Alexander Ermolov - Independent Security Researcher

Dino Dai Zovi - Staff Security Engineer, Square

Elie Bursztein & Daniela Oliveira - Google & University of Florida

Fermin Serna - Chief Security Officer, Semmle

H2HC University: Lucas Ferreira - System Administrator, CTBTO

H2HC University: Thais Hamasaki & Gustavo Scotti - Security Researchers, Intel STORM

Inbar Raz & Raziel Einhorn - Security Researchers

Marek Zmyslowski - Security Researcher, Cycura

Marion Marschalek - Security Researcher, Intel STORM

Matias Soler - Senior Security Researcher, Intel STORM

Nikita Tarakanov - Independent Information Security Researcher

Nina Alli - Executive Director, Biohacking Village

Veronica Valeros - Researcher and Intelligence analyst



  Bypassing a hardware based trusted boot through x86 CPU microcode downgrade
 Alexander Ermolov
  It is widely known that Intel CPU microcode is hardcoded into the CPU ROM and, for security reasons, should be updated every time the CPU is powered on, including when waking up from Sleep/Hibernation states. This is usually done by a microcode loader in the UEFI BIOS. I've discovered a vulnerability in this loader which allows tricking it into downgrading the CPU microcode.

One of the obvious consequences of this attack vector is removing fixes (implemented in microcode) for vulnerabilities like Spectre var2. However, I've found out that older versions of microcode allow loading older versions of Intel ACMs (Authenticated Code Modules).

ACMs are special code modules developed (and signed) by Intel to support some Intel security technologies, such as Intel Boot Guard, Intel BIOS Guard, Intel TXT and Intel SGX. "Supporting" means serving as a Root of Trust. These modules are loaded into the CPU L3 cache (sometimes called AC RAM) and executed from there. Like any other code, ACMs can be updated/fixed, and for security reasons running a downgraded version of an ACM is not permitted. This is enforced by the microcode and, as mentioned above, an old version of the microcode loads an old (associated) version of an ACM.

This opens up an opportunity to exploit already-patched vulnerabilities in ACMs, affecting the technologies they support, which in turn leads to bypassing hardware-based trusted/measured boot.

In this talk I'm going to show exactly how this could be done on a real platform protected by Intel TXT and Intel BIOS Guard.
  Independent Security Researcher



 Dino Dai Zovi
  Dino Dai Zovi is an information security industry veteran and entrepreneur. Dino is also a regular speaker at information security conferences, having presented his independent research at conferences around the world including DEFCON, BlackHat, and CanSecWest. He is a co-author of the books "The iOS Hacker's Handbook" (Wiley, 2012), "The Mac Hacker's Handbook" (Wiley, 2009) and "The Art of Software Security Testing" (Addison-Wesley, 2006). He is best known in the information security community for winning the first PWN2OWN contest at CanSecWest 2007.



  Analyzing phishing campaigns targeting Gmail users
 Elie Bursztein & Daniela Oliveira
  With over 1.4 billion active users and millions of companies entrusting it to handle their email, Gmail has a unique vantage point on how phishing groups operate. In this talk we use Gmail telemetry to illuminate the differences between phishing groups in terms of tactics and targets. Then, leveraging insights from the cognitive and neuroscience fields on users' susceptibility and decision-making, we discuss how users from different demographic groups fall for phishing differently and how those insights can be used to improve phishing protections.
  Elie Bursztein leads Google's security & anti-abuse research, which helps protect users against Internet threats. His research focuses on advancing the state of applied cryptography, machine learning for fraud and abuse, at-risk user protection, and web security. He is the author of 60+ scholarly publications, for which he received 6 best paper awards. Elie has given over 20 talks at leading industry conferences and received multiple industry awards, including the Black Hat Pwnie award. He was invited to give over 20 guest lectures at numerous universities including Stanford, Berkeley and Tsing Hua. Elie's work is regularly covered by major news outlets including the Wall Street Journal, CBS, Forbes, Wired, the Huffington Post and CNN. Elie is a beret aficionado, tweets at @elie, and performs magic tricks in his spare time. Born in Paris, he received a Ph.D. from ENS Cachan in 2008 before working at Stanford University and ultimately joining Google in 2011. He now lives with his wife in Mountain View, California.

