

10:30

Security through design - Making security better by designing for people
In this session we will explore why certain devices, pieces of software or companies lead us to utter frustration while others consistently delight us and put a smile on our face.
With these insights in mind, we will explore how we typically create our security processes, teams and solutions. All too often we create something without properly understanding what our colleagues or customers are trying to achieve only to bombard them with awareness training and policies because they "just don't get it" and because "humans are the weakest link".
We will look at user-centered design methods and concepts from other disciplines like economy, psychology or marketing that can help us to build security in a truly usable way not just our tools but also the way we setup our teams, the way we communicate and the way we align incentives. Every interaction with security is an opportunity to improve convenience and bring a smile to somebody's face.
By understanding the impact of design, we can do a lot to improve corporate productivity and security itself.

Speakers
JN

Jelle Niemantsverdriet

Jelle is a Director at Deloitte, specialising in Incident Response and has extensive experience in leading large international IR and Forensics projects across various industries worldwide. While previously working at Verizon he was one of the co-authors of the annual Data Breach Investigations Report. From his experience in dealing with incidents, he outlines how organisations can effectively build their security organisation. He passionately... Read More →


Thursday October 27, 2016 10:30 - 11:30
01. Westvleteren University

10:30

AllThingsTalk demo
Limited Capacity seats available

Speakers
avatar for Stefaan Top

Stefaan Top

Stefaan Top AllThingsTalk, COO & CCO holds an MBA from VLEKHO and ULB, Solvay. He started his career in various sales and marketing positions with international technology companies. Since 1993, Stefaan has been working with, and investing in, early stage technology companies where he developed his expertise to translate innovation into valuable market propositions while forging multi-disciplinary teams. In his role at AllThingsTalk he leads... Read More →


Thursday October 27, 2016 10:30 - 11:30
02. Westmalle University

10:30

Analyzing Malicious Office Documents
Limited Capacity full

In this workshop (2 hours), I explain how to use the tools (oledump, emldump, YARA rules, …) I developed to analyze (malicious) Microsoft Office documents.
I have around 30 exercises that explain step by step how to analyze malicious office documents with my Python tools. Microsoft Office is not required for the analysis.

Speakers
DS

Didier Stevens

Didier Stevens (Microsoft MVP Consumer Security, SANS ISC Handler, Wireshark Certified Network Analyst, CISSP, GSSP-C, GCIA, GREM, MCSD .NET, MCSE/Security, MCITP Windows Server 2008, RHCT, CCNP Security, OSWP) is an IT Security Consultant (Contraste Europe) currently working at a large Belgian financial corporation. Didier started his own company in 2012 to provide IT security training services (http://DidierStevensLabs.com). You can find his... Read More →


Thursday October 27, 2016 10:30 - 12:30
03. Chimay Novotel

10:30

Putting a lock around your containers with Docker Security Primitives
Limited Capacity full

Docker, the new kid on the block, has taken the Ops world by storm. Suddenly everybody wants applications to be containerized and kick them from a development machine up to a production stack in seconds. But this new paradigm obviously has consequences in terms of security and compliance. In this talk we'll look at how to construct a container around applications and dive deeper into how we can put a tight lock around it, thanks to the built-in security primitives.

Speakers
ND

Nils De Moor

Nils is CTO, public speaker, electronics enthusiast and open source aficionado. After a brief passage through the academic world where he researched simulation of distributed systems, he decided to try his luck as an entrepreneur and cofounded Woorank as the CTO in 2011. Woorank is a SaaS product, sold worldwide, allowing digital marketers to monitor the online presence of a brand. By grabbing and calculating millions of data points every day, he... Read More →


Thursday October 27, 2016 10:30 - 12:30
05. La Trappe Novotel

10:30

The Control Things Workshop
Limited Capacity full

SamuraiSTFU was a great start to help Electric Utilities do penetration testing of their DCS and SCADA networks, however it just wasn't enough. SamuraiSTFU has expanded its goals to include all control systems and IoT devices, thus requiring a name change and a complete rebuild of the pentest distribution. Come check out the new ControlThings Platform and its new opensource hardware companion, the ControlThings Minion!

This two hour workshop will introduce you the the ControlThings Platform, a linux distribution filled with tools, documentation, captures, and simulators to help you interact with various types of control systems and IoT devices. We'll be learning how to the use the custom built ControlThings tools to interact with a simulated control system infrastructure, one that you can take home with you and continue exploring after the workshop. This will be a highly interactive, educational setting where you'll be guided through the use of the tools, giving you a brief sample of what you can do with ControlThings and what you may have missed during our three day training.

Speakers

Thursday October 27, 2016 10:30 - 12:30
04. Orval Novotel

11:30

Building a Successful Internal Adversarial Simulation Team
The evolution chain in security testing is fundamentally broken due to a lack of understanding, reduction of scope, and a reliance on vulnerability “whack a mole.” To help break the barriers of the common security program we are going to have to divorce ourselves from the metrics of vulnerability statistics and Pavlovian risk color charts and really get to work on how our security programs perform during a REAL event. To do so, we must create an entirely new set of metrics, tests, procedures, implementations and repeatable process. It is extremely rare that a vulnerability causes a direct risk to an environment, it is usually what the attacker DOES with the access gained that matters. In this talk we will discuss the way that Internal and external teams have been created to simulate a REAL WORLD attack and work hand in hand with the Defensive teams to measure the environments resistance to the attacks. We will demonstrate attacks, capabilities, TTP’s tracking, trending, positive metrics, hunt integration and most of all we will lay out a road map to STOP this nonsense of Red vs BLUE and realize that we are all on the same team. Sparring and training every day to be ready for the fight when it comes to us.

