Skip to main content

CCCC 2019 Presentations for Download

Lukas Stefanko, ESET

Per Thorsheim, Nordic Choice Hotels

Philip Mills, Centre for Secure Information Technologies (CSIT), Queen’s University Belfast

Rik Ferguson, Trend MicroResearcher

Vitali Kremez, Independent

Leszek Mis, Defensive Security


The individual download files are password protected. The password was sent to all conference participants after the event. In case you attended the conference, but can’t find the password anymore, please, send an email to mah(@) in order to have it resent.


CCCC 2019 Presentation Abstracts

Cybersecurity in 2019: Improving your Posture

Dimple Ahluwalia, IBM

Dimple Ahluwalia will share her experience on how her team helps to secure IBM. She will highlight the top pitfalls and practical actions organizations should consider as you strive to improve your company’s security posture in 2019 and beyond.

I PWN Thee, I PWN Thee not!

Jayson E. Street, SphereNY

Attackers love it when defenses fail. Implementing defenses without properly understanding the risks and threats is usually a waste of money and resources. This is a frank discussion of what control failures an attacker looks for when attempting to breach an enterprise, as well as how an effective control can help prevent an attacker from being successful. Jayson will walk through real-world scenarios that have led to successful compromise of different companies through control failures. He will also give detailed analysis of controls that led to his attacks being effectively thwarted. Learn how to understand and assess real-world risks, as well as simple defenses which can be implemented to better protect your organization. With a 95% chance of not using any fireworks or minor explosives Jayson will thrill the audience with ways to better defend their networks from criminals, nation states and Suzy in accounting! Come for the Explosive hyperbole but stay for the hugs! While his talk is in English AWESOME is universal!!

Imitation Is the Sincerest Form of Flattery

Kris McConkey, PwC

Technical level: Medium
Imitation is the sincerest form of flattery. Having seen the documented success of campaigns against IT Managed Services Providers, actors other than APT10 appear to have been given a green light to invade other key elements of supply chain ecosystems and infrastructure. Similarly, some cyber criminal groups appear to be swimming upstream from their intended targets in order to improve their vantage point from which to launch wider campaigns. This presentation details some of the recent sustained campaigns against IT and communications networks around the globe, and against vulnerable areas of key sectors.

Android Banking Threats: Simple vs Sophisticated

Lukas Stefanko, ESET

Technical level: Medium
With mobile devices increasingly entwined in our everyday lives, countless services, tools and products are always (literally) at our fingertips. Each year, the number of Android devices and applications is growing, making our lives even more convenient and connected. But there’s also a dark side to the abundance of apps: malicious actors creating sophisticated and stealthy threats capable of stealing mobile banking credentials or even spying on unsuspecting users. Such threats are not just spread using social engineering or via alternative app stores, but sometimes also through Google Play, the official Android app store. As a result, dangerous malware, too, can be just a tap away. This presentation will give an overview of latest Android malware, focusing on banking malware and its go-to tricks and techniques. The talk will also include an analysis of a recently discovered family of Android banking malware that could make payment directly from infected device on behalf of the user.

Oops! It Happened Again!

Eddy Willems, G Data Software
Righard Zwienenberg, ESET

Technical level: Low
The problems malware causes for the ecosystem started 3 decades ago. Although some viruses are known to be older than that, they didn’t really cause too much trouble. In these 3 decades we’ve had lots of (new versions of) Operating Systems and new versions of applications. Normally one learns from mistakes made before, but somehow in the cyber-eco-system, seemingly it is exactly the opposite. Eddy and Righard will take you on a scenic tour spanning 3 decades of malware, 3 decades of ecosystems and 3 decades of history repeating itself. Will we ever learn? The presentation will contain (humorous) repeating events from the last 3 decades, but of course all with the intention to have a serious undertone, all backed up by the 6 decades of experience the two speakers have combined.

