HackCon#10 - 2015


Monday 2 February 2015

08.15 Doors open

08.15 Registration HackCon#10

09.00 - 09.15 Administrative information

09.00 - 09.45 When states goes to cyberwar with off the shelf ATP - Germany

Rocket Kitten is a threat actor that is responsible for a set of advanced cyber espionage campaigns against several European and Israeli targets. This talk will uncover a set of intrusions by this actor that involved a commercial attack framework – a highly specialized tool that has not been publicly documented and remained undetected in multiple operations.


We will discuss the framework's technical design and review its features and capabilities that make it a premium instrument for stealth intrusions. We will further discuss how the tool is delivered to victims and what post-exploitation actions are performed once the adversary has gained a foothold on a target. We conclude with an assessment of the discrepancies between the importance of this actor's campaigns and their sophistication.


The presentation will be held by Tillmann Werner. Tillmann is a researcher at CrowdStrike where his duties include the in-depth analysis of targeted attacks. He has a passion for proactive defense strategies like botnet takeovers. As a member of the Honeynet Project, Tillmann is actively involved with the global computer security community and is a regular speaker on the international conference circuit.

10.15 - 11.00 Keynote - Our digital vulnerability, technology and open questions - Norway

"Lysneutvalget" (the Lysne Committee) has been commissioned by the Government to assess the country's digital vulnerability. This follows a number of recent events in which our dependence on digital structures has been made evident. Terms such as the storm "Dagmar", the fire in Lærdal, Edward Snowden, IMSI catchers, privacy, chilling effect and cybercrime each offer their own angle on issues related to society's relationship to digital structures.


In this talk the head of the committee, Professor Olav Lysne, will describe the background for the work they are to do, which will eventually lead to proposals that can form the basis for a future policy in this area. Olav Lysne is a professor of informatics at Simula and the University of Oslo. He is also a section director at Simula, where he heads the Robuste Nett centre, which he also founded and built up. In the summer of 2014 he was appointed by the government as head of a digital vulnerability committee. The committee is to deliver its report in September 2015.

11.15 - 11.30 NetScope - your best friend in proactive defense - US/Norway

In 2015, HackCon celebrates its 10-year anniversary, and on this occasion HackCon will release NetScope for free. It's very easy and straightforward to implement NetScope in your organization. NetScope is a network analysis framework designed to seamlessly integrate with your enterprise boundary protection systems to better categorize traffic, correlate alerts, and provide situational awareness regarding the health of the network.


In today's paradigm, if you were asked "Is our network under attack?", how would you answer this question and what metrics would you use to derive your response? NetScope helps to answer these questions. In a short time, you will be up and running, and will have a good view of what's occurring on your network and systems. The research with NetScope will help you to better identify where attacks are originating from, which systems are being attacked, the type of attacks, and much, much more.


NetScope's functions will amaze you, as this is also a tool for your CEO, CTO, and board directors to easily understand what's going on against your organization in real time. NetScope is a must in your organization, not only to understand the threats, but also how you can best protect your network and systems. And best of all - it's free for you to use!


The presentation will be held by Solomon Sonya and Suhail Mushtaq - both core developers of NetScope. Solomon and Suhail are both well known senior security researchers, and have created several innovative security systems in the past.

11.30 - 12.10 Why does your sandbox attack the Whitehouse? - Denmark

The original implementation of Sandbox technologies for analyzing malware used to be considered a very strict and closed environment, where the malware was often not executed on real-life operating systems, and the network connectivity was emulated.


Today’s threats require the sandboxes to be more open to what the malware is allowed to do, including contacting remote C&C servers to download and execute additional components. While the barriers in the sandboxes are fading towards the Internet, this introduces a new threat that can pose a risk in the way these are being implemented and used by companies. Although the malware sandboxes have previously been attacked in several ways, this is a new attack scenario not seen in use before. This presentation will show several ways to utilize the sandboxes to attack hosts on the Internet, such as the Whitehouse.


The presentation will be held by Dennis Rand. Dennis is a Senior Security Consultant at FortConsult, located in Denmark. Dennis has more than a decade of experience in the IT-security industry, having previously discovered many vulnerabilities in leading enterprise products and widely used software. For the past 5 years, Dennis has been doing a large amount of research in the area of eCrime, including Incident response, Reverse engineering, analyzing exploit kits and malware to map and collect intelligence on the eco-system of the cyber criminal underground.