Speakers
CG

Chris Gates

Chris Gates has extensive experience in network and web application penetration testing, Red Teaming and Purple Teaming. Chris is currently learning to be a part time fixer instead of full time breaker. In the past he has spoken at the United States Military Academy, BlackHat, DefCon, Toorcon, Brucon, Troopers, SOURCE Boston, Derbycon, LasCon, HashDays, HackCon, Bsides ATL, IT Defense, OWASP AppSec DC, and Devops Days. Chris is also a cofounder... Read More →
CN

Chris Nickerson

Chris Nickerson, Founder & CEO, Lares | Certified Information Systems Security Professional (CISSP) whose main area of expertise is focused on Information security and Social Engineering in order to help companies better defend and protect their critical data and key information systems. He has created a blended methodology to assess, implement, and manage information security realistically and effectively. At Lares, Chris leads a team of... Read More →


Thursday October 27, 2016 11:30 - 12:30
01. Westvleteren University

11:30

Cryptography design for IoT
Limited Capacity full

Speakers
avatar for Sander Demeester

Sander Demeester

Sander Demeester is a Technical Expert within the Technology Consulting department of PwC | As a technical expert, Sander has a strong focus on formal security & cryptographic engineering. Besides that he has worked for institutions all across the world, breaking and building crypto systems all the way down.


Thursday October 27, 2016 11:30 - 12:30
02. Westmalle University

12:30

Lunch
Thursday October 27, 2016 12:30 - 13:30
00. Lounge University

12:30

Introduction to the IoT CTF
Limited Capacity filling up

Speakers
JV

Jean-Georges Valle

Jean-Georges is a Senior Technology Consultant within PwC since April 2015. | He is passionate about IT security and new technologies and is a titular of a Master in information system security (2008). He has worked in highly heterogeneous environments, service and industrial type with both deep technical (administrator in a hosting business), organizational (security auditor in a French Ministry, acting CISO in a BNP Paribas Branch) and... Read More →


Thursday October 27, 2016 12:30 - 13:30
02. Westmalle University

13:30

What Does the Perfect Door or Padlock Look Like?
You have spent lots of budget on a high-grade, pick-resistant lock for your door. Your vendor has assured you how it will resist attack and how difficult it would be for someone to copy your key. You've carefully chosen robust and heavy-duty padlocks to secure your critical infrastructure and grounds. Your Plant Ops people feel assured that outsiders wouldn't dare try to pick or smash such a lock open.

Maybe they're right. But... the bulk of real-world attacks that both penetration testers and also criminals attempt against doors and padlocks have little or nothing to do with the locking mechanism itself! This talk will be a hard-hitting exploration (full of photo and video examples) of the ways in which your doors and padlocks -- the most fundamental parts of your physical security -- can possibly be thwarted by someone attempting illicit entry via means that don't involve intricate pick tools or finesse techinques. Bypassing and quick entry are often possible on our physical security hardware due to systemic and simple vulns that we have not yet eradicated. The showcasing of these scary problems will be immediately followed by bulleted lists of simple solutions that are instantly implementable and usually very within-budget.

You, too, can have a near-perfect doors or padlocks... if you're willing to learn and understand the problems that all such hardare tends to have out of the box.

Speakers
DO

Deviant Ollam

While paying the bills as a security auditor and penetration testing consultant with The CORE Group, Deviant Ollam is also a member of the Board of Directors of the US division of TOOOL, The Open Organisation Of Lockpickers. His books Practical Lock Picking and Keys to the Kingdom are among Syngress Publishing's best-selling pen testing titles. At multiple annual security conferences Deviant runs the Lockpick Village workshop area, and he has... Read More →


Thursday October 27, 2016 13:30 - 14:30
01. Westvleteren University

13:30

Introduction to the SCADA set-up
Limited Capacity filling up

Speakers
avatar for Tijl Deneut

Tijl Deneut

Tijl is a researcher and lecturer at Howest University College with a history in server technology. With experience in server storage, networking & virtualisation. | As a Certified Ethical Hacker, Tijl is teaching within the Computer & Cyber Crime Professional program in Bruges. Starting early 2015, he also takes part in the Ghent University Industrial Security research project. The lock on your automation network. Applied research... Read More →
HD

Hendrik Derre

Hendrik is a research associate at the KU Leuven (University of Leuven) where he obtained his master’s degree in engineering technology. His research topics are industrial data communication and embedded systems, but in recent years his focus has shifted towards industrial control systems security. Having a background in industrial automation, he tries to bridge the gap between the traditional IT security and the OT environment. While... Read More →


Thursday October 27, 2016 13:30 - 14:30
02. Westmalle University

13:30

802.11 Leakage: How passive interception leads to active exploitation
Limited Capacity full

When was the last time you thought to yourself, hmm, I wonder if an attacker is exploiting my smart phone and laptop as a result of merely leaving my WiFi enabled? Or, when did you think: I wonder if a person can create a profile about me and possibly determine where I live, work, and places I have been simply via passive interception of the 802.11x frames beaconed from my devices? Ok, let's go a bit further: when was the last time you realized your smart phone is wirelessly leaking details regarding every network you have stored on your device for everyone to see and when did you ever consider that an attacker could intercept your beacons, establish a rogue AP mimicking exactly what you are looking for, and MiTM your system directly back to the attacker automatically? Do you even know the information your smart phone is constantly broadcasting out via that wireless NIC of yours?

