Security BSides Amsterdam 2017

Call for Presentations

Call for Presentations (CFP) - Talks List

Thank you all for submitting a talk to the conference. We had an overwhelming number of talks and a very challenging selection process. As this is our first attempt to run a Security BSides Amsterdam event, we had to start small, but we promise to add more tracks in the future.

Please see below the accepted talks list. The Track Schedule is available on a separate page.

Talk #1

Bots Combine! : Behind the Modern Botnet

by Andrea Scarfo, @AScarf0

Abstract: Botnets are part of the dynamic infrastructure seen in modern large-scale cyber attacks, spy networks, spamming, and the distribution of malware. Over the years, botnets have gained a global reach and this has enabled cyber criminals to make millions from exploiting their many targets. These targets can be private companies, government agencies and banking institutions, to name a few. We’ve also seen botnets used simply for destruction, in DDoS attacks. My research highlights how I, as a Security Analyst, see today’s botnets being used. Using the unique and massive view of DNS traffic that I have available for research, I’ll highlight how I analyze the infrastructure of the C2 domains that are being used to deliver malware and enlist systems into botnets. I’ll also analyze the tactics behind turning systems into bots and how we’ve seen these used, in particular, for delivering Hailstorm Spam. Additional listener takeaways: Why are botnets such a hard problem to solve? Why do botnets succeed? Why do we need to continue to research botnets?

Bio: I began my career with 12 years of Support and Sysadmin work. I was previously with Hewlett Packard and the Town of Danville, California. Security was always my passion. I began work for OpenDNS as a Security Analyst on the Security Research team in 2015. Now, I spend my days working to make the Internet a safer place by hunting attackers and malware.

Talk #2

V!4GR4: Cyber-Crime, Enlarged

by Ben Herzberg, @KernelXSS

Abstract: Trafficking of counterfeit pharmaceuticals is a massive industry, and it has been known for its persistent usage of different blackhat techniques in order to maintain its operation. A large part of those attempts are web application attacks, which are used in order to operate a huge network which generates substantial income for its operators. In this session we're going to introduce some of the main Methods of Operation for these groups, estimate the size of this operation, and explain why it matters. We will walk through real attack data to see some of the latest attacks generated by these organizations, and discuss how organizations can be better protected against those attacks.

Bio: Ben has years of experience in hacking stuff and writing code, and in his past was a red team leader and a technical leader as a CTO and research manager. Ben is the group manager of Imperva's research group, consisting of elite security researchers and developers, researching Application Security, Network Security, Data Analytics & Machine Learning.

Talk #3

I Boot when U-Boot

by Bernardo Maia Rodrigues and Vincent Ruijter, @bernardomr, @_evict

Abstract: Personal computer systems are now considerably more secure than embedded devices. Trusted Platform Module (TPM) and secure boot are readily available and even default in a lot of new desktop computers and laptops. Numerous small office and consumer devices, including routers and smart televisions, however, are lacking even the most basic security features. In this talk we will demonstrate and describe the inner workings of a custom-developed (Fully Weaponised IoT Cyber™) bootkit, which gains persistence on U-Boot based embedded devices, at a lower level than even the firmware. Firmware updates and factory resets usually do not interfere with the bootloader, as a small problem could render the device unusable for an end-user: the bootkit will therefore remain present. By including a properly functioning killswitch and a multi-boot-like technique, it is possible to switch between a regular and a backdoored image to thwart detection. Enterprises and ISPs must take this additional attack surface into account, and put effort into detecting and responding to this threat. Well-known security researchers have long advocated for easier ways to verify and demonstrate the integrity of hardware, but this comes at a price that vendors are not willing to pay for security. Recently, however, regulatory bodies have started to force vendors to lock down their wireless devices, in order to prevent them from operating outside of their certified frequencies. But, as we will demonstrate, these 'vendor lock-downs' are not sufficient to increase device security; they are just a minor inconvenience.

Bio: Bernardo Maia Rodrigues (Brazil): Bernardo works as an Ethical Hacker for KPN's (Royal Dutch Telecom) REDteam. He enjoys hacking (and bricking) embedded devices including routers, modems and TVs. He has presented on security topics at the NullByte Conference, the null Amsterdam chapter and local venues. He frequently participates in CTFs with TheGoonies and is famous for not using buzzwords like IoT, APT and Cyber in his bio.
Vincent Ruijter (Netherlands): Pacifistic Internetveapon @ KPN's (Royal Dutch Telco) REDteam, who thinks he knows Linux. Moderator @ null Amsterdam chapter, with an endless curiosity for all things binary. Knows how to quit Vi ^[ESC!wqwq:wq!