Dr. Daniela Oliveira is the IoT Term Associate Professor in the Department of Electrical and Computer Engineering at the University of Florida. She received her PhD in Computer Science from the University of California at Davis. Her current research interests include understanding and addressing cyber deception and phishing in an interdisciplinary fashion. She received a National Science Foundation CAREER Award in 2012, a Presidential Early Career Award for Scientists and Engineers (PECASE) from President Obama, and the 2017 Google Security, Privacy and Anti-Abuse Award. Daniela is an experienced public speaker, having given talks at the National Academy of Sciences (Distinctive Voices Program), the USENIX ENIGMA Conference, TEDx, and at many universities. She is a National Academy of Sciences Kavli Fellow and a National Academy of Engineers Frontiers of Engineering Symposium alumna. Her research has been sponsored by the National Science Foundation (NSF), the Defense Advanced Research Projects Agency (DARPA), the National Institutes of Health (NIH), the MIT Lincoln Laboratory, and Google. She was born and raised in Brazil, and in her spare time she loves going to Disney World with her husband Marcio and her 10-year-old daughter Brooke. She is a dog lover and has a two-year-old German Shepherd, Wagner.



 Fermin Serna
  Fermin J. Serna is a Computer Science Engineer who graduated from Madrid's prestigious UCM and is currently working as Chief Security Officer at Semmle, responsible for protecting corporate assets as well as running the security research team focused on open source security.

Prior to Semmle he served as Head of Product Security at Google for almost 8 years, where he built, ran and oversaw the application security program for Google products. Fermin has also worked at Microsoft on the MSRC Engineering team, where he envisioned and built the industry-recognized EMET tool. Fermin also served as CTO and co-founder of NGSEC and S21SEC in Spain.

Fermin has found, been credited for and published multiple security vulnerabilities in software developed by Microsoft, Google, Adobe, Oracle and open source projects (dnsmasq, glibc, ...). Because of this Fermin has been recognized with multiple awards, including a RootedCon lifetime achievement award and two Pwnie award nominations, one of them a win, for Best Client-Side Bug in 2016. Fermin is also a regular speaker at security conferences such as BlackHat, Syscan, Bluehat, H2HC, RootedCon, DeepSec, Source, Summercon, ...



  How to detect an atomic bomb?
 H2HC University: Lucas Ferreira
  This talk will present the CTBT (Comprehensive Nuclear-Test-Ban Treaty), focusing on the technologies used to implement its International Monitoring System, which collects data to detect nuclear weapon explosions around the world. The presentation will focus on the technologies used in the sensors and in the data analysis. Other uses of the collected data (monitoring of marine mammals, weather forecasting, tsunami warnings, tracking of radioactive leaks, etc.) will also be covered.
  Lucas C. Ferreira is a system administrator with a few (just a few :) grey hairs who has worked at large and small companies, always focused on system administration and information security. He is currently the leader of the Unix and Linux system administration team at the CTBTO, whose mission is to keep the nuclear explosion monitoring systems "up-and-running". Lucas is also a member of OWASP, where he holds the position of Vienna (Austria) Chapter Leader.



  Dissecting a Linux kernel exploit
 H2HC University: Thais Hamasaki & Gustavo Scotti
  In this talk we will give an insight into Linux kernel exploitation, starting from a CVE report already discussed on https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part1.html.

We encourage you to read the blog post prior to the talk. Don't miss the opportunity to ask direct questions about this vulnerability and the techniques used to write kernel mode exploits. We are going to give examples of writing bypasses and debugging techniques to help you in the development of your own exploit.

Since examples of exploit code are interesting but do not really show the complexity of the actual development process, our focus will be to walk through the complexity of taking advantage of a vulnerability report to write a real-life (and working!) exploit.
  Thaís Moreira Hamasaki is a security researcher at Intel STORM (STrategic Offensive Research & Mitigations Team). Prior to that, she worked as a malware researcher @F-Secure, with a focus on static analysis, reverse engineering and logical programming. Thaís started her career within the anti-virus industry working on data and malware analysis, where she developed her knowledge of threat protection systems. She won the "best rookie speaker" award from BSides London for her very first talk, "Using SMT solvers to deobfuscate malware binaries". Recent research topics include binary deobfuscation, generic unpacking and static analysis automation. She is an active member of the Düsseldorf Hackerspace, where she also leads the groups for Reverse Engineering and x86 Assembly. In her free time, you can find Thaís building tools, cooking or climbing somewhere offline.