DNSpionage Campaign Targets Middle East

Paul Rascagnères, Cisco Talos

Technical level: Medium
Cisco Talos identified an espionage campaign that mainly targeted Middle East that we named “DNSpionage”. First, we will describe a malware targeting several government agencies in the Middle East, as well as a airline. During the research process for DNSpionage, we also discovered an effort to redirect DNSs from the targets and registered SSL certificates for them. We identified a dozen of countires targeted by this redirection. The January 22nd, U.S. DHS published a directive concerning this attack vector. In this presentation, we will present the timeline for these events and their technical details.

SIM Swapping & Phone Hijacking: Attacks & Consequences

Per Thorsheim, Nordic Choice Hotels

SIM swapping attacks are on the rise in the US and many other countries, with tough consequences for business & personal information. In this presentation I will share the results of many years of work, resulting in a series of articles from Norwegian financial newspaper “Dagens Næringsliv” in Norway. The newspaper successfully hijacked the phone number of high-profile celebrities in minutes, using a fake business card and no valid ID. Attack vectors & methods will be discussed, along with current & hopefully upcoming changes to telcos in order to protect their customers.

Cybersecurity as an Environmental Variable

Jeppe P. Bjerre, FORCE Technology

Technical level: Low
Electronic products today have to live up to a long series of requirements that manufacturers are legally obligated to adhere to. This requirement has 2 goals: To ensure that a product is not disturbed by the environment; and that the product does not interfere with other devices. But where are the requirements for cybersecurity? And how can we approach the topic in a way that won’t add a massive cost to both industrial and consumer products?

Inside MageCart Credit Card Breaches & Criminal Ecosystem

Vitali Kremez

Technical level: Medium
Profiling the MageCart Behind the Front Page Credit Card Breaches and the Criminal Underworld that Harbors Them” Responsible for recent high-profile breaches of global brands Ticketmaster, British Airways, and Newegg, in which Magecart and their operatives continue to intercepted thousands of consumer credit card records, Magecart is only now becoming a household name. However, its activity isn’t new and points to a complex and thriving criminal underworld that has operated in the shadows for years. Vitali Kremez will delve into technical and commercial side of Magecart operations—the sale and distribution of stolen cards on underground shops, the monetization of Magecart operations through mule-handling and shipping goods, and the dynamics of an underground supply chain offering operatives skimmer kits and compromised e-commerce sites as a service. Additionally, Mr. Kremez will demonstrate the live scenario how criminal operators inject malicious inject code and intercept victim credit card data from breached websites.

Five Most Significant Challenges in Threat Hunting and How to Address Them

Ian Qvist, Agile Response Technologies

Technical level: Medium
Threat hunting is generally described as a discipline that involves iteratively looking for threats that have bypassed existing security infrastructures. In practice, threat hunting is currently being done by a variety of types of people, using a variety of different tools and techniques. There are various challenges associated with threat hunting; among them the issue of finding the needle in the haystack and doing so quickly, without compromising on quality and correctness, especially (though not solely) in a large-scale and distributed environment. The penalty for being too slow and/ or incorrect and/ or missing the needle altogether is severe. In this talk, Ian will share lessons learnt and what we consider to be best practices, based on the 5 of the most significant challenges that people face when doing threat hunting work.

Playing with LDAP as C2 and Payload Delivery

Leszek Miś, Defensive Security

Technical level: Medium
During the APT campaign or red teaming activities, there is a scenario where two endpoint devices can’t talk directly to each other. However and because of both stations are members of Active Directory / FreeIPA Linux Domain Controller Environment, they both can connect to the same LDAP ports, where the possibility exists to upload and download encoded data by utilizing well-known LDAP user attributes. Now, what is even more surprising, based on FreeIPA example, there is pretty much no length restriction for some attribute values, which means we can use ex. ‘gecos’ attribute as a hidden and unlimited storage space to send/upload data and bypass FW/IDS/IPS/segmentation protection. I will show you also an example of an unexpected OOM-based Remote Denial of Service attack against FreeIPA ns-slapd daemon I found during a research. The talk is dedicated to showing you typical LDAP security misconfigurations as well as insights of powerful AD/FreeIPA LDAP C2 / exfiltration techniques that allows for bypassing access controls and using your Domain Controllers to act as a central communication point for all your pwned internal systems. In the end, we will consider how to detect the above attacks by using better logging, LDAP traffic decoders and doing some critical changes in LDAP configurations.