Talk #4

Demystifying the Ransomware and IoT Threat

by Christopher Elisan, @Tophs

Abstract: We have seen a rise in Ransomware attacks in the past year. While we were recovering from these attacks, a new wave of DDoS attacks using IoT devices was suddenly thrust into the limelight. In this talk, I will discuss all the stages of a ransomware attack: how it works and how a researcher can handle each of the stages with tried and true analysis techniques. I will then shed light on how IoT devices are used in DDoS attacks by discussing how the malware used in the latest IoT DDoS attack works and how it can be manipulated for future attacks. Then I will discuss how a combination of Ransomware and IoT attacks can be a bigger threat in years to come.

Bio: Christopher Elisan is a seasoned reverse engineer and malware researcher. He is currently the Principal Malware Scientist at RSA. He has a long history of digital threat and malware expertise, reversing, research and product development. He started his career at Trend Micro as one of the pioneers of TrendLabs. This is where he honed his skills in malware reversing. After Trend Micro, he built and established F-Secure's Asia R&D where he spearheaded multiple projects that include vulnerability discovery, web security, and mobile security. After F-Secure, he joined Damballa as their resident malware SME and reverse engineer. Aside from speaking at various conferences around the world, he frequently provides expert opinion about malware, botnets and APTs for leading industry and mainstream publications. Christopher Elisan is also a published author. He authored "Advanced Malware Analysis," "Malware, Rootkits and Botnets" and co-authored "Hacking Exposed: Malware and Rootkits." All books are published by McGraw-Hill.

Talk #5

Automating security with PowerShell

by Jaap Brasser, @Jaap_Brasser

Abstract: There is no doubt that security has been in the spotlight over the last few years; recent events have been responsible for the increased demand for better and more secure systems. Security was often treated as an afterthought or something that could be implemented ‘later’. In this session, we will go over some best practices, using existing tools and frameworks to help you set up a more secure environment and to get a grasp of what is happening in your environment. We will leverage your existing automation skills to secure and automate these workflows. Expect a session with a lot of demos and resources that can be implemented directly.

Bio: Jaap Brasser is a Cloud and Automation Engineer and PowerShell MVP with a big passion for scripting and automation. As an IT professional Jaap is part of several professional communities, speaks at technical events and writes articles on a variety of subjects on his personal blog and other websites or magazines. As an active member of the PowerShell community he supports users by providing answers in forums, blogs about PowerShell and creates and shares PowerShell modules and functions.

Talk #6

To click or not to click, or how to build awareness about behavior online

by Jelena Milosevic, @_j3lena_

Abstract: One of the largest problems we face in and about cyber security is human error. Many investigations have found that internal data breaches account for as much as 81.6% (investigation by Verizon). This shows how important it is to make employees at hospitals/companies aware of the importance of both good cyber security and their good and sensible behavior online at the workplace. I will explain how we can get employees to be open to, and want to learn more about, good behavior online. Basic training with a few rules from and for the IT department will bring awareness to a higher level, so we can eliminate the ability of bad and average criminal hackers to harm the company and everyone in it.

Bio: My name is Jelena Milosevic, an extremely curious nurse, in love with math and tech (believe it or not), finding correlations between subjects that most people don't see. I can be proud that, because of my curiosity, willingness to learn and my activity, I became part of the I Am The Cavalry group (@iamthecavalry) and belong to the network of Women in Cyber Security (WICS, @WomenInCyber).

Talk #7

To pin or not to pin: an introduction into SSL pinning for Android & iOS

by Jeroen Willemsen, @commjoenie

Abstract: Should you pin? And if so: on what? On the certificate? On the public key? Should you follow HTTP Public Key Pinning? And to which certificate: leaf, intermediate or root? And how can you easily do this on Android and iOS? In this talk we will briefly go through the highlights of pinning on mobile and, if you do it, how you can best apply it.

Bio: Jeroen Willemsen is a security architect with a passion for mobile and risk management. He loves to work on secure building blocks, security automation pipelines and embedding information security risk management controls in an agile environment. He is dedicated to helping developers, product owners and architects take security seriously in their daily development life (but not too seriously, of course ;-)).

