
CCCC 2018 Presentations for Download

Paul Vixie, Farsight Security; Peter Kruse, CSIS

Joona Airamo, Forcepoint

Gabor Szappanos, Sophos

Bill Ladd, PhD, Recorded Future

Lukas Stefanko, ESET

Gaetan van Diemen, ThreatFabric

Jens Heyn Roed Andersen

Ole Kjeldsen, Microsoft Denmark

Righard Zwienenberg, ESET

Gabriel Cirlig, Stefan Tanase, IXIA

Daniel Shepherd, Agile Response Technologies

Alex Kouzmine, CERT Societe Generale

Douglas Haywood, Tesco Bank

The individual download files are password protected. The password was sent to all conference participants after the event. In case you attended the conference, but can’t find the password anymore, please, send an email to mah(@) in order to have it resent.

Trust and Responsibility in the Digital Society

Lars Frelle-Petersen, DI Digital

Lars Frelle-Petersen's presentation will set the scene for the importance of an ongoing prioritization of cyber security, not only for businesses but for our society as a whole. A stronger awareness of the consequences of the use and misuse of data, digital services and artificial intelligence is needed.

Scaling Properties of Software and System Security

Paul Vixie, Farsight Security
Peter Kruse, CSIS

Humanity has been building and programming general purpose computers for about six decades now, with spectacular results, mostly good. As we contemplate the Internet of Things in light of our collective experience, there are some disturbing conclusions to be drawn. Can we as a species safely place our economy and culture into a global distributed network of computers, if those computers are programmed by humans using commodity programming languages and tools?

One Year After WannaCry – Has Anything Changed? A Root Cause Analysis of Data Breaches

Joona Airamo, Forcepoint

The year of the data breach, the year of ransomware, the year of APT – these catchy name tags summarise a given year. This session will review the last 12 months and attempt to assign a name tag. The timing is impeccable. 12 months after WannaCry, a milestone ransomware event and a couple of weeks after GDPR enforcement, provides a prompt to reveal research into the root causes of real-world data breaches and what to learn from their failings.
You will leave with a list of realistic actions to best protect your business over the next 12 months.

The Resurgence of Office Bugs

Gabor Szappanos, Sophos

Technical level: High
The exploit scene looked stale in the past couple of years: one or two new vulnerabilities made their way to the commercial exploit builders every year. The most important builders supported exploits that had been fixed years before, limiting the reach of the malware delivery. 2017 brought a drastic change. The number of widely used exploits multiplied, and these exploits turned out to be much simpler. The previous major vulnerabilities required deep knowledge of document formats and an advanced understanding of exploitation. The new vulnerabilities were much simpler logic bugs or classic stack overflows that were easier to understand. Creating builders for these exploits was no longer the privilege of skilled programmers; average programming skills were enough, and many of these builders were published for free. The easy availability of these builders enabled many cybercrime actors to use the exploits with little to no investment, resulting in a multiplied number of Office exploit related attacks in the past 12 months. The life cycle of an Office exploit starts with initial zero-day targeted attacks; then at some point a few well-resourced cybercrime groups start using it. Later the exploit ends up in exploit builders, which leads to an explosion of use by many groups hitting the general user population. This cycle usually takes a few months; last year, however, driven by the great demand for fresh Office exploits, it was pushed down to weeks.
The presentation will reconstruct the timeline of one of the hottest Office exploits (CVE-2017-0199), which featured the following typical scenarios in its life cycle:
• Zero-day APT activities
• Enthusiastic security researchers playing with the exploit
• APT groups experimenting with bypassing virus scanners
• The appearance of exploit builders (both commercial and free)
• The explosion of the usage in cybercrime

Cryptocurrency Scams on Android

Lukas Stefanko, ESET

Technical level: Low
In 2017, cryptocurrencies have become a booming industry, attracting the attention of not only new users, but also cyber criminals. As the fraudsters came rushing to the newly crowded cryptocurrency space, users, businesses, and exchanges have found themselves the target of various cryptocurrency fraud schemes – from hacks, through phishing and scams, to surreptitious crypto-mining on compromised devices or, as of late 2017, via browsers. The Android platform hasn’t been left out of the cryptocurrency frenzy, with Android users targeted by all kinds of deceptive cryptocurrency-related apps. In this presentation, we’ll look at the most prevalent types of cryptocurrency scams currently targeting Android users and their go-to tricks and techniques. By identifying the common red flags, we’ll lay out tips for users to keep their devices and virtual coins safe from fraudsters.