Gustavo Scotti, a.k.a. csh, is one of those guys whose curiosity drives his life. If I am not learning new stuff, experimenting with dangerous things, or living life to its fullest, csh is a dull boy. I am an enthusiast of mechanical engineering, electrical engineering, computer engineering, physics engineering, and music engineering. To fund my hyperactive mind, I work as a Security Researcher at Intel Corporation, hacking cool stuff at the lowest level you could imagine. Known for some exploits and the axur05 e-zine; reverse engineered the PS2, wrote some rootkits, sniffers, and some other stuff.



  Under Pressure: Real world damage with TPMS spoofing
 Inbar Raz & Raziel Einhorn
  Modern vehicles are equipped with a Tire Pressure Monitoring System (TPMS), a system that alerts the driver when the tire pressure is inappropriate. TPMS broadcasts an unencrypted data stream at known frequencies and has already attracted the attention of security researchers, who demonstrated the ability to spoof the transmission and cause an alert.

However, while previous research concluded that the worst case scenario would be forcing the driver to pull over to inspect the vehicle, thereby facilitating some other illicit activities such as robbing or kidnapping, we will demonstrate an attack scenario that could quite possibly cause physical harm and, in extreme cases, maybe even loss of lives.

In this talk we will quickly go over the TPMS, show how to research it using Software Defined Radio and reach spoofing capabilities, and end by showing a proof of concept for our attack scenario. We will also include a "Fuckup" section where we will show you how we failed during the research and what we've learned.
  Inbar has been teaching and lecturing about Internet Security and Reverse Engineering for nearly as long as he has been doing it himself, since the age of 9 on his Dragon 64. He spent most of his career in the Internet and Data Security field, and the only reason he's not in jail right now is because he chose the right side of the law at an early age.

Inbar specializes in an outside-the-box approach to analyzing security and finding vulnerabilities, using his extensive experience of over 25 years at the IDF, Check Point, PerimeterX, and nowadays Argus Cyber Security, protecting the automotive domain from hackers.

Raziel has been working in the areas of Wireless Communication and Electronic Warfare for more than 10 years. Fascinated by the possibilities that lie in cyberspace, he's looking for ways to use tools and knowledge from the RF world in order to discover new attack surfaces and vectors. Nowadays Raziel is working at Argus Cyber Security, protecting the automotive domain from hackers.



  Crash Analyzing with Reverse Tainting (Powered By Taintgrind)
 Marek Zmyslowski
  In recent years, fuzzing has become a popular and powerful method for vulnerability research. There are dozens of free and open frameworks available, with new ones arriving each month, but fuzzing itself is only part of the equation. Another part is triaging, or how to find only the relevant crashes when a fuzzer might find hundreds or even thousands of them. Often, these are sorted and binned based on the artefacts around the crash itself, but this is both naive and superficial. In this talk, we will cover the use of taint analysis via "reverse tainting" as a potent alternative.

This presentation will show how reverse tainting can be used as part of crash analysis. The audience will see how it can give an easy answer as to the reasons for a crash based on its inputs rather than its effects. File formats are structured and contain different fields. With reverse taint, it is easy to find the connection between a crash and the particular field in the structure, which can be very helpful for the subsequent analysis of why the crash occurred.
  Currently a Security Researcher @ Cycura, where he is responsible for different aspects of fuzzing services and vulnerability research. In the security industry for more than 12 years, with experience in the areas of penetration testing, reverse engineering and vulnerability finding.



  Oh memset, where did you go?
 Marion Marschalek
  A compiler's code optimization is a scary beast. It tends to take over the thinking for a developer, kneads the input source into much smaller, faster and more elegant output code, and in general happens to be very good at that too. A big help in this undertaking are so-called compiler built-ins and intrinsics, which, as it turns out, are essential to study should one be interested in how compilers "disappear" function calls.

A common favorite to study is libc's memset function, which is known to occasionally fall victim to compiler optimization. Dead store elimination tends to think erasing content from memory is rather useless; we security folks disagree. By looking closer at how the compiler uses built-in functions, applies code inlining and chooses between a call and inlining, we can learn a lot about its impact on security and potential ways for attackers to abuse this compiler behavior.
  Marion Marschalek is a former Malware Analyst and Reverse Engineer who recently started work at Intel in order to conquer the field of low-level security research, where she nowadays spends an unusual amount of time looking at compiler source code. She has spoken at all the conferences and such, and seen all the things, and is one of the happiest hackers out there. She also runs a free reverse engineering bootcamp for women, because the world needs more researcherettes.