Talk #8

The hidden horrors that 3 years of global red-teaming have revealed to me

by Jos van der Peet, @Voske1985

Abstract: My last 3 years of global red-teaming in small and large organisations have shown me that there still are a lot of misconceptions about security. We all know the ‘onion’ model for layered security. While useful for the ‘defence in depth’ principle, this talk will show that in reality, rather than an onion, security is more like a pyramid. The base is the hardware people work on (laptops etc.) and the top is your business applications. In between is everything else: operating system, network components, proxies, shares, servers and their software stack. Like any high-rise structure, the top cannot be secure if the base is not secure. Defence in depth matters, but it can be quite trivial for attackers to sidestep certain controls to get to the data they want. Just securing your ‘crown jewels’ is insufficient. This talk will revolve around how we have defeated security controls on various levels, ranging from the systems your end-users work on, all the way through to 2FA and 4-eye principles on critical business assets. It will talk about common misconceptions which lull companies into a false sense of security, while making life far too easy for attackers: for example the fallacy of focusing security efforts only/mostly on ‘crown jewels’, and how misunderstanding why certain controls are put in place jeopardizes corporate and client data. The talk will be supported by real-life examples.

Bio: I’m an ‘ethical hacker’ with over 10 years of experience in IT: analysing systems, building systems, performing code reviews, architecture reviews and application and infrastructure testing. In the last years, Jos has been using his experience in all these fields to perform ‘Red Team’ exercises (including physical intrusion, phishing exercises and network exploitation) for small and large companies all around the world, helping them identify weaknesses and improve their overall security posture. I am especially concerned with helping companies embrace ‘security’ as an enabler to confidently bring new offerings to market, rather than trying to work around the security ‘department-of-no’.

Talk #9

Behavioral Analysis using DNS, Network Traffic and Logs

by Josh Pyorre, @joshpyorre

Abstract: Multiple methods exist for detecting malicious activity in a network, including intrusion detection, anti-virus, and log analysis. However, the majority of these use signatures, looking for already known events and they typically require some level of human intervention and maintenance. Using behavioral analysis methods, it may be possible to observe and create a baseline of average behavior on a network, enabling intelligent notification of anomalous activity. This talk will demonstrate methods of performing this activity in different environments. Attendees will learn new methods which they can apply to further monitor and secure their networks.

Bio: Josh is a security researcher with OpenDNS/Cisco Umbrella. He's worked as a threat analyst at NASA, where he was part of the team that built the NASA Security Operations Center. He has also done some time at Mandiant. His professional interests involve network, computer and data security with a goal of maintaining and improving the security of as many systems and networks as possible. Josh has presented at Defcon, BSides Austin, Chicago, San Francisco, Los Angeles and Vienna, Source Boston, Source Seattle, Derbycon, InfoSecurity World, DeepSec Vienna and Qbit Prague. He hosts a podcast.

Talk #10

What if we really assumed breach?

by Kevin Jonkers, @gillroy

Abstract: Every large organization that takes security seriously is supposedly doing it: “assume breach”. By working under the assumption that an attacker will at some point bypass your perimeter defenses, you approach IT security in a different way. You perform regular hunts, continuously improve detection, perform war games, etc. But are we really treating our security as we say we are? In this talk, I will show where most organizations fail to actually uphold the assumption of an impending compromise. By accepting limitations in scope, effort and data sources involved, security teams are often severely hampered in their efforts. How can we improve this by looking at real world incidents and learning from the challenges we face in incident response situations? By gaining visibility on your strong and weak areas, I will show that a lot more can be done than is often thought.

Bio: Kevin is a senior manager within the Cyber Risk Services team of Deloitte Risk Advisory, with over 8 years of experience in IT security. Before joining Deloitte in 2017, Kevin was responsible for Fox-IT’s forensics and incident response team. Prior to that he worked as a Forensics Expert and Incident Handler for Fox-IT and the Dutch Police. In this capacity he gained extensive experience in helping clients deal with serious cyberattacks and forensic investigations. Kevin holds a master's degree in forensic science from the University of Amsterdam and is a registered expert witness in the Netherlands.

Talk #11

I Thought I Saw a |-|4><0.-

by Thomas Fischer, @FVT

Abstract: Threat Hunting refers to proactively and iteratively searching through networks or datasets to detect and respond to advanced threats that evade traditional rule- or signature-based security solutions. But what does that really mean? And what real impact does it have on the security team? Threat hunting looks at a mountain of security data already being produced daily by traditional monitoring solutions such as netflow data, firewall events and logs. Now include endpoint data and the events to review explode exponentially. The claim, from various vendors, is that the additional data provides greater visibility, but for whom? Traditional incident detection doesn't necessarily take endpoint events into consideration. Building a threat hunting activity scoped to start with endpoint data can significantly change the game. This talk is a journey through my experience diving into threat hunting and will cover the principles of threat hunting as a foundation, examine the challenges of working with the large datasets that can be generated by endpoint data, and analyse some of the tools claiming to ease this burden.