12.10 - 13.00 Lunch

13.00 - 13.45 Are you sure you are not bugged? Espionage at high tech level - UK

Most companies have their own trusted meeting rooms where you leave your phones and computers outside, but do you REALLY know who is still listening? Do you know it takes just a couple of minutes to set up total surveillance of your company (including your critical personnel), and monitor every step your company makes?


No, we are not talking about 'cyber' threats and vulnerabilities; we are talking about the modern art of high tech surveillance. We will demonstrate with live stage demos how your competitors, criminals, and others can, with little effort, control every step your company takes, know your classified and critical information, and trace every move you make.


Yes, you are right, we are talking about high-level espionage to tap your critical information, and control your organization with the latest high tech devices. If you think you are secure even when you leave all technical devices behind you and close all doors, think twice. We will show you how new and modern surveillance and espionage technology can tap your critical data behind closed doors, and leave you no place to hide. But don't worry, we will also show you some countermeasures to protect your critical data, your company and personnel.


This presentation will be held by Gavin. Gavin currently, in his role as Operations Director for Verrimus Ltd, delivers all Government and commercial Technical Surveillance Counter Measures (TSCM) and Counter Espionage services worldwide. Gavin has acted as the Senior Team Leader for many high profile TSCM operations, undertaking Government contracts, overseas and within the UK, and TSCM contracts for oil and gas companies, defence contractors, banking organisations, diplomatic staff and high risk individuals. Gavin also led the Verrimus Team that carried out the Technical Surveillance Counter Measures for the Olympic Delivery Authority (ODA) for the London 2012 Olympics.

14.00 - 14.45 Golden ticket to permanent domain admin privilege - Hungary

After compromising a Windows domain, an attacker is able to create a Ticket Granting Ticket (TGT) by using the krbtgt domain user's password hash to impersonate ANY domain user including the Domain Administrator(s). This ticket is valid for arbitrary time and can be renewed for more. This means full control over the domain for unlimited time, a perfect backdoor for the attackers. The audience can learn about Kerberos infrastructure, tickets and Windows privilege impersonation through this live demo presentation. It also covers mitigations: how to defend our domain against these kinds of attacks.


The presentation will be held by Balazs Bucsay. Balazs is an IT-Security expert and techie geek, who is mainly focusing on penetration testing. Currently he is working as an Ethical Hacking Engineer for the Vodafone Group Plc, helping to secure the network and services. He is also a well-known speaker in Hungary; he has given several talks on various advanced topics (PayPass, XSS worms, distributed password cracking) at different conferences and released several tools and papers about the latest techniques. He has multiple certifications (OSCE, OSCP, GIAC GPEN) related to penetration testing, exploit writing and other low-level topics and degrees in Mathematics and Computer Science.

15.00 - 15.45 How your stolen company data are sold - US

Over the last decade, data breaches of major retailers in the US have become common and led to the loss of millions of pieces of personal information and sensitive financial data. In the last year alone, there have been massive breaches of nationwide chain stores which would potentially place consumers at high risk of economic loss due to on-line fraud. Evidence increasingly demonstrates that data acquired through breaches are rapidly sold via on-line markets operating in forums and shops to prospective buyers around the world.


There is, however, generally little research exploring the ways that actors within these markets operate or the extent to which buyers and sellers profit from the sale and use of data. As a result, it is unclear how actors utilize risk reduction techniques in order to minimize the likelihood of financial losses and ensure successful transactions.


This study attempts to explore these issues using qualitative and quantitative analyses of a sample of threads from 13 Russian and English language forums involved in the sale of stolen data. This talk will consider the various forms of data sold, the pricing and profits accrued by market actors, and the techniques employed in order to facilitate successful exchanges between buyers and sellers. The policy implications of this study for consumers, law enforcement, and security personnel will be discussed in depth to provide improved mechanisms for the disruption and takedown of stolen data markets globally.


This presentation will be held by Dr. Thomas Holt. Dr. Thomas is an Associate Professor in the School of Criminal Justice at Michigan State University specializing in cybercrime, policing, and policy. He received his Ph.D. in Criminology and Criminal Justice from the University of Missouri-Saint Louis in 2005. He has published extensively on cybercrime and cyberterror with over 35 peer-reviewed articles in outlets such as Crime and Delinquency, Sexual Abuse, the Journal of Criminal Justice, Terrorism and Political Violence, and Deviant Behavior.