Welp, if any of these questions take you by surprise, then this talk may be of particular interest to you. I show you exactly how to engineer a distributed sensor network that captures, parses, interprets, and visualizes 802.11x frames/messages in order to build the picture of devices communicating within the sensor mesh. Next, I show how to build the connector agents to resolve GPS location of devices in the area and extracted from your device's broadcasted frames. After this, I'll show you how we interface with Google Map to interactively display the location profiles we create on users intercepted within the area. Finally, we go into carrying out MiTM attacks based on what your devices is requesting to automatically exploit the user without their knowledge. We conclude with enhancements required to better secure your devices from future exploitation.

This talk wouldn't be complete without a brand new tool release! Developing a framework like this is not as difficult or costly as you might think. I'll show you exactly how to do it. And if the coding and parsing of raw 802.11 frames is not your cup of tea, no worries at all. This talk talk releases and demo's a new framework I've built called Theia Sensor Suite that automatically analyzes all of this data and visualizes it for you in a robust GUI and framework. 802.11 exploitation will never go away, so let’s get started!

Participants are encouraged to bring a Wireless Alfa Card g/b/n and a laptop configured to run Kali Linux version 2.0

Speakers

Thursday October 27, 2016 13:30 - 15:30
05. La Trappe Novotel

13:30

Hunting Malware with osquery at scale
Limited Capacity full

This workshop is an introduction to osquery, an SQL-powered operating system for instrumentation and analytics. osquery is developed and used by Facebook to proactively hunt for abnormalities. Since osquery allows us to easily ask questions about our infrastructure, it provides powerful capabilities, such as finding malware persistence techniques and scanning IOCs across our fleets of machines. This workshop is a very hands-on training and we expect participants to be comfortable with CLI.

Speakers
NA

Nick Anderson

| Nick Anderson is a security engineer at Facebook, focusing on corporate hids infrastructure. He is also a developer for Facebook's osquery project, an open source tool used by dozens of organizations for intrusion detection, systems operations, and compliance to better understand the state of their infrastructure and how it changes over time. Previously, Nick was a Cyber Security Research Engineer at Sandia National Labs where he lead... Read More →
JB

Jackie Bow

Jackie is a malware analyst and reverse engineer on Facebook Security. She enjoys hunting malware across corp and prod. She one day hopes to be the very best, like no one was before. To catch them is her real test, to train other analysts is her cause...She will travel across the land, searching far and wide, teach analysts to understand, the power that's inside (osquery).
EW

Erik Waher

Erik Waher is a security engineer at Facebook. He likes mountain biking, surfing, and anything to do with packets on the network


Thursday October 27, 2016 13:30 - 17:30
03. Chimay Novotel

13:30

Incident Response Workshop
Limited Capacity full

This workshop will confront participants with a state-of-the-art security incident. During the workshop, they will learn how to deal with this situation step-by-step by challenging them in their knowledge of various infosecurity topics. The goal of this workshop is to provide the participants with a structured approach on how to spot malware and how to deal with incidents caused by modern adversaries. Virtual machines will be provided so that the participants can practice at their own pace and even continue at a later point in time. Two instructors will be assisting the students towards the full mapping of the incident and will provide a typical solution at the end of the workshop.

The situation that the students will have to handle is as follows: “You are part of your company’s Incident Response team. On some idle Friday afternoon, your manager barges in. He has just been notified by the authorities that they have compromised a Command-and-Control server and that they have found systems communicating to that server originating from your company. The board of directors is breathing down his neck to find out what has happened and has asked him to contain this problem as soon as possible. How come we haven’t noticed this? What systems have been compromised? What data is exfiltrated? Are there still active connections? You immediately coordinate with the authorities and receive an extract of the information they have pulled from the compromised server. And so you quest begins…”

The students will work in teams of 2 and will have 4 hours to find out what has happened and to verify if there is still any active connections. During the workshop, the instructors will switch between guiding the participants and challenging them by assuming various positions in the company.

Speakers
EV

Erik Van Buggenhout

Erik is a co-founder of the Belgian cyber security company NVISO, where he is responsible for the Cyber Resiliency service line. He coordinates the delivery (read: finds people to do work for him while he enjoys a Duvel in the sunshine) of highly technical services such as penetration testing, digital forensics, incident response and malware analysis. | | Next to his activities at NVISO, Erik is also an Instructor for the SANS Institute where... Read More →
avatar for Maxim Deweerdt

Maxim Deweerdt

Incident Response and Digital Forensics Analyst, NVISO
Max is one of Erik’s minions who has to work day and night to ensure Erik can drink his Duvel in the sun without interruption. During these devilishly long workdays, he focusses on Incident Response and Forensics and occasionally rocks some penetration testing. Max has several SANS certifications and is currently pursuing a track to become a SANS mentor. Rumor has it that Max lost his hair due to his incredible brain size and that sleep needs... Read More →


Thursday October 27, 2016 13:30 - 17:30
04. Orval Novotel

14:30

Decepticon The Rise and Evolution of an Intelligent Evil Twin…!!!
“Decepticon” is an attempt to write a marginally intelligent bot capable of operating on IEEE 802.11 standards, which will launch as an Evil Twin Attack and will operate in the mode of execution with a lot of added smartness/intelligence. The brief course of talk is, Evil Twin Attack and its evolution from the normal evil twin attack to Decepticon, the need for evolution of Evil Twin Attack, drawbacks of Evil Twin and enhancements considered so far in Decepticon, the challenges we faced and our ways to solve some of them.

