OWASP Czech Chapter Meeting

Location

Microsoft Development Center Prague

Vyskočilova 1561/4a

140 00 Prague

Czechia

Description

Dear OWASP fellows,

It’s our pleasure to inform you that the next local chapter meeting will be held on May 21st 2019 at the Microsoft/Skype office, Vyskočilova 1561/4a, Building Delta, Praha 4.

This time we have again prepared a day full of interesting speakers and workshops for you. Admission is, as usual, free of charge.



Schedule

Workshops

9:00 - 12:15 Sebastian Garcia & Veronica Valeros: Getting Your Hands Dirty: IoT Botnet Analysis

9:00 - 12:15 Tuna CTF team: Security & Lockpicking Workshop (CTF)

Talks

12:15 - 12:30 Opening ceremony with OWASP chapter leaders - Jan Kopecký & Daniel Mács

12:30 - 13:00 PIZZA TIME!

13:00 - 13:50 Lukáš Antal: NSA Hacking Tools

13:50 - 14:00 break

14:00 - 14:30 Simona Musilova & Sebastian Garcia: Does Your IoT expose You? Honeypots, Attacks and Decryption in an Edimax Camera

14:30 - 15:15 Michal Špaček: What if I told you browsers can tell servers they don't like the response

15:15 - 15:30 break

15:30 - 15:50 Jan Fajfer & Kamila Babayeva & Veronica Valeros: We Know Where You Are: How Most Mobile Applications Jeopardize Your Security

15:50 - 16:30 Petr Stuchlík: The messaging menagerie

16:30 - 16:45 break

16:45 - 17:25 Sebastian Garcia & Maria Jose Erquiaga & Anna Shirokova: Cybercriminal Activities Managing a New Android Botnet

17:25 - 17:55 Martin Žember: Why usual pentests suck?



Information about the trainers and workshops

Getting Your Hands Dirty: IoT Botnet Analysis

Sebastian Garcia

Sebastian is a malware researcher and security teacher who has extensive experience in machine learning applied to network traffic. He created the Stratosphere IPS project, a machine learning-based, free software IPS to protect civil society. He likes to analyze network patterns and attacks with machine learning. As a researcher in the AIC group of Czech Technical University in Prague, he believes that free software and machine learning tools can help better protect users from abuse of their digital rights. He has been teaching in several countries and universities and working on penetration testing for both corporations and governments. He was lucky enough to talk at Ekoparty, DeepSec, Hacktivity, Botconf, Hacklu, InBot, Security Sessions, ECAI, CitizenLab, ArgenCor, Free Software Foundation Europe, Virus Bulletin, BSides Vienna, HITB Singapore, CACIC, etc. As a co-founder of the MatesLab hackspace, he is a free software advocate who has worked on honeypots, malware detection, distributed scanning (dnmap), keystroke dynamics, Bluetooth analysis, privacy protection, intruder detection, robotics, microphone detection with SDR (Salamandra) and biohacking.

Veronica Valeros

Veronica is a researcher and intelligence analyst from Argentina. Her research has a strong focus on helping people and involves different areas, from wireless and Bluetooth privacy issues to malware, botnets and intrusion analysis. She has presented her research at international conferences such as BlackHat, EkoParty, Botconf and others. She is the co-founder of the MatesLab hackerspace based in Argentina, and co-founder of the Independent Fund for Women in Tech. She is currently the director of the CivilSphere project at the Czech Technical University, dedicated to protecting civil organizations and individuals from targeted attacks.

Workshop outline

Nowadays there are a lot of tools to analyze traffic, but the most important thing to have is the experience and knowledge of a malware analyst. The goal of the workshop is to give hands-on experience in analyzing the behavior of malware and botnet traffic in the network by studying their web patterns and their traffic behavior. The workshop will use a real IoT botnet capture with real attacks in the network. Participants will learn a methodology to analyze a traffic capture and how to recognize malicious connections. The participants should leave with a good knowledge of how to build an overall picture of the traffic and recognize whether it contains malicious behavior.