He has published multiple edited books, including Corporate Hacking and Technology-Driven Crime with coeditor Bernadette Schell (2011), Crime On-Line: Correlates, Causes and Context, now in its 2nd Edition, and is a co-author of Digital Crime and Digital Terror, 2nd edition (2010). He has also received multiple grants from the National Institute of Justice and the National Science Foundation to examine the social and technical drivers of Russian malware writers, data thieves, and hackers using on-line data.

16.00 - 16.45 Internet underground, the darksides of Internet - US

Tor, Darknets, Darkmarkets, and Bitcoin are all words that can conjure up images of clandestine meetings in back alleys, whispers in the night, and shady characters buying black market wares.


That's not what these technologies are about, well, they are a bit about that, but this talk will discuss what these technologies are, what they're used for, and why we need them. We'll discuss how you can use Tor to access Darknets and what to do and see once you're there. We'll talk about some of the seedier side of things, while ensuring we inform you about legitimate uses, and how to stay safe while you're looking around, or making purchases. And by the time you're done, we'll arm you with all the tools you need to get started doing your own Darknet research, and at the very least, you'll be entertained.


The presentation will be held by Grifter. Grifter is an Information Security Engineer and Researcher located in Salt Lake City, Utah, USA. He has spent over 15 years as a security professional focusing on vulnerability assessment, penetration testing, physical security, and incident response.


He is also a staff member of the Black Hat Security Briefings and DEF CON hacker conference. Grifter has spoken at numerous security conferences around the world, and has been the subject of various online, print, film, and television interviews. He has authored several books on information security, is a member of the DEF CON CFP Review Board and Black Hat Training Review Board, and remains active in his local hacker community as the founder of DC801, and co-founder of the 801 Labs hackerspace.

17.00 - 17.45 When "smart" isn't too clever - UK

Whether it's your smartphone being too smart when integrating new technologies like NFC, or your "smart" TV being too smart about decoding broadcast content, or your ID being too smart when letting you into your building, sometimes "smart" really means "dumb".


In this talk I will demonstrate some of the above issues, and show that when it comes to being smart, even huge companies with massive deployments can make some really dumb mistakes...


This presentation will be held by Adam Laurie. Adam is a security consultant working in the field of electronic communications, and a Director of Aperture Labs Ltd. He started in the computer industry in the late Seventies, working as a computer programmer on PDP-8 and other mini computers, and then on various Unix, Dos and CP/M based micro computers as they emerged in the Eighties. He was involved in various early open source projects, the most well known of which is probably 'Apache-SSL' which went on to become the de-facto standard secure web server.


Since the late Nineties he has focused his attention on security, and has been the author of various papers exposing flaws in Internet services and/or software, as well as pioneering the concept of re-using military data centres (housed in underground nuclear bunkers) as secure hosting facilities. Adam has been a senior member of staff at DEFCON since 1997, and also acted as a member of staff during the early years of the Black Hat Briefings, and is a member of the Bluetooth SIG Security Experts Group and speaks regularly on the international conference circuit on matters concerning Bluetooth security. He has also given presentations on forensics, magnetic stripe technology, InfraRed and RFID. He is the author and maintainer of the open source python RFID exploration library 'RFIDIOt', which can be found at http://rfidiot.org.

18.00 - 23.00 Social event

Here you have the opportunity to make contacts and get to know others. Light dinner, entertainment and more. The network provides dinner and more.

23.00 Doors are locked


Tuesday 3 February 2015

08.15 Doors open

09.00 - 09.45 How company information leaks through social media even if you take every possible security measure - Norway

Most of us use social media, such as Twitter, Facebook or LinkedIn. With new technological devices such as tablets and smartphones, and bring your own device, in combination with social media, the boundary between private life and work has more or less been erased. But what does it mean that we are on social media in this setting? What security challenges arise at the human level when social media is let into the organization? In this session we focus not so much on the technical level, but on the human level.


The talk will be given by Christian Brosstad. Christian is communications director at SpareBank 1 Gruppen, and was named "Årets ildsjel" at Social Media Days in 2014.


He is known for his rousing and unfiltered talks on the use of social media in business. "This is a person who has not only lifted his own company into the social world, but has set the standard for social media in all of Norway", wrote the jury when he was named Årets ildsjel at Social Media Days.


Christian works broadly within the communications field with an emphasis on PR, corporate social responsibility, press and media, corporate communications and social media. SpareBank 1 has also previously won the award for best social media platform at the Social Media Awards.