Bio: With over 25 years of experience, I have a unique view on security in the enterprise, with experience in multiple domains from risk management and secure development to incident response and forensics. In my career, I've held varying roles from incident responder to security architect for Fortune 500 companies as well as industry vendors and consulting organizations. Currently I play a lead role in advising customers while investigating malicious activity and analyzing threats for Digital Guardian. I am also a strong advocate of knowledge sharing and mentoring through active participation in the infosec community, not only as a member but also as director of Security BSides London and ISSA UK chapter board member.

Talk #12

Requiem For An Admin

by Walter Legowski, @SadProcessor

Abstract: Orchestrating BloodHound and Empire for Automated AD Post-Exploitation. Lateral Movement and Privilege Escalation are two of the main steps in the Active Directory attacker kill chain. Applying the 'assume breach' mentality, more and more companies are asking for red-teaming type assessments, and security researchers have therefore developed a wide range of open-source tools to assist them during these engagements. Out of these, two have quickly gained a solid reputation: PowerShell Empire and BloodHound (both by @Harmj0y & ex-ATD Crew). In this session, I will be presenting DogStrike, a new tool (PowerShell modules) made to interface Empire & BloodHound, allowing penetration testers to merge their Empire infrastructure into the BloodHound graph database. Doing so allows the operator to request a BloodHound path that is 'Agent Aware', and makes it possible to automate the entire kill chain, from initial foothold to DA, or any desired part of an attacker's routine. The presentation will be demo-driven. Code for the module will be made public after the presentation. Automation of Active Directory post-exploitation is going to happen sooner than you might think. (Other tools are being released with the same goal*.) Is it a good thing? Is it a bad thing? If I do not run out of time, I would like to finish the presentation by opening the discussion with the audience and seeing what the consequences of automated post-exploitation could mean, from the red, the blue or any other point of view... *: DeathStar by @Byt3Bl33d3r | GoFetch by @TalTheMaor

Bio: Mixing stuff, using tools, and sharing is what I like. So I DJ and cook. But that wouldn’t get me into a security conference, so I decided to work in IT. I have had a path of my own, from system trainer in the airline industry to deployment technician, from pentest monkey to Windows automation engineer. I have therefore seen just enough to grow a solid n00b interest in corporate security. Since I like Windows (sue me!) I love PowerShell... So I decided to mix all this into a tool, learn a few things on the way, and share the result with you, in my hometown Amsterdam.

Workshop #1
(1 hour)

Building Secure Software with OWASP

by Martin Knobloch, @knoblochmartin

Abstract: This presentation is about the tools and guides OWASP offers to developers to increase security in their software development. From making security requirements explicit and visual, through secure development tooling, to verification of the security, OWASP has a lot to offer. This presentation gives you a heads-up on what OWASP does offer, for free!

Bio: Martin is an independent security consultant at Xebia. His main working area is (software) security in general, from awareness to implementation. In his daily work, he is responsible for education in application security matters, and for advice on and implementation of application security measures. With his background in Java development, he understands the complexity of enterprise software development, Agile Scrum environments and continuous delivery / deployment. For OWASP, Martin has been the OWASP Netherlands Chapter Leader since 2007 and a member of the OWASP Foundation Board of Directors since June 2017. He has led and supported various OWASP projects and (co-)organized various national and international OWASP conferences.

Workshop #2
(4 hours)

WebGoat CTF workshop

by Nanne Baars, @OWASP_WebGoat

Abstract: In the world of application security a 'Capture the Flag' event is a competition where contestants race to complete hacking challenges. A server is set up that is knowingly vulnerable, and teams try to hack the system as quickly as they can and 'grab the flag' first.
 • In Part 1 of this session we introduce everyone to the world of 'Capture the Flag' (CtF) competitions, how to hack the server and complete the challenges, and some other skills.
 • In Part 2, everyone will get their laptops out and compete in a real CtF competition. During the workshop we will also focus on some of the challenges to give more background information about the vulnerability at hand and show some mitigations.

Bio: Nanne works as a security consultant & developer at JDriven and is one of the primary developers of WebGoat.