Requirements:

  • Attendees are required to have a medium knowledge about networking

  • Equipment for attendees:
    ○ Laptop + Power cord
    ○ Minimal tools installed: wireshark, tcpdump


Security & Lockpicking Workshop (CTF)

Tuna CTF team

  • Filip Holec - Leader of educational Ethical Hacking, Linux or Python workshops and Co-Founder of https://engeto.cz

  • Martin Zember - 11 years of experience in pentesting, Founder of https://zembered.com

  • Petr Skyva - Cyber-Security student @ FI MUNI, Cloud Architect @ Cleverlance

  • Jan Masarik - Cyber-Security student @ FI MUNI, AppSec @ Kiwi.com, OWASP Brno Ambassador, OSCP

  • Martin Bajanik - Bug bounty hunter (https://hackerone.com/bayotop), AppSec @ Kiwi.com, OSCP

Workshop outline

Interested in learning the basics of hacking or lock-picking? We’ve prepared a short CTF with vulnerable machines (similar to the OSCP certification exam), along with real-life challenges where you’ll need to pick a lock to get the flag. We will help you with the exercises and provide the necessary hints and tools to finish in time and learn something. For the winner, there will be a bottle of Bozkov!

Who is this for?

It is for everyone interested in security and lockpicking, from newbies up to seasoned pentesters. If you know what a port is and what an HTTP request looks like, you should come!



Information about the speakers and talks

Lukáš Antal

Lukáš is a Cyber Security Specialist and Ethical Hacker at AEC a.s. He has been involved in the IT security field for more than 10 years and has extensive experience with penetration tests for leading Banking, Telco and Utility companies as well as for state institutions. In addition to security basics such as web application security and infrastructure, he also deals with the security of ATMs, WiFi networks, Windows Active Directory, and RFID. His passion beyond IT is traveling and learning about other cultures.

NSA Hacking Tools

Have you ever wondered what tools government-sponsored hacking groups are using? The leak of data disclosed by the hacking group Shadow Brokers has provided a unique insight into the state-level cyber-arsenal. In the presentation, the entire ecosystem of hacking tools used by the NSA hacking division will be described and, above all, practically demonstrated.


Simona Musilova

Simona is a master's student of cybersecurity at the Faculty of Electrical Engineering at Czech Technical University in Prague. After years spent in software development, she joined the Stratosphere lab. She is currently a member of the Aposemat project, a joint project between Stratosphere lab and Avast Software to study IoT security. Her research focuses on managing all the IoT devices as honeypots, in-depth analysis of captured traffic of IoT honeypots, and studying the security of the devices. Her expertise is in deeply understanding the Telnet protocol for user profiling.

& Sebastian Garcia^

Does Your IoT expose You? Honeypots, Attacks and Decryption in an Edimax Camera

IoT devices are slowly getting into everyone's home. Their security is so questionable that they usually put owners at risk with vulnerabilities and expose their private data. To better understand the problem, the Aposemat Project ran several IoT devices as honeypots, including an Edimax camera. In this research we analyze how the camera was attacked from the Internet and how our network analysis exposed very strange behaviors from the camera. We further researched these traffic behaviors of the Edimax camera using reverse engineering methods on its firmware. By studying the firmware we were able to understand the communication between the camera and its remote servers, finding new algorithms used by the manufacturer to obfuscate/encrypt the payload sent between the device and the servers. Those algorithms were never mentioned until this talk, showing new promising ways to understand the decryption of payloads and how Edimax controls its cameras.
IoT devices are cheap, unregulated and obfuscated, making it very hard to evaluate their security and making them a huge liability to an organization.


Michal Špaček

Michal is a software developer and an application security engineer who's on a mission to show developers how & why to write secure code. He started building web sites and apps during the "First browser war" when "Best viewed in Netscape" logos were still a thing. Michal has worked for Skype and others, and is half freelancing, half working on a reporting aggregator report-uri.com.

What if I told you browsers can tell servers they don't like the response

The future is here. Your users and their browsers can already tell you what's going on with your site. Automatically, immediately. Malicious JavaScript? Expired certs? 404s? Deprecated features? Crashes? All covered by Reporting API.


Jan Fajfer

Jan works at Czech Technical University in Prague as a researcher for the Civilsphere project. Last year he graduated from Czech Technical University with a degree in Computer Security and Information Technology. He is interested in network security, anonymity networks and artificial intelligence. He enjoys hiking in the mountains, reading and playing the cello.

& Kamila Babayeva

Kamila is a bachelor's student at the Czech Technical University in Prague. She is highly interested in understanding and analyzing malware. She currently works as a junior Malware Reverser at Civilsphere, a project dedicated to protecting civil organizations and individuals from targeted attacks. She spends her free time learning and programming in Python.