Speakers
AI

Amrita Iyer

Amrita is a test analyst by profession. Having spent a substantial time in the development life cycle of wide array of applications, helped her earn a flair in the agile approaches in testing. A telecom engineer, who blended the network, security and testing in the perfect mould for her day to day work and passion. Her research papers were accepted at NCACNS 2013, nullcon 2014, HITCON 2014, Defcamp 2014 and BruCON 2015.
RN

Rukshikes Nandedkar

Rushikesh is a security researcher. Having more than six years of experience under his belt, his assignments encompasses many challenging and innovative approaches attaining information security. He research papers were accepted at NCACNS 2013, nullcon 2014, HITCON 2014, Defcamp 2014 and BruCON 2015. Being an avid CTF player, for him solace is messing up with packets, frames and shell codes.
KP

Krishnakant Patil

Krishnakant is a Developer by profession. Yet, he is best known amongst the security researchers for his cutting edge capabilities and skill in reverse engineering, exploit development and malware analysis. Having conducted many workshops and hands on sessions on malware analysis and reverse engineering and having played many CTF untiringly, he is all set to contribute towards the secure state of information, with the best possible endeavor.


Thursday October 27, 2016 14:30 - 15:30
01. Westvleteren University

14:30

Software-Defined-Radio
Limited Capacity full

Speakers
JV

Jean-Georges Valle

Jean-Georges is a Senior Technology Consultant within PwC since April 2015. | He is passionate about IT security and new technologies and is a titular of a Master in information system security (2008). He has worked in highly heterogeneous environments, service and industrial type with both deep technical (administrator in a hosting business), organizational (security auditor in a French Ministry, acting CISO in a BNP Paribas Branch) and... Read More →


Thursday October 27, 2016 14:30 - 15:30
02. Westmalle University

15:30

Anti-Forensics AF
This presentation is the screaming goat anti-forensics version of those 'Stupid Pet Tricks' segments on late night US talk shows. Nothing ground-breaking here, but we'll cover new and trolly techniques that forensic investigators haven't considered or encountered. Intended targets cover a variety of OS platforms.

Speakers
D

DualCore

int0x80 is the rapper in Dual Core. Drink all the booze, hack all the things! | Site: http://dualcoremusic.com | Twitter: https://twitter.com/dualcoremusic | Facebook: https://facebook.com/dualcoremusic | Bandcamp: https://dualcoremusic.bandcamp.com/album/all-the-things | iTunes: https://itunes.apple.com/us/album/all-the-things/id559565665 | Amazon: https://www.amazon.com/dp/B0096ANSK4 | YouTube: https://www.youtube.com/watch?v=FoUWHfh733Y


Thursday October 27, 2016 15:30 - 16:30
01. Westvleteren University

15:30

BrewCon
Limited Capacity full

From the timeless consistency of classic Trappist ales to seasonality of artisanal small batch farmhouse sours, Belgium has one of the greatest collections of breweries to be found anywhere on the globe. Sadly for most people "Belgian beer" means ordering a Stella, or occasionally getting a Chimay for a special occasion. Over the course of this 1 hour talk, we'll walk attendees through some of the hidden gems of Belgium. Come have a beer with Chris. He'll tell you about some of Belgium's most classic beers, what makes them special, and where to go in Ghent to get some more good beers. There will be drinking, tasting notes, and recommendations. Bring your favorite beer from wherever you're from to share at the bottle swap!

Speakers
CL

Chris Lytle

Chris is a Senior Adversarial Engineer with Lares Consulting. This one time, he hacked a computer. You can find him on Twitter as @MrToph.


Thursday October 27, 2016 15:30 - 17:30
05. La Trappe Novotel

16:00

Dumping data with Hardsploit
Limited Capacity full

Speakers

Thursday October 27, 2016 16:00 - 17:00
02. Westmalle University

16:30

Coffee Break
Thursday October 27, 2016 16:30 - 17:00
00. Lounge University

17:00

Esoteric Web Application Vulnerabilities
A summary of the strangest vulnerabilities I've found during last year which includes:
Aggressive input decoding
Nil, NULL and password reset tokens
Host header manipulation
(quick) X-Forwarded-For: 127.0.0.1
ActiveSupport::MessageVerifier Remote Code Execution
Insecure Paypal IPN implementations

Speakers

Thursday October 27, 2016 17:00 - 18:00
01. Westvleteren University

17:00

How to hack a router
Limited Capacity full

Speakers
avatar for Jens Devloo

Jens Devloo

Senior Technology Consultant, PwC
Jens is a Technology Consultant within the Advisory service line of PwC since September 2014. At PwC, Jens is involved in a wide variety of more technical assignments with a focus on IoT and mobile. In every project, Jens is dedicated to reach the same goal: to help the client reach its objectives using new, emerging technologies (e.g. wireless communication networks, mobile applications, cloud solutions, etc.). Prior to joining PwC, Jens... Read More →


Thursday October 27, 2016 17:00 - 18:00
02. Westmalle University

18:00

Scraping leaky browsers for fun and passwords
One of the most commonly used applications on desktop systems are web browsers. We identified that the latest versions of Microsoft Internet Explorer Edge, Google Chrome and Mozilla Firefox all contain vulnerabilities with regards to memory management of sensitive data. Concretely, they keep clear-text credentials in memory long after they have been entered and the designated tab is closed, allowing an adversary to recover this sensitive data as long as the web browser is running. This could prove very useful in certain forensic investigations, or be abused by an attacker to stealthily harvest website credentials without the need to install additional malware (e.g. a keylogger).

