Schedule

  • Conference hall – Morning
    08:00 - 09:00
    Registration
    09:00 - 09:05
    Attila Marosi-Bauer - Opening ceremony
    09:05 - 09:45
    Sebastian Garcia & Veronica Valeros - Spy vs. Spy: A modern study of mic bugs operation and detection
    In 2015, artist Ai Weiwei was bugged in his home, presumably by government actors. This situation raised our awareness of the lack of research in our community about operating and detecting spying microphones. Our biggest concern was that most of the knowledge came from fictional movies. Therefore, we performed a deep study on the state of the art of microphone bugs, their characteristics, features and pitfalls. It included real-life experiments trying to bug ourselves and trying to detect the hidden mics. Given the lack of open detection tools, we developed a free software SDR-based program, called Salamandra, to detect and locate hidden microphones in a room. After more than 120 experiments we concluded that placing mics correctly and listening is not an easy task, but it has a huge payoff when it works. Also, most mics can be detected easily with the correct tools (with some exceptions on GSM mics). In our experiments the average time to locate the mics in a room was 15 minutes. Locating mics is the novel feature of Salamandra, which is released to the public with this work. We hope that our study raises awareness of the possibility of being bugged by a powerful actor and the countermeasure tools available for our protection.
    09:50 - 10:30
    Dávid Szili - The Metric System
    In this presentation, we will see why security metrics are important and how they relate to risk management, if there are "good" and "bad" metrics and how we can visualize them. We will take an overview of the current state and resources available to security metrics. Finally, we will also attempt to find the most vital security metrics that can indicate the effectiveness of the overall security program of an organization.
    10:30 - 10:50
    Coffee break (20 mins)
    10:50 - 11:30
    Zoltán L. Németh - How to exploit the DNSmasq vulnerabilities
    When a vulnerability is found, it is always an interesting question whether and how it can be exploited. In this talk we take the Dnsmasq <2.78 vulnerabilities [1] as examples, and show how some of the proof-of-concept codes published by Google [1] can be extended to real exploits which give the attacker reverse shell connections. During the course we also see how the main memory protection mechanisms like No-Execute bit (NX), Address Space Layout Randomization (ASLR) and Stack Canaries work. Furthermore, we discuss and (with the exception of the Stack Canaries) demonstrate how to bypass these protections in a 64-bit Linux environment.
    11:35 - 12:15
    Julien Thomas - In-App virtualization to bypass Android security mechanisms of unrooted devices
    In-App virtualization is becoming a popular subject on mobile platforms. This unique feature of Android and the like allows developers to build hundreds of virtualization-capable apps, with millions of users, to allegedly enhance privacy or offer multi-spaces. When considering the future of malware, it is generally admitted that In-App virtualization may weaken the security of (1) the host app and (2) the virtualized apps among themselves. Recent studies also show that host apps with malicious intent are a danger to virtualized apps. However, we believe that the danger of this technique is far greater for the whole Android ecosystem, as a non-maliciously payloaded (no requested permissions, no keylogging hooks, for instance) host and even a non-rooted device can attempt to deceive any app installed on the device. We will show in this talk how trivial it is to build a malware platform that relies on few if any permissions yet is capable of launching advanced, targeted and undetected attacks. Such attacks include stealing of user personal data, stealing of user on-line identity, eavesdropping on network connections, even if SSL secured, and live in-memory patching of the ART structures to redirect or proxify core Android methods.
    12:20 - 13:00
    Jose Pino & Jhonathan Espinosa - Trape: the evolution of phishing attacks
    Trape is a recognition tool that allows you to track people and make phishing attacks in real time; the information you can get is very detailed. The objective is to teach the world, through this, how the big Internet companies could monitor you, getting information beyond your IP, such as the sessions of your sites or Internet services.
  • Conference hall – Afternoon
    13:00 - 13:45
    Lunch break (45 mins)
    13:45 - 14:25
    Sebastian Garcia & František Střasák - Detecting malware even when it is encrypted
    With the increasing amount of malware HTTPS traffic, it is a challenge to discover new features and methods to detect malware without decrypting the traffic. Our research goal is to detect malware HTTPS connections using data from the Bro IDS logs, without needing to decrypt the traffic. Bro offers information about flows, SSL handshakes and X.509 certificates. These three types of data give us enough information to create powerful features and machine learning algorithms to detect the malicious HTTPS traffic with good accuracy. Our machine learning algorithm uses 40 different features. A core part of our research was the production and selection of correct datasets. We used 13 datasets from the CTU-13 malware dataset, 55 malware datasets from the Stratosphere Malware Capture Facility Project (done by Maria Jose Erquiaga) and we produced 20 of our own normal datasets. Our results show that malware HTTPS behaviour is distinct from normal HTTPS behaviour and that our methods are able to detect malware with good accuracy without decrypting the traffic.
    14:30 - 14:50
    Sándor Nemes - Spying on botnets
    This talk will give a quick overview of the methods of collecting threat intelligence data on various malware families and botnets. How is it possible to find out what different threat actors are currently up to and what countries they target? Security teams are always one step behind the bad guys, but through our work, we make sure to keep this step as small as possible.