What Does EU GDPR Have to Do with Information Security?

Jens Heyn Roed Andersen

How is the protection of personal data related to IT security? And why do we need to focus on technology at all when trying to comply with the EU General Data Protection Regulation (GDPR)? This question is often heard in many of the GDPR projects carried out over the past months, and the answers range from "it's a purely legal project that does not involve IT" to "we can do it all with new settings in our systems." Neither answer is correct. A successful GDPR project demands cooperation in order to support your business: a highly complex business that today can do neither without technology nor without complying with the law. And the GDPR, in art. 32, demands the implementation of "appropriate organisational and technical measures", but how much is needed to fulfil this demand?
In order to be successful at implementing the proper measures using a cooperation strategy, businesses need to agree on where they stand, from both a legal and a technical point of view, and from there decide where to go. To do this, standards are required: standards that are easy to use, fully measurable and based on specific controls, as well as easy to implement across the entire organisation. One such standard is the CSC20 from the Center for Internet Security, a standard based on 20 controls proven to mitigate the most common cyberthreats, which is easily understood as well as measurable, focuses on root causes and encourages automation.
Hear how you can get all the way around the IT security of GDPR and reach the "appropriate nirvana" using the CSC20 as your tool, for measurement as well as for management communication, by using its easily understood metrics. And learn how the CSC20 can help you ensure continuous compliance with the GDPR.

The Infinite Loop of Information Security in China

Bill Ladd, PhD; Recorded Future

Subtitle: How the Ministry of State Security is embedded in China's information security architecture and why that matters
Technical level: Medium
China has engineered an information security system that emphasizes not security, but control over data, users, content, and even the companies, platforms, and technology that underpin it. We present a study of China’s information security architecture and its nexus with the Chinese intelligence services, particularly the Ministry of State Security (MSS) and how the MSS uses this system to support intelligence operations.

Evolution of Mobile Banking Malware (Where It Comes from and Where It Goes to)

Gaetan van Diemen, ThreatFabric

Technical level: Low
Although cyber-criminal motivations are numerous, the prominent one remains money. Threat actors motivated by financial gain have noticed the shift of bank customers from desktop to mobile online banking. The dominant market share and the flexibility offered by the Android operating system, combined with the shift of consumers towards mobile banking, have resulted in the surge in Android malware visible since early 2014. This presentation will shed light on mobile malware's first steps and how it has evolved up to today.

GDPR – So What Hit Us?

Ole Kjeldsen, Microsoft

June 7th is only a few weeks after GDPR comes into effect. In the time leading up to May 25th, 2018, much has been said, and many a consultant and lawyer has sold a GDPR related project to organizations in fear of non-compliance. Can we honestly say that PII is more secure on June 7th because of GDPR? And regardless, what needs to be done now? Get the open and honest perspective from one vendor.

The System Has Failed: CPU insecurity

Anders Fogh, G Data Software

Technical level: High
In this talk, I'll discuss my research into how the design of microprocessors makes most current computers insecure. Since the issue lies in how CPUs are designed, it has implications for cloud computing as well as for normal users. I'll show how information handled by the CPU is leaked by subtle design issues through so-called side channels and how these side channels affect everyday security related processes, from passwords to encryption of data. Once we have an understanding of how side channels work, we'll discuss how the so-called speculative execution used by all modern CPUs can be used to leverage side channels to gain unparalleled access to private information in the attacks known as Meltdown and Spectre.

Understanding Threat Hunting: Why and How

Daniel Shepherd, Agile Response Technologies
Martin Clausen, Danske Bank

Driven by changes in regulation, an ever-evolving threat landscape and a greater awareness that we need to move beyond a pure prevention mentality, threat hunting has rapidly grown to become one of the industry's key focal points. This presentation will provide insights into our views on why threat hunting is such an important aspect of the way companies approach security, and the best practices around how to structure and run such exercises.

IDIoT or the ID of IoT

Righard Zwienenberg, ESET

Technical level: Low
Connected devices have spread across the world, and you have to ensure your IoT products stay secure and don't become a security risk. Billions of devices are set to become part of the Internet of Things within the next few years, yet there is still a long way to go to ensure they are properly secured. It doesn't matter whether it is industrial or consumer: everything is connected to the cloud, either directly or through intermediary software. With all of these inter-connected systems, security becomes mixed up.
The presentation highlights the huge range of attacks targeting the IoT in recent years, as hackers have increasingly gone after these new smart and unprotected devices. This is far from being a problem that just affects cheap devices: devices with basic internet capabilities have faulty CPUs that are vulnerable to the Meltdown and Spectre exploits. Furthermore, this presentation will explore how companies and consumers alike can stay secure online in the future. The Alliance for Internet of Things Innovation (AIOTI) and other defences of the IoT are discussed.