As a Proof-of-Concept for the vendors, we have implemented a Volatility Framework Plugin that allows to harvest website credentials from a memory dump. This plugin will be open-sourced after this talk. Additionally, we will share the response of the three vendors on our PoC.

Speakers
AT

Adrian Toma

Adrian Toma is a Romanian living in Belgium. He has a passion for Informatics, holds a Bachelor Degree in industrial systems and is following evening courses for a Second Bachelor Degree in Networks and Systems Security. At this moment he's working as Consultant in .NET development.
ST

Stefaan Truijen

Stefaan Truijen holds a Master Degree in Computer Science with specialization in secure software. His thesis was on scraping the RAM memory of web browsers. Currently, he is employed as a junior security consultant at Planet-Talent.


Thursday October 27, 2016 18:00 - 19:00
01. Westvleteren University

19:00

Dinner
Thursday October 27, 2016 19:00 - 20:00
00. Lounge University

21:30

BruCON Party
Thursday October 27, 2016 21:30 - 23:59
00. Lounge University
 
Friday, October 28
 

07:30

Hacker Run (10K)

What better way is there to start the second conference day than running 10km with a bunch of hackers?

Put on your running shoes and join us at the entrance of the Novotel (workshop venue) on Friday at 7:30.

We’ll be back in time to freshen up and attend the first presentation of the day.

Word is that it’s also a good way to get rid of a hangover!


Friday October 28, 2016 07:30 - 08:30
Novotel Novotel Ghent

08:30

Registration & Breakfast
Friday October 28, 2016 08:30 - 10:00
00. Lounge University

09:30

Keynote - Robert Schou & Gene Spafford
Speakers
RS

Robert Schou

Dr. Schou is the director of the National Information Assurance Training and Education Center (NIATEC) and the Simplot Decision Support Center (SDSC). These are two key components of the Informatics Research Institute. In 1996, the Simplot Decision Support Center center was cited by the Information Systems Security Association (ISSA) for Outstanding Contributions to the Profession. Under his leadership, the Information Systems program was... Read More →
EH

Eugene H. Spafford

Eugene H. Spafford is one of the most senior cyber security researchers in the field. During his 30+ years in computing— including 29 years as a faculty member at Purdue University -- Spaf (as he is widely known) has worked on issues in privacy, public policy, law enforcement, | software engineering, education, social networks, operating systems, and cyber security. He has been involved in the development of fundamental technologies in... Read More →


Friday October 28, 2016 09:30 - 10:30
01. Westvleteren University

09:30

Introduction to the IoT CTF
Limited Capacity filling up

Speakers
JV

Jean-Georges Valle

Jean-Georges is a Senior Technology Consultant within PwC since April 2015. | He is passionate about IT security and new technologies and is a titular of a Master in information system security (2008). He has worked in highly heterogeneous environments, service and industrial type with both deep technical (administrator in a hosting business), organizational (security auditor in a French Ministry, acting CISO in a BNP Paribas Branch) and... Read More →


Friday October 28, 2016 09:30 - 10:30
02. Westmalle University

09:30

ICS and IoT Village
Friday October 28, 2016 09:30 - 18:00
02. Westmalle University

10:30

NO EASY BREACH:Challenges and Lessons Learned from an Epic Investigation
Every Incident Response presents unique challenges. But — when an attacker uses PowerShell, WMI, Kerberos attacks, novel persistence mechanisms, seemingly unlimited C2 infrastructure and half-a-dozen rapidly-evolving malware families across a 100k node network to compromise the environment at a rate of 10 systems per day — the cumulative challenges can become overwhelming.
This talk will showcase the obstacles overcome during one of the largest and most advanced breaches Mandiant has ever responded to, the novel investigative techniques employed, and the lessons learned that allowed us to help remediate it.

Speakers

Friday October 28, 2016 10:30 - 11:30
02. Westmalle University

10:30

Virtual Terminals, POS Security and becoming a billionaire overnight
Very few people use cash nowadays, as most use a debit or a credit card for their everyday needs. These transactions are performed through a Point-of-Interaction (POI) device or through a Virtual Terminal. Although payment terminals and virtual terminals make use of strong encryption and secure communications channel the Point of Sale (POS) is still a target for criminals. The malware affecting point of sale systems seen in previous years demonstrates that criminals continually adapt to find ways to target card payment channels and keep the cycle going.
Following on the above, during this presentation, a number of features (provided in POI devices as standard functionality) and the ability to misuse them during a transaction will be demonstrated. But the main focus will be on a Threat Modelling engagement, undertaken against Virtual Terminals. More specifically, it will demonstrated how POS malware can shift and instead of targeting Card Holder Data (CHD) can targets the actual money directly. In other words, I will show you how someone ended up with billions overnight, without having to steal a single card number.