    14:55 - 15:35
    Sándor Fehér - Let's dig in to the persistence mechanism world
    I would like to demonstrate how easy it is to find modern malware based solely on its persistence mechanism even if the AV ignores it. During my presentation I will show some live demos of active and infamous malware, focusing on their persistence. I would also like to show and publish a tool I have developed to query the different persistence mechanisms from a corporate environment, which makes it easy to filter out the odd one out.
    15:35 - 15:50
    Break (15 mins)
    15:50 - 16:30
    Tobias Schrödel - Hacking a teddy bear & buying passwords in the darknet
    This talk demonstrates how a smart teddy bear can be hacked to allow strangers to talk to kids through its BT connected speaker. See Freddy Bear performing live on stage! The second part of this presentation is an online-shopping of user credentials in the darknet. Have you (or your company) ever bought stolen user IDs or passwords? No? Why not? After this presentation you will - just to secure your business!
    16:35 - 17:15
    Dr. Ferenc Leitold & Dr. Attila Kiss - Assessment of users’ IT security awareness in light of the GDPR
    After a two-year implementation period, the General Data Protection Regulation – GDPR (Regulation (EU) 2016/679) – will be directly applicable in all Member States as of 25 May 2018. This new law aims to put individuals back in control of their personal data by strengthening the rights of data subjects and introducing a set of new obligations for all data processing bodies – including companies, NGOs and even most of the governmental sector. However, when focusing on the latest challenges, we can identify our own user as the weakest link of our IT systems, the main source of threats to IT security. Therefore, an integrated IT security tool nowadays must also include means of user behaviour and IT awareness analytics and management tools, such as monitoring services, risk assessment tools, or activities and trainings supporting security awareness. The application of these services and methods may support security, but meanwhile needs the collection, storage, analysis and in general processing of personal data of users, and has to be implemented in our systems in line with the requirements of GDPR. The presentation will show examples of the above-mentioned tools and applications available on the market, and discuss their weak spots and the challenges of their use from a legal aspect. Speakers will focus on the following issues:
    - Are users’ IT awareness assessment tools legally applicable after May 2018? What are the relevant new rules and basic principles of GDPR?
    - Are there legitimate goals or interests of data controllers to use behavioural or awareness analytical tools?
    - Is anonymization or pseudonymization of data collected a usable way to keep functions of users’ awareness assessment tools?
    - How to prepare your company for the lawful processing of the collected data under GDPR?
    17:20 - 17:25
    Attila Marosi-Bauer - Closing notes
  • Workshop room
    09:05 - 11:05
    Gábor Pék - Hands-on secure software development from design to deployment
    This workshop touches all the main phases of SDLC (i.e., design, development, code review, deployment) and gives hands-on experience for participants on how to integrate security into a given phase. The exercises are going to be solved on the avatao platform, which provides a wide range of technologies in terms of architecture, programming languages and software stacks.
    11:05 - 11:20
    Break (15 min)
    11:20 - 13:20
    Dániel Szpisják - XSS defense in-depth
    XSS is still one of the most dominant vulnerabilities of the web. Since its discovery, quite a few countermeasures have been invented. During this workshop, you will learn techniques to combat XSS. I will introduce you to the concept of defense in depth, also known as the castle approach. We will take a look at various defense mechanisms step-by-step, examining their pros and cons as well as their limitations. The hands-on part of the workshop is organized into modules. First, we will try to prevent the XSS payload from reaching the browser intact. Second, we will take a look at what to do if our attempts in the first step failed. Lastly, we will discuss how to combine these practices to achieve true defense in depth. The hands-on part of the workshop requires git, Docker, a text editor and a modern browser.
    13:20 - 13:35
    Break (15 min)
    13:35 - 15:35
    Dávid Szili & Éva Szilágyi - Introduction to Bro Network Security Monitor
    Bro is an open-source Network Security Monitor (NSM) and analytics platform. Even though it has been around since the mid 90's, its main user base was primarily universities, research labs and supercomputing centers. In the past few years, however, more and more security professionals in the industry turned their attention to this powerful tool, as it runs on commodity hardware, thus providing a low-cost alternative to commercial solutions. At its core, Bro inspects traffic and creates an extensive set of well-structured, tab-separated log files that record a network’s activity. Nonetheless, Bro is a lot more than just a traditional signature-based IDS. While it supports such standard functionality as well, Bro’s scripting language allows security analysts to perform arbitrary analysis tasks such as extracting files from sessions, detecting malware by interfacing with external sources, detecting brute-forcing, etc. It comes with a large set of pre-built standard libraries, just like Python. During this two-hour workshop, we will learn about Bro's capabilities and cover the following topics:
    - Introduction to Bro
    - Bro architecture
    - Bro events and logs
    - Bro signatures
    - Bro scripting
    - Bro and ELK
    15:35 - 15:50
    Break (15 min)
    15:50 - 17:35
    Zoltán Abonyi - BadUSB with Arduino
    Have you seen all the YouTube videos about LEDs blinking, motors turning and switches clicking but never tried Arduino yourself? This is the moment when you can sit down and begin your journey into embedded systems.