Leaking Intellectual Property, One Artefact At A Time

Ido Naor, Kaspersky Labs

Technical level: Medium
For years and years, anti-malware solutions across many levels of the network have been assisted by online anti-virus aggregation services and online sandboxes to extend their detection level and identify unknown threats. But this power booster comes with a price tag.
Even today, enterprises all over the world are using security solutions that, instead of protecting the data, treat it as suspicious and share it with online multi-scanners. The result is drastic. All that separates a hacker from extracting that data on a daily basis is a couple of hundred euros a month, a price which could easily be covered if that hacker finds a person of interest. In just a couple of days, one skilled hacker can build an intelligence tool that could be sold for 10 times the money they invested.
The data is being leaked daily and the variety is endless. In our research we found many artefacts: PDFs with salaries and plans, database dumps and even highly sensitive intellectual property shared between boards of directors. It's time to meet a modern threat which has been hiding under the radar.
In this talk we'll look deeper into how we built an intelligence tool, one artefact at a time.

Redteaming Through Threat Modelling Inspired by Financial APT Adversaries

Alex Kouzmine, CERT Societe Generale

Technical level: Medium
Redteaming is a method inspired by military community practices, in which an independent group of skilled adversaries challenges systemic weaknesses within an organization to improve its defensive posture against external attackers. This approach has recently become overhyped by vendors of all sorts, who effectively leverage the Redteam hashtag and common ignorance to sell regular penetration testing and security assessment services under a different name and a different price tag.
CERT Societe Generale has come up with an idea to find a better implementation of the Redteaming method through threat modelling inspired by real-life adversaries' tactics. We custom-tailored specific playbooks inspired by the techniques, tactics and procedures employed by some of the notorious APT groups specifically targeting financial institutions, to come up with realistic long-term missions whose ultimate goal is not to tick boxes in regulators' reports, but to provide authentic experience with the aim of optimizing controls over the most critical information security assets. Drawing on our day-job experience of incident response and threat intelligence gathering and analysis, we came up with an approach of implementing a targeted, coordinated and purposeful offensive security posture to improve the security strategies and defensive capacities of our Blue team.
The kill chain is the central pillar of our approach: we use it to gain a holistic, permanent view over the different stages of an advanced attack, while it provides the necessary metrics for adequate lessons learned and continual improvement.
Throughout this presentation, I will share some of the experience gained while working on this mission, for the benefit of and reuse within the community.

Smart Car Forensics and Vehicle Weaponization

Gabriel Cirlig, Stefan Tanase; Ixia

Technical level: Medium
As "smart" is becoming the new standard for everything, malicious threat actors are quick to capitalize on the insecurity of IoT devices. Hackers compromising your network and spying on you is nothing new in the world of personal computers, but it is definitely an emerging threat in the world of personal cars. Given a relatively new car with an infotainment system completely decoupled from the car's backbone (ignition, lights and such), we discovered a plethora of sensitive personal information being stored completely in the clear during our smart car forensic investigation. We were able to extract call logs, text messages and phone contacts from all mobile devices connected to the car. More worryingly, the navigation system logs were left completely unobfuscated, allowing a potential attacker to track the driver's habits very precisely. Live demo: a proof-of-concept vehicle weaponization attack will be shown during this talk. By abusing various debug tools present on the car's infotainment system, we demonstrate how a malicious attacker would be able to track the position of the car in real time, or even do wardriving and network exploitation from the on-board computer of the car.

Get the CEO's Attention! (Then Help Him/Her Make a Plan)

Morten Stilling, PhD; ICS Security Solutions ApS

Getting the attention of the CEO is not easy. He very likely did not get the job because he understands cybersecurity. It is possible, however, to get the CEO's attention, and once you do, you can help him make a plan to build resilience. In this presentation, the founder and owner of ICS Security Solutions describes the three-step process that enabled him to get the CEO's attention at the world-leading offshore wind company Ørsted Wind Power. The process is very simple, and it can likely help you get traction with your C-level stakeholders.

        CSIS Security Group A/S, Vestergade 2B, 4th floor, 1456 Copenhagen