Friday October 28, 2016 10:30 - 11:30
01. Westvleteren University

10:30

802.11 Leakage: How passive interception leads to active exploitation
Limited Capacity full

When was the last time you thought to yourself, hmm, I wonder if an attacker is exploiting my smart phone and laptop as a result of merely leaving my WiFi enabled? Or, when did you think: I wonder if a person can create a profile about me and possibly determine where I live, work, and places I have been simply via passive interception of the 802.11x frames beaconed from my devices? Ok, let's go a bit further: when was the last time you realized your smart phone is wirelessly leaking details regarding every network you have stored on your device for everyone to see and when did you ever consider that an attacker could intercept your beacons, establish a rogue AP mimicking exactly what you are looking for, and MiTM your system directly back to the attacker automatically? Do you even know the information your smart phone is constantly broadcasting out via that wireless NIC of yours?

Welp, if any of these questions take you by surprise, then this talk may be of particular interest to you. I show you exactly how to engineer a distributed sensor network that captures, parses, interprets, and visualizes 802.11x frames/messages in order to build the picture of devices communicating within the sensor mesh. Next, I show how to build the connector agents to resolve GPS location of devices in the area and extracted from your device's broadcasted frames. After this, I'll show you how we interface with Google Map to interactively display the location profiles we create on users intercepted within the area. Finally, we go into carrying out MiTM attacks based on what your devices is requesting to automatically exploit the user without their knowledge. We conclude with enhancements required to better secure your devices from future exploitation.

This talk wouldn't be complete without a brand new tool release! Developing a framework like this is not as difficult or costly as you might think. I'll show you exactly how to do it. And if the coding and parsing of raw 802.11 frames is not your cup of tea, no worries at all. This talk talk releases and demo's a new framework I've built called Theia Sensor Suite that automatically analyzes all of this data and visualizes it for you in a robust GUI and framework. 802.11 exploitation will never go away, so let’s get started!

Participants are encouraged to bring a Wireless Alfa Card g/b/n and a laptop configured to run Kali Linux version 2.0

Speakers

Friday October 28, 2016 10:30 - 12:30
05. La Trappe Novotel

10:30

Analyzing Malicious Office Documents
Limited Capacity full

In this workshop (2 hours), I explain how to use the tools (oledump, emldump, YARA rules, …) I developed to analyze (malicious) Microsoft Office documents.
I have around 30 exercises that explain step by step how to analyze malicious office documents with my Python tools. Microsoft Office is not required for the analysis.

Speakers
DS

Didier Stevens

Didier Stevens (Microsoft MVP Consumer Security, SANS ISC Handler, Wireshark Certified Network Analyst, CISSP, GSSP-C, GCIA, GREM, MCSD .NET, MCSE/Security, MCITP Windows Server 2008, RHCT, CCNP Security, OSWP) is an IT Security Consultant (Contraste Europe) currently working at a large Belgian financial corporation. Didier started his own company in 2012 to provide IT security training services (http://DidierStevensLabs.com). You can find his... Read More →


Friday October 28, 2016 10:30 - 12:30
03. Chimay Novotel

10:30

The Control Things Workshop
Limited Capacity seats available

SamuraiSTFU was a great start to help Electric Utilities do penetration testing of their DCS and SCADA networks, however it just wasn't enough. SamuraiSTFU has expanded its goals to include all control systems and IoT devices, thus requiring a name change and a complete rebuild of the pentest distribution. Come check out the new ControlThings Platform and its new opensource hardware companion, the ControlThings Minion!

This two hour workshop will introduce you the the ControlThings Platform, a linux distribution filled with tools, documentation, captures, and simulators to help you interact with various types of control systems and IoT devices. We'll be learning how to the use the custom built ControlThings tools to interact with a simulated control system infrastructure, one that you can take home with you and continue exploring after the workshop. This will be a highly interactive, educational setting where you'll be guided through the use of the tools, giving you a brief sample of what you can do with ControlThings and what you may have missed during our three day training.

Speakers

Friday October 28, 2016 10:30 - 12:30
04. Orval Novotel

11:30

Hacking KPN: Lessons from the trenches
This talk will dive into three very different but equally interesting vulnerabilities, from the perspective of the in-house penetration testing done by the KPN (Royal Dutch Telecom) REDteam. We will not only go into the technical details of the vulnerabilities, but also share some tips and tricks on how we handle things like reporting, emotional counselling of internal stakeholders, browbeating vendors, etc.

One vulnerability will demonstrate how pervasive the relatively recently announced Java Deserialisation vulnerability is (even among a big enterprise cloud player who should know better). This will show an interesting example of where the Java Deserialisation vulnerability can show up and we will also release an update to a tool to detect this variation. We will guide you through the process of discovery and exploitation via an enterprise mobile app that was completely unexpected.
Another vulnerability (disclosed to the vendor, but not yet publicly released) will demonstrate how simple it sometimes is to bypass or abuse "enterprise grade" solutions, in this case a security device for mobility management/single sign-on. Some of you might also be suffering through vulnerability disclosures and because pain shared is pain divided, we'll go into how the KPN-CERT has tried to deal with this vulnerability disclosure. The last vulnerability will demonstrate the finer points of reverse engineering crypto out of a custom in-house developed binary with a surprising KISS lesson learned weeks after testing was complete. You can expect to see ImmunityDebugger at work here with useful tips and tricks for getting to the core of crypto functionality and then extracting it out for fun and profit (ok, maybe not profit).
Some company and product names have been censored to protect the guilty ;-)

Speakers
JG

Jeremy Goldstein

Jeremy is the team lead of the KPN (Royal Dutch Telecom) REDteam based in Amsterdam, The Netherlands. He has over 10 years experience in penetration testing and has also spent plenty of time doing incident response and some threat intel. Jeremy enjoys coding and almost anything sufficiently technical... even though he's a team lead. Prior to joining KPN, Jeremy helped build and run a successful penetration testing, incident response and threat... Read More →
BV

Bouke van Laethem

Bouke has been (legally) breaking stuff (or rather, finding stuff that's broken) since 2007. Fittingly equipped with a masters in Ancient History, he has been throwing himself at IT security armed with two of the most dangerous questions: "surely this wont work?" and "what does this button do?"


