Time | Talk |
08.15 | Doors open |
08.15 – 11.00 | Registration HackCon#11 |
09.00 – 09.15 | Administrative information |
09.15 – 10.00 | How to bypass your security with 30 dollar, Kevin Bong, US |
10.15 – 11.00 | The Future is Now - Security implications of DIY (do it yourself) cybernetic implants and how to bypass your security, Alex Smith - Australia |
11.15 – 12.00 | When traditional risk management falls short - how to handle vulnerabilities and risks effectively through dynamic risk management, Several speakers – Norway |
12.00 – 13.00 | Lunch |
13.00 – 13.45 | How to protect our people (The Awkward Border), Laura Bell - New Zealand |
14.00 – 14.45 | When Penguins Attack your highly valued assets, Chester "Chet" Wisniewski - Canada |
14.45 – 15.15 | Break |
15.15 – 16.00 | Secure your organization from Phishing attacks |
16.15 – 17.00 | Chellam – a Wi-Fi IDS/Firewall which will protect you, Vivek Ramachandran - India |
17.30 | Social event. Here you have the opportunity to make contacts and get to know others. The network provides a light dinner, entertainment and more. |
23.00 | Doors locked |
Time | Talk |
08.15 | Doors open |
09.00 – 09.45 | How the organisation can lose control of its own information through social media, Cecilie Staude, Norway |
10.00 – 10.45 | Smartwatch risks, the new security risk to your enterprise |
11.00 – 11.45 | SMS and IMSI catchers – the favourite tools of those engaged in intelligence, industrial espionage and identity theft, Odd Helge Rosberg - Norway |
11.45 – 12.30 | Lunch |
12.30 – 12.45 | Prize draw |
12.50 – 13.35 | Information As A Weapon: Varieties, Deterrence and Response, Chris Pallaris - Switzerland |
13.50 – 14.35 | The age of Mobile App Insecurities – top 10 Mobile Risks, Aditya Modha - India |
14.50 – 15.35 | Electronic Opsec: Protect Yourself From Online Tracking & Surveillance, Zoz - Australia |
15.35 – 15.40 | HackCon#11 ends |
Monday 15 – Tuesday 16 February 2016
Course 1 – Securing mobile platforms and mobile apps (technical course)
Mobile App Hacking is a two-day course on how to perform Android and iOS application security assessments based on the “OWASP Top 10 Mobile Risks”. This hands-on training is designed around multiple in-house developed vulnerable applications, which contain vulnerabilities the trainer has observed during his daily application security assessments.
Technical know-how about modern applications, such as applications built with cross-platform development frameworks and applications that encrypt HTTP request parameters, will also be taught during the course.
By taking this course, attendees will learn the following topics:
Day 1 (Android)
- Crash course on the Android application permission model
- APK file architecture and setting up the emulator
- Reversing the APK file package
- Investigating app permissions through the manifest file
- Understanding, patching and runtime-debugging smali code
- Importing SSL certificates and bypassing SSL pinning
- Intercepting traffic and monitoring network activity
- Exploring the local data store
- Analyzing system logs
- Understanding components such as content providers, broadcast receivers, activities and services
- Classification of vulnerabilities based on the “OWASP Top 10 Mobile Risks”
Day 2 (iOS)
- Crash course on the jailbreaking process
- IPA file architecture and setting up the iOS device for security assessment
- Decrypting App Store applications and dumping class headers
- Inspecting the local data store (plist, SQLite, keychain, XML files, etc.)
- Investigating usage of platform-provided security APIs
- Bypassing client-side validations
- Importing SSL certificates and bypassing SSL pinning
- Traffic interception and runtime manipulation
- Binary patching
This training will be held by Aditya Modha with co-teacher Chintan Gurjar. Aditya Modha is a Senior Security Analyst at Lucideus Tech focused on web and mobile application security assessment. He is a computer science graduate and a Microsoft Certified Technology Specialist. He has carried out security assessments of more than 200 web and mobile applications, including core banking solutions and middleware applications. He blogs at oldmanlab@blogspot.com.
Aditya Modha has been a trainer at the following information security conferences:
- HITB, KL – Extreme Web Hacking, Oct 2013
- HackCon, Oslo – Advanced Burp Suite, Mar 2014
- OWASP AppSec EU, Amsterdam – Android App Hacking - Internet Banking Edition
This is a technical training and is suitable for people with a technical IT background and interest – we will provide you with the necessary tools and knowledge to get full advantage of this training.
Course 2 - Proactive crisis management and information as an attack weapon (strategic/management/administrative course)
Participants have requested that preHackCon should also include strategic courses. The feedback has been that people want more knowledge about proactive crisis management and how information is used as a "weapon" against the organisation. We have therefore put together this course so that participants can acquire knowledge in these areas. This course does not require specific technical knowledge and is equally suited to managers and technocrats.
This course is unique in that it will give you various tools you can use right away to handle your everyday security work much more easily and effectively. Day 2 is originally part of a closed course on how information is used offensively and defensively as a "weapon", both against and within an organisation. We have chosen to share some of this knowledge at preHackCon#11. There will be several instructors on this course.
Day 1 - A practical tabletop preparedness exercise for proactive crisis management
The day will be run as an "advanced" tabletop exercise, in which participants are engaged to tackle a practical, realistic case with a series of different sub-tasks. The workshop will open with some theory and examples covering different types of preparedness exercises, and how one should go about planning and running such exercises. The walkthrough will be spiced with practical examples and experiences from running various forms of exercises.
Responsive sub-tasks will give participants the opportunity to use their creativity, improvisation and "thinking on your feet", and through dialogue and collaboration to focus on preparedness measures in their own organisation. The workshop is run as a combination of theory, planning and execution of a "real" preparedness exercise.
The knowledge from this day is unique and will equip you well to run your own preparedness exercises in your organisation, and to develop proactive preparedness systems for effective handling of various incidents and crises.
Day 2 – Information as an attack weapon
By attacking the "soft" targets in the organisation, it does not matter whether you have invested millions of kroner in security, firewalls, ID cards or physical locks in the belief that you are secure. More and more organisations are now experiencing attacks against soft targets. By using information as the attack method, criminals, competitors or other actors can easily tap, manipulate, steer and control your organisation without you even being aware of it.
We will show you which techniques can be used to gain control over you, your key personnel and the organisation. Techniques that are used against you every day, perhaps without you noticing. With examples we will show how successful this type of operation can be! We will also show you how to use language effectively to "reach" out into the organisation and get security measures implemented effectively.
We will teach various techniques, with a pragmatic approach, that you can use both to uncover "hidden communication" and information attacks against the people in the organisation, and how you should conduct yourself to maintain good communication. The last part will be emphasised on day 2, where we draw on elements from conflict management and negotiation to understand the communicative power that can influence you and your organisation. Day 2 is based on practical exercises to enable participants to understand the core principles of communication. The instructor for day 2 is Suhail Mushtaq.
Wednesday - day 1, 17 February 2016
Time | Talk |
08.15 | Doors open |
08.15 – 11.00 | Registration HackCon#11 |
09.00 – 09.15 | Administrative information |
09.15 – 10.00 | How to bypass your security with 30 dollar
This talk will introduce five different security-related hardware hacking projects that are great for beginners, each of which has a low cost (≈30 dollar) and can be completed in a few hours or less. Examples of the projects include travel router hacking with OpenWRT, building a directional Wi-Fi antenna, HID RFID snooping and spoofing with Arduino, USB keyboard spoofing with Arduino, and an inline sniffer. A bill of materials and instructions for each project will be available online following the talk.
You will be amazed how these cheap projects can bypass your security in a cheap and "gentle" manner. And yes, we will have a hardware lab at HackCon where you can build the mentioned projects and test the security of your own organization afterwards!
The session will be held by Kevin Bong. Kevin is a security researcher with an interest in hardware and electronics. He created the MiniPwner, a pocket-size penetration testing device used to get remote access to a network. He’s also an author, instructor and a speaker at international conferences.
Kevin is a Manager at 403 Labs, the Security & Compliance division of Sikich LLP. He focuses on information security and compliance issues faced by financial institutions. With his experience performing audits, penetration testing, risk assessments and forensic investigations, Kevin provides invaluable guidance to institutions affected by standards such as those related to the FFIEC, NIST, HIPAA and PCI DSS.
|
10.15 – 11.00 | The Future is Now - Security implications of DIY (do it yourself) cybernetic implants and how to bypass your security
Until now, we have been dealing with firewalls, routers, IDS etc. to protect our information and secure our organization. A new challenge is coming over the horizon: biosecurity. We may think this is science fiction, but the truth is that you can already today implant several devices in your body yourself – and compromise the organization's security on several levels. This is what this talk is about – tomorrow's security challenges.
|
11.15 – 12.00 | When traditional risk management falls short - how to handle vulnerabilities and risks effectively through dynamic risk management
Recently there has been a strong focus on organisations carrying out risk assessments to handle vulnerabilities and risks in the organisation. But what actually is a risk assessment? And do risk assessments, as they are practised today, actually help reduce vulnerabilities and risks in the organisation? Who are these risk assessments really made for, and what is their purpose? Our claim is that risk management, as it is often carried out today, adds little real value to the organisation.
At HackCon#10 we announced that we would help ease organisations' work of managing risk. After nearly a year of development, we can now present RT-RMAP, Real Time Risk Manager and Assets Protection, at HackCon#11: that is, dynamic risk management.
Dynamic risk management is a pragmatic approach to risk management that safeguards the organisation's interests and keeps its vulnerabilities and risks under control. And not least, it ensures that management and personnel are at all times able to handle the various risks and vulnerabilities in the organisation.
If you find traditional risk management somewhat heavy-going, or feel that your message does not get through after you have carried out risk management, or feel that you have lost the overview of the risks in the organisation, we can promise you that once you start with dynamic risk management in RT-RMAP (after the tool is released) you will get an entirely new perspective on risk management. To quote someone who has worked with risk management for over 15 years: "With this we can get control over our risks and vulnerabilities, and really understand what risk management is and should be".
In this session we will go through what dynamic risk management is, the challenges of traditional risk management, and how you can handle your risks and vulnerabilities in a simple and pragmatic way. And not least, how you can safeguard the organisation's interests and its need to maintain security at various levels. At HackCon#11 you can get a first taste of RT-RMAP.
This session will be held by several presenters who have developed the methodology and the system, and possibly pilot users. If you have to manage risk in a world that is continuously changing, you should attend this talk to be able to handle your organisation's risks and vulnerabilities simply and effectively while maintaining security well. |
12.00 – 13.00 | Lunch |
13.00 – 13.45 | How to protect our people (The Awkward Border)
|
14.00 – 14.45 | When Penguins Attack your highly valued assets
1. What types of malware are we seeing target Linux systems? While the landscape continually evolves, we see far greater numbers of legacy infections on Linux than on other platforms.
2. How are these systems being monetized? Most criminals are in it for the money. There are numerous ways to cash in on a compromised Linux host that can yield good returns for criminals.
3. How do we better defend our hosts to prevent exploitation? Many of the adversaries are far from advanced, so why is it we still fall victim?
Many best practices are ignored by the operators of much of the world's internet hosting infrastructure. A few simple steps could go a long way toward not just better protecting our servers and our brands, but also toward creating a safer neighborhood for our Windows and Mac loving friends.
This presentation will be held by Chester "Chet" Wisniewski. Chester is a Senior Security Advisor at Sophos with more than 15 years' experience in the security industry. In his current role, Chester conducts research into computer security and online privacy with the goal of making security information more accessible to the public, the media and IT professionals.
Chester frequently writes articles for the award-winning Naked Security blog, produces the weekly podcast "Sophos Security Chet Chat" and is a frequent speaker at conferences and in the press.
|
14.45 – 15.15 | Break |
15.15 – 16.00 | Secure your organization from Phishing attacks
The presentation will explore some of the common phishing attack tools and techniques, and end with a demo of a recently created tool which can assist your organization in quickly deploying phishing exercises to secure your organization in minimal time.
The tool, when provided minimal input (such as just a domain name), can automatically search for potential targets, deploy multiple phishing websites, craft and send phishing emails to the targets, record the results, and generate a basic report. The tool can either work in a standalone fashion or make use of external tools (such as theHarvester and BeEF) if available.
Adam Compton will hold the session. And yes, Adam will have a small lab area at HackCon#11 where you can learn the new tool and use it to test and secure your organization.
Adam currently works as a Senior Security Consultant for Rapid7, where he puts his 20+ years of infosec and penetration testing experience to use. He has worked in both the government and private sectors for a variety of customers, ranging from domestic and international governments and multinational corporations to smaller local businesses. When not performing penetration tests or spending time with his family, he develops various open source tools and web applications to aid himself and others in the infosec field.
If you want to learn how to secure your organization from phishing, then you don't want to miss this session.
|
16.15 – 17.00 | Chellam – a Wi-Fi IDS/Firewall which will protect you
This talk will introduce techniques to detect Wi-Fi attacks such as honeypots, evil twins, mis-association, hosted-network-based backdoors etc. on a Windows client without the need for custom hardware or drivers. Our attack detection techniques will work for both encrypted (WPA/WPA2 PSK and Enterprise) and unencrypted networks.
We will also release a proof-of-concept tool implementing our detection techniques. Even though the focus of this talk is Windows, the same principles can be used to protect other operating systems, both workstation and mobile.
The talk will be held by Vivek Ramachandran. Vivek discovered the Caffe Latte attack, broke WEP Cloaking and publicly demonstrated enterprise Wi-Fi backdoors.
He is the author of "Backtrack 5: Wireless Penetration Testing", which has sold over 13,000 copies worldwide. He is the founder of SecurityTube.net and runs SecurityTube Training & Pentester Academy, which has trained professionals from 90 countries. Vivek is an international speaker and has spoken at several international conferences.
|
17.30 | Social event. Here you have the opportunity to make contacts and get to know others. The network provides a light dinner, entertainment and more. |
23.00 | Doors locked |
Thursday - day 2, 18 February 2016
Time | Talk |
08.15 | Doors open |
09.00 – 09.45 | How the organisation can lose control of its own information through social media
Social media affects the way we work. The channels' growing importance for promoting collaboration, co-creation and innovation, in the workplace as well as in relations with the company's other stakeholders, has changed our everyday lives.
How should we meet the challenges that arise when digital interaction affects how content is created, shared and consumed, and thereby contributes to organisations losing control over their own content? The question is whether your organisation is prepared to lose control over its own content. This session gives you a good insight into the challenges organisations face when information flows freely (and often without control) in our modern society, and what consequences this can have for our organisations.
|
10.00 – 10.45 | Smartwatch risks, the new security risk to your enterprise
This session will show how smartwatches are introducing a new security risk to your enterprise. We have analyzed some of the most popular smartwatches (as well as the plethora of other smartwatches on the market) to determine the risks they introduce to mobile enterprise data. Our research team continues to discover a broad range of smartwatch and wearable vulnerabilities, including PIN bypass vulnerabilities, pairing apps speaking to random international IP addresses, lack of proper encryption controls, and more.
In this session, we will focus on:
- What’s different about a smartwatch from other mobile devices
- What vulnerabilities we've discovered and reported on during our research and their impact on enterprise data
- A stack ranking of smartwatches and wearables in terms of their security posture regarding lack of encryption, PIN protection, and other fundamental security controls
- The pairing apps and which ones exhibit suspicious behaviors (back-channel communications, outbound data exfiltration, data harvesting, etc.)
- A live demo of an attack on a smartwatch, using a PIN bypass vulnerability
- Lessons learned from the research to provide best practices and guidance in terms of smartwatch security and a mobile enterprise strategy for embracing these devices and securing enterprise data
The session will be held by Michael T. Raggo (CISSP, NSA-IAM, CCSI, ACE, CSI), Director, Security Research, MobileIron. Michael has over 20 years of security research experience. His current focus is threats and countermeasures for the mobile enterprise.
Michael is the author of “Mobile Data Loss: Threats & Countermeasures” and “Data Hiding: Exposing Concealed Data in Multimedia, Operating Systems, Mobile Devices and Network Protocols” for Syngress Books, and contributing author for “Information Security the Complete Reference 2nd Edition”.
A former security trainer, Michael has briefed international defense agencies including the FBI and Pentagon, is a participating member of the PCI Mobile Task Force, and is a frequent presenter at international security conferences.
|
11.00 – 11.45 | SMS and IMSI catchers – the favourite tools of those engaged in intelligence, industrial espionage and identity theft
The talk will be held by Odd Helge Rosberg. Odd Helge is CTO of Rosberg System. He is one of the founders of Rosberg System and has developed a number of patented security solutions for mobile devices. He also has long experience from the security industry, both as an IT manager and in the IT industry. The technologies include solutions for secure communication, proactive protection of devices against theft, protection against SMS-based attacks and more.
|
11.45 – 12.30 | Lunch |
12.30 – 12.45 | Prize draw |
12.50 – 13.35 | Information As A Weapon: Varieties, Deterrence and Response
Information has always played a critical role in warfare, not least in the form of intelligence, deception, and propaganda. Today, information’s ability to inflict damage or harm has never been greater. Indeed, organisations of every stripe can now use information to disable or defeat their adversaries. This presentation will examine how that’s possible, and what we can do to avoid the risks.
We will begin with a historical overview of this phenomenon, examining how information has evolved to enable such disciplines as information warfare, information operations, etc.
From there, we will present a typology of information-related “weapon systems” (defensive, offensive, strategic, tactical, etc.) with demos and real-world cases, and discuss how our adversaries might use such tools against us. Our focus here will not just be on the protection of one’s critical infrastructures, but also on how organisations can protect against reputational risks, social engineering, etc.
Finally, we will explore the options available to organisations on the receiving end of such attacks, and what can be done to retain one’s competitive advantages.
This session will be held by Chris Pallaris. Chris’ professional experience covers a broad range of disciplines including open source and competitive intelligence, journalism, information and knowledge management, network building, market research, strategy consulting, and organizational development.
|
13.50 – 14.35 | The age of Mobile App Insecurities – top 10 Mobile Risks
There is widespread adoption of mobile applications in today’s digital space, to the extent that some companies have shut their web portals and gone completely mobile. This shift in the application space comes at a cost because, unlike web applications, mobile applications may have a larger attack surface: two components need to be securely managed, namely the mobile client application and its corresponding server-side code.
This talk will discuss common vulnerabilities in Android and iOS applications on the basis of the "OWASP Top 10 Mobile Risks", along with real-world examples and demos. The examples are derived from auditing well-known applications from the App Store and Play Store in different categories such as banking, trading, e-commerce, health and fitness, travel, insurance, etc. The speaker will also discuss security best practices for mobile applications that can be incorporated during the development phase in order to create an application with a minimum security baseline.
This session will be held by Aditya Modha. Aditya is a Senior Security Analyst at Lucideus Tech focused on web and mobile application security assessment. He is a computer science graduate and a Microsoft Certified Technology Specialist. He has carried out security assessments of more than 200 web and mobile applications, including core banking solutions and middleware applications. Aditya Modha has been a trainer/speaker at different information security conferences such as Hack In The Box, HackCon, OWASP AppSec, ISACA, etc. He blogs at oldmanlab@blogspot.com.
|
14.50 – 15.35 | Electronic Opsec: Protect Yourself From Online Tracking & Surveillance
Electronic communication is the boon of the modern age, but surveillance is increasingly becoming its business model. Ordinary businesspeople and citizens, not just dissidents and criminals, are finding the traces they leave from their everyday internet and cellphone usage being used to target, monetize and exploit them.
In this presentation, we will look at the techniques used by intelligence agencies (both those of government and the private sector, such as Facebook, Google and LinkedIn) to track and deanonymize users across networks and devices: what their capabilities are and how these techniques can be misused by end clients and observers.
The correct usage of various tools and techniques will be presented to help you maintain operational security and protect against bad actors taking advantage of your online history. The presentation will also include a dissection of the ways in which the latest directions in commercial end-user tracking are taking their technology directly from criminal malware techniques.
The presentation will be held by Zoz. Zoz is a robotics engineer, pyrochemist, and inveterate tinkerer. He got his PhD from the Robotic Life group at the MIT Media Lab. Zoz is a robotics expert and privacy advocate whose interests center on the interactions between humans and technology in the form of human-machine interfaces, design, and individual empowerment. He has taught subjects including robotics, digital fabrication, cybersecurity and ethical hacking at top international universities and as a private industry consultant. He has hosted and appeared on numerous international television shows including Prototype This!, Time Warp and RoboNationTV. He speaks frequently at prominent security conferences worldwide, and is a 2-time DEFCON black badge winner.
|
15.35 – 15.40 | HackCon#11 ends |
Tid | Foredrag |
08.15 | Dørene åpnes |
08.15 – 11.00 | Registrering HackCon#11 |
09.00 – 09.15 |
Administrativ informasjon |
09.15 – 10.00 |
How to bypass your security with 30 dollar, Kevin Bong, US |
10.15 – 11.00 |
The Future is Now - Security implications of DIY (do it yourself) cybernetic implants and how to bypass your security, Alex Smith - Australia |
11.15 – 12.00 |
Når tradisjonell risikohåndtering ikke strekker til - hvordan håndtere sårbarheter og risikoer effektivt via dynamisk risikohåndtering, Flere foredragsholdere – Norge |
12.00 – 13.00 |
Lunsj |
13.00 – 13.45 |
How to protect our people (The Awkward Border), Laura Bell - New Zealand |
14.00 – 14.45 |
When Penguins Attack your highly valued assets, Chester "Chet" Wisniewski - Canada |
14.45 – 15.15 |
Pause |
15.15 – 16.00 |
Secure your organization from Phishing attacks, |
16.15 – 17.00 |
Chellam – a Wi-Fi IDS/Firewall which will protect you, Vivek Ramachandran - India |
17.30 |
Sosialt arrangement Her har du muligheten til å knytte kontakter og blir kjent med andre. nettverket sørger for lett middag og underholdning med mer. |
23.00 | Dørene låses |
Tid | Foredrag |
08.15 |
Dørene åpnes |
09.00 – 09.45 |
Hvordan virksomheten kan miste kontroll over egen informasjon gjennom sosiale medier, Cecilie Staude, Norge |
10.00 – 10.45 |
Smartwatch risks, the new security risk to your enterprise, |
11.00 – 11.45 |
SMS og IMSI-fangere – favorittverktøyene til dem som driver med etterretning, industrispionasje og identitetstyveri, Odd Helge Rosberg - Norge |
11.45 – 12.30 | Lunsj |
12.30 – 12.45 |
Loddtrekning |
12.50 – 13.35 |
Information As A Weapon: Varities, Deterrence and Response, Chris Pallaris - Swiss |
13.50 – 14.35 |
The age of Mobile App Insecurities – top 10 Mobile Risks, Aditya Modha - India |
14.50 – 15.35 |
Electronic Opsec: Protect Yourself From Online Tracking & Surveillance, Zoz - Australia |
15.35 – 15.40 | HackCon#11 slutt |
Mandag 15. – tirsdag 16. | 2 | 2016
Kurs 1 – Securing mobile platforms and mobile apps (teknisk kurs)
Mobile App Hacking is a two days course on learning how to perform Android and iOS application security assessment based on the “OWASP Top 10 Mobile Risks”. This hands-on training is designed around multiple in-house developed vulnerable applications which contain vulnerabilities that were observed by the trainer during his daily application security assessments.
Technical know-how about modern applications such as application built using cross platform development software, application encrypting HTTP request parameters, etc. will also be taught during the course.
By taking this course, attendees will learn following topics:
Day1 (Android)
- Crash course on Android application permission model
- APKfile architecture and setting up the emulator
- Reversing the APK file package
- Investigating app permissions through manifest file
- Understanding, patching and runtime debugging smali code
- Importing SSL certificates and bypassing SSL pinning
- Intercepting traffic and network activity monitoring
- Exploring local data store
- Analyzing system logs
- Understanding components such as content provider, broadcast receiver, activities and services
- Classification of vulnerabilities based on “OWASP Top10 Mobile Risks”
Day2 (iOS)
- Crash course on – process of jailbreaking
- IPA file architecture and setting up the iOS device for security assessment
- Decrypting App Store applications and dump class headers
- Local datastore inspection (plist, SQLite, keychain, XML files, etc.)
- Investigate platform provided security API usage
- Bypass client-side validations
- Import SSL certificates and bypass SSL pinning
- Traffic interception and runtime manipulation
- Binary patching
This training will be held by AdityaModha with co-teacher Chintan Gurjar. Aditya Modha, is a Senior Security Analyst at Lucideus Tech focused on web and mobile applications security assessment. He is a computer science graduate and a Microsoft Certified Technology Specialist. He has carried out security assessment of more than 200 web and mobile applications including core banking solutions and middlewareapplications. He blogs at oldmanlab@blogspot.com.
Aditya Modha was a trainer at the following information security conferences,
- HITB, KL – Extreme Web Hacking Oct’2013
- HackCon, Oslo – Advanced Burp Suite Mar’2014
- OWASP AppSec Eu, Amsterdam - Android App Hacking - Internet Banking Edition
This is a technical training course suitable for people with an IT technical background and interest; we will provide the tools and knowledge you need to get the full benefit of the training.
Course 2 - Proactive crisis management and information as a weapon of attack (strategic/management/administrative course)
Participants have asked that preHackCon should also include strategic courses. The feedback has been that people want more knowledge about proactive crisis management and about how information is used as a "weapon" against the organization. We have therefore put together this course so that participants can acquire knowledge in these areas. The course does not require specific or technical knowledge and is equally suitable for managers and technologists.
This course is unique in that it gives you tools you can start using right away to handle your everyday security work more easily and effectively. Day 2 is originally part of a closed course on how information is used offensively and defensively as a "weapon", both against and within an organization. We have chosen to share some of this knowledge at preHackCon#11. There will be several instructors on this course.
Day 1 - A practical tabletop preparedness exercise for proactive crisis management
The day will be run as an "advanced" tabletop exercise in which participants work through a practical, realistic case with a number of sub-tasks. The workshop opens with some theory and examples covering different kinds of preparedness exercises, and how to plan and run such exercises. The walkthrough is spiced with practical examples and experiences from running exercises of various forms.
Responsive sub-tasks give participants the chance to use their creativity, improvisation and "thinking on your feet", and through dialogue and collaboration to focus on preparedness measures in their own organization. The workshop combines theory with the planning and running of a "real" preparedness exercise.
The knowledge from this day is unique and will equip you to run your own preparedness exercises in your organization, and to develop proactive preparedness systems for handling incidents and crises effectively.
Day 2 - Information as a weapon of attack
When the "soft" targets in an organization are attacked, it does not matter whether you have invested millions in security, firewalls, ID cards or physical locks in the belief that you are secure. More and more organizations are seeing attacks against soft targets. By using information as the attack method, criminals, competitors or other actors can easily tap, manipulate, steer and control your organization without you even being aware of it.
We will show you the techniques that can be used to gain control over you, your key personnel and your organization: techniques that are used against you every day, perhaps without you noticing. With examples we will show how successful this kind of operation can be. We will also show you how to use language effectively to "reach" the organization and get security measures implemented.
We will teach various techniques, with a pragmatic approach, that you can use both to uncover "hidden communication" and information attacks against people in the organization, and to maintain good communication. The latter is emphasized on day 2, where we draw on elements from conflict management and negotiation to understand the communicative power that can influence you and your organization. Day 2 is based on practical exercises that enable participants to understand the core principles of communication. The course leader for day 2 is Suhail Mushtaq.
Wednesday - day 1, 17 | 2 | 2016
Time | Session |
08.15 | Doors open |
08.15 – 11.00 | Registration HackCon#11 |
09.00 – 09.15 |
Administrative information
09.15 – 10.00 |
How to bypass your security with 30 dollars, This talk will introduce five security-related hardware hacking projects that are great for beginners, each of which is low cost (around 30 dollars) and can be completed in a few hours or less. The projects include travel router hacking with OpenWRT, building a directional Wi-Fi antenna, HID RFID snooping and spoofing with Arduino, USB keyboard spoofing with Arduino, and an inline sniffer. A bill of materials and instructions for each project will be available online after the talk.
You will be amazed at how these cheap projects can bypass your security in a cheap and "gentle" manner. And yes, we will have a hardware lab at HackCon where you can build the projects and then test the security of your own organization!
The session will be held by Kevin Bong. Kevin is a security researcher with an interest in hardware and electronics. He created the MiniPwner, a pocket-size penetration testing device used to get remote access to a network. He is also an author, instructor and speaker at international conferences.
Kevin is a Manager at 403 Labs, the Security & Compliance division of Sikich LLP. He focuses on information security and compliance issues faced by financial institutions. With his experience performing audits, penetration testing, risk assessments and forensic investigations, Kevin provides invaluable guidance to institutions affected by standards such as those related to the FFIEC, NIST, HIPAA and PCI DSS.
|
10.15 – 11.00 |
Until now we have relied on firewalls, routers, IDS and the like to protect our information and secure our organizations. A new challenge is appearing on the horizon: biosecurity. We may think of this as science fiction, but the truth is that today you can already implant several devices in your own body yourself, and compromise your organization's security on several levels. That is what this talk is about: tomorrow's security challenges.
|
11.15 – 12.00 |
When traditional risk management falls short - how to handle vulnerabilities and risks effectively with dynamic risk management, Recently there has been a strong focus on organizations carrying out risk assessments to handle their vulnerabilities and risks. But what is a risk assessment, really? And, as practised today, do risk assessments actually help reduce an organization's vulnerabilities and risks? Who are these risk assessments really made for, and what is their purpose? Our claim is that risk management as it is commonly done today adds little value to the organization.
At HackCon#10 we announced that we would help make organizations' risk management work easier. After nearly a year of development we can now present RT-RMAP, Real Time Risk Manager and Assets Protection, that is, dynamic risk management, at HackCon#11.
Dynamic risk management is a pragmatic approach to risk management that protects the organization's interests and keeps its vulnerabilities and risks under control; not least, it keeps management and personnel able at all times to handle the organization's risks and vulnerabilities.
If you find traditional risk management heavy going, feel that your message does not get through after you have completed a risk assessment, or feel that you have lost track of the risks in your organization, we can promise that once you start with dynamic risk management in RT-RMAP (after the tool is released) you will get a whole new perspective on risk management. To quote someone who has worked with risk management for more than 15 years: "With this we can get control over our risks and vulnerabilities, and really understand what risk management is and should be".
In this session we will go through what dynamic risk management is, the challenges of traditional risk management, and how you can handle your risks and vulnerabilities in a simple and pragmatic way; and, not least, how to protect the organization's interests and its security needs at different levels. At HackCon#11 you can get a first taste of RT-RMAP.
The session will be held by several speakers who have developed the methodology and the system, and possibly pilot users. If you have to manage risks in a world that is continuously changing, you should catch this talk to learn how to handle your organization's risks and vulnerabilities simply and effectively while maintaining good security. |
12.00 – 13.00 |
Lunch
13.00 – 13.45 |
How to protect our people (The Awkward Border),
|
14.00 – 14.45 |
When Penguins Attack your highly valued assets, This talk addresses three questions:
1. What types of malware are we seeing target Linux systems? While the landscape continually evolves, we see far greater numbers of legacy infections on Linux than on other platforms.
2. How are these systems being monetized? Most criminals are in it for the money. There are numerous ways to cash in on a compromised Linux host that can yield good returns for criminals.
3. How do we better defend our hosts to prevent exploitation? Many of the adversaries are far from advanced, so why is it we still fall victim?
Many best practices are ignored by the operators of much of the world's internet hosting infrastructure. A few simple steps could go a long way toward not just better protecting our servers and our brands, but also toward creating a safer neighborhood for our Windows and Mac loving friends.
This presentation will be held by Chester "Chet" Wisniewski. Chester is a Senior Security Advisor at Sophos with more than 15 years' experience in the security industry. In his current role, Chester conducts research into computer security and online privacy with the goal of making security information more accessible to the public, the media and IT professionals.
Chester frequently writes articles for the award-winning Naked Security blog, produces the weekly podcast "Sophos Security Chet Chat" and is a frequent speaker at conferences and in the press.
|
14.45 – 15.15 |
Break
15.15 – 16.00 |
Secure your organization from Phishing attacks, The presentation will explore some of the common phishing attack tools and techniques, and end with a demo of a recently created tool that can help your organization deploy phishing exercises quickly and with minimal effort.
The tool, when provided minimal input (such as just a domain name), can automatically search for potential targets, deploy multiple phishing websites, craft and send phishing emails to the targets, record the results, and generate a basic report. The tool can either work in a standalone fashion or make use of external tools (such as theHarvester and BeEF) if available.
Adam Compton will hold the session. And yes, Adam will have a small lab area at HackCon#11 where you can learn the new tool and use it to test and secure your organization.
Adam currently works as a Senior Security Consultant for Rapid7, where he puts his 20+ years of infosec and penetration testing experience to use. He has worked in both the government and private sectors for a variety of customers ranging from domestic and international governments and multinational corporations to smaller local businesses. When not performing penetration tests or spending time with his family, he develops open source tools and web applications to aid himself and others in the infosec field.
If you want to learn how to secure your organization from phishing, then you don't want to miss this session.
|
16.15 – 17.00 |
Chellam – a Wi-Fi IDS/Firewall which will protect you, This talk will introduce techniques to detect Wi-Fi attacks such as Honeypots, Evil Twins, Mis-association, Hosted Network based backdoors etc. on a Windows client without the need for custom hardware or drivers. Our detection techniques work for both encrypted (WPA/WPA2 PSK and Enterprise) and unencrypted networks.
We will also release a proof of concept tool implementing our detection techniques. Even though the focus of this talk is Windows, the same principles can be used to protect other Operating Systems, both workstation and mobile.
The talk will be held by Vivek Ramachandran. Vivek discovered the Caffe Latte attack, broke WEP Cloaking and publicly demonstrated enterprise Wi-Fi backdoors.
He is the author of "Backtrack 5: Wireless Penetration Testing", which has sold over 13,000 copies worldwide. He is the founder of SecurityTube.net and runs SecurityTube Training & Pentester Academy, which has trained professionals from 90 countries. Vivek is an international speaker and has spoken at several international conferences.
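The evil-twin and honeypot checks the abstract describes can be done from the stock Windows WLAN service, which is the point of "no custom hardware or drivers". The following is an added example, not Chellam's code: it parses the text format of `netsh wlan show networks mode=bssid` (a constructed sample is embedded) and compares it against an operator-maintained baseline of trusted profiles (assumed here, with made-up SSIDs and BSSIDs), flagging a known SSID advertised with the wrong security setting, an unknown BSSID on a known SSID, and an unknown SSID advertised with two different security settings. A second small check looks for a started Hosted Network, the SoftAP Windows itself can run, in `netsh wlan show hostednetwork` output (also a constructed sample).

```python
# Added example (not Chellam's code): flag evil twins and honeypots from the
# output of stock Windows `netsh wlan show networks mode=bssid`, no custom
# drivers needed. SSIDs, BSSIDs and the trusted baseline are made up.
import re
from collections import defaultdict, namedtuple
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed netsh output, trimmed to the fields the check uses.
SAMPLE_NETSH = """\
Interface name : Wi-Fi
SSID 1 : CorpWiFi
    Authentication          : WPA2-Enterprise
    BSSID 1                 : aa:bb:cc:dd:ee:01
         Channel            : 6
    BSSID 2                 : aa:bb:cc:dd:ee:03
         Channel            : 1

SSID 2 : CorpWiFi
    Authentication          : Open
    BSSID 1                 : 02:11:22:33:44:55
         Channel            : 6

SSID 3 : FreeAirport
    Authentication          : Open
    BSSID 1                 : 0e:aa:aa:aa:aa:01
         Channel            : 6

SSID 4 : FreeAirport
    Authentication          : WPA2-Personal
    BSSID 1                 : 0e:aa:aa:aa:aa:02
         Channel            : 6
"""

# Constructed `netsh wlan show hostednetwork` output: a SoftAP running on this client.
SAMPLE_HOSTED = """\
Hosted network status
    Status                 : Started
    BSSID                  : 02:aa:bb:cc:dd:ee
"""

# Operator-maintained baseline (assumed): expected security and the BSSIDs we own.
TRUSTED_PROFILES = {
    "CorpWiFi": {"auth": "WPA2-Enterprise", "bssids": {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"}},
}

@dataclass
class Network:
    ssid: str
    auth: str = ""
    bssids: Dict[str, Optional[int]] = field(default_factory=dict)  # bssid -> channel

Finding = namedtuple("Finding", "severity ssid bssid detail")

def parse_netsh(text: str) -> List[Network]:
    """netsh groups by (SSID, security), so a twin with the same name but another
    security setting shows up as its own 'SSID n' block."""
    networks: List[Network] = []
    net: Optional[Network] = None
    bssid: Optional[str] = None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if re.fullmatch(r"SSID \d+", key):
            net, bssid = Network(ssid=value), None
            networks.append(net)
        elif net is None:
            continue
        elif key == "Authentication":
            net.auth = value
        elif re.fullmatch(r"BSSID \d+", key):
            bssid = value.lower()
            net.bssids[bssid] = None
        elif key == "Channel" and bssid is not None:
            net.bssids[bssid] = int(value)
    return networks

def detect(networks: List[Network], profiles: Dict[str, dict]) -> List[Finding]:
    by_ssid: Dict[str, List[Network]] = defaultdict(list)
    for n in networks:
        by_ssid[n.ssid].append(n)
    findings: List[Finding] = []
    for ssid, nets in by_ssid.items():
        profile = profiles.get(ssid)
        if profile is None:
            # No baseline: the strong signal is one name with two security settings.
            auths = sorted({n.auth for n in nets})
            if len(auths) > 1:
                findings.append(Finding("HIGH", ssid, None, f"one SSID, two security settings: {auths}"))
            continue
        for n in nets:
            for bssid, channel in n.bssids.items():
                if n.auth != profile["auth"]:
                    findings.append(Finding("HIGH", ssid, bssid,
                        f"advertises {n.auth}, trusted profile is {profile['auth']} (evil twin / downgrade)"))
                elif bssid not in profile["bssids"]:
                    findings.append(Finding("MEDIUM", ssid, bssid,
                        f"right security but unknown BSSID on channel {channel} (rogue or unlisted AP)"))
    return findings

def hosted_network_started(text: str) -> bool:
    """A started Hosted Network (SoftAP) on a client is a known backdoor bridge."""
    return re.search(r"^\s*Status\s*:\s*Started\s*$", text, re.M) is not None
```

On a real client, run the two netsh commands and feed their output to `parse_netsh` and `hosted_network_started` instead of the samples. Treat a MEDIUM finding as a prompt to update the baseline when a legitimate AP has been added, since roaming environments gain BSSIDs routinely; a HIGH finding on a known SSID is the case worth blocking the connection on.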
|
17.30 |
Social event. Here you have the opportunity to network and get to know others. The network provides a light dinner, entertainment and more. |
23.00 | Doors locked |
Thursday - day 2, 18 | 2 | 2016
Time | Session |
08.15 |
Doors open
09.00 – 09.45 |
Social media are changing the way we work. The channels' growing importance for collaboration, co-creation and innovation, in the workplace as well as in relations with the company's other stakeholders, has changed our everyday lives.
How should we meet the challenges that arise when digital collaboration changes how content is created, shared and consumed, and thereby contributes to organizations losing control over their own content? The question is whether your organization is prepared to lose control of its own content. This session gives you a good insight into the challenges organizations face when information flows freely (and often without control) in modern society, and the consequences this can have for our organizations.
|
10.00 – 10.45 |
Smartwatch risks, the new security risk to your enterprise, This session will show how smartwatches are introducing a new security risk to your enterprise. We have analyzed some of the most popular smartwatches (as well as the plethora of other smartwatches on the market) to determine the risks they introduce to mobile enterprise data. Our research team continues to discover a broad range of smartwatch and wearable vulnerabilities, including PIN bypass vulnerabilities, pairing apps talking to random international IP addresses, lack of proper encryption controls, and more.
In this session, we will focus on:
- What's different about a smartwatch compared to other mobile devices
- What vulnerabilities we've discovered and reported on during our research and their impact on enterprise data
- A stack ranking of smartwatches and wearables in terms of their security posture regarding: lack of encryption, PIN protection, and other fundamental security controls
- The pairing apps and which ones exhibit suspicious behaviors (back-channel communications, outbound data exfiltration, data harvesting, etc.)
- A live demo of an attack on a smartwatch, using a PIN bypass vulnerability
- Lessons learned from the research to provide best practices and guidance in terms of smartwatch security and a mobile enterprise strategy for embracing these devices and securing enterprise data
The session will be held by Michael T. Raggo (CISSP, NSA-IAM, CCSI, ACE, CSI), Director, Security Research, MobileIron. Michael has over 20 years of security research experience. His current focus is threats and countermeasures for the mobile enterprise.
Michael is the author of “Mobile Data Loss: Threats & Countermeasures” and “Data Hiding: Exposing Concealed Data in Multimedia, Operating Systems, Mobile Devices and Network Protocols” for Syngress Books, and contributing author for “Information Security the Complete Reference 2nd Edition”.
A former security trainer, Michael has briefed international defense agencies including the FBI and Pentagon, is a participating member of the PCI Mobile Task Force, and is a frequent presenter at international security conferences.
|
11.00 – 11.45 |
SMS and IMSI catchers – the favourite tools of those engaged in intelligence, industrial espionage and identity theft,
The talk will be given by Odd Helge Rosberg. Odd Helge is CTO of Rosberg System. He is one of the founders of Rosberg System and has developed a number of patented security solutions for mobile devices. He also has long experience from the security industry, both as an IT manager and in the IT business. The technologies include solutions for secure communication, proactive protection of devices against theft, protection against SMS-based attacks and more.
|
11.45 – 12.30 | Lunch |
12.30 – 12.45 |
Prize draw
12.50 – 13.35 |
Information As A Weapon: Varieties, Deterrence and Response, Information has always played a critical role in warfare, not least in the form of intelligence, deception and propaganda. Today, information's ability to inflict damage or harm has never been greater. Indeed, organisations of every stripe can now use information to disable or defeat their adversaries. This presentation will examine how that is possible, and what we can do to avoid the risks.
We will begin with a historical overview of this phenomenon, examining how information has evolved to enable such disciplines as information warfare, information operations, etc.
From there, we will present a typology of information-related "weapon systems" (defensive, offensive, strategic, tactical, etc.) with demos and real-world cases, and discuss how our adversaries might use such tools against us. Our focus here will not just be on the protection of one's critical infrastructures, but also on how organisations can protect against reputational risks, social engineering, etc.
Finally, we will explore the options available to organisations on the receiving end of such attacks, and what can be done to retain one's competitive advantages.
This session will be held by Chris Pallaris. Chris’ professional experience covers a broad range of disciplines including open source and competitive intelligence, journalism, information and knowledge management, network building, market research, strategy consulting, and organizational development.
|
13.50 – 14.35 |
The age of Mobile App Insecurities – top 10 Mobile Risks, Mobile applications are so widely adopted in today's digital space that some companies have shut down their web portals and gone completely mobile. This shift comes at a cost: unlike web applications, mobile applications have a larger attack surface, since two components must be secured, the mobile client application and its corresponding server-side code.
This talk will discuss common vulnerabilities in Android and iOS applications on the basis of the "OWASP Top 10 Mobile Risks", with real-world examples and demos. The examples are derived from auditing well-known App Store and Play Store applications from categories such as banking, trading, e-commerce, health and fitness, travel and insurance. The speaker will also discuss security best practices for mobile applications that can be incorporated during the development phase in order to build an application with a minimum security baseline.
Speaker Bio: This session will be held by Aditya Modha. Aditya is a Senior Security Analyst at Lucideus Tech focused on web and mobile application security assessment. He is a computer science graduate and a Microsoft Certified Technology Specialist. He has carried out security assessments of more than 200 web and mobile applications, including core banking solutions and middleware applications. Aditya has been a trainer and speaker at information security conferences such as Hack In The Box, HackCon, OWASP AppSec and ISACA. He blogs at oldmanlab@blogspot.com.
|
14.50 – 15.35 |
Electronic Opsec: Protect Yourself From Online Tracking & Surveillance, Electronic communication is the boon of the modern age, but surveillance is increasingly becoming its business model. Ordinary businesspeople and citizens, not just dissidents and criminals, are finding the traces they leave through everyday internet and cellphone usage being used to target, monetize and exploit them.
In this presentation, we will look at the techniques used by intelligence agencies (both governmental and private-sector ones such as Facebook, Google and LinkedIn) to track and deanonymize users across networks and devices: what their capabilities are and how these techniques can be misused by end clients and observers.
The correct usage of various tools and techniques will be presented to help you maintain operational security and protect against bad actors taking advantage of your online history. The presentation will also include a dissection of the ways in which the latest directions in commercial end-user tracking borrow their technology directly from criminal malware techniques.
The presentation will be held by Zoz. Zoz is a robotics engineer, pyrochemist and inveterate tinkerer. He got his PhD from the Robotic Life group at the MIT Media Lab. Zoz is a robotics expert and privacy advocate whose interests center on the interactions between humans and technology in the form of human-machine interfaces, design and individual empowerment. He has taught subjects including robotics, digital fabrication, cybersecurity and ethical hacking at top international universities and as a private industry consultant. He has hosted and appeared on numerous international television shows including Prototype This!, Time Warp and RoboNationTV. He speaks frequently at prominent security conferences worldwide and is a 2-time DEFCON black badge winner.
|
15.35 – 15.40 | HackCon#11 ends |