& Veronica Valeros^

We Know Where You Are: How Most Mobile Applications Jeopardize Your Security

Despite the continuous growth of the market of mobile devices, it is still unclear nowadays how to know how secure they are, what is happening in them, and how to know if we are safe. In an attempt to better understand the field, we used our own VPN server to capture the traffic of our phones. We tested some widely used mobile applications and we found... well, unexpected things.
Join us in this presentation, where we will walk you through some of our main findings while analyzing the traffic of normal mobile applications, the common problems found, and why there should be more people looking at these issues.


Petr Stuchlík

Developer and network traffic analyst who enjoys the security challenges of modern web applications. From freelancing, Petr crossed into the corporate sector and eventually ended up founding a software company, where he is currently producing apps for big data visualization.

The messaging menagerie

Message-oriented systems have gained a lot of developer popularity in the past years and are still pushing forward. Protocols like MQTT or AMQP are often found in the IoT industry, while solutions like Kafka or JMS wire stuff together in the enterprise world.
There is one interesting thing all messaging solutions have in common, and that's poor security in practice. In this talk I will describe a few ways of service enumeration, message interception and data decoding using industry standards as a target.


Sebastian Garcia^

& Maria Jose Erquiaga

María José is a malware researcher from Argentina. She is a researcher and teacher at the University of Cuyo, Mendoza, Argentina. She has been a collaborator at the Stratosphere laboratory since 2015. She is a member of the Aposemat project, a joint project between the Stratosphere laboratory and Avast. This project aims to execute malware and capture it from honeypots. María's work has been focused on executing and analyzing malware for IoT devices.

& Anna Shirokova

Anna is a security researcher from Russia, currently based in Prague, Czech Republic. She joined Avast's IoT research, where she focuses on the IoT threat landscape. She is also a collaborator at the Stratosphere IPS Aposemat project. This is a joint project with Avast to create, publish and analyze malware attacks on IoT devices. Anna has also been a speaker at several conferences including Botconf, BruCON, and Troopers.

Cybercriminal Activities Managing a New Android Botnet

In mid-2018 we discovered by chance one of the largest reported Android banking botnets known to date, which we named Geost. It was discovered from their botmaster logging into one of the Geost C&C servers while using an insecure proxy network created by the HtBot malware. HtBot creates an illegal network of proxies, and our laboratory captured the traffic while executing one instance. Geost turned out to be a new and very large Android banking botnet operation targeting Russian citizens with almost 1 million victims, 15 C&C servers, thousands of domains, and thousands of malicious APK applications. Geost accesses all the SMS data of victims and has a direct connection to the systems of five large European banks. The discovery of Geost was possible due to a chain of OpSec failures.

During the Geost analysis we found a chat log of a cybercriminal entrepreneur related to the Geost operation. This log exposed numerous projects and activities of the underground group, and gave us a unique insight into how the business operation worked: the human relationships between the cybercriminals, daily routine tasks, motivational issues, money laundering, the decisions taken, and obstacles found. The criminal projects ranged from pay per install, phishing website hosting, and C&C development to fake APK games development.

This research focuses on the new Geost botnet operations and the OpSec failures that resulted in its discovery. This work is unique in that it shows the attackers' communications and the specifics of how an underground cybercriminal business operates. By analyzing their communications we got a better insight into how the underground economy works. We learnt that for these cybercriminals their malicious activities are essentially their occupation.


Martin Žember

Martin Zember has been a pentester since 2007 and recently fell in love with red teaming and CTFs.

Why usual pentests suck?

Pentesters usually have their hands tied by the customers themselves. How would it look if pentesters had the freedom to do a proper red team exercise and infiltrate a company’s systems, e-mails and buildings?



Additional information

  • If using public transportation, you can go to the metro station Budějovická and walk 5 minutes. There is also a bus stop Vyskočilova nearby, one stop away from the metro. For cars there are plenty of paid parking lots in the surrounding area.

  • Unless stated otherwise, talks will be in English and the recordings will be available online (with speakers' permission) after the convention.

  • For the workshops, please come at least 10 minutes ahead of time, otherwise it can happen that your seat is taken by somebody on the waiting list.

  • There will be some snacks and soft drinks prepared for you during the event. Also, there is a small cafe next to the conference hall where you can purchase hot drinks.

  • The venue is on the ground floor of the office building. There will be signs showing you the way to the conference hall and the lecture room for workshops.