Friday October 28, 2016 11:30 - 12:30
01. Westvleteren University

11:30

AllThingsTalk demo
Limited Capacity seats available

Speakers
avatar for Stefaan Top

Stefaan Top

Stefaan Top AllThingsTalk, COO & CCO holds an MBA from VLEKHO and ULB, Solvay. He started his career in various sales and marketing positions with international technology companies. Since 1993, Stefaan has been working with, and investing in, early stage technology companies where he developed his expertise to translate innovation into valuable market propositions while forging multi-disciplinary teams. In his role at AllThingsTalk he leads... Read More →


Friday October 28, 2016 11:30 - 12:30
02. Westmalle University

12:30

Lunch
Friday October 28, 2016 12:30 - 13:30
00. Lounge University

12:30

Introduction to the SCADA set-up
Limited Capacity filling up

Speakers
avatar for Tijl Deneut

Tijl Deneut

Tijl is a researcher and lecturer at Howest University College with a history in server technology. With experience in server storage, networking & virtualisation. | As a Certified Ethical Hacker, Tijl is teaching within the Computer & Cyber Crime Professional program in Bruges. Starting early 2015, he also takes part in the Ghent University Industrial Security research project. The lock on your automation network. Applied research... Read More →
HD

Hendrik Derre

Hendrik is a research associate at the KU Leuven (University of Leuven) where he obtained his master’s degree in engineering technology. His research topics are industrial data communication and embedded systems, but in recent years his focus has shifted towards industrial control systems security. Having a background in industrial automation, he tries to bridge the gap between the traditional IT security and the OT environment. While... Read More →


Friday October 28, 2016 12:30 - 13:30
02. Westmalle University

13:30

New Adventures in Active Defense, Offensive Countermeasures and Hacking Back
The current threat landscape is shifting. Traditional defenses are failing us. We need to develop new strategies to defend ourselves. Even more importantly, we need to better understand who is attacking us and why. You may be able to immediately implement some of the measures we discuss in this course, while others may take a while. Either way, consider what we discuss as a collection of tools at your disposal when you need them to annoy attackers, determine who is attacking you, and, finally, attack the attackers.

Speakers
JS

John Strand

John Strand is the owner of Black Hills Information Security, a firm specializing in penetration testing, Active Defense and Hunt Teaming services. He is the also the CTO of Offensive Countermeasures, a firm dedicated to tracking advanced attackers inside and outside your network.John is an experienced speaker, having done presentations to the FBI, NASA, the NSA and at various industry conferences. He is a senior instructor with the SANS... Read More →


Friday October 28, 2016 13:30 - 14:30
01. Westvleteren University

13:30

How to hack a router
Limited Capacity full

Speakers
avatar for Jens Devloo

Jens Devloo

Senior Technology Consultant, PwC
Jens is a Technology Consultant within the Advisory service line of PwC since September 2014. At PwC, Jens is involved in a wide variety of more technical assignments with a focus on IoT and mobile. In every project, Jens is dedicated to reach the same goal: to help the client reach its objectives using new, emerging technologies (e.g. wireless communication networks, mobile applications, cloud solutions, etc.). Prior to joining PwC, Jens... Read More →


Friday October 28, 2016 13:30 - 14:30
02. Westmalle University

13:30

Crowdsourced Malware Triage
Limited Capacity full

Malware triage is an important function in any mature incident response program; the process of quickly analyzing potentially malicious files or URLs to determine if your organization has exposure. But what if you don't have an incident response program? What if you are just setting one up? What if you don't have the tools you need to perform your analysis? With the current offering of free online tools and the right mindset, a web browser and a notepad may be all you need.

In this workshop you will work through the triage of a live Exploit Kit using only free online tools. We will provide an introduction and demo of each tool and support you as you perform your analysis.

Speakers
SF

Sergei Frankoff

Sergei is the Director of Threat Intelligence for Sentrant. He is also co-founder of Open Analysis, a group providing free malware analysis services.
SW

Sean Wilson

Sean is a senior researcher with PhishMe. He is also co-founder of Open Analysis, a group providing free malware analysis services and tools.


Friday October 28, 2016 13:30 - 17:30
04. Orval Novotel

13:30

Hacking The Enterprise
Limited Capacity full

This workshop is not about how to digitally raid an enterprise, just to make sure your expectations are set right :)

Compliance, rules, and regulations oftentimes lead to frustration for security professionals every day. While these areas don’t contribute toward security on their own, they are part of the reality we live with. Instead of rowing against the stream, the professionals that get stuff done in their organizations are those that are able to leverage those pesky frameworks, laws, and other regulatory requirements to defend budgets, report about security to their management, and build security organizations with a long term view.