10.00 - 10.45 Hacking highly secured enterprise environments - Netherlands

In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario where you have deployed malware on a user's workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user's workstation.


I developed (and will publish) two tools that help you in these situations, for you to understand and secure your system better. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help you to circumvent the hardware firewall after you can execute code on the server with admin privileges (using a signed kernel driver). My tools have been tested against Windows Server 2012 and Windows 8, and they work with RDP or other remote desktops (e.g. Citrix). The number of problems you can solve with them is endless, e.g., communicating with a bind-shell on a webserver behind a restricted DMZ. Beware, live demo and fun included!


The presentation will be held by Zoltan. Zoltan (@zh4ck) is the Chief Technology Officer at MRG Effitas, a company focusing on AV testing. His main expertise areas are penetration testing, malware analysis, computer forensics and security monitoring. He released the Zombie browser tool, consisting of POC malicious browser extensions for Firefox, Chrome and Safari. He has been invited to present at information security conferences worldwide. He is a proud member of the gula.sh team, 2nd runner up at global Cyberlympics 2012 hacking competition.

11.00 - 11.45 Don't DDoS me my friend - Practical DDoS Defence - US

Layer 7 DDoS attacks have been on the rise since at least 2010, especially attacks that take down websites via resource exhaustion. Using various tools and techniques, it is possible to defend against these attacks on even a shoestring budget. This talk will analyze and discuss the tools, techniques, and technology behind protecting your website from these types of attacks. We will be covering attacks used against soldierx.com as well as attacks seen in Operation Ababil. Source code will be released for SOLDIERX's own DDoS monitoring system, RoboAmp.


The presentation will be held by Blake Self. Blake is most widely known for co-authoring the first commercial encrypted instant messenger with Dr. Cyrus Peikari while at VirusMD. He has also worked as a SIPRNET Administrator, Department of Defense Red Team Analyst, and R&D at various corporations. He has been attending Defcon since high school and has given several talks. He currently works in the financial sector and was directly involved in defending against the DDoS attacks of Operation Ababil. Blake holds an M.S. in Computer Science from Purdue University.

11.45 - 12.30 Lunch

12.30 - 12.50 Prize draw and more

12.50 - 13.50 How Open-source intelligence (OSINT) are used to chase you and your organization - Italy

In this presentation, we will show you how OSINT is used to gather information about you and your company. We will show you how you can be traced via social media, and why it is important to keep you and your company from leaking information, even if it is innocent information. We will show you how someone can easily gather tons of OSINT information and then attack you! In this session, we will go through:


1) OSINT, what it is and where it comes from,
2) Using the Domain Name System to get information,
3) Keyword Mining and the Smart use of Google,
4) The Investigative Dashboard, How to Get Companies Information Around the World,
5) How to use Twitter for investigations,
6) Inside Facebook Graph


The presentation will be held by Leo Reitano. Leo is founder and chairman of the Italian Association of Giornalismo Investigativo. An expert on personal digital security and Open Source Intelligence, he wrote “Esplorare Internet”, the first Italian handbook on Open Source Intelligence. As chairman of the organization he has organized several courses in investigative journalism, computer security, open source intelligence, use of confidential sources, and investigative techniques.


Along with other journalists he won the Best International Crime Report (BIOCR) for the investigation Toxic Europe: the first Italian Investigation made by using Open Source Intelligence Techniques.

14.05 - 14.50 Help, I'm moving to the cloud - here is everything you need to remember! - Norway

Many have predicted that 2015 will be the year of the cloud, as more and more organizations want to use cloud services. The presentation aims to give an overview of the precautions one should take before adopting cloud services, as well as an overview of the regulatory framework. We will also look at the transfer of data and the risks associated with cloud storage outside the EEA. The issues raised will largely be the same whether this concerns cloud services or traditional offshoring of services. The issues will be presented from a strategic standpoint, with a focus on assessing and handling different types of risk.


The presentation will be given by Eirik Andersen. Eirik works as a lawyer in Simonsen Vogt Wiig's Technology and Media department and is a resource in this field. He assists clients daily with negotiations and advice on technology agreements, outsourcing/offshoring agreements and cloud. Before his time at SVW, Eirik worked for 4 years as a legal advisor at NBIM, where he helped lead and negotiate several major technology agreements.

14.55 HackCon#10 ends

Wednesday and Thursday 4 - 5 February 2015

09.00 - 17.00 PostHackCon#10


1) Course I - Red Team
2) Course II - Blue Team