The Mysterious Case of the Ukrainian Bagsu

Benoît Ancel, Peter Kruse; CSIS Security Group

Technical level: Medium to high
Bagsu is a Trojan banker that has been around for approx. 4 years without getting much attention from the security industry. That is about to change now. So strap on your seatbelts as we are heading for an unexpected ride into a fairly organized and long time running criminal operation distributing the Bagsu malware – but also many other and more complex malware families – sharing the same infrastructure and MO. The name Bagsu is a generic naming scheme as the code is more or less based on the leaked ZeuS source code. It is therefore not something new as such, but the criminals behind this operation prefer to keep a low profile and fly under the radar. So far – unfortunately – with great success. Apart from targeting Windows, we have also found several previously undocumented Android malware samples that have been deployed in the wild since 2014. Lately we have observed how the author and brain behind this operation has switched to a Crime as a Service setup and just the begining of 2019 we can document losses of several million euros stolen from enterprises globally but mostly in Germany. This presentation will look into the binary code, its distribution methods, geographical targets, infrastructure, and finally – as always when it comes to research from CSIS – the potential identity of the person/individuals behind it.

Utilizing YARA to Find Evolving Malware

Jay Rosenberg, Kaspersky Lab

Technical level: Medium to high
YARA rules are often made specifically for a certain variant of a threat using strings from a binary. What happens when the strings simply disappear or become obfuscated? This presentation will highlight key components to building YARA rules for finding newer variants or new versions of malware from the same threat actor, that will last through generations of the malware evolution process.

Yes, We Can Get into Your Company. Now What?

Tom Van de Wiele, F-Secure

Technical level: Low
As attacks are becoming increasingly targeted and decrease in cost over time, many organizations are making changes to their defense approaches but without really knowing what the implications are towards the use of their infrastructure and data, their security culture and if it makes any difference from an attacker’s perspective. Spoiler: It usually doesn’t. The presentation is about how companies make mistakes in their defense philosophy, how organized crime and F-Secure red-teamers always get in, where Denmark rates and what can be done to actively measure your own security overall. This presentation will go through what defense scenarios companies are using, how criminals are able to get in anyway and what needs to change to make your security investments more effective, not just more complex and costly.

GDPR – One Year After

Cristina A. Gulisano, Datatilsynet

The General Data Protection Regulation (GDPR) has been applied for a year now. What’s the current state of play? Where are we heading? Why is this so important for me? The director of the Danish Data Protection Agency Mrs. Cristina A. Gulisano will do her best to shed light into these fundamental questions.

CSIT – A Disruptive Model for Open Innovation

Philip Mills,Centre for Secure Information Technologies (CSIT), Queen’s University Belfast


The Centre for Secure Information Technologies (CSIT) is the UK’s Innovation and Knowledge Centre for cybersecurity technologies, employing 90 people. CSIT is focussed on cutting-edge research into technologies which will help secure the digital world, and make the internet a safer place for businesses and consumers alike. Working with international partners such as Thales, BAE Systems, Allstate, IBM and Seagate, CSIT’s open innovation model enables the commercialisation of advanced research, and also supports a growing community of SMEs and start-up companies. This presentation sets out the key features of the model and illustrates some success stories based on the open innovation ecosystem.

How Easy iI Is to Steal Money from Almost any Company…

Chris Parker, Royal Bank of Scotland
Jan Kaastrup, CSIS Security Group

Technical level: Low
Impersonation fraud (known as BEC fraud) is one of the fastest growing financial threats in the world. According to FBI, the loses reached 12 billion dollars last year. The presentation will reveal the research of several impersonation fraud IR cases and how they potentially could have been detected.

        CSIS Security Group A/S, Vestergade 2B, 4th floor, 1456 Copenhagen