In this 4 hour workshop, we will lay out the approaches that have worked for us in organizations around the globe (without breaking any NDAs, obviously ;-)) and that can prepare you to become a better negotiator when it matters, be a better, well-rounded security professional, and become an asset to your organization.

Topics that will be covered are:
- Integrating penetration testing into a risk management framework
- Making the most out of your environments’ data
- Building and maintaining a security metrics framework
- Privacy as a driver for security
- Making your security program a reality by leveraging what you already have (instead of buying things you don’t really need)
- Becoming the trusted advisor to both your operational peers and your C-level leadership.
- Making compliance work


Friday October 28, 2016 13:30 - 17:30
03. Chimay Novotel

14:30

Hello to the Dark Side: Understanding YOUR Adversaries without All Those Expensive Threat Intel Tools
In the aftermath of the fall of Evernote as an inexpensive threat intel platform, free and low cost solutions have awoken from its dismantled remains to give hope to defenders everywhere. This presentation continues on with grecs’ threat intel series of talks covering lessons learned from his Evernote experiment and pivots towards improved data structures and newly discovered enterprise-friendly intelligence platforms to support them. And fresh off restrictions from previous employment grecs will discuss the process for bootstrapping and maturing your own threat intel program and describe a step-by-step framework for generating your own actionable intelligence to ease identification of advanced threats. As part of this fun Star Wars themed talk, grecs will release a VM with several tools integrated to get you started.

Speakers

Friday October 28, 2016 14:30 - 15:30
01. Westvleteren University

14:30

SDR GnuRadio demo
Limited Capacity filling up

Speakers

Friday October 28, 2016 14:30 - 15:30
02. Westmalle University

15:30

Coffee Break
Friday October 28, 2016 15:30 - 16:00
00. Lounge University

16:00

Smart Sheriff, Dumb Idea. The wild west of government assisted parenting
Would you want to let your kids discover the darker corners of the internet without protection? Wouldn't it be handy to know what they do online, to be alerted when they search for dangerous keywords and to be able to control what websites they can visit, and even when they play games?

Worry no longer, the South Korean government got you covered. Simply install the "Smart Sheriff" app on your and your kids' phones. Smart Sheriff is the first parental-control mobile app that has been made a legally required, obligatory install in an entire country! Yay, monitoring!

Well, something shady yet mandatory like this cannot go without an external pentest. And even better, one that wasn't solicited by the maintainer but initiated by the OTF and CitizenLab and executed by the Cure53 team! In this talk, two of the Cure53 testers involved into the first and, who would have guessed, second penetration test against the "Smart Sheriff" app, will share what they found. Maybe all was fine with the app, maybe the million kids forced to have this run on their devices were all safe. Maybe. But would there be a talk about it then?

We all know, mandated surveillance apps to protect children are a great idea, and outsourcing to the lowest bidder, always delivers the best results. Right?

Going over the first and second pentest results we will share our impressions about the "security" of this ecosystem and show examples about the "comprehensive" vendor response, addressing "all" the findings impeccably. This talk is a great example of how security research about a serious political decision and mandate might achieve nothing at all - or show, how a simple pentest together with excellent activist work can maybe spark a political discussion and more.

Speakers
AA

Abraham Aranguren

Abraham was an honors student in Information Security at university. His work experience from 2000 until 2007 was mostly defensive: Fixing vulnerabilities, source code reviews and later on trying to prevent vulnerabilities at the design level as an application and framework architect. From 2007 forward Abraham focused more on the offensive side of security with special focus on web app security. | He is a senior member of the Cure53 team, and... Read More →
FF

Fabian Fäßler

Fabian did his bachelors degree in collaboration with IBM and is now doing his masters degree at the technical university in Berlin. He was always interested in IT security, but started to seriously get into it, after he discovered CTF competitions in 2011, and has since won the the German Cyber Security Challenge twice. Fabian is a senior penetration tester for Cure53 and holds an Offensive Security Certified Professional (OSCP) certification... Read More →


Friday October 28, 2016 16:00 - 17:00
01. Westvleteren University

16:00

IoT CTF walkthrough
Limited Capacity full

Speakers
JV

Jean-Georges Valle

Jean-Georges is a Senior Technology Consultant within PwC since April 2015. | He is passionate about IT security and new technologies and is a titular of a Master in information system security (2008). He has worked in highly heterogeneous environments, service and industrial type with both deep technical (administrator in a hosting business), organizational (security auditor in a French Ministry, acting CISO in a BNP Paribas Branch) and... Read More →


Friday October 28, 2016 16:00 - 17:00
02. Westmalle University

17:00

Invoke-Obfuscation: PowerShell obFUsk8tion Techniques
The very best attackers hide their commands from A/V and application whitelisting technologies using encoded commands and memory-only payloads to evade detection. These techniques thwart Blue Teams from determining what was executed on a target system. However, network defenders are catching on, and state-of-the-art detection tools now monitor the command line arguments for powershell.exe either in real-time or from event logs.

We need new avenues to remain stealthy in a target environment. So, this talk will highlight a dozen never-before-seen techniques for obfuscating PowerShell command line arguments. As an incident responder at Mandiant, I have seen attackers use a handful of these methods to evade basic command line detection mechanisms. I will share these techniques already being used in the wild so you can understand the value each technique provides the attacker.

Speakers

Friday October 28, 2016 17:00 - 18:00
01. Westvleteren University