Keynote. Complexity Kills - Why Adding Layers of Security Doesn’t Solve Much
Abstract. Many of the technologies (e.g., email or the Web) we use today were designed decades ago. Over the years, several additions have been made to these technologies to add security, be it in the form of transport encryption or security mechanisms supported by major browsers. However, the overwhelming evidence suggests that the addition of these mechanisms is only beneficial for a tiny fraction of affected operators. Indeed, merely adding security mechanisms leads to confusion about threat models and misunderstandings about the mechanisms. In this keynote, I'll underline this statement and identify what I believe are key issues to overcome to secure both the email and Web ecosystems.
Biography. Ben Stock is a tenured faculty member at the CISPA Helmholtz Center for Information Security in Saarbrücken, Germany. Ben leads the Secure Web Application Group at CISPA, and his research focuses on various aspects of Web and network security, with a recent focus in particular on (un)usability of security mechanisms.
His group regularly publishes at all major security conferences and Ben serves on the PC and in chair roles for various security conferences.
Beyond the focus on academic output, together with his students, he regularly aims to bridge the gap between scientists and practitioners through talks at non-academic conferences like OWASP AppSec or RuhrSec.
@kcotsneb
Talk. Terrapin Attack: Breaking SSH Channel Integrity by Sequence Number Manipulation
Abstract. TBA
Biography. TBA
Talk. SQL Injection Isn’t Dead: Smuggling Queries at the Protocol Level
Abstract. SQL injections seem to be a solved problem; databases even have built-in support for prepared statements, leaving no room for injections. In this session, we will go a level deeper: instead of attacking the query syntax, we will explore smuggling attacks against database wire protocols, through which remote, unauthenticated attackers can inject entire (No)SQL statements into an application's database connection.
Using vulnerable database driver libraries as case studies, we will bring the concept of HTTP request smuggling to binary protocols. By corrupting the boundaries between protocol messages, we desynchronize an application and its database, allowing the insertion of malicious messages that lead to authentication bypasses, data leakage, and remote code execution.
Biography. Paul Gerste is a vulnerability researcher on Sonar's R&D team. He has a proven talent for finding security issues, demonstrated by his two successful Pwn2Own participations and discoveries in popular applications like Proton Mail, Visual Studio Code, and Rocket.Chat. When Paul is not at work, he enjoys playing and organizing CTFs with team FluxFingers.
@pspaul95
@pspaul@infosec.exchange
Talk. Red Team Operations in OT: A Peek Behind the Curtains of Hacking Industrial Systems
Abstract. In an era where industrial systems are increasingly targeted by sophisticated cyber threats, understanding how these attacks take place and how to defend against these attacks is crucial. This presentation will provide an in-depth look at Red Team operations within Operational Technology (OT) environments, such as factories and power plants.
We will begin by outlining the fundamental differences between OT and IT security, highlighting the unique challenges and vulnerabilities present in OT systems. This foundational knowledge sets the stage for a deeper exploration of the current threat landscape within OT environments.
The core of the presentation will focus on real-world case studies from our Red Team assessments. We will walk you through the methodologies we use to simulate real attacker behaviours, from initial infiltration to identifying critical vulnerabilities, all while ensuring minimal disruption to operational processes.
Agenda:
- Introduction: Overview of Operational Technology (OT) and Red Teaming
- Distinguishing IT from OT: Key Differences and Implications
- Current Threat Landscape: Emerging Threats and Vulnerabilities in OT
- Red Team Operations in OT Environments: Strategies, Tools, and Techniques
- Case Studies: Real-world Examples and Lessons Learned
Biography. Sarah is a Senior Consultant at NVISO, with a focus on Red Team Assessments. Complementing her cybersecurity experience, she has developed proficiency in Operational Technology (OT) assessments and continues to specialize further in this area.
She possesses a Master's degree in Applied IT Security, which has been enriched by her diverse experiences in cybersecurity roles across various companies.
In addition to her professional work, Sarah is dedicated to contributing to the community by leading workshops and delivering presentations at industry conferences.
Talk. 3D Printing Security
Abstract. TBA
Biography. TBA
More talks coming soon ...