  Trashing like it is 1999: Unsolicited forensics on GPS trackers
 Matias Soler
  Hidden in a dark corner, on the bottom shelf of a huge rack full of old industrial cooking equipment, luminaires, and other weird objects, a bucket full of secrets was waiting to be found. Who would have imagined that what was once destined to die as landfill would end up revealing the secrets of one of the biggest food distribution networks in Argentina?

Join me on this journey of discovery, guided by the will to unveil the secrets hidden in these devices, a journey that will make you think: what else are we ignoring that leaves scary details of our lives/companies dumped in the trash?

During this talk I will walk you through the process I followed, from doing an initial assessment and analyzing the potential threat vectors, to trying and failing multiple times, then failing again, until in the end simplicity was the key. While we travel this path together, I will talk about embedded MCU protections, bypasses, dumping flash from corroded devices, and how to interpret the data.
  Matias Soler is a Senior Security Researcher at the Intel STORM team. Prior to that he worked for nine years at Immunity Inc, where he performed different tasks such as exploit development, reverse engineering, security research, and consulting. He has also taught trainings on binary and web exploitation. Matias has experience in both offensive and defensive areas within the information security field. He has previously presented at several international conferences such as Ekoparty, BlackHat Briefings and Infiltrate.



  Fertilising SnapDragons? Microsoft Windows on ARM
 Nikita Tarakanov
  Microsoft Windows has been out for quite a while, but WoA (Windows on ARM64) is quite a fresh beast. Several laptop makers have made laptops that have a SnapDragon SoC and run the Windows ARM64 Edition. The first generation of those laptops is based on the SnapDragon 835 SoC; the second (and current) generation is based on the SnapDragon 850 SoC. This talk is about vulnerability discovery and exploitation of various components: of Windows on ARM64 itself and of different parts of the SnapDragon SoC.
  Nikita Tarakanov is an independent information security researcher. He has worked as an IS researcher at Intel Corporation, Positive Technologies, Vupen Security and CISS. He likes writing exploits, especially for the Windows NT Kernel. He won the PHDays Hack2Own contest in 2011 and 2012. Nikita has published several papers about kernel mode drivers and their exploitation. He is currently engaged in reverse engineering research and vulnerability search automation.



  Gamification Will Lead to Better Medical Device Resilience
 Nina Alli
  Gamers don't usually start their games by reading the manufacturer's directions (amirite?) for the how-to's of a game; we just get in there and figure it out. Hackers use the same practice when getting into a system: learn and break by doing. This talk will go through what the medical device manufacturer community can learn from gaming to better secure their devices.
  Nina is the Executive Director of the Biohacking Village, bringing together security researchers, medical device manufacturers, citizen scientists, and hands-on labs to share findings, discover vulnerabilities and existing solutions, unmet needs, opportunities, and the market and path to commercialization. Nina is currently working on a multi-industry cybersecurity resilience model that includes an operating model, plan impacts, and linkages to industry frameworks to implement best practices and integration for improved operating and defensive alignment, with increased literacy for patients, medical device manufacturers, legal and federal governance, and sustainability.

Nina is a guru of trivial knowledge and an RPG fan, especially the ass-kicking games. For exercise, she runs from rabid dogs, wrestles alligators while simultaneously participating in eating contests, and runs for public office. For fun, she drives with her eyes open, plays hopscotch in the rain, races big wheels, has staring contests with wolverines, and passes out band-aids to gunshot victims. Her favorite word is "interesting", since it has multiple meanings and all appear positive on the surface.



  Machete: 9 Years of Cyber Espionage Operations in Latin America
 Veronica Valeros
  Since early 2011, a threat actor has been conducting espionage operations in Latin America using an espionage tool known as Machete or Ragua. In this talk we will present the analysis of Machete based on the collection, reverse engineering, and analysis of more than a hundred Machete samples from 2011 to 2019. The large corpus of samples allowed us to study changes in its features and to map the gradual evolution of Machete from its creation until today. Our talk will focus on the technical aspects of this malware and the analysis of the decoy documents used in the spear phishing campaigns. Finally, we will discuss how Machete managed to stay operational to this day.
  Veronica is a researcher and intelligence analyst from Argentina. Her research has a strong focus on helping people and involves different areas, from wireless and Bluetooth privacy issues to malware, botnets and intrusion analysis. She has presented her research at international conferences such as BlackHat, EkoParty, Botconf and others. She is the co-founder of the MatesLab hackerspace based in Argentina, and co-founder of the Independent Fund for Women in Tech. She is currently the director of the CivilSphere project at the Czech Technical University, dedicated to protecting civil organizations and individuals from targeted attacks.